Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93081 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Closed] possibly Trojan Virtumonde?


  • This topic is locked This topic is locked
16 replies to this topic

#1 tomatosalsa

tomatosalsa

    Authentic Member

  • Authentic Member
  • PipPip
  • 23 posts

Posted 02 June 2008 - 07:30 AM

Hi,

This is my first time using such a forum..i have tried/looked at alot of different ways to rectify my problem, and i dont know what else to do.
Spybot S&D found Virtumonde on my computer, but i have also run vundofix.exe and virtumundobegone.exe but neither of them found any infected files.

My problem atm is that my mozilla firefox and internet explorer won't display some webpages for me. My google search bar doesnt generate any webpages, however, if i enter a direct link into the address bar, it works. I'm not sure if that's related to the virus, but it never use to happen!!

Anyway, enough babbling from me: I've dl hijackthis.exe and here is my logfile, i really hope you can help me!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:45 PM, on 2/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {BCD747FB-3498-464D-8986-EF8551A5687B} - C:\WINDOWS\system32\byXqrpNd.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [30dc99fc] rundll32.exe "C:\WINDOWS\system32\cvwilpwl.dll",b
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BM33efaa60] Rundll32.exe "C:\WINDOWS\system32\wuhgcajp.dll",s
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Nigel\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189148533843
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O17 - HKLM\System\CS2\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O17 - HKLM\System\CS3\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: geeby - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 12218 bytes

    Advertisements

Register to Remove


#2 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 02 June 2008 - 08:39 AM

Hello

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.



Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.




Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#3 tomatosalsa

tomatosalsa

    Authentic Member

  • Authentic Member
  • PipPip
  • 23 posts

Posted 05 June 2008 - 09:49 PM

Hi, sorry i took so long ><
hectic period with exams atm.

anyway, below is my combo fix log:

ComboFix 08-06-05.3 - Veronica 2008-06-06 13:17:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.750 [GMT 10:00]
Running from: C:\Documents and Settings\Veronica\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM33efaa60.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dNprqXyb.ini
C:\WINDOWS\system32\dNprqXyb.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qgoeirkr.ini
C:\WINDOWS\system32\vtUklmKe.dll
C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.bak2
C:\WINDOWS\system32\ybeeg.ini
C:\WINDOWS\system32\ybeeg.ini2
C:\WINDOWS\system32\ybeeg.tmp
C:\WINDOWS\system32\ybeeg.tmp2

.
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-02 23:16 . 2008-06-02 23:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-02 22:22 . 2008-06-02 22:22 <DIR> d-------- C:\Program Files\Windows Defender
2008-06-02 13:09 . 2008-06-02 13:09 <DIR> d-------- C:\Documents and Settings\Allen\Application Data\ESET
2008-06-01 13:05 . 2008-06-01 13:05 <DIR> d-------- C:\Program Files\MSBuild
2008-06-01 04:29 . 2008-06-01 04:29 <DIR> d-------- C:\Documents and Settings\Veronica\Application Data\ESET
2008-06-01 04:12 . 2008-06-01 12:44 <DIR> d-------- C:\Program Files\ESET
2008-06-01 04:12 . 2008-06-01 04:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-01 02:54 . 2008-06-01 02:05 294 --ahs---- C:\WINDOWS\system32\lwpliwvc.ini
2008-06-01 02:04 . 2008-06-01 02:04 1,485,014 --ahs---- C:\WINDOWS\system32\lwpliwvc.tmp
2008-05-31 23:41 . 2008-06-01 03:35 121 --a------ C:\WINDOWS\bdagent.INI
2008-05-31 22:44 . 2008-06-01 03:33 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-05-31 18:16 . 2008-06-06 13:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-31 18:16 . 2008-05-31 18:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-31 14:52 . 2008-05-31 14:46 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-31 14:38 . 2008-04-14 10:12 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-05-31 14:37 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-05-31 14:37 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-05-31 14:37 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-05-31 14:37 . 2004-08-03 22:29 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-05-31 14:37 . 2008-04-14 10:12 18,944 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-05-31 14:37 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-05-31 14:37 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-05-31 14:36 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2008-05-31 14:36 . 2004-08-03 22:31 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-05-31 14:36 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2008-05-31 14:36 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2008-05-31 14:36 . 2004-08-03 22:29 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-05-31 14:36 . 2008-04-14 04:36 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-05-31 14:36 . 2008-04-14 10:12 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-05-31 14:34 . 2001-08-17 13:28 765,884 --a--c--- C:\WINDOWS\system32\dllcache\usrti.sys
2008-05-31 14:34 . 2001-08-17 13:28 687,999 --a--c--- C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2008-05-31 14:34 . 2001-08-17 13:28 604,253 --a--c--- C:\WINDOWS\system32\dllcache\vmodem.sys
2008-05-31 14:34 . 2001-08-17 13:28 397,502 --a--c--- C:\WINDOWS\system32\dllcache\vpctcom.sys
2008-05-31 14:34 . 2001-08-17 12:14 249,402 --a--c--- C:\WINDOWS\system32\dllcache\vinwm.sys
2008-05-31 14:34 . 2001-08-17 13:28 64,605 --a--c--- C:\WINDOWS\system32\dllcache\vvoice.sys
2008-05-31 14:34 . 2001-08-17 13:49 24,576 --a--c--- C:\WINDOWS\system32\dllcache\viairda.sys
2008-05-31 14:34 . 2008-04-14 04:40 5,376 --a--c--- C:\WINDOWS\system32\dllcache\viaide.sys
2008-05-31 14:32 . 2001-08-17 22:36 216,064 --a--c--- C:\WINDOWS\system32\dllcache\um34scan.dll
2008-05-31 14:32 . 2001-08-17 22:36 211,968 --a--c--- C:\WINDOWS\system32\dllcache\um54scan.dll
2008-05-31 14:32 . 2001-08-17 22:36 69,632 --a--c--- C:\WINDOWS\system32\dllcache\umaxu12.dll
2008-05-31 14:32 . 2001-08-17 22:36 50,688 --a--c--- C:\WINDOWS\system32\dllcache\umaxscan.dll
2008-05-31 14:32 . 2001-08-17 22:36 50,176 --a--c--- C:\WINDOWS\system32\dllcache\umaxp60.dll
2008-05-31 14:32 . 2001-08-17 22:36 47,616 --a--c--- C:\WINDOWS\system32\dllcache\umaxcam.dll
2008-05-31 14:32 . 2001-08-17 13:52 36,736 --a--c--- C:\WINDOWS\system32\dllcache\ultra.sys
2008-05-31 14:32 . 2001-08-17 22:36 26,624 --a--c--- C:\WINDOWS\system32\dllcache\umaxu22.dll
2008-05-31 14:32 . 2001-08-17 13:58 22,912 --a--c--- C:\WINDOWS\system32\dllcache\umaxpcls.sys
2008-05-31 14:32 . 2001-08-17 13:48 11,520 --a--c--- C:\WINDOWS\system32\dllcache\twotrack.sys
2008-05-31 14:31 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-05-31 14:31 . 2001-08-17 14:56 440,576 --a--c--- C:\WINDOWS\system32\dllcache\tridkb.dll
2008-05-31 14:31 . 2001-08-17 14:56 315,520 --a--c--- C:\WINDOWS\system32\dllcache\trid3d.dll
2008-05-31 14:31 . 2001-08-17 12:51 222,336 --a--c--- C:\WINDOWS\system32\dllcache\trid3dm.sys
2008-05-31 14:31 . 2001-08-17 12:51 166,784 --a--c--- C:\WINDOWS\system32\dllcache\tridxpm.sys
2008-05-31 14:31 . 2001-08-17 12:51 159,232 --a--c--- C:\WINDOWS\system32\dllcache\tridkbm.sys
2008-05-31 14:31 . 2008-04-14 10:12 82,944 --a--c--- C:\WINDOWS\system32\dllcache\tp4mon.exe
2008-05-31 14:31 . 2001-08-17 22:35 42,496 --a--c--- C:\WINDOWS\system32\dllcache\tp4res.dll
2008-05-31 14:31 . 2001-08-17 12:12 34,375 --a--c--- C:\WINDOWS\system32\dllcache\tpro4.sys
2008-05-31 14:31 . 2001-08-17 22:36 31,744 --a--c--- C:\WINDOWS\system32\dllcache\tp4.dll
2008-05-31 14:30 . 2001-08-17 14:01 241,664 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2008-05-31 14:30 . 2001-08-17 14:02 230,912 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd03.sys
2008-05-31 14:30 . 2008-04-14 04:40 149,376 --a--c--- C:\WINDOWS\system32\dllcache\tffsport.sys
2008-05-31 14:30 . 2001-08-17 12:51 138,528 --a--c--- C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2008-05-31 14:30 . 2001-08-17 12:14 123,995 --a--c--- C:\WINDOWS\system32\dllcache\tjisdn.sys
2008-05-31 14:30 . 2001-08-17 14:56 81,408 --a--c--- C:\WINDOWS\system32\dllcache\tgiul50.dll
2008-05-31 14:30 . 2001-08-17 12:13 37,961 --a--c--- C:\WINDOWS\system32\dllcache\tdk100b.sys
2008-05-31 14:30 . 2001-08-17 12:10 28,232 --a--c--- C:\WINDOWS\system32\dllcache\tos4mo.sys
2008-05-31 14:30 . 2001-08-17 12:13 17,129 --a--c--- C:\WINDOWS\system32\dllcache\tdkcd31.sys
2008-05-31 14:30 . 2001-08-17 13:51 4,992 --a--c--- C:\WINDOWS\system32\dllcache\toside.sys
2008-05-31 14:29 . 2001-08-17 14:56 172,768 --a--c--- C:\WINDOWS\system32\dllcache\t2r4disp.dll
2008-05-31 14:29 . 2001-08-17 13:50 103,936 --a--c--- C:\WINDOWS\system32\dllcache\sx.sys
2008-05-31 14:29 . 2001-08-17 22:36 94,293 --a--c--- C:\WINDOWS\system32\dllcache\sxports.dll
2008-05-31 14:29 . 2001-08-17 12:50 36,640 --a--c--- C:\WINDOWS\system32\dllcache\t2r4mini.sys
2008-05-31 14:29 . 2001-08-17 14:07 32,640 --a--c--- C:\WINDOWS\system32\dllcache\symc8xx.sys
2008-05-31 14:29 . 2001-08-17 14:07 30,688 --a--c--- C:\WINDOWS\system32\dllcache\sym_u3.sys
2008-05-31 14:29 . 2001-08-17 13:49 30,464 --a--c--- C:\WINDOWS\system32\dllcache\tbatm155.sys
2008-05-31 14:29 . 2001-08-17 14:07 28,384 --a--c--- C:\WINDOWS\system32\dllcache\sym_hi.sys
2008-05-31 14:29 . 2001-08-17 14:07 16,256 --a--c--- C:\WINDOWS\system32\dllcache\symc810.sys
2008-05-31 14:29 . 2001-08-17 13:52 7,040 --a--c--- C:\WINDOWS\system32\dllcache\tandqic.sys
2008-05-31 14:28 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-05-31 14:28 . 2001-08-17 22:36 155,648 --a--c--- C:\WINDOWS\system32\dllcache\stlnprop.dll
2008-05-31 14:28 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\sw_wheel.dll
2008-05-31 14:28 . 2001-08-17 22:36 53,248 --a--c--- C:\WINDOWS\system32\dllcache\stlncoin.dll
2008-05-31 14:28 . 2001-08-17 12:11 48,736 --a--c--- C:\WINDOWS\system32\dllcache\srwlnd5.sys
2008-05-31 14:28 . 2001-08-17 22:36 41,472 --a--c--- C:\WINDOWS\system32\dllcache\sw_effct.dll
2008-05-31 14:28 . 2001-08-17 13:51 16,896 --a--c--- C:\WINDOWS\system32\dllcache\stcusb.sys
2008-05-31 14:28 . 2001-08-17 22:36 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpidflt.dll
2008-05-31 14:28 . 2001-08-17 22:36 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpdflt2.dll
2008-05-31 14:28 . 2001-08-17 14:02 3,968 --a--c--- C:\WINDOWS\system32\dllcache\swusbflt.sys
2008-05-31 14:26 . 2001-08-17 14:56 147,200 --a--c--- C:\WINDOWS\system32\dllcache\smidispb.dll
2008-05-31 14:26 . 2001-08-17 12:51 58,368 --a--c--- C:\WINDOWS\system32\dllcache\smiminib.sys
2008-05-31 14:26 . 2001-08-17 22:36 45,568 --a--c--- C:\WINDOWS\system32\dllcache\smb3w.dll
2008-05-31 14:26 . 2001-08-17 12:10 35,913 --a--c--- C:\WINDOWS\system32\dllcache\smcirda.sys
2008-05-31 14:26 . 2001-08-17 12:12 25,034 --a--c--- C:\WINDOWS\system32\dllcache\smcpwr2n.sys
2008-05-31 14:26 . 2001-08-17 12:12 24,576 --a--c--- C:\WINDOWS\system32\dllcache\smc8000n.sys
2008-05-31 14:26 . 2008-04-14 04:36 16,000 --a--c--- C:\WINDOWS\system32\dllcache\smbbatt.sys
2008-05-31 14:26 . 2008-04-14 04:36 6,912 --a--c--- C:\WINDOWS\system32\dllcache\smbclass.sys
2008-05-31 14:26 . 2001-08-17 13:57 6,784 --a--c--- C:\WINDOWS\system32\dllcache\smbhc.sys
2008-05-31 14:25 . 2001-08-17 14:56 157,696 --a--c--- C:\WINDOWS\system32\dllcache\sisv256.dll
2008-05-31 14:25 . 2001-08-17 12:12 94,698 --a--c--- C:\WINDOWS\system32\dllcache\sk98xwin.sys
2008-05-31 14:25 . 2001-08-17 12:12 91,294 --a--c--- C:\WINDOWS\system32\dllcache\skfpwin.sys
2008-05-31 14:25 . 2004-08-03 22:31 63,547 --a--c--- C:\WINDOWS\system32\dllcache\sla30nd5.sys
2008-05-31 14:25 . 2001-08-17 12:50 50,432 --a--c--- C:\WINDOWS\system32\dllcache\sisv.sys
2008-05-31 14:25 . 2001-08-17 22:36 33,792 --a--c--- C:\WINDOWS\system32\dllcache\smb0w.dll
2008-05-31 14:25 . 2004-08-03 22:31 32,768 --a--c--- C:\WINDOWS\system32\dllcache\sisnic.sys
2008-05-31 14:25 . 2001-08-17 22:36 28,672 --a--c--- C:\WINDOWS\system32\dllcache\sma0w.dll
2008-05-31 14:25 . 2001-08-17 22:36 28,160 --a--c--- C:\WINDOWS\system32\dllcache\sm91w.dll
2008-05-31 14:24 . 2001-08-17 22:36 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-05-31 14:24 . 2001-08-17 14:56 252,032 --a--c--- C:\WINDOWS\system32\dllcache\sis300iv.dll
2008-05-31 14:24 . 2001-08-17 22:36 238,592 --a--c--- C:\WINDOWS\system32\dllcache\sisgrv.dll
2008-05-31 14:24 . 2001-07-21 14:29 161,568 --a--c--- C:\WINDOWS\system32\dllcache\sgsmusb.sys
2008-05-31 14:24 . 2001-08-17 14:56 150,144 --a--c--- C:\WINDOWS\system32\dllcache\sis6306v.dll
2008-05-31 14:24 . 2001-08-17 12:50 104,064 --a--c--- C:\WINDOWS\system32\dllcache\sisgrp.sys
2008-05-31 14:24 . 2001-08-17 12:50 101,760 --a--c--- C:\WINDOWS\system32\dllcache\sis300ip.sys
2008-05-31 14:24 . 2001-08-17 12:51 98,080 --a--c--- C:\WINDOWS\system32\dllcache\sgiulnt5.sys
2008-05-31 14:24 . 2001-08-17 12:50 68,608 --a--c--- C:\WINDOWS\system32\dllcache\sis6306p.sys
2008-05-31 14:24 . 2001-07-21 14:29 18,400 --a--c--- C:\WINDOWS\system32\dllcache\sgsmld.sys
2008-05-31 14:23 . 2001-08-17 12:19 36,480 --a--c--- C:\WINDOWS\system32\dllcache\sfmanm.sys
2008-05-31 14:23 . 2001-08-17 13:51 23,936 --a--c--- C:\WINDOWS\system32\dllcache\sccmusbm.sys
2008-05-31 14:23 . 2001-08-17 13:48 17,664 --a--c--- C:\WINDOWS\system32\dllcache\sermouse.sys
2008-05-31 14:23 . 2001-08-17 13:51 17,280 --a--c--- C:\WINDOWS\system32\dllcache\scr111.sys
2008-05-31 14:23 . 2001-08-17 13:51 16,640 --a--c--- C:\WINDOWS\system32\dllcache\scmstcs.sys
2008-05-31 14:23 . 2001-08-17 13:52 11,648 --a--c--- C:\WINDOWS\system32\dllcache\scsiprnt.sys
2008-05-31 14:23 . 2008-04-14 04:45 11,520 --a--c--- C:\WINDOWS\system32\dllcache\scsiscan.sys
2008-05-31 14:23 . 2001-08-17 13:53 6,912 --a--c--- C:\WINDOWS\system32\dllcache\seaddsmc.sys
2008-05-31 14:23 . 2001-08-17 13:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2008-05-31 14:21 . 2001-08-17 14:56 182,272 --a--c--- C:\WINDOWS\system32\dllcache\s3mt3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 03:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-03 13:45 --------- d-----w C:\Documents and Settings\Allen\Application Data\Azureus
2008-06-02 09:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-01 03:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-31 17:25 --------- d-----w C:\Documents and Settings\Veronica\Application Data\Azureus
2008-05-31 15:45 --------- d-----w C:\Program Files\MSN Messenger
2008-05-28 10:33 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-05-24 02:33 --------- d-----w C:\Documents and Settings\Veronica\Application Data\Canon
2008-05-23 06:33 --------- d-----w C:\Program Files\Picasa2
2008-05-12 15:12 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-12 15:08 --------- d-----w C:\Program Files\WIN XP
2008-05-12 15:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-07 10:35 --------- d-----w C:\Documents and Settings\Veronica\Application Data\Nokia
2008-05-06 04:32 --------- d-----w C:\Documents and Settings\Veronica\Application Data\PC Suite
2008-05-06 03:57 --------- d-----w C:\Program Files\VideoLAN
2008-04-29 01:07 --------- d-----w C:\Documents and Settings\Roxy\Application Data\Launchy
2008-04-27 03:24 --------- d-----w C:\Program Files\Azureus
2008-04-21 23:41 --------- d-----w C:\Documents and Settings\Allen\Application Data\Launchy
2008-04-21 10:55 --------- d-----w C:\Program Files\Launchy
2008-04-21 10:55 --------- d-----w C:\Documents and Settings\Veronica\Application Data\Launchy
2008-04-14 00:12 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2008-04-11 03:45 --------- d-----w C:\Documents and Settings\Allen\Application Data\vlc
2008-04-10 09:16 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-10 09:16 --------- d-----w C:\Program Files\Common Files\Nokia
2008-04-10 09:11 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-10 09:08 --------- d-----w C:\Program Files\Nokia
2008-04-10 09:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
.



and this is the new hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:47, on 2008-06-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {BCD747FB-3498-464D-8986-EF8551A5687B} - C:\WINDOWS\system32\byXqrpNd.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Nigel\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189148533843
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O17 - HKLM\System\CS2\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O17 - HKLM\System\CS3\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: geeby - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 11500 bytes

#4 tomatosalsa

tomatosalsa

    Authentic Member

  • Authentic Member
  • PipPip
  • 23 posts

Posted 06 June 2008 - 05:09 AM

and below is the kaspersky log, cos it wouldnt fit with the above text.... i cut out some of the list because the objects were locked, but i checked to make sure they weren't infected... i hope thats ok...? i looked and checked that the 13 infected ones were accounted for though. ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Friday, June 06, 2008 8:27:34 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 6/06/2008 Kaspersky Anti-Virus database records: 833145 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ I:\ Scan Statistics: Total number of scanned objects: 136578 Number of viruses found: 3 Number of infected objects: 13 Number of suspicious objects: 0 Duration of the scan process: 03:37:05 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Charon\CACHE.NDB Object is locked skipped C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\epfwlog.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\virlog.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\warnlog.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf3.tmp Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf4.tmp Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_224.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-06022008-222457.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/pmnnk.dll Infected: Trojan.Win32.Monder.gen skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: infected - 1 skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/pmnnk.dll Infected: Trojan.Win32.Monder.gen skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip ZIP: infected - 1 skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Desktop Search\Logs\UNCFATPHLog.txt Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Veronica\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Veronica\ntuser.dat.LOG Object is locked skipped C:\QooBox\Quarantine\C\WINDOWS\system32\vtUklmKe.dll.vir Infected: Trojan.Win32.Monder.lw skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{5432DF58-F2F7-47CE-857A-F49AE53B9BA3}\RP279\A0047098.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\System Volume Information\_restore{5432DF58-F2F7-47CE-857A-F49AE53B9BA3}\RP292\A0059314.dll Infected: Trojan.Win32.Monder.gen skipped C:\System Volume Information\_restore{5432DF58-F2F7-47CE-857A-F49AE53B9BA3}\RP292\A0059315.dll Infected: Trojan.Win32.Monder.gen skipped C:\System Volume Information\_restore{5432DF58-F2F7-47CE-857A-F49AE53B9BA3}\RP292\A0059316.dll Infected: Trojan.Win32.Monder.gen skipped C:\System Volume Information\_restore{5432DF58-F2F7-47CE-857A-F49AE53B9BA3}\RP292\A0059317.dll Infected: Trojan.Win32.Monder.gen skipped C:\System Volume Information\_restore{5432DF58-F2F7-47CE-857A-F49AE53B9BA3}\RP292\A0059318.dll Infected: Trojan.Win32.Monder.gen skipped C:\System Volume Information\_restore{5432DF58-F2F7-47CE-857A-F49AE53B9BA3}\RP292\A0059319.dll Infected: Trojan.Win32.Monder.gen skipped C:\System Volume Information\_restore{5432DF58-F2F7-47CE-857A-F49AE53B9BA3}\RP293\A0059424.dll Infected: Trojan.Win32.Monder.lw skipped C:\System Volume Information\_restore{5432DF58-F2F7-47CE-857A-F49AE53B9BA3}\RP294\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped C:\WINDOWS\system32\config\OSession.evt Object is locked skipped C:\WINDOWS\system32\config\sam Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\security Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped D:\RECYCLER\NPROTECT\00000005.db Object is locked skipped D:\RECYCLER\NPROTECT\00000006.AVI Object is locked skipped D:\RECYCLER\NPROTECT\00000007.AVI Object is locked skipped D:\RECYCLER\NPROTECT\00000008.AVI Object is locked skipped Scan process completed.

#5 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 08 June 2008 - 04:55 PM

Hello

Rename HijackThis.exe to Tom.exe


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\lwpliwvc.ini
C:\WINDOWS\system32\lwpliwvc.tmp

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Also post a new HijackThis log

#6 tomatosalsa

tomatosalsa

    Authentic Member

  • Authentic Member
  • PipPip
  • 23 posts

Posted 08 June 2008 - 09:35 PM

thats the new combofix log..

ComboFix 08-06-05.3 - Veronica 2008-06-09 13:18:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.736 [GMT 10:00]
Running from: C:\Documents and Settings\Veronica\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Veronica\Desktop\CFScript.txt
* Resident AV is active


FILE ::
C:\WINDOWS\system32\lwpliwvc.ini
C:\WINDOWS\system32\lwpliwvc.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Veronica\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\lwpliwvc.ini
C:\WINDOWS\system32\lwpliwvc.tmp
.
---- Previous Run -------
.
C:\WINDOWS\BM33efaa60.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dNprqXyb.ini
C:\WINDOWS\system32\dNprqXyb.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qgoeirkr.ini
C:\WINDOWS\system32\vtUklmKe.dll
C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.bak2
C:\WINDOWS\system32\ybeeg.ini
C:\WINDOWS\system32\ybeeg.ini2
C:\WINDOWS\system32\ybeeg.tmp
C:\WINDOWS\system32\ybeeg.tmp2

.
((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-08 13:55 . 2008-06-08 13:55 <DIR> d-------- C:\Documents and Settings\Roxy\Application Data\ESET
2008-06-08 13:50 . 2008-06-08 13:50 <DIR> d-------- C:\Documents and Settings\Donna\Application Data\Windows Desktop Search
2008-06-08 13:50 . 2008-06-08 13:50 <DIR> d-------- C:\Documents and Settings\Donna\Application Data\Launchy
2008-06-08 13:50 . 2008-06-08 13:50 <DIR> d-------- C:\Documents and Settings\Donna\Application Data\ESET
2008-06-06 13:56 . 2008-06-06 13:56 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-02 23:16 . 2008-06-02 23:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-02 22:22 . 2008-06-02 22:22 <DIR> d-------- C:\Program Files\Windows Defender
2008-06-02 13:09 . 2008-06-02 13:09 <DIR> d-------- C:\Documents and Settings\Allen\Application Data\ESET
2008-06-01 13:05 . 2008-06-01 13:05 <DIR> d-------- C:\Program Files\MSBuild
2008-06-01 04:29 . 2008-06-01 04:29 <DIR> d-------- C:\Documents and Settings\Veronica\Application Data\ESET
2008-06-01 04:12 . 2008-06-01 12:44 <DIR> d-------- C:\Program Files\ESET
2008-06-01 04:12 . 2008-06-01 04:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-31 23:41 . 2008-06-01 03:35 121 --a------ C:\WINDOWS\bdagent.INI
2008-05-31 22:44 . 2008-06-01 03:33 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-05-31 18:16 . 2008-06-09 12:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-31 18:16 . 2008-05-31 18:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-31 14:52 . 2008-05-31 14:46 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-31 14:38 . 2008-04-14 10:12 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-05-31 14:37 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-05-31 14:37 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-05-31 14:37 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-05-31 14:37 . 2004-08-03 22:29 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-05-31 14:37 . 2008-04-14 10:12 18,944 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-05-31 14:37 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-05-31 14:37 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-05-31 14:36 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2008-05-31 14:36 . 2004-08-03 22:31 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-05-31 14:36 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2008-05-31 14:36 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2008-05-31 14:36 . 2004-08-03 22:29 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-05-31 14:36 . 2008-04-14 04:36 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-05-31 14:36 . 2008-04-14 10:12 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-05-31 14:34 . 2001-08-17 13:28 765,884 --a--c--- C:\WINDOWS\system32\dllcache\usrti.sys
2008-05-31 14:34 . 2001-08-17 13:28 687,999 --a--c--- C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2008-05-31 14:34 . 2001-08-17 13:28 604,253 --a--c--- C:\WINDOWS\system32\dllcache\vmodem.sys
2008-05-31 14:34 . 2001-08-17 13:28 397,502 --a--c--- C:\WINDOWS\system32\dllcache\vpctcom.sys
2008-05-31 14:34 . 2001-08-17 12:14 249,402 --a--c--- C:\WINDOWS\system32\dllcache\vinwm.sys
2008-05-31 14:34 . 2001-08-17 13:28 64,605 --a--c--- C:\WINDOWS\system32\dllcache\vvoice.sys
2008-05-31 14:34 . 2001-08-17 13:49 24,576 --a--c--- C:\WINDOWS\system32\dllcache\viairda.sys
2008-05-31 14:34 . 2008-04-14 04:40 5,376 --a--c--- C:\WINDOWS\system32\dllcache\viaide.sys
2008-05-31 14:32 . 2001-08-17 22:36 216,064 --a--c--- C:\WINDOWS\system32\dllcache\um34scan.dll
2008-05-31 14:32 . 2001-08-17 22:36 211,968 --a--c--- C:\WINDOWS\system32\dllcache\um54scan.dll
2008-05-31 14:32 . 2001-08-17 22:36 69,632 --a--c--- C:\WINDOWS\system32\dllcache\umaxu12.dll
2008-05-31 14:32 . 2001-08-17 22:36 50,688 --a--c--- C:\WINDOWS\system32\dllcache\umaxscan.dll
2008-05-31 14:32 . 2001-08-17 22:36 50,176 --a--c--- C:\WINDOWS\system32\dllcache\umaxp60.dll
2008-05-31 14:32 . 2001-08-17 22:36 47,616 --a--c--- C:\WINDOWS\system32\dllcache\umaxcam.dll
2008-05-31 14:32 . 2001-08-17 13:52 36,736 --a--c--- C:\WINDOWS\system32\dllcache\ultra.sys
2008-05-31 14:32 . 2001-08-17 22:36 26,624 --a--c--- C:\WINDOWS\system32\dllcache\umaxu22.dll
2008-05-31 14:32 . 2001-08-17 13:58 22,912 --a--c--- C:\WINDOWS\system32\dllcache\umaxpcls.sys
2008-05-31 14:32 . 2001-08-17 13:48 11,520 --a--c--- C:\WINDOWS\system32\dllcache\twotrack.sys
2008-05-31 14:31 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-05-31 14:31 . 2001-08-17 14:56 440,576 --a--c--- C:\WINDOWS\system32\dllcache\tridkb.dll
2008-05-31 14:31 . 2001-08-17 14:56 315,520 --a--c--- C:\WINDOWS\system32\dllcache\trid3d.dll
2008-05-31 14:31 . 2001-08-17 12:51 222,336 --a--c--- C:\WINDOWS\system32\dllcache\trid3dm.sys
2008-05-31 14:31 . 2001-08-17 12:51 166,784 --a--c--- C:\WINDOWS\system32\dllcache\tridxpm.sys
2008-05-31 14:31 . 2001-08-17 12:51 159,232 --a--c--- C:\WINDOWS\system32\dllcache\tridkbm.sys
2008-05-31 14:31 . 2008-04-14 10:12 82,944 --a--c--- C:\WINDOWS\system32\dllcache\tp4mon.exe
2008-05-31 14:31 . 2001-08-17 22:35 42,496 --a--c--- C:\WINDOWS\system32\dllcache\tp4res.dll
2008-05-31 14:31 . 2001-08-17 12:12 34,375 --a--c--- C:\WINDOWS\system32\dllcache\tpro4.sys
2008-05-31 14:31 . 2001-08-17 22:36 31,744 --a--c--- C:\WINDOWS\system32\dllcache\tp4.dll
2008-05-31 14:30 . 2001-08-17 14:01 241,664 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2008-05-31 14:30 . 2001-08-17 14:02 230,912 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd03.sys
2008-05-31 14:30 . 2008-04-14 04:40 149,376 --a--c--- C:\WINDOWS\system32\dllcache\tffsport.sys
2008-05-31 14:30 . 2001-08-17 12:51 138,528 --a--c--- C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2008-05-31 14:30 . 2001-08-17 12:14 123,995 --a--c--- C:\WINDOWS\system32\dllcache\tjisdn.sys
2008-05-31 14:30 . 2001-08-17 14:56 81,408 --a--c--- C:\WINDOWS\system32\dllcache\tgiul50.dll
2008-05-31 14:30 . 2001-08-17 12:13 37,961 --a--c--- C:\WINDOWS\system32\dllcache\tdk100b.sys
2008-05-31 14:30 . 2001-08-17 12:10 28,232 --a--c--- C:\WINDOWS\system32\dllcache\tos4mo.sys
2008-05-31 14:30 . 2001-08-17 12:13 17,129 --a--c--- C:\WINDOWS\system32\dllcache\tdkcd31.sys
2008-05-31 14:30 . 2001-08-17 13:51 4,992 --a--c--- C:\WINDOWS\system32\dllcache\toside.sys
2008-05-31 14:29 . 2001-08-17 14:56 172,768 --a--c--- C:\WINDOWS\system32\dllcache\t2r4disp.dll
2008-05-31 14:29 . 2001-08-17 13:50 103,936 --a--c--- C:\WINDOWS\system32\dllcache\sx.sys
2008-05-31 14:29 . 2001-08-17 22:36 94,293 --a--c--- C:\WINDOWS\system32\dllcache\sxports.dll
2008-05-31 14:29 . 2001-08-17 12:50 36,640 --a--c--- C:\WINDOWS\system32\dllcache\t2r4mini.sys
2008-05-31 14:29 . 2001-08-17 14:07 32,640 --a--c--- C:\WINDOWS\system32\dllcache\symc8xx.sys
2008-05-31 14:29 . 2001-08-17 14:07 30,688 --a--c--- C:\WINDOWS\system32\dllcache\sym_u3.sys
2008-05-31 14:29 . 2001-08-17 13:49 30,464 --a--c--- C:\WINDOWS\system32\dllcache\tbatm155.sys
2008-05-31 14:29 . 2001-08-17 14:07 28,384 --a--c--- C:\WINDOWS\system32\dllcache\sym_hi.sys
2008-05-31 14:29 . 2001-08-17 14:07 16,256 --a--c--- C:\WINDOWS\system32\dllcache\symc810.sys
2008-05-31 14:29 . 2001-08-17 13:52 7,040 --a--c--- C:\WINDOWS\system32\dllcache\tandqic.sys
2008-05-31 14:28 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-05-31 14:28 . 2001-08-17 22:36 155,648 --a--c--- C:\WINDOWS\system32\dllcache\stlnprop.dll
2008-05-31 14:28 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\sw_wheel.dll
2008-05-31 14:28 . 2001-08-17 22:36 53,248 --a--c--- C:\WINDOWS\system32\dllcache\stlncoin.dll
2008-05-31 14:28 . 2001-08-17 12:11 48,736 --a--c--- C:\WINDOWS\system32\dllcache\srwlnd5.sys
2008-05-31 14:28 . 2001-08-17 22:36 41,472 --a--c--- C:\WINDOWS\system32\dllcache\sw_effct.dll
2008-05-31 14:28 . 2001-08-17 13:51 16,896 --a--c--- C:\WINDOWS\system32\dllcache\stcusb.sys
2008-05-31 14:28 . 2001-08-17 22:36 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpidflt.dll
2008-05-31 14:28 . 2001-08-17 22:36 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpdflt2.dll
2008-05-31 14:28 . 2001-08-17 14:02 3,968 --a--c--- C:\WINDOWS\system32\dllcache\swusbflt.sys
2008-05-31 14:26 . 2001-08-17 14:56 147,200 --a--c--- C:\WINDOWS\system32\dllcache\smidispb.dll
2008-05-31 14:26 . 2001-08-17 12:51 58,368 --a--c--- C:\WINDOWS\system32\dllcache\smiminib.sys
2008-05-31 14:26 . 2001-08-17 22:36 45,568 --a--c--- C:\WINDOWS\system32\dllcache\smb3w.dll
2008-05-31 14:26 . 2001-08-17 12:10 35,913 --a--c--- C:\WINDOWS\system32\dllcache\smcirda.sys
2008-05-31 14:26 . 2001-08-17 12:12 25,034 --a--c--- C:\WINDOWS\system32\dllcache\smcpwr2n.sys
2008-05-31 14:26 . 2001-08-17 12:12 24,576 --a--c--- C:\WINDOWS\system32\dllcache\smc8000n.sys
2008-05-31 14:26 . 2008-04-14 04:36 16,000 --a--c--- C:\WINDOWS\system32\dllcache\smbbatt.sys
2008-05-31 14:26 . 2008-04-14 04:36 6,912 --a--c--- C:\WINDOWS\system32\dllcache\smbclass.sys
2008-05-31 14:26 . 2001-08-17 13:57 6,784 --a--c--- C:\WINDOWS\system32\dllcache\smbhc.sys
2008-05-31 14:25 . 2001-08-17 14:56 157,696 --a--c--- C:\WINDOWS\system32\dllcache\sisv256.dll
2008-05-31 14:25 . 2001-08-17 12:12 94,698 --a--c--- C:\WINDOWS\system32\dllcache\sk98xwin.sys
2008-05-31 14:25 . 2001-08-17 12:12 91,294 --a--c--- C:\WINDOWS\system32\dllcache\skfpwin.sys
2008-05-31 14:25 . 2004-08-03 22:31 63,547 --a--c--- C:\WINDOWS\system32\dllcache\sla30nd5.sys
2008-05-31 14:25 . 2001-08-17 12:50 50,432 --a--c--- C:\WINDOWS\system32\dllcache\sisv.sys
2008-05-31 14:25 . 2001-08-17 22:36 33,792 --a--c--- C:\WINDOWS\system32\dllcache\smb0w.dll
2008-05-31 14:25 . 2004-08-03 22:31 32,768 --a--c--- C:\WINDOWS\system32\dllcache\sisnic.sys
2008-05-31 14:25 . 2001-08-17 22:36 28,672 --a--c--- C:\WINDOWS\system32\dllcache\sma0w.dll
2008-05-31 14:25 . 2001-08-17 22:36 28,160 --a--c--- C:\WINDOWS\system32\dllcache\sm91w.dll
2008-05-31 14:24 . 2001-08-17 22:36 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-05-31 14:24 . 2001-08-17 14:56 252,032 --a--c--- C:\WINDOWS\system32\dllcache\sis300iv.dll
2008-05-31 14:24 . 2001-08-17 22:36 238,592 --a--c--- C:\WINDOWS\system32\dllcache\sisgrv.dll
2008-05-31 14:24 . 2001-07-21 14:29 161,568 --a--c--- C:\WINDOWS\system32\dllcache\sgsmusb.sys
2008-05-31 14:24 . 2001-08-17 14:56 150,144 --a--c--- C:\WINDOWS\system32\dllcache\sis6306v.dll
2008-05-31 14:24 . 2001-08-17 12:50 104,064 --a--c--- C:\WINDOWS\system32\dllcache\sisgrp.sys
2008-05-31 14:24 . 2001-08-17 12:50 101,760 --a--c--- C:\WINDOWS\system32\dllcache\sis300ip.sys
2008-05-31 14:24 . 2001-08-17 12:51 98,080 --a--c--- C:\WINDOWS\system32\dllcache\sgiulnt5.sys
2008-05-31 14:24 . 2001-08-17 12:50 68,608 --a--c--- C:\WINDOWS\system32\dllcache\sis6306p.sys
2008-05-31 14:24 . 2001-07-21 14:29 18,400 --a--c--- C:\WINDOWS\system32\dllcache\sgsmld.sys
2008-05-31 14:23 . 2001-08-17 12:19 36,480 --a--c--- C:\WINDOWS\system32\dllcache\sfmanm.sys
2008-05-31 14:23 . 2001-08-17 13:51 23,936 --a--c--- C:\WINDOWS\system32\dllcache\sccmusbm.sys
2008-05-31 14:23 . 2001-08-17 13:48 17,664 --a--c--- C:\WINDOWS\system32\dllcache\sermouse.sys
2008-05-31 14:23 . 2001-08-17 13:51 17,280 --a--c--- C:\WINDOWS\system32\dllcache\scr111.sys
2008-05-31 14:23 . 2001-08-17 13:51 16,640 --a--c--- C:\WINDOWS\system32\dllcache\scmstcs.sys
2008-05-31 14:23 . 2001-08-17 13:52 11,648 --a--c--- C:\WINDOWS\system32\dllcache\scsiprnt.sys
2008-05-31 14:23 . 2008-04-14 04:45 11,520 --a--c--- C:\WINDOWS\system32\dllcache\scsiscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-08 03:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-06 03:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-03 13:45 --------- d-----w C:\Documents and Settings\Allen\Application Data\Azureus
2008-06-02 09:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-01 03:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-31 17:25 --------- d-----w C:\Documents and Settings\Veronica\Application Data\Azureus
2008-05-31 15:45 --------- d-----w C:\Program Files\MSN Messenger
2008-05-28 10:33 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-05-24 02:33 --------- d-----w C:\Documents and Settings\Veronica\Application Data\Canon
2008-05-23 06:33 --------- d-----w C:\Program Files\Picasa2
2008-05-12 15:12 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-12 15:08 --------- d-----w C:\Program Files\WIN XP
2008-05-12 15:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-07 10:35 --------- d-----w C:\Documents and Settings\Veronica\Application Data\Nokia
2008-05-06 04:32 --------- d-----w C:\Documents and Settings\Veronica\Application Data\PC Suite
2008-05-06 03:59 --------- d-----w C:\Documents and Settings\Veronica\Application Data\vlc
2008-05-06 03:57 --------- d-----w C:\Program Files\VideoLAN
2008-04-29 01:07 --------- d-----w C:\Documents and Settings\Roxy\Application Data\Launchy
2008-04-27 03:24 --------- d-----w C:\Program Files\Azureus
2008-04-21 23:41 --------- d-----w C:\Documents and Settings\Allen\Application Data\Launchy
2008-04-21 10:55 --------- d-----w C:\Program Files\Launchy
2008-04-21 10:55 --------- d-----w C:\Documents and Settings\Veronica\Application Data\Launchy
2008-04-14 00:12 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2008-04-11 03:45 --------- d-----w C:\Documents and Settings\Allen\Application Data\vlc
2008-04-10 09:11 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-10 09:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
.
<pre>
-c--a-w		   620,152 2008-01-11 03:26:21  C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w		 5,674,352 2008-01-11 03:26:40  C:\Program Files\MSN Messenger\msnmsgr .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCD747FB-3498-464D-8986-EF8551A5687B}]
C:\WINDOWS\system32\byXqrpNd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2008-02-12 20:33 5674352]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 18:54 623992]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 13:18 267048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 22:13 385024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 22:00 15360]

C:\Documents and Settings\Allen\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2008-04-21 20:55:16 274432]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geeby]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"VIDC.FFDS"= ffdshow.ax
"msacm.l3fhg"= mp3fhg.acm
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.mpegacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\mpegacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr .exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46770af7-f9f6-11dc-a29d-0050bf7e19bd}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

.
Contents of the 'Scheduled Tasks' folder
"2008-06-03 10:43:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-09 03:00:00 C:\WINDOWS\Tasks\B407A9869120563A.job"
- c:\docume~1\veronica\applic~1\viewde~1\Creative first hold.exe
"2008-05-31 16:00:47 C:\WINDOWS\Tasks\baackup.job"
- C:\Program Files\BitDefender\BitDefender Backup\backup.exe
"2008-05-31 16:00:47 C:\WINDOWS\Tasks\backup.job"
- C:\Program Files\BitDefender\BitDefender Backup\backup.exe
"2008-06-09 03:07:48 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-09 03:28:04 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 13:26:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"
.
Completion time: 2008-06-09 13:32:27
ComboFix-quarantined-files.txt 2008-06-09 03:31:14

Pre-Run: 4,698,681,344 bytes free
Post-Run: 4,739,330,048 bytes free

288 --- E O F --- 2008-06-06 03:46:02


and this is the new hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:43 PM, on 9/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Tom.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {BCD747FB-3498-464D-8986-EF8551A5687B} - C:\WINDOWS\system32\byXqrpNd.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Nigel\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189148533843
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O17 - HKLM\System\CS2\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O17 - HKLM\System\CS3\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: geeby - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 11703 bytes

#7 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 09 June 2008 - 05:03 AM

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\Tasks\B407A9869120563A.job

Folder::
c:\docume~1\veronica\applic~1\viewde~1

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46770af7-f9f6-11dc-a29d-0050bf7e19bd}]

Driver::
MSControlService

RenV::
-c--a-w 620,152 2008-01-11 03:26:21 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 5,674,352 2008-01-11 03:26:40 C:\Program Files\MSN Messenger\msnmsgr .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall





Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Also post a new HijackThis log

#8 tomatosalsa

tomatosalsa

    Authentic Member

  • Authentic Member
  • PipPip
  • 23 posts

Posted 09 June 2008 - 05:24 AM

hey!! thanks for helping me out with all this stuff can i just get a deeper understanding as to what all these scripts and stuff are doing? is the virus trojan virtumonde? will upload the new logs soon =)

#9 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 09 June 2008 - 05:32 AM

It is a mixture of LOP and Vundo This should remove it all

#10 tomatosalsa

tomatosalsa

    Authentic Member

  • Authentic Member
  • PipPip
  • 23 posts

Posted 10 June 2008 - 01:42 AM

the new combofix log

ComboFix 08-06-05.3 - Veronica 2008-06-10 16:59:02.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.808 [GMT 10:00]
Running from: C:\Documents and Settings\Veronica\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Veronica\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\Tasks\B407A9869120563A.job
.
/wow section - STAGE 41
pv: No matching processes found
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Tasks\B407A9869120563A.job

.
((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

2008-06-08 13:55 . 2008-06-08 13:55 <DIR> d-------- C:\Documents and Settings\Roxy\Application Data\ESET
2008-06-08 13:50 . 2008-06-08 13:50 <DIR> d-------- C:\Documents and Settings\Donna\Application Data\Windows Desktop Search
2008-06-08 13:50 . 2008-06-08 13:50 <DIR> d-------- C:\Documents and Settings\Donna\Application Data\Launchy
2008-06-08 13:50 . 2008-06-08 13:50 <DIR> d-------- C:\Documents and Settings\Donna\Application Data\ESET
2008-06-06 13:56 . 2008-06-06 13:56 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-02 23:16 . 2008-06-02 23:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-02 22:22 . 2008-06-02 22:22 <DIR> d-------- C:\Program Files\Windows Defender
2008-06-02 13:09 . 2008-06-02 13:09 <DIR> d-------- C:\Documents and Settings\Allen\Application Data\ESET
2008-06-01 13:05 . 2008-06-01 13:05 <DIR> d-------- C:\Program Files\MSBuild
2008-06-01 04:29 . 2008-06-01 04:29 <DIR> d-------- C:\Documents and Settings\Veronica\Application Data\ESET
2008-06-01 04:12 . 2008-06-01 12:44 <DIR> d-------- C:\Program Files\ESET
2008-06-01 04:12 . 2008-06-01 04:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-31 23:41 . 2008-06-01 03:35 121 --a------ C:\WINDOWS\bdagent.INI
2008-05-31 22:44 . 2008-06-01 03:33 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-05-31 18:16 . 2008-06-10 17:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-31 18:16 . 2008-05-31 18:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-31 14:52 . 2008-05-31 14:46 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-31 14:38 . 2008-04-14 10:12 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-05-31 14:37 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-05-31 14:37 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-05-31 14:37 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-05-31 14:37 . 2004-08-03 22:29 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-05-31 14:37 . 2008-04-14 10:12 18,944 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-05-31 14:37 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-05-31 14:37 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-05-31 14:36 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2008-05-31 14:36 . 2004-08-03 22:31 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-05-31 14:36 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2008-05-31 14:36 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2008-05-31 14:36 . 2004-08-03 22:29 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-05-31 14:36 . 2008-04-14 04:36 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-05-31 14:36 . 2008-04-14 10:12 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-05-31 14:34 . 2001-08-17 13:28 765,884 --a--c--- C:\WINDOWS\system32\dllcache\usrti.sys
2008-05-31 14:34 . 2001-08-17 13:28 687,999 --a--c--- C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2008-05-31 14:34 . 2001-08-17 13:28 604,253 --a--c--- C:\WINDOWS\system32\dllcache\vmodem.sys
2008-05-31 14:34 . 2001-08-17 13:28 397,502 --a--c--- C:\WINDOWS\system32\dllcache\vpctcom.sys
2008-05-31 14:34 . 2001-08-17 12:14 249,402 --a--c--- C:\WINDOWS\system32\dllcache\vinwm.sys
2008-05-31 14:34 . 2001-08-17 13:28 64,605 --a--c--- C:\WINDOWS\system32\dllcache\vvoice.sys
2008-05-31 14:34 . 2001-08-17 13:49 24,576 --a--c--- C:\WINDOWS\system32\dllcache\viairda.sys
2008-05-31 14:34 . 2008-04-14 04:40 5,376 --a--c--- C:\WINDOWS\system32\dllcache\viaide.sys
2008-05-31 14:32 . 2001-08-17 22:36 216,064 --a--c--- C:\WINDOWS\system32\dllcache\um34scan.dll
2008-05-31 14:32 . 2001-08-17 22:36 211,968 --a--c--- C:\WINDOWS\system32\dllcache\um54scan.dll
2008-05-31 14:32 . 2001-08-17 22:36 69,632 --a--c--- C:\WINDOWS\system32\dllcache\umaxu12.dll
2008-05-31 14:32 . 2001-08-17 22:36 50,688 --a--c--- C:\WINDOWS\system32\dllcache\umaxscan.dll
2008-05-31 14:32 . 2001-08-17 22:36 50,176 --a--c--- C:\WINDOWS\system32\dllcache\umaxp60.dll
2008-05-31 14:32 . 2001-08-17 22:36 47,616 --a--c--- C:\WINDOWS\system32\dllcache\umaxcam.dll
2008-05-31 14:32 . 2001-08-17 13:52 36,736 --a--c--- C:\WINDOWS\system32\dllcache\ultra.sys
2008-05-31 14:32 . 2001-08-17 22:36 26,624 --a--c--- C:\WINDOWS\system32\dllcache\umaxu22.dll
2008-05-31 14:32 . 2001-08-17 13:58 22,912 --a--c--- C:\WINDOWS\system32\dllcache\umaxpcls.sys
2008-05-31 14:32 . 2001-08-17 13:48 11,520 --a--c--- C:\WINDOWS\system32\dllcache\twotrack.sys
2008-05-31 14:31 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-05-31 14:31 . 2001-08-17 14:56 440,576 --a--c--- C:\WINDOWS\system32\dllcache\tridkb.dll
2008-05-31 14:31 . 2001-08-17 14:56 315,520 --a--c--- C:\WINDOWS\system32\dllcache\trid3d.dll
2008-05-31 14:31 . 2001-08-17 12:51 222,336 --a--c--- C:\WINDOWS\system32\dllcache\trid3dm.sys
2008-05-31 14:31 . 2001-08-17 12:51 166,784 --a--c--- C:\WINDOWS\system32\dllcache\tridxpm.sys
2008-05-31 14:31 . 2001-08-17 12:51 159,232 --a--c--- C:\WINDOWS\system32\dllcache\tridkbm.sys
2008-05-31 14:31 . 2008-04-14 10:12 82,944 --a--c--- C:\WINDOWS\system32\dllcache\tp4mon.exe
2008-05-31 14:31 . 2001-08-17 22:35 42,496 --a--c--- C:\WINDOWS\system32\dllcache\tp4res.dll
2008-05-31 14:31 . 2001-08-17 12:12 34,375 --a--c--- C:\WINDOWS\system32\dllcache\tpro4.sys
2008-05-31 14:31 . 2001-08-17 22:36 31,744 --a--c--- C:\WINDOWS\system32\dllcache\tp4.dll
2008-05-31 14:30 . 2001-08-17 14:01 241,664 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2008-05-31 14:30 . 2001-08-17 14:02 230,912 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd03.sys
2008-05-31 14:30 . 2008-04-14 04:40 149,376 --a--c--- C:\WINDOWS\system32\dllcache\tffsport.sys
2008-05-31 14:30 . 2001-08-17 12:51 138,528 --a--c--- C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2008-05-31 14:30 . 2001-08-17 12:14 123,995 --a--c--- C:\WINDOWS\system32\dllcache\tjisdn.sys
2008-05-31 14:30 . 2001-08-17 14:56 81,408 --a--c--- C:\WINDOWS\system32\dllcache\tgiul50.dll
2008-05-31 14:30 . 2001-08-17 12:13 37,961 --a--c--- C:\WINDOWS\system32\dllcache\tdk100b.sys
2008-05-31 14:30 . 2001-08-17 12:10 28,232 --a--c--- C:\WINDOWS\system32\dllcache\tos4mo.sys
2008-05-31 14:30 . 2001-08-17 12:13 17,129 --a--c--- C:\WINDOWS\system32\dllcache\tdkcd31.sys
2008-05-31 14:30 . 2001-08-17 13:51 4,992 --a--c--- C:\WINDOWS\system32\dllcache\toside.sys
2008-05-31 14:29 . 2001-08-17 14:56 172,768 --a--c--- C:\WINDOWS\system32\dllcache\t2r4disp.dll
2008-05-31 14:29 . 2001-08-17 13:50 103,936 --a--c--- C:\WINDOWS\system32\dllcache\sx.sys
2008-05-31 14:29 . 2001-08-17 22:36 94,293 --a--c--- C:\WINDOWS\system32\dllcache\sxports.dll
2008-05-31 14:29 . 2001-08-17 12:50 36,640 --a--c--- C:\WINDOWS\system32\dllcache\t2r4mini.sys
2008-05-31 14:29 . 2001-08-17 14:07 32,640 --a--c--- C:\WINDOWS\system32\dllcache\symc8xx.sys
2008-05-31 14:29 . 2001-08-17 14:07 30,688 --a--c--- C:\WINDOWS\system32\dllcache\sym_u3.sys
2008-05-31 14:29 . 2001-08-17 13:49 30,464 --a--c--- C:\WINDOWS\system32\dllcache\tbatm155.sys
2008-05-31 14:29 . 2001-08-17 14:07 28,384 --a--c--- C:\WINDOWS\system32\dllcache\sym_hi.sys
2008-05-31 14:29 . 2001-08-17 14:07 16,256 --a--c--- C:\WINDOWS\system32\dllcache\symc810.sys
2008-05-31 14:29 . 2001-08-17 13:52 7,040 --a--c--- C:\WINDOWS\system32\dllcache\tandqic.sys
2008-05-31 14:28 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-05-31 14:28 . 2001-08-17 22:36 155,648 --a--c--- C:\WINDOWS\system32\dllcache\stlnprop.dll
2008-05-31 14:28 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\sw_wheel.dll
2008-05-31 14:28 . 2001-08-17 22:36 53,248 --a--c--- C:\WINDOWS\system32\dllcache\stlncoin.dll
2008-05-31 14:28 . 2001-08-17 12:11 48,736 --a--c--- C:\WINDOWS\system32\dllcache\srwlnd5.sys
2008-05-31 14:28 . 2001-08-17 22:36 41,472 --a--c--- C:\WINDOWS\system32\dllcache\sw_effct.dll
2008-05-31 14:28 . 2001-08-17 13:51 16,896 --a--c--- C:\WINDOWS\system32\dllcache\stcusb.sys
2008-05-31 14:28 . 2001-08-17 22:36 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpidflt.dll
2008-05-31 14:28 . 2001-08-17 22:36 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpdflt2.dll
2008-05-31 14:28 . 2001-08-17 14:02 3,968 --a--c--- C:\WINDOWS\system32\dllcache\swusbflt.sys
2008-05-31 14:26 . 2001-08-17 14:56 147,200 --a--c--- C:\WINDOWS\system32\dllcache\smidispb.dll
2008-05-31 14:26 . 2001-08-17 12:51 58,368 --a--c--- C:\WINDOWS\system32\dllcache\smiminib.sys
2008-05-31 14:26 . 2001-08-17 22:36 45,568 --a--c--- C:\WINDOWS\system32\dllcache\smb3w.dll
2008-05-31 14:26 . 2001-08-17 12:10 35,913 --a--c--- C:\WINDOWS\system32\dllcache\smcirda.sys
2008-05-31 14:26 . 2001-08-17 12:12 25,034 --a--c--- C:\WINDOWS\system32\dllcache\smcpwr2n.sys
2008-05-31 14:26 . 2001-08-17 12:12 24,576 --a--c--- C:\WINDOWS\system32\dllcache\smc8000n.sys
2008-05-31 14:26 . 2008-04-14 04:36 16,000 --a--c--- C:\WINDOWS\system32\dllcache\smbbatt.sys
2008-05-31 14:26 . 2008-04-14 04:36 6,912 --a--c--- C:\WINDOWS\system32\dllcache\smbclass.sys
2008-05-31 14:26 . 2001-08-17 13:57 6,784 --a--c--- C:\WINDOWS\system32\dllcache\smbhc.sys
2008-05-31 14:25 . 2001-08-17 14:56 157,696 --a--c--- C:\WINDOWS\system32\dllcache\sisv256.dll
2008-05-31 14:25 . 2001-08-17 12:12 94,698 --a--c--- C:\WINDOWS\system32\dllcache\sk98xwin.sys
2008-05-31 14:25 . 2001-08-17 12:12 91,294 --a--c--- C:\WINDOWS\system32\dllcache\skfpwin.sys
2008-05-31 14:25 . 2004-08-03 22:31 63,547 --a--c--- C:\WINDOWS\system32\dllcache\sla30nd5.sys
2008-05-31 14:25 . 2001-08-17 12:50 50,432 --a--c--- C:\WINDOWS\system32\dllcache\sisv.sys
2008-05-31 14:25 . 2001-08-17 22:36 33,792 --a--c--- C:\WINDOWS\system32\dllcache\smb0w.dll
2008-05-31 14:25 . 2004-08-03 22:31 32,768 --a--c--- C:\WINDOWS\system32\dllcache\sisnic.sys
2008-05-31 14:25 . 2001-08-17 22:36 28,672 --a--c--- C:\WINDOWS\system32\dllcache\sma0w.dll
2008-05-31 14:25 . 2001-08-17 22:36 28,160 --a--c--- C:\WINDOWS\system32\dllcache\sm91w.dll
2008-05-31 14:24 . 2001-08-17 22:36 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-05-31 14:24 . 2001-08-17 14:56 252,032 --a--c--- C:\WINDOWS\system32\dllcache\sis300iv.dll
2008-05-31 14:24 . 2001-08-17 22:36 238,592 --a--c--- C:\WINDOWS\system32\dllcache\sisgrv.dll
2008-05-31 14:24 . 2001-07-21 14:29 161,568 --a--c--- C:\WINDOWS\system32\dllcache\sgsmusb.sys
2008-05-31 14:24 . 2001-08-17 14:56 150,144 --a--c--- C:\WINDOWS\system32\dllcache\sis6306v.dll
2008-05-31 14:24 . 2001-08-17 12:50 104,064 --a--c--- C:\WINDOWS\system32\dllcache\sisgrp.sys
2008-05-31 14:24 . 2001-08-17 12:50 101,760 --a--c--- C:\WINDOWS\system32\dllcache\sis300ip.sys
2008-05-31 14:24 . 2001-08-17 12:51 98,080 --a--c--- C:\WINDOWS\system32\dllcache\sgiulnt5.sys
2008-05-31 14:24 . 2001-08-17 12:50 68,608 --a--c--- C:\WINDOWS\system32\dllcache\sis6306p.sys
2008-05-31 14:24 . 2001-07-21 14:29 18,400 --a--c--- C:\WINDOWS\system32\dllcache\sgsmld.sys
2008-05-31 14:23 . 2001-08-17 12:19 36,480 --a--c--- C:\WINDOWS\system32\dllcache\sfmanm.sys
2008-05-31 14:23 . 2001-08-17 13:51 23,936 --a--c--- C:\WINDOWS\system32\dllcache\sccmusbm.sys
2008-05-31 14:23 . 2001-08-17 13:48 17,664 --a--c--- C:\WINDOWS\system32\dllcache\sermouse.sys
2008-05-31 14:23 . 2001-08-17 13:51 17,280 --a--c--- C:\WINDOWS\system32\dllcache\scr111.sys
2008-05-31 14:23 . 2001-08-17 13:51 16,640 --a--c--- C:\WINDOWS\system32\dllcache\scmstcs.sys
2008-05-31 14:23 . 2001-08-17 13:52 11,648 --a--c--- C:\WINDOWS\system32\dllcache\scsiprnt.sys
2008-05-31 14:23 . 2008-04-14 04:45 11,520 --a--c--- C:\WINDOWS\system32\dllcache\scsiscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 05:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-06 03:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-03 13:45 --------- d-----w C:\Documents and Settings\Allen\Application Data\Azureus
2008-06-02 09:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-01 03:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-31 17:25 --------- d-----w C:\Documents and Settings\Veronica\Application Data\Azureus
2008-05-31 15:45 --------- d-----w C:\Program Files\MSN Messenger
2008-05-28 10:33 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-05-24 02:33 --------- d-----w C:\Documents and Settings\Veronica\Application Data\Canon
2008-05-23 06:33 --------- d-----w C:\Program Files\Picasa2
2008-05-12 15:12 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-12 15:08 --------- d-----w C:\Program Files\WIN XP
2008-05-12 15:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-07 10:35 --------- d-----w C:\Documents and Settings\Veronica\Application Data\Nokia
2008-05-06 04:32 --------- d-----w C:\Documents and Settings\Veronica\Application Data\PC Suite
2008-05-06 03:59 --------- d-----w C:\Documents and Settings\Veronica\Application Data\vlc
2008-05-06 03:57 --------- d-----w C:\Program Files\VideoLAN
2008-04-29 01:07 --------- d-----w C:\Documents and Settings\Roxy\Application Data\Launchy
2008-04-27 03:24 --------- d-----w C:\Program Files\Azureus
2008-04-21 23:41 --------- d-----w C:\Documents and Settings\Allen\Application Data\Launchy
2008-04-21 10:55 --------- d-----w C:\Program Files\Launchy
2008-04-21 10:55 --------- d-----w C:\Documents and Settings\Veronica\Application Data\Launchy
2008-04-14 00:12 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2008-04-11 03:45 --------- d-----w C:\Documents and Settings\Allen\Application Data\vlc
2008-04-10 09:11 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-10 09:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
.
<pre>
-c--a-w		   620,152 2008-01-11 03:26:21  C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w		 5,674,352 2008-01-11 03:26:40  C:\Program Files\MSN Messenger\msnmsgr .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-06-09_13.30.28.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-09 02:46:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-10 07:13:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-31 15:42:57 47,890 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-09 12:02:43 47,890 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-31 15:42:57 335,552 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-09 12:02:43 335,552 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCD747FB-3498-464D-8986-EF8551A5687B}]
C:\WINDOWS\system32\byXqrpNd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2008-02-12 20:33 5674352]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 18:54 623992]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 13:18 267048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 22:13 385024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 22:00 15360]

C:\Documents and Settings\Allen\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2008-04-21 20:55:16 274432]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geeby]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"VIDC.FFDS"= ffdshow.ax
"msacm.l3fhg"= mp3fhg.acm
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.mpegacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\mpegacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr .exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-03 10:43:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-31 16:00:47 C:\WINDOWS\Tasks\baackup.job"
- C:\Program Files\BitDefender\BitDefender Backup\backup.exe
"2008-05-31 16:00:47 C:\WINDOWS\Tasks\backup.job"
- C:\Program Files\BitDefender\BitDefender Backup\backup.exe
"2008-06-10 07:19:36 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-10 07:28:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 17:14:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\WINDOWS\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2008-06-10 17:29:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-10 07:29:38
ComboFix2.txt 2008-06-09 03:32:30

Pre-Run: 4,817,354,752 bytes free
Post-Run: 4,797,722,624 bytes free

296 --- E O F --- 2008-06-06 03:46:02


this is the malwarebytes log

Malwarebytes' Anti-Malware 1.16
Database version: 845

5:42:31 PM 10/06/2008
mbam-log-6-10-2008 (17-42-31).txt

Scan type: Quick Scan
Objects scanned: 46486
Time elapsed: 8 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSControlService (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

    Advertisements

Register to Remove


#11 tomatosalsa

tomatosalsa

    Authentic Member

  • Authentic Member
  • PipPip
  • 23 posts

Posted 10 June 2008 - 01:43 AM

and the new hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:47 PM, on 10/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Tom.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {BCD747FB-3498-464D-8986-EF8551A5687B} - C:\WINDOWS\system32\byXqrpNd.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Nigel\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189148533843
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O17 - HKLM\System\CS2\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O17 - HKLM\System\CS3\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: geeby - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 11476 bytes

#12 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 10 June 2008 - 05:43 AM

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

RenV::
-c--a-w 620,152 2008-01-11 03:26:21 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 5,674,352 2008-01-11 03:26:40 C:\Program Files\MSN Messenger\msnmsgr .exe



Folder::

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSControlService]

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


#13 tomatosalsa

tomatosalsa

    Authentic Member

  • Authentic Member
  • PipPip
  • 23 posts

Posted 11 June 2008 - 02:50 AM

hi!!

thats the latest combofix log:


ComboFix 08-06-05.3 - Veronica 2008-06-11 18:21:24.5 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.981 [GMT 10:00]
Running from: C:\Documents and Settings\Veronica\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Veronica\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-10 17:32 . 2008-06-10 17:32 <DIR> d-------- C:\Documents and Settings\Veronica\Application Data\Malwarebytes
2008-06-10 17:32 . 2008-06-10 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-08 13:55 . 2008-06-08 13:55 <DIR> d-------- C:\Documents and Settings\Roxy\Application Data\ESET
2008-06-08 13:50 . 2008-06-08 13:50 <DIR> d-------- C:\Documents and Settings\Donna\Application Data\Windows Desktop Search
2008-06-08 13:50 . 2008-06-08 13:50 <DIR> d-------- C:\Documents and Settings\Donna\Application Data\Launchy
2008-06-08 13:50 . 2008-06-08 13:50 <DIR> d-------- C:\Documents and Settings\Donna\Application Data\ESET
2008-06-06 13:56 . 2008-06-06 13:56 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-02 23:16 . 2008-06-02 23:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-02 22:22 . 2008-06-02 22:22 <DIR> d-------- C:\Program Files\Windows Defender
2008-06-02 13:09 . 2008-06-02 13:09 <DIR> d-------- C:\Documents and Settings\Allen\Application Data\ESET
2008-06-01 13:05 . 2008-06-01 13:05 <DIR> d-------- C:\Program Files\MSBuild
2008-06-01 04:29 . 2008-06-01 04:29 <DIR> d-------- C:\Documents and Settings\Veronica\Application Data\ESET
2008-06-01 04:12 . 2008-06-01 12:44 <DIR> d-------- C:\Program Files\ESET
2008-06-01 04:12 . 2008-06-01 04:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-31 23:41 . 2008-06-01 03:35 121 --a------ C:\WINDOWS\bdagent.INI
2008-05-31 22:44 . 2008-06-01 03:33 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-05-31 18:16 . 2008-06-11 18:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-31 18:16 . 2008-05-31 18:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-31 14:52 . 2008-05-31 14:46 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-31 14:38 . 2008-04-14 10:12 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-05-31 14:37 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-05-31 14:37 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-05-31 14:37 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-05-31 14:37 . 2004-08-03 22:29 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-05-31 14:37 . 2008-04-14 10:12 18,944 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-05-31 14:37 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-05-31 14:37 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-05-31 14:36 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2008-05-31 14:36 . 2004-08-03 22:31 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-05-31 14:36 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2008-05-31 14:36 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2008-05-31 14:36 . 2004-08-03 22:29 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-05-31 14:36 . 2008-04-14 04:36 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-05-31 14:36 . 2008-04-14 10:12 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-05-31 14:34 . 2001-08-17 13:28 765,884 --a--c--- C:\WINDOWS\system32\dllcache\usrti.sys
2008-05-31 14:34 . 2001-08-17 13:28 687,999 --a--c--- C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2008-05-31 14:34 . 2001-08-17 13:28 604,253 --a--c--- C:\WINDOWS\system32\dllcache\vmodem.sys
2008-05-31 14:34 . 2001-08-17 13:28 397,502 --a--c--- C:\WINDOWS\system32\dllcache\vpctcom.sys
2008-05-31 14:34 . 2001-08-17 12:14 249,402 --a--c--- C:\WINDOWS\system32\dllcache\vinwm.sys
2008-05-31 14:34 . 2001-08-17 13:28 64,605 --a--c--- C:\WINDOWS\system32\dllcache\vvoice.sys
2008-05-31 14:34 . 2001-08-17 13:49 24,576 --a--c--- C:\WINDOWS\system32\dllcache\viairda.sys
2008-05-31 14:34 . 2008-04-14 04:40 5,376 --a--c--- C:\WINDOWS\system32\dllcache\viaide.sys
2008-05-31 14:32 . 2001-08-17 22:36 216,064 --a--c--- C:\WINDOWS\system32\dllcache\um34scan.dll
2008-05-31 14:32 . 2001-08-17 22:36 211,968 --a--c--- C:\WINDOWS\system32\dllcache\um54scan.dll
2008-05-31 14:32 . 2001-08-17 22:36 69,632 --a--c--- C:\WINDOWS\system32\dllcache\umaxu12.dll
2008-05-31 14:32 . 2001-08-17 22:36 50,688 --a--c--- C:\WINDOWS\system32\dllcache\umaxscan.dll
2008-05-31 14:32 . 2001-08-17 22:36 50,176 --a--c--- C:\WINDOWS\system32\dllcache\umaxp60.dll
2008-05-31 14:32 . 2001-08-17 22:36 47,616 --a--c--- C:\WINDOWS\system32\dllcache\umaxcam.dll
2008-05-31 14:32 . 2001-08-17 13:52 36,736 --a--c--- C:\WINDOWS\system32\dllcache\ultra.sys
2008-05-31 14:32 . 2001-08-17 22:36 26,624 --a--c--- C:\WINDOWS\system32\dllcache\umaxu22.dll
2008-05-31 14:32 . 2001-08-17 13:58 22,912 --a--c--- C:\WINDOWS\system32\dllcache\umaxpcls.sys
2008-05-31 14:32 . 2001-08-17 13:48 11,520 --a--c--- C:\WINDOWS\system32\dllcache\twotrack.sys
2008-05-31 14:31 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-05-31 14:31 . 2001-08-17 14:56 440,576 --a--c--- C:\WINDOWS\system32\dllcache\tridkb.dll
2008-05-31 14:31 . 2001-08-17 14:56 315,520 --a--c--- C:\WINDOWS\system32\dllcache\trid3d.dll
2008-05-31 14:31 . 2001-08-17 12:51 222,336 --a--c--- C:\WINDOWS\system32\dllcache\trid3dm.sys
2008-05-31 14:31 . 2001-08-17 12:51 166,784 --a--c--- C:\WINDOWS\system32\dllcache\tridxpm.sys
2008-05-31 14:31 . 2001-08-17 12:51 159,232 --a--c--- C:\WINDOWS\system32\dllcache\tridkbm.sys
2008-05-31 14:31 . 2008-04-14 10:12 82,944 --a--c--- C:\WINDOWS\system32\dllcache\tp4mon.exe
2008-05-31 14:31 . 2001-08-17 22:35 42,496 --a--c--- C:\WINDOWS\system32\dllcache\tp4res.dll
2008-05-31 14:31 . 2001-08-17 12:12 34,375 --a--c--- C:\WINDOWS\system32\dllcache\tpro4.sys
2008-05-31 14:31 . 2001-08-17 22:36 31,744 --a--c--- C:\WINDOWS\system32\dllcache\tp4.dll
2008-05-31 14:30 . 2001-08-17 14:01 241,664 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2008-05-31 14:30 . 2001-08-17 14:02 230,912 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd03.sys
2008-05-31 14:30 . 2008-04-14 04:40 149,376 --a--c--- C:\WINDOWS\system32\dllcache\tffsport.sys
2008-05-31 14:30 . 2001-08-17 12:51 138,528 --a--c--- C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2008-05-31 14:30 . 2001-08-17 12:14 123,995 --a--c--- C:\WINDOWS\system32\dllcache\tjisdn.sys
2008-05-31 14:30 . 2001-08-17 14:56 81,408 --a--c--- C:\WINDOWS\system32\dllcache\tgiul50.dll
2008-05-31 14:30 . 2001-08-17 12:13 37,961 --a--c--- C:\WINDOWS\system32\dllcache\tdk100b.sys
2008-05-31 14:30 . 2001-08-17 12:10 28,232 --a--c--- C:\WINDOWS\system32\dllcache\tos4mo.sys
2008-05-31 14:30 . 2001-08-17 12:13 17,129 --a--c--- C:\WINDOWS\system32\dllcache\tdkcd31.sys
2008-05-31 14:30 . 2001-08-17 13:51 4,992 --a--c--- C:\WINDOWS\system32\dllcache\toside.sys
2008-05-31 14:29 . 2001-08-17 14:56 172,768 --a--c--- C:\WINDOWS\system32\dllcache\t2r4disp.dll
2008-05-31 14:29 . 2001-08-17 13:50 103,936 --a--c--- C:\WINDOWS\system32\dllcache\sx.sys
2008-05-31 14:29 . 2001-08-17 22:36 94,293 --a--c--- C:\WINDOWS\system32\dllcache\sxports.dll
2008-05-31 14:29 . 2001-08-17 12:50 36,640 --a--c--- C:\WINDOWS\system32\dllcache\t2r4mini.sys
2008-05-31 14:29 . 2001-08-17 14:07 32,640 --a--c--- C:\WINDOWS\system32\dllcache\symc8xx.sys
2008-05-31 14:29 . 2001-08-17 14:07 30,688 --a--c--- C:\WINDOWS\system32\dllcache\sym_u3.sys
2008-05-31 14:29 . 2001-08-17 13:49 30,464 --a--c--- C:\WINDOWS\system32\dllcache\tbatm155.sys
2008-05-31 14:29 . 2001-08-17 14:07 28,384 --a--c--- C:\WINDOWS\system32\dllcache\sym_hi.sys
2008-05-31 14:29 . 2001-08-17 14:07 16,256 --a--c--- C:\WINDOWS\system32\dllcache\symc810.sys
2008-05-31 14:29 . 2001-08-17 13:52 7,040 --a--c--- C:\WINDOWS\system32\dllcache\tandqic.sys
2008-05-31 14:28 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-05-31 14:28 . 2001-08-17 22:36 155,648 --a--c--- C:\WINDOWS\system32\dllcache\stlnprop.dll
2008-05-31 14:28 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\sw_wheel.dll
2008-05-31 14:28 . 2001-08-17 22:36 53,248 --a--c--- C:\WINDOWS\system32\dllcache\stlncoin.dll
2008-05-31 14:28 . 2001-08-17 12:11 48,736 --a--c--- C:\WINDOWS\system32\dllcache\srwlnd5.sys
2008-05-31 14:28 . 2001-08-17 22:36 41,472 --a--c--- C:\WINDOWS\system32\dllcache\sw_effct.dll
2008-05-31 14:28 . 2001-08-17 13:51 16,896 --a--c--- C:\WINDOWS\system32\dllcache\stcusb.sys
2008-05-31 14:28 . 2001-08-17 22:36 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpidflt.dll
2008-05-31 14:28 . 2001-08-17 22:36 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpdflt2.dll
2008-05-31 14:28 . 2001-08-17 14:02 3,968 --a--c--- C:\WINDOWS\system32\dllcache\swusbflt.sys
2008-05-31 14:26 . 2001-08-17 14:56 147,200 --a--c--- C:\WINDOWS\system32\dllcache\smidispb.dll
2008-05-31 14:26 . 2001-08-17 12:51 58,368 --a--c--- C:\WINDOWS\system32\dllcache\smiminib.sys
2008-05-31 14:26 . 2001-08-17 22:36 45,568 --a--c--- C:\WINDOWS\system32\dllcache\smb3w.dll
2008-05-31 14:26 . 2001-08-17 12:10 35,913 --a--c--- C:\WINDOWS\system32\dllcache\smcirda.sys
2008-05-31 14:26 . 2001-08-17 12:12 25,034 --a--c--- C:\WINDOWS\system32\dllcache\smcpwr2n.sys
2008-05-31 14:26 . 2001-08-17 12:12 24,576 --a--c--- C:\WINDOWS\system32\dllcache\smc8000n.sys
2008-05-31 14:26 . 2008-04-14 04:36 16,000 --a--c--- C:\WINDOWS\system32\dllcache\smbbatt.sys
2008-05-31 14:26 . 2008-04-14 04:36 6,912 --a--c--- C:\WINDOWS\system32\dllcache\smbclass.sys
2008-05-31 14:26 . 2001-08-17 13:57 6,784 --a--c--- C:\WINDOWS\system32\dllcache\smbhc.sys
2008-05-31 14:25 . 2001-08-17 14:56 157,696 --a--c--- C:\WINDOWS\system32\dllcache\sisv256.dll
2008-05-31 14:25 . 2001-08-17 12:12 94,698 --a--c--- C:\WINDOWS\system32\dllcache\sk98xwin.sys
2008-05-31 14:25 . 2001-08-17 12:12 91,294 --a--c--- C:\WINDOWS\system32\dllcache\skfpwin.sys
2008-05-31 14:25 . 2004-08-03 22:31 63,547 --a--c--- C:\WINDOWS\system32\dllcache\sla30nd5.sys
2008-05-31 14:25 . 2001-08-17 12:50 50,432 --a--c--- C:\WINDOWS\system32\dllcache\sisv.sys
2008-05-31 14:25 . 2001-08-17 22:36 33,792 --a--c--- C:\WINDOWS\system32\dllcache\smb0w.dll
2008-05-31 14:25 . 2004-08-03 22:31 32,768 --a--c--- C:\WINDOWS\system32\dllcache\sisnic.sys
2008-05-31 14:25 . 2001-08-17 22:36 28,672 --a--c--- C:\WINDOWS\system32\dllcache\sma0w.dll
2008-05-31 14:25 . 2001-08-17 22:36 28,160 --a--c--- C:\WINDOWS\system32\dllcache\sm91w.dll
2008-05-31 14:24 . 2001-08-17 22:36 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-05-31 14:24 . 2001-08-17 14:56 252,032 --a--c--- C:\WINDOWS\system32\dllcache\sis300iv.dll
2008-05-31 14:24 . 2001-08-17 22:36 238,592 --a--c--- C:\WINDOWS\system32\dllcache\sisgrv.dll
2008-05-31 14:24 . 2001-07-21 14:29 161,568 --a--c--- C:\WINDOWS\system32\dllcache\sgsmusb.sys
2008-05-31 14:24 . 2001-08-17 14:56 150,144 --a--c--- C:\WINDOWS\system32\dllcache\sis6306v.dll
2008-05-31 14:24 . 2001-08-17 12:50 104,064 --a--c--- C:\WINDOWS\system32\dllcache\sisgrp.sys
2008-05-31 14:24 . 2001-08-17 12:50 101,760 --a--c--- C:\WINDOWS\system32\dllcache\sis300ip.sys
2008-05-31 14:24 . 2001-08-17 12:51 98,080 --a--c--- C:\WINDOWS\system32\dllcache\sgiulnt5.sys
2008-05-31 14:24 . 2001-08-17 12:50 68,608 --a--c--- C:\WINDOWS\system32\dllcache\sis6306p.sys
2008-05-31 14:24 . 2001-07-21 14:29 18,400 --a--c--- C:\WINDOWS\system32\dllcache\sgsmld.sys
2008-05-31 14:23 . 2001-08-17 12:19 36,480 --a--c--- C:\WINDOWS\system32\dllcache\sfmanm.sys
2008-05-31 14:23 . 2001-08-17 13:51 23,936 --a--c--- C:\WINDOWS\system32\dllcache\sccmusbm.sys
2008-05-31 14:23 . 2001-08-17 13:48 17,664 --a--c--- C:\WINDOWS\system32\dllcache\sermouse.sys
2008-05-31 14:23 . 2001-08-17 13:51 17,280 --a--c--- C:\WINDOWS\system32\dllcache\scr111.sys
2008-05-31 14:23 . 2001-08-17 13:51 16,640 --a--c--- C:\WINDOWS\system32\dllcache\scmstcs.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 08:21 --------- d-----w C:\Program Files\MSN Messenger
2008-06-10 15:09 --------- d-----w C:\Documents and Settings\Veronica\Application Data\Azureus
2008-06-10 05:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-06 03:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-03 13:45 --------- d-----w C:\Documents and Settings\Allen\Application Data\Azureus
2008-06-02 09:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-01 03:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-28 10:33 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-05-24 02:33 --------- d-----w C:\Documents and Settings\Veronica\Application Data\Canon
2008-05-23 06:33 --------- d-----w C:\Program Files\Picasa2
2008-05-12 15:12 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-12 15:08 --------- d-----w C:\Program Files\WIN XP
2008-05-12 15:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-07 10:35 --------- d-----w C:\Documents and Settings\Veronica\Application Data\Nokia
2008-05-06 04:32 --------- d-----w C:\Documents and Settings\Veronica\Application Data\PC Suite
2008-05-06 03:59 --------- d-----w C:\Documents and Settings\Veronica\Application Data\vlc
2008-05-06 03:57 --------- d-----w C:\Program Files\VideoLAN
2008-04-29 01:07 --------- d-----w C:\Documents and Settings\Roxy\Application Data\Launchy
2008-04-27 03:24 --------- d-----w C:\Program Files\Azureus
2008-04-21 23:41 --------- d-----w C:\Documents and Settings\Allen\Application Data\Launchy
2008-04-21 10:55 --------- d-----w C:\Program Files\Launchy
2008-04-21 10:55 --------- d-----w C:\Documents and Settings\Veronica\Application Data\Launchy
2008-04-14 00:12 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2008-04-11 03:45 --------- d-----w C:\Documents and Settings\Allen\Application Data\vlc
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-09_13.30.28.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-09 02:46:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-11 08:26:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-31 15:42:57 47,890 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-09 12:02:43 47,890 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-31 15:42:57 335,552 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-09 12:02:43 335,552 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCD747FB-3498-464D-8986-EF8551A5687B}]
C:\WINDOWS\system32\byXqrpNd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2008-01-11 13:26 5674352]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 13:26 620152]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 13:18 267048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 22:13 385024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 22:00 15360]

C:\Documents and Settings\Allen\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2008-04-21 20:55:16 274432]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geeby]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"VIDC.FFDS"= ffdshow.ax
"msacm.l3fhg"= mp3fhg.acm
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.mpegacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\mpegacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-06-10 10:43:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-31 16:00:47 C:\WINDOWS\Tasks\baackup.job"
- C:\Program Files\BitDefender\BitDefender Backup\backup.exe
"2008-05-31 16:00:47 C:\WINDOWS\Tasks\backup.job"
- C:\Program Files\BitDefender\BitDefender Backup\backup.exe
"2008-06-11 08:31:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-11 08:38:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 18:27:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\WINDOWS\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2008-06-11 18:42:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-11 08:42:08
ComboFix2.txt 2008-06-10 07:29:46
ComboFix3.txt 2008-06-09 03:32:30

Pre-Run: 5,939,322,880 bytes free
Post-Run: 4,551,655,424 bytes free

271 --- E O F --- 2008-06-06 03:46:02

#14 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,651 posts

Posted 11 June 2008 - 05:42 AM

Hello

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Also post a new HijackThis log

#15 tomatosalsa

tomatosalsa

    Authentic Member

  • Authentic Member
  • PipPip
  • 23 posts

Posted 11 June 2008 - 06:12 AM

malware scan:

Malwarebytes' Anti-Malware 1.17
Database version: 846

10:12:18 PM 11/06/2008
mbam-log-6-11-2008 (22-12-18).txt

Scan type: Quick Scan
Objects scanned: 47230
Time elapsed: 15 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:35 PM, on 11/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\Tom.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {BCD747FB-3498-464D-8986-EF8551A5687B} - C:\WINDOWS\system32\byXqrpNd.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Nigel\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189148533843
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O17 - HKLM\System\CS2\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O17 - HKLM\System\CS3\Services\Tcpip\..\{34586B0F-2DD5-4F46-A7D2-5AA6D3540617}: NameServer = 211.29.132.12,198.142.0.51
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: geeby - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 11702 bytes

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users