smitfraud and other malware
monty5012
2006-11-18, 08:55
I'm hoping for some help. I've had my new rig infected with some malware and really need some help cleaning it up. Every time I run Spybot I get the smitfraud toolbar as well as other malware. I run Norton and let it catch this stuff, so I'm not sure what happened this time.
Here are my HijackThis results:
Logfile of HijackThis v1.99.1
Scan saved at 11:49:09 PM, on 11/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
H:\itunes\iTunesHelper.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Common Files\{B024C537-0948-1033-0905-060825060001}\Update.exe
C:\DOCUME~1\JAREDA~1\APPLIC~1\YSTEM3~1\services.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
G:\hijackthis\HijackThis.exe
R3 - URLSearchHook: (no name) - {D79856E3-9B2C-91AC-780D-CA896B2C3192} - C:\WINDOWS\system32\tylcfo.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "H:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsac.dll,startup
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [imii] C:\PROGRA~1\COMMON~1\imii\imiim.exe
O4 - HKCU\..\Run: [Atao] "C:\DOCUME~1\JAREDA~1\APPLIC~1\YSTEM3~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Qyyfxcz] C:\WINDOWS\W?nSxS\w?wexec.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
I appreciate anything you can do to help me out!
Hi monty5012 and welcome to Safer Networking Forums :)
You got some infections there...
Please rename HijackThis.exe to Scanner.exe
Then post a fresh HijackThis (scanner.exe) log here.
monty5012
2006-11-18, 18:03
I renamed HijackThis to scanner.exe and reran it, and here is the logfile:
Logfile of HijackThis v1.99.1
Scan saved at 9:01:31 AM, on 11/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ismini.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
H:\itunes\iTunesHelper.exe
C:\Program Files\Common Files\{B024C537-0948-1033-0905-060825060001}\Update.exe
C:\DOCUME~1\JAREDA~1\APPLIC~1\YSTEM3~1\services.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
G:\hijackthis\scanner.exe.exe
R3 - URLSearchHook: (no name) - {D79856E3-9B2C-91AC-780D-CA896B2C3192} - C:\WINDOWS\system32\tylcfo.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\jkklmkk.dll
O2 - BHO: (no name) - {D79856E3-9B2C-91AC-780D-CA896B2C3192} - C:\WINDOWS\system32\tylcfo.dll
O2 - BHO: (no name) - {DFB30CD1-ED13-4875-8B6E-27ED467B6FEA} - C:\WINDOWS\system32\jkhhe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "H:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsac.dll,startup
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [imii] C:\PROGRA~1\COMMON~1\imii\imiim.exe
O4 - HKCU\..\Run: [Atao] "C:\DOCUME~1\JAREDA~1\APPLIC~1\YSTEM3~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Qyyfxcz] C:\WINDOWS\W?nSxS\w?wexec.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\system32\jkhhe.dll
O20 - Winlogon Notify: jkklmkk - C:\WINDOWS\SYSTEM32\jkklmkk.dll
O20 - Winlogon Notify: wintug32 - C:\WINDOWS\SYSTEM32\wintug32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
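Added example (not part of the thread, and not a HijackThis or Safer Networking tool): a small Python triage script that parses HijackThis-style entry lines and flags the patterns that turn out to matter in the log above (unnamed BHO/URLSearchHook entries loading a DLL straight from system32, Winlogon Notify DLLs, Run keys launching from a user profile, a `?`-masked character in a path, orphaned "file missing" entries). The function names and the rules are mine; the sample lines are copied from the log posted in this thread, with legitimate vendor entries mixed in so the heuristics have something to leave alone.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: entry lines in the shape of the HijackThis v1.99.1
# log posted in this thread (legitimate vendor entries mixed with the
# ones the helper later had removed). The header line is there to show
# that non-entry lines are skipped.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: (no name) - {D79856E3-9B2C-91AC-780D-CA896B2C3192} - C:\WINDOWS\system32\tylcfo.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\jkklmkk.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Atao] "C:\DOCUME~1\JAREDA~1\APPLIC~1\YSTEM3~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Qyyfxcz] C:\WINDOWS\W?nSxS\w?wexec.exe
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\system32\jkhhe.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# A bare file name directly under system32, where Vundo-style DLLs are dropped
SYSTEM32_FILE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
# Anything launched from a user profile (long or 8.3 short form)
USER_PROFILE = re.compile(r"^[a-z]:\\(?:docume~1|documents and settings)\\", re.IGNORECASE)
# First drive-letter path ending in .exe/.dll inside a command line
WIN_PATH = re.compile(r"([a-z]:\\\S+?\.(?:exe|dll))", re.IGNORECASE)


@dataclass
class Entry:
    kind: str   # HijackThis section code: R3, O2, O4, O20, O23, ...
    body: str   # everything after "<kind> - "
    path: str   # file the entry loads or launches (best effort)


def _extract_path(kind: str, body: str) -> str:
    if kind == "O4":
        # Run key: "[Name] command line". Take the quoted program, or the
        # first drive-letter path ending in .exe/.dll; for a rundll32 host
        # that is the DLL being loaded, which is the interesting part.
        cmd = body.split("] ", 1)[1] if "] " in body else body
        quoted = re.search(r'"([^"]+)"', cmd)
        if quoted:
            return quoted.group(1)
        found = WIN_PATH.search(cmd)
        return found.group(1) if found else cmd.split()[0]
    # R3/O2/O3/O20/O23: the file is the last " - " separated field
    return body.rsplit(" - ", 1)[-1].strip()


def parse_hjt_log(text: str) -> list[Entry]:
    """Keep only the Rn/On entry lines; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            kind, body = m.group("kind"), m.group("body")
            entries.append(Entry(kind, body, _extract_path(kind, body)))
    return entries


def suspicious_reasons(entry: Entry) -> list[str]:
    """Heuristics matching what was cleaned in this thread. A hit means
    'review this', not 'malicious': legitimate software can trip them."""
    reasons = []
    path = entry.path
    if "?" in path:
        reasons.append("path contains a non-ASCII character shown as '?' (lookalike folder name)")
    if entry.kind in ("R3", "O2") and "(no name)" in entry.body and SYSTEM32_FILE.match(path):
        reasons.append("unnamed browser hook loading a DLL straight from system32")
    if entry.kind == "O20" and SYSTEM32_FILE.match(path):
        reasons.append("Winlogon Notify DLL in system32 (loads at every logon; classic Vundo persistence)")
    if entry.kind == "O4" and USER_PROFILE.match(path):
        reasons.append("Run key launches an executable from a user profile folder")
    if "(file missing)" in entry.body or "(no file)" in entry.body:
        reasons.append("orphaned entry: registered but the file is gone")
    return reasons


def triage(text: str) -> list[tuple[Entry, list[str]]]:
    """Return the entries worth a second look, each with its reasons."""
    flagged = []
    for entry in parse_hjt_log(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"{entry.kind}: {entry.path}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the sample it flags the five entries that VundoFix and SmitfraudFix later dealt with and leaves the Adobe, Norton and NVIDIA entries alone; the rundll32-hosted `drvsac.dll` entry is the kind these simple rules do not catch, which is why the helper still asks for the tool reports.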
Hi again :)
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm
NOTE: Do not run any other options from SmitfraudFix until I tell you to do so!
monty5012
2006-11-19, 06:01
Mr_JAk3,
I really appreciate your help. I followed your instructions, and here are the logs you requested:
VundoFix V6.2.8
Checking Java version...
Sun Java not detected
Scan started at 8:48:28 PM 11/18/2006
Listing files found while scanning....
C:\WINDOWS\system32\wintug32.dll
C:\WINDOWS\system32\jkhhe.dll
C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.bak1
Beginning removal...
Attempting to delete C:\WINDOWS\system32\wintug32.dll
C:\WINDOWS\system32\wintug32.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkhhe.dll
C:\WINDOWS\system32\jkhhe.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ehhkj.bak1
C:\WINDOWS\system32\ehhkj.bak1 Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of HijackThis v1.99.1
Scan saved at 9:00:09 PM, on 11/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
H:\itunes\iTunesHelper.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Common Files\{B024C537-0948-1033-0905-060825060001}\Update.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\DOCUME~1\JAREDA~1\APPLIC~1\YSTEM3~1\services.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
G:\hijackthis\scanner.exe.exe
R3 - URLSearchHook: (no name) - {D79856E3-9B2C-91AC-780D-CA896B2C3192} - C:\WINDOWS\system32\tylcfo.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt3.dll
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\jkklmkk.dll
O2 - BHO: (no name) - {D79856E3-9B2C-91AC-780D-CA896B2C3192} - C:\WINDOWS\system32\tylcfo.dll
O2 - BHO: (no name) - {DFB30CD1-ED13-4875-8B6E-27ED467B6FEA} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "H:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsac.dll,startup
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [imii] C:\PROGRA~1\COMMON~1\imii\imiim.exe
O4 - HKCU\..\Run: [Atao] "C:\DOCUME~1\JAREDA~1\APPLIC~1\YSTEM3~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Qyyfxcz] C:\WINDOWS\W?nSxS\w?wexec.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: jkklmkk - C:\WINDOWS\SYSTEM32\jkklmkk.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
SmitFraudFix v2.122
Scan done at 20:57:46.50, Sat 11/18/2006
Run from C:\Documents and Settings\Jared and Tina\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\cfltygd.dll FOUND !
C:\WINDOWS\system32\ismini.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\drvsac.dll FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jared and Tina
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jared and Tina\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Hi again :)
Before we continue I would like you to do something for me...
I need you to upload a few malware files for further inspection.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply, then OK, and close My Computer.
Please go here (http://www.uploadmalware.com/) to upload a suspicious file for analysis.
Enter your username from this forum
Copy and paste the link to this thread
Click "Browse" on the first field.
Browse to the following file and click the file with your mouse, press "Open"
C:\WINDOWS\system32\jkklmkk.dll
In the comments, please mention that I asked you to upload this file
Click on Send File
Please let me know when you have done this and then we'll get you cleaned.
monty5012
2006-11-19, 09:52
Just finished uploading the file.
Ok thanks for the upload :)
We'll run VundoFix again:
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files
Copy&Paste the 2 entries below into the top 2 boxes
C:\WINDOWS\system32\jkklmkk.dll
C:\WINDOWS\system32\kkmlkkj.*
Click Add Files and Click Close Window
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
monty5012
2006-11-19, 17:11
Mr_JAk3,
Thanks so much for all your help, I really appreciate how quickly you are responding. Here are those logfiles:
VundoFix V6.2.8
Checking Java version...
Sun Java not detected
Scan started at 8:48:28 PM 11/18/2006
Listing files found while scanning....
C:\WINDOWS\system32\wintug32.dll
C:\WINDOWS\system32\jkhhe.dll
C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.bak1
Beginning removal...
Attempting to delete C:\WINDOWS\system32\wintug32.dll
C:\WINDOWS\system32\wintug32.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkhhe.dll
C:\WINDOWS\system32\jkhhe.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ehhkj.bak1
C:\WINDOWS\system32\ehhkj.bak1 Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.2.8
Checking Java version...
Sun Java not detected
Scan started at 8:01:22 AM 11/19/2006
Listing files found while scanning....
C:\WINDOWS\system32\mljge.dll
C:\WINDOWS\system32\egjlm.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\mljge.dll
C:\WINDOWS\system32\mljge.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\egjlm.ini
C:\WINDOWS\system32\egjlm.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkklmkk.dll
C:\WINDOWS\system32\jkklmkk.dll Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of HijackThis v1.99.1
Scan saved at 8:08:45 AM, on 11/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
H:\itunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\{B024C537-0948-1033-0905-060825060001}\Update.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\DOCUME~1\JAREDA~1\APPLIC~1\YSTEM3~1\services.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
G:\hijackthis\scanner.exe.exe
R3 - URLSearchHook: (no name) - {D79856E3-9B2C-91AC-780D-CA896B2C3192} - C:\WINDOWS\system32\tylcfo.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt3.dll
O2 - BHO: (no name) - {D79856E3-9B2C-91AC-780D-CA896B2C3192} - C:\WINDOWS\system32\tylcfo.dll
O2 - BHO: (no name) - {DFB30CD1-ED13-4875-8B6E-27ED467B6FEA} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {EC90C30E-66F6-43EA-971F-8519222B11D7} - C:\WINDOWS\system32\mljge.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "H:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsac.dll,startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [imii] C:\PROGRA~1\COMMON~1\imii\imiim.exe
O4 - HKCU\..\Run: [Atao] "C:\DOCUME~1\JAREDA~1\APPLIC~1\YSTEM3~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Qyyfxcz] C:\WINDOWS\W?nSxS\w?wexec.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Hi again, we'll continue :)
Sorry for the delay...
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================
Open Control Panel -> Add/Remove programs -> Remove all of the following or similar entries if found:
Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga
and any other programs you didn't install or don't recognize - if you're not sure please ask first
Download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe
Tutorial for the uninstaller if needed (http://www.outerinfo.com/howto.html)
Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.
Update.exe
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R3 - URLSearchHook: (no name) - {D79856E3-9B2C-91AC-780D-CA896B2C3192} - C:\WINDOWS\system32\tylcfo.dll
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt3.dll
O2 - BHO: (no name) - {D79856E3-9B2C-91AC-780D-CA896B2C3192} - C:\WINDOWS\system32\tylcfo.dll
O2 - BHO: (no name) - {DFB30CD1-ED13-4875-8B6E-27ED467B6FEA} - C:\WINDOWS\system32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {EC90C30E-66F6-43EA-971F-8519222B11D7} - C:\WINDOWS\system32\mljge.dll (file missing)
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsac.dll,startup
O4 - HKCU\..\Run: [imii] C:\PROGRA~1\COMMON~1\imii\imiim.exe
O4 - HKCU\..\Run: [Atao] "C:\DOCUME~1\JAREDA~1\APPLIC~1\YSTEM3~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Qyyfxcz] C:\WINDOWS\W?nSxS\w?wexec.exe
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\tylcfo.dll
C:\WINDOWS\system32\drvsac.dll
Go to the My Computer and delete the following folders (if present):
C:\Program Files\Common Files\imii
C:\Program Files\Common Files\{B024C537-0948-1033-0905-060825060001}
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.
Restart the computer to the safe mode again.
Run ATF Cleaner
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
- contents of C:\Rapport.txt
- combofix log
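An added example, not from this thread, HijackThis or any of the tools named above: a small Python triage script that applies the same selection criteria the helper used on the log (unnamed BHOs and URLSearchHooks, orphaned CLSIDs, a system binary name running from a user profile, rundll32 autoruns loading an unrecognised DLL) and unmasks the look-alike folder names (W?nSxS, ?ystem32) that HijackThis prints with '?' and the AVG report shows with their real non-ASCII letters. The confusable table, the known-good rundll32 DLL list and the Unicode code points assumed for the AVG report paths are my assumptions; the sample lines are copied from the HijackThis log above.

```python
"""Triage heuristics for HijackThis-style log lines (added example)."""
import re
import unicodedata

# Constructed look-alike table. The code points for the letters in the AVG
# report above (W?nSxS, ?ystem32) are assumed, plus a few common Cyrillic ones.
CONFUSABLES = {
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}
# Windows system binaries that never legitimately run from a user profile.
SYSTEM_BINARY_NAMES = {"services.exe", "svchost.exe", "lsass.exe",
                       "winlogon.exe", "csrss.exe", "explorer.exe"}
USER_PROFILE_MARKERS = ("\\application data\\", "\\applic~1\\",
                        "\\docume~1\\", "\\documents and settings\\")
# rundll32 payloads verified as the NVIDIA driver's own (constructed from this log).
KNOWN_GOOD_RUNDLL = {"nvcpl.dll", "nvmctray.dll"}

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"\b(?:https?|res)://\S+")   # URLs may legitimately hold '?'
DLL_RE = re.compile(r"([\w~.-]+\.dll)")
EXE_RE = re.compile(r"([\w~.-]+\.exe)")


def unmask_path(path):
    """Map look-alike letters back to ASCII; return (ascii_path, findings).
    findings holds (char, Unicode name) per substituted letter."""
    ascii_chars, findings = [], []
    for ch in path:
        if ord(ch) < 128:
            ascii_chars.append(ch)
        else:
            findings.append((ch, unicodedata.name(ch, "UNKNOWN")))
            ascii_chars.append(CONFUSABLES.get(ch, "?"))
    return "".join(ascii_chars), findings


def triage_entry(line):
    """Return the reasons one log line deserves review (empty list if none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    lowered = URL_RE.sub("", body).lower()
    reasons = []
    if kind in ("O2", "R3") and "(no name)" in body:
        reasons.append("unnamed BHO/URLSearchHook: legitimate add-ons carry a name")
    if "(file missing)" in body:
        reasons.append("orphaned CLSID: the registry points at a file that is gone")
    if "?" in lowered:
        reasons.append("'?' in a file path: HijackThis could not print a non-ASCII "
                       "letter, typical of look-alike folder names")
    if any(ord(c) > 127 for c in body):
        ascii_path, findings = unmask_path(body)
        reasons.append("non-ASCII letters in path, looks like %r (%s)"
                       % (ascii_path, "; ".join(n for _, n in findings)))
    if kind == "O4":
        if (set(EXE_RE.findall(lowered)) & SYSTEM_BINARY_NAMES
                and any(mk in lowered for mk in USER_PROFILE_MARKERS)):
            reasons.append("system binary name running from a user profile folder")
        dll = DLL_RE.search(lowered) if "rundll32" in lowered else None
        if dll and dll.group(1) not in KNOWN_GOOD_RUNDLL:
            reasons.append("rundll32 autorun loads an unrecognised DLL: " + dll.group(1))
    # Note: the helper's [imii] pick trips none of these checks; judgement still counts.
    return reasons


def triage_log(text):
    """Return {line: reasons} for every entry that tripped at least one check."""
    hits = {}
    for line in text.splitlines():
        reasons = triage_entry(line)
        if reasons:
            hits[line.strip()] = reasons
    return hits


# Sample lines copied from the HijackThis log above; the last one is a
# constructed reproduction of the AVG report path with the assumed code point.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - {D79856E3-9B2C-91AC-780D-CA896B2C3192} - C:\\WINDOWS\\system32\\tylcfo.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {DFB30CD1-ED13-4875-8B6E-27ED467B6FEA} - C:\\WINDOWS\\system32\\jkhhe.dll (file missing)
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [CTDrive] rundll32.exe C:\\WINDOWS\\system32\\drvsac.dll,startup
O4 - HKCU\\..\\Run: [Atao] "C:\\DOCUME~1\\JAREDA~1\\APPLIC~1\\YSTEM3~1\\services.exe" -vt yazb
O4 - HKCU\\..\\Run: [Qyyfxcz] C:\\WINDOWS\\W?nSxS\\w?wexec.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O4 - HKCU\\..\\Run: [Atao] "C:\\Documents and Settings\\Jared and Tina\\Application Data\\\u0455ystem32\\services.exe" -vt yazb
"""

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   ->", reason)
```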
monty5012
2006-11-21, 04:05
Alright, lots of work, but here is everything:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 6:58:25 PM 11/20/2006
+ Scan result:
C:\System Volume Information\_restore{3F916D46-B8F1-4DF2-B396-7FBC1FCA30A8}\RP69\A0029668.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\WіnSxS\wοwexec_exe.vir -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3F916D46-B8F1-4DF2-B396-7FBC1FCA30A8}\RP69\A0029688.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3F916D46-B8F1-4DF2-B396-7FBC1FCA30A8}\RP69\A0029689.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00008003.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\jkklmkk.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\awtrqpq.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wvuvvtu.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\Jared and Tina\Application Data\ѕystem32\services.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3F916D46-B8F1-4DF2-B396-7FBC1FCA30A8}\RP69\A0029671.exe -> Downloader.Zlob.axt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3F916D46-B8F1-4DF2-B396-7FBC1FCA30A8}\RP69\A0029670.dll -> Not-A-Virus.Hoax.Win32.Renos.ap : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3F916D46-B8F1-4DF2-B396-7FBC1FCA30A8}\RP69\A0029676.dll -> Not-A-Virus.Hoax.Win32.Renos.fa : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3F916D46-B8F1-4DF2-B396-7FBC1FCA30A8}\RP69\A0029686.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned with backup (quarantined).
C:\VundoFix Backups\wintug32.dll.bad -> Trojan.Agent.neq : Cleaned with backup (quarantined).
::Report end
Logfile of HijackThis v1.99.1
Scan saved at 7:04:17 PM, on 11/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
H:\itunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
G:\hijackthis\scanner.exe.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "H:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
SmitFraudFix v2.122
Scan done at 18:35:13.62, Mon 11/20/2006
Run from C:\Documents and Settings\Jared and Tina\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\cfltygd.dll Deleted
C:\WINDOWS\system32\ismini.exe Deleted
C:\WINDOWS\system32\issearch.exe Deleted
C:\WINDOWS\system32\ixt?.dll Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
monty5012
2006-11-21, 04:17
Jared and Tina - 06-11-20 19:01:21.23 Service Pack 2
ComboFix 06.11.19 - Running from: "C:\Documents and Settings\Jared and Tina\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\components
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Documents and Settings\Jared and Tina\Application Data\CROSOF~1
C:\QooBox\Purity\Documents and Settings\Jared and Tina\Application Data\YSTEM3~1
C:\QooBox\Purity\Documents and Settings\Jared and Tina\Application Data\YSTEM3~1\?ystem32
C:\QooBox\Purity\Program Files\CROSOF~1
C:\QooBox\Purity\Program Files\PPATCH~1
C:\QooBox\Purity\Program Files\PPPATC~1
C:\QooBox\Purity\Program Files\Common Files\DOBE~1
C:\QooBox\Purity\WINDOWS\WNSXS~1
C:\QooBox\Purity\WINDOWS\WNSXS~1\w?wexec_exe.vir0
((((((((((((((((((((((((((((((( Files Created from 2006-10-20 to 2006-11-20 ))))))))))))))))))))))))))))))))))
2006-11-20 18:35 4,334 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-20 18:20 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-20 18:20 <DIR> d-------- C:\Program Files\Grisoft
2006-11-19 13:12 <DIR> d-------- C:\Program Files\Common Files\Adobe
2006-11-19 13:11 <DIR> d--hs---- C:\Config.Msi
2006-11-19 13:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2006-11-18 20:57 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-18 20:57 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-18 20:57 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-18 20:57 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-18 20:48 <DIR> d-------- C:\VundoFix Backups
2006-11-18 15:28 <DIR> d-------- C:\Documents and Settings\Jared and Tina\Application Data\AdobeUM
2006-11-17 23:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-17 22:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2006-11-17 21:47 <DIR> d-------- C:\Documents and Settings\Jared and Tina\Application Data\Uniblue
2006-11-17 21:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-17 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-17 20:43 126,996 --a------ C:\WINDOWS\system32\rmblyyae.dll
2006-11-11 23:21 <DIR> d-------- C:\Documents and Settings\Jared and Tina\Application Data\BitTorrent
2006-11-11 23:20 <DIR> d-------- C:\Program Files\BitTorrent
2006-11-10 23:14 <DIR> dr-h----- C:\Documents and Settings\Jared and Tina\Application Data\SecuROM
2006-11-03 18:50 <DIR> d-------- C:\Documents and Settings\Jared and Tina\Jared and Tina
2006-11-03 18:50 <DIR> d-------- C:\Documents and Settings\Jared and Tina\Application Data\Adobe
2006-11-03 18:41 <DIR> d-------- C:\Program Files\Java Web Start
2006-11-03 18:40 <DIR> d--h----- C:\WINDOWS\PIF
2006-11-03 18:35 <DIR> d-------- C:\WINDOWS\Performance
2006-11-03 18:32 <DIR> d-------- C:\Program Files\Adobe
2006-11-03 18:31 <DIR> dr------- C:\WINDOWS\AsDmiHtm
2006-11-03 18:15 5,685 -ra------ C:\WINDOWS\system32\drivers\AsIO.sys
2006-11-03 18:15 5,120 --a------ C:\WINDOWS\system32\drivers\AsInsHelp64.sys
2006-11-03 18:15 3,328 --a------ C:\WINDOWS\system32\drivers\AsInsHelp32.sys
2006-11-03 18:15 24,576 -ra------ C:\WINDOWS\system32\AsIO.dll
2006-11-03 18:15 12,800 --a------ C:\WINDOWS\BS_DEF.sys
2006-11-03 18:15 <DIR> d-------- C:\Program Files\ASUS
2006-11-03 18:00 <DIR> dr-h----- C:\Documents and Settings\Jared and Tina\Recent
2006-11-02 22:57 <DIR> d-------- C:\Program Files\iPod
2006-11-02 22:56 <DIR> d-------- C:\Program Files\Apple Software Update
2006-11-02 22:46 <DIR> d-------- C:\Program Files\QuickTime
2006-11-02 22:46 <DIR> d-------- C:\Documents and Settings\Jared and Tina\Application Data\Apple Computer
2006-11-02 22:45 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2006-11-02 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2006-11-02 22:12 <DIR> d-------- C:\Documents and Settings\Jared and Tina\Application Data\DivX
2006-11-02 22:11 20,640 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2006-11-02 22:11 109,568 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-11-02 22:11 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2006-11-02 22:11 <DIR> d-------- C:\Program Files\DivX
2006-11-02 18:53 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-11-02 18:34 <DIR> dr--s---- C:\WINDOWS\assembly
2006-11-02 18:34 <DIR> d-------- C:\WINDOWS\Microsoft.NET
2006-11-01 21:48 24,576 --a------ C:\WINDOWS\system32\STKIT432.DLL
2006-11-01 21:48 <DIR> d-------- C:\Program Files\Registry Mechanic
2006-11-01 21:36 <DIR> d-------- C:\Program Files\SiSoftware
2006-10-29 20:22 <DIR> d-------- C:\Program Files\SymNetDrv
2006-10-29 18:14 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2006-10-28 18:19 <DIR> d-------- C:\Documents and Settings\Jared and Tina\Application Data\Share-to-Web Upload Folder
2006-10-28 18:18 35,840 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2006-10-28 18:18 <DIR> d-------- C:\Program Files\HP Photosmart 11
2006-10-28 18:18 <DIR> d-------- C:\Program Files\Hewlett-Packard
2006-10-28 18:17 50,896 -ra------ C:\WINDOWS\system32\drivers\hphid411.sys
2006-10-28 18:17 50,276 -ra------ C:\WINDOWS\system32\drivers\hphs2k11.sys
2006-10-28 18:17 356,352 --------- C:\WINDOWS\system32\hphc3204.dll
2006-10-28 18:17 18,928 -ra------ C:\WINDOWS\system32\drivers\hphius11.sys
2006-10-28 18:17 16,112 -ra------ C:\WINDOWS\system32\drivers\hphipr11.sys
2006-10-28 18:16 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2006-10-28 18:15 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2006-10-28 18:14 <DIR> d-------- C:\WINDOWS\ShellNew
2006-10-28 18:14 <DIR> d-------- C:\Program Files\Microsoft Office
2006-10-28 18:14 <DIR> d-------- C:\Program Files\Common Files\Designer
2006-10-28 11:26 271,360 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2006-10-28 11:26 18,048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2006-10-28 09:58 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2006-10-28 09:58 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-10-28 09:58 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2006-10-28 09:58 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-10-28 09:58 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2006-10-28 09:58 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2006-10-28 09:58 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2006-10-28 08:54 26,496 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-10-28 08:50 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2006-10-28 08:50 <DIR> d-------- C:\WINDOWS\system32\windows media
2006-10-28 08:50 <DIR> d-------- C:\Program Files\Windows Media Components
2006-10-28 08:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-10-28 08:37 5,632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys
2006-10-28 08:37 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2006-10-28 08:37 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys
2006-10-28 08:37 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2006-10-28 08:22 <DIR> d-------- C:\Program Files\Prime95
2006-10-28 08:18 <DIR> d-------- C:\WINDOWS\pss
2006-10-28 08:16 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2006-10-28 01:59 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2006-10-28 01:59 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2006-10-28 01:59 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2006-10-28 01:59 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-10-28 01:59 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2006-10-28 01:59 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2006-10-28 01:59 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2006-10-28 01:59 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2006-10-28 01:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2006-10-28 01:59 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2006-10-28 01:59 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2006-10-28 01:59 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2006-10-28 01:59 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2006-10-28 01:58 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2006-10-28 01:58 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-10-28 01:58 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2006-10-28 01:58 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2006-10-28 01:58 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-10-28 01:58 2,944 --a------ C:\WINDOWS\system32\drivers\msmpu401.sys
2006-10-28 01:58 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2006-10-28 01:58 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys
2006-10-28 01:57 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL
2006-10-28 01:57 9,008 --a------ C:\WINDOWS\system\VER.DLL
2006-10-28 01:57 85,020 --a------ C:\WINDOWS\system32\dgsetup.dll
2006-10-28 01:57 82,944 --a------ C:\WINDOWS\system\OLECLI.DLL
2006-10-28 01:57 8,704 --a------ C:\WINDOWS\system32\batt.dll
2006-10-28 01:57 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll
2006-10-28 01:57 74,752 --a------ C:\WINDOWS\system32\storprop.dll
2006-10-28 01:57 7,168 -ra------ C:\WINDOWS\system32\kbdcz.dll
2006-10-28 01:57 69,584 --a------ C:\WINDOWS\system\AVICAP.DLL
2006-10-28 01:57 69,120 --a------ C:\WINDOWS\NOTEPAD.EXE
2006-10-28 01:57 68,768 --a------ C:\WINDOWS\system\MMSYSTEM.DLL
2006-10-28 01:57 6,656 -ra------ C:\WINDOWS\system32\kbdycl.dll
2006-10-28 01:57 6,656 -ra------ C:\WINDOWS\system32\kbdsl1.dll
2006-10-28 01:57 6,656 -ra------ C:\WINDOWS\system32\kbdsl.dll
2006-10-28 01:57 6,656 -ra------ C:\WINDOWS\system32\kbdpl.dll
2006-10-28 01:57 6,656 -ra------ C:\WINDOWS\system32\kbdhu.dll
2006-10-28 01:57 6,656 -ra------ C:\WINDOWS\system32\kbdhela3.dll
2006-10-28 01:57 6,656 -ra------ C:\WINDOWS\system32\kbdcz2.dll
2006-10-28 01:57 6,656 -ra------ C:\WINDOWS\system32\kbdcz1.dll
2006-10-28 01:57 6,656 -ra------ C:\WINDOWS\system32\kbdcr.dll
2006-10-28 01:57 6,656 -ra------ C:\WINDOWS\system32\KBDAL.DLL
2006-10-28 01:57 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll
2006-10-28 01:57 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll
2006-10-28 01:57 6,144 -ra------ C:\WINDOWS\system32\kbdlv1.dll
2006-10-28 01:57 6,144 -ra------ C:\WINDOWS\system32\kbdlv.dll
2006-10-28 01:57 6,144 -ra------ C:\WINDOWS\system32\kbdhela2.dll
2006-10-28 01:57 6,144 -ra------ C:\WINDOWS\system32\kbdgkl.dll
2006-10-28 01:57 6,144 -ra------ C:\WINDOWS\system32\kbdest.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdycc.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbduzb.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdur.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdtat.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdru1.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdru.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdro.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdpl1.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdmon.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdlt1.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdlt.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdkyr.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdkaz.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdhu1.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdhe319.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdhe220.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdhe.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdbu.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdblr.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll
2006-10-28 01:57 5,632 -ra------ C:\WINDOWS\system32\kbdaze.dll
2006-10-28 01:57 5,120 --a------ C:\WINDOWS\system\SHELL.DLL
2006-10-28 01:57 32,816 --a------ C:\WINDOWS\system\COMMDLG.DLL
2006-10-28 01:57 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-10-28 01:57 24,064 --a------ C:\WINDOWS\system\OLESVR.DLL
2006-10-28 01:57 19,200 --a------ C:\WINDOWS\system\TAPI.DLL
2006-10-28 01:57 176,157 --a------ C:\WINDOWS\system32\dgrpsetu.dll
2006-10-28 01:57 15,360 --a------ C:\WINDOWS\TASKMAN.EXE
2006-10-28 01:57 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-10-28 01:57 126,912 --a------ C:\WINDOWS\system\MSVIDEO.DLL
2006-10-28 01:57 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2006-10-28 01:57 109,456 --a------ C:\WINDOWS\system\AVIFILE.DLL
2006-10-28 01:57 103,424 --a------ C:\WINDOWS\system32\EqnClass.Dll
2006-10-28 01:57 <DIR> dr------- C:\Program Files\Common Files\..
2006-10-28 01:57 <DIR> dr------- C:\Program Files\.
2006-10-28 01:57 <DIR> dr------- C:\Program Files
2006-10-28 01:57 <DIR> d--hs---- C:\WINDOWS\Installer
2006-10-28 01:57 <DIR> d--hs---- C:\Program Files\..
2006-10-28 01:57 <DIR> d-------- C:\Program Files\Common Files\SpeechEngines
2006-10-28 01:57 <DIR> d-------- C:\Program Files\Common Files\ODBC
2006-10-28 01:57 <DIR> d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-28 01:57 <DIR> d-------- C:\Program Files\Common Files\.
2006-10-28 01:57 <DIR> d-------- C:\Program Files\Common Files
2006-10-28 01:56 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data\.
2006-10-28 01:56 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data
2006-10-28 01:56 <DIR> dr------- C:\Documents and Settings\All Users\Start Menu
2006-10-28 01:56 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2006-10-28 01:56 <DIR> d--hs---- C:\System Volume Information
2006-10-28 01:56 <DIR> d--h----- C:\Documents and Settings\All Users\Templates
2006-10-28 01:56 <DIR> d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2006-10-28 01:56 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2006-10-28 01:56 <DIR> d-------- C:\WINDOWS\system32\CatRoot
2006-10-28 01:56 <DIR> d-------- C:\Documents and Settings\All Users\Favorites
2006-10-28 01:56 <DIR> d-------- C:\Documents and Settings\All Users\Desktop
2006-10-28 01:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\..
2006-10-28 01:56 <DIR> d-------- C:\Documents and Settings\All Users\..
2006-10-28 01:56 <DIR> d-------- C:\Documents and Settings\All Users\.
2006-10-28 01:56 <DIR> d-------- C:\Documents and Settings
2006-10-28 01:50 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache
2006-10-28 01:50 <DIR> dr--s---- C:\WINDOWS\Fonts
2006-10-28 01:50 <DIR> dr------- C:\WINDOWS\Web
2006-10-28 01:50 <DIR> d--hs---- C:\WINDOWS\..
2006-10-28 01:50 <DIR> d--h----- C:\WINDOWS\inf
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\WinSxS
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\twain_32
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\Temp
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\wins
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\wbem
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\usmt
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\spool
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\ShellExt
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\Setup
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\ras
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\oobe
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\npp
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\mui
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\inetsrv
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\IME
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\icsxml
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\ias
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\export
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\drivers\etc
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\drivers\disdn
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\drivers\..
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\drivers\.
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\drivers
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\dhcp
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\config
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\3com_dmi
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\3076
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\2052
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\1054
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\1042
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\1041
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\1037
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\1033
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\1031
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\1028
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\1025
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\..
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32\.
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system32
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system\..
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system\.
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\system
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\security
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\Resources
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\repair
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\Provisioning
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\PeerNet
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\pchealth
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\mui
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\msapps
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\msagent
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\Media
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\java
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\ime
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\Help
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\ehome
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\Driver Cache
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\Debug
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\Cursors
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\Connection Wizard
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\Config
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\AppPatch
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\addins
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS\.
2006-10-28 01:50 <DIR> d-------- C:\WINDOWS
monty5012
2006-11-21, 04:20
2006-10-27 23:19 <DIR> d-------- C:\Program Files\WinRAR
2006-10-27 23:04 <DIR> d-------- C:\Documents and Settings\Jared and Tina\Application Data\Macromedia
2006-10-27 21:20 <DIR> d-------- C:\Program Files\Western Digital
2006-10-27 21:10 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-10-27 21:10 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2006-10-27 21:09 <DIR> d---s---- C:\Documents and Settings\Jared and Tina\UserData
2006-10-27 21:01 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2006-10-27 08:51 143,360 --a------ C:\WINDOWS\GTRemove.exe
2006-10-27 08:51 <DIR> d-------- C:\Program Files\Actiontec
2006-10-27 08:45 <DIR> d-------- C:\WINDOWS\system32\System
2006-10-27 08:44 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
2006-10-27 08:44 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2006-10-27 08:44 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
2006-10-27 08:44 17,005 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2006-10-27 08:42 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-10-27 08:42 2,397 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-10-27 08:42 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-10-27 08:42 <DIR> d-------- C:\Program Files\Symantec
2006-10-27 08:42 <DIR> d-------- C:\Program Files\Norton SystemWorks
2006-10-27 08:42 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-27 08:42 <DIR> d-------- C:\Documents and Settings\Jared and Tina\Application Data\Symantec
2006-10-27 08:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2006-10-27 08:39 <DIR> d--hs---- C:\RECYCLER
2006-10-27 08:38 41,984 --------- C:\WINDOWS\Ctregrun.exe
2006-10-27 08:37 90,112 --------- C:\WINDOWS\Updreg.EXE
2006-10-27 08:37 81,920 --a------ C:\WINDOWS\system32\OpenAL32.dll
2006-10-27 08:37 233,472 --a------ C:\WINDOWS\system32\wrap_oal.dll
2006-10-27 08:37 <DIR> d-------- C:\WINDOWS\system32\Defaults
2006-10-27 08:36 77,824 --------- C:\WINDOWS\system32\ctdvda32.dll
2006-10-27 08:36 11,776 --a------ C:\WINDOWS\INRES.DLL
2006-10-27 08:36 10,240 --a------ C:\WINDOWS\CTDCRES.DLL
2006-10-27 08:36 <DIR> d-------- C:\WINDOWS\system32\Data
2006-10-27 08:36 <DIR> d-------- C:\Documents and Settings\Jared and Tina\Application Data\Creative
2006-10-27 08:35 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2006-10-27 08:35 <DIR> d-------- C:\Program Files\Creative
2006-10-27 08:34 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2006-10-27 08:31 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2006-10-27 08:31 <DIR> d-------- C:\WINDOWS\nview
2006-10-27 08:29 67,200 -ra------ C:\WINDOWS\system32\drivers\SI3132.sys
2006-10-27 08:29 10,368 -ra------ C:\WINDOWS\system32\drivers\SiWinAcc.sys
2006-10-27 08:29 <DIR> d-------- C:\Program Files\Marvell
2006-10-27 08:27 93,568 -ra------ C:\WINDOWS\system32\drivers\nvata.sys
2006-10-27 08:27 9,728 -ra------ C:\WINDOWS\system32\bdco1ins.dll
2006-10-27 08:27 9,728 -ra------ C:\WINDOWS\system32\bdco1.dll
2006-10-27 08:27 466,944 --a------ C:\WINDOWS\system32\CapabilityTable.exe
2006-10-27 08:27 34,304 -ra------ C:\WINDOWS\system32\nvconrm.dll
2006-10-27 08:27 34,048 -ra------ C:\WINDOWS\system32\drivers\NVENETFD.sys
2006-10-27 08:27 33,280 -ra------ C:\WINDOWS\system32\NVCOI.DLL
2006-10-27 08:27 301,312 -ra------ C:\WINDOWS\system32\drivers\nvnrm.sys
2006-10-27 08:27 289,792 -ra------ C:\WINDOWS\system32\idecoins.dll
2006-10-27 08:27 289,792 -ra------ C:\WINDOWS\system32\idecoi.dll
2006-10-27 08:27 222,464 -ra------ C:\WINDOWS\system32\drivers\nvsnpu.sys
2006-10-27 08:27 208,896 --a------ C:\WINDOWS\system32\nvusmb.exe
2006-10-27 08:27 208,896 --a------ C:\WINDOWS\system32\nvunrm.exe
2006-10-27 08:27 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2006-10-27 08:27 208,896 --a------ C:\WINDOWS\system32\nvuide.exe
2006-10-27 08:27 202,240 -ra------ C:\WINDOWS\system32\fdco1ins.dll
2006-10-27 08:27 202,240 -ra------ C:\WINDOWS\system32\fdco1.dll
2006-10-27 08:27 13,056 -ra------ C:\WINDOWS\system32\drivers\nvnetbus.sys
2006-10-27 08:27 101,632 -ra------ C:\WINDOWS\system32\drivers\nvtcp.sys
2006-10-27 08:27 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2006-10-27 08:27 <DIR> d-------- C:\WINDOWS\NV20201992.TMP
2006-10-27 08:27 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2006-10-27 08:26 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2006-10-27 08:26 5,810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys
2006-10-27 08:26 <DIR> d-------- C:\WINDOWS\ASUSInstAll
2006-10-27 08:25 <DIR> dr-h----- C:\Documents and Settings\Jared and Tina\SendTo
2006-10-27 08:25 <DIR> dr-h----- C:\Documents and Settings\Jared and Tina\Application Data\.
2006-10-27 08:25 <DIR> dr-h----- C:\Documents and Settings\Jared and Tina\Application Data
2006-10-27 08:25 <DIR> dr------- C:\Documents and Settings\Jared and Tina\Start Menu
2006-10-27 08:25 <DIR> dr------- C:\Documents and Settings\Jared and Tina\My Documents
2006-10-27 08:25 <DIR> dr------- C:\Documents and Settings\Jared and Tina\Favorites
2006-10-27 08:25 <DIR> d--h----- C:\Program Files\Uninstall Information
2006-10-27 08:25 <DIR> d--h----- C:\Documents and Settings\Jared and Tina\Templates
2006-10-27 08:25 <DIR> d--h----- C:\Documents and Settings\Jared and Tina\PrintHood
2006-10-27 08:25 <DIR> d--h----- C:\Documents and Settings\Jared and Tina\NetHood
2006-10-27 08:25 <DIR> d--h----- C:\Documents and Settings\Jared and Tina\Local Settings
2006-10-27 08:25 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2006-10-27 08:25 <DIR> d---s---- C:\Documents and Settings\Jared and Tina\Cookies
2006-10-27 08:25 <DIR> d---s---- C:\Documents and Settings\Jared and Tina\Application Data\Microsoft
2006-10-27 08:25 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2006-10-27 08:25 <DIR> d-------- C:\WINDOWS\Prefetch
2006-10-27 08:25 <DIR> d-------- C:\Documents and Settings\Jared and Tina\Desktop
2006-10-27 08:25 <DIR> d-------- C:\Documents and Settings\Jared and Tina\Application Data\Identities
2006-10-27 08:25 <DIR> d-------- C:\Documents and Settings\Jared and Tina\Application Data\..
2006-10-27 08:25 <DIR> d-------- C:\Documents and Settings\Jared and Tina\..
2006-10-27 08:25 <DIR> d-------- C:\Documents and Settings\Jared and Tina\.
2006-10-27 08:15 112,128 --a------ C:\WINDOWS\system32\mapi32.dll
2006-10-27 08:15 0 -rahs---- C:\MSDOS.SYS
2006-10-27 08:15 0 -rahs---- C:\IO.SYS
2006-10-27 08:15 0 --a------ C:\CONFIG.SYS
2006-10-27 08:15 0 --a------ C:\AUTOEXEC.BAT
2006-10-27 08:15 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2006-10-27 08:15 <DIR> d-------- C:\WINDOWS\system32\xircom
2006-10-27 08:15 <DIR> d-------- C:\Program Files\xerox
2006-10-27 08:15 <DIR> d-------- C:\Program Files\microsoft frontpage
2006-10-27 08:14 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2006-10-27 08:14 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2006-10-27 08:14 64,512 --a------ C:\WINDOWS\system32\acctres.dll
2006-10-27 08:14 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2006-10-27 08:14 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2006-10-27 08:14 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-10-27 08:14 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2006-10-27 08:14 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-10-27 08:14 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-10-27 08:14 173,536 --a------ C:\WINDOWS\system32\wuweb.dll
2006-10-27 08:14 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-10-27 08:14 16,384 --a------ C:\WINDOWS\system32\icfgnt5.dll
2006-10-27 08:14 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2006-10-27 08:14 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-10-27 08:14 12,288 --a------ C:\WINDOWS\system32\nmevtmsg.dll
2006-10-27 08:14 11,264 --a------ C:\WINDOWS\system32\atrace.dll
2006-10-27 08:14 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-10-27 08:14 <DIR> dr------- C:\WINDOWS\Offline Web Pages
2006-10-27 08:14 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2006-10-27 08:14 <DIR> d--h----- C:\Program Files\WindowsUpdate
2006-10-27 08:14 <DIR> d---s---- C:\WINDOWS\Tasks
2006-10-27 08:14 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2006-10-27 08:14 <DIR> d-------- C:\WINDOWS\system32\Macromed
2006-10-27 08:14 <DIR> d-------- C:\WINDOWS\system32\DirectX
2006-10-27 08:14 <DIR> d-------- C:\WINDOWS\srchasst
2006-10-27 08:14 <DIR> d-------- C:\Program Files\Common Files\Services
2006-10-27 08:14 <DIR> d-------- C:\Program Files\Common Files\MSSoap
2006-10-27 08:13 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2006-10-27 08:13 81,920 --a------ C:\WINDOWS\system32\ils.dll
2006-10-27 08:13 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2006-10-27 08:13 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2006-10-27 08:13 73,216 --a------ C:\WINDOWS\system32\avwav.dll
2006-10-27 08:13 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2006-10-27 08:13 679,424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-10-27 08:13 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2006-10-27 08:13 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2006-10-27 08:13 5,632 --a------ C:\WINDOWS\system32\write.exe
2006-10-27 08:13 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2006-10-27 08:13 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2006-10-27 08:13 44,544 --a------ C:\WINDOWS\system32\hticons.dll
2006-10-27 08:13 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2006-10-27 08:13 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2006-10-27 08:13 35,328 --a------ C:\WINDOWS\system32\winchat.exe
2006-10-27 08:13 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2006-10-27 08:13 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2006-10-27 08:13 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2006-10-27 08:13 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2006-10-27 08:13 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2006-10-27 08:13 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2006-10-27 08:13 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2006-10-27 08:13 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2006-10-27 08:13 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2006-10-27 08:13 23,040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-10-27 08:13 227,840 --a------ C:\WINDOWS\system32\avtapi.dll
2006-10-27 08:13 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2006-10-27 08:13 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2006-10-27 08:13 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-10-27 08:13 16,384 --a------ C:\WINDOWS\system32\avmeter.dll
2006-10-27 08:13 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2006-10-27 08:13 128,896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-10-27 08:13 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2006-10-27 08:13 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2006-10-27 08:13 <DIR> d-------- C:\WINDOWS\system32\Restore
2006-10-27 08:13 <DIR> d-------- C:\WINDOWS\Registration
2006-10-27 08:13 <DIR> d-------- C:\Program Files\Windows Media Player
2006-10-27 08:13 <DIR> d-------- C:\Program Files\Outlook Express
2006-10-27 08:13 <DIR> d-------- C:\Program Files\Online Services
2006-10-27 08:13 <DIR> d-------- C:\Program Files\NetMeeting
2006-10-27 08:13 <DIR> d-------- C:\Program Files\MSN Gaming Zone
2006-10-27 08:13 <DIR> d-------- C:\Program Files\Movie Maker
2006-10-27 08:13 <DIR> d-------- C:\Program Files\Messenger
2006-10-27 08:13 <DIR> d-------- C:\Program Files\Internet Explorer
2006-10-27 08:13 <DIR> d-------- C:\Program Files\ComPlus Applications
2006-10-27 08:13 <DIR> d-------- C:\Program Files\Common Files\System
2006-10-27 08:12 97,792 --a------ C:\WINDOWS\system32\comrepl.dll
2006-10-27 08:12 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-10-27 08:12 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2006-10-27 08:12 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-10-27 08:12 9,728 --a------ C:\WINDOWS\system32\reset.exe
2006-10-27 08:12 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2006-10-27 08:12 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2006-10-27 08:12 80,384 --a------ C:\WINDOWS\system32\charmap.exe
2006-10-27 08:12 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2006-10-27 08:12 655,360 --a------ C:\WINDOWS\system32\mstscax.dll
2006-10-27 08:12 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-10-27 08:12 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2006-10-27 08:12 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2006-10-27 08:12 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2006-10-27 08:12 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2006-10-27 08:12 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2006-10-27 08:12 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2006-10-27 08:12 58,880 --a------ C:\WINDOWS\system32\licwmi.dll
2006-10-27 08:12 56,832 --a------ C:\WINDOWS\system32\sol.exe
2006-10-27 08:12 56,320 --a------ C:\WINDOWS\system32\servdeps.dll
2006-10-27 08:12 55,296 --a------ C:\WINDOWS\system32\freecell.exe
2006-10-27 08:12 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2006-10-27 08:12 54,272 --a------ C:\WINDOWS\system32\stclient.dll
2006-10-27 08:12 538,624 --a------ C:\WINDOWS\system32\spider.exe
2006-10-27 08:12 5,120 --a------ C:\WINDOWS\system32\dcomcnfg.exe
2006-10-27 08:12 498,688 --a------ C:\WINDOWS\system32\clbcatq.dll
2006-10-27 08:12 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2006-10-27 08:12 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-10-27 08:12 407,552 --a------ C:\WINDOWS\system32\mstsc.exe
2006-10-27 08:12 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2006-10-27 08:12 4,096 --a------ C:\WINDOWS\system32\rdpcfgex.dll
2006-10-27 08:12 4,096 --a------ C:\WINDOWS\system32\mtxex.dll
2006-10-27 08:12 38,912 --a------ C:\WINDOWS\system32\cfgbkend.dll
2006-10-27 08:12 347,136 --a------ C:\WINDOWS\system32\hypertrm.dll
2006-10-27 08:12 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2006-10-27 08:12 33,792 --a------ C:\WINDOWS\system32\regini.exe
2006-10-27 08:12 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2006-10-27 08:12 25,600 --a------ C:\WINDOWS\system32\comaddin.dll
2006-10-27 08:12 25,088 --a------ C:\WINDOWS\system32\mtxlegih.dll
2006-10-27 08:12 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2006-10-27 08:12 22,016 --a------ C:\WINDOWS\system32\qwinsta.exe
2006-10-27 08:12 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2006-10-27 08:12 20,992 --a------ C:\WINDOWS\system32\msg.exe
2006-10-27 08:12 20,480 --a------ C:\WINDOWS\system32\qprocess.exe
2006-10-27 08:12 20,480 --a------ C:\WINDOWS\system32\mtxdm.dll
2006-10-27 08:12 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2006-10-27 08:12 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2006-10-27 08:12 185,344 --a------ C:\WINDOWS\system32\cmprops.dll
2006-10-27 08:12 183,808 --a------ C:\WINDOWS\system32\accwiz.exe
2006-10-27 08:12 17,408 --a------ C:\WINDOWS\system32\mmfutil.dll
2006-10-27 08:12 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-10-27 08:12 16,896 --a------ C:\WINDOWS\system32\tsshutdn.exe
2006-10-27 08:12 16,896 --a------ C:\WINDOWS\system32\qappsrv.exe
2006-10-27 08:12 16,384 --a------ C:\WINDOWS\system32\tskill.exe
2006-10-27 08:12 15,872 --a------ C:\WINDOWS\system32\rwinsta.exe
2006-10-27 08:12 15,872 --a------ C:\WINDOWS\system32\cdmodem.dll
2006-10-27 08:12 15,360 --a------ C:\WINDOWS\system32\logoff.exe
2006-10-27 08:12 147,968 --a------ C:\WINDOWS\system32\rdchost.dll
2006-10-27 08:12 147,456 --a------ C:\WINDOWS\system32\comsnap.dll
2006-10-27 08:12 140,800 --a------ C:\WINDOWS\system32\sessmgr.exe
2006-10-27 08:12 14,848 --a------ C:\WINDOWS\system32\tsdiscon.exe
2006-10-27 08:12 14,848 --a------ C:\WINDOWS\system32\tscon.exe
2006-10-27 08:12 14,848 --a------ C:\WINDOWS\system32\shadow.exe
2006-10-27 08:12 139,528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2006-10-27 08:12 131,584 --a------ C:\WINDOWS\system32\sndrec32.exe
2006-10-27 08:12 13,824 --a------ C:\WINDOWS\system32\rdsaddin.exe
2006-10-27 08:12 126,976 --a------ C:\WINDOWS\system32\mshearts.exe
2006-10-27 08:12 123,392 --a------ C:\WINDOWS\system32\mplay32.exe
2006-10-27 08:12 12,040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2006-10-27 08:12 119,808 --a------ C:\WINDOWS\system32\winmine.exe
2006-10-27 08:12 114,688 --a------ C:\WINDOWS\system32\calc.exe
2006-10-27 08:12 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-10-27 08:12 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2006-10-27 08:12 11,264 --a------ C:\WINDOWS\system32\icaapi.dll
2006-10-27 08:12 102,912 --a------ C:\WINDOWS\system32\clipbrd.exe
2006-10-27 08:12 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-10-27 08:12 1,161 --a------ C:\WINDOWS\system32\usrlogon.cmd
2006-10-27 08:12 <DIR> d-------- C:\WINDOWS\system32\MsDtc
2006-10-27 08:12 <DIR> d-------- C:\WINDOWS\system32\Com
2006-10-27 08:12 <DIR> d-------- C:\Program Files\Windows NT
2006-10-27 08:12 <DIR> d-------- C:\Program Files\MSN
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"CTDVDDET"="\"C:\\Program Files\\Creative\\SBAudigy4\\DVDAudio\\CTDVDDET.EXE\""
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy4\\Surround Mixer\\CTSysVol.exe /r"
"RCSystem"="\"C:\\Program Files\\Creative\\Shared Files\\Module Loader\\DLLML.exe\" RCSystem * -Startup"
"AudioDrvEmulator"="\"C:\\Program Files\\Creative\\Shared Files\\Module Loader\\DLLML.exe\" -1 AudioDrvEmulator \"C:\\Program Files\\Creative\\Shared Files\\Module Loader\\Audio Emulator\\AudDrvEm.dll\""
"CTHelper"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"AcctMgr"="C:\\Program Files\\Norton SystemWorks\\Password Manager\\AcctMgr.exe /startup"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"HPHmon04"="C:\\WINDOWS\\system32\\hphmon04.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"RegistryMechanic"=""
"iTunesHelper"="\"H:\\itunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
monty5012
2006-11-21, 04:20
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="OverClk"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ASUS\\Ai Booster\\OverClk.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20061120-182952-996
O2 - BHO: (no name) - {EC90C30E-66F6-43EA-971F-8519222B11D7} - C:\WINDOWS\system32\mljge.dll (file missing)
backup-20061120-182952-800
O4 - HKCU\..\Run: [imii] C:\PROGRA~1\COMMON~1\imii\imiim.exe
backup-20061120-182952-985
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsac.dll,startup
backup-20061120-182952-622
O4 - HKCU\..\Run: [Atao] "C:\DOCUME~1\JAREDA~1\APPLIC~1\YSTEM3~1\services.exe" -vt yazb
backup-20061120-182952-831
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt3.dll
backup-20061120-182952-748
O2 - BHO: (no name) - {DFB30CD1-ED13-4875-8B6E-27ED467B6FEA} - C:\WINDOWS\system32\jkhhe.dll (file missing)
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\Symantec Drmc.job
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: 06-11-20 19:01:59.46
C:\ComboFix.txt ... 06-11-20 19:01
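The HijackThis backup entries in the log above are the persistence points that were removed. As an added example that is not part of this thread, the Python checker below applies the same heuristics a helper applies by eye to O2/O4 lines (an orphaned or unnamed BHO, an executable living in the user profile, a core Windows binary name outside system32, rundll32 loading a DLL); the sample lines are the ones quoted in this log, with the legitimate ccApp Run entry from the same log included as a clean control.

```python
import re
import ntpath

# Constructed sample: the O2/O4 lines from the HijackThis backups above, plus the
# legitimate ccApp Run entry from the same ComboFix log as a control.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {EC90C30E-66F6-43EA-971F-8519222B11D7} - C:\WINDOWS\system32\mljge.dll (file missing)",
    r"O4 - HKCU\..\Run: [imii] C:\PROGRA~1\COMMON~1\imii\imiim.exe",
    r"O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsac.dll,startup",
    r'O4 - HKCU\..\Run: [Atao] "C:\DOCUME~1\JAREDA~1\APPLIC~1\YSTEM3~1\services.exe" -vt yazb',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
]

# Core Windows binaries that belong in system32; a same-named file elsewhere is suspect.
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "smss.exe"}


def extract_path(line):
    """Pull the file path out of an O2/O4 line, whether quoted or bare."""
    m = re.search(r'"([A-Za-z]:\\[^"]+)"', line)
    if m:
        return m.group(1)
    m = re.search(r"([A-Za-z]:\\\S+)", line)
    return m.group(1) if m else ""


def flag_line(line):
    """Return the reasons an O2/O4 line deserves a closer look (empty if none)."""
    reasons = []
    path = extract_path(line).split(",")[0]  # drop rundll32's ",entrypoint" suffix
    low = path.lower()
    if "(file missing)" in line:
        reasons.append("orphaned: referenced file no longer exists")
    if line.startswith("O2") and "(no name)" in line:
        reasons.append("BHO registered without a name")
    if re.search(r"\\docume~1\\|\\documents and settings\\", low):
        reasons.append("runs from a user profile directory")
    if ntpath.basename(low) in SYSTEM_NAMES and "\\windows\\system32\\" not in low:
        reasons.append("system binary name outside system32")
    if "rundll32" in line.lower():
        reasons.append("rundll32 loads a DLL: check that DLL's publisher")
    return reasons


def scan(lines):
    """Map each flagged line to its reasons; lines with no hits are omitted."""
    return {ln: flag_line(ln) for ln in lines if flag_line(ln)}


if __name__ == "__main__":
    for ln, why in scan(SAMPLE_LINES).items():
        print(ln, "->", "; ".join(why))
```

The imii entry trips none of these heuristics even though it was removed as malware, which is why such a checker is only a first pass before a helper's manual review.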
Hi again, looks quite good now :)
Is the computer running fine?
Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\rmblyyae.dll
IF your Norton doesn't include a firewall:
You don't seem to have a firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) running; you must install one.
NOTE: If you're using Windows XP firewall, I recommend that you install a better firewall. Windows firewall doesn't really provide enough protection.
Disable Windows firewall after installing a new firewall.
These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
==============
Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.
You can delete the following backup folders:
C:\QooBox
C:\VundoFix Backups
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is a faster, safer and better browser than Internet Explorer.
Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.
Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.
Read this article by TonyKlein (http://castlecops.com/postlite7736-.html)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)
monty5012
2006-11-23, 02:54
Mr_JAk3,
Thank you so much for all of your help. I was a little thrown off last night, because after I did everything from your post some things were still popping up in AVG. Then I realized it was from System Restore, and once I cleared that out I was fine.
Once again, everything is running great and I really appreciate all of your help!
That's great news and you're very welcome :D:
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.
Glad we could help :2thumb: