HJT Log

Rippy

New member
In a misguided search for a CD key generator I wound up taking on board god knows what. What's worse, I did this on somebody else's machine.

I took some time and did what I could, but I'm not sure if I got rid of all of it. Any advice would be much appreciated.

---------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:26 PM, on 10/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rpinfo.rpi.edu/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ijybstqv] rundll32.exe "C:\Program Files\ijybstqv\mnadorup.dll",Init
O4 - HKLM\..\Run: [pcjgjyli] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\pcjgjyli.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Remote Solver for COSMOSFloWorks 2007 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6985 bytes
 
Hello Rippy,

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
 
Combofix:

ComboFix 07-10-07.2 - Corr Lab 2007-10-07 14:47:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2349 [GMT -4:00]
Running from: C:\Documents and Settings\Corr Lab\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\pcjgjyli.dll
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe.bak
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\dhxutaas.dll
C:\WINDOWS\system32\ggjlm.ini2
C:\WINDOWS\system32\ggjlm.tmp
C:\WINDOWS\system32\pqtss.bak1
C:\WINDOWS\system32\pqtss.bak1
C:\WINDOWS\system32\pqtss.bak2
C:\WINDOWS\system32\pqtss.bak2
C:\WINDOWS\system32\pqtss.ini
C:\WINDOWS\system32\pqtss.ini
C:\WINDOWS\system32\pqtss.ini2
C:\WINDOWS\system32\pqtss.ini2
C:\WINDOWS\system32\pqtss.tmp
C:\WINDOWS\system32\pqtss.tmp
C:\WINDOWS\system32\sstqp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-09-07 to 2007-10-07 )))))))))))))))))))))))))))))))
.

2007-10-07 14:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-05 20:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-05 20:14 <DIR> d-------- C:\Documents and Settings\Corr Lab\Application Data\SUPERAntiSpyware.com
2007-10-05 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-05 18:44 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-05 18:28 <DIR> d-------- C:\VundoFix Backups
2007-10-05 18:16 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-05 18:16 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-05 18:16 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-05 18:16 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-05 18:16 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-05 18:11 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-05 17:16 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-05 17:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-05 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-05 17:15 <DIR> d-------- C:\WINDOWS\system32\vldpmvww
2007-10-05 17:15 <DIR> d-------- C:\Program Files\ijybstqv
2007-10-05 17:15 <DIR> d-------- C:\Program Files\Ahcfrklk
2007-10-05 17:14 35,328 --a------ C:\WINDOWS\system32\ssqpmji.dll
2007-10-05 17:14 104,448 --a------ C:\WINDOWS\system32\drvwuk.dll
2007-10-05 16:10 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-10-05 16:10 <DIR> d-------- C:\Documents and Settings\Corr Lab\Application Data\U3
2007-10-05 16:08 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-05 16:07 <DIR> d-------- C:\WINDOWS\ShellNew
2007-10-05 12:45 <DIR> d-------- C:\Documents and Settings\Corr Lab\Application Data\AdobeUM
2007-10-05 12:06 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-10-05 12:06 <DIR> d-------- C:\Documents and Settings\Corr Lab\Application Data\Thunderbird
2007-10-05 11:56 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-05 11:55 1,277 --a------ C:\WINDOWS\mozver.dat
2007-10-05 11:40 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-02 15:24 <DIR> d-------- C:\Temp
2007-10-02 15:12 <DIR> d--h----- C:\Program Files\Zero G Registry
2007-10-02 15:12 <DIR> d-------- C:\Program Files\Abaqus
2007-10-02 15:04 <DIR> d--h----- C:\Documents and Settings\Corr Lab\InstallAnywhere
2007-10-02 15:01 <DIR> d---s---- C:\Documents and Settings\Corr Lab\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 14:51 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-19 18:03 315392 --a------ C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 08:00 C:\WINDOWS\system32\bthprops.cpl]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-06-04 14:40]
"Brightness"="C:\WINDOWS\system32\Brightness.exe" [2007-06-04 14:51]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-06-04 14:51]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-10-05 12:44:19]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BE666F3C-9D33-4E29-B4BC-7E6AA64B5129}"= C:\WINDOWS\system32\ssqpmji.dll [2007-10-05 17:14 35328]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpmji]
ssqpmji.dll 2007-10-05 17:14 35328 C:\WINDOWS\system32\ssqpmji.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\sstqp.dll

R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe
R2 KeyAgent;KeyAgent;\??\C:\WINDOWS\system32\drivers\KeyAgent.sys
R2 MacHALDriver;Mac HAL;\??\C:\WINDOWS\system32\drivers\MacHALDriver.sys
R2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;"C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe"
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-08-11 20:41:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-07 14:53:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-07 14:54:18 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-07 14:54
.
--- E O F ---

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:04 PM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rpinfo.rpi.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqpmji - C:\WINDOWS\SYSTEM32\ssqpmji.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Remote Solver for COSMOSFloWorks 2007 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7388 bytes
 
Hello Rippy,

A. Please RUN HijackThis
  1. Click the SCAN button to produce a log.

  2. Place a check mark beside each one of the following items:

    O20 - Winlogon Notify: ssqpmji - C:\WINDOWS\SYSTEM32\ssqpmji.dll

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


B. 1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\ssqpmji.dll
C:\WINDOWS\system32\drvwuk.dll

Folder::
C:\VundoFix Backups
C:\WINDOWS\system32\vldpmvww
C:\Program Files\ijybstqv
C:\Program Files\Ahcfrklk

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
 
I'm sorry for the lack of feedback.

I just ran HJT again, intending to perform the first step you described. However, I saw no entry for O20 this time, so I couldn't perform the step.

I wasn't sure if I should perform the rest of the steps if the first one wasn't complete... so I just reproduced both logs...

Honestly, I'm kind of panicking at this point.:sad:


HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:17 PM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rpinfo.rpi.edu/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DomainService - - C:\DOCUME~1\CORRLA~1\LOCALS~1\Temp\eaxyygkp.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Remote Solver for COSMOSFloWorks 2007 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6880 bytes


COMBOFIX LOG


ComboFix 07-10-07.2 - Corr Lab 2007-10-08 21:27:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2593 [GMT -4:00]
Running from: C:\Documents and Settings\Corr Lab\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\fhkmp.bak1
C:\WINDOWS\system32\fhkmp.bak1
C:\WINDOWS\system32\fhkmp.bak2
C:\WINDOWS\system32\fhkmp.bak2
C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fhkmp.ini2
C:\WINDOWS\system32\fhkmp.ini2
C:\WINDOWS\system32\fhkmp.tmp
C:\WINDOWS\system32\fhkmp.tmp
C:\WINDOWS\system32\npqss.bak1
C:\WINDOWS\system32\npqss.bak1
C:\WINDOWS\system32\npqss.ini2
C:\WINDOWS\system32\npqss.ini2
C:\WINDOWS\system32\npqss.tmp
C:\WINDOWS\system32\npqss.tmp
C:\WINDOWS\system32\tsogdmjc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.

2007-10-07 17:02 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-07 16:31 311,392 --------- C:\WINDOWS\system32\pmkhf.dll
2007-10-07 14:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-05 20:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-05 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-05 18:44 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-05 18:28 <DIR> d-------- C:\VundoFix Backups
2007-10-05 18:16 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-05 18:16 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-05 18:16 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-05 18:16 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-05 18:16 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-05 18:11 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-05 17:16 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-05 17:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-05 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-05 17:15 <DIR> d-------- C:\WINDOWS\system32\vldpmvww
2007-10-05 17:15 <DIR> d-------- C:\Program Files\ijybstqv
2007-10-05 17:15 <DIR> d-------- C:\Program Files\Ahcfrklk
2007-10-05 17:14 35,328 --a------ C:\WINDOWS\system32\ssqpmji.dll
2007-10-05 17:14 104,448 --a------ C:\WINDOWS\system32\drvwuk.dll
2007-10-05 16:10 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-10-05 16:10 <DIR> d-------- C:\Documents and Settings\Corr Lab\Application Data\U3
2007-10-05 16:08 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-05 16:07 <DIR> d-------- C:\WINDOWS\ShellNew
2007-10-05 12:45 <DIR> d-------- C:\Documents and Settings\Corr Lab\Application Data\AdobeUM
2007-10-05 12:06 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-10-05 12:06 <DIR> d-------- C:\Documents and Settings\Corr Lab\Application Data\Thunderbird
2007-10-05 11:56 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-05 11:55 1,277 --a------ C:\WINDOWS\mozver.dat
2007-10-05 11:40 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-02 15:24 <DIR> d-------- C:\Temp
2007-10-02 15:12 <DIR> d--h----- C:\Program Files\Zero G Registry
2007-10-02 15:12 <DIR> d-------- C:\Program Files\Abaqus
2007-10-02 15:04 <DIR> d--h----- C:\Documents and Settings\Corr Lab\InstallAnywhere
2007-10-02 15:01 <DIR> d---s---- C:\Documents and Settings\Corr Lab\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 21:33 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-19 18:03 315392 --a------ C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9817E7C-B508-43A2-A9B6-08DD4EFC9B46}]
2007-10-07 16:31 311392 --------- C:\WINDOWS\system32\pmkhf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 08:00 C:\WINDOWS\system32\bthprops.cpl]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-06-04 14:40]
"Brightness"="C:\WINDOWS\system32\Brightness.exe" [2007-06-04 14:51]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-06-04 14:51]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-10-05 12:44:19]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BE666F3C-9D33-4E29-B4BC-7E6AA64B5129}"= C:\WINDOWS\system32\ssqpmji.dll [2007-10-05 17:14 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpmji]
ssqpmji.dll 2007-10-05 17:14 35328 C:\WINDOWS\system32\ssqpmji.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkhf.dll

R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe
R2 KeyAgent;KeyAgent;\??\C:\WINDOWS\system32\drivers\KeyAgent.sys
R2 MacHALDriver;Mac HAL;\??\C:\WINDOWS\system32\drivers\MacHALDriver.sys
R2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;"C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe"
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-08-11 20:41:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 21:32:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-08 21:34:07 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-08 21:34
C:\ComboFix2.txt ... 2007-10-07 14:54
.
--- E O F ---
 
Hello Rippy,

Honestly, I'm kind of panicking at this point.
Don't. We'll get this computer cleaned out in no time at all. :D

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\ssqpmji.dll
C:\WINDOWS\system32\drvwuk.dll

Folder::
C:\VundoFix Backups
C:\WINDOWS\system32\vldpmvww
C:\Program Files\ijybstqv
C:\Program Files\Ahcfrklk

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]



5. After the reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
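The Registry:: line in the script above resets the LSA "Authentication Packages" value to the Windows default by writing it as a REGEDIT4-style hex(7) (REG_MULTI_SZ) blob. The Python below is an added example for this thread, not code from the thread or from ComboFix: it decodes and rebuilds that blob, and compares the package list ComboFix printed under the Lsa key against the default so an appended DLL stands out. The function names are made up here; the one log line it parses is copied from the ComboFix log above.

```python
"""Decode/build the REGEDIT4-style hex(7) value a CFScript uses to reset the
LSA "Authentication Packages" list, and flag any package beyond the default.

Added example for this thread; it is not ComboFix code. The ComboFix log line
below is copied from the log in the thread; the function names are made up.
"""
from __future__ import annotations

import re

# Windows XP default content of HKLM\SYSTEM\CurrentControlSet\Control\Lsa
# "Authentication Packages": only the MSV1_0 (NTLM) package.
DEFAULT_AUTH_PACKAGES = ["msv1_0"]
LSA_KEY = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]"

# Copied from the ComboFix "Reg Loading Points" section posted above: the
# infection appended its DLL to the default package list.
COMBOFIX_LSA_LINE = r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkhf.dll'

HEX7_RE = re.compile(r"hex\(7\):((?:[0-9a-fA-F]{2},?)*)")


def decode_hex7(value: str) -> list[str]:
    """Turn 'hex(7):6d,73,...' into the list of strings it encodes.

    REGEDIT4 syntax (what ComboFix's Registry:: section takes) stores
    REG_MULTI_SZ as single-byte ANSI characters: each string ends in one NUL
    and the whole list ends in an extra NUL.
    """
    m = HEX7_RE.fullmatch(value.strip())
    if not m:
        raise ValueError(f"not a hex(7) value: {value!r}")
    raw = bytes(int(h, 16) for h in m.group(1).split(",") if h)
    if len(raw) < 2 or not raw.endswith(b"\x00\x00"):
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    body = raw[:-2]
    return [s.decode("latin-1") for s in body.split(b"\x00")] if body else []


def encode_hex7(strings: list[str]) -> str:
    """Inverse of decode_hex7: the hex(7) text for a list of ANSI strings."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_combofix_lsa_line(line: str) -> list[str]:
    """Split the package list ComboFix prints for the Lsa key.

    ComboFix separates entries with spaces, so a path containing a space
    would be split as well; the paths in this thread have none.
    """
    m = re.match(r'\s*"Authentication Packages"=\s*(.*?)\s*$', line)
    if not m:
        raise ValueError(f"unexpected line: {line!r}")
    return m.group(1).split()


def extra_auth_packages(packages: list[str]) -> list[str]:
    """Return entries beyond the default list.

    LSASS loads every package named here at boot, which is why the script
    above resets this value instead of only deleting pmkhf.dll.
    """
    defaults = {p.lower() for p in DEFAULT_AUTH_PACKAGES}
    return [p for p in packages if p.lower() not in defaults]


def cfscript_registry_fix(strings: list[str] | None = None) -> str:
    """Build the Registry:: block that resets the value to `strings`."""
    strings = DEFAULT_AUTH_PACKAGES if strings is None else strings
    return "\n".join([
        "Registry::",
        LSA_KEY,
        f'"Authentication Packages"={encode_hex7(strings)}',
        "",
    ])


if __name__ == "__main__":
    found = parse_combofix_lsa_line(COMBOFIX_LSA_LINE)
    print("packages reported by ComboFix:", found)
    print("not in the default list:", extra_auth_packages(found))
    print(cfscript_registry_fix())
    # Round trip: the thread's script line decodes back to just msv1_0.
    assert decode_hex7("hex(7):6d,73,76,31,5f,30,00,00") == ["msv1_0"]
```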
 
HJT LOG



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:58 PM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rpinfo.rpi.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: ssqpmji - ssqpmji.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Remote Solver for COSMOSFloWorks 2007 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7172 bytes



COMBOFIX LOG



ComboFix 07-10-07.2 - Corr Lab 2007-10-08 23:18:29.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2578 [GMT -4:00]
Running from: C:\Documents and Settings\Corr Lab\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Corr Lab\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\drvwuk.dll
C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\ssqpmji.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Ahcfrklk
C:\Program Files\Ahcfrklk\afvhtsbk.dll
C:\Program Files\ijybstqv
C:\Program Files\ijybstqv\mnadorup.dll
C:\VundoFix Backups
C:\VundoFix Backups\drvwukr.dll.bad
C:\VundoFix Backups\hooefaak.ini.bad
C:\VundoFix Backups\kaafeooh.dll.bad
C:\VundoFix Backups\llwbujdq.ini.bad
C:\VundoFix Backups\qdjubwll.dll.bad
C:\WINDOWS\system32\drvwuk.dll
C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\ssqpmji.dll
C:\WINDOWS\system32\vldpmvww
C:\WINDOWS\system32\vldpmvww\bg1.gif
C:\WINDOWS\system32\vldpmvww\bgtop.gif
C:\WINDOWS\system32\vldpmvww\bottom1.gif
C:\WINDOWS\system32\vldpmvww\essentials.gif
C:\WINDOWS\system32\vldpmvww\icon1.ico
C:\WINDOWS\system32\vldpmvww\install1.gif
C:\WINDOWS\system32\vldpmvww\left1.gif
C:\WINDOWS\system32\vldpmvww\li.gif
C:\WINDOWS\system32\vldpmvww\logo.gif
C:\WINDOWS\system32\vldpmvww\main.htm
C:\WINDOWS\system32\vldpmvww\mainframe.htm
C:\WINDOWS\system32\vldpmvww\reinstall1.gif
C:\WINDOWS\system32\vldpmvww\right1.gif
C:\WINDOWS\system32\vldpmvww\s1.htm
C:\WINDOWS\system32\vldpmvww\s2.htm
C:\WINDOWS\system32\vldpmvww\s3.htm
C:\WINDOWS\system32\vldpmvww\SMTop1.gif
C:\WINDOWS\system32\vldpmvww\SMTop2.gif
C:\WINDOWS\system32\vldpmvww\SMTop3.gif
C:\WINDOWS\system32\vldpmvww\SMTop4.gif
C:\WINDOWS\system32\vldpmvww\soft1_off.gif
C:\WINDOWS\system32\vldpmvww\soft1_off_ext.gif
C:\WINDOWS\system32\vldpmvww\soft1_on.gif
C:\WINDOWS\system32\vldpmvww\soft1_on_ext.gif
C:\WINDOWS\system32\vldpmvww\soft2_off.gif
C:\WINDOWS\system32\vldpmvww\soft2_off_ext.gif
C:\WINDOWS\system32\vldpmvww\soft2_on.gif
C:\WINDOWS\system32\vldpmvww\soft2_on_ext.gif
C:\WINDOWS\system32\vldpmvww\soft3_off.gif
C:\WINDOWS\system32\vldpmvww\soft3_off_ext.gif
C:\WINDOWS\system32\vldpmvww\soft3_on.gif
C:\WINDOWS\system32\vldpmvww\soft3_on_ext.gif
C:\WINDOWS\system32\vldpmvww\softbottom_off.gif
C:\WINDOWS\system32\vldpmvww\softbottom_on.gif
C:\WINDOWS\system32\vldpmvww\softleft_off.gif
C:\WINDOWS\system32\vldpmvww\softleft_on.gif
C:\WINDOWS\system32\vldpmvww\top1.gif
C:\WINDOWS\system32\vldpmvww\top2.gif
C:\WINDOWS\system32\vldpmvww\turnoff1.gif
C:\WINDOWS\system32\vldpmvww\turnon1.gif

.
((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.

2007-10-08 22:33 6,633 --ahs---- C:\WINDOWS\system32\fhkmp.bak2
2007-10-07 17:02 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-07 14:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-05 20:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-05 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-05 18:44 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-05 18:16 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-05 18:16 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-05 18:16 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-05 18:16 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-05 18:16 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-05 18:11 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-05 17:16 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-05 17:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-05 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-05 16:10 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-10-05 16:10 <DIR> d-------- C:\Documents and Settings\Corr Lab\Application Data\U3
2007-10-05 16:08 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-05 16:07 <DIR> d-------- C:\WINDOWS\ShellNew
2007-10-05 12:45 <DIR> d-------- C:\Documents and Settings\Corr Lab\Application Data\AdobeUM
2007-10-05 12:06 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-10-05 12:06 <DIR> d-------- C:\Documents and Settings\Corr Lab\Application Data\Thunderbird
2007-10-05 11:56 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-05 11:55 1,277 --a------ C:\WINDOWS\mozver.dat
2007-10-05 11:40 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-02 15:24 <DIR> d-------- C:\Temp
2007-10-02 15:12 <DIR> d--h----- C:\Program Files\Zero G Registry
2007-10-02 15:12 <DIR> d-------- C:\Program Files\Abaqus
2007-10-02 15:04 <DIR> d--h----- C:\Documents and Settings\Corr Lab\InstallAnywhere
2007-10-02 15:01 <DIR> d---s---- C:\Documents and Settings\Corr Lab\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 23:23 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-19 18:03 315392 --a------ C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 08:00 C:\WINDOWS\system32\bthprops.cpl]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-06-04 14:40]
"Brightness"="C:\WINDOWS\system32\Brightness.exe" [2007-06-04 14:51]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-06-04 14:51]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-10-05 12:44:19]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BE666F3C-9D33-4E29-B4BC-7E6AA64B5129}"= C:\WINDOWS\system32\ssqpmji.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpmji]
ssqpmji.dll

R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe
R2 KeyAgent;KeyAgent;\??\C:\WINDOWS\system32\drivers\KeyAgent.sys
R2 MacHALDriver;Mac HAL;\??\C:\WINDOWS\system32\drivers\MacHALDriver.sys
R2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;"C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe"
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-08-11 20:41:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 23:23:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-08 23:24:33 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-08 23:24
C:\ComboFix2.txt ... 2007-10-08 21:34
C:\ComboFix3.txt ... 2007-10-07 14:54
.
--- E O F ---
 
That's funny.

The O20 entry is back (with the same file name, ssqpmji.dll).

But now it adds (file missing). Does this mean I don't need to try to "fix" it with HJT?
 
Hello Rippy,

But now it adds (file missing). Does this mean I don't need to try to "fix" it with HJT?
We still need to fix it with HijackThis, just to clean up the leftover entry. This just shows us that this file is no longer actively present on the computer.

A. Please RUN HijackThis
  1. Click the SCAN button to produce a log.

  2. Place a check mark beside each one of the following items:

    O20 - Winlogon Notify: ssqpmji - ssqpmji.dll (file missing)

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


B. 1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\fhkmp.bak2


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]



5. After the reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
 
New Logs

Done! :eek:

HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:31 PM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rpinfo.rpi.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: ssqpmji - ssqpmji.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Remote Solver for COSMOSFloWorks 2007 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7258 bytes


COMBOFIX LOG

ComboFix 07-10-07.2 - Corr Lab 2007-10-09 15:39:54.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2595 [GMT -4:00]
Running from: C:\Documents and Settings\Corr Lab\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Corr Lab\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.

2007-10-08 22:33 6,633 --ahs---- C:\WINDOWS\system32\fhkmp.bak2
2007-10-07 17:02 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-07 14:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-05 20:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-05 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-05 18:44 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-05 18:16 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-05 18:16 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-05 18:16 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-05 18:16 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-05 18:16 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-05 18:11 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-05 17:16 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-05 17:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-05 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-05 16:10 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-10-05 16:10 <DIR> d-------- C:\Documents and Settings\Corr Lab\Application Data\U3
2007-10-05 16:08 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-05 16:07 <DIR> d-------- C:\WINDOWS\ShellNew
2007-10-05 12:45 <DIR> d-------- C:\Documents and Settings\Corr Lab\Application Data\AdobeUM
2007-10-05 12:06 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-10-05 12:06 <DIR> d-------- C:\Documents and Settings\Corr Lab\Application Data\Thunderbird
2007-10-05 11:56 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-05 11:55 1,277 --a------ C:\WINDOWS\mozver.dat
2007-10-05 11:40 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-02 15:24 <DIR> d-------- C:\Temp
2007-10-02 15:12 <DIR> d--h----- C:\Program Files\Zero G Registry
2007-10-02 15:12 <DIR> d-------- C:\Program Files\Abaqus
2007-10-02 15:04 <DIR> d--h----- C:\Documents and Settings\Corr Lab\InstallAnywhere
2007-10-02 15:01 <DIR> d---s---- C:\Documents and Settings\Corr Lab\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-09 15:35 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-19 18:03 315392 --a------ C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-07_14.53.49.15 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 14,048 2007-03-06 01:22:36 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\spmsg.dll
----a-w 213,216 2007-03-06 01:22:41 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\spuninst.exe
----a-w 1,022,976 2007-08-22 13:12:15 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\browseui.dll
----a-w 151,040 2007-08-22 13:12:15 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\cdfview.dll
----a-w 1,054,208 2007-08-22 13:12:16 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\danim.dll
----a-w 357,888 2007-08-22 13:12:16 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\dxtmsft.dll
----a-w 205,312 2007-08-22 13:12:16 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\dxtrans.dll
----a-w 55,808 2007-08-22 13:12:16 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\extmgr.dll
----a-w 18,432 2007-08-21 10:30:45 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\iedw.exe
----a-w 251,392 2007-08-22 13:12:16 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\iepeers.dll
----a-w 96,256 2007-08-22 13:12:16 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\inseng.dll
----a-w 16,384 2007-08-22 13:12:16 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\jsproxy.dll
----a-w 3,058,176 2007-08-22 13:12:17 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\mshtml.dll
----a-w 449,024 2007-08-22 13:12:17 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\mshtmled.dll
----a-w 146,432 2007-08-22 13:12:17 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\msrating.dll
----a-w 532,480 2007-08-22 13:12:17 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\mstime.dll
----a-w 39,424 2007-08-22 13:12:17 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\pngfilt.dll
----a-w 1,494,528 2007-08-22 13:12:18 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\shdocvw.dll
----a-w 474,112 2007-08-22 13:12:18 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\shlwapi.dll
----a-w 615,424 2007-08-22 13:12:18 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\urlmon.dll
----a-w 658,944 2007-08-22 13:12:18 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\wininet.dll
----a-w 115,712 2007-08-21 10:20:02 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\xpsp3res.dll
----a-w 1,022,976 2007-08-22 12:55:28 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\browseui.dll
----a-w 151,040 2007-08-22 12:55:29 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\cdfview.dll
----a-w 1,054,208 2007-08-22 12:55:30 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\danim.dll
----a-w 357,888 2007-08-22 12:55:30 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\dxtmsft.dll
----a-w 205,824 2007-08-22 12:55:31 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\dxtrans.dll
----a-w 55,808 2007-08-22 12:55:31 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\extmgr.dll
----a-w 18,432 2007-08-21 10:19:39 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\iedw.exe
----a-w 251,904 2007-08-22 12:55:32 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\iepeers.dll
----a-w 96,256 2007-08-22 12:55:32 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\inseng.dll
----a-w 16,384 2007-08-22 12:55:32 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\jsproxy.dll
----a-w 3,064,832 2007-08-22 12:55:36 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\mshtml.dll
----a-w 449,024 2007-08-22 12:55:37 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\mshtmled.dll
----a-w 146,432 2007-08-22 12:55:37 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\msrating.dll
----a-w 532,480 2007-08-22 12:55:38 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\mstime.dll
----a-w 39,424 2007-08-22 12:55:38 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\pngfilt.dll
----a-w 1,498,112 2007-08-22 12:55:40 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\shdocvw.dll
----a-w 474,112 2007-08-22 12:55:41 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\shlwapi.dll
----a-w 617,984 2007-08-22 12:55:43 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\urlmon.dll
----a-w 665,600 2007-08-22 12:55:44 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\wininet.dll
----a-w 350,720 2007-08-21 10:13:33 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\xpsp3res.dll
----a-w 22,752 2007-03-06 01:22:34 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\update\spcustom.dll
----a-w 716,000 2007-03-06 01:22:59 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\update\update.exe
----a-w 371,424 2007-03-06 01:23:51 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\update\updspapi.dll
----a-w 14,048 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\spmsg.dll
----a-w 213,216 2005-10-12 23:12:26 C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\spuninst.exe
----a-w 584,192 2007-07-09 13:09:42 C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2GDR\rpcrt4.dll
----a-w 115,712 2007-06-13 06:53:14 C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2GDR\xpsp3res.dll
----a-w 582,656 2007-07-09 13:16:16 C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2QFE\rpcrt4.dll
----a-w 350,720 2007-06-19 07:24:36 C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2QFE\xpsp3res.dll
----a-w 22,752 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\update\spcustom.dll
----a-w 716,000 2005-10-12 23:12:28 C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\update\update.exe
----a-w 371,424 2005-10-12 23:12:33 C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\update\updspapi.dll
----a-w 14,048 2007-03-06 01:22:36 C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\spmsg.dll
----a-w 213,216 2007-03-06 01:22:41 C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\spuninst.exe
----a-w 683,520 2007-08-21 06:15:44 C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\sp2gdr\inetcomm.dll
----a-w 683,520 2007-08-21 06:25:02 C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\sp2qfe\inetcomm.dll
----a-w 22,752 2007-03-06 01:22:34 C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\update\spcustom.dll
----a-w 716,000 2007-03-06 01:22:59 C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\update\update.exe
----a-w 371,424 2007-03-06 01:23:51 C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\update\updspapi.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 08:00 C:\WINDOWS\system32\bthprops.cpl]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-06-04 14:40]
"Brightness"="C:\WINDOWS\system32\Brightness.exe" [2007-06-04 14:51]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-06-04 14:51]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-10-05 12:44:19]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BE666F3C-9D33-4E29-B4BC-7E6AA64B5129}"= C:\WINDOWS\system32\ssqpmji.dll [ ]

R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe
R2 KeyAgent;KeyAgent;\??\C:\WINDOWS\system32\drivers\KeyAgent.sys
R2 MacHALDriver;Mac HAL;\??\C:\WINDOWS\system32\drivers\MacHALDriver.sys
R2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;"C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe"
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-08-11 20:41:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 15:42:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-09 15:42:51
C:\ComboFix-quarantined-files.txt ... 2007-10-09 15:42
C:\ComboFix2.txt ... 2007-10-08 23:24
C:\ComboFix3.txt ... 2007-10-08 21:34
.
--- E O F ---
 
Hello Rippy,

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\fhkmp.bak2
C:\WINDOWS\system32\ssqpmji.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BE666F3C-9D33-4E29-B4BC-7E6AA64B5129}"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
 
Anything else?

COMBOFIX LOG


ComboFix 07-10-07.2 - Corr Lab 2007-10-10 12:16:07.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2594 [GMT -4:00]
Running from: C:\Documents and Settings\Corr Lab\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Corr Lab\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\fhkmp.bak2
C:\WINDOWS\system32\ssqpmji.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\fhkmp.bak2

.
((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))
.

2007-10-07 17:02 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-07 14:46 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-05 20:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-05 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-05 18:44 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-05 18:16 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-05 18:16 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-05 18:16 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-05 18:16 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-05 18:16 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-05 18:11 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-05 17:16 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-05 17:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-05 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-05 16:10 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-10-05 16:10 <DIR> d-------- C:\Documents and Settings\Corr Lab\Application Data\U3
2007-10-05 16:08 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-05 16:07 <DIR> d-------- C:\WINDOWS\ShellNew
2007-10-05 12:45 <DIR> d-------- C:\Documents and Settings\Corr Lab\Application Data\AdobeUM
2007-10-05 12:06 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-10-05 12:06 <DIR> d-------- C:\Documents and Settings\Corr Lab\Application Data\Thunderbird
2007-10-05 11:56 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-05 11:55 1,277 --a------ C:\WINDOWS\mozver.dat
2007-10-05 11:40 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-02 15:24 <DIR> d-------- C:\Temp
2007-10-02 15:12 <DIR> d--h----- C:\Program Files\Zero G Registry
2007-10-02 15:12 <DIR> d-------- C:\Program Files\Abaqus
2007-10-02 15:04 <DIR> d--h----- C:\Documents and Settings\Corr Lab\InstallAnywhere
2007-10-02 15:01 <DIR> d---s---- C:\Documents and Settings\Corr Lab\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-10 11:45 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-08-21 02:15 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-19 18:03 315392 --a------ C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-07_14.53.49.15 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 14,048 2005-10-12 23:12:25 C:\WINDOWS\$hf_mig$\KB933729\spmsg.dll
----a-w 213,216 2005-10-12 23:12:26 C:\WINDOWS\$hf_mig$\KB933729\spuninst.exe
----a-w 582,656 2007-07-09 13:16:16 C:\WINDOWS\$hf_mig$\KB933729\SP2QFE\rpcrt4.dll
----a-w 350,720 2007-06-19 07:24:36 C:\WINDOWS\$hf_mig$\KB933729\SP2QFE\xpsp3res.dll
----a-w 22,752 2005-10-12 23:12:25 C:\WINDOWS\$hf_mig$\KB933729\update\spcustom.dll
----a-w 716,000 2005-10-12 23:12:28 C:\WINDOWS\$hf_mig$\KB933729\update\update.exe
----a-w 371,424 2005-10-12 23:12:33 C:\WINDOWS\$hf_mig$\KB933729\update\updspapi.dll
----a-w 14,048 2007-03-06 01:22:36 C:\WINDOWS\$hf_mig$\KB939653\spmsg.dll
----a-w 213,216 2007-03-06 01:22:41 C:\WINDOWS\$hf_mig$\KB939653\spuninst.exe
----a-w 1,022,976 2007-08-22 12:55:28 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\browseui.dll
----a-w 151,040 2007-08-22 12:55:29 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\cdfview.dll
----a-w 1,054,208 2007-08-22 12:55:30 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\danim.dll
----a-w 357,888 2007-08-22 12:55:30 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\dxtmsft.dll
----a-w 205,824 2007-08-22 12:55:31 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\dxtrans.dll
----a-w 55,808 2007-08-22 12:55:31 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\extmgr.dll
----a-w 18,432 2007-08-21 10:19:39 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\iedw.exe
----a-w 251,904 2007-08-22 12:55:32 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\iepeers.dll
----a-w 96,256 2007-08-22 12:55:32 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\inseng.dll
----a-w 16,384 2007-08-22 12:55:32 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\jsproxy.dll
----a-w 3,064,832 2007-08-22 12:55:36 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\mshtml.dll
----a-w 449,024 2007-08-22 12:55:37 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\mshtmled.dll
----a-w 146,432 2007-08-22 12:55:37 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\msrating.dll
----a-w 532,480 2007-08-22 12:55:38 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\mstime.dll
----a-w 39,424 2007-08-22 12:55:38 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\pngfilt.dll
----a-w 1,498,112 2007-08-22 12:55:40 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\shdocvw.dll
----a-w 474,112 2007-08-22 12:55:41 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\shlwapi.dll
----a-w 617,984 2007-08-22 12:55:43 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\urlmon.dll
----a-w 665,600 2007-08-22 12:55:44 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\wininet.dll
----a-w 350,720 2007-08-21 10:13:33 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\xpsp3res.dll
----a-w 22,752 2007-03-06 01:22:34 C:\WINDOWS\$hf_mig$\KB939653\update\spcustom.dll
----a-w 716,000 2007-03-06 01:22:59 C:\WINDOWS\$hf_mig$\KB939653\update\update.exe
----a-w 371,424 2007-03-06 01:23:51 C:\WINDOWS\$hf_mig$\KB939653\update\updspapi.dll
----a-w 14,048 2007-03-06 01:22:36 C:\WINDOWS\$hf_mig$\KB941202\spmsg.dll
----a-w 213,216 2007-03-06 01:22:41 C:\WINDOWS\$hf_mig$\KB941202\spuninst.exe
----a-w 683,520 2007-08-21 06:25:02 C:\WINDOWS\$hf_mig$\KB941202\SP2QFE\inetcomm.dll
----a-w 22,752 2007-03-06 01:22:34 C:\WINDOWS\$hf_mig$\KB941202\update\spcustom.dll
----a-w 716,000 2007-03-06 01:22:59 C:\WINDOWS\$hf_mig$\KB941202\update\update.exe
----a-w 371,424 2007-03-06 01:23:51 C:\WINDOWS\$hf_mig$\KB941202\update\updspapi.dll
-c----w 581,120 2004-08-04 12:00:00 C:\WINDOWS\$NtUninstallKB933729$\rpcrt4.dll
-c----w 213,216 2005-10-12 23:12:26 C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe
-c----w 371,424 2005-10-12 23:12:33 C:\WINDOWS\$NtUninstallKB933729$\spuninst\updspapi.dll
-c----w 1,023,488 2007-06-14 18:09:18 C:\WINDOWS\$NtUninstallKB939653$\browseui.dll
-c----w 151,040 2007-06-14 18:09:18 C:\WINDOWS\$NtUninstallKB939653$\cdfview.dll
-c----w 1,054,208 2007-06-14 18:09:18 C:\WINDOWS\$NtUninstallKB939653$\danim.dll
-c----w 357,888 2007-06-14 18:09:18 C:\WINDOWS\$NtUninstallKB939653$\dxtmsft.dll
-c----w 205,312 2007-06-14 18:09:19 C:\WINDOWS\$NtUninstallKB939653$\dxtrans.dll
-c----w 55,808 2007-06-14 18:09:19 C:\WINDOWS\$NtUninstallKB939653$\extmgr.dll
-c----w 18,432 2007-06-14 14:07:24 C:\WINDOWS\$NtUninstallKB939653$\iedw.exe
-c----w 251,392 2007-06-14 18:09:19 C:\WINDOWS\$NtUninstallKB939653$\iepeers.dll
-c----w 96,256 2007-06-14 18:09:19 C:\WINDOWS\$NtUninstallKB939653$\inseng.dll
-c----w 16,384 2007-06-14 18:09:19 C:\WINDOWS\$NtUninstallKB939653$\jsproxy.dll
-c----w 3,058,688 2007-06-14 18:09:20 C:\WINDOWS\$NtUninstallKB939653$\mshtml.dll
-c----w 449,024 2007-06-14 18:09:19 C:\WINDOWS\$NtUninstallKB939653$\mshtmled.dll
-c----w 146,432 2007-06-14 18:09:19 C:\WINDOWS\$NtUninstallKB939653$\msrating.dll
-c----w 532,480 2007-06-14 18:09:20 C:\WINDOWS\$NtUninstallKB939653$\mstime.dll
-c----w 39,424 2007-06-14 18:09:20 C:\WINDOWS\$NtUninstallKB939653$\pngfilt.dll
-c----w 1,494,528 2007-06-14 18:09:20 C:\WINDOWS\$NtUninstallKB939653$\shdocvw.dll
-c----w 474,112 2007-06-14 18:09:20 C:\WINDOWS\$NtUninstallKB939653$\shlwapi.dll
-c----w 615,424 2007-06-14 18:09:20 C:\WINDOWS\$NtUninstallKB939653$\urlmon.dll
-c----w 658,944 2007-06-26 14:09:10 C:\WINDOWS\$NtUninstallKB939653$\wininet.dll
-c----w 115,712 2007-06-14 13:39:54 C:\WINDOWS\$NtUninstallKB939653$\xpsp3res.dll
-c----w 213,216 2007-03-06 01:22:41 C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe
-c----w 371,424 2007-03-06 01:23:51 C:\WINDOWS\$NtUninstallKB939653$\spuninst\updspapi.dll
-c----w 683,520 2007-05-16 15:12:02 C:\WINDOWS\$NtUninstallKB941202$\inetcomm.dll
-c----w 213,216 2007-03-06 01:22:41 C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe
-c----w 371,424 2007-03-06 01:23:51 C:\WINDOWS\$NtUninstallKB941202$\spuninst\updspapi.dll
----a-w 14,048 2007-03-06 01:22:36 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\spmsg.dll
----a-w 213,216 2007-03-06 01:22:41 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\spuninst.exe
----a-w 1,022,976 2007-08-22 13:12:15 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\browseui.dll
----a-w 151,040 2007-08-22 13:12:15 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\cdfview.dll
----a-w 1,054,208 2007-08-22 13:12:16 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\danim.dll
----a-w 357,888 2007-08-22 13:12:16 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\dxtmsft.dll
----a-w 205,312 2007-08-22 13:12:16 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\dxtrans.dll
----a-w 55,808 2007-08-22 13:12:16 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\extmgr.dll
----a-w 18,432 2007-08-21 10:30:45 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\iedw.exe
----a-w 251,392 2007-08-22 13:12:16 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\iepeers.dll
----a-w 96,256 2007-08-22 13:12:16 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\inseng.dll
----a-w 16,384 2007-08-22 13:12:16 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\jsproxy.dll
----a-w 3,058,176 2007-08-22 13:12:17 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\mshtml.dll
----a-w 449,024 2007-08-22 13:12:17 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\mshtmled.dll
----a-w 146,432 2007-08-22 13:12:17 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\msrating.dll
----a-w 532,480 2007-08-22 13:12:17 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\mstime.dll
----a-w 39,424 2007-08-22 13:12:17 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\pngfilt.dll
----a-w 1,494,528 2007-08-22 13:12:18 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\shdocvw.dll
----a-w 474,112 2007-08-22 13:12:18 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\shlwapi.dll
----a-w 615,424 2007-08-22 13:12:18 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\urlmon.dll
----a-w 658,944 2007-08-22 13:12:18 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\wininet.dll
----a-w 115,712 2007-08-21 10:20:02 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2gdr\xpsp3res.dll
----a-w 1,022,976 2007-08-22 12:55:28 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\browseui.dll
----a-w 151,040 2007-08-22 12:55:29 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\cdfview.dll
----a-w 1,054,208 2007-08-22 12:55:30 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\danim.dll
----a-w 357,888 2007-08-22 12:55:30 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\dxtmsft.dll
----a-w 205,824 2007-08-22 12:55:31 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\dxtrans.dll
----a-w 55,808 2007-08-22 12:55:31 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\extmgr.dll
----a-w 18,432 2007-08-21 10:19:39 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\iedw.exe
----a-w 251,904 2007-08-22 12:55:32 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\iepeers.dll
----a-w 96,256 2007-08-22 12:55:32 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\inseng.dll
----a-w 16,384 2007-08-22 12:55:32 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\jsproxy.dll
----a-w 3,064,832 2007-08-22 12:55:36 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\mshtml.dll
----a-w 449,024 2007-08-22 12:55:37 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\mshtmled.dll
----a-w 146,432 2007-08-22 12:55:37 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\msrating.dll
----a-w 532,480 2007-08-22 12:55:38 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\mstime.dll
----a-w 39,424 2007-08-22 12:55:38 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\pngfilt.dll
----a-w 1,498,112 2007-08-22 12:55:40 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\shdocvw.dll
----a-w 474,112 2007-08-22 12:55:41 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\shlwapi.dll
----a-w 617,984 2007-08-22 12:55:43 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\urlmon.dll
----a-w 665,600 2007-08-22 12:55:44 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\wininet.dll
----a-w 350,720 2007-08-21 10:13:33 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\sp2qfe\xpsp3res.dll
----a-w 22,752 2007-03-06 01:22:34 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\update\spcustom.dll
----a-w 716,000 2007-03-06 01:22:59 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\update\update.exe
----a-w 371,424 2007-03-06 01:23:51 C:\WINDOWS\SoftwareDistribution\Download\0474e07262334919ca66aaa879430a63\update\updspapi.dll
----a-w 14,048 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\spmsg.dll
----a-w 213,216 2005-10-12 23:12:26 C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\spuninst.exe
----a-w 584,192 2007-07-09 13:09:42 C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2GDR\rpcrt4.dll
----a-w 115,712 2007-06-13 06:53:14 C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2GDR\xpsp3res.dll
----a-w 582,656 2007-07-09 13:16:16 C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2QFE\rpcrt4.dll
----a-w 350,720 2007-06-19 07:24:36 C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\SP2QFE\xpsp3res.dll
----a-w 22,752 2005-10-12 23:12:25 C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\update\spcustom.dll
----a-w 716,000 2005-10-12 23:12:28 C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\update\update.exe
----a-w 371,424 2005-10-12 23:12:33 C:\WINDOWS\SoftwareDistribution\Download\28d74bdac17e30d3a4336176766f2e4a\update\updspapi.dll
----a-w 14,048 2007-03-06 01:22:36 C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\spmsg.dll
----a-w 213,216 2007-03-06 01:22:41 C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\spuninst.exe
----a-w 683,520 2007-08-21 06:15:44 C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\sp2gdr\inetcomm.dll
----a-w 683,520 2007-08-21 06:25:02 C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\sp2qfe\inetcomm.dll
----a-w 22,752 2007-03-06 01:22:34 C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\update\spcustom.dll
----a-w 716,000 2007-03-06 01:22:59 C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\update\update.exe
----a-w 371,424 2007-03-06 01:23:51 C:\WINDOWS\SoftwareDistribution\Download\8c426bb59cb8f380ba397304c1c563d0\update\updspapi.dll
----a-w 1,022,976 2007-08-22 13:12:15 C:\WINDOWS\system32\browseui.dll
----a-w 151,040 2007-08-22 13:12:15 C:\WINDOWS\system32\cdfview.dll
----a-w 1,054,208 2007-08-22 13:12:16 C:\WINDOWS\system32\danim.dll
----a-w 357,888 2007-08-22 13:12:16 C:\WINDOWS\system32\dxtmsft.dll
----a-w 205,312 2007-08-22 13:12:16 C:\WINDOWS\system32\dxtrans.dll
----a-w 55,808 2007-08-22 13:12:16 C:\WINDOWS\system32\extmgr.dll
----a-w 251,392 2007-08-22 13:12:16 C:\WINDOWS\system32\iepeers.dll
----a-w 96,256 2007-08-22 13:12:16 C:\WINDOWS\system32\inseng.dll
----a-w 16,384 2007-08-22 13:12:16 C:\WINDOWS\system32\jsproxy.dll
----a-w 18,089,592 2007-09-28 05:19:39 C:\WINDOWS\system32\MRT.exe
----a-w 3,058,176 2007-08-22 13:12:17 C:\WINDOWS\system32\mshtml.dll
----a-w 449,024 2007-08-22 13:12:17 C:\WINDOWS\system32\mshtmled.dll
----a-w 146,432 2007-08-22 13:12:17 C:\WINDOWS\system32\msrating.dll
----a-w 532,480 2007-08-22 13:12:17 C:\WINDOWS\system32\mstime.dll
----a-w 39,424 2007-08-22 13:12:17 C:\WINDOWS\system32\pngfilt.dll
----a-w 584,192 2007-07-09 13:09:42 C:\WINDOWS\system32\rpcrt4.dll
----a-w 1,494,528 2007-08-22 13:12:18 C:\WINDOWS\system32\shdocvw.dll
----a-w 474,112 2007-08-22 13:12:18 C:\WINDOWS\system32\shlwapi.dll
----a-w 615,424 2007-08-22 13:12:18 C:\WINDOWS\system32\urlmon.dll
----a-w 658,944 2007-08-22 13:12:18 C:\WINDOWS\system32\wininet.dll
----a-w 115,712 2007-08-21 10:20:02 C:\WINDOWS\system32\xpsp3res.dll
-c--a-w 1,022,976 2007-08-22 13:12:15 C:\WINDOWS\system32\dllcache\browseui.dll
-c--a-w 151,040 2007-08-22 13:12:15 C:\WINDOWS\system32\dllcache\cdfview.dll
-c--a-w 1,054,208 2007-08-22 13:12:16 C:\WINDOWS\system32\dllcache\danim.dll
-c--a-w 357,888 2007-08-22 13:12:16 C:\WINDOWS\system32\dllcache\dxtmsft.dll
-c--a-w 205,312 2007-08-22 13:12:16 C:\WINDOWS\system32\dllcache\dxtrans.dll
-c--a-w 55,808 2007-08-22 13:12:16 C:\WINDOWS\system32\dllcache\extmgr.dll
-c--a-w 18,432 2007-08-21 10:30:45 C:\WINDOWS\system32\dllcache\iedw.exe
-c--a-w 251,392 2007-08-22 13:12:16 C:\WINDOWS\system32\dllcache\iepeers.dll
-c--a-w 683,520 2007-08-21 06:15:44 C:\WINDOWS\system32\dllcache\inetcomm.dll
-c--a-w 96,256 2007-08-22 13:12:16 C:\WINDOWS\system32\dllcache\inseng.dll
-c--a-w 16,384 2007-08-22 13:12:16 C:\WINDOWS\system32\dllcache\jsproxy.dll
-c--a-w 3,058,176 2007-08-22 13:12:17 C:\WINDOWS\system32\dllcache\mshtml.dll
-c--a-w 449,024 2007-08-22 13:12:17 C:\WINDOWS\system32\dllcache\mshtmled.dll
-c--a-w 146,432 2007-08-22 13:12:17 C:\WINDOWS\system32\dllcache\msrating.dll
-c--a-w 532,480 2007-08-22 13:12:17 C:\WINDOWS\system32\dllcache\mstime.dll
-c--a-w 39,424 2007-08-22 13:12:17 C:\WINDOWS\system32\dllcache\pngfilt.dll
-c--a-w 584,192 2007-07-09 13:09:42 C:\WINDOWS\system32\dllcache\rpcrt4.dll
-c--a-w 1,494,528 2007-08-22 13:12:18 C:\WINDOWS\system32\dllcache\shdocvw.dll
-c--a-w 474,112 2007-08-22 13:12:18 C:\WINDOWS\system32\dllcache\shlwapi.dll
-c--a-w 615,424 2007-08-22 13:12:18 C:\WINDOWS\system32\dllcache\urlmon.dll
-c--a-w 658,944 2007-08-22 13:12:18 C:\WINDOWS\system32\dllcache\wininet.dll
.
----a-w 1,023,488 2007-06-14 18:09:18 C:\WINDOWS\system32\browseui.dll
----a-w 151,040 2007-06-14 18:09:18 C:\WINDOWS\system32\cdfview.dll
----a-w 1,054,208 2007-06-14 18:09:18 C:\WINDOWS\system32\danim.dll
----a-w 357,888 2007-06-14 18:09:18 C:\WINDOWS\system32\dxtmsft.dll
----a-w 205,312 2007-06-14 18:09:19 C:\WINDOWS\system32\dxtrans.dll
----a-w 55,808 2007-06-14 18:09:19 C:\WINDOWS\system32\extmgr.dll
----a-w 251,392 2007-06-14 18:09:19 C:\WINDOWS\system32\iepeers.dll
----a-w 96,256 2007-06-14 18:09:19 C:\WINDOWS\system32\inseng.dll
----a-w 16,384 2007-06-14 18:09:19 C:\WINDOWS\system32\jsproxy.dll
----a-w 17,474,680 2007-09-05 23:50:44 C:\WINDOWS\system32\MRT.exe
----a-w 3,058,688 2007-06-14 18:09:20 C:\WINDOWS\system32\mshtml.dll
----a-w 449,024 2007-06-14 18:09:19 C:\WINDOWS\system32\mshtmled.dll
----a-w 146,432 2007-06-14 18:09:19 C:\WINDOWS\system32\msrating.dll
----a-w 532,480 2007-06-14 18:09:20 C:\WINDOWS\system32\mstime.dll
----a-w 39,424 2007-06-14 18:09:20 C:\WINDOWS\system32\pngfilt.dll
----a-w 581,120 2004-08-04 12:00:00 C:\WINDOWS\system32\rpcrt4.dll
----a-w 1,494,528 2007-06-14 18:09:20 C:\WINDOWS\system32\shdocvw.dll
----a-w 474,112 2007-06-14 18:09:20 C:\WINDOWS\system32\shlwapi.dll
----a-w 615,424 2007-06-14 18:09:20 C:\WINDOWS\system32\urlmon.dll
----a-w 658,944 2007-06-26 14:09:10 C:\WINDOWS\system32\wininet.dll
----a-w 115,712 2007-06-14 13:39:54 C:\WINDOWS\system32\xpsp3res.dll
-c--a-w 1,023,488 2007-06-14 18:09:18 C:\WINDOWS\system32\dllcache\browseui.dll
-c--a-w 151,040 2007-06-14 18:09:18 C:\WINDOWS\system32\dllcache\cdfview.dll
-c--a-w 1,054,208 2007-06-14 18:09:18 C:\WINDOWS\system32\dllcache\danim.dll
-c--a-w 357,888 2007-06-14 18:09:18 C:\WINDOWS\system32\dllcache\dxtmsft.dll
-c--a-w 205,312 2007-06-14 18:09:19 C:\WINDOWS\system32\dllcache\dxtrans.dll
-c--a-w 55,808 2007-06-14 18:09:19 C:\WINDOWS\system32\dllcache\extmgr.dll
-c--a-w 18,432 2007-06-14 14:07:24 C:\WINDOWS\system32\dllcache\iedw.exe
-c--a-w 251,392 2007-06-14 18:09:19 C:\WINDOWS\system32\dllcache\iepeers.dll
-c--a-w 683,520 2007-05-16 15:12:02 C:\WINDOWS\system32\dllcache\inetcomm.dll
-c--a-w 96,256 2007-06-14 18:09:19 C:\WINDOWS\system32\dllcache\inseng.dll
-c--a-w 16,384 2007-06-14 18:09:19 C:\WINDOWS\system32\dllcache\jsproxy.dll
-c--a-w 3,058,688 2007-06-14 18:09:20 C:\WINDOWS\system32\dllcache\mshtml.dll
-c--a-w 449,024 2007-06-14 18:09:19 C:\WINDOWS\system32\dllcache\mshtmled.dll
-c--a-w 146,432 2007-06-14 18:09:19 C:\WINDOWS\system32\dllcache\msrating.dll
-c--a-w 532,480 2007-06-14 18:09:20 C:\WINDOWS\system32\dllcache\mstime.dll
-c--a-w 39,424 2007-06-14 18:09:20 C:\WINDOWS\system32\dllcache\pngfilt.dll
-c--a-w 581,120 2004-08-04 12:00:00 C:\WINDOWS\system32\dllcache\rpcrt4.dll
-c--a-w 1,494,528 2007-06-14 18:09:20 C:\WINDOWS\system32\dllcache\shdocvw.dll
-c--a-w 474,112 2007-06-14 18:09:20 C:\WINDOWS\system32\dllcache\shlwapi.dll
-c--a-w 615,424 2007-06-14 18:09:20 C:\WINDOWS\system32\dllcache\urlmon.dll
-c--a-w 658,944 2007-06-26 14:09:10 C:\WINDOWS\system32\dllcache\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 08:00 C:\WINDOWS\system32\bthprops.cpl]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-06-04 14:40]
"Brightness"="C:\WINDOWS\system32\Brightness.exe" [2007-06-04 14:51]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-06-04 14:51]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-10-05 12:44:19]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BE666F3C-9D33-4E29-B4BC-7E6AA64B5129}"= C:\WINDOWS\system32\ssqpmji.dll [ ]

R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe
R2 KeyAgent;KeyAgent;\??\C:\WINDOWS\system32\drivers\KeyAgent.sys
R2 MacHALDriver;Mac HAL;\??\C:\WINDOWS\system32\drivers\MacHALDriver.sys
R2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;"C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe"
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys
S3 iSightUpdate;iSight Update Driver;C:\WINDOWS\system32\DRIVERS\iSightUP.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-08-11 20:41:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-10 12:30:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-10 12:37:26
C:\ComboFix-quarantined-files.txt ... 2007-10-10 12:37
C:\ComboFix2.txt ... 2007-10-09 15:42
C:\ComboFix3.txt ... 2007-10-08 23:24
.
--- E O F ---
 
Cont.

HJT LOG


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:08 PM, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\IRW.exe
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rpinfo.rpi.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Remote Solver for COSMOSFloWorks 2007 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7019 bytes
 
Hello Rippy,

  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\HideWin.exe
  • Click on the submit button
  • Please repeat the above steps for the two files below as well.
    • C:\WINDOWS\system32\IRW.exe
    • C:\WINDOWS\system32\Brightness.exe
  • Please post the results in your next reply.
 
File: HideWin.exe
Status: OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 2d65f8db74c36819896cf809e4375f0a
Packers detected: -
Bit9 reports: No threat detected (more info)

Scanner results
Scan taken on 12 Oct 2007 16:58:56 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
 
File: IRW.exe
Status: OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 87d451a87cc4a4afb3d4b8f020de3769
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 12 Oct 2007 17:13:15 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

File: Brightness.exe
Status: OK
MD5: e755f79f8233c5f2bf5d09b14b4fee31
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 12 Oct 2007 17:16:37 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
 
Hello Rippy,

Open notepad and copy (Ctrl C) and paste (Ctrl V) the following text in the quote:

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BE666F3C-9D33-4E29-B4BC-7E6AA64B5129}"=-

Save it to your drive C:\ as fix131.reg, with "Save as type" set to "All files".

Double click on fix131.reg and allow when prompted to let it merge with the registry.

Please post back with a new HijackThis log and an update on how your computer is running.
 
Sorry it took a bit to get back to you.

I merged that file into the registry a couple of days ago or so. I just performed a new HJT scan, and the computer seems to be doing fine.


HJT Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:10 PM, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\WINDOWS\system32\Brightness.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rpinfo.rpi.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Brightness] C:\WINDOWS\system32\Brightness.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Remote Solver for COSMOSFloWorks 2007 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6920 bytes
 