cmdService

Please be careful!

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

C:\WINNT\system32\wshtcpip.dll

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

Regards,
tea
 
Moving Along

So I found two copies of this on my machine, so I copied both and scanned them....here are the results

Service load:
0% 100%
File: wshtcpip1.dll
Status:
Uploading file, please wait...
MD5 61297dea5932a3d8a9e6a2d17d0b8e8b
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Service load:
0% 100%
File: wshtcpip.dll
Status:
OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 a7f95a53ee055115df03588997a47d4d
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
 
Hello,

Well, that was a dead end, huh? It's been 8 days, so let's have a scan with either Dr. Web or Ewido, post the logs for me, and let me see a new HijackThis log if you please. You might also try the directions I posted some time ago for the internet connection and see if it works now. It could happen. :D

Have a great weekend!
tea
 
Buggery!

Alright, so the quick scan in Dr. Web turned up clean, so I am running it again with a full system scan. While watching the scroll bar, SpyCatcher caught the Dollar Revenue app trying to run again.....then it flagged C:\WINNT\system32\pautoenr.dll Application:eDonkey (any clue what that is?) and Type is Spyware.

I'll give you the results of Dr. Web and Ewido when I get them.
 
Clever

So in trying to be clever, I copied over the pautoenr.dll files to another PC and am going to try and scan them at the site you had me scan at last time. Hopefully my independent thought doesn't destroy anything! :oops:
 
Working

The online malware scanner has been busy for the last few hours. The Ewido scan came back clean; however, the Dr. Web scan is running and has already picked up about five virus/spyware instances. Will post when it's finished. :fear:
 
Still In Trouble

:sad: So Dr. Web has found some items:

A0070427.dll;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Trojan.DownLoader.12021;Deleted.;
A0070428.EXE;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Adware.Aws;Moved.;
A0070429.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Program.mIRC.617;Moved.;
A0070430.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Adware.DollarRevenue;Moved.;
A0070428.EXE;c:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Adware.Aws;;
A0070429.exe;c:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Program.mIRC.617;Deleted.;

It found the DollarRevenue piece last time, but it doesn't seem to be completely getting rid of it.
 
Hello,

Everything Dr.Web found is in System Restore and either moved or deleted, so no problem there. Stop worrying.:)

This is about eDonkey: http://en.wikipedia.org/wiki/EDonkey_network

And this, dated 10-01-06, from the eDonkey site: The eDonkey2000 Network is no longer available.

If you steal music or movies, you are breaking the law.

Courts around the world -- including the United States Supreme Court --
have ruled that businesses and individuals can be prosecuted for illegal
downloading.

Can you tell me what all you've tried as far as regaining your internet access?

tea :)
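As an added example that is not part of the thread and not Dr.Web's own tooling: a small Python triage script that parses the semicolon-delimited report lines posted above and checks the two things tea's reply relies on, that each detection sits under a System Restore point and that the scanner recorded an action (Deleted or Moved) for it. The six report lines are the ones from the post, embedded so the script runs offline; the field order name;directory;threat;action is inferred from those lines and is an assumption, as is treating an empty action field as "no action recorded".

```python
"""Triage a Dr.Web-style report: which detections sit inside System Restore
points, and which were actually neutralised (deleted or moved).

Added illustration for the thread above; the line format is assumed from
the posted output (name;directory;threat;action;), not from Dr.Web docs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# The six lines posted in the thread (constructed sample input for this script).
REPORT = r"""
A0070427.dll;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Trojan.DownLoader.12021;Deleted.;
A0070428.EXE;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Adware.Aws;Moved.;
A0070429.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Program.mIRC.617;Moved.;
A0070430.exe;C:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Adware.DollarRevenue;Moved.;
A0070428.EXE;c:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Adware.Aws;;
A0070429.exe;c:\System Volume Information\_restore{330F9500-EA78-4C62-843B-78611BFDE72B}\RP485;Program.mIRC.617;Deleted.;
"""

# A System Restore point directory: \System Volume Information\_restore{GUID}\RPnnn
# Case-insensitive because the report mixes "C:\" and "c:\".
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+",
    re.IGNORECASE,
)


@dataclass
class Detection:
    name: str
    directory: str
    threat: str
    action: str  # "Deleted", "Moved", or "" when the scanner recorded nothing

    @property
    def in_system_restore(self) -> bool:
        """True when the file lives inside a restore point, not a live location."""
        return RESTORE_RE.search(self.directory) is not None

    @property
    def neutralised(self) -> bool:
        """True when the scanner actually removed or quarantined the file."""
        return self.action in ("Deleted", "Moved")


def parse_report(text: str) -> List[Detection]:
    """Parse one detection per non-empty line; trailing '.' on the action is dropped."""
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"unexpected report line: {line!r}")
        name, directory, threat, action = fields[:4]
        found.append(Detection(name, directory, threat, action.rstrip(".")))
    return found


def summarise(dets: List[Detection]) -> Dict[str, object]:
    """Counts plus the names that still deserve a look: anything outside a
    restore point, or anything the scanner found but did not act on."""
    return {
        "total": len(dets),
        "in_system_restore": sum(d.in_system_restore for d in dets),
        "neutralised": sum(d.neutralised for d in dets),
        "outside_restore": [d.name for d in dets if not d.in_system_restore],
        "no_action": [d.name for d in dets if not d.neutralised],
    }


if __name__ == "__main__":
    detections = parse_report(REPORT)
    for d in detections:
        where = "restore point" if d.in_system_restore else "LIVE LOCATION"
        print(f"{d.name:14} {d.threat:26} {d.action or 'no action':10} {where}")
    print(summarise(detections))
```

Run as-is it lists each detection with where it lives and what was done to it; `outside_restore` is the list a helper would care about, since a live copy of a downloader or adware means the infection is active rather than just archived in a restore point.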
 
Strange

I posted a reply some time ago...but it isn't here. I tried your original suggestions from back in the thread...and tried them again recently with no luck. I've disabled and re-enabled both of my adapters (wired and wireless), then tried uninstalling and reinstalling them. I get a network connection, but I cannot get on the internet.
 
Hey! I was worried....glad to see you back.:)

Maybe this break has been a good thing. I've been trying to think of anything new that's come out that might help us here.

Combofix has been updated, so I'd like for you to delete your current one and download another and run it. combofix.exe

Post the results for me, and we'll go on to the next thing.

Thanks,
tea
 
Scratch that last.....ComboFix is down at present. Save what you have for now. Instead let's use this:


Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start GMER.exe.
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Thanks,
tea
 
Still Alive

Hey Tea,

Thanks for your patience, man. I've had some bad health issues and have been laid up at home. The laptop has been sitting at work. I think I am going back to work tomorrow if I hold up overnight. I'll start cracking at it there. Thanks again for all of the help!

:bigthumb:
 
Awww.....I'm so sorry to hear it. You get well! This thread will still be here when you feel like it.

Take care!!!
 
Here we go

Here are the latest results

shawnn - 06-10-19 17:09:30.21 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\"

((((((((((((((((((((((((((((((( Files Created from 2006-09-19 to 2006-10-19 ))))))))))))))))))))))))))))))))))


2006-10-19 15:19 0 --a------ C:\WINNT\gmer.reg
2006-10-19 15:19 0 --a------ C:\WINNT\gmer.bat
2006-10-19 15:12 385,024 --a------ C:\gmer.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-19 15:09 276918 --a------ C:\combofix.exe
2006-10-05 09:10 -------- d-------- C:\Program Files\BOINC
2006-10-05 08:59 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-21 09:07 -------- d-------- C:\Program Files\HijackThis
2006-09-21 08:57 -------- d-------- C:\Program Files\mIRC
2006-09-20 13:55 -------- d-------- C:\Program Files\ComPlus Applications
2006-09-20 13:54 -------- d-------- C:\Program Files\Online Services
2006-09-14 16:54 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-14 13:31 -------- d-------- C:\Program Files\Messenger
2006-09-12 00:18 -------- d-------- C:\Program Files\Common Files
2006-08-21 06:21 16896 --a------ C:\WINNT\system32\fltlib.dll
2006-08-21 03:14 23040 --a------ C:\WINNT\system32\fltmc.exe
2006-08-21 03:14 128896 --------- C:\WINNT\system32\drivers\fltmgr.sys
2006-08-20 03:40 -------- d-------- C:\Program Files\Gaim
2006-08-11 21:01 435 --a------ C:\WINNT\vnvqn.dll
2006-08-11 20:09 1167 --a------ C:\WINNT\system32\jqwd09d3.sys
2006-08-09 16:48 186 --a------ C:\WINNT\system32\n.bat
2006-08-09 16:48 147456 --a------ C:\WINNT\system32\vbzip10.dll
2006-07-27 07:24 679424 --a------ C:\WINNT\system32\inetcomm.dll
2006-07-21 02:24 72704 --a------ C:\WINNT\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TabletTip"="\"C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabtip.exe\" /resume"
"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"PRONoMgr.exe"="c:\\Program Files\\Intel\\PROSetWireless\\NCS\\PROSet\\PRONoMgr.exe"
"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"
"vptray"="C:\\PROGRA~1\\NavNT\\vptray.exe"
"TabletWizard"="C:\\WINNT\\help\\SplshWrp.exe"
"SpyCatcher Reminder"="\"C:\\Program Files\\SpyCatcher 2006\\SpyCatcher.exe\" reminder"
"SpybotSnD"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck /autofix /autoclose"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Acrobat Assistant.lnk"
"backup"="C:\\WINNT\\pss\\Acrobat Assistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Distillr\\AcroTray.exe "
"item"="Acrobat Assistant"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech Desktop Messenger.lnk"
"backup"="C:\\WINNT\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech SetPoint.lnk"
"backup"="C:\\WINNT\\pss\\Logitech SetPoint.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\SetPoint\\SetPoint.exe "
"item"="Logitech SetPoint"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^pabld.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pabld.exe"
"backup"="C:\\WINNT\\pss\\pabld.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pabld.exe"
"item"="pabld"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^shawnn.THEVARK^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
"path"="C:\\Documents and Settings\\shawnn.THEVARK\\Start Menu\\Programs\\Startup\\Microsoft Office OneNote 2003 Quick Launch.lnk"
"backup"="C:\\WINNT\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\OFFICE11\\ONENOTEM.EXE /tsr"
"item"="Microsoft Office OneNote 2003 Quick Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^shawnn.THEVARK^Start Menu^Programs^Startup^Sticky Notes.lnk]
"path"="C:\\Documents and Settings\\shawnn.THEVARK\\Start Menu\\Programs\\Startup\\Sticky Notes.lnk"
"backup"="C:\\WINNT\\pss\\Sticky Notes.lnkStartup"
"location"="Startup"
"command"="C:\\WINNT\\system32\\stikynot.exe "
"item"="Sticky Notes"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACUMon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ACUMon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Cisco Systems\\Aironet Client Monitor\\ACUMon.Exe\" -a"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="System"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\System Files\\System.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_8"
"hkey"="HKLM"
"command"="C:\\\\dfndrff_8.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="eraser"
"hkey"="HKCU"
"command"="C:\\Program Files\\Eraser\\eraser.exe -hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gaim]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gaim"
"hkey"="HKCU"
"command"="C:\\Program Files\\Gaim\\gaim.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GWInkMonitor"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Gateway\\Gateway Ink Monitor\\GWInkMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WCESCOMM"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINNT\\System32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jqwd09d3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w2ec5443.dll,n 002d09d1000000032ec5443"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k6mmN5IOU]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wfxqhv"
"hkey"="HKLM"
"command"="\"C:\\WINNT\\system32\\wfxqhv.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogitechDesktopMessenger"
"hkey"="HKCU"
"command"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHALMNPR"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Logitech\\KhalShared\\KHALMNPR.EXE\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaLifeService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MediaLifeService"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Logitech\\MediaLife\\MediaLifeService.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CfgWiz"
"hkey"="HKLM"
"command"="c:\\Program Files\\Common Files\\Symantec Shared\\CfgWiz.exe /GUID NAV /CMDLINE \"REBOOT\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINNT\\System32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmff_8"
"hkey"="HKLM"
"command"="C:\\\\nwnmff_8.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sgbdx]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wspkww"
"hkey"="HKCU"
"command"="C:\\WINNT\\system32\\wspkww.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyCatcher Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyCatcher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\SpyCatcher 2006\\SpyCatcher.exe\" reminder"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TabletWizard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SplshWrp"
"hkey"="HKLM"
"command"="C:\\WINNT\\help\\SplshWrp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcmdmgrl"
"hkey"="HKLM"
"command"="C:\\WINNT\\wt\\updater\\wcmdmgrl.exe -launch"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wktcwv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wspkww"
"hkey"="HKLM"
"command"="C:\\WINNT\\system32\\wspkww.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PrismXL"=dword:00000002
"VSS"=dword:00000003
"LBTServ"=dword:00000002

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-19 17:11:17.78
C:\ComboFix.txt ... 06-10-19 17:11
C:\ComboFix2.txt ... 06-09-19 08:42
C:\ComboFix3.txt ... 06-09-12 00:24
 
Gmer

And now for the other one

GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-19 17:27:32
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.11 ----

SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess
---- Processes - GMER 1.0.11 ----

Library C:\WINNT\System32\wshtcpip.dll (*** hidden *** ) @ C:\WINNT\system32\svchost.exe [1412] 0x71A90000
Library C:\WINNT\System32\wshtcpip.dll (*** hidden *** ) @ C:\WINNT\system32\svchost.exe [1732] 0x71A90000
Library C:\WINNT\System32\wshtcpip.dll (*** hidden *** ) @ C:\WINNT\explorer.exe [1816] 0x71A90000

---- Files - GMER 1.0.11 ----

File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\HiddenFiles.txt
File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedExecutables.txt
File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedLibraries.txt
File C:\Documents and Settings\shawnn.THEVARK\Application Data\Mozilla\Firefox\Profiles\m9reetxw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
File C:\Documents and Settings\shawnn.THEVARK\Local Settings\Temp\Temporary Internet Files\Content.IE5\8XU7KPIJ\2[1].htm
File C:\Documents and Settings\shawnn.THEVARK\Local Settings\Temp\Temporary Internet Files\Content.IE5\8XU7KPIJ\2[2].htm
File C:\Documents and Settings\shawnn.THEVARK\Local Settings\Temp\Temporary Internet Files\Content.IE5\8XU7KPIJ\2[3].htm
File C:\Documents and Settings\shawnn.THEVARK\Local Settings\Temp\Temporary Internet Files\Content.IE5\ELKH67IB\1[2].htm
File C:\Documents and Settings\shawnn.THEVARK\Local Settings\Temp\Temporary Internet Files\Content.IE5\ELKH67IB\2[2].htm
File C:\Documents and Settings\shawnn.THEVARK\Local Settings\Temp\Temporary Internet Files\Content.IE5\ELKH67IB\2[3].htm
File C:\Documents and Settings\shawnn.THEVARK\Local Settings\Temp\Temporary Internet Files\Content.IE5\OTINK9AJ\1[1].htm
File C:\Documents and Settings\shawnn.THEVARK\Local Settings\Temp\Temporary Internet Files\Content.IE5\OTINK9AJ\2[1].htm
File C:\Documents and Settings\shawnn.THEVARK\Local Settings\Temp\Temporary Internet Files\Content.IE5\S3810REP\1[2].htm
ADS C:\Documents and Settings\shawnn.THEVARK\My Documents\aardvark all.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\shawnn.THEVARK\My Documents\aardvark all.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS ...
File C:\Program Files\Java\j2re1.4.2\bin\jdriver.dll
File C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
 
Gmer 2

File C:\Program Files\WildTangent
File C:\Program Files\WildTangent\Apps
File C:\Program Files\WildTangent\Apps\ActiveLauncher
File C:\Program Files\WildTangent\Apps\ActiveLauncher\ActiveLauncher.ini
File C:\Program Files\WildTangent\Apps\CDA
File C:\Program Files\WildTangent\Apps\CDA\ActiveLauncher.ini
File C:\Program Files\WildTangent\Apps\CDA\ActiveLauncher0101.dll
File C:\Program Files\WildTangent\Apps\CDA\CDAEngine0400.dll
File C:\Program Files\WildTangent\Apps\CDA\CDALogger.dll
File C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
File C:\Program Files\WildTangent\Apps\CDA\ControlPanel
File C:\Program Files\WildTangent\Apps\CDA\ControlPanel\CDA
File C:\Program Files\WildTangent\Apps\CDA\ControlPanel\CDA\about.html
File C:\Program Files\WildTangent\Apps\CDA\ControlPanel\CDA\cache.html
File C:\Program Files\WildTangent\Apps\CDA\ControlPanel\DRM
File C:\Program Files\WildTangent\Apps\CDA\ControlPanel\index.html
File C:\Program Files\WildTangent\Apps\CDA\ControlPanel\nav.html
File C:\Program Files\WildTangent\Apps\CDA\ControlPanel\Webd
File C:\Program Files\WildTangent\Apps\CDA\GameData
File C:\Program Files\WildTangent\Apps\CDA\OtherLicenses.txt
File C:\Program Files\WildTangent\Apps\CDA\wt.ico
File C:\Program Files\WildTangent\Apps\DRM0302.dll
File C:\Program Files\WildTangent\Apps\DRM0302java.jar
File C:\Program Files\WildTangent\Components
File C:\Program Files\WildTangent\Components\wtAppConfig0200.dll
File C:\Program Files\WildTangent\Components\wtCache0200.dll
File C:\Program Files\WildTangent\Components\wtCookie0200.dll
File C:\Program Files\WildTangent\Components\wtDownloader0200.dll
File C:\Program Files\WildTangent\Components\wtGameData0200.dll
File C:\Program Files\WildTangent\Components\wtGUI0200.dll
File C:\Program Files\WildTangent\Components\wtIO0200.dll
File C:\Program Files\WildTangent\Components\wtKernel0200.dll
File C:\Program Files\WildTangent\Components\wtLua0200.dll
File C:\Program Files\WildTangent\Components\wtNetworking0200.dll
File C:\Program Files\WildTangent\Components\wtPropertyBag0200.dll
File C:\Program Files\WildTangent\Components\wtScript0200.dll
File C:\Program Files\WildTangent\Components\wtSerialization0200.dll
File C:\Program Files\WildTangent\Components\wtStreamProcessing0200.dll
File C:\Program Files\WildTangent\Components\wtSystem0200.dll
File C:\Program Files\WildTangent\Components\wtSystemConfig0200.dll
File C:\Program Files\WildTangent\Components\wtUserSupport0200.dll
File C:\Program Files\WildTangent\LFS
File C:\Program Files\WildTangent\LFS\ActiveLauncher
File C:\Program Files\WildTangent\LFS\AppConfig
File C:\Program Files\WildTangent\LFS\Cache
File C:\Program Files\WildTangent\LFS\CDAData
File C:\Program Files\WildTangent\LFS\CDAData\Checkin
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\download.html
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\downloadTrayIconData.cdas
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\icon.ico
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\install.html
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\installTrayIconData.cdas
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\install_complete.html
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\install_progress.html
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\inuse.html
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\inuseitems.html
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\items.html
File C:\Program Files\WildTangent\LFS\CDAData\Checkin\style.css
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\CDAOnlyScreen
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\CDAOnlyScreen\style.css
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\ErrorScreen
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\ErrorScreen\style.css
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\FinishedScreen
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\FinishedScreen\style.css
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\bc.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\bl.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\br.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\btm.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\cancel-over.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\cancel.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\finish-over.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\finish.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\header.jpg
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\le.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\mb.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\next-over.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\next.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\re.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\Images\retry-over.gif
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\InUseScreen
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\InUseScreen\inuse.html
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\InUseScreen\items.html
File C:\Program Files\WildTangent\LFS\CDAData\UninstallerUI\ProgressScreen\style.css
File C:\Program Files\WildTangent\LFS\Scripts
File C:\Program Files\WildTangent\LFS\Scripts\Common
File C:\Program Files\WildTangent\LFS\Scripts\Common\CL01.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_Files.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_LFSInit.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_Registry.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_Scheduler.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_String.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Common\CL01_User.cdas
 
Gmer 3

good god this thing is long!!!!

File C:\Program Files\WildTangent\LFS\Scripts\Common\DpidLibrary_01.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Common\MasterUpdateLibrary_01.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Common\UI_Stub.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Downloaded
File C:\Program Files\WildTangent\LFS\Scripts\Downloaded\MasterUpdate.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Downloaded\SystemConfigurationUpload.cdas
File C:\Program Files\WildTangent\LFS\Scripts\GameData.log
File C:\Program Files\WildTangent\LFS\Scripts\Install
File C:\Program Files\WildTangent\LFS\Scripts\Install\CDALogger_fileList.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\CDALogger_install.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\CPL_fileList.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\CPL_uninstall.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\DMMP_fileList.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\DMMP_install.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\DRM0302_fileList.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\DRM0302_install.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\DRM0302_Uninstall.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\UI_checkin.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\UI_stub.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\Webd331_filelist.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\Webd331_Uninstall.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\Webd4_1_1_fileList.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\Webd4_1_1_install.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\Webd4_1_1_Uninstall.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Install\_6095B9CF_DD6F_4F94_91A3_156A8D9006A1_fileList.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Uninstall\DRM0302.cdanfo
File C:\Program Files\WildTangent\LFS\Scripts\Uninstall\Uninstaller.cdas
File C:\Program Files\WildTangent\LFS\Scripts\Uninstall\Webd331.cdanfo
File C:\Program Files\WildTangent\LFS\System
File C:\Program Files\WildTangent\LFS\TaskStore\Bandwidth.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\Bandwidth.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\CreateAppConfig.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\CreateAppConfig.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\CreateAppConfig.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\GameData.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\GameData.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\GameData.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\Maint.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\Maint.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\Maint.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\MigrateDpid.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\MigrateDpid.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\MigrateDpid.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\NewUser.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\NewUser.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\NewUser.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateLibrary01.cdas
File C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateNormal.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateNormal.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateNormal.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateQuick.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateQuick.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateRestart.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\PersistentUpdateRestart.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\ShutdownTest.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\ShutdownTest.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\ShutdownTest.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\SystemConfiguration.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\SystemConfiguration.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\SystemConfiguration.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\UrlUpdate.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\UrlUpdate.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\UrlUpdate.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\verify.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\verify.cdaes
File C:\Program Files\WildTangent\LFS\TaskStore\verify.cdaet
File C:\Program Files\WildTangent\LFS\TaskStore\WeeklyCDA.cdaed
File C:\Program Files\WildTangent\LFS\TaskStore\WeeklyCDA.cdaes
File C:\Program Files\WildTangent\LicenseStores\WT\a14fd069-5c46-4863-a07b-4d03ce7fc46c.wtlic
File C:\Program Files\WildTangent\LicenseStores\WT\A7456F43-E255-4c09-90BD-81EC82890C69.wtlic
File C:\Program Files\WildTangent\LicenseStores\WT\ceb1265a-b646-4bd4-a56c-635a23d3f07a.wtlic
File C:\WINNT\system32\wshtcpip.dll
File C:\WINNT\system32\wtcpl.cpl

---- EOF - GMER 1.0.11 ----