[Resolved] Slow Pc & No Internet


  • This topic is locked
6 replies to this topic

#1 tonka001 (Authentic Member, 163 posts)

Posted 20 September 2007 - 10:38 AM

I'm helping a friend to fix her computer. From what I can tell it seems to be loaded with malware, spyware, etc.

Below is the log file; I removed the header so I could post it. The results are from version 2.0; every time I tried to run version 1.99 I receive a Windows error message stating that Windows needs to shut down HijackThis. It does create a partial log file, but stops near the end and doesn't create the complete log. The two logs look the same except for the final two or three lines.

Thanks for any/all help you can provide.

Scan saved at 8:02:56 AM, on 9/20/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\upzdowd.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Logitech\PktDrvr\LVCOMS.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\svchost.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\cfg32.exe
C:\winnt\system32\mqdsregp.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\PROGRA~1\COMMON~1\MBOLS~1\msiexec.exe
C:\PROGRA~1\COMMON~1\kuoq\kuoqm.exe
C:\WINNT\cfg32a.exe
C:\PROGRA~1\COMMON~1\kuoq\kuoqa.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\Logitech\Video\AlbumDB2.exe
C:\Documents and Settings\OWNER\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {040586F2-9B87-4353-81C8-9EFF8A5CFCF0} - C:\WINNT\system32\hjmjhfpg.dll
O2 - BHO: (no name) - {23972CE8-9EE7-45EF-AE49-DAC3A48AD9D9} - C:\Program Files\Common Files\texoh.dll
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINNT\system32\efcbxwu.dll
O2 - BHO: (no name) - {31C7D466-35FC-4AF0-8A62-CCB82E633E37} - C:\WINNT\system32\hjmjhfpg.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {524D1710-251B-47D0-BA08-68689DAC72AC} - (no file)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINNT\system32\kjoglnrc.dll
O2 - BHO: (no name) - {643E1FFF-F56B-C09D-1A17-8F8DBB21839F} - C:\WINNT\system32\syk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINNT\cfg32o.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINNT\system32\dnsersnd.dll
O2 - BHO: 0 - {EF1F76F7-5787-4265-47AF-FA526697B57C} - C:\Program Files\Outlook Express\xukabol490.dll
O2 - BHO: (no name) - {F0867323-7F80-4B25-8797-1AA40CA394AD} - C:\WINNT\system32\vtutu.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\PktDrvr\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [WorkFlow] E:\Install\WorkFlow.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F31DC7E4638E8323A15806F9DA6EF604776CA6C1637F811E3C28125102CCE7003
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINNT\system32\nwinrndt.exe CHD003
O4 - HKLM\..\Run: [upzdowdA] C:\WINNT\upzdowdA.exe
O4 - HKLM\..\Run: [win320747261563] C:\WINNT\win320747261563.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINNT\cfg32.exe
O4 - HKLM\..\Run: [startdrv] C:\WINNT\Temp\startdrv.exe
O4 - HKLM\..\Run: [{40-06-6D-D2-ZN}] C:\winnt\system32\mqdsregp.exe CHD003
O4 - HKLM\..\Run: [j0261738] rundll32 C:\WINNT\system32\j0261738.dll sook
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINNT\system32\drvpag.dll,startup
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [EPSON Stylus CX4800 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /M "Stylus CX4800" /EF "HKCU"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Ocom] "C:\PROGRA~1\COMMON~1\MBOLS~1\msiexec.exe" -vt yazb
O4 - HKCU\..\Run: [kuoq] C:\PROGRA~1\COMMON~1\kuoq\kuoqm.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\WINNT\svchost.exe
O4 - HKUS\.DEFAULT\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Think-Adz.lnk = C:\WINNT\system32\nwinrndt.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\OWNER\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: efcbxwu - C:\WINNT\SYSTEM32\efcbxwu.dll
O20 - Winlogon Notify: vtutu - C:\WINNT\system32\vtutu.dll
O20 - Winlogon Notify: winrxa32 - C:\WINNT\SYSTEM32\winrxa32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\upzdowd.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Outlook Express\ceseprifs.html

--
End of file - 8552 bytes
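The HijackThis log above is the kind of output a helper reads line by line for entries worth investigating. As an added example that is not part of this thread, the Python script below triages lines in that format with a few defender-side heuristics: unnamed BHOs, Winlogon Notify and AppInit_DLLs entries, services with no owner, core system binary names found outside system32, executables dropped directly into the Windows directory, and generated-looking file names. The nine sample lines, the vowel-ratio threshold and the two name sets are constructed assumptions for illustration, not a vendor list.

```python
"""Triage helper for HijackThis v2 log lines (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: nine lines in the HijackThis format used in the thread
# (a subset modelled on the posted log, not the complete log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {040586F2-9B87-4353-81C8-9EFF8A5CFCF0} - C:\WINNT\system32\hjmjhfpg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Configuration Manager] C:\WINNT\cfg32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\WINNT\svchost.exe
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: vtutu - C:\WINNT\system32\vtutu.dll
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|sys|ocx)\b", re.I)

# Core Windows binaries that belong in system32; the same name anywhere else is a red flag
# (assumed set, kept short for the example).
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe", "services.exe"}
# Binaries Windows 2000/XP legitimately keeps directly in the Windows directory (assumed set).
WINDIR_OK = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe"}


@dataclass
class Finding:
    code: str
    path: str
    reasons: list[str] = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Crude check for generated names such as hjmjhfpg or kjoglnrc: an all-lowercase
    alphabetic stem of six or more letters with very few vowels (threshold is an assumption).
    Mixed-case stems (CTSvcCDA) are treated as vendor-chosen and skipped."""
    if len(stem) < 6 or not stem.isalpha() or not stem.islower():
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return vowels / len(stem) <= 0.25


def _path_reasons(path: str) -> list[str]:
    """Location-based heuristics for the file an entry points at."""
    parent, base = path.rsplit("\\", 1)
    parent_l, base_l = parent.lower(), base.lower()
    stem = base.rsplit(".", 1)[0]
    # Parent is exactly <drive>:\WINNT or <drive>:\Windows, nothing deeper.
    in_windir = parent_l.count("\\") == 1 and parent_l.rsplit("\\", 1)[-1] in {"winnt", "windows"}
    if base_l in SYSTEM32_ONLY:
        return [] if parent_l.endswith("system32") else [f"system binary name {base_l} outside system32"]
    if in_windir and base_l not in WINDIR_OK:
        return [f"{base_l} placed directly in the Windows directory"]
    if looks_random(stem):
        return [f"random-looking file name {base_l}"]
    return []


def triage_line(line: str) -> Finding | None:
    """Return a Finding for one log line, or None when no heuristic fires."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else ""
    reasons: list[str] = []
    if code == "O2" and "(no name)" in body:
        reasons.append("Browser Helper Object with no name")
    elif code == "O4" and "\\Policies\\Explorer\\Run" in body:
        reasons.append("autostart through the Explorer policy Run key")
    elif code == "O20" and "AppInit_DLLs" in body:
        reasons.append("DLL injected into every user-mode process via AppInit_DLLs")
    elif code == "O20" and "Winlogon Notify" in body:
        reasons.append("DLL loaded by winlogon as a notification package")
    elif code == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor information")
    if path:
        reasons.extend(_path_reasons(path))
    return Finding(code, path, reasons) if reasons else None


def triage(log_text: str) -> list[Finding]:
    """Return the lines of a HijackThis log that need human review, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.path}\n     -> {'; '.join(f.reasons)}")
```

Heuristics like these only rank entries for a human; the Java and Creative lines in the sample stay unflagged, while the unnamed BHO, the misplaced svchost.exe and the O20 entries surface first.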


#2 Markka (Advanced Member, Banned, 784 posts)

Posted 20 September 2007 - 11:44 AM

Hi and welcome to the forums. :) I'm Markka and I will be helping you with your malware issues. I'll check your HijackThis log. Right now I'm MRU Undergrad, everything that I post to you must be checked by teachers of Malware Removal University. Please be patient. :)

#3 Markka (Advanced Member, Banned, 784 posts)

Posted 21 September 2007 - 12:56 PM

Hello :)

We need to create a new folder for HijackThis, because when HijackThis isn't in its own folder it doesn't create backups.

Create a new folder on your desktop (right-click on the desktop and choose "Create a new folder" from the pull-down menu) called HJT and drag HiJackThis_v2.exe into the HJT folder.
_________________

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall!
________________

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
________________

Post:
- A fresh HijackThis log
- Contents of C:\ComboFix.txt
- Contents of Report.txt

#4 tonka001 (Authentic Member, 163 posts)

Posted 24 September 2007 - 09:50 AM

Below are the HJT log file and the ComboFix log file. ComboFix took a few tries before I could get it to complete and create a log file.

I couldn't get SDfix to complete and create a log file.

Scan saved at 6:29:07 AM, on 9/24/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\dls0523pmw.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\upzdowd.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Common Files\Logitech\PktDrvr\LVCOMS.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\upzdowdA.exe
C:\WINNT\cfg32.exe
C:\winnt\system32\mqdsregp.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\PROGRA~1\COMMON~1\MBOLS~1\msiexec.exe
C:\WINNT\cfg32a.exe
C:\PROGRA~1\COMMON~1\kuoq\kuoqm.exe
C:\PROGRA~1\COMMON~1\kuoq\kuoqa.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\OWNER\Desktop\HJT\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {040586F2-9B87-4353-81C8-9EFF8A5CFCF0} - C:\WINNT\system32\hjmjhfpg.dll
O2 - BHO: (no name) - {23972CE8-9EE7-45EF-AE49-DAC3A48AD9D9} - C:\Program Files\Common Files\texoh.dll
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINNT\system32\efcbxwu.dll
O2 - BHO: (no name) - {31C7D466-35FC-4AF0-8A62-CCB82E633E37} - C:\WINNT\system32\hjmjhfpg.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {524D1710-251B-47D0-BA08-68689DAC72AC} - (no file)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINNT\system32\kjoglnrc.dll
O2 - BHO: (no name) - {643E1FFF-F56B-C09D-1A17-8F8DBB21839F} - C:\WINNT\system32\syk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {768F2C59-B943-4592-85DD-4E6E0F43EF81} - C:\WINNT\system32\vtutu.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINNT\cfg32o.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINNT\system32\dnsersnd.dll
O2 - BHO: 0 - {EF1F76F7-5787-4265-47AF-FA526697B57C} - C:\Program Files\Outlook Express\xukabol490.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\PktDrvr\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [WorkFlow] E:\Install\WorkFlow.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F31DC7E4638E8323A15806F9DA6EF604776CA6C1637F811E3C28125102CCE7003
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINNT\system32\nwinrndt.exe CHD003
O4 - HKLM\..\Run: [upzdowdA] C:\WINNT\upzdowdA.exe
O4 - HKLM\..\Run: [win320747261563] C:\WINNT\win320747261563.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINNT\cfg32.exe
O4 - HKLM\..\Run: [startdrv] C:\WINNT\Temp\startdrv.exe
O4 - HKLM\..\Run: [{40-06-6D-D2-ZN}] C:\winnt\system32\mqdsregp.exe CHD003
O4 - HKLM\..\Run: [j0261738] rundll32 C:\WINNT\system32\j0261738.dll sook
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINNT\system32\drvpag.dll,startup
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [EPSON Stylus CX4800 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /M "Stylus CX4800" /EF "HKCU"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Ocom] "C:\PROGRA~1\COMMON~1\MBOLS~1\msiexec.exe" -vt yazb
O4 - HKCU\..\Run: [kuoq] C:\PROGRA~1\COMMON~1\kuoq\kuoqm.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\Program Files\Common Files\svchost.exe
O4 - HKUS\.DEFAULT\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Think-Adz.lnk = C:\WINNT\system32\nwinrndt.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\OWNER\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: c:\winnt\system32\ldcore.dll
O20 - Winlogon Notify: efcbxwu - C:\WINNT\SYSTEM32\efcbxwu.dll
O20 - Winlogon Notify: vtutu - C:\WINNT\system32\vtutu.dll
O20 - Winlogon Notify: winrxa32 - C:\WINNT\SYSTEM32\winrxa32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\upzdowd.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Outlook Express\ceseprifs.html

--
End of file - 8809 bytes

ComboFix 07-09-21.2 - "OWNER" 2007-09-24 7:10:03.3 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.61 [GMT -7:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\a.exe
C:\DOCUME~1\DEFAUL~1\APPLIC~1\.rdr.ini
C:\DOCUME~1\DEFAUL~1\Desktop\tagasaurus.exe
C:\DOCUME~1\OWNER\APPLIC~1\.rdr.ini
C:\DOCUME~1\OWNER\APPLIC~1\install.dat
C:\DOCUME~1\OWNER\APPLIC~1\macromedia\Flash Player\#SharedObjects\3JYCGF93\www.broadcaster.com
C:\DOCUME~1\OWNER\APPLIC~1\macromedia\Flash Player\#SharedObjects\3JYCGF93\www.broadcaster.com\played_list.sol
C:\DOCUME~1\OWNER\APPLIC~1\macromedia\Flash Player\#SharedObjects\3JYCGF93\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\OWNER\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\OWNER\STARTM~1\Programs\Outerinfo
C:\DOCUME~1\OWNER\STARTM~1\Programs\Outerinfo\Terms.lnk
C:\DOCUME~1\OWNER\STARTM~1\Programs\Outerinfo\Uninstall.lnk
C:\DOCUME~1\OWNER\STARTM~1\Programs\Startup\think-adz.lnk
C:\Program Files\bravesentry
C:\Program Files\bravesentry\BraveSentry.exe
C:\Program Files\bravesentry\BraveSentry.lic
C:\Program Files\bravesentry\BraveSentry0.bs
C:\Program Files\bravesentry\BraveSentry0.dll
C:\Program Files\bravesentry\BraveSentry1.bs
C:\Program Files\bravesentry\BraveSentry2.dll
C:\Program Files\bravesentry\BraveSentry3.dll
C:\Program Files\bravesentry\Uninstall.exe
C:\Program Files\Common Files\mbols~1
C:\Program Files\Common Files\mbols~1\??mbols\
C:\Program Files\Common Files\mbols~1\msiexec.exe
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\PopSwatr\History\allowed
C:\Program Files\FunWebProducts\PopSwatr\History\notallow
C:\Program Files\inetget2
C:\Program Files\inetget2\install.exe
C:\Program Files\inetget2\MTE3MTk6ODoxNg.exe
C:\Program Files\inetget2\stub_109_4_0_4_0.exe
C:\Program Files\inetget2\YazzleBundle-1122.exe
C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\History\search
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Outlook Express\ceseprifs.html
C:\tempb9
C:\tempb9\tmpTF.log
C:\temp\tn3
C:\WINNT\b103.exe
C:\WINNT\b104.exe
C:\WINNT\b122.exe
C:\WINNT\b128.exe
C:\WINNT\b129.exe
C:\WINNT\b136.exe
C:\WINNT\cfg32.exe
C:\WINNT\cfg32a.exe
C:\WINNT\cfg32o.dll
C:\WINNT\cfg32r.dll
C:\WINNT\cfg32s.dll
C:\WINNT\cs_cache.ini
C:\WINNT\dls0523pmw.exe
C:\WINNT\g4356cbvy63.exe
C:\WINNT\itpb_11.exe
C:\WINNT\itpb_3.exe
C:\WINNT\itpb_4.exe
C:\WINNT\offun.exe
C:\WINNT\rau001978.exe
C:\WINNT\retadpu.exe
C:\WINNT\retadpu1000106.exe
C:\WINNT\rk.exe
C:\WINNT\sammy3.exe
C:\WINNT\setup89.exe
C:\WINNT\stub_mma1.exe
C:\WINNT\svchost.exe
C:\WINNT\system32\6_exception.nls
C:\WINNT\system32\advvpi32.dll
C:\WINNT\system32\afbvxaga.dll
C:\WINNT\system32\agaxvbfa.ini
C:\WINNT\system32\aruqagxr.dll
C:\WINNT\system32\awtqnkh.dll
C:\WINNT\system32\axknrncs.dll
C:\WINNT\system32\bjbybgpn.dll
C:\WINNT\system32\bmpcqqye.dll
C:\WINNT\system32\bvgvlwwc.dll
C:\WINNT\system32\bvqkxacg.exe
C:\WINNT\system32\bxaaryjf.exe
C:\WINNT\system32\cbhiepyw.dll
C:\WINNT\system32\cektqbcn.exe
C:\WINNT\system32\ckntabqd.dll
C:\WINNT\system32\cmimqdvy.ini
C:\WINNT\system32\cmjlbpmk.dll
C:\WINNT\system32\cpcyvxql.exe
C:\WINNT\system32\cqtyfobe.dll
C:\WINNT\system32\dfqumaja.exe
C:\WINNT\system32\dgdpnbvd.ini
C:\WINNT\system32\dnsersnd.dll
C:\WINNT\system32\drbjbbyl.exe
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\drivers\core.sys
C:\WINNT\system32\dulqisdb.dll
C:\WINNT\system32\dvbnpdgd.dll
C:\WINNT\system32\dwdsregt.exe
C:\WINNT\system32\dxxyicjn.ini
C:\WINNT\system32\ectampdm.exe
C:\WINNT\system32\eeekcgpq.dll
C:\WINNT\system32\efcaywu.dll
C:\WINNT\system32\efcbxwu.dll
C:\WINNT\system32\egtfbjip.exe
C:\WINNT\system32\elhqyslv.dll
C:\WINNT\system32\eptblbda.exe
C:\WINNT\system32\esdioxrg.dll
C:\WINNT\system32\ewvxuark.dll
C:\WINNT\system32\fbmsugmm.dll
C:\WINNT\system32\frxuocdj.dll
C:\WINNT\system32\fvcecotk.exe
C:\WINNT\system32\fwrxunij.dll
C:\WINNT\system32\gebxvwu.dll
C:\WINNT\system32\gncmetny.exe
C:\WINNT\system32\gqpivagk.ini
C:\WINNT\system32\hanxjeet.exe
C:\WINNT\system32\henerdcl.ini
C:\WINNT\system32\heqwigfy.exe
C:\WINNT\system32\hgmeykdn.dll
C:\WINNT\system32\hhkjkacm.dll
C:\WINNT\system32\hjmjhfpg.dll
C:\WINNT\system32\hjyqxglb.exe
C:\WINNT\system32\hkjgwbjq.dll
C:\WINNT\system32\hnsxsjrw.ini
C:\WINNT\system32\hqnkmdmv.exe
C:\WINNT\system32\hsfpcxfp.ini
C:\WINNT\system32\iaabdabx.exe
C:\WINNT\system32\iavlrecc.exe
C:\WINNT\system32\ihhywxtu.dll
C:\WINNT\system32\iovwqgeb.dll
C:\WINNT\system32\iqlxbqds.dll
C:\WINNT\system32\itkqiayt.ini
C:\WINNT\system32\ivaynpli.exe
C:\WINNT\system32\ixmijnoj.exe
C:\WINNT\system32\j0261738.dll
C:\WINNT\system32\jbeosudc.exe
C:\WINNT\system32\jbqpdpsc.exe
C:\WINNT\system32\jchvejcg.dll
C:\WINNT\system32\jdcouxrf.ini
C:\WINNT\system32\jiepofep.dll
C:\WINNT\system32\jkkheed.dll
C:\WINNT\system32\joqyfcyq.exe
C:\WINNT\system32\jplkswyy.dll
C:\WINNT\system32\jsemoajb.dll
C:\WINNT\system32\jxqafeht.dll
C:\WINNT\system32\jyewwvos.dll
C:\WINNT\system32\jyyehjjf.dll
C:\WINNT\system32\kgavipqg.dll
C:\WINNT\system32\kguncgwo.exe
C:\WINNT\system32\khfeeby.dll
C:\WINNT\system32\kjoglnrc.dll
C:\WINNT\system32\ksys.sys
C:\WINNT\system32\ktwrvmpm.ini
C:\WINNT\system32\kviwwwst.exe
C:\WINNT\system32\lbunqhra.exe
C:\WINNT\system32\lcdreneh.dll
C:\WINNT\system32\ldcore.dll
C:\WINNT\system32\ldinfo.ldr
C:\WINNT\system32\lgqeoviq.ini
C:\WINNT\system32\lhevhiuv.ini
C:\WINNT\system32\lhsoxqar.dll
C:\WINNT\system32\ljjjjjj.dll
C:\WINNT\system32\lmfvacmt.dll
C:\WINNT\system32\lvjfveut.dll
C:\WINNT\system32\mibwsqnx.exe
C:\WINNT\system32\miijnubj.exe
C:\WINNT\system32\mlvucegp.exe
C:\WINNT\system32\mpmvrwtk.dll
C:\WINNT\system32\msnav32.ax
C:\WINNT\system32\ncavlsej.exe
C:\WINNT\system32\ndkyemgh.ini
C:\WINNT\system32\ngudfmdq.ini
C:\WINNT\system32\njciyxxd.dll
C:\WINNT\system32\nnnmlmm.dll
C:\WINNT\system32\npfbavgs.exe
C:\WINNT\system32\nqpwbnpl.dll
C:\WINNT\system32\nxxocndn.exe
C:\WINNT\system32\ockcdduc.dll
C:\WINNT\system32\okjqeoib.exe
C:\WINNT\system32\opnllkj.dll
C:\WINNT\system32\pfxcpfsh.dll
C:\WINNT\system32\pkhqhsjm.exe
C:\WINNT\system32\qdmfdugn.dll
C:\WINNT\system32\qhqsjgcb.exe
C:\WINNT\system32\qivoeqgl.dll
C:\WINNT\system32\qnwypkbf.exe
C:\WINNT\system32\qosjxlle.dll
C:\WINNT\system32\qpgckeee.ini
C:\WINNT\system32\qtvhnrnv.dll
C:\WINNT\system32\quvaiuxo.dll
C:\WINNT\system32\qwerty12.exe
C:\WINNT\system32\raqxoshl.ini
C:\WINNT\system32\rbysdpwh.exe
C:\WINNT\system32\rdgjxnwv.dll
C:\WINNT\system32\rgusbnmd.exe
C:\WINNT\system32\rkgcghvl.dll
C:\WINNT\system32\rndgkiiv.dll
C:\WINNT\system32\rovjmikb.dll
C:\WINNT\system32\rsbqexlh.exe
C:\WINNT\system32\rwfpewrc.exe
C:\WINNT\system32\rxgaqura.ini
C:\WINNT\system32\sdhhhcyk.exe
C:\WINNT\system32\sfblopfp.exe
C:\WINNT\system32\sfxldilw.exe
C:\WINNT\system32\sjcekvfl.exe
C:\WINNT\system32\sjsqqvep.exe
C:\WINNT\system32\skimvify.exe
C:\WINNT\system32\srgbvyjg.exe
C:\WINNT\system32\ssbeeoui.exe
C:\WINNT\system32\svmjwgrh.exe
C:\WINNT\system32\T3
C:\WINNT\system32\T3\dlltk67.exe
C:\WINNT\system32\T4
C:\WINNT\system32\T4\d5ll.exe
C:\WINNT\system32\T6
C:\WINNT\system32\T6\dlwr.exe
C:\WINNT\system32\tecjvuew.dll
C:\WINNT\system32\tewpcnfu.exe
C:\WINNT\system32\thefaqxj.ini
C:\WINNT\system32\tkjhjoji.dll
C:\WINNT\system32\trxeaxnl.dll
C:\WINNT\system32\tsuninst.exe
C:\WINNT\system32\tuevfjvl.ini
C:\WINNT\system32\tvieqdui.exe
C:\WINNT\system32\twquhwha.exe
C:\WINNT\system32\twyqtbgx.exe
C:\WINNT\system32\tyaiqkti.dll
C:\WINNT\system32\umugqjjc.exe
C:\WINNT\system32\unjxxjit.dll
C:\WINNT\system32\uodjbxlk.exe
C:\WINNT\system32\ututv.bak1
C:\WINNT\system32\ututv.bak2
C:\WINNT\system32\ututv.ini
C:\WINNT\system32\uwrmlmhx.dll
C:\WINNT\system32\uwrtauxw.dll
C:\WINNT\system32\uwvvuucp.dll
C:\WINNT\system32\vdgvkfob.exe
C:\WINNT\system32\vesjqbki.dll
C:\WINNT\system32\viikgdnr.ini
C:\WINNT\system32\voqlehbb.dll
C:\WINNT\system32\vsnmfhnx.exe
C:\WINNT\system32\vtutu.dll
C:\WINNT\system32\vuihvehl.dll
C:\WINNT\system32\waxuxxln.dll
C:\WINNT\system32\wdjeaffi.exe
C:\WINNT\system32\winpfz32.sys
C:\WINNT\system32\winrxa32.dll
C:\WINNT\system32\wiufhnlx.exe
C:\WINNT\system32\wjlmqest.dll
C:\WINNT\system32\wnstsicom32.exe
C:\WINNT\system32\wrjsxsnh.dll
C:\WINNT\system32\wrpukqgy.exe
C:\WINNT\system32\wuhwsqvk.dll
C:\WINNT\system32\wxxwdfhx.dll
C:\WINNT\system32\xafgboof.exe
C:\WINNT\system32\xecoqkjl.exe
C:\WINNT\system32\xglaovii.exe
C:\WINNT\system32\xgwgofsr.dll
C:\WINNT\system32\xhmlmrwu.ini
C:\WINNT\system32\xkwkehyd.exe
C:\WINNT\system32\xnuxlusa.dll
C:\WINNT\system32\xoyaitnj.exe
C:\WINNT\system32\xtniafrh.dll
C:\WINNT\system32\xukamnny.dll
C:\WINNT\system32\xytgdtuc.exe
C:\WINNT\system32\ygflthai.exe
C:\WINNT\system32\ynifcrib.dll
C:\WINNT\system32\yodixtpt.exe
C:\WINNT\system32\ypaeidcf.exe
C:\WINNT\system32\yvdqmimc.dll
C:\WINNT\system32\yywsklpj.ini
C:\WINNT\system32\zxdnt3d.cfg
C:\WINNT\uni_e6h.exe
C:\WINNT\uni_eh44.exe
C:\WINNT\uninst1014.exe
C:\WINNT\uninst108.exe
C:\WINNT\uninst2.htm
C:\WINNT\uninstall_nmon.vbs
C:\WINNT\unist1.htm
C:\WINNT\win3206347261562007.exe
C:\WINNT\wr.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_NDNET1
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NET_AGENT
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\NDnet1
-------\Net Agent
-------\Network Monitor
-------\runtime
-------\runtime2
-------\Windows Overlay Components


((((((((((((((((((((((((( Files Created from 2007-08-24 to 2007-09-24 )))))))))))))))))))))))))))))))
.

2007-09-24 07:09 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2e8.dat
2007-09-24 06:39 51,200 --a------ C:\WINNT\NirCmd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
07-09-24 06:57 7680 --a------ C:\WINNT\system32\drivers\netdtect.sys
07-09-20 11:59 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
07-08-07 20:03 --------- d-------- C:\Program Files\Yahoo!
07-08-07 20:01 --------- d-------- C:\Program Files\MSHome
07-08-07 18:51 --------- d-------- C:\Program Files\BearShare
07-07-13 14:22 224654 --a------ C:\WINNT\lnums0578.exe
07-07-08 19:54 49152 --a------ C:\WINNT\ciyjk0578.exe
07-04-06 12:27 139264 --a------ C:\Program Files\Common Files\texoh.dll
05-03-14 16:10 271 ---h----- C:\Program Files\desktop.ini
05-03-14 16:10 21952 ---h----- C:\Program Files\folder.htt
1989-12-12 17:10:10 381,920 --sh--r C:\WINNT\upzdowdA.exe
2005-08-02 23:46:54 187,904 --sha-r C:\WINNT\T1dORVI\asappsrv.dll
2005-08-02 23:58:38 293,888 --sha-r C:\WINNT\T1dORVI\command.exe
2005-07-29 23:24:26 472 --sha-r C:\WINNT\T1dORVI\nYxilpK.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23972CE8-9EE7-45EF-AE49-DAC3A48AD9D9}]
07-04-06 12:27 139264 --a------ C:\Program Files\Common Files\texoh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E1500AC-87A5-416b-A211-82E848649DA9}]
07-05-31 20:31 192512 --a------ C:\PROGRA~1\Ofb11\Ofb11.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{524D1710-251B-47D0-BA08-68689DAC72AC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{643E1FFF-F56B-C09D-1A17-8F8DBB21839F}]
07-06-20 07:49 60928 --a------ C:\WINNT\system32\syk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF1F76F7-5787-4265-47AF-FA526697B57C}]
07-05-31 20:32 45568 --a------ C:\Program Files\Outlook Express\xukabol490.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-07-14 05:00 C:\WINNT\system32\mobsync.exe]
"VTPreset"="VTPreset.exe" [04-02-24 20:17 C:\WINNT\system32\VTPreset.exe]
"CountrySelection"="pctptt.exe" [01-01-09 05:47 C:\WINNT\system32\pctptt.exe]
"LVCOMS"="C:\Program Files\Common Files\Logitech\PktDrvr\LVCOMS.EXE" [03-07-21 16:14 ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [03-07-21 16:46 ]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [03-07-21 16:49 ]
"LogitechGalleryRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [03-07-21 16:46 ]
"EPSON Stylus CX4800 Series"="C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [05-02-01 20:00 ]
"WorkFlow"="E:\Install\WorkFlow.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [05-11-10 13:03 ]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [05-06-10 02:24 ]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [05-06-10 02:21 ]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [02-12-03 18:06 ]
"UpdReg"="C:\WINNT\UpdReg.EXE" [00-05-11 01:00 ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-10-30 09:36 ]
"CTHelper"="CTHELPER.EXE" [03-04-10 01:36 C:\WINNT\system32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [03-07-14 05:00 C:\WINNT\system32\regsvr32.exe]
"BearFlix"="C:\Program Files\BearFlix\BearFlix.exe" []
"upzdowdA"="C:\WINNT\upzdowdA.exe" [89-12-12 10:10 ]
"win320747261563"="C:\WINNT\win320747261563.exe" []
"{40-06-6D-D2-ZN}"="c:\winnt\system32\dwdsregt.exe" [07-09-24 07:32 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [07-03-19 00:45 ]
"EPSON Stylus CX4800 Series"="C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [05-02-01 20:00 ]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"RemoteCenter"="" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [06-11-07 08:29 ]
"Ocom"="C:\PROGRA~1\COMMON~1\MBOLS~1\msiexec.exe" []
"kuoq"="C:\PROGRA~1\COMMON~1\kuoq\kuoqm.exe" [06-07-19 14:56 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\DOCUME~1\OWNER\STARTM~1\Programs\Startup\
TA_Start.lnk - C:\WINNT\system32\mqdsregp.exe [2007-05-31 15:24:13]

R2 Pctspk;W2k PCtel speaker phone;C:\WINNT\system32\pctspk.exe
R3 ctgame;Game Port;C:\WINNT\system32\DRIVERS\ctgame.sys
R3 DLKRTS;D-Link DFE-530TX+ PCI Adapter;C:\WINNT\system32\DRIVERS\DLKRTS.SYS
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINNT\system32\DRIVERS\point32.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
S3 BEFCMU10V4;Linksys BEFCMU10 ver. 4 Cable Modem;C:\WINNT\system32\DRIVERS\BEFCMU10V4.sys
S3 gena;Ethernet 10/100 PC Card;C:\WINNT\system32\DRIVERS\genan5.sys
S3 lsermous;Logitech Serial Mouse Driver;C:\WINNT\system32\DRIVERS\lsermous.sys
S3 LVUMSFD;Mass Storage Filter Service;C:\WINNT\system32\DRIVERS\LVUMSFD.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-05-20 23:53:03 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-07-31 01:36:54 C:\WINNT\Tasks\At1.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-09-20 16:02:03 C:\WINNT\Tasks\At10.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-07-31 01:36:55 C:\WINNT\Tasks\At11.job"
"2007-07-31 01:36:55 C:\WINNT\Tasks\At12.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-07-31 01:36:55 C:\WINNT\Tasks\At13.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-07-31 01:36:55 C:\WINNT\Tasks\At14.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-07-31 01:36:55 C:\WINNT\Tasks\At15.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-07-31 01:36:55 C:\WINNT\Tasks\At16.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-07-31 01:36:55 C:\WINNT\Tasks\At17.job"
"2007-08-04 00:02:10 C:\WINNT\Tasks\At18.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-07-31 01:36:55 C:\WINNT\Tasks\At19.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-07-31 01:36:54 C:\WINNT\Tasks\At2.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-08-08 02:01:51 C:\WINNT\Tasks\At20.job"
"2007-07-31 01:36:55 C:\WINNT\Tasks\At21.job"
"2007-08-03 04:02:25 C:\WINNT\Tasks\At22.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-07-31 01:36:55 C:\WINNT\Tasks\At23.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-07-31 01:36:56 C:\WINNT\Tasks\At24.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-07-31 01:36:54 C:\WINNT\Tasks\At3.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-07-31 01:36:54 C:\WINNT\Tasks\At4.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-07-31 01:36:54 C:\WINNT\Tasks\At5.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-07-31 01:36:54 C:\WINNT\Tasks\At6.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-09-24 13:02:02 C:\WINNT\Tasks\At7.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-09-24 14:01:46 C:\WINNT\Tasks\At8.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-07-31 01:36:55 C:\WINNT\Tasks\At9.job"
- C:\WINNT\system32\e7xGdRL3.exe
"2007-07-24 10:00:00 C:\WINNT\Tasks\Disk Cleanup.job"
- C:\WINNT\system32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-24 07:32:18
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-24 7:34:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-09-24 07:33
.
--- E O F ---

#5 Markka

Markka

    Advanced Member

  • Banned
  • PipPipPipPip
  • 784 posts

Posted 25 September 2007 - 05:10 AM

Hello :)

Some vundo files didn't leave, so let's use this tool ;)

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

#6 tonka001

tonka001

    Authentic Member

  • Authentic Member
  • PipPip
  • 163 posts

Posted 18 December 2007 - 03:23 PM

Markka. The friend had to take her PC back home, so I couldn't complete the last step you instructed me to. I'm posting here now so that this thread can be closed as "resolved". I have a feeling it's not the last I've heard from her, so I think I will be posting again with that computer. Thank you very much for your help, as well as all the folks at WTT.

#7 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 30 January 2008 - 09:33 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
You too could train to help others - Join the Classroom
