BleepingComputer.com: Htepo.com Has Grabbed My Computer!

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • You cannot reply to this topic

Htepo.com Has Grabbed My Computer!

#1 User is offline   rvbeaumont 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 15-November 07
  • Location:key west

Posted 15 November 2007 - 04:33 PM

Boy has this been a week! Here's a log from combofix, I have now added Stinger, ad-adware2007,vundofix,regcure,spybot 15,HJT,xoftspy,spybot search and destroy. Way too much, and still have it. Have removed IE as browser, and have reinstalled it, and Java. Here's the log
ComboFix 07-11-08.1 - HP_Owner 2007-11-15 16:03:59.9 - NTFSx86
Running from: C:\Documents and Settings\HP_Owner\My Documents\mozilla downloads\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\HP_Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\HP_Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\HP_Owner\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\onnmp.bak1
C:\WINDOWS\system32\onnmp.ini
C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\usysykju.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-15 15:32 <DIR> d-------- C:\Program Files\RegCure
2007-11-15 15:09 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-15 15:09 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-15 14:30 <DIR> d-------- C:\Program Files\Viewpoint
2007-11-15 14:06 <DIR> d-------- C:\Program Files\XoftSpySE
2007-11-15 01:32 144,480 --a------ C:\WINDOWS\system32\usysykju.dll
2007-11-15 01:32 144,480 --a--c--- C:\WINDOWS\system32\criktbeb.dll
2007-11-15 01:29 71,232 --a--c--- C:\WINDOWS\system32\qnggmrfw.exe
2007-11-14 02:37 6,058,496 --a------ C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-14 02:37 2,455,488 --a------ C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-14 02:37 459,264 --a------ C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-14 02:37 383,488 --a------ C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-14 02:37 267,776 --a------ C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-14 02:37 63,488 --a------ C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-14 02:37 52,224 --a------ C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-14 02:37 13,824 --a------ C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-14 02:21 37,376 --a------ C:\WINDOWS\system32\nnnnkkk.dll
2007-11-14 02:13 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-11-14 01:47 <DIR> d----c--- C:\VundoFix Backups
2007-11-13 22:43 37,376 --a------ C:\WINDOWS\system32\khfcdba.dll
2007-11-13 22:43 336 --a------ C:\WINDOWS\17PHolmes1188.exe
2007-11-13 22:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-13 20:24 144,480 --a--c--- C:\WINDOWS\system32\aipbnwrm.dll
2007-11-13 20:21 85,056 --a--c--- C:\WINDOWS\system32\bwnknnrh.dll
2007-11-13 20:18 80,448 --a--c--- C:\WINDOWS\system32\jwwspdfs.dll
2007-11-13 20:12 71,232 --a--c--- C:\WINDOWS\system32\eoxejuqf.exe
2007-11-13 05:01 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\Roxio
2007-11-13 02:24 <DIR> d-------- C:\Program Files\WinMX Fix v.3.0
2007-11-13 02:24 <DIR> d-------- C:\Program Files\iTunes
2007-11-13 02:24 <DIR> d-------- C:\Program Files\iPod
2007-11-13 02:23 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-11-13 02:23 <DIR> d-------- C:\Program Files\Roxio
2007-11-13 02:23 <DIR> d-------- C:\Program Files\Remove Empty Directories
2007-11-13 02:23 <DIR> d-------- C:\Program Files\Maxis
2007-11-13 02:23 <DIR> d-------- C:\Program Files\InterVideo
2007-11-13 02:23 <DIR> d-------- C:\Program Files\Disney
2007-11-13 02:23 <DIR> d-------- C:\Program Files\Cosmi
2007-11-13 02:23 <DIR> d-------- C:\Program Files\Clipmarks
2007-11-13 02:23 <DIR> d-------- C:\Program Files\BaDoink
2007-11-13 02:23 <DIR> d-------- C:\Program Files\AGEIA Technologies
2007-11-13 02:23 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Roxio
2007-11-13 02:22 <DIR> d-------- C:\Program Files\Viewpoint(3)
2007-11-13 02:22 <DIR> d-------- C:\Program Files\Tencent
2007-11-13 02:22 <DIR> d-------- C:\Program Files\MySpace
2007-11-13 02:22 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-13 02:22 <DIR> d-------- C:\audio
2007-11-13 02:05 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion(2)
2007-11-10 13:33 <DIR> d-------- C:\Program Files\AGEIA Technologies(2)
2007-11-09 19:19 <DIR> d-------- C:\Program Files\Aspyr
2007-11-09 15:18 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-08 23:11 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-08 23:09 134 --a--c--- C:\n.bat
2007-11-08 23:08 35,328 --a------ C:\WINDOWS\system32\yayxutq.dll
2007-11-08 23:08 0 --a--c--- C:\z.dat
2007-11-08 23:08 0 --a--c--- C:\x.dat
2007-11-07 15:42 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2007-11-07 15:42 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-07 15:42 <DIR> d-------- C:\Program Files\Legacy Interactive
2007-11-07 15:42 <DIR> d-------- C:\Program Files\GameSpy
2007-11-07 15:42 <DIR> d-------- C:\Program Files\Firaxis Games
2007-11-07 15:42 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-11-07 15:41 <DIR> d--h----- C:\Program Files\Zero G Registry
2007-11-07 15:41 <DIR> d-------- C:\Program Files\VstPlugins
2007-11-07 15:41 <DIR> d-------- C:\Program Files\UltraISO
2007-11-07 15:41 <DIR> d-------- C:\Program Files\Symantec
2007-11-07 15:41 <DIR> d-------- C:\Program Files\SoundSpectrum
2007-11-07 15:41 <DIR> d-------- C:\Program Files\SD EnterNET
2007-11-07 00:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-11-06 01:20 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-11-04 20:10 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-11-04 13:33 <DIR> d----c--- C:\c6616f9bfd906f1ad04bbed7e3dd4f
2007-11-04 13:30 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2007-11-04 13:30 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Sonic
2007-11-04 01:28 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\Sierra Entertainment
2007-11-04 01:28 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-11-03 17:00 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-30 01:47 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\Super-Cow
2007-10-29 01:58 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-10-29 01:58 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-10-29 01:58 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2007-10-29 01:58 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-10-25 02:25 <DIR> d-------- C:\Program Files\MSECache
2007-10-25 02:05 <DIR> d-------- C:\Program Files\Download Manager
2007-10-24 01:58 143,872 --a------ C:\WINDOWS\system32\iacenc.dll
2007-10-24 01:58 56,832 --a------ C:\WINDOWS\system32\iyvu9_32.dll
2007-10-24 01:44 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\QQ Games Plugin
2007-10-23 18:22 86,082 --a------ C:\WINDOWS\system32\ftdiunin.exe
2007-10-23 18:22 77,890 --a------ C:\WINDOWS\system32\FTLang.dll
2007-10-23 18:22 60,572 --a------ C:\WINDOWS\system32\drivers\ftser2k.sys
2007-10-23 18:22 48,625 --a------ C:\WINDOWS\system32\ftserui2.dll
2007-10-23 18:22 28,449 --a------ C:\WINDOWS\system32\drivers\ftdibus.sys
2007-10-20 12:32 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-10-20 12:32 53,760 --a------ C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-10-20 02:30 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\iWin
2007-10-20 01:36 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2007-10-20 01:36 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2007-10-20 01:36 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2007-10-20 01:36 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-10-20 01:35 <DIR> d-------- C:\Program Files\coolpro2
2007-10-19 19:01 <DIR> d-------- C:\Program Files\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 20:20 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-15 20:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 06:41 --------- d-----w C:\Program Files\Google
2007-11-14 07:28 --------- d-----w C:\Program Files\Trend Micro
2007-11-14 03:07 --------- d-----w C:\Program Files\Java
2007-11-13 22:35 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-13 07:32 --------- d-----w C:\Program Files\Microsoft Games
2007-11-13 07:23 --------- d-----w C:\Program Files\QuickTime
2007-11-13 07:23 --------- d-----w C:\Program Files\LimeWire
2007-11-12 01:31 9,046 -c--a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-11-10 18:52 --------- d-----w C:\Program Files\InterActual
2007-11-10 00:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-09 23:12 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\IGN_DLM
2007-11-07 23:53 --------- d-----w C:\Program Files\Common Files\aolshare
2007-11-07 23:53 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-07 20:42 --------- d-----w C:\Program Files\HPQ
2007-11-07 19:22 --------- d-----w C:\Program Files\Yahoo!
2007-11-07 19:22 --------- d-----w C:\Program Files\Support.com
2007-11-07 19:21 --------- d-----w C:\Program Files\Real
2007-11-07 19:21 --------- d-----w C:\Program Files\Online Backup
2007-11-07 19:21 --------- d-----w C:\Program Files\MSN Toolbar Suite
2007-11-07 19:21 --------- d-----w C:\Program Files\MSN Messenger
2007-11-07 19:21 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-11-07 19:21 --------- d-----w C:\Program Files\ICOO Loader
2007-11-07 19:20 --------- d-----w C:\Program Files\GameSpy Arcade
2007-11-04 18:29 --------- d-----w C:\Program Files\Sonic
2007-10-24 06:43 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-22 22:54 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-10-20 22:35 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\muvee Technologies
2007-10-20 22:05 --------- d-----w C:\Program Files\AskTBar
2007-10-20 17:52 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2007-10-20 00:11 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Nero
2007-10-20 00:01 --------- dc----w C:\Documents and Settings\All Users\Application Data\Nero
2007-10-19 20:13 --------- d-----w C:\Program Files\AusLogics Disk Defrag
2007-10-19 19:47 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-19 17:47 --------- d-----w C:\Program Files\PConPoint
2007-10-19 17:07 --------- d-----w C:\Program Files\Easy Internet signup
2007-10-19 16:06 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-19 15:52 --------- d-----w C:\Program Files\IncrediMail
2007-10-19 05:37 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Intuit
2007-10-19 05:36 --------- dc----w C:\Documents and Settings\All Users\Application Data\Intuit
2007-10-19 05:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-19 05:20 --------- d-----w C:\Program Files\Common Files\Real
2007-10-19 05:18 --------- d-----w C:\Program Files\AOL Computer Check-Up
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0f
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0e
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0b
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0
2007-10-19 04:49 --------- dc----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-10-19 04:40 --------- d-----w C:\Program Files\HP
2007-10-19 04:33 1,716 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_PY208AV-ABA a1030e_YC_0Pavi_QMXG530_E53NAheBLU5_47_ISalmon_SASUSTek Computer INC._V1.04_B3.15_T051019_WXH2_L409_M896_J80_7AMD_8Sempron_91.81_#050913_N10390900_Z11C1048C_G10396330.MRK
2007-10-19 04:30 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-10-19 03:44 --------- d-----w C:\Program Files\Webshots
2007-10-19 02:54 --------- d-----w C:\Program Files\Rhapsody
2007-10-19 02:13 --------- d-----w C:\Program Files\BellSouth
2007-10-19 02:10 132,675 ----a-w C:\Program Files\INSTALL.LOG
2007-10-19 02:01 --------- dc----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-19 00:17 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\BellSouth
2007-10-19 00:17 --------- dc----w C:\Documents and Settings\All Users\Application Data\BellSouth
2007-10-19 00:04 --------- d-----w C:\Program Files\Common Files\Motive
2007-10-18 23:50 4 -c--a-w C:\WINDOWSRegDefrag.dat
2007-10-17 18:12 --------- d-----w C:\Program Files\DFX
2007-10-17 08:43 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-10-17 08:43 --------- dc----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-17 08:43 --------- d--h--r C:\Documents and Settings\HP_Owner\Application Data\yahoo!
2007-10-17 08:42 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-10-17 08:41 --------- dc----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-10-17 08:41 --------- d-----w C:\Program Files\Multimedia Transcoding Tool
2007-10-17 08:40 --------- d-----w C:\Program Files\AOL 9.0a
2007-10-17 08:37 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\AOL
2007-10-17 05:37 --------- d-----w C:\Program Files\web-radio
2007-10-17 04:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-12 04:03 --------- dc----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-10-11 19:08 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\AdobeUM
2007-10-10 16:50 --------- d-----w C:\Program Files\ACNielsen
2007-10-06 17:11 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-06 08:43 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\WeatherBug
2007-09-29 19:48 --------- dc----w C:\Documents and Settings\All Users\Application Data\DFX
2007-09-28 18:34 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Babylon
2007-09-24 13:05 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-24 13:05 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-20 13:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 13:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-01-10 17:15 839,684 ----a-w C:\WINDOWS\Fonts\Crack.exe
2007-01-10 17:15 839,683 --sh--w C:\WINDOWS\Fonts\svchost.exe
2006-11-12 18:42 0 ----a-w C:\Program Files\Common Files\err.log
2006-09-19 18:10 1 -c--a-w C:\Documents and Settings\HP_Owner\SI.bin
2006-05-10 18:26 299 -c--a-w C:\Documents and Settings\HP_Owner\Application Data\internaldb1942.dat
2006-01-26 20:53 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-01-10 17:15:15 839,683 --sh--w C:\WINDOWS\Fonts\svchost.exe
2005-11-15 21:39:10 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-15 01:32 144480 --a------ C:\WINDOWS\system32\usysykju.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d91edfd0-519c-4707-8869-95221c3f4bc3}]
2007-11-13 20:18 80448 --a--c--- C:\WINDOWS\system32\jwwspdfs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0B54BEC-9209-4B5D-94E5-A8906DE18FFB}]
2007-11-14 02:21 37376 --a------ C:\WINDOWS\system32\nnnnkkk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\usysykju.dll [2007-11-15 01:32 144480]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\usysykju.dll [2007-11-15 01:32 144480]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-01-05 01:54 C:\WINDOWS\system32\SiSPower.dll]
"CTHelper"="CTHELPER.EXE" [2003-11-14 03:18 C:\WINDOWS\system32\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 10:00]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 11:07]
"tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" [2005-08-31 13:14]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 12:12]
"AT&T Internet Security Suite"="C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe" [2007-06-28 15:09]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-18 21:47]
"HostManager"="C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe" [2007-04-12 16:23]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-08-30 13:04]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 16:32]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 18:14]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 00:34]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-11-16 13:55]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [2007-01-10 12:15]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-03 23:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-10-09 11:02]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 16:57]
"AOL Fast Start"="C:\Program Files\AOL 9.0b\AOL.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 17:11]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-10-18 22:05]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-11-14 12:32]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMIDI"=MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E0B54BEC-9209-4B5D-94E5-A8906DE18FFB}"= C:\WINDOWS\system32\nnnnkkk.dll [2007-11-14 02:21 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnkkk]
nnnnkkk.dll 2007-11-14 02:21 37376 C:\WINDOWS\system32\nnnnkkk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\usysykju]
usysykju.dll 2007-11-15 01:32 144480 C:\WINDOWS\system32\usysykju.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnno.dll

R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e29e2fbc-b976-11d9-bac2-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-11-12 19:06:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-03 03:55:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-11-12 13:57:00 C:\WINDOWS\Tasks\Find Duplicate Files.job"
- C:\PROGRA~1\ADVANC~1\finddupe.exe
"2007-11-09 21:45:01 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe
"2007-05-23 02:40:25 C:\WINDOWS\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe
"2007-05-28 00:35:29 C:\WINDOWS\Tasks\HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe
"2007-11-15 21:15:20 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-11-15 20:35:48 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-11-15 21:17:03 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2007-11-15 21:15:21 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-11-15 19:06:20 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 16:15:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-15 16:22:04 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-15 13:19
C:\ComboFix3.txt ... 2007-11-15 12:54
.
--- E O F ---

#2 User is offline   rvbeaumont 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 15-November 07
  • Location:key west

Posted 15 November 2007 - 06:52 PM

and it happened again! I have Incredemail, could that be infected , here's the latest log

ComboFix 07-11-08.1 - HP_Owner 2007-11-15 18:09:22.10 - NTFSx86
Running from: C:\Documents and Settings\HP_Owner\My Documents\mozilla downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\HP_Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\HP_Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\HP_Owner\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\usysykju.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-15 17:11 <DIR> d-------- C:\Program Files\Viewpoint
2007-11-15 15:32 <DIR> d-------- C:\Program Files\RegCure
2007-11-15 15:09 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-15 15:09 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-15 14:06 <DIR> d-------- C:\Program Files\XoftSpySE
2007-11-15 01:32 144,480 --a--c--- C:\WINDOWS\system32\criktbeb.dll
2007-11-15 01:29 71,232 --a--c--- C:\WINDOWS\system32\qnggmrfw.exe
2007-11-14 02:37 6,058,496 --a------ C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-14 02:37 2,455,488 --a------ C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-14 02:37 459,264 --a------ C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-14 02:37 383,488 --a------ C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-14 02:37 267,776 --a------ C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-14 02:37 63,488 --a------ C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-14 02:37 52,224 --a------ C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-14 02:37 13,824 --a------ C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-14 02:21 37,376 --a------ C:\WINDOWS\system32\nnnnkkk.dll
2007-11-14 02:13 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-11-14 01:47 <DIR> d----c--- C:\VundoFix Backups
2007-11-13 22:43 37,376 --a------ C:\WINDOWS\system32\khfcdba.dll
2007-11-13 22:43 336 --a------ C:\WINDOWS\17PHolmes1188.exe
2007-11-13 22:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-13 20:24 144,480 --a--c--- C:\WINDOWS\system32\aipbnwrm.dll
2007-11-13 20:21 85,056 --a--c--- C:\WINDOWS\system32\bwnknnrh.dll
2007-11-13 20:18 80,448 --a--c--- C:\WINDOWS\system32\jwwspdfs.dll
2007-11-13 20:12 71,232 --a--c--- C:\WINDOWS\system32\eoxejuqf.exe
2007-11-13 05:01 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\Roxio
2007-11-13 02:24 <DIR> d-------- C:\Program Files\WinMX Fix v.3.0
2007-11-13 02:24 <DIR> d-------- C:\Program Files\iTunes
2007-11-13 02:24 <DIR> d-------- C:\Program Files\iPod
2007-11-13 02:23 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-11-13 02:23 <DIR> d-------- C:\Program Files\Roxio
2007-11-13 02:23 <DIR> d-------- C:\Program Files\Remove Empty Directories
2007-11-13 02:23 <DIR> d-------- C:\Program Files\Maxis
2007-11-13 02:23 <DIR> d-------- C:\Program Files\InterVideo
2007-11-13 02:23 <DIR> d-------- C:\Program Files\Disney
2007-11-13 02:23 <DIR> d-------- C:\Program Files\Cosmi
2007-11-13 02:23 <DIR> d-------- C:\Program Files\Clipmarks
2007-11-13 02:23 <DIR> d-------- C:\Program Files\BaDoink
2007-11-13 02:23 <DIR> d-------- C:\Program Files\AGEIA Technologies
2007-11-13 02:23 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Roxio
2007-11-13 02:22 <DIR> d-------- C:\Program Files\Viewpoint(3)
2007-11-13 02:22 <DIR> d-------- C:\Program Files\Tencent
2007-11-13 02:22 <DIR> d-------- C:\Program Files\MySpace
2007-11-13 02:22 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-13 02:22 <DIR> d-------- C:\audio
2007-11-13 02:05 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion(2)
2007-11-10 13:33 <DIR> d-------- C:\Program Files\AGEIA Technologies(2)
2007-11-09 19:19 <DIR> d-------- C:\Program Files\Aspyr
2007-11-09 15:18 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-08 23:11 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-08 23:09 134 --a--c--- C:\n.bat
2007-11-08 23:08 35,328 --a------ C:\WINDOWS\system32\yayxutq.dll
2007-11-08 23:08 0 --a--c--- C:\z.dat
2007-11-08 23:08 0 --a--c--- C:\x.dat
2007-11-07 15:42 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2007-11-07 15:42 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-07 15:42 <DIR> d-------- C:\Program Files\Legacy Interactive
2007-11-07 15:42 <DIR> d-------- C:\Program Files\GameSpy
2007-11-07 15:42 <DIR> d-------- C:\Program Files\Firaxis Games
2007-11-07 15:42 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-11-07 15:41 <DIR> d--h----- C:\Program Files\Zero G Registry
2007-11-07 15:41 <DIR> d-------- C:\Program Files\VstPlugins
2007-11-07 15:41 <DIR> d-------- C:\Program Files\UltraISO
2007-11-07 15:41 <DIR> d-------- C:\Program Files\Symantec
2007-11-07 15:41 <DIR> d-------- C:\Program Files\SoundSpectrum
2007-11-07 15:41 <DIR> d-------- C:\Program Files\SD EnterNET
2007-11-07 00:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-11-06 01:20 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-11-04 20:10 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-11-04 13:33 <DIR> d----c--- C:\c6616f9bfd906f1ad04bbed7e3dd4f
2007-11-04 13:30 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2007-11-04 13:30 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Sonic
2007-11-04 01:28 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\Sierra Entertainment
2007-11-04 01:28 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-11-03 17:00 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-30 01:47 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\Super-Cow
2007-10-29 01:58 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-10-29 01:58 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-10-29 01:58 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2007-10-29 01:58 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-10-25 02:25 <DIR> d-------- C:\Program Files\MSECache
2007-10-25 02:05 <DIR> d-------- C:\Program Files\Download Manager
2007-10-24 01:58 143,872 --a------ C:\WINDOWS\system32\iacenc.dll
2007-10-24 01:58 56,832 --a------ C:\WINDOWS\system32\iyvu9_32.dll
2007-10-24 01:44 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\QQ Games Plugin
2007-10-23 18:22 86,082 --a------ C:\WINDOWS\system32\ftdiunin.exe
2007-10-23 18:22 77,890 --a------ C:\WINDOWS\system32\FTLang.dll
2007-10-23 18:22 60,572 --a------ C:\WINDOWS\system32\drivers\ftser2k.sys
2007-10-23 18:22 48,625 --a------ C:\WINDOWS\system32\ftserui2.dll
2007-10-23 18:22 28,449 --a------ C:\WINDOWS\system32\drivers\ftdibus.sys
2007-10-20 12:32 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-10-20 12:32 53,760 --a------ C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-10-20 02:30 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\iWin
2007-10-20 01:36 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2007-10-20 01:36 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2007-10-20 01:36 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2007-10-20 01:36 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-10-20 01:35 <DIR> d-------- C:\Program Files\coolpro2
2007-10-19 19:01 <DIR> d-------- C:\Program Files\Nero
2007-10-19 19:01 <DIR> d-------- C:\Program Files\Common Files\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 22:05 --------- d-----w C:\Program Files\Advanced System Optimizer
2007-11-15 21:55 --------- d-----w C:\Program Files\Trend Micro
2007-11-15 20:20 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-15 20:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 06:41 --------- d-----w C:\Program Files\Google
2007-11-14 03:07 --------- d-----w C:\Program Files\Java
2007-11-13 22:35 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-13 07:32 --------- d-----w C:\Program Files\Microsoft Games
2007-11-13 07:23 --------- d-----w C:\Program Files\QuickTime
2007-11-13 07:23 --------- d-----w C:\Program Files\LimeWire
2007-11-12 01:31 9,046 -c--a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-11-10 18:52 --------- d-----w C:\Program Files\InterActual
2007-11-10 00:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-09 23:12 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\IGN_DLM
2007-11-07 23:53 --------- d-----w C:\Program Files\Common Files\aolshare
2007-11-07 23:53 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-07 20:42 --------- d-----w C:\Program Files\HPQ
2007-11-07 19:22 --------- d-----w C:\Program Files\Yahoo!
2007-11-07 19:22 --------- d-----w C:\Program Files\Support.com
2007-11-07 19:21 --------- d-----w C:\Program Files\Real
2007-11-07 19:21 --------- d-----w C:\Program Files\Online Backup
2007-11-07 19:21 --------- d-----w C:\Program Files\MSN Toolbar Suite
2007-11-07 19:21 --------- d-----w C:\Program Files\MSN Messenger
2007-11-07 19:21 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-11-07 19:21 --------- d-----w C:\Program Files\ICOO Loader
2007-11-07 19:20 --------- d-----w C:\Program Files\GameSpy Arcade
2007-11-04 18:29 --------- d-----w C:\Program Files\Sonic
2007-10-24 06:43 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-22 22:54 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-10-20 22:35 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\muvee Technologies
2007-10-20 22:05 --------- d-----w C:\Program Files\AskTBar
2007-10-20 17:52 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2007-10-20 00:11 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Nero
2007-10-20 00:01 --------- dc----w C:\Documents and Settings\All Users\Application Data\Nero
2007-10-19 20:13 --------- d-----w C:\Program Files\AusLogics Disk Defrag
2007-10-19 19:47 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-19 17:47 --------- d-----w C:\Program Files\PConPoint
2007-10-19 17:07 --------- d-----w C:\Program Files\Easy Internet signup
2007-10-19 16:06 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-19 15:52 --------- d-----w C:\Program Files\IncrediMail
2007-10-19 05:37 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Intuit
2007-10-19 05:36 --------- dc----w C:\Documents and Settings\All Users\Application Data\Intuit
2007-10-19 05:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-19 05:20 --------- d-----w C:\Program Files\Common Files\Real
2007-10-19 05:18 --------- d-----w C:\Program Files\AOL Computer Check-Up
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0f
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0e
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0b
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0
2007-10-19 04:49 --------- dc----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-10-19 04:40 --------- d-----w C:\Program Files\HP
2007-10-19 04:33 1,716 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_PY208AV-ABA a1030e_YC_0Pavi_QMXG530_E53NAheBLU5_47_ISalmon_SASUSTek Computer INC._V1.04_B3.15_T051019_WXH2_L409_M896_J80_7AMD_8Sempron_91.81_#050913_N10390900_Z11C1048C_G10396330.MRK
2007-10-19 04:30 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-10-19 03:44 --------- d-----w C:\Program Files\Webshots
2007-10-19 02:54 --------- d-----w C:\Program Files\Rhapsody
2007-10-19 02:13 --------- d-----w C:\Program Files\BellSouth
2007-10-19 02:10 132,675 ----a-w C:\Program Files\INSTALL.LOG
2007-10-19 02:01 --------- dc----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-19 00:17 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\BellSouth
2007-10-19 00:17 --------- dc----w C:\Documents and Settings\All Users\Application Data\BellSouth
2007-10-19 00:04 --------- d-----w C:\Program Files\Common Files\Motive
2007-10-18 23:50 4 -c--a-w C:\WINDOWSRegDefrag.dat
2007-10-17 18:12 --------- d-----w C:\Program Files\DFX
2007-10-17 08:43 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-10-17 08:43 --------- dc----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-17 08:43 --------- d--h--r C:\Documents and Settings\HP_Owner\Application Data\yahoo!
2007-10-17 08:42 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-10-17 08:41 --------- dc----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-10-17 08:41 --------- d-----w C:\Program Files\Multimedia Transcoding Tool
2007-10-17 08:40 --------- d-----w C:\Program Files\AOL 9.0a
2007-10-17 08:37 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\AOL
2007-10-17 05:37 --------- d-----w C:\Program Files\web-radio
2007-10-17 04:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-12 04:03 --------- dc----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-10-11 19:08 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\AdobeUM
2007-10-10 16:50 --------- d-----w C:\Program Files\ACNielsen
2007-10-06 17:11 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-06 08:43 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\WeatherBug
2007-09-29 19:48 --------- dc----w C:\Documents and Settings\All Users\Application Data\DFX
2007-09-28 18:34 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Babylon
2007-09-24 13:05 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-24 13:05 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-20 13:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 13:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-01-10 17:15 839,684 ----a-w C:\WINDOWS\Fonts\Crack.exe
2007-01-10 17:15 839,683 --sh--w C:\WINDOWS\Fonts\svchost.exe
2006-11-12 18:42 0 ----a-w C:\Program Files\Common Files\err.log
2006-09-19 18:10 1 -c--a-w C:\Documents and Settings\HP_Owner\SI.bin
2006-05-10 18:26 299 -c--a-w C:\Documents and Settings\HP_Owner\Application Data\internaldb1942.dat
2006-01-26 20:53 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-01-10 17:15:15 839,683 --sh--w C:\WINDOWS\Fonts\svchost.exe
2005-11-15 21:39:10 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d91edfd0-519c-4707-8869-95221c3f4bc3}]
2007-11-13 20:18 80448 --a--c--- C:\WINDOWS\system32\jwwspdfs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0B54BEC-9209-4B5D-94E5-A8906DE18FFB}]
2007-11-14 02:21 37376 --a------ C:\WINDOWS\system32\nnnnkkk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-01-05 01:54 C:\WINDOWS\system32\SiSPower.dll]
"CTHelper"="CTHELPER.EXE" [2003-11-14 03:18 C:\WINDOWS\system32\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 10:00]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 11:07]
"tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" [2005-08-31 13:14]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 12:12]
"AT&T Internet Security Suite"="C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe" [2007-06-28 15:09]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-18 21:47]
"HostManager"="C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe" [2007-04-12 16:23]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-08-30 13:04]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 16:32]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 18:14]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 00:34]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-11-16 13:55]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [2007-01-10 12:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-10-09 11:02]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 16:57]
"AOL Fast Start"="C:\Program Files\AOL 9.0b\AOL.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 17:11]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-10-18 22:05]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-11-14 12:32]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB2355"=command /c del "C:\WINDOWS\system32\usysykju.dll_old"
"SpybotDeletingD5429"=cmd /c del "C:\WINDOWS\system32\usysykju.dll_old"
"SpybotDeletingB6316"=command /c del "C:\WINDOWS\system32\usysykju.dll"
"SpybotDeletingD1614"=cmd /c del "C:\WINDOWS\system32\usysykju.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA781"=command /c del "C:\WINDOWS\system32\usysykju.dll_old"
"SpybotDeletingC8533"=cmd /c del "C:\WINDOWS\system32\usysykju.dll_old"
"SpybotDeletingA9287"=command /c del "C:\WINDOWS\system32\usysykju.dll"
"SpybotDeletingC3200"=cmd /c del "C:\WINDOWS\system32\usysykju.dll"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMIDI"=MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E0B54BEC-9209-4B5D-94E5-A8906DE18FFB}"= C:\WINDOWS\system32\nnnnkkk.dll [2007-11-14 02:21 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnkkk]
nnnnkkk.dll 2007-11-14 02:21 37376 C:\WINDOWS\system32\nnnnkkk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\usysykju]
usysykju.dll

R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
S3 Radialpoint Security Services;AT&T Internet Security Suite;C:\WINDOWS\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874}

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e29e2fbc-b976-11d9-bac2-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-11-12 19:06:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-03 03:55:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-11-12 13:57:00 C:\WINDOWS\Tasks\Find Duplicate Files.job"
- C:\PROGRA~1\ADVANC~1\finddupe.exe
"2007-11-09 21:45:01 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe
"2007-05-23 02:40:25 C:\WINDOWS\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe
"2007-05-28 00:35:29 C:\WINDOWS\Tasks\HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe
"2007-11-15 23:17:14 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-11-15 20:35:48 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-11-15 23:12:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2007-11-15 23:21:05 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-11-15 19:06:20 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 18:18:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-15 18:21:32 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-15 16:22
C:\ComboFix3.txt ... 2007-11-15 13:19
.
--- E O F ---

#3 User is offline   Yourhighness 

  • The BSG Malware Fighter
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,925
  • Joined: 20-April 06
  • Gender:Male
  • Location:Hamburg

Posted 28 November 2007 - 08:12 AM

Hello rvbeaumont and welcome to BleepingComputer!

Apollogies for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log.

Thanks,

Johannes
"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image

#4 User is offline   rvbeaumont 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 15-November 07
  • Location:key west

Posted 29 November 2007 - 02:13 AM

It's back, just did combofix, and readded destroy, already have a great spyware, will run, but here is the latest log, and it didn't take it away, will try again, and log it on again.
ComboFix 07-11-19.4 - HP_Owner 2007-11-29 1:30:56.13 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.405 [GMT -5:00]Running from: C:\Documents and Settings\HP_Owner\My Documents\My Videos\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\HP_Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\HP_Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\HP_Owner\Favorites\Online Security Guide.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\c1
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\j2
C:\WINDOWS\system32\j2\ppjup83122.exe
C:\WINDOWS\system32\m8
C:\WINDOWS\system32\m8\nsts2dll1.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmkhi.dll
C:\WINDOWS\system32\pzvyotou.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\core
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-29 01:48 0 ---hs---- C:\WINDOWS\system32\pzvyotou.dllbox
2007-11-29 01:22 789,408 ---hs---- C:\WINDOWS\system32\kysndupv.ini
2007-11-29 01:17 144,480 --a------ C:\WINDOWS\system32\pzvyotou.dll
2007-11-29 01:16 144,480 --a--c--- C:\WINDOWS\system32\xkiuhcwh.dll
2007-11-29 01:13 77,888 --a--c--- C:\WINDOWS\system32\haecltty.dll
2007-11-29 01:11 71,232 --a--c--- C:\WINDOWS\system32\ndkttktx.exe
2007-11-27 23:26 36,864 --a------ C:\WINDOWS\system32\gebxutu.dll
2007-11-27 19:58 789,288 --ahs---- C:\WINDOWS\system32\rpddfylh.ini
2007-11-27 19:49 71,232 --a--c--- C:\WINDOWS\system32\astbfaoq.exe
2007-11-27 18:55 294 --ahs---- C:\WINDOWS\system32\lekemoub.ini
2007-11-27 12:06 78,912 --a--c--- C:\WINDOWS\system32\hggwfuxq.dll
2007-11-27 12:03 85,056 --a--c--- C:\WINDOWS\system32\lqhqyjwt.dll
2007-11-27 12:03 526 --ahs---- C:\WINDOWS\system32\twjyqhql.ini
2007-11-27 12:01 71,232 --a--c--- C:\WINDOWS\system32\hoebwqke.exe
2007-11-27 04:09 78,912 --a--c--- C:\WINDOWS\system32\ucvacjes.dll
2007-11-27 04:09 354 --ahs---- C:\WINDOWS\system32\raopqtos.ini
2007-11-27 04:08 36,864 --a------ C:\WINDOWS\system32\nnnkkjh.dll
2007-11-27 04:06 71,232 --a--c--- C:\WINDOWS\system32\amlmghtc.exe
2007-11-27 03:57 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-11-27 03:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{FAE72283-E912-4CA0-A263-E07183A4AF20}
2007-11-27 03:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}
2007-11-27 03:01 36 --ah----- C:\WINDOWS\system32\f9t.dat
2007-11-27 01:51 <DIR> d-------- C:\Program Files\iTunes
2007-11-26 20:40 80,960 --a--c--- C:\WINDOWS\system32\lyrgompo.dll
2007-11-26 20:37 85,056 --a--c--- C:\WINDOWS\system32\gocqxgou.dll
2007-11-26 20:37 534 --ahs---- C:\WINDOWS\system32\uogxqcog.ini
2007-11-26 20:35 71,232 --a--c--- C:\WINDOWS\system32\ahjllxju.exe
2007-11-26 20:09 80,960 --a--c--- C:\WINDOWS\system32\tktcfhak.dll
2007-11-26 20:09 474 --ahs---- C:\WINDOWS\system32\lqhtxddv.ini
2007-11-26 20:01 71,232 --a--c--- C:\WINDOWS\system32\gnbomdsc.exe
2007-11-26 03:49 354 --ahs---- C:\WINDOWS\system32\pnevawfw.ini
2007-11-26 03:45 80,960 --a--c--- C:\WINDOWS\system32\qmckutyp.dll
2007-11-26 03:40 71,232 --a--c--- C:\WINDOWS\system32\qccvxgpq.exe
2007-11-25 14:36 79,936 --a--c--- C:\WINDOWS\system32\rnghanvc.dll
2007-11-25 14:33 85,056 --a--c--- C:\WINDOWS\system32\mgigrpgh.dll
2007-11-25 14:33 294 --ahs---- C:\WINDOWS\system32\hgprgigm.ini
2007-11-25 14:31 71,232 --a--c--- C:\WINDOWS\system32\pkjrdxeq.exe
2007-11-25 13:35 79,936 --a--c--- C:\WINDOWS\system32\ynsnofiw.dll
2007-11-25 13:29 85,056 --a--c--- C:\WINDOWS\system32\hdisunts.dll
2007-11-25 13:29 414 --ahs---- C:\WINDOWS\system32\stnusidh.ini
2007-11-25 13:28 71,232 --a--c--- C:\WINDOWS\system32\gjkqifcb.exe
2007-11-25 01:57 79,936 --a--c--- C:\WINDOWS\system32\okgnmwqk.dll
2007-11-25 01:52 354 --ahs---- C:\WINDOWS\system32\dcmwijdi.ini
2007-11-25 01:50 71,232 --a--c--- C:\WINDOWS\system32\jusuqald.exe
2007-11-24 15:01 85,056 --a--c--- C:\WINDOWS\system32\txhsordg.dll
2007-11-24 15:01 294 --ahs---- C:\WINDOWS\system32\gdroshxt.ini
2007-11-24 14:58 81,472 --a--c--- C:\WINDOWS\system32\ddxfxlrq.dll
2007-11-24 14:55 71,232 --a--c--- C:\WINDOWS\system32\hgnccvss.exe
2007-11-23 12:17 83,520 --a--c--- C:\WINDOWS\system32\squneltu.dll
2007-11-23 12:11 85,056 --a--c--- C:\WINDOWS\system32\myvborev.dll
2007-11-23 12:09 71,232 --a--c--- C:\WINDOWS\system32\datqxpxm.exe
2007-11-23 02:50 <DIR> d-------- C:\Program Files\Microsoft Games
2007-11-23 02:50 83,520 --a--c--- C:\WINDOWS\system32\pesuexct.dll
2007-11-23 02:42 71,232 --a--c--- C:\WINDOWS\system32\ennqbiwg.exe
2007-11-23 01:32 83,520 --a--c--- C:\WINDOWS\system32\lofpawas.dll
2007-11-23 01:29 85,056 --a--c--- C:\WINDOWS\system32\gawvyhes.dll
2007-11-23 01:29 294 --ahs---- C:\WINDOWS\system32\sehyvwag.ini
2007-11-23 01:24 71,232 --a--c--- C:\WINDOWS\system32\ikersexg.exe
2007-11-23 01:00 83,520 --a--c--- C:\WINDOWS\system32\jwycvwpy.dll
2007-11-23 00:54 85,056 --a--c--- C:\WINDOWS\system32\xlhqqrlv.dll
2007-11-23 00:52 71,232 --a--c--- C:\WINDOWS\system32\iipiulaw.exe
2007-11-22 23:51 79,936 --a--c--- C:\WINDOWS\system32\rppbtokh.dll
2007-11-22 23:48 714,650 --ahs---- C:\WINDOWS\system32\ofspjqii.ini
2007-11-22 23:48 85,056 --a--c--- C:\WINDOWS\system32\iiqjpsfo.dll
2007-11-22 23:43 71,232 --a--c--- C:\WINDOWS\system32\yskbmyoy.exe
2007-11-21 19:41 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\iWin
2007-11-21 16:42 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\SampleView
2007-11-21 16:30 <DIR> d-------- C:\Program Files\LimeWire
2007-11-21 15:20 917,504 --a------ C:\WINDOWS\system32\FLASH.OCX
2007-11-21 15:02 80,960 --a--c--- C:\WINDOWS\system32\bivsylaf.dll
2007-11-21 14:59 714,590 --ahs---- C:\WINDOWS\system32\ytxcdfwy.ini
2007-11-21 14:57 71,232 --a--c--- C:\WINDOWS\system32\mcxotbcu.exe
2007-11-21 12:58 80,960 --a--c--- C:\WINDOWS\system32\rssruhne.dll
2007-11-21 12:52 714,461 --ahs---- C:\WINDOWS\system32\jqgrnofu.ini
2007-11-21 12:51 <DIR> d-------- C:\WINDOWS\system32\rMa05yy
2007-11-21 12:51 <DIR> d-------- C:\temp\abW9
2007-11-21 12:50 71,232 --a--c--- C:\WINDOWS\system32\niyldnmh.exe
2007-11-20 12:17 714,341 --ahs---- C:\WINDOWS\system32\jyahqbll.ini
2007-11-20 12:11 84,544 --a--c--- C:\WINDOWS\system32\fhuuiwdv.dll
2007-11-20 12:08 71,232 --a--c--- C:\WINDOWS\system32\ytwrvmwl.exe
2007-11-19 16:44 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\ArcSoft
2007-11-19 16:42 230,432 --a--c--- C:\PA7311.DAT
2007-11-19 16:39 <DIR> d-------- C:\Program Files\VGA USB Camera
2007-11-19 16:39 6,656 --a------ C:\WINDOWS\system32\CoInst.dll
2007-11-19 16:39 518 --a------ C:\WINDOWS\system32\SP7311.INI
2007-11-19 15:40 53,248 --a------ C:\WINDOWS\system32\PAStiSvc.exe
2007-11-19 15:39 <DIR> d-------- C:\WINDOWS\PixArt
2007-11-19 15:11 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2007-11-19 15:11 <DIR> d-------- C:\Program Files\ArcSoft
2007-11-19 15:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2007-11-19 15:11 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-11-19 15:11 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2007-11-19 12:18 685,712 --ahs---- C:\WINDOWS\system32\xjbmwhgg.ini
2007-11-19 12:18 85,056 --a--c--- C:\WINDOWS\system32\gghwmbjx.dll
2007-11-19 12:15 83,008 --a--c--- C:\WINDOWS\system32\redpfdtq.dll
2007-11-18 12:14 79,424 --a--c--- C:\WINDOWS\system32\dvodghbp.dll
2007-11-18 12:11 677,929 --ahs---- C:\WINDOWS\system32\nihodhut.ini
2007-11-18 12:11 85,056 --a--c--- C:\WINDOWS\system32\tuhdohin.dll
2007-11-18 12:08 71,232 --a--c--- C:\WINDOWS\system32\fvlxugyf.exe
2007-11-17 12:16 85,056 --a--c--- C:\WINDOWS\system32\xodqlyvu.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 06:49 36,864 -c--a-w C:\svchost.exe
2007-11-27 09:38 --------- d-----w C:\Program Files\Real
2007-11-27 08:56 --------- d-----w C:\Program Files\Common Files\Real
2007-11-27 08:03 --------- d-----w C:\Program Files\Stamps.com Internet Postage
2007-11-27 07:51 --------- dc----w C:\Documents and Settings\All Users\Application Data\{75EE35BC-E993-41FD-9DBA-9AD37F50E521}
2007-11-27 01:05 9,356 -c--a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-11-26 08:37 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-26 08:14 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\IGN_DLM
2007-11-23 05:51 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-21 17:49 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\AT&T
2007-11-21 08:40 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\My Battle for Middle-earth Files
2007-11-21 08:40 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-11-21 08:40 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Audacity
2007-11-21 08:40 --------- d--h--r C:\Documents and Settings\HP_Owner\Application Data\yahoo!
2007-11-21 08:40 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Viewpoint
2007-11-21 06:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 07:21 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-20 07:20 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-19 22:23 --------- d-----w C:\Program Files\Common Files\Logitech
2007-11-19 18:44 --------- d-----w C:\Program Files\Google
2007-11-19 18:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 17:42 --------- d-----w C:\Program Files\Yahoo!
2007-11-19 17:42 --------- d-----w C:\Program Files\QuickTime
2007-11-19 17:42 --------- d-----w C:\Program Files\Online Backup
2007-11-19 17:42 --------- d-----w C:\Program Files\MSN Toolbar Suite
2007-11-19 17:42 --------- d-----w C:\Program Files\MSN Messenger
2007-11-19 17:41 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-11-19 17:41 --------- d-----w C:\Program Files\Java
2007-11-19 17:41 --------- d-----w C:\Program Files\ICOO Loader
2007-11-19 17:41 --------- d-----w C:\Program Files\HPQ
2007-11-19 17:41 --------- d-----w C:\Program Files\GameSpy Arcade
2007-11-19 17:40 --------- d-----w C:\Program Files\Common Files\aolshare
2007-11-19 17:40 --------- d-----w C:\Program Files\America Online 9.0i
2007-11-17 19:13 --------- d-----w C:\Program Files\Common Files\Motive
2007-11-15 22:05 --------- d-----w C:\Program Files\Advanced System Optimizer
2007-11-15 21:55 --------- d-----w C:\Program Files\Trend Micro
2007-11-13 22:35 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-10 18:52 --------- d-----w C:\Program Files\InterActual
2007-11-08 23:16 --------- d-----w C:\Program Files\coolpro2
2007-11-04 18:29 --------- d-----w C:\Program Files\Sonic
2007-10-25 07:25 --------- d-----w C:\Program Files\MSECache
2007-10-25 07:05 --------- d-----w C:\Program Files\Download Manager
2007-10-24 06:44 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\QQ Games Plugin
2007-10-22 22:54 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-10-20 22:35 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\muvee Technologies
2007-10-20 17:52 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2007-10-20 00:11 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Nero
2007-10-20 00:03 --------- d-----w C:\Program Files\Common Files\Nero
2007-10-20 00:01 --------- dc----w C:\Documents and Settings\All Users\Application Data\Nero
2007-10-20 00:01 --------- d-----w C:\Program Files\Nero
2007-10-19 20:13 --------- d-----w C:\Program Files\AusLogics Disk Defrag
2007-10-19 19:47 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-19 17:47 --------- d-----w C:\Program Files\PConPoint
2007-10-19 17:07 --------- d-----w C:\Program Files\Easy Internet signup
2007-10-19 16:06 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-19 15:52 --------- d-----w C:\Program Files\IncrediMail
2007-10-19 15:23 --------- d-----w C:\Program Files\AOL Companion
2007-10-19 05:41 --------- d-----w C:\Program Files\Audacity
2007-10-19 05:36 --------- dc----w C:\Documents and Settings\All Users\Application Data\Intuit
2007-10-19 05:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-19 05:19 --------- d-----w C:\Program Files\BellSouth Application Management
2007-10-19 05:18 --------- d-----w C:\Program Files\AOL Computer Check-Up
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0f
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0e
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0b
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0
2007-10-19 04:49 --------- dc----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-10-19 04:40 --------- d-----w C:\Program Files\Learn2.com
2007-10-19 04:40 --------- d-----w C:\Program Files\HP
2007-10-19 04:35 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Symantec
2007-10-19 04:34 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Apple Computer
2007-10-19 04:33 1,716 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_PY208AV-ABA a1030e_YC_0Pavi_QMXG530_E53NAheBLU5_47_ISalmon_SASUSTek Computer INC._V1.04_B3.15_T051019_WXH2_L409_M896_J80_7AMD_8Sempron_91.81_#050913_N10390900_Z11C1048C_G10396330.MRK
2007-10-19 04:30 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-10-19 03:44 --------- d-----w C:\Program Files\Webshots
2007-10-19 03:27 8,413 ----a-w C:\WINDOWS\system32\drivers\mcstrm.sys
2007-10-19 02:54 --------- d-----w C:\Program Files\Rhapsody
2007-10-19 02:21 --------- d-----w C:\Program Files\Common Files\Scanner
2007-10-19 02:16 --------- dc----w C:\Documents and Settings\All Users\Application Data\Raxco
2007-10-19 02:16 --------- d-----w C:\Program Files\Raxco
2007-10-19 02:16 --------- d-----w C:\Program Files\Common Files\Authentium
2007-10-19 02:15 --------- dc----w C:\Documents and Settings\All Users\Application Data\AT&T
2007-10-19 02:15 --------- d-----w C:\Program Files\CA
2007-10-19 02:15 --------- d-----w C:\Program Files\AT&T
2007-10-19 02:13 --------- d-----w C:\Program Files\BellSouth
2007-10-19 02:10 132,675 ----a-w C:\Program Files\INSTALL.LOG
2007-10-19 02:01 --------- dc----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-19 00:17 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\BellSouth
2007-10-19 00:17 --------- dc----w C:\Documents and Settings\All Users\Application Data\BellSouth
2007-10-19 00:08 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-10-18 23:50 4 -c--a-w C:\WINDOWSRegDefrag.dat
2007-10-17 21:39 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\URSoft
2007-10-17 18:12 --------- d-----w C:\Program Files\DFX
2007-10-17 08:45 --------- dc----w C:\Documents and Settings\All Users\Application Data\Babylon
2007-10-17 08:43 --------- dc----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-17 08:42 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-10-17 08:41 --------- dc----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-10-17 08:41 --------- d-----w C:\Program Files\Multimedia Transcoding Tool
2007-10-17 08:40 --------- d-----w C:\Program Files\AOL 9.0a
2007-10-17 08:37 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\AOL
2007-10-17 04:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-01-10 17:15 290,817 --sh--w C:\WINDOWS\Fonts\svchost.exe
2005-11-15 21:39 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02914A9D-75B0-48FA-9FF4-6593633F86B9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14EF0ED5-350D-4D1E-BD83-912E8890233C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17ADD453-B11F-48B9-9A91-FF61E0443962}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DF88ED8-3757-4741-BD74-5380C9618EA9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{554AE99C-B34F-4708-8B30-09FFEDBBFFC4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68B23624-4DAA-4A6E-808A-AA0A766014FC}]
2007-08-02 08:43 282624 --a------ C:\Program Files\MSN Gaming Zone\niqy83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7398f3b7-2336-4a93-8f05-f9e77ef24dbc}]
2007-11-29 01:52 171520 --a------ C:\WINDOWS\system32\prowfvt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7527f8af-4e27-40f5-a273-903aebd7ba40}]
2007-11-29 01:13 77888 --a--c--- C:\WINDOWS\system32\haecltty.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C6D3701-B4E2-4222-BA7B-A1148A7D043D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E08ACE5-DA89-48D4-B3EE-F0D4F9564C5A}]
2007-08-02 08:43 282624 --a------ C:\Program Files\MSN Gaming Zone\niqy4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{984CC232-B0BD-427B-99B6-A68494725B53}]
2007-08-02 08:43 282624 --a------ C:\Program Files\MSN Gaming Zone\niqy83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-29 01:17 144480 --a------ C:\WINDOWS\system32\pzvyotou.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC4E019E-26B4-45C5-ADEE-C26BD9BB2701}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0B54BEC-9209-4B5D-94E5-A8906DE18FFB}]
2007-11-14 02:21 37376 --a------ C:\WINDOWS\system32\nnnnkkk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E29E966E-BA13-4EB5-B7E4-9045E6799DF2}]
2007-11-29 01:52 322144 --a------ C:\WINDOWS\system32\mljjh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6763192-2D5B-4DAF-A49F-0592182BD33E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E72C75C6-DD4F-47CA-9BED-E5265D6BB412}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6711FDD-6B25-4A67-B8C3-9B1BE96BC87A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\pzvyotou.dll [2007-11-29 01:17 144480]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\pzvyotou.dll [2007-11-29 01:17 144480]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-10-09 11:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 17:11]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-10-18 22:05]
"WebBuying"="C:\Program Files\Web Buying\v1.8.6\webbuying.exe" [2007-11-29 01:51]
"Insider"="C:\Program Files\Insider\Insider.exe" [2007-11-29 01:55]
"WinTouch"="C:\Documents and Settings\HP_Owner\Application Data\WinTouch\WinTouch.exe" [2007-11-29 02:00]
"SfKg6w"="C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Windows\rayiou.exe" [2007-11-29 02:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="Rundll32.exe" [2004-08-03 23:00 C:\WINDOWS\system32\rundll32.exe]
"CTHelper"="CTHELPER.EXE" [2003-11-14 03:18 C:\WINDOWS\system32\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 10:00]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 12:12]
"AT&T Internet Security Suite"="C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe" [2007-06-28 15:09]
"HostManager"="C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe" [2007-04-12 16:23]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-08-30 13:04]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 18:14]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 00:34]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [2007-01-10 12:15]
"HelpCenter4.1"="C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-10-22 10:27]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-27 03:53]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-11-16 13:55]
"0c9120a5"="C:\WINDOWS\system32\vpudnsyk.dll" [2007-11-29 01:22]
"runner1"="C:\WINDOWS\mrofinu1188.exe" [2007-11-29 01:51]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2003-06-21 04:13 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-09-15 22:44:01]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E0B54BEC-9209-4B5D-94E5-A8906DE18FFB}"= C:\WINDOWS\system32\nnnnkkk.dll [2007-11-14 02:21 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnkkk]
nnnnkkk.dll 2007-11-14 02:21 37376 C:\WINDOWS\system32\nnnnkkk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pzvyotou]
pzvyotou.dll 2007-11-29 01:17 144480 C:\WINDOWS\system32\pzvyotou.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\usysykju]
usysykju.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljjh.dll
path=
backup=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0c9120a5]
rundll32.exe C:\WINDOWS\system32\gocqxgou.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2004-04-07 11:07 496752 --a------ C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
c:\progra~1\common~1\instal~1\update~1\issch.exe -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBInstall]
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\MBDownloader_876923.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257

R3 PAC7311;VGA USB Camera;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e29e2fbc-b976-11d9-bac2-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - CORE
.
Contents of the 'Scheduled Tasks' folder
"2007-11-24 04:55:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-11-26 13:57:00 C:\WINDOWS\Tasks\Find Duplicate Files.job"
- C:\PROGRA~1\ADVANC~1\finddupe.exe
"2007-11-28 22:15:06 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe
"2007-05-23 02:40:25 C:\WINDOWS\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-05-28 00:35:29 C:\WINDOWS\Tasks\HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-11-29 06:48:23 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-11-22 11:57:40 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-11-29 07:02:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2007-11-29 06:48:22 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-11-27 08:01:31 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 01:48:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\pac.txt 279600 bytes
C:\WINDOWS\system32\prowfvt.dll 171520 bytes executable
C:\WINDOWS\system32\hjjlm.ini 320 bytes
C:\WINDOWS\system32\daSgo18

scan completed successfully
hidden files: 4

**************************************************************************
.
Completion time: 2007-11-29 2:04:17 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-27 23:38
C:\ComboFix3.txt ... 2007-11-15 19:47
.
--- E O F ---

#5 User is offline   rvbeaumont 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 15-November 07
  • Location:key west

Posted 29 November 2007 - 11:49 AM

well I forgot to unplug the internet,so the last one did nothing, and I think it's popping up again. I have unabled IE and working on firefox. Here's the latest
ComboFix 07-11-19.4 - HP_Owner 2007-11-29 4:20:52.16 - NTFSx86
Running from: C:\Documents and Settings\HP_Owner\My Documents\My Videos\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\HP_Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\HP_Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\HP_Owner\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\pzvyotou.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-29 01:51 <DIR> d-------- C:\WINDOWS\system32\mm6
2007-11-29 01:51 <DIR> d-------- C:\WINDOWS\system32\hv2
2007-11-29 01:51 <DIR> d-------- C:\WINDOWS\system32\ft21
2007-11-29 01:51 <DIR> d-------- C:\WINDOWS\system32\dr1
2007-11-29 01:51 <DIR> d-------- C:\WINDOWS\system32\daSgo18
2007-11-29 01:51 <DIR> d-------- C:\temp\bkR11
2007-11-29 01:51 37,376 --a------ C:\WINDOWS\system32\byxwwts.dll
2007-11-29 01:22 1,407,109 ---hs---- C:\WINDOWS\system32\kysndupv.ini
2007-11-29 01:22 85,056 --a--c--- C:\WINDOWS\system32\vpudnsyk.dll
2007-11-29 01:17 144,480 --------- C:\WINDOWS\system32\pzvyotou.dll_old
2007-11-29 01:17 144,480 --ah----- C:\WINDOWS\system32\pzvyotou.dll
2007-11-29 01:16 144,480 --a--c--- C:\WINDOWS\system32\xkiuhcwh.dll
2007-11-29 01:13 77,888 --a--c--- C:\WINDOWS\system32\haecltty.dll
2007-11-27 23:26 36,864 --a------ C:\WINDOWS\system32\gebxutu.dll
2007-11-27 19:58 789,288 --ahs---- C:\WINDOWS\system32\rpddfylh.ini
2007-11-27 18:55 294 --ahs---- C:\WINDOWS\system32\lekemoub.ini
2007-11-27 12:06 78,912 --a--c--- C:\WINDOWS\system32\hggwfuxq.dll
2007-11-27 12:03 85,056 --a--c--- C:\WINDOWS\system32\lqhqyjwt.dll
2007-11-27 12:03 526 --ahs---- C:\WINDOWS\system32\twjyqhql.ini
2007-11-27 04:09 78,912 --a--c--- C:\WINDOWS\system32\ucvacjes.dll
2007-11-27 04:09 354 --ahs---- C:\WINDOWS\system32\raopqtos.ini
2007-11-27 04:08 36,864 --a------ C:\WINDOWS\system32\nnnkkjh.dll
2007-11-27 03:57 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-11-27 03:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{FAE72283-E912-4CA0-A263-E07183A4AF20}
2007-11-27 03:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}
2007-11-27 03:01 36 --ah----- C:\WINDOWS\system32\f9t.dat
2007-11-27 01:51 <DIR> d-------- C:\Program Files\iTunes
2007-11-26 20:40 80,960 --a--c--- C:\WINDOWS\system32\lyrgompo.dll
2007-11-26 20:37 85,056 --a--c--- C:\WINDOWS\system32\gocqxgou.dll
2007-11-26 20:37 534 --ahs---- C:\WINDOWS\system32\uogxqcog.ini
2007-11-26 20:09 80,960 --a--c--- C:\WINDOWS\system32\tktcfhak.dll
2007-11-26 20:09 474 --ahs---- C:\WINDOWS\system32\lqhtxddv.ini
2007-11-26 03:49 354 --ahs---- C:\WINDOWS\system32\pnevawfw.ini
2007-11-26 03:45 80,960 --a--c--- C:\WINDOWS\system32\qmckutyp.dll
2007-11-25 14:36 79,936 --a--c--- C:\WINDOWS\system32\rnghanvc.dll
2007-11-25 14:33 85,056 --a--c--- C:\WINDOWS\system32\mgigrpgh.dll
2007-11-25 14:33 294 --ahs---- C:\WINDOWS\system32\hgprgigm.ini
2007-11-25 13:35 79,936 --a--c--- C:\WINDOWS\system32\ynsnofiw.dll
2007-11-25 13:29 85,056 --a--c--- C:\WINDOWS\system32\hdisunts.dll
2007-11-25 13:29 414 --ahs---- C:\WINDOWS\system32\stnusidh.ini
2007-11-25 01:57 79,936 --a--c--- C:\WINDOWS\system32\okgnmwqk.dll
2007-11-25 01:52 354 --ahs---- C:\WINDOWS\system32\dcmwijdi.ini
2007-11-24 15:01 85,056 --a--c--- C:\WINDOWS\system32\txhsordg.dll
2007-11-24 15:01 294 --ahs---- C:\WINDOWS\system32\gdroshxt.ini
2007-11-24 14:58 81,472 --a--c--- C:\WINDOWS\system32\ddxfxlrq.dll
2007-11-23 12:17 83,520 --a--c--- C:\WINDOWS\system32\squneltu.dll
2007-11-23 12:11 85,056 --a--c--- C:\WINDOWS\system32\myvborev.dll
2007-11-23 12:11 294 --ahs---- C:\WINDOWS\system32\verobvym.ini
2007-11-23 02:50 <DIR> d-------- C:\Program Files\Microsoft Games
2007-11-23 02:50 83,520 --a--c--- C:\WINDOWS\system32\pesuexct.dll
2007-11-23 02:44 85,056 --a--c--- C:\WINDOWS\system32\wbgpqwru.dll
2007-11-23 02:44 294 --ahs---- C:\WINDOWS\system32\urwqpgbw.ini
2007-11-23 01:32 83,520 --a--c--- C:\WINDOWS\system32\lofpawas.dll
2007-11-23 01:29 85,056 --a--c--- C:\WINDOWS\system32\gawvyhes.dll
2007-11-23 01:29 294 --ahs---- C:\WINDOWS\system32\sehyvwag.ini
2007-11-23 01:00 83,520 --a--c--- C:\WINDOWS\system32\jwycvwpy.dll
2007-11-23 00:54 85,056 --a--c--- C:\WINDOWS\system32\xlhqqrlv.dll
2007-11-23 00:54 294 --ahs---- C:\WINDOWS\system32\vlrqqhlx.ini
2007-11-22 23:51 79,936 --a--c--- C:\WINDOWS\system32\rppbtokh.dll
2007-11-22 23:48 714,650 --ahs---- C:\WINDOWS\system32\ofspjqii.ini
2007-11-22 23:48 85,056 --a--c--- C:\WINDOWS\system32\iiqjpsfo.dll
2007-11-21 19:41 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\iWin
2007-11-21 16:42 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\SampleView
2007-11-21 16:30 <DIR> d-------- C:\Program Files\LimeWire
2007-11-21 15:20 917,504 --a------ C:\WINDOWS\system32\FLASH.OCX
2007-11-21 15:02 80,960 --a--c--- C:\WINDOWS\system32\bivsylaf.dll
2007-11-21 14:59 714,590 --ahs---- C:\WINDOWS\system32\ytxcdfwy.ini
2007-11-21 12:58 80,960 --a--c--- C:\WINDOWS\system32\rssruhne.dll
2007-11-21 12:52 714,461 --ahs---- C:\WINDOWS\system32\jqgrnofu.ini
2007-11-21 12:51 <DIR> d-------- C:\WINDOWS\system32\rMa05yy
2007-11-21 12:51 <DIR> d-------- C:\temp\abW9
2007-11-20 12:17 714,341 --ahs---- C:\WINDOWS\system32\jyahqbll.ini
2007-11-20 12:11 84,544 --a--c--- C:\WINDOWS\system32\fhuuiwdv.dll
2007-11-19 16:44 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\ArcSoft
2007-11-19 16:42 230,432 --a--c--- C:\PA7311.DAT
2007-11-19 16:39 <DIR> d-------- C:\Program Files\VGA USB Camera
2007-11-19 16:39 6,656 --a------ C:\WINDOWS\system32\CoInst.dll
2007-11-19 16:39 518 --a------ C:\WINDOWS\system32\SP7311.INI
2007-11-19 15:40 53,248 --a------ C:\WINDOWS\system32\PAStiSvc.exe
2007-11-19 15:39 <DIR> d-------- C:\WINDOWS\PixArt
2007-11-19 15:11 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2007-11-19 15:11 <DIR> d-------- C:\Program Files\ArcSoft
2007-11-19 15:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2007-11-19 15:11 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-11-19 15:11 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2007-11-19 12:18 685,712 --ahs---- C:\WINDOWS\system32\xjbmwhgg.ini
2007-11-19 12:18 85,056 --a--c--- C:\WINDOWS\system32\gghwmbjx.dll
2007-11-19 12:15 83,008 --a--c--- C:\WINDOWS\system32\redpfdtq.dll
2007-11-18 12:14 79,424 --a--c--- C:\WINDOWS\system32\dvodghbp.dll
2007-11-18 12:11 677,929 --ahs---- C:\WINDOWS\system32\nihodhut.ini
2007-11-18 12:11 85,056 --a--c--- C:\WINDOWS\system32\tuhdohin.dll
2007-11-17 12:16 677,938 --ahs---- C:\WINDOWS\system32\uvylqdox.ini
2007-11-17 12:16 85,056 --a--c--- C:\WINDOWS\system32\xodqlyvu.dll
2007-11-17 12:10 82,496 --a--c--- C:\WINDOWS\system32\xtjgbnjy.dll
2007-11-17 02:17 40,960 --a--c--- C:\Documents and Settings\HP_Owner\f.exe
2007-11-17 02:17 36,352 --a------ C:\WINDOWS\system32\rqrrspq.dll
2007-11-17 02:17 13,902 --a--c--- C:\Documents and Settings\HP_Owner\z.dat
2007-11-17 02:17 1,249 --a--c--- C:\Documents and Settings\HP_Owner\x.dat
2007-11-17 02:17 260 --a--c--- C:\6463.bat
2007-11-16 12:15 81,984 --a--c--- C:\WINDOWS\system32\pfuofenr.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 07:11 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-27 09:38 --------- d-----w C:\Program Files\Real
2007-11-27 08:56 --------- d-----w C:\Program Files\Common Files\Real
2007-11-27 08:03 --------- d-----w C:\Program Files\Stamps.com Internet Postage
2007-11-27 07:51 --------- dc----w C:\Documents and Settings\All Users\Application Data\{75EE35BC-E993-41FD-9DBA-9AD37F50E521}
2007-11-27 01:05 9,356 -c--a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-11-26 08:14 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\IGN_DLM
2007-11-23 05:51 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-21 17:49 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\AT&T
2007-11-21 08:40 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\My Battle for Middle-earth Files
2007-11-21 08:40 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-11-21 08:40 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Audacity
2007-11-21 08:40 --------- d--h--r C:\Documents and Settings\HP_Owner\Application Data\yahoo!
2007-11-21 08:40 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Viewpoint
2007-11-21 06:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 07:21 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-20 07:20 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-19 22:23 --------- d-----w C:\Program Files\Common Files\Logitech
2007-11-19 18:44 --------- d-----w C:\Program Files\Google
2007-11-19 18:32 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 17:42 --------- d-----w C:\Program Files\Yahoo!
2007-11-19 17:42 --------- d-----w C:\Program Files\QuickTime
2007-11-19 17:42 --------- d-----w C:\Program Files\Online Backup
2007-11-19 17:42 --------- d-----w C:\Program Files\MSN Toolbar Suite
2007-11-19 17:42 --------- d-----w C:\Program Files\MSN Messenger
2007-11-19 17:41 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-11-19 17:41 --------- d-----w C:\Program Files\Java
2007-11-19 17:41 --------- d-----w C:\Program Files\ICOO Loader
2007-11-19 17:41 --------- d-----w C:\Program Files\HPQ
2007-11-19 17:41 --------- d-----w C:\Program Files\GameSpy Arcade
2007-11-19 17:40 --------- d-----w C:\Program Files\Common Files\aolshare
2007-11-19 17:40 --------- d-----w C:\Program Files\America Online 9.0i
2007-11-17 19:13 --------- d-----w C:\Program Files\Common Files\Motive
2007-11-15 22:05 --------- d-----w C:\Program Files\Advanced System Optimizer
2007-11-15 21:55 --------- d-----w C:\Program Files\Trend Micro
2007-11-13 22:35 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-10 18:52 --------- d-----w C:\Program Files\InterActual
2007-11-08 23:16 --------- d-----w C:\Program Files\coolpro2
2007-11-04 18:29 --------- d-----w C:\Program Files\Sonic
2007-10-25 07:25 --------- d-----w C:\Program Files\MSECache
2007-10-25 07:05 --------- d-----w C:\Program Files\Download Manager
2007-10-24 06:44 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\QQ Games Plugin
2007-10-22 22:54 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-10-20 22:35 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\muvee Technologies
2007-10-20 17:52 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2007-10-20 00:11 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Nero
2007-10-20 00:03 --------- d-----w C:\Program Files\Common Files\Nero
2007-10-20 00:01 --------- dc----w C:\Documents and Settings\All Users\Application Data\Nero
2007-10-20 00:01 --------- d-----w C:\Program Files\Nero
2007-10-19 20:13 --------- d-----w C:\Program Files\AusLogics Disk Defrag
2007-10-19 19:47 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-19 17:47 --------- d-----w C:\Program Files\PConPoint
2007-10-19 17:07 --------- d-----w C:\Program Files\Easy Internet signup
2007-10-19 16:06 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-19 15:52 --------- d-----w C:\Program Files\IncrediMail
2007-10-19 15:23 --------- d-----w C:\Program Files\AOL Companion
2007-10-19 05:41 --------- d-----w C:\Program Files\Audacity
2007-10-19 05:36 --------- dc----w C:\Documents and Settings\All Users\Application Data\Intuit
2007-10-19 05:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-19 05:19 --------- d-----w C:\Program Files\BellSouth Application Management
2007-10-19 05:18 --------- d-----w C:\Program Files\AOL Computer Check-Up
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0f
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0e
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0b
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0
2007-10-19 04:49 --------- dc----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-10-19 04:40 --------- d-----w C:\Program Files\Learn2.com
2007-10-19 04:40 --------- d-----w C:\Program Files\HP
2007-10-19 04:35 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Symantec
2007-10-19 04:34 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Apple Computer
2007-10-19 04:33 1,716 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_PY208AV-ABA a1030e_YC_0Pavi_QMXG530_E53NAheBLU5_47_ISalmon_SASUSTek Computer INC._V1.04_B3.15_T051019_WXH2_L409_M896_J80_7AMD_8Sempron_91.81_#050913_N10390900_Z11C1048C_G10396330.MRK
2007-10-19 04:30 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-10-19 03:44 --------- d-----w C:\Program Files\Webshots
2007-10-19 03:27 8,413 ----a-w C:\WINDOWS\system32\drivers\mcstrm.sys
2007-10-19 02:54 --------- d-----w C:\Program Files\Rhapsody
2007-10-19 02:21 --------- d-----w C:\Program Files\Common Files\Scanner
2007-10-19 02:16 --------- dc----w C:\Documents and Settings\All Users\Application Data\Raxco
2007-10-19 02:16 --------- d-----w C:\Program Files\Raxco
2007-10-19 02:16 --------- d-----w C:\Program Files\Common Files\Authentium
2007-10-19 02:15 --------- dc----w C:\Documents and Settings\All Users\Application Data\AT&T
2007-10-19 02:15 --------- d-----w C:\Program Files\CA
2007-10-19 02:15 --------- d-----w C:\Program Files\AT&T
2007-10-19 02:13 --------- d-----w C:\Program Files\BellSouth
2007-10-19 02:10 132,675 ----a-w C:\Program Files\INSTALL.LOG
2007-10-19 02:01 --------- dc----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-19 00:17 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\BellSouth
2007-10-19 00:17 --------- dc----w C:\Documents and Settings\All Users\Application Data\BellSouth
2007-10-19 00:08 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-10-18 23:50 4 -c--a-w C:\WINDOWSRegDefrag.dat
2007-10-17 21:39 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\URSoft
2007-10-17 18:12 --------- d-----w C:\Program Files\DFX
2007-10-17 08:45 --------- dc----w C:\Documents and Settings\All Users\Application Data\Babylon
2007-10-17 08:43 --------- dc----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-17 08:42 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-10-17 08:41 --------- dc----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-10-17 08:41 --------- d-----w C:\Program Files\Multimedia Transcoding Tool
2007-10-17 08:40 --------- d-----w C:\Program Files\AOL 9.0a
2007-10-17 08:37 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\AOL
2007-10-17 04:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-12 04:03 --------- dc----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-01-10 17:15 290,817 --sh--w C:\WINDOWS\Fonts\svchost.exe
2005-11-15 21:39 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02914A9D-75B0-48FA-9FF4-6593633F86B9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14EF0ED5-350D-4D1E-BD83-912E8890233C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17ADD453-B11F-48B9-9A91-FF61E0443962}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DF88ED8-3757-4741-BD74-5380C9618EA9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{554AE99C-B34F-4708-8B30-09FFEDBBFFC4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68B23624-4DAA-4A6E-808A-AA0A766014FC}]
C:\Program Files\MSN Gaming Zone\niqy83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7527f8af-4e27-40f5-a273-903aebd7ba40}]
2007-11-29 01:13 77888 --a--c--- C:\WINDOWS\system32\haecltty.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C6D3701-B4E2-4222-BA7B-A1148A7D043D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E08ACE5-DA89-48D4-B3EE-F0D4F9564C5A}]
C:\Program Files\MSN Gaming Zone\niqy4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{984CC232-B0BD-427B-99B6-A68494725B53}]
C:\Program Files\MSN Gaming Zone\niqy83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-29 04:14 144480 --ah----- C:\WINDOWS\system32\pzvyotou.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC4E019E-26B4-45C5-ADEE-C26BD9BB2701}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0B54BEC-9209-4B5D-94E5-A8906DE18FFB}]
2007-11-14 02:21 37376 --a------ C:\WINDOWS\system32\nnnnkkk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E29E966E-BA13-4EB5-B7E4-9045E6799DF2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6763192-2D5B-4DAF-A49F-0592182BD33E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E72C75C6-DD4F-47CA-9BED-E5265D6BB412}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6711FDD-6B25-4A67-B8C3-9B1BE96BC87A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\pzvyotou.dll [2007-11-29 04:14 144480]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\pzvyotou.dll [2007-11-29 04:14 144480]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-10-09 11:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 17:11]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-10-18 22:05]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"Srro"="C:\DOCUME~1\HP_Owner\MYDOCU~1\MCROSO~1.NET\wucrtupd.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB1320"="command /c del C:\WINDOWS\system32\pzvyotou.dll_old" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="Rundll32.exe" [2004-08-03 23:00 C:\WINDOWS\system32\rundll32.exe]
"CTHelper"="CTHELPER.EXE" [2003-11-14 03:18 C:\WINDOWS\system32\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 10:00]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 12:12]
"AT&T Internet Security Suite"="C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe" [2007-06-28 15:09]
"HostManager"="C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe" [2007-04-12 16:23]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-08-30 13:04]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 18:14]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 00:34]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [2007-01-10 12:15]
"HelpCenter4.1"="C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-10-22 10:27]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-27 03:53]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-11-16 13:55]
"0c9120a5"="C:\WINDOWS\system32\vpudnsyk.dll" [2007-11-29 01:22]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-03 23:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2007-08-31 16:46]
"SpybotDeletingA5729"="command /c del C:\WINDOWS\system32\pzvyotou.dll_old" []
"SpybotDeletingC3972"="cmd /c del C:\WINDOWS\system32\pzvyotou.dll_old" []
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-03 23:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2003-06-21 04:13 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-09-15 22:44:01]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E0B54BEC-9209-4B5D-94E5-A8906DE18FFB}"= C:\WINDOWS\system32\nnnnkkk.dll [2007-11-14 02:21 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnkkk]
nnnnkkk.dll 2007-11-14 02:21 37376 C:\WINDOWS\system32\nnnnkkk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pzvyotou]
pzvyotou.dll 2007-11-29 04:14 144480 C:\WINDOWS\system32\pzvyotou.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\usysykju]
usysykju.dll
path=
backup=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0c9120a5]
rundll32.exe C:\WINDOWS\system32\gocqxgou.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2004-04-07 11:07 496752 --a------ C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
c:\progra~1\common~1\instal~1\update~1\issch.exe -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBInstall]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

R3 PAC7311;VGA USB Camera;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e29e2fbc-b976-11d9-bac2-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-11-24 04:55:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-11-29 13:57:00 C:\WINDOWS\Tasks\Find Duplicate Files.job"
- C:\PROGRA~1\ADVANC~1\finddupe.exe
"2007-11-28 22:15:06 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-05-23 02:40:25 C:\WINDOWS\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-05-28 00:35:29 C:\WINDOWS\Tasks\HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-11-29 14:28:58 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-11-29 08:00:44 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-11-29 14:42:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2007-11-29 14:28:58 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-11-27 08:01:31 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 09:28:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 9:42:26 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-29 03:22
C:\ComboFix3.txt ... 2007-11-29 02:04
.
--- E O F ---

#6 User is offline   Yourhighness 

  • The BSG Malware Fighter
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,925
  • Joined: 20-April 06
  • Gender:Male
  • Location:Hamburg

Posted 30 November 2007 - 05:02 PM

Hey rvbeaumont,

while it is noble that you are trying to help and are probably a bit frustrated by your infected pc, please only run the tools we ask you to. In this case there was only a request for a HijackThis log, not a ComboFix log!

Please note that you are infected with a trojan (horse) or a Backdoor / Backdoor Server.

Due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately:
  • Disconnect the infected computer from the internet until the computer can be cleaned.
  • From a clean computer, change your online passwords-- for email, for banks, eBay, forums etc.... (Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information).
Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall?

However, since the infection looks relatively small from first sight, I am happy to try and clean your PC (I am just providing you with the above information to underline the impact that can occur with files like these on your pc).

Should you have any questions, please feel free to ask.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Step #1
  • Open notepad and copy/paste the text in the codebox below into it:

    http://www.bleepingcomputer.com/forums/index.php?showtopic=116688&st=0&p=662850&#entry662850

File::
C:\WINDOWS\system32\pzvyotou.dllbox
C:\WINDOWS\system32\kysndupv.ini
C:\WINDOWS\system32\pzvyotou.dll
C:\WINDOWS\system32\xkiuhcwh.dll
C:\WINDOWS\system32\haecltty.dll
C:\WINDOWS\system32\ndkttktx.exe
C:\WINDOWS\system32\gebxutu.dll
C:\WINDOWS\system32\rpddfylh.ini
C:\WINDOWS\system32\astbfaoq.exe
C:\WINDOWS\system32\lekemoub.ini
C:\WINDOWS\system32\hggwfuxq.dll
C:\WINDOWS\system32\lqhqyjwt.dll
C:\WINDOWS\system32\twjyqhql.ini
C:\WINDOWS\system32\hoebwqke.exe
C:\WINDOWS\system32\ucvacjes.dll
C:\WINDOWS\system32\raopqtos.ini
C:\WINDOWS\system32\nnnkkjh.dll
C:\WINDOWS\system32\amlmghtc.exe
C:\WINDOWS\system32\lyrgompo.dll
C:\WINDOWS\system32\gocqxgou.dll
C:\WINDOWS\system32\uogxqcog.ini
C:\WINDOWS\system32\ahjllxju.exe
C:\WINDOWS\system32\tktcfhak.dll
C:\WINDOWS\system32\lqhtxddv.ini
C:\WINDOWS\system32\gnbomdsc.exe
C:\WINDOWS\system32\pnevawfw.ini
C:\WINDOWS\system32\qmckutyp.dll
C:\WINDOWS\system32\qccvxgpq.exe
C:\WINDOWS\system32\rnghanvc.dll
C:\WINDOWS\system32\mgigrpgh.dll
C:\WINDOWS\system32\hgprgigm.ini
C:\WINDOWS\system32\pkjrdxeq.exe
C:\WINDOWS\system32\ynsnofiw.dll
C:\WINDOWS\system32\hdisunts.dll
C:\WINDOWS\system32\stnusidh.ini
C:\WINDOWS\system32\gjkqifcb.exe
C:\WINDOWS\system32\okgnmwqk.dll
C:\WINDOWS\system32\dcmwijdi.ini
C:\WINDOWS\system32\jusuqald.exe
C:\WINDOWS\system32\txhsordg.dll
C:\WINDOWS\system32\gdroshxt.ini
C:\WINDOWS\system32\ddxfxlrq.dll
C:\WINDOWS\system32\hgnccvss.exe
C:\WINDOWS\system32\squneltu.dll
C:\WINDOWS\system32\myvborev.dll
C:\WINDOWS\system32\datqxpxm.exe
C:\WINDOWS\system32\pesuexct.dll
C:\WINDOWS\system32\ennqbiwg.exe
C:\WINDOWS\system32\lofpawas.dll
C:\WINDOWS\system32\gawvyhes.dll
C:\WINDOWS\system32\sehyvwag.ini
C:\WINDOWS\system32\ikersexg.exe
C:\WINDOWS\system32\jwycvwpy.dll
C:\WINDOWS\system32\xlhqqrlv.dll
C:\WINDOWS\system32\iipiulaw.exe
C:\WINDOWS\system32\rppbtokh.dll
C:\WINDOWS\system32\ofspjqii.ini
C:\WINDOWS\system32\iiqjpsfo.dll
C:\WINDOWS\system32\yskbmyoy.exe
C:\WINDOWS\system32\bivsylaf.dll
C:\WINDOWS\system32\ytxcdfwy.ini
C:\WINDOWS\system32\mcxotbcu.exe
C:\WINDOWS\system32\rssruhne.dll
C:\WINDOWS\system32\jqgrnofu.ini
C:\WINDOWS\system32\niyldnmh.exe
C:\WINDOWS\system32\jyahqbll.ini
C:\WINDOWS\system32\fhuuiwdv.dll
C:\WINDOWS\system32\ytwrvmwl.exe
C:\WINDOWS\system32\xjbmwhgg.ini
C:\WINDOWS\system32\gghwmbjx.dll
C:\WINDOWS\system32\redpfdtq.dll
C:\WINDOWS\system32\dvodghbp.dll
C:\WINDOWS\system32\nihodhut.ini
C:\WINDOWS\system32\tuhdohin.dll
C:\WINDOWS\system32\fvlxugyf.exe
C:\WINDOWS\system32\xodqlyvu.dll
C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
C:\WINDOWS\system32\prowfvt.dll
C:\WINDOWS\system32\haecltty.dll
C:\WINDOWS\system32\pzvyotou.dll
C:\WINDOWS\system32\nnnnkkk.dll
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\pzvyotou.dll
C:\WINDOWS\system32\pzvyotou.dll
C:\WINDOWS\system32\vpudnsyk.dll

Folder::
C:\WINDOWS\system32\rMa05yy

Collect::[1]
C:\svchost.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\MSN Gaming Zone\niqy83122.dll
C:\Program Files\MSN Gaming Zone\niqy4444.dll
C:\Program Files\MSN Gaming Zone\niqy83122.dll
C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Windows\rayiou.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\gocqxgou.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\prowfvt.dll
C:\WINDOWS\system32\hjjlm.ini
C:\WINDOWS\system32\daSgo18
C:\WINDOWS\system32\mm6
C:\WINDOWS\system32\hv2
C:\WINDOWS\system32\ft21
C:\WINDOWS\system32\dr1
C:\WINDOWS\system32\byxwwts.dll
C:\WINDOWS\system32\pzvyotou.dll_old
C:\WINDOWS\system32\f9t.dat
C:\WINDOWS\system32\verobvym.ini
C:\WINDOWS\system32\wbgpqwru.dll
C:\WINDOWS\system32\urwqpgbw.ini
C:\WINDOWS\system32\vlrqqhlx.ini
C:\WINDOWS\system32\uvylqdox.ini
C:\WINDOWS\system32\xtjgbnjy.dll
C:\Documents and Settings\HP_Owner\f.exe
C:\WINDOWS\system32\rqrrspq.dll
C:\Documents and Settings\HP_Owner\z.dat
C:\Documents and Settings\HP_Owner\x.dat
C:\6463.bat
C:\WINDOWS\system32\pfuofenr.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02914A9D-75B0-48FA-9FF4-6593633F86B9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14EF0ED5-350D-4D1E-BD83-912E8890233C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17ADD453-B11F-48B9-9A91-FF61E0443962}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DF88ED8-3757-4741-BD74-5380C9618EA9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{554AE99C-B34F-4708-8B30-09FFEDBBFFC4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68B23624-4DAA-4A6E-808A-AA0A766014FC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7398f3b7-2336-4a93-8f05-f9e77ef24dbc}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7527f8af-4e27-40f5-a273-903aebd7ba40}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C6D3701-B4E2-4222-BA7B-A1148A7D043D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E08ACE5-DA89-48D4-B3EE-F0D4F9564C5A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{984CC232-B0BD-427B-99B6-A68494725B53}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC4E019E-26B4-45C5-ADEE-C26BD9BB2701}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0B54BEC-9209-4B5D-94E5-A8906DE18FFB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E29E966E-BA13-4EB5-B7E4-9045E6799DF2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6763192-2D5B-4DAF-A49F-0592182BD33E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E72C75C6-DD4F-47CA-9BED-E5265D6BB412}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6711FDD-6B25-4A67-B8C3-9B1BE96BC87A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SfKg6w"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Host Process"=-
"0c9120a5"=-
"runner1"=-
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E0B54BEC-9209-4B5D-94E5-A8906DE18FFB}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnkkk]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pzvyotou]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\usysykju]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0c9120a5]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBInstall]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e29e2fbc-b976-11d9-bac2-806d6172696f}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Srro"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"combofix"=


  • Save this as CFScript.txt

    Posted Image

  • Refering to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  • Additonally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
    Please submit this file via the html page that should popup after running ComboFix.

    Please include a link to this topic in the message.
Step #2

It is vital that you uninstall ComboFix as described below and download a fresh copy, as there have been some updates to the tool!
  • Now please navigate to: Start >> Run...
  • Type: Combofix /u and hit Enter
  • This will delete ComboFix
Step #3

Please download ComboFix from here. Do not run it yet!

Step #4

Download SDFix and save it to your Desktop.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Open the extracted SDFix folder and double click RunThis.bat to start the script.

Step #5

Please follow step 9 from this guide: "Preparation Guide For Use Before Posting A Hijackthis Log."

Step #6

Please post back with the log from ComboFix, the SDFix log, and a fresh HijackThis log.
"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image

#7 User is offline   rvbeaumont 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 15-November 07
  • Location:key west

Posted 30 November 2007 - 06:07 PM

sent now on stage 2
ComboFix 07-11-19.4 - HP_Owner 2007-11-30 17:38:29.17 - NTFSx86
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
C:\WINDOWS\system32\ahjllxju.exe
C:\WINDOWS\system32\amlmghtc.exe
C:\WINDOWS\system32\astbfaoq.exe
C:\WINDOWS\system32\bivsylaf.dll
C:\WINDOWS\system32\datqxpxm.exe
C:\WINDOWS\system32\dcmwijdi.ini
C:\WINDOWS\system32\ddxfxlrq.dll
C:\WINDOWS\system32\dvodghbp.dll
C:\WINDOWS\system32\ennqbiwg.exe
C:\WINDOWS\system32\fhuuiwdv.dll
C:\WINDOWS\system32\fvlxugyf.exe
C:\WINDOWS\system32\gawvyhes.dll
C:\WINDOWS\system32\gdroshxt.ini
C:\WINDOWS\system32\gebxutu.dll
C:\WINDOWS\system32\gghwmbjx.dll
C:\WINDOWS\system32\gjkqifcb.exe
C:\WINDOWS\system32\gnbomdsc.exe
C:\WINDOWS\system32\gocqxgou.dll
C:\WINDOWS\system32\haecltty.dll
C:\WINDOWS\system32\hdisunts.dll
C:\WINDOWS\system32\hggwfuxq.dll
C:\WINDOWS\system32\hgnccvss.exe
C:\WINDOWS\system32\hgprgigm.ini
C:\WINDOWS\system32\hoebwqke.exe
C:\WINDOWS\system32\iipiulaw.exe
C:\WINDOWS\system32\iiqjpsfo.dll
C:\WINDOWS\system32\ikersexg.exe
C:\WINDOWS\system32\jqgrnofu.ini
C:\WINDOWS\system32\jusuqald.exe
C:\WINDOWS\system32\jwycvwpy.dll
C:\WINDOWS\system32\jyahqbll.ini
C:\WINDOWS\system32\kysndupv.ini
C:\WINDOWS\system32\lekemoub.ini
C:\WINDOWS\system32\lofpawas.dll
C:\WINDOWS\system32\lqhqyjwt.dll
C:\WINDOWS\system32\lqhtxddv.ini
C:\WINDOWS\system32\lyrgompo.dll
C:\WINDOWS\system32\mcxotbcu.exe
C:\WINDOWS\system32\mgigrpgh.dll
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\myvborev.dll
C:\WINDOWS\system32\ndkttktx.exe
C:\WINDOWS\system32\nihodhut.ini
C:\WINDOWS\system32\niyldnmh.exe
C:\WINDOWS\system32\nnnkkjh.dll
C:\WINDOWS\system32\nnnnkkk.dll
C:\WINDOWS\system32\ofspjqii.ini
C:\WINDOWS\system32\okgnmwqk.dll
C:\WINDOWS\system32\pesuexct.dll
C:\WINDOWS\system32\pkjrdxeq.exe
C:\WINDOWS\system32\pnevawfw.ini
C:\WINDOWS\system32\prowfvt.dll
C:\WINDOWS\system32\pzvyotou.dll
C:\WINDOWS\system32\pzvyotou.dllbox
C:\WINDOWS\system32\qccvxgpq.exe
C:\WINDOWS\system32\qmckutyp.dll
C:\WINDOWS\system32\raopqtos.ini
C:\WINDOWS\system32\redpfdtq.dll
C:\WINDOWS\system32\rnghanvc.dll
C:\WINDOWS\system32\rpddfylh.ini
C:\WINDOWS\system32\rppbtokh.dll
C:\WINDOWS\system32\rssruhne.dll
C:\WINDOWS\system32\sehyvwag.ini
C:\WINDOWS\system32\squneltu.dll
C:\WINDOWS\system32\stnusidh.ini
C:\WINDOWS\system32\tktcfhak.dll
C:\WINDOWS\system32\tuhdohin.dll
C:\WINDOWS\system32\twjyqhql.ini
C:\WINDOWS\system32\txhsordg.dll
C:\WINDOWS\system32\ucvacjes.dll
C:\WINDOWS\system32\uogxqcog.ini
C:\WINDOWS\system32\vpudnsyk.dll
C:\WINDOWS\system32\xjbmwhgg.ini
C:\WINDOWS\system32\xkiuhcwh.dll
C:\WINDOWS\system32\xlhqqrlv.dll
C:\WINDOWS\system32\xodqlyvu.dll
C:\WINDOWS\system32\ynsnofiw.dll
C:\WINDOWS\system32\yskbmyoy.exe
C:\WINDOWS\system32\ytwrvmwl.exe
C:\WINDOWS\system32\ytxcdfwy.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\6463.bat
C:\check_LSA7.txt
C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Windows\rayiou.exe
C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
C:\Documents and Settings\HP_Owner\f.exe
C:\Documents and Settings\HP_Owner\x.dat
C:\Documents and Settings\HP_Owner\z.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\bivsylaf.dll
C:\WINDOWS\system32\byxwwts.dll
C:\WINDOWS\system32\dcmwijdi.ini
C:\WINDOWS\system32\ddxfxlrq.dll
C:\WINDOWS\system32\dvodghbp.dll
C:\WINDOWS\system32\f9t.dat
C:\WINDOWS\system32\fhuuiwdv.dll
C:\WINDOWS\system32\gawvyhes.dll
C:\WINDOWS\system32\gdroshxt.ini
C:\WINDOWS\system32\gebxutu.dll
C:\WINDOWS\system32\gghwmbjx.dll
C:\WINDOWS\system32\gocqxgou.dll
C:\WINDOWS\system32\haecltty.dll
C:\WINDOWS\system32\hdisunts.dll
C:\WINDOWS\system32\hggwfuxq.dll
C:\WINDOWS\system32\hgprgigm.ini
C:\WINDOWS\system32\iiqjpsfo.dll
C:\WINDOWS\system32\jqgrnofu.ini
C:\WINDOWS\system32\jwycvwpy.dll
C:\WINDOWS\system32\jyahqbll.ini
C:\WINDOWS\system32\kysndupv.ini
C:\WINDOWS\system32\lekemoub.ini
C:\WINDOWS\system32\lofpawas.dll
C:\WINDOWS\system32\lqhqyjwt.dll
C:\WINDOWS\system32\lqhtxddv.ini
C:\WINDOWS\system32\lyrgompo.dll
C:\WINDOWS\system32\mgigrpgh.dll
C:\WINDOWS\system32\myvborev.dll
C:\WINDOWS\system32\nihodhut.ini
C:\WINDOWS\system32\nnnkkjh.dll
C:\WINDOWS\system32\nnnnkkk.dll
C:\WINDOWS\system32\ofspjqii.ini
C:\WINDOWS\system32\okgnmwqk.dll
C:\WINDOWS\system32\pesuexct.dll
C:\WINDOWS\system32\pfuofenr.dll
C:\WINDOWS\system32\pnevawfw.ini
C:\WINDOWS\system32\pqstv.bak2
C:\WINDOWS\system32\pqstv.ini
C:\WINDOWS\system32\qmckutyp.dll
C:\WINDOWS\system32\raopqtos.ini
C:\WINDOWS\system32\redpfdtq.dll
C:\WINDOWS\system32\rMa05yy
C:\WINDOWS\system32\rMa05yy\rMa05yy1080.exe
C:\WINDOWS\system32\rnghanvc.dll
C:\WINDOWS\system32\rpddfylh.ini
C:\WINDOWS\system32\rppbtokh.dll
C:\WINDOWS\system32\rqrrspq.dll
C:\WINDOWS\system32\rssruhne.dll
C:\WINDOWS\system32\sehyvwag.ini
C:\WINDOWS\system32\squneltu.dll
C:\WINDOWS\system32\stnusidh.ini
C:\WINDOWS\system32\tktcfhak.dll
C:\WINDOWS\system32\tuhdohin.dll
C:\WINDOWS\system32\twjyqhql.ini
C:\WINDOWS\system32\txhsordg.dll
C:\WINDOWS\system32\ucvacjes.dll
C:\WINDOWS\system32\uogxqcog.ini
C:\WINDOWS\system32\urwqpgbw.ini
C:\WINDOWS\system32\uvylqdox.ini
C:\WINDOWS\system32\verobvym.ini
C:\WINDOWS\system32\vlrqqhlx.ini
C:\WINDOWS\system32\vpudnsyk.dll
C:\WINDOWS\system32\vtsqp.dll
C:\WINDOWS\system32\wbgpqwru.dll
C:\WINDOWS\system32\xjbmwhgg.ini
C:\WINDOWS\system32\xkiuhcwh.dll
C:\WINDOWS\system32\xlhqqrlv.dll
C:\WINDOWS\system32\xodqlyvu.dll
C:\WINDOWS\system32\xtjgbnjy.dll
C:\WINDOWS\system32\ynsnofiw.dll
C:\WINDOWS\system32\ytxcdfwy.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-30 13:06 2,557,396 --ahs---- C:\WINDOWS\system32\bjqxhqrp.ini
2007-11-30 13:06 85,056 --a--c--- C:\WINDOWS\system32\prqhxqjb.dll
2007-11-30 13:03 78,912 --a--c--- C:\WINDOWS\system32\alwqoyxj.dll
2007-11-29 13:05 77,888 --a--c--- C:\WINDOWS\system32\wroeviwd.dll
2007-11-29 13:01 789,719 --ahs---- C:\WINDOWS\system32\lcaiwpby.ini
2007-11-29 13:01 85,056 --a--c--- C:\WINDOWS\system32\ybpwiacl.dll
2007-11-29 01:51 <DIR> d-------- C:\WINDOWS\system32\mm6
2007-11-29 01:51 <DIR> d-------- C:\WINDOWS\system32\hv2
2007-11-29 01:51 <DIR> d-------- C:\WINDOWS\system32\ft21
2007-11-29 01:51 <DIR> d-------- C:\WINDOWS\system32\dr1
2007-11-29 01:51 <DIR> d-------- C:\WINDOWS\system32\daSgo18
2007-11-29 01:51 <DIR> d-------- C:\temp\bkR11
2007-11-27 03:57 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-11-27 03:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{FAE72283-E912-4CA0-A263-E07183A4AF20}
2007-11-27 03:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}
2007-11-27 01:51 <DIR> d-------- C:\Program Files\iTunes
2007-11-23 02:50 <DIR> d-------- C:\Program Files\Microsoft Games
2007-11-21 19:41 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\iWin
2007-11-21 16:42 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\SampleView
2007-11-21 16:30 <DIR> d-------- C:\Program Files\LimeWire
2007-11-21 15:20 917,504 --a------ C:\WINDOWS\system32\FLASH.OCX
2007-11-21 12:51 <DIR> d-------- C:\temp\abW9
2007-11-19 16:44 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\ArcSoft
2007-11-19 16:42 230,432 --a--c--- C:\PA7311.DAT
2007-11-19 16:39 <DIR> d-------- C:\Program Files\VGA USB Camera
2007-11-19 16:39 6,656 --a------ C:\WINDOWS\system32\CoInst.dll
2007-11-19 16:39 518 --a------ C:\WINDOWS\system32\SP7311.INI
2007-11-19 15:40 53,248 --a------ C:\WINDOWS\system32\PAStiSvc.exe
2007-11-19 15:39 <DIR> d-------- C:\WINDOWS\PixArt
2007-11-19 15:11 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2007-11-19 15:11 <DIR> d-------- C:\Program Files\ArcSoft
2007-11-19 15:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2007-11-19 15:11 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-11-19 15:11 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2007-11-16 12:09 675,970 --ahs---- C:\WINDOWS\system32\utupynxr.ini
2007-11-16 12:09 85,056 --a--c--- C:\WINDOWS\system32\rxnyputu.dll
2007-11-15 22:35 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-15 15:32 <DIR> d-------- C:\Program Files\RegCure
2007-11-15 14:06 <DIR> d-------- C:\Program Files\XoftSpySE
2007-11-15 01:32 144,480 --a--c--- C:\WINDOWS\system32\criktbeb.dll
2007-11-14 02:37 6,058,496 --a------ C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-14 02:37 2,455,488 --a------ C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-14 02:37 991,232 --a------ C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-14 02:37 383,488 --a------ C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-14 02:37 63,488 --a------ C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-14 02:13 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-11-13 22:43 37,376 --a------ C:\WINDOWS\system32\khfcdba.dll
2007-11-13 22:07 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-13 20:24 144,480 --a--c--- C:\WINDOWS\system32\aipbnwrm.dll
2007-11-13 20:21 674,420 --ahs---- C:\WINDOWS\system32\hrnnknwb.ini
2007-11-13 20:21 85,056 --a--c--- C:\WINDOWS\system32\bwnknnrh.dll
2007-11-13 20:18 80,448 --a--c--- C:\WINDOWS\system32\jwwspdfs.dll
2007-11-13 05:01 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\Roxio
2007-11-13 02:24 <DIR> d-------- C:\Program Files\WinMX Fix v.3.0
2007-11-13 02:24 <DIR> d-------- C:\Program Files\iPod
2007-11-13 02:23 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-11-13 02:23 <DIR> d-------- C:\Program Files\InterVideo
2007-11-13 02:23 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Roxio
2007-11-13 02:22 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-13 02:22 <DIR> d-------- C:\audio
2007-11-13 02:05 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion(2)
2007-11-08 23:11 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-08 23:09 134 --a--c--- C:\n.bat
2007-11-08 23:08 35,328 --a------ C:\WINDOWS\system32\yayxutq.dll
2007-11-08 23:08 0 --a--c--- C:\z.dat
2007-11-08 23:08 0 --a--c--- C:\x.dat
2007-11-07 15:42 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2007-11-07 00:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-11-06 01:20 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-11-04 20:10 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-11-04 13:33 <DIR> d----c--- C:\c6616f9bfd906f1ad04bbed7e3dd4f
2007-11-04 13:30 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2007-11-04 13:30 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Sonic
2007-11-04 01:28 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\Sierra Entertainment
2007-11-04 01:28 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-11-03 17:00 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-30 01:47 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\Super-Cow
2007-10-29 01:58 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-10-29 01:58 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-10-29 01:57 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-10-29 01:57 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-10-29 01:57 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-10-29 01:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-10-29 01:57 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-10-29 01:56 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-10-25 02:25 <DIR> d-------- C:\Program Files\MSECache
2007-10-25 02:05 <DIR> d-------- C:\Program Files\Download Manager
2007-10-24 01:44 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\QQ Games Plugin
2007-10-23 18:22 86,082 --a------ C:\WINDOWS\system32\ftdiunin.exe
2007-10-23 18:22 77,890 --a------ C:\WINDOWS\system32\FTLang.dll
2007-10-23 18:22 60,572 --a------ C:\WINDOWS\system32\drivers\ftser2k.sys
2007-10-23 18:22 48,625 --a------ C:\WINDOWS\system32\ftserui2.dll
2007-10-23 18:22 28,449 --a------ C:\WINDOWS\system32\drivers\ftdibus.sys
2007-10-23 18:22 110 --a------ C:\WINDOWS\system32\ftdiun2k.ini
2007-10-20 12:33 85,376 --a------ C:\WINDOWS\system32\dllcache\nabtsfec.sys
2007-10-20 12:33 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-10-20 12:33 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-10-20 12:33 17,024 --a------ C:\WINDOWS\system32\dllcache\ccdecode.sys
2007-10-20 12:33 16,384 --a------ C:\WINDOWS\system32\ipsink.ax
2007-10-20 12:33 5,504 --a------ C:\WINDOWS\system32\dllcache\mstee.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-11-15 21:39 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8cefb8af-1687-4267-9e47-e5174d07b29d}]
2007-11-30 13:03 78912 --a--c--- C:\WINDOWS\system32\alwqoyxj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E08ACE5-DA89-48D4-B3EE-F0D4F9564C5A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{984CC232-B0BD-427B-99B6-A68494725B53}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC4E019E-26B4-45C5-ADEE-C26BD9BB2701}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0B54BEC-9209-4B5D-94E5-A8906DE18FFB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E29E966E-BA13-4EB5-B7E4-9045E6799DF2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6763192-2D5B-4DAF-A49F-0592182BD33E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E72C75C6-DD4F-47CA-9BED-E5265D6BB412}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EBDE85A0-FF65-4ECB-93AB-5AB026BEBB5B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6711FDD-6B25-4A67-B8C3-9B1BE96BC87A}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-10-09 11:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 17:11]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-10-18 22:05]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2003-10-02 23:06]
"MtdAcq"="C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe" [2002-10-17 03:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="Rundll32.exe" [2004-08-03 23:00 C:\WINDOWS\system32\rundll32.exe]
"CTHelper"="CTHELPER.EXE" [2003-11-14 03:18 C:\WINDOWS\system32\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 10:00]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 12:12]
"AT&T Internet Security Suite"="C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe" [2007-06-28 15:09]
"HostManager"="C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe" [2007-04-12 16:23]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-08-30 13:04]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 18:14]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 00:34]
"HelpCenter4.1"="C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-10-22 10:27]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-27 03:53]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-11-16 13:55]
"0c9120a5"="C:\WINDOWS\system32\vpudnsyk.dll" []
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-03 23:00]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2003-06-21 04:13 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-09-15 22:44:01]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnkkk]
path=
backup=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2004-04-07 11:07 496752 --a------ C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
c:\progra~1\common~1\instal~1\update~1\issch.exe -start

R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R3 PAC7311;VGA USB Camera;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS
S3 Radialpoint Security Services;AT&T Internet Security Suite;C:\WINDOWS\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874}

.
Contents of the 'Scheduled Tasks' folder
"2007-11-24 04:55:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-11-29 13:57:00 C:\WINDOWS\Tasks\Find Duplicate Files.job"
- C:\PROGRA~1\ADVANC~1\finddupe.exe
"2007-11-28 22:15:06 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-05-23 02:40:25 C:\WINDOWS\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-05-28 00:35:29 C:\WINDOWS\Tasks\HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-11-30 22:55:31 C:\WINDOWS\Tasks\RegCure Program Check.job"
"2007-11-29 08:00:44 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-11-30 23:02:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2007-11-30 22:55:28 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-11-27 08:01:31 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 17:55:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Creative Detector = C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R??o?u?r?c?e?\?D?e?t?e?c?t?o?r?\?C?T?D?e?t?e?c?t?.?e?x?e??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-30 18:02:29 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-29 09:42
C:\ComboFix3.txt ... 2007-11-29 03:22
.
--- E O F ---

#8 User is offline   Yourhighness 

  • The BSG Malware Fighter
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,925
  • Joined: 20-April 06
  • Gender:Male
  • Location:Hamburg

Posted 01 December 2007 - 01:35 AM

Hey rvbeaumont,

if you want me to assist you in cleaning this badly infected machine, you have to do what I asked you to do. I am now asking you for the third time to please read the "Preparation Guide for Use before posting a HijackThis log", underlining once again the "HijackThis" part with reference to point 9 in this guide.

We can only continue the cleaning process when all steps have been carried out as mentioned in my last post. Otherwise we might miss vital information / issues on your pc...

Please read that guide and post the missing information. Thanks.

This post has been edited by Yourhighness: 01 December 2007 - 01:36 AM

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image

#9 User is offline   rvbeaumont 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 15-November 07
  • Location:key west

Posted 01 December 2007 - 02:08 AM

SDFix: Version 1.116

Run by HP_Owner on Fri 11/30/2007 at 06:24 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\HP_Owner\Desktop\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\X.DAT - Deleted
C:\Z.DAT - Deleted
C:\Temp\abW9\tPho.log - Deleted
C:\n.bat - Deleted
C:\WINDOWS\Fonts\Crack.exe - Deleted
C:\WINDOWS\Fonts\Setup.exe - Deleted
C:\WINDOWS\Fonts\*.zip - 1 File(s) 118,336 bytes - Deleted
C:\WINDOWS\Fonts\'\*.zip - 20222 File(s) 12,900,321,570 bytes - Deleted



Folder C:\Temp\abW9 - Removed
Folder C:\WINDOWS\Fonts\' - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-01 01:48:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000023
"TracesSuccessful"=dword:00000001

scanning hidden files ...

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\rvbeaumont@msn.com\SharingMetadata\nyschwartz@msn.com\DFSR\Staging\CS{1DD43710-461C-5930-D7BC-29ACF9725A72}\01\10-{1DD43710-461C-5930-D7BC-29ACF9725A72}-v1-{CB658601-5174-45DF-81E8-54554094D33D}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\rvbeaumont@msn.com\SharingMetadata\nyschwartz@msn.com\DFSR\Staging\CS{1DD43710-461C-5930-D7BC-29ACF9725A72}\11\11-{CB658601-5174-45DF-81E8-54554094D33D}-v11-{CB658601-5174-45DF-81E8-54554094D33D}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 822 bytes hidden from API
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\rvbeaumont@msn.com\SharingMetadata\nyschwartz@msn.com\DFSR\Staging\CS{1DD43710-461C-5930-D7BC-29ACF9725A72}\11\11-{CB658601-5174-45DF-81E8-54554094D33D}-v11-{CB658601-5174-45DF-81E8-54554094D33D}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 88 bytes hidden from API
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\rvbeaumont@msn.com\SharingMetadata\nyschwartz@msn.com\DFSR\Staging\CS{1DD43710-461C-5930-D7BC-29ACF9725A72}\12\12-{CB658601-5174-45DF-81E8-54554094D33D}-v12-{CB658601-5174-45DF-81E8-54554094D33D}-v12-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 786 bytes hidden from API
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\rvbeaumont@msn.com\SharingMetadata\nyschwartz@msn.com\DFSR\Staging\CS{1DD43710-461C-5930-D7BC-29ACF9725A72}\12\12-{CB658601-5174-45DF-81E8-54554094D33D}-v12-{CB658601-5174-45DF-81E8-54554094D33D}-v12-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 88 bytes hidden from API
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\rvbeaumont@msn.com\SharingMetadata\nyschwartz@msn.com\DFSR\Staging\CS{1DD43710-461C-5930-D7BC-29ACF9725A72}\13\13-{CB658601-5174-45DF-81E8-54554094D33D}-v13-{CB658601-5174-45DF-81E8-54554094D33D}-v13-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 2622 bytes hidden from API
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\rvbeaumont@msn.com\SharingMetadata\nyschwartz@msn.com\DFSR\Staging\CS{1DD43710-461C-5930-D7BC-29ACF9725A72}\13\13-{CB658601-5174-45DF-81E8-54554094D33D}-v13-{CB658601-5174-45DF-81E8-54554094D33D}-v13-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 304 bytes hidden from API
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\rvbeaumont@msn.com\SharingMetadata\nyschwartz@msn.com\DFSR\Staging\CS{1DD43710-461C-5930-D7BC-29ACF9725A72}\17\17-{CB658601-5174-45DF-81E8-54554094D33D}-v17-{CB658601-5174-45DF-81E8-54554094D33D}-v17-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 22116 bytes hidden from API
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\rvbeaumont@msn.com\SharingMetadata\nyschwartz@msn.com\DFSR\Staging\CS{1DD43710-461C-5930-D7BC-29ACF9725A72}\17\17-{CB658601-5174-45DF-81E8-54554094D33D}-v17-{CB658601-5174-45DF-81E8-54554094D33D}-v17-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2 1632 bytes hidden from API
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\rvbeaumont@msn.com\SharingMetadata\nyschwartz@msn.com\DFSR\Staging\CS{1DD43710-461C-5930-D7BC-29ACF9725A72}\17\17-{CB658601-5174-45DF-81E8-54554094D33D}-v17-{CB658601-5174-45DF-81E8-54554094D33D}-v17-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 2456 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 10


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"="C:\\Program Files\\IncrediMail\\bin\\IMApp.exe:*:Enabled:IncrediMail"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\HP_Owner\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 18 Oct 2007 213 A.SHR --- "C:\BOOT.BAK"
Fri 19 Nov 2004 54,872 A..H. --- "C:\Program Files\America Online 9.0b\AOLphx.exe"
Fri 19 Nov 2004 31,832 A..H. --- "C:\Program Files\America Online 9.0b\rbm.exe"
Tue 24 Aug 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0c\aoltray.exe"
Mon 30 Aug 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0i\aolphx.exe"
Mon 30 Aug 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0i\aoltray.exe"
Mon 30 Aug 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0i\RBM.exe"
Tue 24 Aug 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Tue 24 Aug 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Tue 24 Aug 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Tue 3 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Tue 15 Nov 2005 22 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Sun 21 Oct 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 26 May 2007 170,299 A.SH. --- "C:\Program Files\Common Files\Motive\MCCDNSHLP_1-0-0_DSR.dll"
Fri 19 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 18 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f686eb18ed8be61735e890e67439840\BIT3F.tmp"
Fri 19 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT45.tmp"
Wed 21 Nov 2007 8,332 ...HR --- "C:\Documents and Settings\HP_Owner\Application Data\SecuROM\UserData\securom_v7_01.bak"
Fri 28 Sep 2007 85,309 A..H. --- "C:\Program Files\Common Files\AOL\TopSpeed\3.0\WBUnins.exe"

Finished!

Hijack is coming next

This post has been edited by rvbeaumont: 01 December 2007 - 02:16 AM

#10 User is offline   rvbeaumont 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 15-November 07
  • Location:key west

Posted 01 December 2007 - 02:17 AM

doing cleaning now, and will send hijack

#11 User is offline   Yourhighness 

  • The BSG Malware Fighter
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,925
  • Joined: 20-April 06
  • Gender:Male
  • Location:Hamburg

Posted 01 December 2007 - 12:40 PM

Hi rvbeaumont,

how is the HijackThis log looking? Its been 10 hours and I am still waiting for it :thumbsup:. Report back with that log and we shall go from there then.
"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image

#12 User is offline   rvbeaumont 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 15-November 07
  • Location:key west

Posted 01 December 2007 - 04:08 PM

sorry thought it sent it

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:25 PM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe
C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\AT&T\Internet Security Wizard\ISWComHandler.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\America Online 9.0i\waol.exe
C:\Program Files\America Online 9.0i\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.manhunt.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.manhunt.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\AT&T\AT&T Internet Security Suite\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {d92b70d4-715e-74e9-7624-7861fa8bfec8} - {8cefb8af-1687-4267-9e47-e5174d07b29d} - C:\WINDOWS\system32\alwqoyxj.dll
O2 - BHO: (no name) - {8E08ACE5-DA89-48D4-B3EE-F0D4F9564C5A} - (no file)
O2 - BHO: (no name) - {984CC232-B0BD-427B-99B6-A68494725B53} - (no file)
O2 - BHO: (no name) - {BC4E019E-26B4-45C5-ADEE-C26BD9BB2701} - (no file)
O2 - BHO: (no name) - {E0B54BEC-9209-4B5D-94E5-A8906DE18FFB} - (no file)
O2 - BHO: (no name) - {E29E966E-BA13-4EB5-B7E4-9045E6799DF2} - (no file)
O2 - BHO: (no name) - {E6763192-2D5B-4DAF-A49F-0592182BD33E} - (no file)
O2 - BHO: (no name) - {E72C75C6-DD4F-47CA-9BED-E5265D6BB412} - (no file)
O2 - BHO: (no name) - {EBDE85A0-FF65-4ECB-93AB-5AB026BEBB5B} - (no file)
O2 - BHO: (no name) - {F6711FDD-6B25-4A67-B8C3-9B1BE96BC87A} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [AT&T Internet Security Suite] "C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [0c9120a5] rundll32.exe "C:\WINDOWS\system32\vpudnsyk.dll",b
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.dotphoto.com/ImageUploader4.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/Standar...aller_4-2-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC0EBA04-3B3A-48DD-B382-C96E75AB5632}: NameServer = 205.188.146.145
O20 - Winlogon Notify: nnnnkkk - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: AT&T Internet Security Suite Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
O23 - Service: AT&T Internet Security Suite AT&T Firewall (RP_FWS) - AT&T - C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

--
End of file - 13483 bytes

#13 User is offline   Yourhighness 

  • The BSG Malware Fighter
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,925
  • Joined: 20-April 06
  • Gender:Male
  • Location:Hamburg

Posted 02 December 2007 - 10:19 AM

Hey Rvbeaumont,

thanks for posting back with the results. We really do need a HijackThis log to work with, but since you are severly infected we will do some further cleaning until you finally post that HijackThis log asap.

Step #1

The most current version of Limewire is reported to include spyware. LimeWire 4.9.28 is clean (Older and newer version may not be). Chances are junk was bundled with this product even if you paid for it. If you are going to use p2p file sharing, I suggest you choose a safe program from here: http://p2p.malwareremoval.com/.

If you use P2P software, make sure you are careful about what you open and what P2P program you install. Malware is all over the P2P networks and the programs often come bundled with Adware and Spyware.

Further readings of interest in regards to the p2p "issue" are: http://pcpitstop.com/spycheck/p2p.asp and this: http://pcpitstop.com/spycheck/badtorrent.asp

Step #2

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)
    Double-click ATF-Cleaner.exe to run the program.
    Under Main "Select Files to Delete" choose: Select All.
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step #3

You have the program Spybot S&D (Teatimer option) running on your machine and that is good. But prior to doing the fix below with HiJackThis and/or other tools required it needs to be turned off. Please do the following:
  • Right click the running icon of Spybot's Teatimer, and choose Exit.
Step #4
  • Open notepad and copy/paste the text in the codebox below into it:

    http://www.bleepingcomputer.com/forums/index.php?showtopic=116688&view=findpost&p=674931

File::
C:\WINDOWS\system32\bjqxhqrp.ini
C:\WINDOWS\system32\prqhxqjb.dll
C:\WINDOWS\system32\alwqoyxj.dll
C:\WINDOWS\system32\wroeviwd.dll
C:\WINDOWS\system32\lcaiwpby.ini
C:\WINDOWS\system32\ybpwiacl.dll
C:\WINDOWS\system32\utupynxr.ini
C:\WINDOWS\system32\rxnyputu.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\criktbeb.dll
C:\WINDOWS\system32\khfcdba.dll
C:\WINDOWS\system32\aipbnwrm.dll
C:\WINDOWS\system32\hrnnknwb.ini
C:\WINDOWS\system32\bwnknnrh.dll
C:\WINDOWS\system32\jwwspdfs.dll
C:\WINDOWS\system32\yayxutq.dll
C:\WINDOWS\system32\vpudnsyk.dll

Suspect::[1]
C:\WINDOWS\system32\cmd.exe

Folder::
C:\WINDOWS\system32\mm6
C:\WINDOWS\system32\hv2
C:\WINDOWS\system32\ft21
C:\WINDOWS\system32\dr1
C:\WINDOWS\system32\daSgo18

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8cefb8af-1687-4267-9e47-e5174d07b29d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E08ACE5-DA89-48D4-B3EE-F0D4F9564C5A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{984CC232-B0BD-427B-99B6-A68494725B53}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC4E019E-26B4-45C5-ADEE-C26BD9BB2701}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0B54BEC-9209-4B5D-94E5-A8906DE18FFB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E29E966E-BA13-4EB5-B7E4-9045E6799DF2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6763192-2D5B-4DAF-A49F-0592182BD33E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E72C75C6-DD4F-47CA-9BED-E5265D6BB412}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EBDE85A0-FF65-4ECB-93AB-5AB026BEBB5B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6711FDD-6B25-4A67-B8C3-9B1BE96BC87A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"0c9120a5"=-
"combofix"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnkkk]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Local Page" =-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d92b70d4-715e-74e9-7624-7861fa8bfec8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d92b70d4-715e-74e9-7624-7861fa8bfec8}]


  • Save this as CFScript.txt

    Posted Image

  • Refering to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  • Additonally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
    Please submit this file via the html page that should popup after running ComboFix.

    Please include a link to this topic in the message.
Step #5

Please download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close ALL applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.
The logs can be quite lengthy..use two post if you need to get them all in.

Step #6

Please post back with a fresh ComboFix log and the main.txt and the extra.txt from the DSS log.
"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image

#14 User is offline   rvbeaumont 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 15-November 07
  • Location:key west

Posted 02 December 2007 - 08:49 PM

ignore this one and got to next




have submitted the combofix, and shall add it here too. going to work, will work on the rest around 1:30 easten time
ComboFix 07-11-19.4C - HP_Owner 2007-12-02 20:33:50.18 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.504 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\aipbnwrm.dll
C:\WINDOWS\system32\alwqoyxj.dll
C:\WINDOWS\system32\bjqxhqrp.ini
C:\WINDOWS\system32\bwnknnrh.dll
C:\WINDOWS\system32\criktbeb.dll
C:\WINDOWS\system32\hrnnknwb.ini
C:\WINDOWS\system32\jwwspdfs.dll
C:\WINDOWS\system32\khfcdba.dll
C:\WINDOWS\system32\lcaiwpby.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\prqhxqjb.dll
C:\WINDOWS\system32\rxnyputu.dll
C:\WINDOWS\system32\utupynxr.ini
C:\WINDOWS\system32\vpudnsyk.dll
C:\WINDOWS\system32\wroeviwd.dll
C:\WINDOWS\system32\yayxutq.dll
C:\WINDOWS\system32\ybpwiacl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\aipbnwrm.dll
C:\WINDOWS\system32\alwqoyxj.dll
C:\WINDOWS\system32\bjqxhqrp.ini
C:\WINDOWS\system32\bwnknnrh.dll
C:\WINDOWS\system32\criktbeb.dll
C:\WINDOWS\system32\daSgo18
C:\WINDOWS\system32\daSgo18\daSgo182328.exe
C:\WINDOWS\system32\dr1
C:\WINDOWS\system32\ft21
C:\WINDOWS\system32\hrnnknwb.ini
C:\WINDOWS\system32\hv2
C:\WINDOWS\system32\jwwspdfs.dll
C:\WINDOWS\system32\lcaiwpby.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mm6
C:\WINDOWS\system32\mm6\ncstdb33.exe
C:\WINDOWS\system32\prqhxqjb.dll
C:\WINDOWS\system32\rxnyputu.dll
C:\WINDOWS\system32\utupynxr.ini
C:\WINDOWS\system32\wroeviwd.dll
C:\WINDOWS\system32\ybpwiacl.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-03 to 2007-12-03 )))))))))))))))))))))))))))))))
.

2007-12-01 16:44 468 --a--c--- C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-12-01 02:12 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-01 02:12 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-30 18:19 <DIR> d-------- C:\WINDOWS\SDFIX
2007-11-29 01:51 <DIR> d-------- C:\temp\bkR11
2007-11-27 03:57 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-11-27 03:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{FAE72283-E912-4CA0-A263-E07183A4AF20}
2007-11-27 03:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}
2007-11-27 01:51 <DIR> d-------- C:\Program Files\iTunes
2007-11-23 02:50 <DIR> d-------- C:\Program Files\Microsoft Games
2007-11-21 19:41 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\iWin
2007-11-21 16:42 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\SampleView
2007-11-21 16:30 <DIR> d-------- C:\Program Files\LimeWire
2007-11-19 16:44 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\ArcSoft
2007-11-19 16:42 230,432 --a--c--- C:\PA7311.DAT
2007-11-19 16:39 <DIR> d-------- C:\Program Files\VGA USB Camera
2007-11-19 15:39 <DIR> d-------- C:\WINDOWS\PixArt
2007-11-19 15:11 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2007-11-19 15:11 <DIR> d-------- C:\Program Files\ArcSoft
2007-11-19 15:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2007-11-19 15:11 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-11-19 15:11 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2007-11-15 15:32 <DIR> d-------- C:\Program Files\RegCure
2007-11-15 14:06 <DIR> d-------- C:\Program Files\XoftSpySE
2007-11-14 02:37 6,058,496 --a------ C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-14 02:37 2,455,488 --a------ C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-14 02:37 991,232 --a------ C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-14 02:37 459,264 --a------ C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-14 02:37 383,488 --a------ C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-14 02:37 267,776 --a------ C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-14 02:37 63,488 --a------ C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-14 02:37 52,224 --a------ C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-14 02:37 13,824 --a------ C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-14 02:13 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-11-13 05:01 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\Roxio
2007-11-13 02:24 <DIR> d-------- C:\Program Files\WinMX Fix v.3.0
2007-11-13 02:24 <DIR> d-------- C:\Program Files\iPod
2007-11-13 02:23 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-11-13 02:23 <DIR> d-------- C:\Program Files\InterVideo
2007-11-13 02:23 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Roxio
2007-11-13 02:22 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-13 02:22 <DIR> d-------- C:\audio
2007-11-13 02:05 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion(2)
2007-11-08 23:11 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-07 15:42 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2007-11-07 00:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-11-06 01:20 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-11-04 20:10 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-11-04 13:33 <DIR> d----c--- C:\c6616f9bfd906f1ad04bbed7e3dd4f
2007-11-04 13:30 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2007-11-04 13:30 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Sonic
2007-11-04 01:28 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\Sierra Entertainment
2007-11-04 01:28 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-11-03 17:00 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 07:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-30 00:40 --------- d-----w C:\Program Files\Real
2007-11-29 07:11 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-27 08:56 --------- d-----w C:\Program Files\Common Files\Real
2007-11-27 08:03 --------- d-----w C:\Program Files\Stamps.com Internet Postage
2007-11-27 07:51 --------- dc----w C:\Documents and Settings\All Users\Application Data\{75EE35BC-E993-41FD-9DBA-9AD37F50E521}
2007-11-26 08:14 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\IGN_DLM
2007-11-23 05:51 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-21 17:49 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\AT&T
2007-11-21 08:40 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\My Battle for Middle-earth Files
2007-11-21 08:40 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-11-21 08:40 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Audacity
2007-11-21 08:40 --------- d--h--r C:\Documents and Settings\HP_Owner\Application Data\yahoo!
2007-11-21 08:40 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Viewpoint
2007-11-21 06:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 07:21 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-20 07:20 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-19 22:23 --------- d-----w C:\Program Files\Common Files\Logitech
2007-11-19 18:44 --------- d-----w C:\Program Files\Google
2007-11-19 17:42 --------- d-----w C:\Program Files\Yahoo!
2007-11-19 17:42 --------- d-----w C:\Program Files\QuickTime
2007-11-19 17:42 --------- d-----w C:\Program Files\Online Backup
2007-11-19 17:42 --------- d-----w C:\Program Files\MSN Toolbar Suite
2007-11-19 17:42 --------- d-----w C:\Program Files\MSN Messenger
2007-11-19 17:41 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-11-19 17:41 --------- d-----w C:\Program Files\Java
2007-11-19 17:41 --------- d-----w C:\Program Files\ICOO Loader
2007-11-19 17:41 --------- d-----w C:\Program Files\HPQ
2007-11-19 17:41 --------- d-----w C:\Program Files\GameSpy Arcade
2007-11-19 17:40 --------- d-----w C:\Program Files\Common Files\aolshare
2007-11-19 17:40 --------- d-----w C:\Program Files\America Online 9.0i
2007-11-17 19:13 --------- d-----w C:\Program Files\Common Files\Motive
2007-11-15 22:05 --------- d-----w C:\Program Files\Advanced System Optimizer
2007-11-15 21:55 --------- d-----w C:\Program Files\Trend Micro
2007-11-13 22:35 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-10 18:52 --------- d-----w C:\Program Files\InterActual
2007-11-08 23:16 --------- d-----w C:\Program Files\coolpro2
2007-11-04 18:29 --------- d-----w C:\Program Files\Sonic
2007-10-30 06:53 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Super-Cow
2007-10-25 07:25 --------- d-----w C:\Program Files\MSECache
2007-10-25 07:05 --------- d-----w C:\Program Files\Download Manager
2007-10-24 06:44 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\QQ Games Plugin
2007-10-22 22:54 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-10-20 22:35 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\muvee Technologies
2007-10-20 17:52 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2007-10-20 00:11 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Nero
2007-10-20 00:03 --------- d-----w C:\Program Files\Common Files\Nero
2007-10-20 00:01 --------- dc----w C:\Documents and Settings\All Users\Application Data\Nero
2007-10-20 00:01 --------- d-----w C:\Program Files\Nero
2007-10-19 20:13 --------- d-----w C:\Program Files\AusLogics Disk Defrag
2007-10-19 19:47 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-19 17:47 --------- d-----w C:\Program Files\PConPoint
2007-10-19 17:07 --------- d-----w C:\Program Files\Easy Internet signup
2007-10-19 16:06 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-19 15:52 --------- d-----w C:\Program Files\IncrediMail
2007-10-19 15:23 --------- d-----w C:\Program Files\AOL Companion
2007-10-19 05:41 --------- d-----w C:\Program Files\Audacity
2007-10-19 05:36 --------- dc----w C:\Documents and Settings\All Users\Application Data\Intuit
2007-10-19 05:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-19 05:19 --------- d-----w C:\Program Files\BellSouth Application Management
2007-10-19 05:18 --------- d-----w C:\Program Files\AOL Computer Check-Up
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0f
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0e
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0b
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0
2007-10-19 04:49 --------- dc----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-10-19 04:40 --------- d-----w C:\Program Files\Learn2.com
2007-10-19 04:40 --------- d-----w C:\Program Files\HP
2007-10-19 04:35 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Symantec
2007-10-19 04:34 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Apple Computer
2007-10-19 04:33 1,716 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_PY208AV-ABA a1030e_YC_0Pavi_QMXG530_E53NAheBLU5_47_ISalmon_SASUSTek Computer INC._V1.04_B3.15_T051019_WXH2_L409_M896_J80_7AMD_8Sempron_91.81_#050913_N10390900_Z11C1048C_G10396330.MRK
2007-10-19 04:30 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-10-19 03:44 --------- d-----w C:\Program Files\Webshots
2007-10-19 03:27 8,413 ----a-w C:\WINDOWS\system32\drivers\mcstrm.sys
2007-10-19 02:54 --------- d-----w C:\Program Files\Rhapsody
2007-10-19 02:21 --------- d-----w C:\Program Files\Common Files\Scanner
2007-10-19 02:16 --------- dc----w C:\Documents and Settings\All Users\Application Data\Raxco
2007-10-19 02:16 --------- d-----w C:\Program Files\Raxco
2007-10-19 02:16 --------- d-----w C:\Program Files\Common Files\Authentium
2007-10-19 02:15 --------- dc----w C:\Documents and Settings\All Users\Application Data\AT&T
2007-10-19 02:15 --------- d-----w C:\Program Files\CA
2007-10-19 02:15 --------- d-----w C:\Program Files\AT&T
2007-10-19 02:13 --------- d-----w C:\Program Files\BellSouth
2007-10-19 02:10 132,675 ----a-w C:\Program Files\INSTALL.LOG
2007-10-19 02:01 --------- dc----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-19 00:17 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\BellSouth
2007-10-19 00:17 --------- dc----w C:\Documents and Settings\All Users\Application Data\BellSouth
2007-10-19 00:08 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-10-18 23:50 4 -c--a-w C:\WINDOWSRegDefrag.dat
2007-10-17 21:39 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\URSoft
2007-10-17 18:12 --------- d-----w C:\Program Files\DFX
2007-10-17 08:45 --------- dc----w C:\Documents and Settings\All Users\Application Data\Babylon
2007-10-17 08:43 --------- dc----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-17 08:42 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-10-17 08:41 --------- dc----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-10-17 08:41 --------- d-----w C:\Program Files\Multimedia Transcoding Tool
2007-10-17 08:40 --------- d-----w C:\Program Files\AOL 9.0a
2007-10-17 08:37 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\AOL
2007-10-17 04:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-12 04:03 --------- dc----w C:\Documents and Settings\All Users\Application Data\HipSoft
2005-11-15 21:39 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-10-09 11:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 17:11]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-10-18 22:05]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2003-10-02 23:06]
"MtdAcq"="C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe" [2002-10-17 03:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="Rundll32.exe" [2004-08-03 23:00 C:\WINDOWS\system32\rundll32.exe]
"CTHelper"="CTHELPER.EXE" [2003-11-14 03:18 C:\WINDOWS\system32\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 10:00]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 12:12]
"AT&T Internet Security Suite"="C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe" [2007-06-28 15:09]
"HostManager"="C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe" [2007-04-12 16:23]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-08-30 13:04]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 18:14]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 00:34]
"HelpCenter4.1"="C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-10-22 10:27]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-27 03:53]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-11-16 13:55]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2003-06-21 04:13 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-09-15 22:44:01]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnkkk]
path=
backup=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2004-04-07 11:07 496752 --a------ C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
c:\progra~1\common~1\instal~1\update~1\issch.exe -start

R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
S3 PAC7311;VGA USB Camera;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS
S3 Radialpoint Security Services;AT&T Internet Security Suite;C:\WINDOWS\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874}

.
Contents of the 'Scheduled Tasks' folder
"2007-11-24 04:55:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-11-29 13:57:00 C:\WINDOWS\Tasks\Find Duplicate Files.job"
- C:\PROGRA~1\ADVANC~1\finddupe.exe
"2007-11-28 22:15:06 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-05-23 02:40:25 C:\WINDOWS\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-05-28 00:35:29 C:\WINDOWS\Tasks\HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-12-03 01:42:03 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-11-29 08:00:44 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-12-03 01:42:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2007-12-03 01:42:03 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-12-01 08:01:15 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 20:42:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-02 20:46:37 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-30 18:02
C:\ComboFix3.txt ... 2007-11-29 09:42
.
--- E O F ---

This post has been edited by rvbeaumont: 03 December 2007 - 01:33 AM

#15 User is offline   rvbeaumont 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 41
  • Joined: 15-November 07
  • Location:key west

Posted 03 December 2007 - 01:34 AM

ok this one was without s&d on

ComboFix 07-11-19.4C - HP_Owner 2007-12-03 1:22:51.19 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.512 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\aipbnwrm.dll
C:\WINDOWS\system32\alwqoyxj.dll
C:\WINDOWS\system32\bjqxhqrp.ini
C:\WINDOWS\system32\bwnknnrh.dll
C:\WINDOWS\system32\criktbeb.dll
C:\WINDOWS\system32\hrnnknwb.ini
C:\WINDOWS\system32\jwwspdfs.dll
C:\WINDOWS\system32\khfcdba.dll
C:\WINDOWS\system32\lcaiwpby.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\prqhxqjb.dll
C:\WINDOWS\system32\rxnyputu.dll
C:\WINDOWS\system32\utupynxr.ini
C:\WINDOWS\system32\vpudnsyk.dll
C:\WINDOWS\system32\wroeviwd.dll
C:\WINDOWS\system32\yayxutq.dll
C:\WINDOWS\system32\ybpwiacl.dll
.

((((((((((((((((((((((((( Files Created from 2007-11-03 to 2007-12-03 )))))))))))))))))))))))))))))))
.

2007-12-01 16:44 468 --a--c--- C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-12-01 02:12 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-01 02:12 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-30 18:19 <DIR> d-------- C:\WINDOWS\SDFIX
2007-11-29 01:51 <DIR> d-------- C:\temp\bkR11
2007-11-27 03:57 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-11-27 03:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{FAE72283-E912-4CA0-A263-E07183A4AF20}
2007-11-27 03:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\{EF257B1A-26EA-4A90-9BCC-54CA818488E8}
2007-11-27 01:51 <DIR> d-------- C:\Program Files\iTunes
2007-11-23 02:50 <DIR> d-------- C:\Program Files\Microsoft Games
2007-11-21 19:41 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\iWin
2007-11-21 16:42 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\SampleView
2007-11-21 16:30 <DIR> d-------- C:\Program Files\LimeWire
2007-11-19 16:44 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\ArcSoft
2007-11-19 16:42 230,432 --a--c--- C:\PA7311.DAT
2007-11-19 16:39 <DIR> d-------- C:\Program Files\VGA USB Camera
2007-11-19 15:39 <DIR> d-------- C:\WINDOWS\PixArt
2007-11-19 15:11 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2007-11-19 15:11 <DIR> d-------- C:\Program Files\ArcSoft
2007-11-19 15:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2007-11-19 15:11 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-11-19 15:11 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2007-11-15 15:32 <DIR> d-------- C:\Program Files\RegCure
2007-11-15 14:06 <DIR> d-------- C:\Program Files\XoftSpySE
2007-11-14 02:37 6,058,496 --a------ C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-14 02:37 2,455,488 --a------ C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-14 02:37 991,232 --a------ C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-14 02:37 459,264 --a------ C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-14 02:37 383,488 --a------ C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-14 02:37 267,776 --a------ C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-14 02:37 63,488 --a------ C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-14 02:37 52,224 --a------ C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-14 02:37 13,824 --a------ C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-14 02:13 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-11-13 05:01 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\Roxio
2007-11-13 02:24 <DIR> d-------- C:\Program Files\WinMX Fix v.3.0
2007-11-13 02:24 <DIR> d-------- C:\Program Files\iPod
2007-11-13 02:23 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-11-13 02:23 <DIR> d-------- C:\Program Files\InterVideo
2007-11-13 02:23 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Roxio
2007-11-13 02:22 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-13 02:22 <DIR> d-------- C:\audio
2007-11-13 02:05 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion(2)
2007-11-08 23:11 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-07 15:42 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2007-11-07 00:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-11-06 01:20 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-11-04 20:10 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-11-04 13:33 <DIR> d----c--- C:\c6616f9bfd906f1ad04bbed7e3dd4f
2007-11-04 13:30 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2007-11-04 13:30 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Sonic
2007-11-04 01:28 <DIR> d----c--- C:\Documents and Settings\HP_Owner\Application Data\Sierra Entertainment
2007-11-04 01:28 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-11-03 17:00 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 07:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-30 00:40 --------- d-----w C:\Program Files\Real
2007-11-29 07:11 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-27 08:56 --------- d-----w C:\Program Files\Common Files\Real
2007-11-27 08:03 --------- d-----w C:\Program Files\Stamps.com Internet Postage
2007-11-27 07:51 --------- dc----w C:\Documents and Settings\All Users\Application Data\{75EE35BC-E993-41FD-9DBA-9AD37F50E521}
2007-11-26 08:14 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\IGN_DLM
2007-11-23 05:51 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-21 17:49 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\AT&T
2007-11-21 08:40 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\My Battle for Middle-earth Files
2007-11-21 08:40 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Move Networks
2007-11-21 08:40 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Audacity
2007-11-21 08:40 --------- d--h--r C:\Documents and Settings\HP_Owner\Application Data\yahoo!
2007-11-21 08:40 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Viewpoint
2007-11-21 06:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 07:21 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-20 07:20 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-11-19 22:23 --------- d-----w C:\Program Files\Common Files\Logitech
2007-11-19 18:44 --------- d-----w C:\Program Files\Google
2007-11-19 17:42 --------- d-----w C:\Program Files\Yahoo!
2007-11-19 17:42 --------- d-----w C:\Program Files\QuickTime
2007-11-19 17:42 --------- d-----w C:\Program Files\Online Backup
2007-11-19 17:42 --------- d-----w C:\Program Files\MSN Toolbar Suite
2007-11-19 17:42 --------- d-----w C:\Program Files\MSN Messenger
2007-11-19 17:41 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-11-19 17:41 --------- d-----w C:\Program Files\Java
2007-11-19 17:41 --------- d-----w C:\Program Files\ICOO Loader
2007-11-19 17:41 --------- d-----w C:\Program Files\HPQ
2007-11-19 17:41 --------- d-----w C:\Program Files\GameSpy Arcade
2007-11-19 17:40 --------- d-----w C:\Program Files\Common Files\aolshare
2007-11-19 17:40 --------- d-----w C:\Program Files\America Online 9.0i
2007-11-17 19:13 --------- d-----w C:\Program Files\Common Files\Motive
2007-11-15 22:05 --------- d-----w C:\Program Files\Advanced System Optimizer
2007-11-15 21:55 --------- d-----w C:\Program Files\Trend Micro
2007-11-13 22:35 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-10 18:52 --------- d-----w C:\Program Files\InterActual
2007-11-08 23:16 --------- d-----w C:\Program Files\coolpro2
2007-11-04 18:29 --------- d-----w C:\Program Files\Sonic
2007-10-30 06:53 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Super-Cow
2007-10-26 03:36 8,454,656 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 07:25 --------- d-----w C:\Program Files\MSECache
2007-10-25 07:05 --------- d-----w C:\Program Files\Download Manager
2007-10-24 06:44 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\QQ Games Plugin
2007-10-22 22:54 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-10-22 07:39 267,272 ----a-w C:\WINDOWS\system32\xactengine2_10.dll
2007-10-22 07:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-20 22:35 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\muvee Technologies
2007-10-20 17:52 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2007-10-20 00:11 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Nero
2007-10-20 00:03 --------- d-----w C:\Program Files\Common Files\Nero
2007-10-20 00:01 --------- dc----w C:\Documents and Settings\All Users\Application Data\Nero
2007-10-20 00:01 --------- d-----w C:\Program Files\Nero
2007-10-19 20:13 --------- d-----w C:\Program Files\AusLogics Disk Defrag
2007-10-19 19:47 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-19 17:47 --------- d-----w C:\Program Files\PConPoint
2007-10-19 17:07 --------- d-----w C:\Program Files\Easy Internet signup
2007-10-19 16:06 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-19 15:52 --------- d-----w C:\Program Files\IncrediMail
2007-10-19 15:23 --------- d-----w C:\Program Files\AOL Companion
2007-10-19 05:41 --------- d-----w C:\Program Files\Audacity
2007-10-19 05:36 --------- dc----w C:\Documents and Settings\All Users\Application Data\Intuit
2007-10-19 05:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-19 05:19 --------- d-----w C:\Program Files\BellSouth Application Management
2007-10-19 05:18 --------- d-----w C:\Program Files\AOL Computer Check-Up
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0f
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0e
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0b
2007-10-19 05:18 --------- d-----w C:\Program Files\America Online 9.0
2007-10-19 04:49 --------- dc----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-10-19 04:40 --------- d-----w C:\Program Files\Learn2.com
2007-10-19 04:40 --------- d-----w C:\Program Files\HP
2007-10-19 04:35 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Symantec
2007-10-19 04:34 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\Apple Computer
2007-10-19 04:33 1,716 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_PY208AV-ABA a1030e_YC_0Pavi_QMXG530_E53NAheBLU5_47_ISalmon_SASUSTek Computer INC._V1.04_B3.15_T051019_WXH2_L409_M896_J80_7AMD_8Sempron_91.81_#050913_N10390900_Z11C1048C_G10396330.MRK
2007-10-19 04:30 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-10-19 03:44 --------- d-----w C:\Program Files\Webshots
2007-10-19 03:27 8,413 ----a-w C:\WINDOWS\system32\drivers\mcstrm.sys
2007-10-19 02:54 --------- d-----w C:\Program Files\Rhapsody
2007-10-19 02:21 --------- d-----w C:\Program Files\Common Files\Scanner
2007-10-19 02:16 --------- dc----w C:\Documents and Settings\All Users\Application Data\Raxco
2007-10-19 02:16 --------- d-----w C:\Program Files\Raxco
2007-10-19 02:16 --------- d-----w C:\Program Files\Common Files\Authentium
2007-10-19 02:15 --------- dc----w C:\Documents and Settings\All Users\Application Data\AT&T
2007-10-19 02:15 --------- d-----w C:\Program Files\CA
2007-10-19 02:15 --------- d-----w C:\Program Files\AT&T
2007-10-19 02:13 --------- d-----w C:\Program Files\BellSouth
2007-10-19 02:10 132,675 ----a-w C:\Program Files\INSTALL.LOG
2007-10-19 02:01 --------- dc----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-19 00:17 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\BellSouth
2007-10-19 00:17 --------- dc----w C:\Documents and Settings\All Users\Application Data\BellSouth
2007-10-19 00:08 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-10-18 23:50 4 -c--a-w C:\WINDOWSRegDefrag.dat
2007-10-17 21:39 --------- dc----w C:\Documents and Settings\HP_Owner\Application Data\URSoft
2007-10-17 18:12 --------- d-----w C:\Program Files\DFX
2007-10-17 08:45 --------- dc----w C:\Documents and Settings\All Users\Application Data\Babylon
2007-10-17 08:43 --------- dc----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-17 08:42 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-10-17 08:41 --------- dc----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-10-17 08:41 --------- d-----w C:\Program Files\Multimedia Transcoding Tool
2007-10-17 08:40 --------- d-----w C:\Program Files\AOL 9.0a
2005-11-15 21:39 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-10-09 11:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 17:11]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-10-18 22:05]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2003-10-02 23:06]
"MtdAcq"="C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe" [2002-10-17 03:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="Rundll32.exe" [2004-08-03 23:00 C:\WINDOWS\system32\rundll32.exe]
"CTHelper"="CTHELPER.EXE" [2003-11-14 03:18 C:\WINDOWS\system32\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 10:00]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 12:12]
"AT&T Internet Security Suite"="C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe" [2007-06-28 15:09]
"HostManager"="C:\Program Files\Common Files\AOL\1192809728\ee\AOLSoftware.exe" [2007-04-12 16:23]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-08-30 13:04]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 18:14]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 00:34]
"HelpCenter4.1"="C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-10-22 10:27]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-27 03:53]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-11-16 13:55]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2003-06-21 04:13 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-09-15 22:44:01]
path=
backup=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2004-04-07 11:07 496752 --a------ C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
c:\progra~1\common~1\instal~1\update~1\issch.exe -start

R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
S3 PAC7311;VGA USB Camera;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS
S3 Radialpoint Security Services;AT&T Internet Security Suite;C:\WINDOWS\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874}

.
Contents of the 'Scheduled Tasks' folder
"2007-11-24 04:55:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-11-29 13:57:00 C:\WINDOWS\Tasks\Find Duplicate Files.job"
- C:\PROGRA~1\ADVANC~1\finddupe.exe
"2007-11-28 22:15:06 C:\WINDOWS\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-05-23 02:40:25 C:\WINDOWS\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-05-28 00:35:29 C:\WINDOWS\Tasks\HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job"
- c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe;Sched HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0
"2007-12-03 06:15:58 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-11-29 08:00:44 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-12-03 06:27:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
"2007-12-03 06:15:58 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2007-12-01 08:01:15 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 01:29:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-03 1:30:16
C:\ComboFix2.txt ... 2007-12-02 20:46
C:\ComboFix3.txt ... 2007-11-30 18:02
.
--- E O F ---


now will get the rest for you

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users