Answers to your tech questions
Computer forums for help with removing malicious software (malware) and improving computer security
[Resolved] VIRUS ALERT!, Vista Antivirus spam has infected me!
Juliusmaximus
post Jul 25 2008, 09:05 AM
Post #1
Hello to all the good people at Tom Coyote, always thank you for your services!
Okay, yesterday, I started getting bombed by something that kept wanting to change my registry entries. It started when I got fooled by a pop-up "Vista Antivirus 2008" instructing me to scan for malware; since it looked just like the Windows Vista Shield (four colored), I bit the bait and got lured in.

Symptoms:
Made my C: drive invisible when I click on My Computer
Clock has turned military time and year/date now reads VIRUS ALERT!
Could not start Automatic Updates (Error 1058: ...because it is disabled or it has no enabled devices associated with it.) I tried enabling, no luck.
Norton Antivirus yielded: Spectron Keygen - Trojan Horse - repair failed; trash keygen - Trojan Horse - repair failed. Quarantined.

I will post the HijackThis log below:

O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{BD8667B7-38D8-4C77-B580-18C3E146372C}]
"SystemComponent"=dword:00000000
"Installer"="MSICD"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{BD8667B7-38D8-4C77-B580-18C3E146372C}\Contains]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{BD8667B7-38D8-4C77-B580-18C3E146372C}\Contains\Files]
"C:\\WINDOWS\\system32\\Crusher.dll"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{BD8667B7-38D8-4C77-B580-18C3E146372C}\DownloadInformation]
"CODEBASE"="http://ak.imgag.com/imgag/cp/install/Crusher.cab"
"INF"="C:\\WINDOWS\\Downloaded Program Files\\Crusher.inf"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{BD8667B7-38D8-4C77-B580-18C3E146372C}\InstalledVersion]
@="1,1,5012,0"
"LastModified"="Thu, 13 Jan 2005 21:02:12 GMT"


[HKEY_CLASSES_ROOT\CLSID\{BD8667B7-38D8-4C77-B580-18C3E146372C}]
@="Creative Toolbox Plug-in"
"AppID"="{5B01F432-D54D-44E1-A1AE-E4389D8D0FB6}"

[HKEY_CLASSES_ROOT\CLSID\{BD8667B7-38D8-4C77-B580-18C3E146372C}\Control]

[HKEY_CLASSES_ROOT\CLSID\{BD8667B7-38D8-4C77-B580-18C3E146372C}\InprocServer32]
@="C:\\WINDOWS\\system32\\Crusher.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BD8667B7-38D8-4C77-B580-18C3E146372C}\MiscStatus]
@="0"

[HKEY_CLASSES_ROOT\CLSID\{BD8667B7-38D8-4C77-B580-18C3E146372C}\MiscStatus\1]
@="132497"

[HKEY_CLASSES_ROOT\CLSID\{BD8667B7-38D8-4C77-B580-18C3E146372C}\ProgID]
@="Crusher.Plugin.1"

[HKEY_CLASSES_ROOT\CLSID\{BD8667B7-38D8-4C77-B580-18C3E146372C}\Programmable]

[HKEY_CLASSES_ROOT\CLSID\{BD8667B7-38D8-4C77-B580-18C3E146372C}\ToolboxBitmap32]
@="C:\\WINDOWS\\system32\\Crusher.dll, 1"

[HKEY_CLASSES_ROOT\CLSID\{BD8667B7-38D8-4C77-B580-18C3E146372C}\TypeLib]
@="{2194547B-7361-42A3-874E-A6007734E1C5}"

[HKEY_CLASSES_ROOT\CLSID\{BD8667B7-38D8-4C77-B580-18C3E146372C}\Version]
@="1.0"

[HKEY_CLASSES_ROOT\CLSID\{BD8667B7-38D8-4C77-B580-18C3E146372C}\VersionIndependentProgID]
@="Crusher.Plugin"


O11 - Options group: [INTERNATIONAL] International*
Juliusmaximus
post Jul 26 2008, 08:36 AM
Post #2
Well, I haven't seen a response (not complaining, just a fact; I know you all volunteer your time and it is appreciated), so I tried to find other posts with similar problems and saw that there were a few that used the Malwarebytes and ComboFix programs, which I downloaded and ran.

Malwarebytes fixed a few of the problems:
C:/ is no longer hidden
the "VIRUS ALERT!" down at the time/date corner is gone (though it still reads 08:28 as opposed to 8:28, which leads me to believe it's still there).

One thing I should mention is that my Spybot S&D TeaTimer keeps warning me about registry changes, which I don't know whether to allow or deny. I have been ignoring them so as to complete scans and logs. The latest one reads as follows:

category System Startup global entry
change Value deleted
entry Spybot - Search _Destroy
old data "C:\Program Files\Spybot - Search _Destroy\SpybotSD.exe" /autocheck
allow change or deny change?

Below is the ComboFix log followed by the most recent HijackThis log:

ComboFix 08-07-25.7 - Julio 2008-07-26 8:00:30.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1743 [GMT -6:00]
Running from: C:\Documents and Settings\Julio\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Julio\Application Data\macromedia\Flash Player\#SharedObjects\UCD5WNE7\interclick.com
C:\Documents and Settings\Julio\Application Data\macromedia\Flash Player\#SharedObjects\UCD5WNE7\interclick.com\ud.sol
C:\Documents and Settings\Julio\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Julio\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
.
---- Previous Run -------
.
C:\Documents and Settings\Julio\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008pro.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\ajthup.dll
C:\WINDOWS\system32\ATPartners.dll
C:\WINDOWS\system32\camoc.dll
C:\WINDOWS\system32\efcBqpMG.dll
C:\WINDOWS\system32\GMpqBcfe.ini
C:\WINDOWS\system32\GMpqBcfe.ini2
C:\WINDOWS\system32\gvomcplt.ini
C:\WINDOWS\system32\jfhorsuu.ini
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\oahkng.dll
C:\WINDOWS\system32\onpanljy.dll
C:\WINDOWS\system32\osmim.dll
C:\WINDOWS\system32\tnhjvp.dll
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\yfrukwke.dll
C:\WINDOWS\system32\yhkmkwpe.ini
C:\WINDOWS\system32\yvfkyavp.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-26 00:42 . 2008-07-26 00:42 <DIR> d-------- C:\Documents and Settings\Javier\Application Data\Corel
2008-07-25 18:31 . 2008-07-25 18:31 <DIR> d-------- C:\Documents and Settings\Javier\Application Data\Malwarebytes
2008-07-25 17:05 . 2008-07-26 00:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-25 17:05 . 2008-07-25 17:05 <DIR> d-------- C:\Documents and Settings\Julio\Application Data\Malwarebytes
2008-07-25 17:05 . 2008-07-25 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-25 17:05 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-25 17:05 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-15 14:23 . 2003-05-22 16:31 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 12:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-26 06:26 --------- d-----w C:\Program Files\Hijack This
2008-07-20 13:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-20 13:36 --------- d-----w C:\Program Files\Nick Jr. Arcade
2008-07-15 12:36 --------- d-----w C:\Program Files\Apple Software Update
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2006-09-22 22:17 28,672 ----a-w C:\Documents and Settings\Julio\atwbxdet.dll
2006-07-11 18:07 1,388 ----a-w C:\Documents and Settings\Julio\Application Data\ViewerApp.dat
2004-04-05 17:37 32 --sha-w C:\WINDOWS\{0316D169-4E3F-45A9-865C-13CD4681AFA9}.dat
2004-04-05 17:31 32 --sha-w C:\WINDOWS\{12849E02-956C-4514-A297-CA7245F7B072}.dat
2004-04-05 17:35 32 --sha-w C:\WINDOWS\{2BB2C641-4A1A-4C33-93AE-088D86054BF6}.dat
2004-04-05 17:34 32 --sha-w C:\WINDOWS\{30419408-A6EB-4121-BC37-EB83B59CCF81}.dat
2004-04-05 17:34 32 --sha-w C:\WINDOWS\{C243C660-FC4D-4D6A-BFF3-98C2D0AFFD3A}.dat
2004-04-05 17:34 32 --sha-w C:\WINDOWS\{CBC920AF-051F-448A-BDAF-A587541212D9}.dat
2004-04-05 17:36 32 --sha-w C:\WINDOWS\{ED6E5A5B-09AA-4261-B1B4-C626E113BFF7}.dat
2005-07-23 03:39 104 --sh--r C:\WINDOWS\system32\1395D81BED.sys
2005-04-12 20:37 254,012 --sha-w C:\WINDOWS\system32\Afha38.exe
2005-04-12 20:37 254,012 --sha-w C:\WINDOWS\system32\Aku8.exe
2005-04-12 20:39 499,772 --sha-w C:\WINDOWS\system32\AozDF.exe
2004-08-07 08:57 499,772 --sha-w C:\WINDOWS\system32\Biz1J.exe
2005-04-12 20:37 499,772 --sha-w C:\WINDOWS\system32\Bwdzm.exe
2005-04-12 20:59 254,012 --sha-w C:\WINDOWS\system32\CdiZ63.exe
2004-07-01 06:25 233,532 --sha-w C:\WINDOWS\system32\Cdzp93.exe
2005-04-12 20:37 254,012 --sha-w C:\WINDOWS\system32\Cel377g.exe
2005-04-12 20:39 254,012 --sha-w C:\WINDOWS\system32\Chf4e8R.exe
2004-06-29 18:37 233,532 --sha-w C:\WINDOWS\system32\Corx5Ux.exe
2005-04-12 20:39 499,772 --sha-w C:\WINDOWS\system32\CzidS.exe
2005-04-12 20:37 499,772 --sha-w C:\WINDOWS\system32\DcfxTb14.exe
2004-08-07 08:58 254,012 --sha-w C:\WINDOWS\system32\Dif4f8R.exe
2005-04-12 20:39 499,772 --sha-w C:\WINDOWS\system32\Dkb2m.exe
2005-04-12 20:39 499,772 --sha-w C:\WINDOWS\system32\Dyf0o5.exe
2005-04-12 20:42 254,012 --sha-w C:\WINDOWS\system32\EgneGdW1.exe
2004-07-02 00:05 233,532 --sha-w C:\WINDOWS\system32\EnfpK.exe
2005-04-12 20:42 254,012 --sha-w C:\WINDOWS\system32\EuyapiOy.exe
2005-04-12 20:59 254,012 --sha-w C:\WINDOWS\system32\Exlj31EG.exe
2004-07-01 06:25 233,532 --sha-w C:\WINDOWS\system32\Eyx0YNR.exe
2004-07-30 20:52 458,812 --sha-w C:\WINDOWS\system32\Ezg1p5.exe
2005-04-12 20:50 254,012 --sha-w C:\WINDOWS\system32\FpdS3.exe
2005-04-12 20:42 254,012 --sha-w C:\WINDOWS\system32\Fsua7y0.exe
2004-07-02 00:16 233,532 --sha-w C:\WINDOWS\system32\Fymk31fH.exe
2005-04-12 20:42 254,012 --sha-w C:\WINDOWS\system32\Gcok1B4A.exe
2005-04-12 20:52 254,012 --sha-w C:\WINDOWS\system32\GfqQ.exe
2004-07-01 06:25 233,532 --sha-w C:\WINDOWS\system32\Hoz3.exe
2004-06-29 18:37 233,532 --sha-w C:\WINDOWS\system32\Hplv.exe
2004-06-29 18:37 458,812 --sha-w C:\WINDOWS\system32\Hyh5.exe
2004-07-02 00:16 233,532 --sha-w C:\WINDOWS\system32\HzwVd25s.exe
2005-04-12 20:39 499,772 --sha-w C:\WINDOWS\system32\Ibo543oK.exe
2004-07-02 00:05 458,812 --sha-w C:\WINDOWS\system32\Ibp5.exe
2004-07-02 00:16 233,532 --sha-w C:\WINDOWS\system32\Ioq3SEW6.exe
2004-06-29 18:37 458,812 --sha-w C:\WINDOWS\system32\IpuFmd.exe
2005-04-12 20:42 254,012 --sha-w C:\WINDOWS\system32\IwzV8.exe
2005-04-12 20:37 254,012 --sha-w C:\WINDOWS\system32\JitU.exe
2005-04-12 20:39 254,012 --sha-w C:\WINDOWS\system32\Ksc5.exe
2005-04-12 20:39 254,012 --sha-w C:\WINDOWS\system32\Kujx50.exe
2005-04-12 20:42 499,772 --sha-w C:\WINDOWS\system32\Lbk7.exe
2005-04-12 20:59 254,012 --sha-w C:\WINDOWS\system32\Lcd1Q2.exe
2005-04-12 20:52 254,012 --sha-w C:\WINDOWS\system32\Lcd1Q3.exe
2005-04-12 20:59 499,772 --sha-w C:\WINDOWS\system32\Lcl7.exe
2005-04-12 20:59 254,012 --sha-w C:\WINDOWS\system32\Lir4bf5.exe
2004-07-01 06:25 458,812 --sha-w C:\WINDOWS\system32\LkhAX92.exe
2004-06-29 18:37 233,532 --sha-w C:\WINDOWS\system32\Lkyrgy.exe
2004-07-02 00:16 233,532 --sha-w C:\WINDOWS\system32\LnapxT3.exe
2004-07-01 06:25 458,812 --sha-w C:\WINDOWS\system32\Lwc31.exe
2005-04-12 20:42 254,012 --sha-w C:\WINDOWS\system32\Lzkoq.exe
2004-07-02 00:16 233,532 --sha-w C:\WINDOWS\system32\Mde1R3.exe
2004-08-07 08:58 254,012 --sha-w C:\WINDOWS\system32\MiacT2W.exe
2004-07-01 06:25 233,532 --sha-w C:\WINDOWS\system32\Ncj4Ezy.exe
2005-04-12 20:42 254,012 --sha-w C:\WINDOWS\system32\NhayDE.exe
2005-04-12 20:52 499,772 --sha-w C:\WINDOWS\system32\NjqM9X44.exe
2005-04-12 20:39 254,012 --sha-w C:\WINDOWS\system32\NtvO.exe
2004-07-02 00:05 458,812 --sha-w C:\WINDOWS\system32\NukO8r9.exe
2004-06-29 18:37 233,532 --sha-w C:\WINDOWS\system32\NvfwGL.exe
2005-04-12 20:39 254,012 --sha-w C:\WINDOWS\system32\NvxhK7fv.exe
2004-07-02 00:05 458,812 --sha-w C:\WINDOWS\system32\Ohdc4.exe
2004-07-02 00:16 233,532 --sha-w C:\WINDOWS\system32\Ojz1.exe
2005-04-12 20:39 254,012 --sha-w C:\WINDOWS\system32\Onp3e.exe
2005-04-12 20:39 254,012 --sha-w C:\WINDOWS\system32\Onyyc.exe
2005-04-12 20:50 499,772 --sha-w C:\WINDOWS\system32\Oqs38O.exe
2005-04-12 20:59 499,772 --sha-w C:\WINDOWS\system32\Ozf42o.exe
2005-04-12 20:42 499,772 --sha-w C:\WINDOWS\system32\Pdo77j0.exe
2005-04-12 20:52 254,012 --sha-w C:\WINDOWS\system32\Pem5Hb08.exe
2004-08-07 08:57 499,772 --sha-w C:\WINDOWS\system32\PiwVU.exe
2005-04-12 20:50 499,772 --sha-w C:\WINDOWS\system32\PkrO0Z54.exe
2005-04-12 21:00 493,464 --sha-w C:\WINDOWS\system32\PoleB1K.exe
2005-04-12 20:50 254,012 --sha-w C:\WINDOWS\system32\Pqvm.exe
2004-07-02 00:16 458,812 --sha-w C:\WINDOWS\system32\Pzw4KF2.exe
2005-04-12 20:42 499,772 --sha-w C:\WINDOWS\system32\Qep78k1i.exe
2004-07-02 00:05 233,532 --sha-w C:\WINDOWS\system32\Qpaae5.exe
2004-07-01 06:25 233,532 --sha-w C:\WINDOWS\system32\QszV.exe
2005-04-12 20:42 254,012 --sha-w C:\WINDOWS\system32\Rdrc4j1S.exe
2004-06-29 18:37 233,532 --sha-w C:\WINDOWS\system32\RfheEl.exe
2005-04-12 20:39 254,012 --sha-w C:\WINDOWS\system32\Rfn6Id09.exe
2005-04-12 20:59 499,772 --sha-w C:\WINDOWS\system32\RlyXW.exe
2005-04-12 20:50 254,012 --sha-w C:\WINDOWS\system32\Rqbbf5.exe
2004-07-02 00:05 233,532 --sha-w C:\WINDOWS\system32\Ryy36.exe
2004-07-02 00:16 458,812 --sha-w C:\WINDOWS\system32\Sdj6LsO.exe
2005-04-12 20:42 254,012 --sha-w C:\WINDOWS\system32\Sep0.exe
2004-08-07 08:58 254,012 --sha-w C:\WINDOWS\system32\Spy70fV9.exe
2005-04-12 20:52 254,012 --sha-w C:\WINDOWS\system32\Sxzsc.exe
2005-04-12 20:42 499,772 --sha-w C:\WINDOWS\system32\TfiOg.exe
2005-04-12 20:39 499,772 --sha-w C:\WINDOWS\system32\Tfn7e.exe
2005-04-12 20:52 499,772 --sha-w C:\WINDOWS\system32\Uit89524.exe
2005-04-12 20:39 499,772 --sha-w C:\WINDOWS\system32\Upws.exe
2004-08-07 08:57 499,772 --sha-w C:\WINDOWS\system32\Upwt.exe
2004-08-07 08:58 254,012 --sha-w C:\WINDOWS\system32\UraV35X3.exe
2005-04-12 20:52 499,772 --sha-w C:\WINDOWS\system32\Uwj9.exe
2005-04-12 20:52 254,012 --sha-w C:\WINDOWS\system32\Uxmb14q.exe
2005-04-12 20:37 499,772 --sha-w C:\WINDOWS\system32\VgmTO8r.exe
2004-07-02 00:16 458,812 --sha-w C:\WINDOWS\system32\Vryu.exe
2004-07-02 00:05 233,532 --sha-w C:\WINDOWS\system32\Vsk4.exe
2004-07-02 00:05 233,532 --sha-w C:\WINDOWS\system32\Vva6i.exe
2005-04-12 20:50 499,772 --sha-w C:\WINDOWS\system32\Vxk0.exe
2005-04-12 20:37 254,012 --sha-w C:\WINDOWS\system32\Vzz7UPXa.exe
2005-04-12 20:38 499,772 --sha-w C:\WINDOWS\system32\WnvDwc.exe
2004-07-02 00:05 458,812 --sha-w C:\WINDOWS\system32\Wryv.exe
2005-04-12 20:42 499,772 --sha-w C:\WINDOWS\system32\Wurk.exe
2005-04-12 20:39 254,012 --sha-w C:\WINDOWS\system32\Wzoc25sB.exe
2005-04-12 20:50 254,012 --sha-w C:\WINDOWS\system32\Xapd25tC.exe
2005-04-12 20:42 499,772 --sha-w C:\WINDOWS\system32\Xej7.exe
2005-04-12 20:52 499,772 --sha-w C:\WINDOWS\system32\Xgqs.exe
2005-04-12 20:39 254,012 --sha-w C:\WINDOWS\system32\XihVQ6t0.exe
2005-04-12 20:59 254,012 --sha-w C:\WINDOWS\system32\XshLG2.exe
2005-04-12 20:50 254,012 --sha-w C:\WINDOWS\system32\Ycd8.exe
2005-04-12 20:42 254,012 --sha-w C:\WINDOWS\system32\YgqG.exe
2005-04-12 20:50 499,772 --sha-w C:\WINDOWS\system32\YjpWR9u0.exe
2004-08-07 08:58 254,012 --sha-w C:\WINDOWS\system32\YrfDdyY.exe
2004-07-01 06:25 458,812 --sha-w C:\WINDOWS\system32\YtaxK.exe
2005-04-12 20:59 499,772 --sha-w C:\WINDOWS\system32\YubxK.exe
2004-06-29 18:37 458,812 --sha-w C:\WINDOWS\system32\Ywt4.exe
2004-07-01 06:25 458,812 --sha-w C:\WINDOWS\system32\ZbujPz8.exe
2005-04-12 20:39 254,012 --sha-w C:\WINDOWS\system32\ZepIh8UP.exe
2005-04-12 20:59 254,012 --sha-w C:\WINDOWS\system32\ZffQZ1.exe
2005-04-12 20:37 499,772 --sha-w C:\WINDOWS\system32\ZkqXS9u0.exe
2005-04-12 20:42 254,012 --sha-w C:\WINDOWS\system32\ZpuwLEK.exe
2004-04-05 17:37 32 --sha-w C:\WINDOWS\system32\{1DA37158-BCFD-4521-B7CA-3A2B845803E1}.dat
2004-04-05 17:34 32 --sha-w C:\WINDOWS\system32\{4E76028B-C57F-4D23-A0D6-B247E4FC5773}.dat
2004-04-05 17:36 32 --sha-w C:\WINDOWS\system32\{6642A8AC-01B7-4F90-892D-9AA8AF9293EA}.dat
2004-04-05 17:31 32 --sha-w C:\WINDOWS\system32\{7EB75BC4-6DDF-41FC-BC77-EAD4BC4D60C7}.dat
2004-04-05 17:34 32 --sha-w C:\WINDOWS\system32\{809FBDF2-41BB-48C6-8EBF-37D0B1F06EE3}.dat
2004-04-05 17:35 32 --sha-w C:\WINDOWS\system32\{DCE8160C-A916-4CF2-9ECF-5D7C82F9242C}.dat
2004-04-05 17:34 32 --sha-w C:\WINDOWS\system32\{E429E904-E6DA-4C4D-83E6-A88C093A4F9A}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe" [2003-04-29 10:40 524288]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 17:11 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 17:11 58392]
"GhostStartTrayApp"="C:\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" [2002-08-14 15:21 94208]
"QD FastAndSafe"="C:\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe" [2002-08-13 17:00 32768]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-04-29 07:40 100056]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:56 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 19:34 5419008]

C:\Documents and Settings\Julio\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 14:15:48 462848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi6"= gmidi.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpu38.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Julio^Start Menu^Programs^Startup^MEMonitor.lnk]
path=C:\Documents and Settings\Julio\Start Menu\Programs\Startup\MEMonitor.lnk
backup=C:\WINDOWS\pss\MEMonitor.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Julio^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=C:\Documents and Settings\Julio\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=C:\WINDOWS\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a------ 2005-12-05 18:04 691200 C:\Program Files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDBitSet]
--------- 2002-12-06 16:19 200704 C:\HP CD-DVD\Umbrella\DVDBitSet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDTray]
--------- 2002-12-18 16:50 53248 C:\HP CD-DVD\Umbrella\DVDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp 1000 firmware]
--------- 2001-12-15 12:10 36864 C:\Program Files\hp LaserJet 1000\fwdl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-05-29 19:34 5419008 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
--a------ 2002-12-16 17:51 36864 C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-04-29 07:40 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-09-09 12:00 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
--a------ 2003-03-31 20:28 155648 C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-27 15:22 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-11-07 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Real Player\\realplay.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\StubInstaller.exe"=
"C:\\HP CD-DVD\\Umbrella\\MyDrive.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 GhPciScan;GhostPciScanner;C:\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2002-08-14 15:11]
S2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS [1999-09-20 12:05]
S3 EWAVE;EWAVE;C:\WINDOWS\System32\drivers\ew.sys [2003-01-24 15:01]
S3 FILESPY;FILESPY;C:\WINDOWS\System32\drivers\FILESPY.sys [2003-01-24 15:10]
S3 iteio;iteio;C:\WINDOWS\System32\drivers\iteio.sys [1999-08-30 20:49]
S3 NSTATION;NSTATION;C:\WINDOWS\System32\drivers\nstation.sys [2003-01-24 15:02]
S3 US122;US122 Driver;C:\WINDOWS\system32\Drivers\US122.sys [2003-02-13 13:40]
S3 US122DL;US122 Firmware Downloader;C:\WINDOWS\system32\Drivers\US122DL.sys [2003-02-13 13:45]
S3 Us122WdmService;US122 Wdm Audio;C:\WINDOWS\system32\Drivers\US122Wdm.sys [2003-02-13 13:40]
S3 Winpu38;Winpu38;C:\WINDOWS\System32\drivers\Winpu38.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15e92af4-e72c-11dc-bbf1-00e04cb6094b}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - DCFS2K
.
Contents of the 'Scheduled Tasks' folder
2008-07-22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - :C:\Program Files\Apple Software Update\SoftwareUpdate.exe-taskSYSTEM0 []
2008-07-19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job - C:\NORTON1\NORTON1\NAVW32.EXE []
2008-07-25 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job - Ja7@F s !C:\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULEJulio0 []
2008-07-26 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{04CA4F4E-F8C6-461C-905A-AE484E1B37EC} - (no file)
BHO-{1E850DE2-3727-4438-85A1-5D512BA67FE9} - (no file)
BHO-{7E156AAE-FA60-44A1-8E69-2E0E0030F1F6} - (no file)
BHO-{D47D3342-BF7B-45DF-B026-11FCED400989} - (no file)
BHO-{FF4B51E5-DB8F-4F38-9A57-2CA0C593118B} - (no file)
MSConfigStartUp-googletalk - C:\Program Files\Google\Google Talk\googletalk.exe
MSConfigStartUp-Picasa Media Detector - C:\Documents and Settings\Julio\My Documents\My Pictures\Lores wedding & Stuff\kirinda\Picasa2\PicasaMediaDetector.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 08:05:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-07-26 8:08:22
ComboFix-quarantined-files.txt 2008-07-26 14:08:12

Pre-Run: 18,048,851,968 bytes free
Post-Run: 18,031,669,248 bytes free

352


Hijack This log

Logfile of HijackThis v1.97.7
Scan saved at 08:34, on 7/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\snmp.exe
C:\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\$NtServicePackUninstall$\notepad.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {04CA4F4E-F8C6-461C-905A-AE484E1B37EC} - (no file)
O2 - BHO: (no name) - {1E850DE2-3727-4438-85A1-5D512BA67FE9} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7E156AAE-FA60-44A1-8E69-2E0E0030F1F6} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D47D3342-BF7B-45DF-B026-11FCED400989} - (no file)
O2 - BHO: (no name) - {FF4B51E5-DB8F-4F38-9A57-2CA0C593118B} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup /scheduler
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1113347657609
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134421727625
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx

This post has been edited by Juliusmaximus: Jul 26 2008, 08:45 AM
LDTate
post Jul 26 2008, 08:41 AM
Post #3


Forum God

Group: Root Admin
Posts: 41,777
Joined: 23-September 04
From: Missouri, USA
Member No.: 15,276




While I'm looking at your scan results, you need to get HJT updated.

Please delete any HijackThis Folders and Files you have now.

There's a new version of HijackThis.


Click the "Save" button.

Please put your HijackThis in its own folder, (I create a new folder in C:\ named HJT).
You can do a Right Click on any open area on the desktop, New> Folder, then rename the folder HJT.

Open HijackThis and select: Do a system scan and save a log file.
LDTate
post Jul 26 2008, 09:01 AM
Post #4


Open notepad and copy/paste the text in the Codebox below into it:

CODE
File::
C:\WINDOWS\{0316D169-4E3F-45A9-865C-13CD4681AFA9}.dat
C:\WINDOWS\{12849E02-956C-4514-A297-CA7245F7B072}.dat
C:\WINDOWS\{2BB2C641-4A1A-4C33-93AE-088D86054BF6}.dat
C:\WINDOWS\{30419408-A6EB-4121-BC37-EB83B59CCF81}.dat
C:\WINDOWS\{C243C660-FC4D-4D6A-BFF3-98C2D0AFFD3A}.dat
C:\WINDOWS\{CBC920AF-051F-448A-BDAF-A587541212D9}.dat
C:\WINDOWS\{ED6E5A5B-09AA-4261-B1B4-C626E113BFF7}.dat
C:\WINDOWS\system32\1395D81BED.sys
C:\WINDOWS\system32\Afha38.exe
C:\WINDOWS\system32\Aku8.exe
C:\WINDOWS\system32\AozDF.exe
C:\WINDOWS\system32\Biz1J.exe
C:\WINDOWS\system32\Bwdzm.exe
C:\WINDOWS\system32\CdiZ63.exe
C:\WINDOWS\system32\Cdzp93.exe
C:\WINDOWS\system32\Cel377g.exe
C:\WINDOWS\system32\Chf4e8R.exe
C:\WINDOWS\system32\Corx5Ux.exe
C:\WINDOWS\system32\CzidS.exe
C:\WINDOWS\system32\DcfxTb14.exe
C:\WINDOWS\system32\Dif4f8R.exe
C:\WINDOWS\system32\Dkb2m.exe
C:\WINDOWS\system32\Dyf0o5.exe
C:\WINDOWS\system32\EgneGdW1.exe
C:\WINDOWS\system32\EnfpK.exe
C:\WINDOWS\system32\EuyapiOy.exe
C:\WINDOWS\system32\Exlj31EG.exe
C:\WINDOWS\system32\Eyx0YNR.exe
C:\WINDOWS\system32\Ezg1p5.exe
C:\WINDOWS\system32\FpdS3.exe
C:\WINDOWS\system32\Fsua7y0.exe
C:\WINDOWS\system32\Fymk31fH.exe
C:\WINDOWS\system32\Gcok1B4A.exe
C:\WINDOWS\system32\GfqQ.exe
C:\WINDOWS\system32\Hoz3.exe
C:\WINDOWS\system32\Hplv.exe
C:\WINDOWS\system32\Hyh5.exe
C:\WINDOWS\system32\HzwVd25s.exe
C:\WINDOWS\system32\Ibo543oK.exe
C:\WINDOWS\system32\Ibp5.exe
C:\WINDOWS\system32\Ioq3SEW6.exe
C:\WINDOWS\system32\IpuFmd.exe
C:\WINDOWS\system32\IwzV8.exe
C:\WINDOWS\system32\JitU.exe
C:\WINDOWS\system32\Ksc5.exe
C:\WINDOWS\system32\Kujx50.exe
C:\WINDOWS\system32\Lbk7.exe
C:\WINDOWS\system32\Lcd1Q2.exe
C:\WINDOWS\system32\Lcd1Q3.exe
C:\WINDOWS\system32\Lcl7.exe
C:\WINDOWS\system32\Lir4bf5.exe
C:\WINDOWS\system32\LkhAX92.exe
C:\WINDOWS\system32\Lkyrgy.exe
C:\WINDOWS\system32\LnapxT3.exe
C:\WINDOWS\system32\Lwc31.exe
C:\WINDOWS\system32\Lzkoq.exe
C:\WINDOWS\system32\Mde1R3.exe
C:\WINDOWS\system32\MiacT2W.exe
C:\WINDOWS\system32\Ncj4Ezy.exe
C:\WINDOWS\system32\NhayDE.exe
C:\WINDOWS\system32\NjqM9X44.exe
C:\WINDOWS\system32\NtvO.exe
C:\WINDOWS\system32\NukO8r9.exe
C:\WINDOWS\system32\NvfwGL.exe
C:\WINDOWS\system32\NvxhK7fv.exe
C:\WINDOWS\system32\Ohdc4.exe
C:\WINDOWS\system32\Ojz1.exe
C:\WINDOWS\system32\Onp3e.exe
C:\WINDOWS\system32\Onyyc.exe
C:\WINDOWS\system32\Oqs38O.exe
C:\WINDOWS\system32\Ozf42o.exe
C:\WINDOWS\system32\Pdo77j0.exe
C:\WINDOWS\system32\Pem5Hb08.exe
C:\WINDOWS\system32\PiwVU.exe
C:\WINDOWS\system32\PkrO0Z54.exe
C:\WINDOWS\system32\PoleB1K.exe
C:\WINDOWS\system32\Pqvm.exe
C:\WINDOWS\system32\Pzw4KF2.exe
C:\WINDOWS\system32\Qep78k1i.exe
C:\WINDOWS\system32\Qpaae5.exe
C:\WINDOWS\system32\QszV.exe
C:\WINDOWS\system32\Rdrc4j1S.exe
C:\WINDOWS\system32\RfheEl.exe
C:\WINDOWS\system32\Rfn6Id09.exe
C:\WINDOWS\system32\RlyXW.exe
C:\WINDOWS\system32\Rqbbf5.exe
C:\WINDOWS\system32\Ryy36.exe
C:\WINDOWS\system32\Sdj6LsO.exe
C:\WINDOWS\system32\Sep0.exe
C:\WINDOWS\system32\Spy70fV9.exe
C:\WINDOWS\system32\Sxzsc.exe
C:\WINDOWS\system32\TfiOg.exe
C:\WINDOWS\system32\Tfn7e.exe
C:\WINDOWS\system32\Uit89524.exe
C:\WINDOWS\system32\Upws.exe
C:\WINDOWS\system32\Upwt.exe
C:\WINDOWS\system32\UraV35X3.exe
C:\WINDOWS\system32\Uwj9.exe
C:\WINDOWS\system32\Uxmb14q.exe
C:\WINDOWS\system32\VgmTO8r.exe
C:\WINDOWS\system32\Vryu.exe
C:\WINDOWS\system32\Vsk4.exe
C:\WINDOWS\system32\Vva6i.exe
C:\WINDOWS\system32\Vxk0.exe
C:\WINDOWS\system32\Vzz7UPXa.exe
C:\WINDOWS\system32\WnvDwc.exe
C:\WINDOWS\system32\Wryv.exe
C:\WINDOWS\system32\Wurk.exe
C:\WINDOWS\system32\Wzoc25sB.exe
C:\WINDOWS\system32\Xapd25tC.exe
C:\WINDOWS\system32\Xej7.exe
C:\WINDOWS\system32\Xgqs.exe
C:\WINDOWS\system32\XihVQ6t0.exe
C:\WINDOWS\system32\XshLG2.exe
C:\WINDOWS\system32\Ycd8.exe
C:\WINDOWS\system32\YgqG.exe
C:\WINDOWS\system32\YjpWR9u0.exe
C:\WINDOWS\system32\YrfDdyY.exe
C:\WINDOWS\system32\YtaxK.exe
C:\WINDOWS\system32\YubxK.exe
C:\WINDOWS\system32\Ywt4.exe
C:\WINDOWS\system32\ZbujPz8.exe
C:\WINDOWS\system32\ZepIh8UP.exe
C:\WINDOWS\system32\ZffQZ1.exe
C:\WINDOWS\system32\ZkqXS9u0.exe
C:\WINDOWS\system32\ZpuwLEK.exe
C:\WINDOWS\system32\{1DA37158-BCFD-4521-B7CA-3A2B845803E1}.dat
C:\WINDOWS\system32\{4E76028B-C57F-4D23-A0D6-B247E4FC5773}.dat
C:\WINDOWS\system32\{6642A8AC-01B7-4F90-892D-9AA8AF9293EA}.dat
C:\WINDOWS\system32\{7EB75BC4-6DDF-41FC-BC77-EAD4BC4D60C7}.dat
C:\WINDOWS\system32\{809FBDF2-41BB-48C6-8EBF-37D0B1F06EE3}.dat
C:\WINDOWS\system32\{DCE8160C-A916-4CF2-9ECF-5D7C82F9242C}.dat
C:\WINDOWS\system32\{E429E904-E6DA-4C4D-83E6-A88C093A4F9A}.dat
C:\WINDOWS\System32\drivers\Winpu38.sys

Driver::
Winpu38


Save this as "CFScript"




Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.
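The CFScript above asks ComboFix to delete a list of files (File::) and remove a service (Driver::), and the reply is expected to post the results log. A helper that reconciles the script against that log, so nothing silently survives, is a check worth having when the list is this long. The following is an added example written for this thread, not ComboFix's own code and not from the original posts; the function names are this example's own, and the embedded CFScript and log text are shortened copies of what the thread shows. In the results log posted later in this thread the driver file C:\WINDOWS\System32\drivers\Winpu38.sys is echoed under FILE :: but does not appear under Other Deletions, while the Winpu38 service does appear under Drivers/Services, so this check reports the file as unconfirmed and the service as confirmed:

```python
"""Reconcile a ComboFix CFScript against the results log ComboFix writes.

Added example for this thread: it is not ComboFix's own code and not from the
original posts.  The CFScript and log text below are shortened copies of what
the thread shows; the function names are this example's own.
"""
import re

# Shortened copy of the CFScript from the thread (File:: and Driver:: sections).
CFSCRIPT = r"""
File::
C:\WINDOWS\{0316D169-4E3F-45A9-865C-13CD4681AFA9}.dat
C:\WINDOWS\system32\1395D81BED.sys
C:\WINDOWS\system32\Afha38.exe
C:\WINDOWS\System32\drivers\Winpu38.sys

Driver::
Winpu38
"""

# Shortened copy of the ComboFix results log from the thread.
COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\{0316D169-4E3F-45A9-865C-13CD4681AFA9}.dat
C:\WINDOWS\system32\1395D81BED.sys
C:\WINDOWS\system32\Afha38.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Winpu38
"""

# A ComboFix section banner: parentheses around the section name.
SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
# A removed service line in the Drivers/Services section.
SERVICE_RE = re.compile(r"^-+\\Service_(?P<name>\S+)$")


def parse_cfscript(text):
    """Return {'File': [...], 'Driver': [...]}: each 'Name::' line opens a section."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Return {section name: [body lines]} for the banner-delimited log sections."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def reconcile(cfscript_text, log_text):
    """List which File:: and Driver:: requests the log confirms and which it does not."""
    script = parse_cfscript(cfscript_text)
    log = parse_combofix_log(log_text)
    # Windows paths are case-insensitive (System32 vs system32), so compare folded.
    deleted = {p.lower() for p in log.get("Other Deletions", [])}
    removed_services = set()
    for line in log.get("Drivers/Services", []):
        m = SERVICE_RE.match(line)
        if m:
            removed_services.add(m.group("name").lower())
    report = {"files_confirmed": [], "files_unconfirmed": [],
              "drivers_confirmed": [], "drivers_unconfirmed": []}
    for path in script.get("File", []):
        key = "files_confirmed" if path.lower() in deleted else "files_unconfirmed"
        report[key].append(path)
    for drv in script.get("Driver", []):
        key = "drivers_confirmed" if drv.lower() in removed_services else "drivers_unconfirmed"
        report[key].append(drv)
    return report


if __name__ == "__main__":
    for key, items in reconcile(CFSCRIPT, COMBOFIX_LOG).items():
        print(f"{key}: {items}")
```

Anything left in files_unconfirmed is what a helper would want a fresh listing of before calling the machine clean; a file can legitimately be reported elsewhere in the log, but an unconfirmed entry should be looked at rather than assumed gone.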
Juliusmaximus
post Jul 26 2008, 09:22 AM
Post #5


Will do. My computer is behaving rather normally: a slight bit of hiccups while I type, choppy but nothing exaggerated. Other than that, just the symptoms described above, 09:19 showing on the clock and Spybot S&D TeaTimer alerts repeatedly. I am deleting old HJT and will get the most recent HJT and follow your instructions of copying the codebox to Notepad, saving as CFScript, dragging into ComboFix and posting results for both the ComboFix and new HJT logs.

I forgot earlier to post the Malwarebytes log, so here it is... it came back with two infections, which I have not deleted, waiting for your instructions.
Thank you.

Malwarebytes' Anti-Malware 1.23
Database version: 993
Windows 5.1.2600 Service Pack 2

9:05:20 AM 7/26/2008
malwarebytes log

Scan type: Quick Scan
Objects scanned: 43110
Time elapsed: 7 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7e156aae-fa60-44a1-8e69-2e0e0030f1f6} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{90c61707-c8f8-43db-a25c-c1f4b18ee41e} (Spyware.Comet.Cursor) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
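The HijackThis log in the first post lists several O2 BHO entries whose DLL is "(no file)", and the Malwarebytes log above names one of those CLSIDs as Trojan.Vundo. Joining the two logs on CLSID is how a helper separates an orphaned-but-harmless registry entry from one that a scanner has actually identified. The following is an added example written for this thread; it is not part of HijackThis or Malwarebytes and not from the original posts. The embedded log lines are copied from the thread's two logs, and the function names are this example's own:

```python
"""Cross-check HijackThis O2 (BHO) entries against Malwarebytes detections.

Added example for this thread; it is not part of HijackThis or Malwarebytes
and not from the original posts.  The log lines below are copied from the
thread's HijackThis and Malwarebytes logs; the function names are this
example's own.
"""
import re

# O2 (and one O3) lines from the HijackThis log posted in the thread.
HJT_LOG = r"""
O2 - BHO: (no name) - {04CA4F4E-F8C6-461C-905A-AE484E1B37EC} - (no file)
O2 - BHO: (no name) - {1E850DE2-3727-4438-85A1-5D512BA67FE9} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7E156AAE-FA60-44A1-8E69-2E0E0030F1F6} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D47D3342-BF7B-45DF-B026-11FCED400989} - (no file)
O2 - BHO: (no name) - {FF4B51E5-DB8F-4F38-9A57-2CA0C593118B} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
"""

# "Registry Keys Infected" lines from the Malwarebytes log posted in the thread.
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7e156aae-fa60-44a1-8e69-2e0e0030f1f6} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{90c61707-c8f8-43db-a25c-c1f4b18ee41e} (Spyware.Comet.Cursor) -> No action taken.
"""

# A COM CLSID in braces, 8-4-4-4-12 hex digits.
CLSID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
O2_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$")
MBAM_RE = re.compile(rf"^(?P<key>HKEY_.*?(?P<clsid>{CLSID})) \((?P<family>[^)]+)\) -> (?P<action>.*)$")


def parse_hjt_bhos(text):
    """Return one dict per O2 line: clsid (upper-cased), name, path, orphaned flag."""
    bhos = []
    for line in text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            bhos.append({
                "clsid": m.group("clsid").upper(),
                "name": m.group("name"),
                "path": m.group("path"),
                # "(no file)" means the registry still points at a DLL that is gone.
                "orphaned": m.group("path") == "(no file)",
            })
    return bhos


def parse_mbam_detections(text):
    """Return {CLSID (upper-cased): detection family} from 'Registry Keys Infected' lines."""
    found = {}
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if m:
            found[m.group("clsid").upper()] = m.group("family")
    return found


def triage_bhos(hjt_text, mbam_text):
    """Join the two logs on CLSID so each BHO carries any detection name."""
    bhos = parse_hjt_bhos(hjt_text)
    detections = parse_mbam_detections(mbam_text)
    seen = {b["clsid"] for b in bhos}
    return {
        "orphaned": [b["clsid"] for b in bhos if b["orphaned"]],
        "detected": {b["clsid"]: detections[b["clsid"]]
                     for b in bhos if b["clsid"] in detections},
        # Detections whose CLSID is not an O2 entry (here an Explorer Bar) still need a look.
        "mbam_only": sorted(c for c in detections if c not in seen),
    }


if __name__ == "__main__":
    for key, value in triage_bhos(HJT_LOG, MBAM_LOG).items():
        print(f"{key}: {value}")
```

The join is case-insensitive because Malwarebytes prints CLSIDs in lower case and HijackThis in upper case; an exact string match would miss the one entry both tools agree on.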
LDTate
post Jul 26 2008, 09:25 AM
Post #6


Please wait for my instructions.
Don't run any more tools unless I ask you to.
Juliusmaximus
post Jul 26 2008, 10:28 AM
Post #7


Understood. Did as instructed, and here are the results:

ComboFix log with CFScript added and scanned:

ComboFix 08-07-25.7 - Julio 2008-07-26 9:50:30.3 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1733 [GMT -6:00]
Running from: C:\Documents and Settings\Julio\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Julio\Desktop\CFscript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\{0316D169-4E3F-45A9-865C-13CD4681AFA9}.dat
C:\WINDOWS\{12849E02-956C-4514-A297-CA7245F7B072}.dat
C:\WINDOWS\{2BB2C641-4A1A-4C33-93AE-088D86054BF6}.dat
C:\WINDOWS\{30419408-A6EB-4121-BC37-EB83B59CCF81}.dat
C:\WINDOWS\{C243C660-FC4D-4D6A-BFF3-98C2D0AFFD3A}.dat
C:\WINDOWS\{CBC920AF-051F-448A-BDAF-A587541212D9}.dat
C:\WINDOWS\{ED6E5A5B-09AA-4261-B1B4-C626E113BFF7}.dat
C:\WINDOWS\system32\{1DA37158-BCFD-4521-B7CA-3A2B845803E1}.dat
C:\WINDOWS\system32\{4E76028B-C57F-4D23-A0D6-B247E4FC5773}.dat
C:\WINDOWS\system32\{6642A8AC-01B7-4F90-892D-9AA8AF9293EA}.dat
C:\WINDOWS\system32\{7EB75BC4-6DDF-41FC-BC77-EAD4BC4D60C7}.dat
C:\WINDOWS\system32\{809FBDF2-41BB-48C6-8EBF-37D0B1F06EE3}.dat
C:\WINDOWS\system32\{DCE8160C-A916-4CF2-9ECF-5D7C82F9242C}.dat
C:\WINDOWS\system32\{E429E904-E6DA-4C4D-83E6-A88C093A4F9A}.dat
C:\WINDOWS\system32\1395D81BED.sys
C:\WINDOWS\system32\Afha38.exe
C:\WINDOWS\system32\Aku8.exe
C:\WINDOWS\system32\AozDF.exe
C:\WINDOWS\system32\Biz1J.exe
C:\WINDOWS\system32\Bwdzm.exe
C:\WINDOWS\system32\CdiZ63.exe
C:\WINDOWS\system32\Cdzp93.exe
C:\WINDOWS\system32\Cel377g.exe
C:\WINDOWS\system32\Chf4e8R.exe
C:\WINDOWS\system32\Corx5Ux.exe
C:\WINDOWS\system32\CzidS.exe
C:\WINDOWS\system32\DcfxTb14.exe
C:\WINDOWS\system32\Dif4f8R.exe
C:\WINDOWS\system32\Dkb2m.exe
C:\WINDOWS\System32\drivers\Winpu38.sys
C:\WINDOWS\system32\Dyf0o5.exe
C:\WINDOWS\system32\EgneGdW1.exe
C:\WINDOWS\system32\EnfpK.exe
C:\WINDOWS\system32\EuyapiOy.exe
C:\WINDOWS\system32\Exlj31EG.exe
C:\WINDOWS\system32\Eyx0YNR.exe
C:\WINDOWS\system32\Ezg1p5.exe
C:\WINDOWS\system32\FpdS3.exe
C:\WINDOWS\system32\Fsua7y0.exe
C:\WINDOWS\system32\Fymk31fH.exe
C:\WINDOWS\system32\Gcok1B4A.exe
C:\WINDOWS\system32\GfqQ.exe
C:\WINDOWS\system32\Hoz3.exe
C:\WINDOWS\system32\Hplv.exe
C:\WINDOWS\system32\Hyh5.exe
C:\WINDOWS\system32\HzwVd25s.exe
C:\WINDOWS\system32\Ibo543oK.exe
C:\WINDOWS\system32\Ibp5.exe
C:\WINDOWS\system32\Ioq3SEW6.exe
C:\WINDOWS\system32\IpuFmd.exe
C:\WINDOWS\system32\IwzV8.exe
C:\WINDOWS\system32\JitU.exe
C:\WINDOWS\system32\Ksc5.exe
C:\WINDOWS\system32\Kujx50.exe
C:\WINDOWS\system32\Lbk7.exe
C:\WINDOWS\system32\Lcd1Q2.exe
C:\WINDOWS\system32\Lcd1Q3.exe
C:\WINDOWS\system32\Lcl7.exe
C:\WINDOWS\system32\Lir4bf5.exe
C:\WINDOWS\system32\LkhAX92.exe
C:\WINDOWS\system32\Lkyrgy.exe
C:\WINDOWS\system32\LnapxT3.exe
C:\WINDOWS\system32\Lwc31.exe
C:\WINDOWS\system32\Lzkoq.exe
C:\WINDOWS\system32\Mde1R3.exe
C:\WINDOWS\system32\MiacT2W.exe
C:\WINDOWS\system32\Ncj4Ezy.exe
C:\WINDOWS\system32\NhayDE.exe
C:\WINDOWS\system32\NjqM9X44.exe
C:\WINDOWS\system32\NtvO.exe
C:\WINDOWS\system32\NukO8r9.exe
C:\WINDOWS\system32\NvfwGL.exe
C:\WINDOWS\system32\NvxhK7fv.exe
C:\WINDOWS\system32\Ohdc4.exe
C:\WINDOWS\system32\Ojz1.exe
C:\WINDOWS\system32\Onp3e.exe
C:\WINDOWS\system32\Onyyc.exe
C:\WINDOWS\system32\Oqs38O.exe
C:\WINDOWS\system32\Ozf42o.exe
C:\WINDOWS\system32\Pdo77j0.exe
C:\WINDOWS\system32\Pem5Hb08.exe
C:\WINDOWS\system32\PiwVU.exe
C:\WINDOWS\system32\PkrO0Z54.exe
C:\WINDOWS\system32\PoleB1K.exe
C:\WINDOWS\system32\Pqvm.exe
C:\WINDOWS\system32\Pzw4KF2.exe
C:\WINDOWS\system32\Qep78k1i.exe
C:\WINDOWS\system32\Qpaae5.exe
C:\WINDOWS\system32\QszV.exe
C:\WINDOWS\system32\Rdrc4j1S.exe
C:\WINDOWS\system32\RfheEl.exe
C:\WINDOWS\system32\Rfn6Id09.exe
C:\WINDOWS\system32\RlyXW.exe
C:\WINDOWS\system32\Rqbbf5.exe
C:\WINDOWS\system32\Ryy36.exe
C:\WINDOWS\system32\Sdj6LsO.exe
C:\WINDOWS\system32\Sep0.exe
C:\WINDOWS\system32\Spy70fV9.exe
C:\WINDOWS\system32\Sxzsc.exe
C:\WINDOWS\system32\TfiOg.exe
C:\WINDOWS\system32\Tfn7e.exe
C:\WINDOWS\system32\Uit89524.exe
C:\WINDOWS\system32\Upws.exe
C:\WINDOWS\system32\Upwt.exe
C:\WINDOWS\system32\UraV35X3.exe
C:\WINDOWS\system32\Uwj9.exe
C:\WINDOWS\system32\Uxmb14q.exe
C:\WINDOWS\system32\VgmTO8r.exe
C:\WINDOWS\system32\Vryu.exe
C:\WINDOWS\system32\Vsk4.exe
C:\WINDOWS\system32\Vva6i.exe
C:\WINDOWS\system32\Vxk0.exe
C:\WINDOWS\system32\Vzz7UPXa.exe
C:\WINDOWS\system32\WnvDwc.exe
C:\WINDOWS\system32\Wryv.exe
C:\WINDOWS\system32\Wurk.exe
C:\WINDOWS\system32\Wzoc25sB.exe
C:\WINDOWS\system32\Xapd25tC.exe
C:\WINDOWS\system32\Xej7.exe
C:\WINDOWS\system32\Xgqs.exe
C:\WINDOWS\system32\XihVQ6t0.exe
C:\WINDOWS\system32\XshLG2.exe
C:\WINDOWS\system32\Ycd8.exe
C:\WINDOWS\system32\YgqG.exe
C:\WINDOWS\system32\YjpWR9u0.exe
C:\WINDOWS\system32\YrfDdyY.exe
C:\WINDOWS\system32\YtaxK.exe
C:\WINDOWS\system32\YubxK.exe
C:\WINDOWS\system32\Ywt4.exe
C:\WINDOWS\system32\ZbujPz8.exe
C:\WINDOWS\system32\ZepIh8UP.exe
C:\WINDOWS\system32\ZffQZ1.exe
C:\WINDOWS\system32\ZkqXS9u0.exe
C:\WINDOWS\system32\ZpuwLEK.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\{0316D169-4E3F-45A9-865C-13CD4681AFA9}.dat
C:\WINDOWS\{12849E02-956C-4514-A297-CA7245F7B072}.dat
C:\WINDOWS\{2BB2C641-4A1A-4C33-93AE-088D86054BF6}.dat
C:\WINDOWS\{30419408-A6EB-4121-BC37-EB83B59CCF81}.dat
C:\WINDOWS\{C243C660-FC4D-4D6A-BFF3-98C2D0AFFD3A}.dat
C:\WINDOWS\{CBC920AF-051F-448A-BDAF-A587541212D9}.dat
C:\WINDOWS\{ED6E5A5B-09AA-4261-B1B4-C626E113BFF7}.dat
C:\WINDOWS\system32\{1DA37158-BCFD-4521-B7CA-3A2B845803E1}.dat
C:\WINDOWS\system32\{4E76028B-C57F-4D23-A0D6-B247E4FC5773}.dat
C:\WINDOWS\system32\{6642A8AC-01B7-4F90-892D-9AA8AF9293EA}.dat
C:\WINDOWS\system32\{7EB75BC4-6DDF-41FC-BC77-EAD4BC4D60C7}.dat
C:\WINDOWS\system32\{809FBDF2-41BB-48C6-8EBF-37D0B1F06EE3}.dat
C:\WINDOWS\system32\{DCE8160C-A916-4CF2-9ECF-5D7C82F9242C}.dat
C:\WINDOWS\system32\{E429E904-E6DA-4C4D-83E6-A88C093A4F9A}.dat
C:\WINDOWS\system32\1395D81BED.sys
C:\WINDOWS\system32\Afha38.exe
C:\WINDOWS\system32\Aku8.exe
C:\WINDOWS\system32\AozDF.exe
C:\WINDOWS\system32\Biz1J.exe
C:\WINDOWS\system32\Bwdzm.exe
C:\WINDOWS\system32\CdiZ63.exe
C:\WINDOWS\system32\Cdzp93.exe
C:\WINDOWS\system32\Cel377g.exe
C:\WINDOWS\system32\Chf4e8R.exe
C:\WINDOWS\system32\Corx5Ux.exe
C:\WINDOWS\system32\CzidS.exe
C:\WINDOWS\system32\DcfxTb14.exe
C:\WINDOWS\system32\Dif4f8R.exe
C:\WINDOWS\system32\Dkb2m.exe
C:\WINDOWS\system32\Dyf0o5.exe
C:\WINDOWS\system32\EgneGdW1.exe
C:\WINDOWS\system32\EnfpK.exe
C:\WINDOWS\system32\EuyapiOy.exe
C:\WINDOWS\system32\Exlj31EG.exe
C:\WINDOWS\system32\Eyx0YNR.exe
C:\WINDOWS\system32\Ezg1p5.exe
C:\WINDOWS\system32\FpdS3.exe
C:\WINDOWS\system32\Fsua7y0.exe
C:\WINDOWS\system32\Fymk31fH.exe
C:\WINDOWS\system32\Gcok1B4A.exe
C:\WINDOWS\system32\GfqQ.exe
C:\WINDOWS\system32\Hoz3.exe
C:\WINDOWS\system32\Hplv.exe
C:\WINDOWS\system32\Hyh5.exe
C:\WINDOWS\system32\HzwVd25s.exe
C:\WINDOWS\system32\Ibo543oK.exe
C:\WINDOWS\system32\Ibp5.exe
C:\WINDOWS\system32\Ioq3SEW6.exe
C:\WINDOWS\system32\IpuFmd.exe
C:\WINDOWS\system32\IwzV8.exe
C:\WINDOWS\system32\JitU.exe
C:\WINDOWS\system32\Ksc5.exe
C:\WINDOWS\system32\Kujx50.exe
C:\WINDOWS\system32\Lbk7.exe
C:\WINDOWS\system32\Lcd1Q2.exe
C:\WINDOWS\system32\Lcd1Q3.exe
C:\WINDOWS\system32\Lcl7.exe
C:\WINDOWS\system32\Lir4bf5.exe
C:\WINDOWS\system32\LkhAX92.exe
C:\WINDOWS\system32\Lkyrgy.exe
C:\WINDOWS\system32\LnapxT3.exe
C:\WINDOWS\system32\Lwc31.exe
C:\WINDOWS\system32\Lzkoq.exe
C:\WINDOWS\system32\Mde1R3.exe
C:\WINDOWS\system32\MiacT2W.exe
C:\WINDOWS\system32\Ncj4Ezy.exe
C:\WINDOWS\system32\NhayDE.exe
C:\WINDOWS\system32\NjqM9X44.exe
C:\WINDOWS\system32\NtvO.exe
C:\WINDOWS\system32\NukO8r9.exe
C:\WINDOWS\system32\NvfwGL.exe
C:\WINDOWS\system32\NvxhK7fv.exe
C:\WINDOWS\system32\Ohdc4.exe
C:\WINDOWS\system32\Ojz1.exe
C:\WINDOWS\system32\Onp3e.exe
C:\WINDOWS\system32\Onyyc.exe
C:\WINDOWS\system32\Oqs38O.exe
C:\WINDOWS\system32\Ozf42o.exe
C:\WINDOWS\system32\Pdo77j0.exe
C:\WINDOWS\system32\Pem5Hb08.exe
C:\WINDOWS\system32\PiwVU.exe
C:\WINDOWS\system32\PkrO0Z54.exe
C:\WINDOWS\system32\PoleB1K.exe
C:\WINDOWS\system32\Pqvm.exe
C:\WINDOWS\system32\Pzw4KF2.exe
C:\WINDOWS\system32\Qep78k1i.exe
C:\WINDOWS\system32\Qpaae5.exe
C:\WINDOWS\system32\QszV.exe
C:\WINDOWS\system32\Rdrc4j1S.exe
C:\WINDOWS\system32\RfheEl.exe
C:\WINDOWS\system32\Rfn6Id09.exe
C:\WINDOWS\system32\RlyXW.exe
C:\WINDOWS\system32\Rqbbf5.exe
C:\WINDOWS\system32\Ryy36.exe
C:\WINDOWS\system32\Sdj6LsO.exe
C:\WINDOWS\system32\Sep0.exe
C:\WINDOWS\system32\Spy70fV9.exe
C:\WINDOWS\system32\Sxzsc.exe
C:\WINDOWS\system32\TfiOg.exe
C:\WINDOWS\system32\Tfn7e.exe
C:\WINDOWS\system32\Uit89524.exe
C:\WINDOWS\system32\Upws.exe
C:\WINDOWS\system32\Upwt.exe
C:\WINDOWS\system32\UraV35X3.exe
C:\WINDOWS\system32\Uwj9.exe
C:\WINDOWS\system32\Uxmb14q.exe
C:\WINDOWS\system32\VgmTO8r.exe
C:\WINDOWS\system32\Vryu.exe
C:\WINDOWS\system32\Vsk4.exe
C:\WINDOWS\system32\Vva6i.exe
C:\WINDOWS\system32\Vxk0.exe
C:\WINDOWS\system32\Vzz7UPXa.exe
C:\WINDOWS\system32\WnvDwc.exe
C:\WINDOWS\system32\Wryv.exe
C:\WINDOWS\system32\Wurk.exe
C:\WINDOWS\system32\Wzoc25sB.exe
C:\WINDOWS\system32\Xapd25tC.exe
C:\WINDOWS\system32\Xej7.exe
C:\WINDOWS\system32\Xgqs.exe
C:\WINDOWS\system32\XihVQ6t0.exe
C:\WINDOWS\system32\XshLG2.exe
C:\WINDOWS\system32\Ycd8.exe
C:\WINDOWS\system32\YgqG.exe
C:\WINDOWS\system32\YjpWR9u0.exe
C:\WINDOWS\system32\YrfDdyY.exe
C:\WINDOWS\system32\YtaxK.exe
C:\WINDOWS\system32\YubxK.exe
C:\WINDOWS\system32\Ywt4.exe
C:\WINDOWS\system32\ZbujPz8.exe
C:\WINDOWS\system32\ZepIh8UP.exe
C:\WINDOWS\system32\ZffQZ1.exe
C:\WINDOWS\system32\ZkqXS9u0.exe
C:\WINDOWS\system32\ZpuwLEK.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Winpu38


((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-26 00:42 . 2008-07-26 00:42 <DIR> d-------- C:\Documents and Settings\Javier\Application Data\Corel
2008-07-25 18:31 . 2008-07-25 18:31 <DIR> d-------- C:\Documents and Settings\Javier\Application Data\Malwarebytes
2008-07-25 17:05 . 2008-07-26 00:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-25 17:05 . 2008-07-25 17:05 <DIR> d-------- C:\Documents and Settings\Julio\Application Data\Malwarebytes
2008-07-25 17:05 . 2008-07-25 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-25 17:05 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-25 17:05 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-15 14:23 . 2003-05-22 16:31 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 16:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-20 13:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-20 13:36 --------- d-----w C:\Program Files\Nick Jr. Arcade
2008-07-15 12:36 --------- d-----w C:\Program Files\Apple Software Update
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2006-09-22 22:17 28,672 ----a-w C:\Documents and Settings\Julio\atwbxdet.dll
2006-07-11 18:07 1,388 ----a-w C:\Documents and Settings\Julio\Application Data\ViewerApp.dat
.

((((((((((((((((((((((((((((( snapshot@2008-07-25_17.47.13.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-26 16:00:34 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_7e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe" [2003-04-29 10:40 524288]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 17:11 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 17:11 58392]
"GhostStartTrayApp"="C:\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" [2002-08-14 15:21 94208]
"QD FastAndSafe"="C:\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe" [2002-08-13 17:00 32768]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-04-29 07:40 100056]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:56 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 19:34 5419008]

C:\Documents and Settings\Julio\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 14:15:48 462848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi6"= gmidi.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpu38.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Julio^Start Menu^Programs^Startup^MEMonitor.lnk]
path=C:\Documents and Settings\Julio\Start Menu\Programs\Startup\MEMonitor.lnk
backup=C:\WINDOWS\pss\MEMonitor.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Julio^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=C:\Documents and Settings\Julio\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=C:\WINDOWS\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a------ 2005-12-05 18:04 691200 C:\Program Files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDBitSet]
--------- 2002-12-06 16:19 200704 C:\HP CD-DVD\Umbrella\DVDBitSet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDTray]
--------- 2002-12-18 16:50 53248 C:\HP CD-DVD\Umbrella\DVDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp 1000 firmware]
--------- 2001-12-15 12:10 36864 C:\Program Files\hp LaserJet 1000\fwdl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-05-29 19:34 5419008 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
--a------ 2002-12-16 17:51 36864 C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-04-29 07:40 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-09-09 12:00 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
--a------ 2003-03-31 20:28 155648 C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-27 15:22 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-11-07 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]