Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93104 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Malware/trojan keeps reappearing


  • This topic is locked This topic is locked
10 replies to this topic

#1 Weasel225

Weasel225

    New Member

  • New Member
  • Pip
  • 12 posts

Posted 15 January 2008 - 11:28 PM

Whichever it was wiped my av out. Went to safe mode and uninstalled, then installed Trend Micro. TM found a few htm files and deleted those. Unsatisfied I attempted to uninstall TM and it barfed. removed everything but tmdshell.dll (wont let me) and installed avg and avg spyware and also Comodo firewall pro. Firewall is showing a ton of inbound tcp and a lot of outbound using services.exe/ outbound on port 2260 to dest ip 208.72.168.151:80

Before I came here I had run combofix .. log appended to end. Things seem semi normal at the moment, but would like an expert to advise me.

Thanks
Edit.. Virus log from AVG

Trojan horse Generic9.AKUT C:\WINDOWS\Temp\9601EBC5.exe 1/15/2008 16:53 9601EBC5.exe 18.5 KB
Trojan horse Generic9.AKUT C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\32LLUEVP\xall[1].htm 1/15/2008 17:34 xall[1].htm 18.5 KB
Trojan horse Generic9.AKUT C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ZQRZD6BK\xall[1].htm 1/15/2008 18:45 xall[1].htm 18.5 KB
Trojan horse Generic9.AKUT C:\WINDOWS\Temp\57EF75AA.exe 1/15/2008 18:45 57EF75AA.exe 18.5 KB
Trojan horse Generic9.AKUT C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\X8Z2CGE1\xall[1].htm 1/15/2008 17:57 xall[1].htm 18.5 KB
Trojan horse Generic9.AKUT C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\X8Z2CGE1\xall[2].htm 1/15/2008 17:57 xall[2].htm 18.5 KB
Trojan horse Generic9.AKUT C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ZQRZD6BK\xall[1].htm 1/15/2008 17:57 xall[1].htm 18.5 KB
Trojan horse Generic9.AKUT C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KPK62OGE\xall[1].htm 1/15/2008 22:49 xall[1].htm 18.5 KB
Trojan horse Generic9.AKUT C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\1FWM9YB7\xall[1].htm 1/15/2008 22:49 xall[1].htm 18.5 KB
Trojan horse Generic9.AKUT C:\WINDOWS\TEMP\64520FB9.exe 1/15/2008 22:49 64520FB9.exe 18.5 KB
Trojan horse Generic9.AKUT C:\WINDOWS\TEMP\6D5592FD.exe 1/15/2008 22:49 6D5592FD.exe 18.5 KB
Trojan horse Generic9.ANCW C:\ecnsfw.exe 1/15/2008 0:18 ecnsfw.exe 59.57 KB
Trojan horse SHeur.ALMT C:\ydpgtbtq.exe 1/15/2008 0:18 ydpgtbtq.exe 57.5 KB
Trojan horse Downloader.Generic6.ABJP C:\Documents and Settings\Administrator\Local Settings\Temp\TMP360.tmp 1/15/2008 0:18 TMP360.tmp 26 KB
Trojan horse Generic9.AKUT C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\06AY7FGA\xall[1].htm 1/15/2008 0:18 xall[1].htm 18.5 KB
Trojan horse Generic9.AKUT C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\06AY7FGA\xall[2].htm 1/15/2008 0:18 xall[2].htm 18.5 KB
Trojan horse Generic9.AKUT C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\06AY7FGA\xall[3].htm 1/15/2008 0:18 xall[3].htm 18.5 KB
Trojan horse Generic9.AKUT C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\06AY7FGA\xall[4].htm 1/15/2008 0:18 xall[4].htm 18.5 KB
Trojan horse Generic9.AKUT C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\06AY7FGA\xall[5].htm 1/15/2008 0:18 xall[5].htm 18.5 KB
Trojan horse Generic9.AKUT C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\06AY7FGA\xall[6].htm 1/15/2008 0:18 xall[6].htm 18.5 KB
Trojan horse Generic9.AKUT C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\32LLUEVP\xall[1].htm 1/15/2008 0:18 xall[1].htm 18.5 KB
Trojan horse Dialer.RBN C:\WINDOWS\system32\drvbaz.dll 1/15/2008 0:18 drvbaz.dll 101 KB
Trojan horse Dialer.RBN C:\WINDOWS\system32\drvcub.dll 1/15/2008 0:18 drvcub.dll 101 KB
Trojan horse Dialer.RBN C:\WINDOWS\system32\drvkuk.dll 1/15/2008 0:18 drvkuk.dll 101 KB
Trojan horse Dialer.RBN C:\WINDOWS\system32\drvvoc.dll 1/15/2008 0:18 drvvoc.dll 101 KB

Scan with Kaspersky found the following

deleted: adware not-a-virus:AdWare.Win32.BHO.rh File: C:\Documents and Settings\Administrator\Desktop\backups\backup-20080114-221340-852.dll//PE_Patch.PECompact//PecBundle//PECompact
deleted: Trojan program Trojan.Win32.Dialer.yz File: C:\WINDOWS\system32\winbue32.dll//PE_Patch.PECompact//PecBundle//PECompact


Logfile of HijackThis v1.99.1
Scan saved at 9:16:10 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Comodo\Firewall\cpf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - (no file)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - (no file)

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:13:57 AM 1/15/2008

+ Scan result:



C:\Documents and Settings\Administrator\Desktop\backups\backup-20080114-221340-852.dll -> Not-A-Virus.Adware.BHO : Ignored.
:mozilla.10:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.157:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.167:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.204:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.6:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.7:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.8:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.9:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Jeff\Cookies\jeff@cbs.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Jeff\Cookies\jeff@cbsdigitalmedia.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Jeff\Cookies\jeff@electronicarts.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Jeff\Cookies\jeff@samsung.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.17:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.18:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Jeff\Cookies\jeff@4.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.323:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.324:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.37:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.38:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.39:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.40:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.41:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.46:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.296:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Jeff\Cookies\jeff@ads.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.345:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Jeff\Cookies\jeff@e-2dj6wjlygmajgep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.94:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.112:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.113:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.329:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.330:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.331:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.326:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.327:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.328:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Jeff\Cookies\jeff@auto.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@overture[1].txt -> TrackingCookie.Overture : Cleaned.
:mozilla.28:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.29:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.30:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.31:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.32:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.33:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.34:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.35:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.36:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.188:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.189:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.191:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.192:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.193:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.194:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.195:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.196:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.197:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.198:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.199:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.200:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.297:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.374:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Safer-networking : Cleaned.
:mozilla.205:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.206:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.207:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.208:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.209:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.210:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.53:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.229:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.230:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.231:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.247:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.248:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.249:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.250:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.251:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.257:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.261:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.291:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.292:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.293:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.294:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.295:C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\5ljq5vyw.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

ComboFix 08-01-16.4 - Jeff 2008-01-15 19:58:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1464 [GMT -8:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Helper
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\hjllm.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\nqtwa.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-15 19:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 19:45 . 2008-01-15 19:49 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-15 19:45 . 2008-01-15 19:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-15 18:43 . 2008-01-15 18:43 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\Comodo
2008-01-15 18:43 . 2008-01-15 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2008-01-15 18:41 . 2008-01-15 18:41 <DIR> d-------- C:\Program Files\Comodo
2008-01-15 18:41 . 2008-01-14 21:05 211 --a------ C:\boot.ini.comodofirewall
2008-01-15 17:17 . 2008-01-15 20:05 <DIR> d-------- C:\Program Files\Trojan Remover
2008-01-15 17:16 . 2008-01-15 17:16 6,713,328 --a------ C:\temp\trsetup.exe
2008-01-15 17:15 . 2008-01-15 17:17 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\Simply Super Software
2008-01-15 17:15 . 2008-01-15 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-01-15 17:15 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-01-15 17:15 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-01-15 17:15 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-01-15 17:15 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-01-15 17:15 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-01-15 09:32 . 2008-01-15 09:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-15 00:24 . 2008-01-15 00:24 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\Grisoft
2008-01-15 00:24 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-15 00:23 . 2007-01-18 04:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-14 23:10 . 2008-01-14 23:10 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-01-14 23:10 . 2008-01-15 19:15 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\AVG7
2008-01-14 23:10 . 2008-01-15 00:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-14 23:10 . 2008-01-15 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-14 22:40 . 2008-01-14 22:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Verizon
2008-01-14 21:57 . 2008-01-14 21:57 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-01-14 21:54 . 2008-01-14 21:54 <DIR> d-------- C:\KAV
2008-01-14 21:16 . 2008-01-14 21:16 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-01-14 21:13 . 2008-01-14 21:13 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-01-14 21:02 . 2008-01-14 21:02 11 --a------ C:\AuResult.ini
2008-01-14 20:08 . 2007-03-06 13:24 55,296 --a------ C:\WINDOWS\system32\drivers\rp_skt32.sys
2008-01-14 20:05 . 2008-01-14 20:05 <DIR> d-------- C:\Program Files\Raxco
2008-01-14 20:05 . 2008-01-14 20:20 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-01-14 20:05 . 2008-01-14 20:05 <DIR> d-------- C:\Program Files\Common Files\Authentium
2008-01-14 20:05 . 2008-01-14 20:05 <DIR> d-------- C:\Program Files\CA
2008-01-14 20:05 . 2008-01-14 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Raxco
2008-01-14 20:05 . 2007-04-19 11:24 48,384 --a------ C:\WINDOWS\system32\drivers\rp_pkt32.sys
2008-01-14 20:03 . 2008-01-14 20:05 <DIR> d-------- C:\Program Files\Verizon
2008-01-14 20:03 . 2008-01-14 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Verizon
2008-01-14 20:01 . 2008-01-14 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-01-14 20:00 . 2008-01-14 20:00 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\SoftwareDetectionScripts
2008-01-14 20:00 . 2008-01-15 17:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\temp
2008-01-14 15:12 . 2008-01-14 15:12 <DIR> d-------- C:\temp\pe
2008-01-14 15:12 . 2008-01-14 15:12 <DIR> d-------- C:\Program Files\New Folder
2008-01-14 14:18 . 2008-01-14 14:18 <DIR> d-------- C:\zip
2008-01-13 22:58 . 2008-01-14 21:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 22:58 . 2007-09-18 01:10 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-13 22:58 . 2007-09-18 01:10 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-13 20:45 . 2008-01-13 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-13 20:45 . 2007-09-18 01:10 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-13 20:07 . 2008-01-13 22:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-13 19:49 . 2008-01-14 14:12 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-13 14:20 . 2008-01-14 18:02 709 --a------ C:\WINDOWS\wininit.ini
2008-01-13 13:34 . 2008-01-13 13:34 54,764 --a------ C:\WINDOWS\system32\dxdss.sys
2008-01-13 13:34 . 2008-01-13 13:34 24,576 --a------ C:\WINDOWS\system32\winbue32.dll
2008-01-13 13:34 . 2008-01-13 13:34 2 --a------ C:\-863452662
2008-01-12 20:08 . 2008-01-12 20:11 632 --a------ C:\WINDOWS\CoD.INI
2008-01-06 01:37 . 2008-01-13 23:45 <DIR> d-------- C:\Program Files\PokerStars
2007-12-28 16:50 . 2007-12-28 19:56 <DIR> d-------- C:\Cat
2007-12-27 19:31 . 2007-12-27 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2007-12-27 19:30 . 2007-12-27 19:31 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-12-27 19:30 . 2007-12-27 19:31 <DIR> d-------- C:\Program Files\AVS4YOU
2007-12-26 23:38 . 2008-01-13 22:34 <DIR> d-------- C:\Program Files\MagicTune Premium
2007-12-26 23:35 . 2007-12-26 23:35 <DIR> d-------- C:\Program Files\SEC
2007-12-26 16:44 . 2007-12-26 16:44 59,392 --a------ C:\temp\20070430084153500_SM226CW.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 04:20 --------- d-----w C:\Documents and Settings\Jeff\Application Data\Verizon
2008-01-15 04:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-14 16:25 --------- d-----w C:\Program Files\QuickTime
2008-01-14 09:26 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe.tmp
2008-01-14 06:40 --------- d-----w C:\Program Files\Common Files\Motive
2008-01-14 06:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 06:35 --------- d-----w C:\Program Files\Common Files\Seagate
2008-01-14 06:34 --------- d-----w C:\Program Files\ATITool
2008-01-14 06:21 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
2008-01-14 04:43 --------- d-----w C:\Program Files\Lavasoft
2008-01-12 22:44 --------- d-----w C:\Program Files\World of Warcraft
2008-01-04 09:27 --------- d-----w C:\Program Files\UltimateBuddy
2008-01-04 09:27 --------- d-----w C:\Program Files\UltimateBet
2007-12-26 20:05 --------- d-----w C:\Documents and Settings\Jeff\Application Data\ICAClient
2007-12-26 20:03 --------- d-----w C:\Program Files\Citrix
2007-12-16 06:10 --------- d-----w C:\Program Files\Elaborate Bytes
2007-12-16 05:58 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-16 05:56 --------- d-----w C:\Program Files\SlySoft
2007-12-16 05:56 --------- d-----w C:\Program Files\Astonsoft
2007-12-16 05:51 --------- d-----w C:\Documents and Settings\Jeff\Application Data\DeepBurner
2007-12-14 22:44 --------- d-----w C:\Program Files\Microsoft Games
2007-11-30 04:53 --------- d-----w C:\Program Files\Ventrilo
2007-11-28 07:18 --------- d-----w C:\Program Files\Allied General
2007-11-26 11:29 --------- d-----w C:\Program Files\Ahead
2007-11-20 06:54 --------- d-----w C:\Documents and Settings\Jeff\Application Data\Lavasoft
2007-11-20 06:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-18 01:32 --------- d-----w C:\Program Files\Warcraft III
2007-11-07 22:41 126,976 ----a-w C:\WINDOWS\War3Unin.exe
.
<pre>
----a-w			39,792 2008-01-14 05:35:04  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		 3,035,136 2008-01-14 04:16:54  C:\Program Files\ATITool\ATITool .exe
----a-w			68,856 2008-01-14 06:56:15  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w		   282,624 2008-01-14 09:13:02  C:\Program Files\QuickTime\qttask	.exe
----a-w		   282,624 2008-01-14 09:13:03  C:\Program Files\QuickTime\qttask   .exe
----a-w		   282,624 2008-01-14 05:27:57  C:\Program Files\QuickTime\qttask  .exe
----a-w		   282,624 2008-01-14 05:27:57  C:\Program Files\QuickTime\qttask .exe
----a-w		   160,592 2008-01-14 06:43:06  C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon .exe
----a-w		   158,208 2008-01-14 06:21:35  C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
----a-w			15,360 2008-01-14 22:12:19  C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-14 15:51 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2007-08-07 17:31 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 01:09 77824 C:\WINDOWS\SOUNDMAN.EXE]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 15:20 2061816]
"Verizon Internet Security Suite"="C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe" [2007-08-07 17:31 303344]
"-FreedomNeedsReboot"="C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [2007-08-07 17:31 13552]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-15 09:33 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-01-03 17:11 737872]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2008-01-15 18:41 1115728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2007-08-07 17:31 61168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-14 23:10 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
backup=C:\WINDOWS\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
backup=C:\WINDOWS\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeff^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Jeff\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a------ 2007-06-14 15:48 149024 C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-14 01:07 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 04:50 71216 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2005-11-22 16:05 344064 C:\WINDOWS\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATITool]
C:\Program Files\ATITool\ATITool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\winD2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
C:\WINDOWS\system32\drvvoc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-01-14 15:51 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ElbyCheckElbyCDFL]
--a------ 2001-12-06 13:09 45056 C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 16:52 50736 C:\Program Files\Common Files\AOL\1160445705\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-02 15:24 257088 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\mlljh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-14 01:13 282624 C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--a------ 2002-02-04 21:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
--a------ 2008-01-14 01:13 160592 C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSRaid]
--------- 2004-12-22 16:32 892928 C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\system32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-14 01:09 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UltimateBuddy]
C:\Program Files\UltimateBuddy\UltimateBuddy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon Custom Uninstall Tracking]
C:\DOCUME~1\Jeff\LOCALS~1\Temp\InstallHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
--a------ 2007-05-11 15:20 2061816 C:\Program Files\Verizon\VSP\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
C:\Program Files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winupdate Engine]
C:\WINDOWS\system32\wupeng.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"AOL ACS"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
"ose"=3 (0x3)

S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-09-27 15:12]
S3 Radialpoint Security Services;Verizon Internet Security Suite;C:\WINDOWS\system32\dllhost.exe [2004-08-03 23:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56ed281c-a43c-11db-89d6-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79dc2fde-a6a9-11db-89e3-00038a000015}]
\Shell\AutoRun\command - F:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3c6a8d2-898f-11db-9a4e-806d6172696f}]
\Shell\AutoRun\command - E:\monsetup.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 20:05:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 20:08:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-16 04:08:28
.
2008-01-10 06:42:08 --- E O F ---

Edited by Weasel225, 16 January 2008 - 06:56 PM.

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 21 January 2008 - 07:18 AM

Hello and Welcome to the forum.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop**[/color]
--------------------------------------------------------------------
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

[color="blue"]****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 Weasel225

Weasel225

    New Member

  • New Member
  • Pip
  • 12 posts

Posted 21 January 2008 - 07:37 PM

As requested, Combo fix log and new Hijack log

Thanks for your help!


ComboFix 08-01-21.3 - Jeff 2008-01-21 17:26:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1588 [GMT -8:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Helper

.
((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.

2008-01-19 20:32 . 2008-01-19 20:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 20:32 . 2008-01-19 20:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-16 19:43 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-16 19:42 . 2008-01-16 19:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-16 07:54 . 2008-01-21 17:29 14,165,792 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-16 07:54 . 2008-01-21 10:56 190,340 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-16 07:54 . 2008-01-21 17:29 40,992 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-16 07:54 . 2008-01-21 10:56 4,556 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-16 07:51 . 2008-01-16 07:51 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-15 21:05 . 2008-01-15 21:07 367,565,824 --a------ C:\114.tmp
2008-01-15 20:50 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-15 20:48 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\uawwyeginewc.sys
2008-01-15 20:34 . 2008-01-15 21:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-15 20:34 . 2008-01-15 20:47 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-15 20:34 . 2008-01-15 20:47 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-15 20:34 . 2008-01-15 20:47 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-15 19:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 19:45 . 2008-01-20 01:03 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-15 18:41 . 2008-01-15 18:41 <DIR> d-------- C:\Program Files\Comodo
2008-01-15 18:41 . 2008-01-14 21:05 211 --a------ C:\boot.ini.comodofirewall
2008-01-15 17:16 . 2008-01-15 17:16 6,713,328 --a------ C:\temp\trsetup.exe
2008-01-15 17:15 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-01-15 17:15 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-01-15 17:15 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-01-15 17:15 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-01-15 17:15 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-01-15 00:24 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-15 00:23 . 2007-01-18 04:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-14 21:57 . 2008-01-14 21:57 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-01-14 21:54 . 2008-01-14 21:54 <DIR> d-------- C:\KAV
2008-01-14 21:13 . 2008-01-14 21:13 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-01-14 21:02 . 2008-01-14 21:02 11 --a------ C:\AuResult.ini
2008-01-14 15:12 . 2008-01-14 15:12 <DIR> d-------- C:\temp\pe
2008-01-14 15:12 . 2008-01-14 15:12 <DIR> d-------- C:\Program Files\New Folder
2008-01-14 14:18 . 2008-01-14 14:18 <DIR> d-------- C:\zip
2008-01-13 22:58 . 2008-01-14 21:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 22:58 . 2007-09-18 01:10 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-13 22:58 . 2007-09-18 01:10 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-13 20:45 . 2007-09-18 01:10 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-13 20:07 . 2008-01-13 22:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-13 19:49 . 2008-01-14 14:12 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-13 14:20 . 2008-01-14 18:02 709 --a------ C:\WINDOWS\wininit.ini
2008-01-13 13:34 . 2008-01-13 13:34 2 --a------ C:\-863452662
2008-01-12 20:08 . 2008-01-12 20:11 632 --a------ C:\WINDOWS\CoD.INI
2008-01-06 01:37 . 2008-01-21 01:19 <DIR> d-------- C:\Program Files\PokerStars
2007-12-28 16:50 . 2007-12-28 19:56 <DIR> d-------- C:\Cat
2007-12-27 19:30 . 2007-12-27 19:31 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-12-27 19:30 . 2007-12-27 19:31 <DIR> d-------- C:\Program Files\AVS4YOU
2007-12-26 23:38 . 2008-01-13 22:34 <DIR> d-------- C:\Program Files\MagicTune Premium
2007-12-26 23:35 . 2007-12-26 23:35 <DIR> d-------- C:\Program Files\SEC
2007-12-26 16:44 . 2007-12-26 16:44 59,392 --a------ C:\temp\20070430084153500_SM226CW.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 03:43 --------- d-----w C:\Program Files\Java
2008-01-16 05:44 --------- d-----w C:\Program Files\InstallShield Installation Information
2008-01-14 23:51 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-01-14 16:25 --------- d-----w C:\Program Files\QuickTime
2008-01-14 09:26 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe.tmp
2008-01-14 06:40 --------- d-----w C:\Program Files\Common Files\Motive
2008-01-14 06:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 06:35 --------- d-----w C:\Program Files\Common Files\Seagate
2008-01-14 06:34 --------- d-----w C:\Program Files\ATITool
2008-01-14 06:21 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
2008-01-14 04:43 --------- d-----w C:\Program Files\Lavasoft
2008-01-12 22:44 --------- d-----w C:\Program Files\World of Warcraft
2008-01-04 09:27 --------- d-----w C:\Program Files\UltimateBuddy
2008-01-04 09:27 --------- d-----w C:\Program Files\UltimateBet
2007-12-26 20:03 --------- d-----w C:\Program Files\Citrix
2007-12-16 06:10 --------- d-----w C:\Program Files\Elaborate Bytes
2007-12-16 05:58 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-16 05:56 --------- d-----w C:\Program Files\SlySoft
2007-12-16 05:56 --------- d-----w C:\Program Files\Astonsoft
2007-12-14 22:44 --------- d-----w C:\Program Files\Microsoft Games
2007-11-30 04:53 --------- d-----w C:\Program Files\Ventrilo
2007-11-28 07:18 --------- d-----w C:\Program Files\Allied General
2007-11-26 11:29 --------- d-----w C:\Program Files\Ahead
2007-11-07 22:41 126,976 ----a-w C:\WINDOWS\War3Unin.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
.
<pre>
----a-w			39,792 2008-01-14 05:35:04  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		 3,035,136 2008-01-14 04:16:54  C:\Program Files\ATITool\ATITool .exe
----a-w			68,856 2008-01-14 06:56:15  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w		   282,624 2008-01-14 09:13:02  C:\Program Files\QuickTime\qttask	.exe
----a-w		   282,624 2008-01-14 09:13:03  C:\Program Files\QuickTime\qttask   .exe
----a-w		   282,624 2008-01-14 05:27:57  C:\Program Files\QuickTime\qttask  .exe
----a-w		   282,624 2008-01-14 05:27:57  C:\Program Files\QuickTime\qttask .exe
----a-w		   160,592 2008-01-14 06:43:06  C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon .exe
----a-w		   158,208 2008-01-14 06:21:35  C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
----a-w			15,360 2008-01-14 22:12:19  C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-15_20.07.38.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 16:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
- 2008-01-16 03:57:29 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-22 01:26:08 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-16 03:57:29 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-22 01:26:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-16 03:57:29 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-22 01:26:08 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-16 03:57:29 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-22 01:26:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-16 03:57:29 7,258,112 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-22 01:26:08 7,245,824 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-16 03:57:29 348,160 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-22 01:26:08 348,160 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2007-03-29 17:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-06 00:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 22:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2003-08-01 19:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2005-05-20 21:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2007-11-12 17:46:18 26,112 ----a-w C:\WINDOWS\system32\ActiveScan\JID.dll
+ 2006-02-17 02:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-26 02:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2007-11-26 19:10:36 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\NanoWrapper.dll
+ 2004-05-04 23:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 21:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-10 18:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 21:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-17 02:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-06 00:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2007-06-04 19:31:52 57,344 ----a-w C:\WINDOWS\system32\ActiveScan\pavsddl.dll
+ 2006-06-30 22:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 22:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2007-10-30 18:04:14 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\Prescan.dll
+ 2006-08-01 21:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2007-11-21 18:00:06 376,832 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2007-10-31 21:05:06 32,768 ----a-w C:\WINDOWS\system32\ActiveScan\PSKAHKPRESCAN.dll
+ 2006-08-17 19:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 19:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-18 16:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 22:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 18:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-19 18:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-21 00:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-17 17:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 18:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 22:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 22:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 21:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 16:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 16:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-10-18 17:30:16 105,472 ----a-w C:\WINDOWS\system32\ActiveScan\psnahk.dll
+ 2007-11-23 22:29:08 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\psndsk.dll
+ 2007-10-18 17:30:38 42,496 ----a-w C:\WINDOWS\system32\ActiveScan\psnflg.dll
+ 2007-10-30 19:19:22 98,304 ----a-w C:\WINDOWS\system32\ActiveScan\psnglknt.dll
+ 2007-08-22 16:52:00 20,272 ----a-w C:\WINDOWS\system32\ActiveScan\psnhsh.dll
+ 2007-11-12 23:49:34 11,776 ----a-w C:\WINDOWS\system32\ActiveScan\psnjidsign.dll
+ 2007-08-22 16:52:04 76,080 ----a-w C:\WINDOWS\system32\ActiveScan\psnkrnl.dll
+ 2007-08-22 16:52:06 21,296 ----a-w C:\WINDOWS\system32\ActiveScan\psnmem.dll
+ 2007-10-04 23:26:28 28,672 ----a-w C:\WINDOWS\system32\ActiveScan\PsnPen.dll
+ 2007-10-23 19:40:10 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\psntuc.dll
+ 2007-05-24 19:27:36 27,136 ----a-w C:\WINDOWS\system32\ActiveScan\PSNXprs.dll
+ 2007-04-19 01:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 22:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 2007-06-08 17:44:36 8,576 ----a-w C:\WINDOWS\system32\ActiveScan\RKPavProc.sys
+ 2007-06-05 18:56:40 44,928 ----a-w C:\WINDOWS\system32\ActiveScan\sdthook.sys
+ 1997-09-18 14:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-03-01 01:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2007-09-17 17:14:08 126,976 ----a-w C:\WINDOWS\system32\ActiveScan\Tucan.dll
+ 2006-08-02 20:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
- 2006-05-05 03:07:25 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-22 01:03:39 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2006-05-05 03:07:25 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-22 01:03:39 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-05-05 03:07:25 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-22 01:03:39 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-16 15:54:39 194,320 ----a-w C:\WINDOWS\system32\drivers\klif.sys
- 2007-07-12 08:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 06:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-07-12 08:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 06:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-07-12 09:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 07:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-11-21 00:04:14 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
- 2007-11-14 06:18:30 48,749 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-01-20 08:54:22 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2003-03-26 02:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-14 15:51 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 01:09 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-15 09:33 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2008-01-15 18:41 1115728]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-14 08:25 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-14 23:10 219136]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
backup=C:\WINDOWS\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
backup=C:\WINDOWS\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeff^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Jeff\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a------ 2007-06-14 15:48 149024 C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-14 01:07 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 04:50 71216 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2005-11-22 16:05 344064 C:\WINDOWS\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATITool]
C:\Program Files\ATITool\ATITool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\winD2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
C:\WINDOWS\system32\drvvoc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-01-14 15:51 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ElbyCheckElbyCDFL]
--a------ 2001-12-06 13:09 45056 C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 16:52 50736 C:\Program Files\Common Files\AOL\1160445705\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-02 15:24 257088 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\mlljh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-14 01:13 282624 C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--a------ 2002-02-04 21:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
--a------ 2008-01-14 01:13 160592 C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSRaid]
--------- 2004-12-22 16:32 892928 C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\system32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-14 01:09 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UltimateBuddy]
C:\Program Files\UltimateBuddy\UltimateBuddy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon Custom Uninstall Tracking]
C:\DOCUME~1\Jeff\LOCALS~1\Temp\InstallHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
C:\Program Files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winupdate Engine]
C:\WINDOWS\system32\wupeng.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"AOL ACS"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
"ose"=3 (0x3)

S1 mp32;mp3 audio;C:\WINDOWS\system32\dxdss.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-09-27 15:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56ed281c-a43c-11db-89d6-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79dc2fde-a6a9-11db-89e3-00038a000015}]
\Shell\AutoRun\command - F:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3c6a8d2-898f-11db-9a4e-806d6172696f}]
\Shell\AutoRun\command - E:\monsetup.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 17:30:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-21 17:31:39
ComboFix-quarantined-files.txt 2008-01-22 01:31:28
ComboFix2.txt 2008-01-16 04:08:35
.
2008-01-10 06:42:08 --- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 5:35:19 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" -r (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - (no file)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - (no file)

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 21 January 2008 - 08:01 PM

Open notepad and copy/paste the text in the Codebox below into it:

File::
C:\114.tmp
C:\WINDOWS\system32\drivers\uawwyeginewc.sys
C:\temp\trsetup.exe
C:\WINDOWS\system32\ztvunrar36.dll
C:\WINDOWS\wininit.ini
C:\-863452662
C:\temp\20070430084153500_SM226CW.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe.tmp
C:\WINDOWS\TEMP\winD2.exe
C:\WINDOWS\system32\mlljh.exe
C:\DOCUME~1\Jeff\LOCALS~1\Temp\InstallHelper.exe
C:\WINDOWS\system32\wupeng.exe

RenV::
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\ATITool\ATITool .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\QuickTime\qttask	.exe
C:\Program Files\QuickTime\qttask   .exe
C:\Program Files\QuickTime\qttask  .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon .exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
C:\WINDOWS\system32\ctfmon .exe

Driver::
uawwyeginewc

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winupdate Engine]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79dc2fde-a6a9-11db-89e3-00038a000015}]


Save this as Save this as "CFScript"


Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 Weasel225

Weasel225

    New Member

  • New Member
  • Pip
  • 12 posts

Posted 21 January 2008 - 08:42 PM

Machine appeared to be running ok both before and after as I had locked down services.exe from accessing the Net. I have unlocked it now and will monitor it closely


ComboFix 08-01-21.3 - Jeff 2008-01-21 18:30:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1543 [GMT -8:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeff\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\-863452662
C:\114.tmp
C:\DOCUME~1\Jeff\LOCALS~1\Temp\InstallHelper.exe
C:\temp\20070430084153500_SM226CW.exe
C:\temp\trsetup.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe.tmp
C:\WINDOWS\system32\drivers\uawwyeginewc.sys
C:\WINDOWS\system32\mlljh.exe
C:\WINDOWS\system32\wupeng.exe
C:\WINDOWS\system32\ztvunrar36.dll
C:\WINDOWS\TEMP\winD2.exe
C:\WINDOWS\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-863452662
C:\114.tmp
C:\temp\20070430084153500_SM226CW.exe
C:\temp\trsetup.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe.tmp
C:\WINDOWS\system32\drivers\uawwyeginewc.sys
C:\WINDOWS\system32\ztvunrar36.dll
C:\WINDOWS\wininit.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_UAWWYEGINEWC
-------\uawwyeginewc


((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.

2008-01-19 20:32 . 2008-01-19 20:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 20:32 . 2008-01-19 20:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-16 19:43 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-16 19:42 . 2008-01-16 19:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-16 07:54 . 2008-01-21 18:34 14,207,008 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-16 07:54 . 2008-01-21 18:33 191,324 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-16 07:54 . 2008-01-21 18:33 43,296 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-16 07:54 . 2008-01-21 18:33 5,108 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-16 07:51 . 2008-01-16 07:51 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-15 20:50 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-15 20:34 . 2008-01-15 21:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-15 20:34 . 2008-01-15 20:47 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-15 20:34 . 2008-01-15 20:47 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-15 20:34 . 2008-01-15 20:47 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-15 19:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 19:45 . 2008-01-20 01:03 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-15 18:41 . 2008-01-15 18:41 <DIR> d-------- C:\Program Files\Comodo
2008-01-15 18:41 . 2008-01-14 21:05 211 --a------ C:\boot.ini.comodofirewall
2008-01-15 17:15 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-01-15 17:15 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-01-15 17:15 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-01-15 17:15 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-01-15 00:24 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-15 00:23 . 2007-01-18 04:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-14 21:57 . 2008-01-14 21:57 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-01-14 21:54 . 2008-01-14 21:54 <DIR> d-------- C:\KAV
2008-01-14 21:13 . 2008-01-14 21:13 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-01-14 21:02 . 2008-01-14 21:02 11 --a------ C:\AuResult.ini
2008-01-14 15:12 . 2008-01-14 15:12 <DIR> d-------- C:\temp\pe
2008-01-14 15:12 . 2008-01-14 15:12 <DIR> d-------- C:\Program Files\New Folder
2008-01-14 14:18 . 2008-01-14 14:18 <DIR> d-------- C:\zip
2008-01-13 22:58 . 2008-01-14 21:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 22:58 . 2007-09-18 01:10 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-13 22:58 . 2007-09-18 01:10 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-13 22:21 . 2008-01-13 22:21 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2008-01-13 20:45 . 2007-09-18 01:10 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-13 20:07 . 2008-01-13 22:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-13 19:49 . 2008-01-14 14:12 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-13 19:49 . 2008-01-14 14:12 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-12 20:08 . 2008-01-12 20:11 632 --a------ C:\WINDOWS\CoD.INI
2008-01-06 01:37 . 2008-01-21 01:19 <DIR> d-------- C:\Program Files\PokerStars
2007-12-28 16:50 . 2007-12-28 19:56 <DIR> d-------- C:\Cat
2007-12-27 19:30 . 2007-12-27 19:31 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-12-27 19:30 . 2007-12-27 19:31 <DIR> d-------- C:\Program Files\AVS4YOU
2007-12-26 23:38 . 2008-01-13 22:34 <DIR> d-------- C:\Program Files\MagicTune Premium
2007-12-26 23:35 . 2007-12-26 23:35 <DIR> d-------- C:\Program Files\SEC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 02:30 --------- d-----w C:\Program Files\QuickTime
2008-01-22 02:30 --------- d-----w C:\Program Files\ATITool
2008-01-17 03:43 --------- d-----w C:\Program Files\Java
2008-01-16 05:44 --------- d-----w C:\Program Files\InstallShield Installation Information
2008-01-14 06:40 --------- d-----w C:\Program Files\Common Files\Motive
2008-01-14 06:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 06:35 --------- d-----w C:\Program Files\Common Files\Seagate
2008-01-14 04:43 --------- d-----w C:\Program Files\Lavasoft
2008-01-12 22:44 --------- d-----w C:\Program Files\World of Warcraft
2008-01-04 09:27 --------- d-----w C:\Program Files\UltimateBuddy
2008-01-04 09:27 --------- d-----w C:\Program Files\UltimateBet
2007-12-26 20:03 --------- d-----w C:\Program Files\Citrix
2007-12-16 06:10 --------- d-----w C:\Program Files\Elaborate Bytes
2007-12-16 05:58 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-16 05:56 --------- d-----w C:\Program Files\SlySoft
2007-12-16 05:56 --------- d-----w C:\Program Files\Astonsoft
2007-12-14 22:44 --------- d-----w C:\Program Files\Microsoft Games
2007-11-30 04:53 --------- d-----w C:\Program Files\Ventrilo
2007-11-28 07:18 --------- d-----w C:\Program Files\Allied General
2007-11-26 11:29 --------- d-----w C:\Program Files\Ahead
2007-11-07 22:41 126,976 ----a-w C:\WINDOWS\War3Unin.exe
.

((((((((((((((((((((((((((((( snapshot_2008-01-21_17.30.41.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-22 01:26:08 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-22 02:30:11 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-22 01:26:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-22 02:30:11 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-22 01:26:08 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-22 02:30:11 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-22 01:26:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-22 02:30:11 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-22 01:26:08 7,245,824 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-22 02:30:11 7,245,824 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-22 01:26:08 348,160 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-22 02:30:11 348,160 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2004-08-04 07:56:54 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe
+ 2008-01-14 06:21:35 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-14 14:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 01:09 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-15 09:33 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2008-01-15 18:41 1115728]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-13 21:27 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-14 23:10 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
backup=C:\WINDOWS\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
backup=C:\WINDOWS\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeff^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Jeff\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a------ 2007-06-14 15:48 149024 C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-13 21:35 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 04:50 71216 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2005-11-22 16:05 344064 C:\WINDOWS\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATITool]
--a------ 2008-01-13 20:16 3035136 C:\Program Files\ATITool\ATITool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\winD2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
C:\WINDOWS\system32\drvvoc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-01-14 14:12 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ElbyCheckElbyCDFL]
--a------ 2001-12-06 13:09 45056 C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 16:52 50736 C:\Program Files\Common Files\AOL\1160445705\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-02 15:24 257088 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\mlljh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--a------ 2002-02-04 21:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
--a------ 2008-01-13 22:43 160592 C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSRaid]
--------- 2004-12-22 16:32 892928 C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\system32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-13 22:56 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UltimateBuddy]
C:\Program Files\UltimateBuddy\UltimateBuddy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon Custom Uninstall Tracking]
C:\DOCUME~1\Jeff\LOCALS~1\Temp\InstallHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
C:\Program Files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"AOL ACS"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
"ose"=3 (0x3)

S1 mp32;mp3 audio;C:\WINDOWS\system32\dxdss.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-09-27 15:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56ed281c-a43c-11db-89d6-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3c6a8d2-898f-11db-9a4e-806d6172696f}]
\Shell\AutoRun\command - E:\monsetup.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 18:35:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-21 18:38:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-22 02:38:04
ComboFix2.txt 2008-01-22 01:31:40
ComboFix3.txt 2008-01-16 04:08:35
.
2008-01-10 06:42:08 --- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 6:40:07 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" -r (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - (no file)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - (no file)

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 21 January 2008 - 08:51 PM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\temp\pe
C:\Program Files\UltimateBuddy\UltimateBuddy.exe

Folder::
C:\Program Files\UltimateBuddy

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UltimateBuddy]


Save this as Save this as "CFScript"


Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Also please describe how your computer behaves at the moment.


I just noticed you are running 2 anti-virus programs.

Grisoft\AVG7
Kaspersky Lab\Kaspersky Anti-Virus

You need to uninstall one of them using Add/Remove Programs

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 Weasel225

Weasel225

    New Member

  • New Member
  • Pip
  • 12 posts

Posted 21 January 2008 - 09:08 PM

System net acitivty seems normal now with services.exe allowed access through the firewall again. I have one inbound that I had to block an IP range 169.254.1.0 to 169.254.1.255 as it continues to assault my firewall. Other than that things seem normal. Will run a full system scan when you think I am clear enough to do so.

ComboFix 08-01-21.3 - Jeff 2008-01-21 18:58:24.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1601 [GMT -8:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeff\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\UltimateBuddy\UltimateBuddy.exe
C:\temp\pe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\UltimateBuddy
C:\Program Files\UltimateBuddy\LocalWeb\bg-popup.gif
C:\Program Files\UltimateBuddy\LocalWeb\buddy-popup.html
C:\Program Files\UltimateBuddy\LocalWeb\popup-ub-logo.gif
C:\Program Files\UltimateBuddy\RteMenu.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.

2008-01-19 20:32 . 2008-01-19 20:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 20:32 . 2008-01-19 20:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-16 19:43 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-16 19:42 . 2008-01-16 19:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-16 07:54 . 2008-01-21 18:55 14,242,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-16 07:54 . 2008-01-21 18:55 191,828 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-16 07:54 . 2008-01-21 18:55 48,672 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-16 07:54 . 2008-01-21 18:55 5,636 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-15 20:50 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-15 20:34 . 2008-01-15 21:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-15 20:34 . 2008-01-15 20:47 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-15 20:34 . 2008-01-15 20:47 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-15 20:34 . 2008-01-15 20:47 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-15 19:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 19:45 . 2008-01-20 01:03 <DIR> d-------- C:\Program Files\Security Task Manager
2008-01-15 18:41 . 2008-01-15 18:41 <DIR> d-------- C:\Program Files\Comodo
2008-01-15 18:41 . 2008-01-14 21:05 211 --a------ C:\boot.ini.comodofirewall
2008-01-15 17:15 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-01-15 17:15 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-01-15 17:15 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-01-15 17:15 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-01-15 00:24 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-15 00:23 . 2007-01-18 04:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-14 21:57 . 2008-01-14 21:57 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-01-14 21:54 . 2008-01-14 21:54 <DIR> d-------- C:\KAV
2008-01-14 21:13 . 2008-01-14 21:13 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-01-14 21:02 . 2008-01-14 21:02 11 --a------ C:\AuResult.ini
2008-01-14 15:12 . 2008-01-14 15:12 <DIR> d-------- C:\temp\pe
2008-01-14 15:12 . 2008-01-14 15:12 <DIR> d-------- C:\Program Files\New Folder
2008-01-14 14:18 . 2008-01-14 14:18 <DIR> d-------- C:\zip
2008-01-13 22:58 . 2008-01-14 21:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 22:58 . 2007-09-18 01:10 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-13 22:58 . 2007-09-18 01:10 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-01-13 22:21 . 2008-01-13 22:21 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2008-01-13 20:45 . 2007-09-18 01:10 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-01-13 20:07 . 2008-01-13 22:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-13 19:49 . 2008-01-14 14:12 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-13 19:49 . 2008-01-14 14:12 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-12 20:08 . 2008-01-12 20:11 632 --a------ C:\WINDOWS\CoD.INI
2008-01-06 01:37 . 2008-01-21 01:19 <DIR> d-------- C:\Program Files\PokerStars
2007-12-28 16:50 . 2007-12-28 19:56 <DIR> d-------- C:\Cat
2007-12-27 19:30 . 2007-12-27 19:31 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-12-27 19:30 . 2007-12-27 19:31 <DIR> d-------- C:\Program Files\AVS4YOU
2007-12-26 23:38 . 2008-01-13 22:34 <DIR> d-------- C:\Program Files\MagicTune Premium
2007-12-26 23:35 . 2007-12-26 23:35 <DIR> d-------- C:\Program Files\SEC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 02:30 --------- d-----w C:\Program Files\QuickTime
2008-01-22 02:30 --------- d-----w C:\Program Files\ATITool
2008-01-17 03:43 --------- d-----w C:\Program Files\Java
2008-01-16 05:44 --------- d-----w C:\Program Files\InstallShield Installation Information
2008-01-14 06:40 --------- d-----w C:\Program Files\Common Files\Motive
2008-01-14 06:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 06:35 --------- d-----w C:\Program Files\Common Files\Seagate
2008-01-14 04:43 --------- d-----w C:\Program Files\Lavasoft
2008-01-12 22:44 --------- d-----w C:\Program Files\World of Warcraft
2008-01-04 09:27 --------- d-----w C:\Program Files\UltimateBet
2007-12-26 20:03 --------- d-----w C:\Program Files\Citrix
2007-12-16 06:10 --------- d-----w C:\Program Files\Elaborate Bytes
2007-12-16 05:58 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-16 05:56 --------- d-----w C:\Program Files\SlySoft
2007-12-16 05:56 --------- d-----w C:\Program Files\Astonsoft
2007-12-14 22:44 --------- d-----w C:\Program Files\Microsoft Games
2007-11-30 04:53 --------- d-----w C:\Program Files\Ventrilo
2007-11-28 07:18 --------- d-----w C:\Program Files\Allied General
2007-11-26 11:29 --------- d-----w C:\Program Files\Ahead
2007-11-07 22:41 126,976 ----a-w C:\WINDOWS\War3Unin.exe
.

((((((((((((((((((((((((((((( snapshot_2008-01-21_17.30.41.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-22 01:26:08 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-22 02:57:42 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-22 01:26:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-22 02:57:42 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-22 01:26:08 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-22 02:57:42 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-22 01:26:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-22 02:57:42 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-22 01:26:08 7,245,824 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-22 02:57:43 7,245,824 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-22 01:26:08 348,160 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-22 02:57:43 348,160 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2004-08-04 07:56:54 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe
+ 2008-01-14 06:21:35 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-14 14:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 01:09 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-15 09:33 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2008-01-15 18:41 1115728]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-13 21:27 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-14 23:10 219136]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
backup=C:\WINDOWS\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
backup=C:\WINDOWS\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeff^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Jeff\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a------ 2007-06-14 15:48 149024 C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-13 21:35 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 04:50 71216 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2005-11-22 16:05 344064 C:\WINDOWS\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATITool]
--a------ 2008-01-13 20:16 3035136 C:\Program Files\ATITool\ATITool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\winD2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
C:\WINDOWS\system32\drvvoc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-01-14 14:12 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ElbyCheckElbyCDFL]
--a------ 2001-12-06 13:09 45056 C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 16:52 50736 C:\Program Files\Common Files\AOL\1160445705\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-03-02 15:24 257088 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\mlljh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--a------ 2002-02-04 21:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
--a------ 2008-01-13 22:43 160592 C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSRaid]
--------- 2004-12-22 16:32 892928 C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\system32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-13 22:56 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon Custom Uninstall Tracking]
C:\DOCUME~1\Jeff\LOCALS~1\Temp\InstallHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
C:\Program Files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"AOL ACS"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
"ose"=3 (0x3)

S1 mp32;mp3 audio;C:\WINDOWS\system32\dxdss.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-09-27 15:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56ed281c-a43c-11db-89d6-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3c6a8d2-898f-11db-9a4e-806d6172696f}]
\Shell\AutoRun\command - E:\monsetup.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 19:01:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-21 19:03:04
ComboFix-quarantined-files.txt 2008-01-22 03:03:01
ComboFix2.txt 2008-01-22 02:38:09
ComboFix3.txt 2008-01-22 01:31:40
ComboFix4.txt 2008-01-16 04:08:35
.
2008-01-10 06:42:08 --- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 7:03:36 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - (no file)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - (no file)

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 21 January 2008 - 09:14 PM

IP Location: Private Ip Address Lan
IP Address: 169.254.1.0
Blacklist Status: Clear

Whois Record
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 169.254.0.0 - 169.254.255.255
CIDR: 169.254.0.0/16
NetName: LINKLOCAL
NetHandle: NET-169-254-0-0-1
Parent: NET-169-0-0-0-0


Delete all files in this folder
C:\temp\<...All Files, not the folder.


Good job :thumbup:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    • Posted Image


    Here's my usual all clean post

    Log looks good :D


    You need to create a new Clean restore point.

    Note: This will remove all previous Restore Points

    Click Start Menu > Run > copy and paste

    %SystemRoot%\System32\restore\rstrui.exe

    Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

    Double-click My Computer.
    Click the Tools menu, and then click Folder Options.
    Click the View tab.
    Check "Hide file extensions for known file types."
    Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
    Check "Hide protected operating system files."
    Click Apply, and then click OK.

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      • From within Internet Explorer click on the Tools menu and then click on Options.
      • Click once on the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is succeptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:
    Note: I no longer suggest Zone Alarm

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
    settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

    Using IE-SPYAD to help block unwanted sites and activities

  • Winpatrol


  • Update all these programs regularly - Make sure you update all the programs I have listed regularly.
    Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#9 Weasel225

Weasel225

    New Member

  • New Member
  • Pip
  • 12 posts

Posted 21 January 2008 - 09:38 PM

All of your suggestions have been implemented. Is that IP range safe to clear from my firewall? I am still getting hit from it every 2-3 sec and some of the packets are malformed or fake. I have installed Spyware blaster and Win patrol, are these compatible with AVG spyware/Spybot, or should I dump either of those? Thanks again for all the help, I can usually remove most of this on my own, but I knew I was missing something when i saw a reoccurence.

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 22 January 2008 - 06:39 AM

That IP could be your network card / router / ISP service, etc. If I were you I'd call my ISP and ask them if it belongs to them.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#11 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 23 January 2008 - 03:44 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users