Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93104 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] virus help!


  • This topic is locked This topic is locked
11 replies to this topic

#1 asolis

asolis

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 07 November 2007 - 10:54 AM

yesterday all sorts of crazy pop ups came up on my computer, today I keep getting security warnings that my computere is infected with a trojan "PSW.X-Vir" and Troan-spy.win32@mx. I have no idea how to get rid of it. Norton doesn't seem to recognize it when I run a scan. Please help!!! Here is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:38 AM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton AntiVirus\Navw32.exe
C:\WINDOWS\system32\qvnkunls.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Eddy\Desktop\Spyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e1.rd.yahoo.c...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.local;<local>
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {612ba761-4684-ad38-5894-5603e8a43171} - {17134a8e-3065-4985-83da-4864167ab216} - C:\WINDOWS\system32\byfxwqaf.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\tuvtspn.dll
O2 - BHO: (no name) - {7487CA51-92EE-4DB9-9BCE-8326B84CB875} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\zqodkicw.dll
O2 - BHO: (no name) - {D1895368-97BC-4AE5-BFB1-647A922DFBEF} - C:\WINDOWS\system32\vturq.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\zqodkicw.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Eddy\LOCALS~1\Temp\2007923162827_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Eddy\LOCALS~1\Temp\2007923162822_mcinfo.exe /insfin
O4 - HKLM\..\Run: [14d0450a] rundll32.exe "C:\WINDOWS\system32\gualkkfi.dll",b
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SightSpeed] C:\Program Files\SightSpeed\SightSpeed.exe -minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....302/Coupons.cab
O20 - Winlogon Notify: gebyx - C:\WINDOWS\system32\gebyx.dll (file missing)
O20 - Winlogon Notify: tuvtspn - C:\WINDOWS\SYSTEM32\tuvtspn.dll
O20 - Winlogon Notify: zqodkicw - C:\WINDOWS\SYSTEM32\zqodkicw.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DomainService - - C:\WINDOWS\system32\qvnkunls.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 12894 bytes

Edited by asolis, 07 November 2007 - 10:55 AM.

    Advertisements

Register to Remove


#2 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 07 November 2007 - 11:19 AM

Hi! Welcome to the WTT forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient.

Please make a uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.



Download and Save ComboFix
  • Download this file from below:

    Here
  • Save it to your Desktop.
  • Disconnect from the Internet, than disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
Note 1: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Note 2:Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#3 asolis

asolis

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 07 November 2007 - 11:40 AM

Here is the list from hijack this: Thanks Adobe Anchor Service CS3 Adobe Asset Services CS3 Adobe Bridge CS3 Adobe Bridge Start Meeting Adobe Camera Raw 4.0 Adobe CMaps Adobe Color - Photoshop Specific Adobe Color Common Settings Adobe Color EU Extra Settings Adobe Color JA Extra Settings Adobe Color NA Recommended Settings Adobe Default Language CS3 Adobe Device Central CS3 Adobe ExtendScript Toolkit 2 Adobe Flash Player 9 ActiveX Adobe Fonts All Adobe Help Viewer CS3 Adobe Linguistics CS3 Adobe PDF Library Files Adobe Photoshop CS3 Adobe Photoshop CS3 Adobe Reader 7.0.9 Adobe Setup Adobe Stock Photos CS3 Adobe Type Support Adobe Update Manager CS3 Adobe Version Cue CS3 Client Adobe WinSoft Linguistics Plugin Adobe XMP Panels CS3 AOLIcon AppCore ArcSoft PhotoImpression 5 Broadcom Management Programs Brother HL-5140 ccCommon Component Framework Creative Mass Storage Drivers Creative MediaSource Creative System Information Creative Zen Nano Plus Dell Driver Reset Tool Dell Media Experience Dell Photo Printer 720 DellSupport EPSON CX 4200 4800 Guide EPSON Printer Software EPSON Scan EuroTalk Talk Now Plus! EZLive Monitor 2.0 EZMedia Box 2.0 EZVideo Mail Google Toolbar for Internet Explorer Higher Score on the SAT/PSAT HijackThis 2.0.2 Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB915865) Hotfix for Windows XP (KB926239) Intel® 537EP V9x DF PCI Modem Intel® Extreme Graphics Driver InterActual Player Internet Explorer Default Page Jasc Paint Shop Photo Album Jasc Paint Shop Photo Album 5 Jasc Paint Shop Pro Studio, Dell Editon Java 2 Runtime Environment, SE v1.4.2_03 Kaplan Essential Review - Writing and Vocabulary LiveUpdate (Symantec Corporation) LiveUpdate (Symantec Corporation) Macromedia Flash Player MDL Chime/Chime Pro for Internet Explorer Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office XP Media Content Microsoft Office XP Professional with FrontPage Microsoft Plus! Digital Media Edition Installer Microsoft Plus! Photo Story 2 LE Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 Redistributable Microsoft Windows Media Video 9 VCM Modem Event Monitor Modem Helper Modem On Hold Move Networks Player for Internet Explorer Mozilla Firefox (2.0.0.9) MSN MSN Toolbar MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) Multimedia Typing Teacher v1.00 MyWay Search Assistant Nancy Drew: Secret of the Old Clock Nero Suite Norton AntiVirus Norton AntiVirus (Symantec Corporation) Norton AntiVirus Help Norton Protection Center Olympus Digital Wave Player PaperPort 8.0 SE PC CameraQ PDF Settings Photo Click PowerDVD QuickBooks Simple Start Special Edition QuickTime RealPlayer Basic Samsung Video Codec 1.1 Uninstall Security Update for Step By Step Interactive Training (KB898458) Security Update for Step By Step Interactive Training (KB923723) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893066) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901190) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB905915) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB908531) Security Update for Windows XP (KB911280) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911567) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB912812) Security Update for Windows XP (KB912919) Security Update for Windows XP (KB913446) Security Update for Windows XP (KB913580) Security Update for Windows XP (KB914388) Security Update for Windows XP (KB914389) Security Update for Windows XP (KB916281) Security Update for Windows XP (KB917159) Security Update for Windows XP (KB917344) Security Update for Windows XP (KB917422) Security Update for Windows XP (KB917953) Security Update for Windows XP (KB918118) Security Update for Windows XP (KB918439) Security Update for Windows XP (KB918899) Security Update for Windows XP (KB919007) Security Update for Windows XP (KB920213) Security Update for Windows XP (KB920214) Security Update for Windows XP (KB920670) Security Update for Windows XP (KB920683) Security Update for Windows XP (KB920685) Security Update for Windows XP (KB921398) Security Update for Windows XP (KB921503) Security Update for Windows XP (KB921883) Security Update for Windows XP (KB922616) Security Update for Windows XP (KB922760) Security Update for Windows XP (KB922819) Security Update for Windows XP (KB923191) Security Update for Windows XP (KB923414) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB923694) Security Update for Windows XP (KB923980) Security Update for Windows XP (KB924191) Security Update for Windows XP (KB924270) Security Update for Windows XP (KB924496) Security Update for Windows XP (KB924667) Security Update for Windows XP (KB925454) Security Update for Windows XP (KB925486) Security Update for Windows XP (KB925902) Security Update for Windows XP (KB926247) Security Update for Windows XP (KB926255) Security Update for Windows XP (KB926436) Security Update for Windows XP (KB927779) Security Update for Windows XP (KB927802) Security Update for Windows XP (KB928090) Security Update for Windows XP (KB928255) Security Update for Windows XP (KB928843) Security Update for Windows XP (KB929123) Security Update for Windows XP (KB929969) Security Update for Windows XP (KB930178) Security Update for Windows XP (KB931261) Security Update for Windows XP (KB931768) Security Update for Windows XP (KB931784) Security Update for Windows XP (KB932168) Security Update for Windows XP (KB933566) Security Update for Windows XP (KB933729) Security Update for Windows XP (KB935839) Security Update for Windows XP (KB935840) Security Update for Windows XP (KB936021) Security Update for Windows XP (KB937143) Security Update for Windows XP (KB938127) Security Update for Windows XP (KB938829) Security Update for Windows XP (KB939653) Security Update for Windows XP (KB941202) SightSpeed (remove only) Sonic DLA Sonic RecordNow Audio Sonic RecordNow Copy Sonic RecordNow Data Sonic Update Manager SPBBC 32bit SpongeBob SquarePants Typing Spybot - Search & Destroy SymNet The Print Shop Deluxe III TurboTax Deluxe 2005 TurboTax ItsDeductible 2005 Typing Ulead Photo Express 2.0 SE Update for Windows XP (KB894391) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB910437) Update for Windows XP (KB916595) Update for Windows XP (KB920872) Update for Windows XP (KB922582) Update for Windows XP (KB927891) Update for Windows XP (KB929338) Update for Windows XP (KB930916) Update for Windows XP (KB931836) Update for Windows XP (KB933360) Update for Windows XP (KB936357) Update for Windows XP (KB938828) Viewpoint Media Player WebCyberCoach 3.2 Dell WexTech AnswerWorks Windows Installer 3.1 (KB893803) Windows Internet Explorer 7 Windows Live Messenger Windows Live Sign-in Assistant Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media Player 10 Windows Media Player 11 Windows Media Player 11 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB885884 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887742 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB890923 Wireless-B PCI Adapter WLAN Monitor WordPerfect Office 12 Yahoo! Anti-Spy Yahoo! extras Yahoo! Internet Mail Yahoo! Toolbar

#4 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 07 November 2007 - 02:11 PM

Hi Is this the same pc Bob4 is helping you with?
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#5 asolis

asolis

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 07 November 2007 - 02:22 PM

yeah, I just saw bob4's post. I put that up yesterday when I thought it was just an adware problem.

The combofix scan took a while, here's the log:

ComboFix 07-11-08.1 - Eddy 2007-11-07 11:38:06.2 - NTFSx86
Running from: C:\Documents and Settings\Eddy\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Eddy\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Eddy\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Eddy\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\qrutv.bak1
C:\WINDOWS\system32\qrutv.bak2
C:\WINDOWS\system32\qrutv.ini
C:\WINDOWS\system32\vturq.dll
C:\WINDOWS\system32\zqodkicw.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-07 08:56 <DIR> d-------- C:\VundoFix Backups
2007-11-07 03:29 79,936 --a------ C:\WINDOWS\system32\byfxwqaf.dll
2007-11-07 03:26 86,080 --a------ C:\WINDOWS\system32\gualkkfi.dll
2007-11-07 03:21 145,984 --a------ C:\WINDOWS\system32\zqodkicw.dll
2007-11-07 03:20 145,984 --a------ C:\WINDOWS\system32\vnocrfqx.dll
2007-11-06 15:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-06 10:58 35,328 --a------ C:\WINDOWS\system32\efcaxvu.dll
2007-11-05 15:12 36,352 --a------ C:\WINDOWS\system32\tuvtspn.dll
2007-11-03 16:00 <DIR> d-------- C:\Documents and Settings\Eddy\Contacts
2007-11-03 15:50 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-09 22:15 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 04:53 --------- d-----w C:\Documents and Settings\Eddy\Application Data\Jasc Software Inc
2007-11-07 04:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-07 04:47 --------- d-----w C:\Program Files\Google
2007-11-07 04:45 --------- d-----w C:\Program Files\Yahoo! Games
2007-11-07 04:44 --------- d-----w C:\Program Files\Dell Photo Printer 720
2007-11-07 04:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-07 04:40 --------- d-----w C:\Program Files\Brother
2007-11-07 04:31 --------- d-----w C:\Program Files\Yahoo!
2007-11-07 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-07 02:17 --------- d-----w C:\Program Files\PAL SPYREM
2007-11-06 18:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-05 06:33 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-05 06:33 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-11-05 06:33 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-05 06:33 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-05 06:33 --------- d-----w C:\Program Files\Symantec
2007-11-05 02:19 230,454 ----a-w C:\StiImg.dat
2007-11-03 23:54 --------- d-----w C:\Program Files\MSN Messenger
2007-10-28 04:15 --------- d-----w C:\Documents and Settings\Eddy\Application Data\AdobeUM
2007-10-07 22:33 98,768 ----a-w C:\Documents and Settings\Aniel\Application Data\GDIPFONTCACHEV1.DAT
2007-09-27 04:06 98,768 ----a-w C:\Documents and Settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2007-09-25 03:43 --------- d-----w C:\Documents and Settings\Guest\Application Data\GTek
2007-09-25 03:40 --------- d-----w C:\Documents and Settings\Guest\Application Data\Yahoo!
2007-09-24 14:51 --------- d-----w C:\Documents and Settings\administrator 101\Application Data\GTek
2007-09-23 23:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-09-23 04:27 --------- d-----w C:\Program Files\Norton AntiVirus
2007-09-22 22:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-22 21:54 --------- d-----w C:\Program Files\Windows Sidebar
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 21:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 21:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 21:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 21:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 21:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 21:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 21:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-08 20:06 --------- d-----w C:\Documents and Settings\Aniel\Application Data\Yahoo!
2007-08-29 21:18 577,928 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-08-23 23:57 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-08-22 13:12 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-14 02:54 818,688 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-14 02:54 670,720 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-14 02:54 475,648 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-14 02:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-14 02:54 413,696 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
2007-08-14 02:54 33,792 ----a-w C:\WINDOWS\system32\dllcache\custsat.dll
2007-08-14 02:54 3,578,368 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-14 02:54 27,136 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-14 02:54 231,424 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-14 02:54 191,488 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-14 02:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-14 02:54 156,160 ------w C:\WINDOWS\system32\dllcache\msls31.dll
2007-08-14 02:54 131,584 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-14 02:54 1,162,240 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-14 02:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-14 02:45 78,336 ------w C:\WINDOWS\system32\dllcache\ieencode.dll
2007-08-14 02:44 69,120 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-14 02:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-14 02:44 40,960 ------w C:\WINDOWS\system32\dllcache\licmgr10.dll
2007-08-14 02:44 192,000 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-14 02:44 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-14 02:44 101,376 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-14 02:43 622,080 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-14 02:42 17,408 ----a-w C:\WINDOWS\system32\corpol.dll
2007-08-14 02:42 17,408 ------w C:\WINDOWS\system32\dllcache\corpol.dll
2007-08-14 02:39 92,672 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-14 02:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-14 02:39 71,680 ------w C:\WINDOWS\system32\dllcache\admparse.dll
2007-08-14 02:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
2007-08-14 02:39 55,296 ------w C:\WINDOWS\system32\dllcache\iesetup.dll
2007-08-14 02:39 54,784 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-14 02:39 43,008 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-14 02:39 382,976 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-14 02:39 229,376 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-14 02:39 152,064 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-14 02:39 123,904 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-14 02:38 491,520 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-08-14 02:36 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-14 02:36 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
2007-08-14 02:36 36,352 ------w C:\WINDOWS\system32\dllcache\imgutil.dll
2007-08-14 02:35 346,624 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-14 02:35 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-14 02:32 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
2007-08-14 02:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\mshta.exe
2007-08-14 02:18 60,416 ------w C:\WINDOWS\system32\dllcache\hmmapi.dll
2007-08-14 02:01 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
2007-08-14 02:01 48,128 ------w C:\WINDOWS\system32\dllcache\mshtmler.dll
2007-08-14 01:56 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-07-17 04:42 98,768 ----a-w C:\Documents and Settings\Eddy\Application Data\GDIPFONTCACHEV1.DAT
2005-11-14 09:30 56 -c--a-w C:\Documents and Settings\Eddy\showmenu.bat
2006-08-14 01:35:07 1,031,189 --sha-w C:\WINDOWS\system32\xybeg.bak1
2006-08-13 01:33:00 1,026,781 --sha-w C:\WINDOWS\system32\xybeg.bak2
2006-08-14 05:15:09 1,043,345 --sha-w C:\WINDOWS\system32\xybeg.ini2
.

((((((((((((((((((((((((((((( snapshot_2007-09-23_162040.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-12 23:28:55 765,952 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\SP2QFE\vgx.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\updspapi.dll
+ 2007-08-22 12:55:28 1,022,976 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\browseui.dll
+ 2007-08-22 12:55:29 151,040 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\cdfview.dll
+ 2007-08-22 12:55:30 1,054,208 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\danim.dll
+ 2007-08-22 12:55:30 357,888 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\dxtmsft.dll
+ 2007-08-22 12:55:31 205,824 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\dxtrans.dll
+ 2007-08-22 12:55:31 55,808 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\extmgr.dll
+ 2007-08-21 10:19:39 18,432 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\iedw.exe
+ 2007-08-22 12:55:32 251,904 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\iepeers.dll
+ 2007-08-22 12:55:32 96,256 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\inseng.dll
+ 2007-08-22 12:55:32 16,384 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\jsproxy.dll
+ 2007-08-22 12:55:36 3,064,832 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\mshtml.dll
+ 2007-08-22 12:55:37 449,024 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\mshtmled.dll
+ 2007-08-22 12:55:37 146,432 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\msrating.dll
+ 2007-08-22 12:55:38 532,480 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\mstime.dll
+ 2007-08-22 12:55:38 39,424 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\pngfilt.dll
+ 2007-08-22 12:55:40 1,498,112 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\shdocvw.dll
+ 2007-08-22 12:55:41 474,112 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\shlwapi.dll
+ 2007-08-22 12:55:43 617,984 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\urlmon.dll
+ 2007-08-22 12:55:44 665,600 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\wininet.dll
+ 2007-08-21 10:13:33 350,720 ----a-w C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\xpsp3res.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB939653\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB939653\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB939653\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB939653\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB939653\update\updspapi.dll
+ 2007-08-21 06:25:02 683,520 ----a-w C:\WINDOWS\$hf_mig$\KB941202\SP2QFE\inetcomm.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941202\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941202\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\updspapi.dll
- 2007-07-20 07:47:22 109,056 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-30 02:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-01 19:21:12 345,816 ----a-w C:\WINDOWS\Downloaded Program Files\PCPitstop.dll
- 2007-03-13 17:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2007-03-13 18:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2004-08-04 10:00:00 61,440 -c--a-w C:\WINDOWS\ie7\admparse.dll
+ 2004-08-04 10:00:00 99,840 -c--a-w C:\WINDOWS\ie7\advpack.dll
+ 2004-08-04 10:00:00 35,328 -c--a-w C:\WINDOWS\ie7\corpol.dll
+ 2004-09-15 17:28:08 28,672 -c--a-w C:\WINDOWS\ie7\custsat.dll
+ 2007-08-22 13:12:16 357,888 -c--a-w C:\WINDOWS\ie7\dxtmsft.dll
+ 2007-08-22 13:12:16 205,312 -c--a-w C:\WINDOWS\ie7\dxtrans.dll
+ 2007-08-22 13:12:16 55,808 -c--a-w C:\WINDOWS\ie7\extmgr.dll
+ 2004-08-04 10:00:00 38,912 -c--a-w C:\WINDOWS\ie7\hmmapi.dll
+ 2004-08-04 10:00:00 34,304 -c--a-w C:\WINDOWS\ie7\ie4uinit.exe
+ 2004-08-04 10:00:00 139,264 -c--a-w C:\WINDOWS\ie7\ieakeng.dll
+ 2004-08-04 10:00:00 216,576 -c--a-w C:\WINDOWS\ie7\ieaksie.dll
+ 2004-08-04 10:00:00 221,184 -c--a-w C:\WINDOWS\ie7\ieakui.dll
+ 2004-08-04 10:00:00 323,584 -c--a-w C:\WINDOWS\ie7\iedkcs32.dll
+ 2007-08-21 10:30:45 18,432 -c--a-w C:\WINDOWS\ie7\iedw.exe
+ 2004-08-04 10:00:00 81,920 -c--a-w C:\WINDOWS\ie7\ieencode.dll
+ 2007-08-22 13:12:16 251,392 -c--a-w C:\WINDOWS\ie7\iepeers.dll
+ 2004-08-04 10:00:00 48,640 -c--a-w C:\WINDOWS\ie7\iernonce.dll
+ 2004-08-04 10:00:00 62,976 -c--a-w C:\WINDOWS\ie7\iesetup.dll
+ 2004-08-04 10:00:00 93,184 -c--a-w C:\WINDOWS\ie7\iexplore.exe
+ 2004-08-04 10:00:00 35,840 -c--a-w C:\WINDOWS\ie7\imgutil.dll
+ 2007-08-22 13:12:16 96,256 -c--a-w C:\WINDOWS\ie7\inseng.dll
+ 2006-05-18 05:24:25 450,560 -c--a-w C:\WINDOWS\ie7\jscript.dll
+ 2007-08-22 13:12:16 16,384 -c--a-w C:\WINDOWS\ie7\jsproxy.dll
+ 2004-08-04 10:00:00 22,016 -c--a-w C:\WINDOWS\ie7\licmgr10.dll
+ 2004-08-04 10:00:00 29,184 -c--a-w C:\WINDOWS\ie7\mshta.exe
+ 2007-08-22 13:12:17 3,058,176 -c--a-w C:\WINDOWS\ie7\mshtml.dll
+ 2007-08-22 13:12:17 449,024 -c--a-w C:\WINDOWS\ie7\mshtmled.dll
+ 2004-08-04 10:00:00 56,832 -c--a-w C:\WINDOWS\ie7\mshtmler.dll
+ 2004-08-04 10:00:00 146,432 -c--a-w C:\WINDOWS\ie7\msls31.dll
+ 2007-08-22 13:12:17 146,432 -c--a-w C:\WINDOWS\ie7\msrating.dll
+ 2007-08-22 13:12:17 532,480 -c--a-w C:\WINDOWS\ie7\mstime.dll
+ 2004-08-04 10:00:00 96,256 -c--a-w C:\WINDOWS\ie7\occache.dll
+ 2007-08-22 13:12:17 39,424 -c--a-w C:\WINDOWS\ie7\pngfilt.dll
+ 2007-08-14 02:54:42 32,960 -c--a-w C:\WINDOWS\ie7\spuninst\iecustom.dll
+ 2007-08-14 02:52:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
+ 2006-09-07 01:43:16 213,216 -c--a-w C:\WINDOWS\ie7\spuninst\spuninst.exe
+ 2006-09-07 01:43:18 371,424 -c--a-w C:\WINDOWS\ie7\spuninst\updspapi.dll
+ 2004-08-04 10:00:00 37,888 -c--a-w C:\WINDOWS\ie7\url.dll
+ 2007-08-22 13:12:18 615,424 -c--a-w C:\WINDOWS\ie7\urlmon.dll
+ 2004-08-04 10:00:00 417,792 -c--a-w C:\WINDOWS\ie7\vbscript.dll
+ 2007-06-26 15:13:22 851,968 -c--a-w C:\WINDOWS\ie7\vgx.dll
+ 2004-08-04 10:00:00 276,480 -c--a-w C:\WINDOWS\ie7\webcheck.dll
+ 2007-08-22 13:12:18 658,944 -c--a-w C:\WINDOWS\ie7\wininet.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-14 02:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
+ 2007-11-03 23:50:42 29,926 ----a-r C:\WINDOWS\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
- 2007-05-10 03:35:52 167,936 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2007-10-07 23:10:02 167,936 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2007-05-10 03:35:52 81,920 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2007-10-07 23:10:02 81,920 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
- 2007-05-10 03:35:52 34,304 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2007-10-07 23:10:02 34,304 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2007-05-10 03:35:52 8,192 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2007-10-07 23:10:02 8,192 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2007-05-10 03:35:52 3,584 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2007-10-07 23:10:02 3,584 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2007-05-10 03:35:52 114,688 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2007-10-07 23:10:03 114,688 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2007-05-10 03:35:52 16,384 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2007-10-07 23:10:02 16,384 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2007-05-10 03:35:52 30,720 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2007-10-07 23:10:02 30,720 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2007-05-10 03:35:52 22,528 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2007-10-07 23:10:03 22,528 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2007-05-10 03:35:52 45,056 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2007-10-07 23:10:02 45,056 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2007-05-10 03:35:52 90,112 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2007-10-07 23:10:02 90,112 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2007-10-19 13:53:27 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A70900000002}\SC_Reader.exe
- 2007-06-17 07:11:58 51,200 ----a-w C:\WINDOWS\NirCmd.exe
+ 2007-06-17 08:11:58 51,200 ----a-w C:\WINDOWS\NirCmd.exe
- 2004-08-04 10:00:00 99,840 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-08-14 02:39:00 123,904 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-06-14 18:09:18 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2007-08-22 13:12:15 1,022,976 ----a-w C:\WINDOWS\system32\browseui.dll
- 2007-06-14 18:09:18 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2007-08-22 13:12:15 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2007-06-14 18:09:18 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2007-08-22 13:12:16 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2007-06-26 15:13:22 851,968 ------w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2007-07-12 23:31:54 765,952 ----a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2007-06-14 18:09:18 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2007-08-14 02:35:46 346,624 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-06-14 18:09:19 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-08-14 02:35:38 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-06-14 18:09:19 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-08-14 02:54:10 131,584 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-08-14 02:36:26 61,952 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2006-06-29 16:05:44 26,112 ----a-w C:\WINDOWS\system32\idndl.dll
- 2004-08-04 10:00:00 34,304 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2007-08-14 02:39:06 54,784 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2004-08-04 10:00:00 139,264 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2007-08-14 02:39:26 152,064 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2004-08-04 10:00:00 216,576 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2007-08-14 02:39:54 229,376 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2004-08-04 10:00:00 221,184 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2007-08-14 01:56:54 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2007-02-13 00:10:12 2,451,312 ----a-w C:\WINDOWS\system32\ieapfltr.dat
+ 2007-07-11 20:27:48 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2004-08-04 10:00:00 323,584 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2007-08-14 02:39:50 382,976 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2007-08-14 02:54:10 6,049,280 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-06-14 18:09:19 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2007-08-14 02:54:10 191,488 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2004-08-04 10:00:00 48,640 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2007-08-14 02:39:10 43,008 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2007-08-14 02:34:04 266,752 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2007-08-14 02:39:10 13,312 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2007-08-14 02:54:10 180,736 ----a-w C:\WINDOWS\system32\ieui.dll
- 2007-06-14 18:09:19 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2007-08-14 02:39:02 92,672 ----a-w C:\WINDOWS\system32\inseng.dll
- 2006-05-18 05:24:25 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2007-08-14 02:38:04 491,520 ----a-w C:\WINDOWS\system32\jscript.dll
- 2007-06-14 18:09:19 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-08-14 02:54:10 27,136 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-09-28 06:19:40 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-08-14 02:54:10 458,752 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2007-08-14 02:54:10 50,688 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2007-08-14 02:36:40 12,288 ----a-w C:\WINDOWS\system32\msfeedssync.exe
- 2007-06-14 18:09:20 3,058,688 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-08-14 02:54:12 3,578,368 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-06-14 18:09:19 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-08-14 02:54:10 475,648 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-06-14 18:09:19 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-08-14 02:44:26 192,000 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-06-14 18:09:20 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-08-14 02:54:10 670,720 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2006-06-29 01:59:26 24,576 ----a-w C:\WINDOWS\system32\nlsdl.dll
+ 2006-06-29 16:05:44 23,552 ----a-w C:\WINDOWS\system32\normaliz.dll
- 2004-08-04 10:00:00 96,256 ----a-w C:\WINDOWS\system32\occache.dll
+ 2007-08-14 02:44:06 101,376 ----a-w C:\WINDOWS\system32\occache.dll
+ 2007-03-27 18:45:22 38,567 ----a-w C:\WINDOWS\system32\pcpbios.exe
- 2007-09-23 03:43:21 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-04 22:39:19 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-09-23 03:43:21 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-04 22:39:20 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-06-14 18:09:20 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2007-08-14 02:36:12 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2004-08-04 10:00:00 581,120 ----a-w C:\WINDOWS\system32\rpcrt4.dll
+ 2007-07-09 13:09:42 584,192 ----a-w C:\WINDOWS\system32\rpcrt4.dll
- 2007-06-14 18:09:20 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2007-08-22 13:12:18 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2007-06-14 18:09:20 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2007-08-22 13:12:18 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2006-01-24 18:34:24 118,784 ----a-w C:\WINDOWS\system32\sirenacm.dll
+ 2007-01-19 19:53:04 51,056 ----a-w C:\WINDOWS\system32\sirenacm.dll
- 2007-07-23 01:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-07-23 02:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-03-27 18:45:22 4,096 ----a-w C:\WINDOWS\system32\sysres.dll
- 2004-08-04 10:00:00 37,888 ----a-w C:\WINDOWS\system32\url.dll
+ 2007-08-14 02:44:30 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-06-14 18:09:20 615,424 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-08-14 02:54:10 1,162,240 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2004-08-04 10:00:00 276,480 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2007-08-14 02:54:10 231,424 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2007-08-14 02:45:16 206,336 ----a-w C:\WINDOWS\system32\WinFXDocObj.exe
- 2007-06-26 14:09:10 658,944 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-08-14 02:54:10 818,688 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2006-07-14 15:51:51 121,856 ----a-w C:\WINDOWS\system32\xmllite.dll
- 2007-06-14 13:39:54 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-11-08 20:03:31 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6d8.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17134a8e-3065-4985-83da-4864167ab216}]
2007-11-07 03:29 79936 --a------ C:\WINDOWS\system32\byfxwqaf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-05 15:12 36352 --a------ C:\WINDOWS\system32\tuvtspn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7487CA51-92EE-4DB9-9BCE-8326B84CB875}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-07 03:21 145984 --a------ C:\WINDOWS\system32\zqodkicw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\zqodkicw.dll [2007-11-07 03:21 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\zqodkicw.dll [2007-11-07 03:21 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 16:42]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 07:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 07:59]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 14:48]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 17:12]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-08-24 06:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-24 06:59]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 13:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 13:50]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 09:33]
"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 10:07]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 12:51]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 19:00]
"bacstray"="BacsTray.exe" [2003-05-08 16:15 C:\WINDOWS\system32\BacsTray.exe]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-23 16:18]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 20:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 17:23]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"SightSpeed"="C:\Program Files\SightSpeed\SightSpeed.exe" [2006-08-08 12:37]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2005-10-26 13:58:23]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2006-01-15 15:04:35]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 08:59:36]
SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2003-02-03 11:29:12]
Wireless-B PCI Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe [2006-01-26 19:21:10]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\tuvtspn.dll [2007-11-05 15:12 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyx]
C:\WINDOWS\system32\gebyx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtspn]
tuvtspn.dll 2007-11-05 15:12 36352 C:\WINDOWS\system32\tuvtspn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zqodkicw]
zqodkicw.dll 2007-11-07 03:21 145984 C:\WINDOWS\system32\zqodkicw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vturq.dll

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R3 IPN2120;Instant Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys
S3 BrSerWDM;Brother Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 17:30:37 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Eddy.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 12:08:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-08 12:12:20 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-23 15:24
C:\ComboFix2.txt ... 2007-09-23 15:25
.
--- E O F ---




AND HERE'S THE HIJACK THIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:26 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Eddy\Desktop\virus treatment\Spyware.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e1.rd.yahoo.c...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.local;<local>
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {612ba761-4684-ad38-5894-5603e8a43171} - {17134a8e-3065-4985-83da-4864167ab216} - C:\WINDOWS\system32\byfxwqaf.dll
O2 - BHO: (no name) - {1FA363EE-560B-4C3C-8DE8-92CC77A8C83C} - C:\WINDOWS\system32\mllji.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\tuvtspn.dll
O2 - BHO: (no name) - {7487CA51-92EE-4DB9-9BCE-8326B84CB875} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\zqodkicw.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\zqodkicw.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SightSpeed] C:\Program Files\SightSpeed\SightSpeed.exe -minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....302/Coupons.cab
O20 - Winlogon Notify: gebyx - C:\WINDOWS\system32\gebyx.dll (file missing)
O20 - Winlogon Notify: tuvtspn - C:\WINDOWS\SYSTEM32\tuvtspn.dll
O20 - Winlogon Notify: zqodkicw - C:\WINDOWS\SYSTEM32\zqodkicw.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 12016 bytes

Thanks

#6 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 07 November 2007 - 02:49 PM

Hi

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

File::
C:\WINDOWS\system32\byfxwqaf.dll
C:\WINDOWS\system32\gualkkfi.dll
C:\WINDOWS\system32\zqodkicw.dll
C:\WINDOWS\system32\vnocrfqx.dll
C:\WINDOWS\system32\efcaxvu.dll
C:\WINDOWS\system32\tuvtspn.dll
C:\WINDOWS\system32\xybeg.bak1
C:\WINDOWS\system32\xybeg.bak2
C:\WINDOWS\system32\xybeg.ini2
C:\WINDOWS\system32\vturq.dll
C:\WINDOWS\system32\mllji.dll

Folder::
C:\VundoFix Backups
C:\Program Files\PAL SPYREM
C:\Program Files\MyWaySA

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17134a8e-3065-4985-83da-4864167ab216}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7487CA51-92EE-4DB9-9BCE-8326B84CB875}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyx]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtspn]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zqodkicw] 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log with a new HijackThis log.


Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:

      + Extended(If available otherwise Standard)
    • Scan Options:

      + Scan Archives
      + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#7 asolis

asolis

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 07 November 2007 - 07:40 PM

Here's the HiJack This log:

ComboFix 07-11-08.1 - Eddy 2007-11-08 12:57:35.3 - NTFSx86
Running from: C:\Documents and Settings\Eddy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Eddy\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\byfxwqaf.dll
C:\WINDOWS\system32\efcaxvu.dll
C:\WINDOWS\system32\gualkkfi.dll
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\tuvtspn.dll
C:\WINDOWS\system32\vnocrfqx.dll
C:\WINDOWS\system32\vturq.dll
C:\WINDOWS\system32\xybeg.bak1
C:\WINDOWS\system32\xybeg.bak2
C:\WINDOWS\system32\xybeg.ini2
C:\WINDOWS\system32\zqodkicw.dll
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Eddy\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Eddy\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Eddy\Favorites\Online Security Guide.lnk
C:\Program Files\MyWaySA
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
C:\Program Files\PAL SPYREM
C:\VundoFix Backups
C:\VundoFix Backups\zqodkicw.dll.bad
C:\WINDOWS\system32\byfxwqaf.dll
C:\WINDOWS\system32\efcaxvu.dll
C:\WINDOWS\system32\gualkkfi.dll
C:\WINDOWS\system32\ijllm.bak1
C:\WINDOWS\system32\ijllm.ini
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\tuvtspn.dll
C:\WINDOWS\system32\vnocrfqx.dll
C:\WINDOWS\system32\xybeg.bak1
C:\WINDOWS\system32\xybeg.bak2
C:\WINDOWS\system32\xybeg.ini2
C:\WINDOWS\system32\zqodkicw.dll
C:\WINDOWS\system32\zqodkicw.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-06 15:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-03 16:00 <DIR> d-------- C:\Documents and Settings\Eddy\Contacts
2007-11-03 15:50 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-09 22:15 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 04:53 --------- d-----w C:\Documents and Settings\Eddy\Application Data\Jasc Software Inc
2007-11-07 04:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-07 04:47 --------- d-----w C:\Program Files\Google
2007-11-07 04:45 --------- d-----w C:\Program Files\Yahoo! Games
2007-11-07 04:44 --------- d-----w C:\Program Files\Dell Photo Printer 720
2007-11-07 04:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-07 04:40 --------- d-----w C:\Program Files\Brother
2007-11-07 04:31 --------- d-----w C:\Program Files\Yahoo!
2007-11-07 04:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-06 18:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-05 06:33 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-05 06:33 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-05 06:33 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-05 06:33 --------- d-----w C:\Program Files\Symantec
2007-11-05 02:19 230,454 ----a-w C:\StiImg.dat
2007-11-03 23:54 --------- d-----w C:\Program Files\MSN Messenger
2007-10-28 04:15 --------- d-----w C:\Documents and Settings\Eddy\Application Data\AdobeUM
2007-10-07 22:33 98,768 ----a-w C:\Documents and Settings\Aniel\Application Data\GDIPFONTCACHEV1.DAT
2007-09-27 04:06 98,768 ----a-w C:\Documents and Settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2007-09-25 03:43 --------- d-----w C:\Documents and Settings\Guest\Application Data\GTek
2007-09-25 03:40 --------- d-----w C:\Documents and Settings\Guest\Application Data\Yahoo!
2007-09-24 14:51 --------- d-----w C:\Documents and Settings\administrator 101\Application Data\GTek
2007-09-23 23:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-09-23 04:27 --------- d-----w C:\Program Files\Norton AntiVirus
2007-09-22 22:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-22 21:54 --------- d-----w C:\Program Files\Windows Sidebar
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 21:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 21:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 21:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 21:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 21:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 21:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 21:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-08 20:06 --------- d-----w C:\Documents and Settings\Aniel\Application Data\Yahoo!
2007-07-17 04:42 98,768 ----a-w C:\Documents and Settings\Eddy\Application Data\GDIPFONTCACHEV1.DAT
2005-11-14 09:30 56 -c--a-w C:\Documents and Settings\Eddy\showmenu.bat
.

((((((((((((((((((((((((((((( snapshot_2007-11-08_12.09.54.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-08 21:15:13 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_730.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 16:42]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 07:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 07:59]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 14:48]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 17:12]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-08-24 06:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-24 06:59]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 13:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 13:50]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 09:33]
"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 10:07]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 12:51]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 19:00]
"bacstray"="BacsTray.exe" [2003-05-08 16:15 C:\WINDOWS\system32\BacsTray.exe]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-23 16:18]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 20:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 17:23]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"SightSpeed"="C:\Program Files\SightSpeed\SightSpeed.exe" [2006-08-08 12:37]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2005-10-26 13:58:23]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2006-01-15 15:04:35]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 08:59:36]
SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2003-02-03 11:29:12]
Wireless-B PCI Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe [2006-01-26 19:21:10]

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R3 IPN2120;Instant Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys
S3 BrSerWDM;Brother Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 17:30:37 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Eddy.job"
- C:\Program Files\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 13:16:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-08 13:20:41 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-23 15:24
C:\ComboFix2.txt ... 2007-11-08 12:12
C:\ComboFix3.txt ... 2007-09-23 15:25
.
--- E O F ---


AND THE KASPERSKY SCAN LOG: IT SAYS THAT i HAVE 11 VIRUSES ON MY COMPUTER, YIKES!



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 08, 2007 5:35:03 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/11/2007
Kaspersky Anti-Virus database records: 453637
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 93237
Number of viruses found: 11
Number of infected objects: 62
Number of suspicious objects: 0
Duration of the scan process: 02:01:17

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-11-08_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{8C6FE449-177A-4E01-A03B-E03B231E0BA2}.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{8C6FE449-177A-4E01-A03B-E03B231E0BA2}.sds Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\F141A5BB.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\Aniel\Local Settings\Application Data\Mozilla\Firefox\Profiles\otqw91xn.default\Cache\51F1B901d01/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Documents and Settings\Aniel\Local Settings\Application Data\Mozilla\Firefox\Profiles\otqw91xn.default\Cache\51F1B901d01 CAB: infected - 1 skipped
C:\Documents and Settings\Eddy\Application Data\Mozilla\Firefox\Profiles\hawq11x6.default\cert8.db Object is locked skipped
C:\Documents and Settings\Eddy\Application Data\Mozilla\Firefox\Profiles\hawq11x6.default\history.dat Object is locked skipped
C:\Documents and Settings\Eddy\Application Data\Mozilla\Firefox\Profiles\hawq11x6.default\key3.db Object is locked skipped
C:\Documents and Settings\Eddy\Application Data\Mozilla\Firefox\Profiles\hawq11x6.default\parent.lock Object is locked skipped
C:\Documents and Settings\Eddy\Application Data\Mozilla\Firefox\Profiles\hawq11x6.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Eddy\Application Data\Mozilla\Firefox\Profiles\hawq11x6.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Eddy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Eddy\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Eddy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Eddy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Eddy\Local Settings\Application Data\Mozilla\Firefox\Profiles\hawq11x6.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Eddy\Local Settings\Application Data\Mozilla\Firefox\Profiles\hawq11x6.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Eddy\Local Settings\Application Data\Mozilla\Firefox\Profiles\hawq11x6.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Eddy\Local Settings\Application Data\Mozilla\Firefox\Profiles\hawq11x6.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Eddy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Eddy\Local Settings\History\History.IE5\MSHist012007110820071109\index.dat Object is locked skipped
C:\Documents and Settings\Eddy\Local Settings\Temp\~DF7C63.tmp Object is locked skipped
C:\Documents and Settings\Eddy\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Eddy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Eddy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Eddy\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\efcaxvu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP731\A0111800.exe Infected: Trojan-Downloader.Win32.Agent.dnt skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP731\A0111802.exe Infected: Trojan-Dropper.Win32.Agent.bxn skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP731\A0111807.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP731\A0111808.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP731\A0111815.exe Infected: Trojan-Downloader.Win32.Agent.dnt skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP731\A0111821.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP731\A0111822.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP733\A0112821.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP733\A0112822.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP733\A0112827.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP733\A0112846.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP733\A0112847.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP733\A0112859.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0112874.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0112875.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0112887.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0112891.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0112892.dll Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0113053.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0113054.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0114053.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0114054.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0114060.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0114067.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0114068.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0114109.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0114121.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0114122.exe Infected: Trojan.Win32.Agent.ny skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0114123.exe Infected: Trojan.Win32.Agent.ny skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0114124.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0114125.dll Infected: Trojan-Spy.Win32.VBStat.d skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0114126.dll Infected: Trojan-Spy.Win32.VBStat.c skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0114127.dll Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP734\A0114130.dll Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP735\A0114140.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP735\A0114141.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP735\A0114142.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP735\A0114156.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP735\A0114157.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP735\A0114158.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP736\A0114173.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP736\A0114174.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP736\A0114175.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP736\A0114240.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP736\A0114242.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP736\A0115239.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP736\A0115240.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP736\A0116246.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP736\A0116247.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP736\A0116385.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP736\A0116394.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP736\A0116443.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP736\A0116444.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP736\A0116445.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP736\A0116655.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP737\A0116672.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP737\A0116673.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP775\A0132309.exe Infected: not-virus:Hoax.Win32.Renos.kf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP790\A0135876.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP790\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F16B82DF-D4E6-4833-B414-14D208816A90}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JET133.tmp Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_730.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#8 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 08 November 2007 - 05:18 AM

Hello

No need to worry. Everything is either in Quarantine or they are infected Restore Points, which will be taken care of shortly. :thumbup:

Open Firefox, select Preferences then Privacy and then under Private Data select Clear Now.
(It may be under Tools on your FF, mine is the bundled version with Kubuntu)

Delete the older versions of Java and download the newest.
Please follow these steps to remove older version Java components.
  • Close any programmes you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Then download the latest version of Java Runtime Environment (JRE) (4th one down the list), which is JRE6u3, and click Yes at the page warning, then accept the Licence Agreement before downloading the Offline file.

Then post a new HijackThis log.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#9 asolis

asolis

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 08 November 2007 - 10:52 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:38 AM, on 11/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SightSpeed\SightSpeed.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Eddy\Desktop\virus treatment\Spyware.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e1.rd.yahoo.c...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*.local;<local>
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SightSpeed] C:\Program Files\SightSpeed\SightSpeed.exe -minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....302/Coupons.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 11448 bytes

#10 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 08 November 2007 - 02:35 PM

Hello

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit HijackThis.



I see that Viewpoint Media Player is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto‑updating for the Viewpoint Manager ‑‑ the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight Viewpoint Media Player , click Remove.
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

    Posted Image
  • When shown the disclaimer, Select "2"
1 - Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: www.adobe.com/uk/products/acrobat/readstep2.html and download the latest version of Adobe Reader
OR, after uninstalling Adobe Reader, you could try installing Foxit Reader from >here<
Foxit Reader has fewer add-ons therefore loads more quickly.


Here are some free programs I recommend, although you will not need them all.

Spybot Search and Destroy
Download it from here . Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here

Install Spyware Guard
Download it from here
Find here the tutorial on how to use Spyware Guard here

Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here


Make sure your Windows is ALWAYS up to date!

An unpatched Windows is vulnerable and even with the "best" Antivirus and Firewall installed, malware will find its way through.
So visit http://windowsupdate.microsoft.com/ to download and install the latest updates.


Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"


Follow this list and your potential for being infected again will reduce dramatically.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#11 asolis

asolis

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 08 November 2007 - 09:55 PM

Thanks so much Scotty, my computer is back to its old self. Couldn't have done it without your help. Awesomeness!

#12 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 09 November 2007 - 04:22 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users