Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Getting Popups, Can't Get Rid Of Them


  • Please log in to reply
31 replies to this topic

#1 deusmeister

deusmeister

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:35 AM

Posted 14 July 2007 - 12:51 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:05 PM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\AOL\1146620640\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.gloryworks.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1146620640\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [khxmixodx] c:\windows\system32\khxmixodx.exe khxmixodx
O4 - HKLM\..\Run: [ufettf] c:\windows\system32\ufettf.exe ufettf
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [behcgvj] c:\windows\system32\behcgvj.exe behcgvj
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [kzfytrxl] "c:\windows\system32\kzfytrxl.exe" kzfytrxl
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [fundaqbpcw] "c:\windows\system32\fundaqbpcw.exe" fundaqbpcw
O4 - HKCU\..\Run: [yvkonb] "c:\windows\system32\yvkonb.exe" yvkonb
O4 - HKCU\..\Run: [kogcnyxfdm] "c:\windows\system32\kogcnyxfdm.exe" kogcnyxfdm
O4 - HKCU\..\Run: [epkilgy] "c:\windows\system32\epkilgy.exe" epkilgy
O4 - HKCU\..\Run: [rhjtsemme] "c:\windows\system32\rhjtsemme.exe" rhjtsemme
O4 - HKCU\..\Run: [frybvzgs] "c:\windows\system32\frybvzgs.exe" frybvzgs
O4 - HKCU\..\Run: [usmophkztl] c:\windows\system32\usmophkztl.exe usmophkztl
O4 - HKCU\..\Run: [zjhnpzhrx] c:\windows\system32\zjhnpzhrx.exe zjhnpzhrx
O4 - HKCU\..\Run: [firyxtb] c:\windows\system32\firyxtb.exe firyxtb
O4 - HKCU\..\Run: [dmskhidf] c:\windows\system32\dmskhidf.exe dmskhidf
O4 - HKCU\..\Run: [jufofczn] c:\windows\system32\jufofczn.exe jufofczn
O4 - HKCU\..\Run: [lccclkr] c:\windows\system32\lccclkr.exe lccclkr
O4 - HKCU\..\Run: [cvbfthvg] c:\windows\system32\cvbfthvg.exe cvbfthvg
O4 - HKCU\..\Run: [khbcshz] c:\windows\system32\khbcshz.exe khbcshz
O4 - HKCU\..\Run: [dratahwtx] c:\windows\system32\dratahwtx.exe dratahwtx
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKCU\..\Run: [qznfse] c:\windows\system32\qznfse.exe qznfse
O4 - HKCU\..\Run: [txkivzy] c:\windows\system32\txkivzy.exe txkivzy
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {4E77DBA6-3506-46EC-93C0-AB1E0DBD7E4A} (ZtServiceManager Class) - http://fugumce.stream.aol.com/mce_vod/serv.../ServiceMgr.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://lamer.dns2go.com:88/LNetCam.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163225110078
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by21fd.bay21.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14508 bytes

For the past couple of months I have been getting popups and can not get rid of them. I think that one of my family members downloaded one of those fake antivirus programs so that may have something to do with it.
In the past, I also went on these survey sites and signed up for a lot of websites, and I think they are still tracking me somehow. Any help would be appreciated.

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 14 July 2007 - 03:15 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum deusmeister :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 deusmeister

deusmeister
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:35 AM

Posted 14 July 2007 - 03:48 PM

"Dad" - 07/14/2007 16:34:40 - ComboFix 07-07-14.6 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\hfnunjkwp.dat
C:\WINDOWS\system32\hfnunjkwp.exe
C:\WINDOWS\system32\hfnunjkwp_nav.dat
C:\WINDOWS\system32\hfnunjkwp_navps.dat
C:\WINDOWS\system32\nvs2.inf


((((((((((((((((((((((((( Files Created from 2007-06-14 to 2007-07-14 )))))))))))))))))))))))))))))))


2007-07-14 16:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-14 15:32 <DIR> d-------- C:\Program Files\iTunes
2007-07-14 15:32 <DIR> d-------- C:\Program Files\iPod
2007-07-14 15:30 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-14 15:29 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-14 15:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-14 13:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-12 17:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-07-12 17:37 <DIR> d-------- C:\Program Files\Bonjour
2007-07-12 17:25 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-07-09 22:03 296 --a------ C:\WINDOWS\system32\azvfjr_navps.dat
2007-07-09 22:02 4,648 --a------ C:\WINDOWS\system32\azvfjr.dat
2007-07-09 22:02 263,168 --a------ C:\WINDOWS\system32\azvfjr.exe
2007-07-09 21:20 4,483 --a------ C:\WINDOWS\system32\hfnunjkwp.dat
2007-07-06 02:05 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\Joost
2007-07-05 20:29 <DIR> d-------- C:\Program Files\Joost
2007-07-05 20:29 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\Joost
2007-07-04 14:16 <DIR> d-------- C:\dos
2007-07-04 14:15 <DIR> d-------- C:\DOSbox
2007-07-03 15:30 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-03 14:12 <DIR> d-------- C:\UT2004
2007-07-03 13:29 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\WinBatch
2007-07-02 18:27 122,880 --a------ C:\WINDOWS\UnGins.exe
2007-07-01 20:50 <DIR> d-------- C:\Program Files\RondoWin32
2007-06-29 22:00 4,294 --a------ C:\WINDOWS\system32\vmnueyq.dat
2007-06-29 22:00 296 --a------ C:\WINDOWS\system32\vmnueyq_navps.dat
2007-06-29 22:00 284,160 --a------ C:\WINDOWS\system32\vmnueyq.exe
2007-06-29 21:18 4,482 --a------ C:\WINDOWS\system32\txkivzy.dat
2007-06-27 21:17 8,029 --a------ C:\WINDOWS\system32\qznfse.dat
2007-06-27 21:17 269,824 --a------ C:\WINDOWS\system32\qznfse.exe
2007-06-27 21:17 254,865 --a------ C:\WINDOWS\system32\qznfse_nav.dat
2007-06-27 21:17 2,556 --a------ C:\WINDOWS\system32\qznfse_navps.dat
2007-06-23 18:32 0 -ra------ C:\logwmemory.bin
2007-06-23 18:28 <DIR> d-------- C:\Soldat
2007-06-19 18:04 314,368 --a------ C:\WINDOWS\uninst.exe
2007-06-19 18:04 <DIR> d-------- C:\Program Files\LucasArts
2007-06-19 00:56 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-06-18 19:35 <DIR> d-------- C:\Program Files\ScummVM
2007-06-17 20:45 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\Ahead
2007-06-17 20:33 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\Ahead
2007-06-17 20:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-06-17 16:45 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\fretsonfire
2007-06-17 16:44 <DIR> d-------- C:\Program Files\Frets on Fire
2007-06-17 16:44 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\fretsonfire
2007-06-16 23:40 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-06-16 19:37 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-16 16:01 28,202 --a------ C:\WINDOWS\system32\dmskhidf.dat
2007-06-16 16:01 1,746 --a------ C:\WINDOWS\system32\dmskhidf_navps.dat
2007-06-16 16:00 463,360 --a------ C:\WINDOWS\system32\arexuyves.exe
2007-06-16 16:00 4,664 --a------ C:\WINDOWS\system32\arexuyves.dat
2007-06-16 16:00 296 --a------ C:\WINDOWS\system32\arexuyves_navps.dat
2007-06-16 16:00 268,015 --a------ C:\WINDOWS\system32\arexuyves_nav.dat
2007-06-16 15:21 445,440 --a------ C:\WINDOWS\system32\txkivzy.exe
2007-06-14 15:21 7,095 --a------ C:\WINDOWS\system32\tqgiiqt.dat
2007-06-14 15:21 401,408 --a------ C:\WINDOWS\system32\tqgiiqt.exe
2007-06-14 15:21 268,015 --a------ C:\WINDOWS\system32\tqgiiqt_nav.dat
2007-06-14 15:21 1,473 --a------ C:\WINDOWS\system32\tqgiiqt_navps.dat
2007-06-14 00:07 <DIR> d-------- C:\Program Files\FLVPlayer
2007-06-13 19:36 8,087 --a------ C:\WINDOWS\system32\dratahwtx.dat
2007-06-13 19:36 407,552 --a------ C:\WINDOWS\system32\dratahwtx.exe
2007-06-13 19:36 268,015 --a------ C:\WINDOWS\system32\dratahwtx_nav.dat
2007-06-13 19:36 2,521 --a------ C:\WINDOWS\system32\dratahwtx_navps.dat
2007-06-13 00:32 <DIR> d-------- C:\Program Files\DivX
2007-06-11 02:09 <DIR> d-------- C:\b
2007-06-09 23:49 <DIR> d-------- C:\Program Files\Tank Wars
2007-06-09 17:16 <DIR> d-------- C:\Program Files\Project64 1.6
2007-06-08 21:17 405,504 --a------ C:\WINDOWS\system32\khbcshz.exe
2007-06-08 21:17 4,368 --a------ C:\WINDOWS\system32\khbcshz.dat
2007-06-08 21:17 268,015 --a------ C:\WINDOWS\system32\khbcshz_nav.dat
2007-06-08 21:17 2,048 --a------ C:\WINDOWS\system32\khbcshz_navps.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-14 19:31:33 -------- d-----w C:\Program Files\QuickTime
2007-07-14 19:22:57 -------- d-----w C:\Program Files\Common Files\AOL
2007-07-14 02:03:55 -------- d-----w C:\Program Files\Soulseek
2007-07-13 13:53:06 -------- d-----w C:\Program Files\Quicken
2007-07-10 18:23:37 -------- d-----w C:\Program Files\LimeWire
2007-06-29 18:38:14 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-24 05:52:17 -------- d-----w C:\Program Files\Winamp
2007-06-20 23:12:54 -------- d-----w C:\Program Files\StepMania
2007-06-15 13:08:01 -------- d-----w C:\Program Files\Google
2007-06-13 04:32:27 6,182 ----a-w C:\WINDOWS\mozver.dat
2007-06-08 19:13:11 7,175 ----a-w C:\WINDOWS\system32\cvbfthvg.dat
2007-06-08 19:12:59 2,614 ----a-w C:\WINDOWS\system32\cvbfthvg_navps.dat
2007-06-08 19:12:24 846 ----a-w C:\WINDOWS\system32\fmbvnap_navps.dat
2007-06-08 19:11:59 5,817 ----a-w C:\WINDOWS\system32\fmbvnap.dat
2007-06-08 04:03:59 -------- d-----w C:\Program Files\AIM6
2007-06-08 04:03:45 -------- d-----w C:\Program Files\Viewpoint
2007-06-07 02:00:31 389,120 ----a-w C:\WINDOWS\system32\cvbfthvg.exe
2007-06-07 01:17:31 262,293 ----a-w C:\WINDOWS\system32\cvbfthvg_nav.dat
2007-06-07 01:17:19 386,048 ----a-w C:\WINDOWS\system32\fmbvnap.exe
2007-06-07 01:17:18 262,293 ----a-w C:\WINDOWS\system32\fmbvnap_nav.dat
2007-06-05 05:17:32 844 ----a-w C:\WINDOWS\system32\jufofczn_navps.dat
2007-06-05 05:17:16 1,476 ----a-w C:\WINDOWS\system32\lccclkr_navps.dat
2007-06-05 05:16:58 4,571 ----a-w C:\WINDOWS\system32\jufofczn.dat
2007-06-05 05:16:50 4,707 ----a-w C:\WINDOWS\system32\lccclkr.dat
2007-06-05 02:00:42 351,744 ----a-w C:\WINDOWS\system32\lccclkr.exe
2007-06-05 01:17:07 262,293 ----a-w C:\WINDOWS\system32\lccclkr_nav.dat
2007-06-05 01:10:40 354,816 ----a-w C:\WINDOWS\system32\jufofczn.exe
2007-06-05 01:10:40 262,293 ----a-w C:\WINDOWS\system32\jufofczn_nav.dat
2007-06-04 22:01:58 -------- d-----w C:\Program Files\GameTap
2007-06-04 22:01:24 -------- d-----w C:\DOCUME~1\Dad\APPLIC~1\InstallShield
2007-06-01 13:58:21 -------- d-----w C:\Program Files\MSN Games
2007-05-31 02:56:17 -------- d-----w C:\Program Files\Common Files\xing shared
2007-05-31 02:56:11 -------- d-----w C:\Program Files\Common Files\Real
2007-05-31 02:56:01 -------- d-----w C:\Program Files\Real
2007-05-24 07:07:25 2,228 ----a-w C:\WINDOWS\system32\firyxtb_navps.dat
2007-05-24 07:06:48 7,397 ----a-w C:\WINDOWS\system32\firyxtb.dat
2007-05-21 22:55:17 3,365 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
2007-05-21 22:54:36 10,884,472 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-05-21 22:46:58 3,590 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2007-05-21 22:43:23 13,015 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2007-05-21 22:43:20 -------- d-----w C:\Program Files\Illustrate
2007-05-21 22:38:23 -------- d-----w C:\Program Files\MP4 to MP3 Converter
2007-05-21 21:36:22 361,984 ----a-w C:\WINDOWS\system32\firyxtb.exe
2007-05-21 14:33:00 -------- d-----w C:\Program Files\HP
2007-05-21 14:32:33 -------- d-----w C:\Program Files\Hewlett-Packard
2007-05-19 21:35:41 259,113 ----a-w C:\WINDOWS\system32\firyxtb_nav.dat
2007-05-19 19:36:16 -------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-05-19 01:16:44 -------- d-----w C:\Program Files\CDisplay
2007-05-16 15:12:02 683,520 ------w C:\WINDOWS\system32\inetcomm.dll
2007-05-14 02:33:52 -------- d-----w C:\Program Files\ConsoleClassix.com
2007-05-11 21:41:47 4,646 ----a-w C:\WINDOWS\system32\zjhnpzhrx.dat
2007-05-11 21:41:46 3,613 ----a-w C:\WINDOWS\system32\zjhnpzhrx_navps.dat
2007-05-10 22:37:48 259,113 ----a-w C:\WINDOWS\system32\zjhnpzhrx_nav.dat
2007-05-08 22:37:06 336,896 ----a-w C:\WINDOWS\system32\zjhnpzhrx.exe
2007-05-07 11:32:51 334,336 ----a-w C:\WINDOWS\system32\dmskhidf.exe
2007-04-25 14:21:15 144,896 ------w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2006-09-05 01:35:21 0 ----a-w C:\DOCUME~1\Dad\APPLIC~1\wklnhst.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
12/18/2006 05:16 AM 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
03/14/2007 03:43 AM 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
06/14/2007 09:37 AM 2554944 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}]
05/30/2006 11:20 AM 208896 --a------ C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
05/31/2007 07:19 PM 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [08/02/2005 08:19 PM C:\WINDOWS\arpwrmsg.exe]
"nwiz"="nwiz.exe" [01/24/2006 02:15 PM C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [01/23/2006 06:53 AM C:\WINDOWS\RTHDCPL.EXE]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [06/01/2005 07:35 PM]
"DMAScheduler"="c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [11/01/2005 06:01 AM]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [11/09/2005 01:29 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [05/12/2005 03:12 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/22/2007 07:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/2007 03:43 AM]
"KBD"="C:\HP\KBD\KBD.EXE" [02/02/2005 04:44 PM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [08/11/2005 03:30 PM]
"ISUSScheduler"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [08/11/2005 03:30 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/30/2007 10:55 PM]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [09/07/2006 01:19 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2007 09:18 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/09/2004 05:00 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/02/2007 08:25 PM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [04/03/2007 06:29 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"AOLRebootNeeded"=regsvr32.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc06a7f9-da41-11da-8721-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - APPLE_MOBILE_DEVICE

Contents of the 'Scheduled Tasks' folder
2007-07-14 15:41:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-14 16:40:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 07/14/2007 16:41:13
C:\ComboFix-quarantined-files.txt ... 07/14/2007 04:41 PM

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:03 PM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.gloryworks.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [AOLRebootNeeded] regsvr32.exe /s
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [kzfytrxl] "c:\windows\system32\kzfytrxl.exe" kzfytrxl
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [fundaqbpcw] "c:\windows\system32\fundaqbpcw.exe" fundaqbpcw
O4 - HKCU\..\Run: [yvkonb] "c:\windows\system32\yvkonb.exe" yvkonb
O4 - HKCU\..\Run: [kogcnyxfdm] "c:\windows\system32\kogcnyxfdm.exe" kogcnyxfdm
O4 - HKCU\..\Run: [epkilgy] "c:\windows\system32\epkilgy.exe" epkilgy
O4 - HKCU\..\Run: [rhjtsemme] "c:\windows\system32\rhjtsemme.exe" rhjtsemme
O4 - HKCU\..\Run: [frybvzgs] "c:\windows\system32\frybvzgs.exe" frybvzgs
O4 - HKCU\..\Run: [usmophkztl] c:\windows\system32\usmophkztl.exe usmophkztl
O4 - HKCU\..\Run: [zjhnpzhrx] c:\windows\system32\zjhnpzhrx.exe zjhnpzhrx
O4 - HKCU\..\Run: [firyxtb] c:\windows\system32\firyxtb.exe firyxtb
O4 - HKCU\..\Run: [dmskhidf] c:\windows\system32\dmskhidf.exe dmskhidf
O4 - HKCU\..\Run: [jufofczn] c:\windows\system32\jufofczn.exe jufofczn
O4 - HKCU\..\Run: [lccclkr] c:\windows\system32\lccclkr.exe lccclkr
O4 - HKCU\..\Run: [cvbfthvg] c:\windows\system32\cvbfthvg.exe cvbfthvg
O4 - HKCU\..\Run: [khbcshz] c:\windows\system32\khbcshz.exe khbcshz
O4 - HKCU\..\Run: [dratahwtx] c:\windows\system32\dratahwtx.exe dratahwtx
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKCU\..\Run: [qznfse] c:\windows\system32\qznfse.exe qznfse
O4 - HKCU\..\Run: [txkivzy] c:\windows\system32\txkivzy.exe txkivzy
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {4E77DBA6-3506-46EC-93C0-AB1E0DBD7E4A} (ZtServiceManager Class) - http://fugumce.stream.aol.com/mce_vod/serv.../ServiceMgr.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://lamer.dns2go.com:88/LNetCam.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163225110078
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by21fd.bay21.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13914 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 14 July 2007 - 04:08 PM

Copy and paste ALL the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\azvfjr_navps.dat
C:\WINDOWS\system32\azvfjr.dat
C:\WINDOWS\system32\azvfjr.exe
C:\WINDOWS\system32\hfnunjkwp.dat
C:\WINDOWS\system32\vmnueyq.dat
C:\WINDOWS\system32\vmnueyq_navps.dat
C:\WINDOWS\system32\vmnueyq.exe
C:\WINDOWS\system32\txkivzy.dat
C:\WINDOWS\system32\qznfse.dat
C:\WINDOWS\system32\qznfse.exe
C:\WINDOWS\system32\qznfse_nav.dat
C:\WINDOWS\system32\qznfse_navps.dat
C:\WINDOWS\system32\dmskhidf.dat
C:\WINDOWS\system32\dmskhidf_navps.dat
C:\WINDOWS\system32\arexuyves.exe
C:\WINDOWS\system32\arexuyves.dat
C:\WINDOWS\system32\arexuyves_navps.dat
C:\WINDOWS\system32\arexuyves_nav.dat
C:\WINDOWS\system32\txkivzy.exe
C:\WINDOWS\system32\tqgiiqt.dat
C:\WINDOWS\system32\tqgiiqt.exe
C:\WINDOWS\system32\tqgiiqt_nav.dat
C:\WINDOWS\system32\tqgiiqt_navps.dat
C:\WINDOWS\system32\dratahwtx.dat
C:\WINDOWS\system32\dratahwtx.exe
C:\WINDOWS\system32\dratahwtx_nav.dat
C:\WINDOWS\system32\dratahwtx_navps.dat
C:\WINDOWS\system32\khbcshz.exe
C:\WINDOWS\system32\khbcshz.dat
C:\WINDOWS\system32\khbcshz_nav.dat
C:\WINDOWS\system32\khbcshz_navps.dat
C:\WINDOWS\system32\cvbfthvg.dat
C:\WINDOWS\system32\cvbfthvg_navps.dat
C:\WINDOWS\system32\fmbvnap_navps.dat
C:\WINDOWS\system32\fmbvnap.dat
C:\WINDOWS\system32\cvbfthvg.exe
C:\WINDOWS\system32\cvbfthvg_nav.dat
C:\WINDOWS\system32\fmbvnap.exe
C:\WINDOWS\system32\fmbvnap_nav.dat
C:\WINDOWS\system32\jufofczn_navps.dat
C:\WINDOWS\system32\lccclkr_navps.dat
C:\WINDOWS\system32\jufofczn.dat
C:\WINDOWS\system32\lccclkr.dat
C:\WINDOWS\system32\lccclkr.exe
C:\WINDOWS\system32\lccclkr_nav.dat
C:\WINDOWS\system32\jufofczn.exe
C:\WINDOWS\system32\jufofczn_nav.dat
C:\WINDOWS\system32\firyxtb_navps.dat
C:\WINDOWS\system32\firyxtb.dat
C:\WINDOWS\system32\firyxtb.exe
C:\WINDOWS\system32\firyxtb_nav.dat
C:\WINDOWS\system32\zjhnpzhrx.dat
C:\WINDOWS\system32\zjhnpzhrx_navps.dat
C:\WINDOWS\system32\zjhnpzhrx_nav.dat
C:\WINDOWS\system32\zjhnpzhrx.exe
C:\WINDOWS\system32\dmskhidf.exe

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
Posted Image
Posted Image

#5 deusmeister

deusmeister
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:35 AM

Posted 14 July 2007 - 04:25 PM

"Dad" - 2007-07-14 17:16:35 - ComboFix 07-07-14.6 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Matt\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\arexuyves.dat
C:\WINDOWS\system32\arexuyves.exe
C:\WINDOWS\system32\arexuyves_nav.dat
C:\WINDOWS\system32\arexuyves_navps.dat
C:\WINDOWS\system32\azvfjr.dat
C:\WINDOWS\system32\azvfjr.exe
C:\WINDOWS\system32\azvfjr_navps.dat
C:\WINDOWS\system32\cvbfthvg.dat
C:\WINDOWS\system32\cvbfthvg.exe
C:\WINDOWS\system32\cvbfthvg_nav.dat
C:\WINDOWS\system32\cvbfthvg_navps.dat
C:\WINDOWS\system32\dmskhidf.dat
C:\WINDOWS\system32\dmskhidf.exe
C:\WINDOWS\system32\dmskhidf_navps.dat
C:\WINDOWS\system32\dratahwtx.dat
C:\WINDOWS\system32\dratahwtx.exe
C:\WINDOWS\system32\dratahwtx_nav.dat
C:\WINDOWS\system32\dratahwtx_navps.dat
C:\WINDOWS\system32\firyxtb.dat
C:\WINDOWS\system32\firyxtb.exe
C:\WINDOWS\system32\firyxtb_nav.dat
C:\WINDOWS\system32\firyxtb_navps.dat
C:\WINDOWS\system32\fmbvnap.dat
C:\WINDOWS\system32\fmbvnap.exe
C:\WINDOWS\system32\fmbvnap_nav.dat
C:\WINDOWS\system32\fmbvnap_navps.dat
C:\WINDOWS\system32\hfnunjkwp.dat
C:\WINDOWS\system32\jufofczn.dat
C:\WINDOWS\system32\jufofczn.exe
C:\WINDOWS\system32\jufofczn_nav.dat
C:\WINDOWS\system32\jufofczn_navps.dat
C:\WINDOWS\system32\khbcshz.dat
C:\WINDOWS\system32\khbcshz.exe
C:\WINDOWS\system32\khbcshz_nav.dat
C:\WINDOWS\system32\khbcshz_navps.dat
C:\WINDOWS\system32\lccclkr.dat
C:\WINDOWS\system32\lccclkr.exe
C:\WINDOWS\system32\lccclkr_nav.dat
C:\WINDOWS\system32\lccclkr_navps.dat
C:\WINDOWS\system32\qznfse.dat
C:\WINDOWS\system32\qznfse.exe
C:\WINDOWS\system32\qznfse_nav.dat
C:\WINDOWS\system32\qznfse_navps.dat
C:\WINDOWS\system32\tqgiiqt.dat
C:\WINDOWS\system32\tqgiiqt.exe
C:\WINDOWS\system32\tqgiiqt_nav.dat
C:\WINDOWS\system32\tqgiiqt_navps.dat
C:\WINDOWS\system32\txkivzy.dat
C:\WINDOWS\system32\txkivzy.exe
C:\WINDOWS\system32\vmnueyq.dat
C:\WINDOWS\system32\vmnueyq.exe
C:\WINDOWS\system32\vmnueyq_navps.dat
C:\WINDOWS\system32\zjhnpzhrx.dat
C:\WINDOWS\system32\zjhnpzhrx.exe
C:\WINDOWS\system32\zjhnpzhrx_nav.dat
C:\WINDOWS\system32\zjhnpzhrx_navps.dat


((((((((((((((((((((((((( Files Created from 2007-06-14 to 2007-07-14 )))))))))))))))))))))))))))))))


2007-07-14 16:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-14 15:32 <DIR> d-------- C:\Program Files\iTunes
2007-07-14 15:32 <DIR> d-------- C:\Program Files\iPod
2007-07-14 15:30 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-14 15:29 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-14 15:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-14 13:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-12 17:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-07-12 17:37 <DIR> d-------- C:\Program Files\Bonjour
2007-07-12 17:25 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-07-09 21:20 4,483 --a------ C:\WINDOWS\system32\hfnunjkwp.dat
2007-07-06 02:05 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\Joost
2007-07-05 20:29 <DIR> d-------- C:\Program Files\Joost
2007-07-05 20:29 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\Joost
2007-07-04 14:16 <DIR> d-------- C:\dos
2007-07-04 14:15 <DIR> d-------- C:\DOSbox
2007-07-03 15:30 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-03 14:12 <DIR> d-------- C:\UT2004
2007-07-03 13:29 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\WinBatch
2007-07-02 18:27 122,880 --a------ C:\WINDOWS\UnGins.exe
2007-07-01 20:50 <DIR> d-------- C:\Program Files\RondoWin32
2007-06-23 18:32 0 -ra------ C:\logwmemory.bin
2007-06-23 18:28 <DIR> d-------- C:\Soldat
2007-06-19 18:04 314,368 --a------ C:\WINDOWS\uninst.exe
2007-06-19 18:04 <DIR> d-------- C:\Program Files\LucasArts
2007-06-19 00:56 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-06-18 19:35 <DIR> d-------- C:\Program Files\ScummVM
2007-06-17 20:45 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\Ahead
2007-06-17 20:33 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\Ahead
2007-06-17 20:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-06-17 16:45 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\fretsonfire
2007-06-17 16:44 <DIR> d-------- C:\Program Files\Frets on Fire
2007-06-17 16:44 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\fretsonfire
2007-06-16 23:40 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-06-16 19:37 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-14 00:07 <DIR> d-------- C:\Program Files\FLVPlayer


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-14 19:31:33 -------- d-----w C:\Program Files\QuickTime
2007-07-14 19:22:57 -------- d-----w C:\Program Files\Common Files\AOL
2007-07-14 02:03:55 -------- d-----w C:\Program Files\Soulseek
2007-07-13 13:53:06 -------- d-----w C:\Program Files\Quicken
2007-07-10 18:23:37 -------- d-----w C:\Program Files\LimeWire
2007-06-29 18:38:14 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-24 05:52:17 -------- d-----w C:\Program Files\Winamp
2007-06-23 22:30:15 -------- d-----w C:\Program Files\Project64 1.6
2007-06-20 23:12:54 -------- d-----w C:\Program Files\StepMania
2007-06-15 13:08:01 -------- d-----w C:\Program Files\Google
2007-06-14 04:06:50 -------- d-----w C:\Program Files\DivX
2007-06-13 04:32:27 6,182 ----a-w C:\WINDOWS\mozver.dat
2007-06-10 03:50:04 -------- d-----w C:\Program Files\Tank Wars
2007-06-08 04:03:59 -------- d-----w C:\Program Files\AIM6
2007-06-08 04:03:45 -------- d-----w C:\Program Files\Viewpoint
2007-06-04 22:01:58 -------- d-----w C:\Program Files\GameTap
2007-06-04 22:01:24 -------- d-----w C:\DOCUME~1\Dad\APPLIC~1\InstallShield
2007-06-01 13:58:21 -------- d-----w C:\Program Files\MSN Games
2007-05-31 02:56:17 -------- d-----w C:\Program Files\Common Files\xing shared
2007-05-31 02:56:11 -------- d-----w C:\Program Files\Common Files\Real
2007-05-31 02:56:01 -------- d-----w C:\Program Files\Real
2007-05-21 22:55:17 3,365 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
2007-05-21 22:54:36 10,884,472 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-05-21 22:46:58 3,590 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2007-05-21 22:43:23 13,015 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2007-05-21 22:43:20 -------- d-----w C:\Program Files\Illustrate
2007-05-21 22:38:23 -------- d-----w C:\Program Files\MP4 to MP3 Converter
2007-05-21 14:33:00 -------- d-----w C:\Program Files\HP
2007-05-21 14:32:33 -------- d-----w C:\Program Files\Hewlett-Packard
2007-05-19 19:36:16 -------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-05-19 01:16:44 -------- d-----w C:\Program Files\CDisplay
2007-05-16 15:12:02 683,520 ------w C:\WINDOWS\system32\inetcomm.dll
2007-05-14 02:33:52 -------- d-----w C:\Program Files\ConsoleClassix.com
2007-04-25 14:21:15 144,896 ------w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2006-09-05 01:35:21 0 ----a-w C:\DOCUME~1\Dad\APPLIC~1\wklnhst.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 05:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-06-14 09:37 2554944 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}]
2006-05-30 11:20 208896 --a------ C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-05-31 19:19 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 20:19 C:\WINDOWS\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2006-01-24 14:15 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-23 06:53 C:\WINDOWS\RTHDCPL.EXE]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 19:35]
"DMAScheduler"="c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 06:01]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 13:29]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 03:12]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-22 07:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 15:30]
"ISUSScheduler"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2005-08-11 15:30]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-30 22:55]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 17:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-02 20:25]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - APPLE_MOBILE_DEVICE
*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2007-07-14 15:41:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-14 17:18:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-14 17:18:43
C:\ComboFix-quarantined-files.txt ... 2007-07-14 17:18
C:\ComboFix2.txt ... 2007-07-14 16:41

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:19 PM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.gloryworks.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [kzfytrxl] "c:\windows\system32\kzfytrxl.exe" kzfytrxl
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [fundaqbpcw] "c:\windows\system32\fundaqbpcw.exe" fundaqbpcw
O4 - HKCU\..\Run: [yvkonb] "c:\windows\system32\yvkonb.exe" yvkonb
O4 - HKCU\..\Run: [kogcnyxfdm] "c:\windows\system32\kogcnyxfdm.exe" kogcnyxfdm
O4 - HKCU\..\Run: [epkilgy] "c:\windows\system32\epkilgy.exe" epkilgy
O4 - HKCU\..\Run: [rhjtsemme] "c:\windows\system32\rhjtsemme.exe" rhjtsemme
O4 - HKCU\..\Run: [frybvzgs] "c:\windows\system32\frybvzgs.exe" frybvzgs
O4 - HKCU\..\Run: [usmophkztl] c:\windows\system32\usmophkztl.exe usmophkztl
O4 - HKCU\..\Run: [zjhnpzhrx] c:\windows\system32\zjhnpzhrx.exe zjhnpzhrx
O4 - HKCU\..\Run: [firyxtb] c:\windows\system32\firyxtb.exe firyxtb
O4 - HKCU\..\Run: [dmskhidf] c:\windows\system32\dmskhidf.exe dmskhidf
O4 - HKCU\..\Run: [jufofczn] c:\windows\system32\jufofczn.exe jufofczn
O4 - HKCU\..\Run: [lccclkr] c:\windows\system32\lccclkr.exe lccclkr
O4 - HKCU\..\Run: [cvbfthvg] c:\windows\system32\cvbfthvg.exe cvbfthvg
O4 - HKCU\..\Run: [khbcshz] c:\windows\system32\khbcshz.exe khbcshz
O4 - HKCU\..\Run: [dratahwtx] c:\windows\system32\dratahwtx.exe dratahwtx
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKCU\..\Run: [qznfse] c:\windows\system32\qznfse.exe qznfse
O4 - HKCU\..\Run: [txkivzy] c:\windows\system32\txkivzy.exe txkivzy
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {4E77DBA6-3506-46EC-93C0-AB1E0DBD7E4A} (ZtServiceManager Class) - http://fugumce.stream.aol.com/mce_vod/serv.../ServiceMgr.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://lamer.dns2go.com:88/LNetCam.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163225110078
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by21fd.bay21.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13768 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 14 July 2007 - 04:43 PM

Please download the OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\hfnunjkwp.dat
C:\Program Files\Viewpoint


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

-------------------------------------------------------------

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKCU\..\Run: [kzfytrxl] "c:\windows\system32\kzfytrxl.exe" kzfytrxl
O4 - HKCU\..\Run: [fundaqbpcw] "c:\windows\system32\fundaqbpcw.exe" fundaqbpcw
O4 - HKCU\..\Run: [yvkonb] "c:\windows\system32\yvkonb.exe" yvkonb
O4 - HKCU\..\Run: [kogcnyxfdm] "c:\windows\system32\kogcnyxfdm.exe" kogcnyxfdm
O4 - HKCU\..\Run: [epkilgy] "c:\windows\system32\epkilgy.exe" epkilgy
O4 - HKCU\..\Run: [rhjtsemme] "c:\windows\system32\rhjtsemme.exe" rhjtsemme
O4 - HKCU\..\Run: [frybvzgs] "c:\windows\system32\frybvzgs.exe" frybvzgs
O4 - HKCU\..\Run: [usmophkztl] c:\windows\system32\usmophkztl.exe usmophkztl
O4 - HKCU\..\Run: [zjhnpzhrx] c:\windows\system32\zjhnpzhrx.exe zjhnpzhrx
O4 - HKCU\..\Run: [firyxtb] c:\windows\system32\firyxtb.exe firyxtb
O4 - HKCU\..\Run: [dmskhidf] c:\windows\system32\dmskhidf.exe dmskhidf
O4 - HKCU\..\Run: [jufofczn] c:\windows\system32\jufofczn.exe jufofczn
O4 - HKCU\..\Run: [lccclkr] c:\windows\system32\lccclkr.exe lccclkr
O4 - HKCU\..\Run: [cvbfthvg] c:\windows\system32\cvbfthvg.exe cvbfthvg
O4 - HKCU\..\Run: [khbcshz] c:\windows\system32\khbcshz.exe khbcshz
O4 - HKCU\..\Run: [dratahwtx] c:\windows\system32\dratahwtx.exe dratahwtx
O4 - HKCU\..\Run: [qznfse] c:\windows\system32\qznfse.exe qznfse
O4 - HKCU\..\Run: [txkivzy] c:\windows\system32\txkivzy.exe txkivzy
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log,let me know how your pc is running now.

Posted Image
Posted Image

#7 deusmeister

deusmeister
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:35 AM

Posted 14 July 2007 - 06:06 PM

I couldn't find any log of Superantispyware. Under the Scanner Logs section, there is just a file called "Log" and I can't view it. In case you want to know, there were 142 tracking cookies, and there 2 malware installer files called "Pkg/Gen." Also, I am still getting popups. I don't know what to do. :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:02:36 PM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.gloryworks.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hfnunjkwp] c:\windows\system32\hfnunjkwp.exe hfnunjkwp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKCU\..\Run: [hfnunjkwp] c:\windows\system32\hfnunjkwp.exe hfnunjkwp
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {4E77DBA6-3506-46EC-93C0-AB1E0DBD7E4A} (ZtServiceManager Class) - http://fugumce.stream.aol.com/mce_vod/serv.../ServiceMgr.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://lamer.dns2go.com:88/LNetCam.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163225110078
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by21fd.bay21.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 12574 bytes

Edited by deusmeister, 14 July 2007 - 06:10 PM.


#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 14 July 2007 - 06:20 PM

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
Viewpoint Manager Service
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

-------------------------------------------------------

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKLM\..\Run: [hfnunjkwp] c:\windows\system32\hfnunjkwp.exe hfnunjkwp
O4 - HKCU\..\Run: [hfnunjkwp] c:\windows\system32\hfnunjkwp.exe hfnunjkwp
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://lamer.dns2go.com:88/LNetCam.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

Exit Hijackthis.

-------------------------------------------------------

Double click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#9 deusmeister

deusmeister
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:35 AM

Posted 14 July 2007 - 06:40 PM

"Dad" - 2007-07-14 19:31:34 - ComboFix 07-07-14.6 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-14 to 2007-07-14 )))))))))))))))))))))))))))))))


2007-07-14 18:56 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\SUPERAntiSpyware.com
2007-07-14 17:50 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-14 17:50 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\SUPERAntiSpyware.com
2007-07-14 17:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-14 17:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-14 17:33 262,465 --a------ C:\WINDOWS\system32\crbrhhxuam_nav.dat
2007-07-14 17:32 845 --a------ C:\WINDOWS\system32\crbrhhxuam_navps.dat
2007-07-14 17:32 5,629 --a------ C:\WINDOWS\system32\crbrhhxuam.dat
2007-07-14 17:32 269,312 --a------ C:\WINDOWS\system32\crbrhhxuam.exe
2007-07-14 16:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-14 15:32 <DIR> d-------- C:\Program Files\iTunes
2007-07-14 15:32 <DIR> d-------- C:\Program Files\iPod
2007-07-14 15:29 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-14 15:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-14 13:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-12 17:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-07-12 17:37 <DIR> d-------- C:\Program Files\Bonjour
2007-07-12 17:25 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-07-06 02:05 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\Joost
2007-07-05 20:29 <DIR> d-------- C:\Program Files\Joost
2007-07-05 20:29 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\Joost
2007-07-04 14:16 <DIR> d-------- C:\dos
2007-07-04 14:15 <DIR> d-------- C:\DOSbox
2007-07-03 15:30 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-03 14:12 <DIR> d-------- C:\UT2004
2007-07-03 13:29 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\WinBatch
2007-07-02 18:27 122,880 --a------ C:\WINDOWS\UnGins.exe
2007-07-01 20:50 <DIR> d-------- C:\Program Files\RondoWin32
2007-06-23 18:32 0 -ra------ C:\logwmemory.bin
2007-06-23 18:28 <DIR> d-------- C:\Soldat
2007-06-19 18:04 314,368 --a------ C:\WINDOWS\uninst.exe
2007-06-19 18:04 <DIR> d-------- C:\Program Files\LucasArts
2007-06-19 00:56 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-06-18 19:35 <DIR> d-------- C:\Program Files\ScummVM
2007-06-17 20:45 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\Ahead
2007-06-17 20:33 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\Ahead
2007-06-17 20:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-06-17 16:45 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\fretsonfire
2007-06-17 16:44 <DIR> d-------- C:\Program Files\Frets on Fire
2007-06-17 16:44 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\fretsonfire
2007-06-16 23:40 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-06-16 19:37 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-14 00:07 <DIR> d-------- C:\Program Files\FLVPlayer


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-14 21:29:49 -------- d-----w C:\Program Files\Common Files\AOL
2007-07-14 19:31:33 -------- d-----w C:\Program Files\QuickTime
2007-07-14 02:03:55 -------- d-----w C:\Program Files\Soulseek
2007-07-13 13:53:06 -------- d-----w C:\Program Files\Quicken
2007-07-10 18:23:37 -------- d-----w C:\Program Files\LimeWire
2007-06-29 18:38:14 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-24 05:52:17 -------- d-----w C:\Program Files\Winamp
2007-06-23 22:30:15 -------- d-----w C:\Program Files\Project64 1.6
2007-06-20 23:12:54 -------- d-----w C:\Program Files\StepMania
2007-06-15 13:08:01 -------- d-----w C:\Program Files\Google
2007-06-14 04:06:50 -------- d-----w C:\Program Files\DivX
2007-06-13 04:32:27 6,182 ----a-w C:\WINDOWS\mozver.dat
2007-06-10 03:50:04 -------- d-----w C:\Program Files\Tank Wars
2007-06-08 04:03:59 -------- d-----w C:\Program Files\AIM6
2007-06-04 22:01:58 -------- d-----w C:\Program Files\GameTap
2007-06-04 22:01:24 -------- d-----w C:\DOCUME~1\Dad\APPLIC~1\InstallShield
2007-06-01 13:58:21 -------- d-----w C:\Program Files\MSN Games
2007-05-31 02:56:17 -------- d-----w C:\Program Files\Common Files\xing shared
2007-05-31 02:56:11 -------- d-----w C:\Program Files\Common Files\Real
2007-05-31 02:56:01 -------- d-----w C:\Program Files\Real
2007-05-21 22:55:17 3,365 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
2007-05-21 22:54:36 10,884,472 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-05-21 22:46:58 3,590 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2007-05-21 22:43:23 13,015 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2007-05-21 22:43:20 -------- d-----w C:\Program Files\Illustrate
2007-05-21 22:38:23 -------- d-----w C:\Program Files\MP4 to MP3 Converter
2007-05-21 14:33:00 -------- d-----w C:\Program Files\HP
2007-05-21 14:32:33 -------- d-----w C:\Program Files\Hewlett-Packard
2007-05-19 19:36:16 -------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-05-19 01:16:44 -------- d-----w C:\Program Files\CDisplay
2007-05-16 15:12:02 683,520 ------w C:\WINDOWS\system32\inetcomm.dll
2007-05-14 02:33:52 -------- d-----w C:\Program Files\ConsoleClassix.com
2007-04-25 14:21:15 144,896 ------w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2006-09-05 01:35:21 0 ----a-w C:\DOCUME~1\Dad\APPLIC~1\wklnhst.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 05:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-06-14 09:37 2554944 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}]
2006-05-30 11:20 208896 --a------ C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-05-31 19:19 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 20:19 C:\WINDOWS\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2006-01-24 14:15 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-23 06:53 C:\WINDOWS\RTHDCPL.EXE]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 19:35]
"DMAScheduler"="c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 06:01]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 13:29]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 03:12]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-22 07:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 15:30]
"ISUSScheduler"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2005-08-11 15:30]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-30 22:55]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 17:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-02 20:25]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll --a------ 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


Contents of the 'Scheduled Tasks' folder
2007-07-14 15:41:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-14 19:37:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-14 19:37:31
C:\ComboFix-quarantined-files.txt ... 2007-07-14 19:37
C:\ComboFix2.txt ... 2007-07-14 17:18
C:\ComboFix3.txt ... 2007-07-14 16:41

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:18 PM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.gloryworks.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKCU\..\Run: [hfnunjkwp] c:\windows\system32\hfnunjkwp.exe hfnunjkwp
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4E77DBA6-3506-46EC-93C0-AB1E0DBD7E4A} (ZtServiceManager Class) - http://fugumce.stream.aol.com/mce_vod/serv.../ServiceMgr.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163225110078
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by21fd.bay21.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 11781 bytes

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 14 July 2007 - 06:50 PM

Please download Brute Force Uninstaller to your desktop.
∑ Right click the BFU folder on your desktop, and choose Extract All
∑ Click "Next"
∑ In the box to choose where to extract the files to,
∑ Click "Browse"
∑ Click on the + sign next to "My Computer"
∑ Click on "Local Disk (C:) or whatever your primary drive is
∑ Click "Make New Folder"
∑ Type in BFU
∑ Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover.
Save it in the same folder you made earlier (c:\BFU).

Copy and paste the following bold blue text below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: aftermath.bfu
Save it in the same folder you made earlier (c:\BFU).

RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\crbrhhxuam
RegDelValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\crbrhhxuam
FileDelete %SYSDIR%\crbrhhxuam_navps.dat
FileDelete %SYSDIR%\crbrhhxuam_nav.dat
FileDelete %SYSDIR%\crbrhhxuam.dat
FileDelete %SYSDIR%\crbrhhxuam.exe
FileDelete %SYSDIR%\crbrhhxuam_m2s.xml
FileDelete %WINDIR%\crbrhhxuam.exe-*.pf


Then, please go to Start > My Computer and navigate to the C:\BFU folder.
∑ Start the Brute Force Uninstaller by doubleclicking BFU.exe
∑ Behind the scriptline to execute field click the folder icon and select EGDACCESS.bfu
∑ Press Execute and let it do itís job. (You ought to see a progress bar if you did this correctly.)
∑ Wait for the complete script execution box to pop up and press OK.
∑ Behind the scriptline to execute field click the folder icon again and this time select aftermath.bfu
∑ Press Execute and let it do itís job.
∑ Wait for the complete script execution box to pop up and press OK.
∑ Press exit to terminate the BFU program.

Reboot and post a new HijackThis log.
Posted Image
Posted Image

#11 deusmeister

deusmeister
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:35 AM

Posted 14 July 2007 - 07:07 PM

When I try to execute aftermath.bfu I get this runtime error and the program exits, but the other one executed fine.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:56 PM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.gloryworks.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKCU\..\Run: [hfnunjkwp] c:\windows\system32\hfnunjkwp.exe hfnunjkwp
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4E77DBA6-3506-46EC-93C0-AB1E0DBD7E4A} (ZtServiceManager Class) - http://fugumce.stream.aol.com/mce_vod/serv.../ServiceMgr.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163225110078
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by21fd.bay21.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 11975 bytes

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 15 July 2007 - 07:24 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKCU\..\Run: [hfnunjkwp] c:\windows\system32\hfnunjkwp.exe hfnunjkwp
Exit Hijackthis.

Double click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new Hijackthis log.
Let me know how your pc is running now.
Posted Image
Posted Image

#13 deusmeister

deusmeister
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:35 AM

Posted 15 July 2007 - 11:56 AM

I am still getting some popups, and my computer is running the same.

"Dad" - 07/15/2007 12:39:20 - ComboFix 07-07-14.6 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-15 to 2007-07-15 )))))))))))))))))))))))))))))))


2007-07-15 03:38 971 --a------ C:\WINDOWS\system32\thjqqdjo_navps.dat
2007-07-15 03:38 4,664 --a------ C:\WINDOWS\system32\thjqqdjo.dat
2007-07-15 03:38 262,465 --a------ C:\WINDOWS\system32\thjqqdjo_nav.dat
2007-07-15 03:38 259,584 --a------ C:\WINDOWS\system32\thjqqdjo.exe
2007-07-14 19:58 <DIR> d-------- C:\WINDOWS\system32\bfubackups
2007-07-14 19:54 <DIR> d-------- C:\BFU
2007-07-14 18:56 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\SUPERAntiSpyware.com
2007-07-14 17:50 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-14 17:50 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\SUPERAntiSpyware.com
2007-07-14 17:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-14 17:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-14 17:33 262,465 --a------ C:\WINDOWS\system32\crbrhhxuam_nav.dat
2007-07-14 17:32 5,629 --a------ C:\WINDOWS\system32\crbrhhxuam.dat
2007-07-14 17:32 3,770 --a------ C:\WINDOWS\system32\crbrhhxuam_navps.dat
2007-07-14 17:32 269,312 --a------ C:\WINDOWS\system32\crbrhhxuam.exe
2007-07-14 16:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-14 15:32 <DIR> d-------- C:\Program Files\iTunes
2007-07-14 15:32 <DIR> d-------- C:\Program Files\iPod
2007-07-14 15:29 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-14 15:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-14 13:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-12 17:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-07-12 17:37 <DIR> d-------- C:\Program Files\Bonjour
2007-07-12 17:25 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-07-06 02:05 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\Joost
2007-07-05 20:29 <DIR> d-------- C:\Program Files\Joost
2007-07-05 20:29 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\Joost
2007-07-04 14:16 <DIR> d-------- C:\dos
2007-07-04 14:15 <DIR> d-------- C:\DOSbox
2007-07-03 15:30 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-03 14:12 <DIR> d-------- C:\UT2004
2007-07-03 13:29 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\WinBatch
2007-07-02 18:27 122,880 --a------ C:\WINDOWS\UnGins.exe
2007-07-01 20:50 <DIR> d-------- C:\Program Files\RondoWin32
2007-06-23 18:32 0 -ra------ C:\logwmemory.bin
2007-06-23 18:28 <DIR> d-------- C:\Soldat
2007-06-19 18:04 314,368 --a------ C:\WINDOWS\uninst.exe
2007-06-19 18:04 <DIR> d-------- C:\Program Files\LucasArts
2007-06-19 00:56 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-06-18 19:35 <DIR> d-------- C:\Program Files\ScummVM
2007-06-17 20:45 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\Ahead
2007-06-17 20:33 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\Ahead
2007-06-17 20:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-06-17 16:45 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\fretsonfire
2007-06-17 16:44 <DIR> d-------- C:\Program Files\Frets on Fire
2007-06-17 16:44 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\fretsonfire
2007-06-16 23:40 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-06-16 19:37 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-14 00:07 <DIR> d-------- C:\Program Files\FLVPlayer
2007-06-13 00:32 <DIR> d-------- C:\Program Files\DivX
2007-06-11 02:09 <DIR> d-------- C:\b
2007-06-09 23:49 <DIR> d-------- C:\Program Files\Tank Wars
2007-06-09 17:16 <DIR> d-------- C:\Program Files\Project64 1.6


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-15 00:03:44 -------- d-----w C:\Program Files\LimeWire
2007-07-14 21:29:49 -------- d-----w C:\Program Files\Common Files\AOL
2007-07-14 19:31:33 -------- d-----w C:\Program Files\QuickTime
2007-07-14 02:03:55 -------- d-----w C:\Program Files\Soulseek
2007-07-13 13:53:06 -------- d-----w C:\Program Files\Quicken
2007-06-29 18:38:14 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-24 05:52:17 -------- d-----w C:\Program Files\Winamp
2007-06-20 23:12:54 -------- d-----w C:\Program Files\StepMania
2007-06-15 13:08:01 -------- d-----w C:\Program Files\Google
2007-06-13 04:32:27 6,182 ----a-w C:\WINDOWS\mozver.dat
2007-06-08 04:03:59 -------- d-----w C:\Program Files\AIM6
2007-06-04 22:01:58 -------- d-----w C:\Program Files\GameTap
2007-06-04 22:01:24 -------- d-----w C:\DOCUME~1\Dad\APPLIC~1\InstallShield
2007-06-01 13:58:21 -------- d-----w C:\Program Files\MSN Games
2007-05-31 02:56:17 -------- d-----w C:\Program Files\Common Files\xing shared
2007-05-31 02:56:11 -------- d-----w C:\Program Files\Common Files\Real
2007-05-31 02:56:01 -------- d-----w C:\Program Files\Real
2007-05-21 22:55:17 3,365 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
2007-05-21 22:54:36 10,884,472 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-05-21 22:46:58 3,590 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2007-05-21 22:43:23 13,015 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2007-05-21 22:43:20 -------- d-----w C:\Program Files\Illustrate
2007-05-21 22:38:23 -------- d-----w C:\Program Files\MP4 to MP3 Converter
2007-05-21 14:33:00 -------- d-----w C:\Program Files\HP
2007-05-21 14:32:33 -------- d-----w C:\Program Files\Hewlett-Packard
2007-05-19 19:36:16 -------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-05-19 01:16:44 -------- d-----w C:\Program Files\CDisplay
2007-05-16 15:12:02 683,520 ------w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ------w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2006-09-05 01:35:21 0 ----a-w C:\DOCUME~1\Dad\APPLIC~1\wklnhst.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
12/18/2006 05:16 AM 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
03/14/2007 03:43 AM 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
06/14/2007 09:37 AM 2554944 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}]
05/30/2006 11:20 AM 208896 --a------ C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
05/31/2007 07:19 PM 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [08/02/2005 08:19 PM C:\WINDOWS\arpwrmsg.exe]
"nwiz"="nwiz.exe" [01/24/2006 02:15 PM C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [01/23/2006 06:53 AM C:\WINDOWS\RTHDCPL.EXE]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [06/01/2005 07:35 PM]
"DMAScheduler"="c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [11/01/2005 06:01 AM]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [11/09/2005 01:29 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [05/12/2005 03:12 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/22/2007 07:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/2007 03:43 AM]
"KBD"="C:\HP\KBD\KBD.EXE" [02/02/2005 04:44 PM]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [08/11/2005 03:30 PM]
"ISUSScheduler"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [08/11/2005 03:30 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/30/2007 10:55 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2007 09:18 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/09/2004 05:00 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/02/2007 08:25 PM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [12/20/2006 01:55 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll --a------ 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


Contents of the 'Scheduled Tasks' folder
2007-07-14 15:41:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-15 12:46:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 07/15/2007 12:47:19
C:\ComboFix-quarantined-files.txt ... 07/15/2007 12:47 PM
C:\ComboFix2.txt ... 07/14/2007 07:37 PM
C:\ComboFix3.txt ... 07/14/2007 05:18 PM

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:16 PM, on 7/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system\hpsysdrv.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
c:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.gloryworks.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4E77DBA6-3506-46EC-93C0-AB1E0DBD7E4A} (ZtServiceManager Class) - http://fugumce.stream.aol.com/mce_vod/serv.../ServiceMgr.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163225110078
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by21fd.bay21.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 11800 bytes

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 15 July 2007 - 12:46 PM

Please download Brute Force Uninstaller to your desktop.
∑ Right click the BFU folder on your desktop, and choose Extract All
∑ Click "Next"
∑ In the box to choose where to extract the files to,
∑ Click "Browse"
∑ Click on the + sign next to "My Computer"
∑ Click on "Local Disk (C:) or whatever your primary drive is
∑ Click "Make New Folder"
∑ Type in BFU
∑ Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover.
Save it in the same folder you made earlier (c:\BFU).

Copy and paste ALL the following blue text in the quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: findEGDA.vbs

Dim Wshshell, fso ,ts , R, ArrR ,i
Const ForReading = 1

Set Wshshell = Wscript.CreateObject("Wscript.Shell")
Set fso = Wscript.CreateObject("Scripting.FilesystemObject")

Wshshell.run "regedit /a /e runnow.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Do until fso.FileExists("runnow.txt")
Wscript.sleep 100
Loop
Set ts = fso.OpenTextFile("runnow.txt" ,ForReading)
Do while not ts.AtEndOfStream
R = ts.Readall
loop
ts.close

R = Replace(R, "\\", "\")
R = Replace(R, Chr(34), "")

ArrR = Split(R,vbcrlf)
For i = 0 to Ubound(ArrR)
F = Lcase(right(ArrR(i),6))
If F = "-start" Then
ArrR(i) = Replace(arrR(i), "-start" , "-uninstall")
ArrR(i) = Mid(ArrR(i),Instr(ArrR(i),"=") + 1)
MsgBox ArrR(i)
Wshshell.Run ArrR(i)
End IF
Next


Set ts = nothing
Set fso = nothing
set wshshell = nothing


Double click findEGDA.vbs to run it.
If you have a resident script blocker it may warn you about or stop the vbs script.
Please allow it,it's harmless.
You will get a prompt looking like this:
c:\windows\system32\randomnamed.exe -uninstall
Click OK to execute that command.
You will be prompted if you are sure you want to uninstall,agree and confirm.

After a little while you will get a prompt the application was removed.

Start the Brute Force Uninstaller by doubleclicking BFU.exe

In the scriptline to execute copy and paste c:\bfu\EGDACCESS.bfu
Press execute and let it do it's job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

--------------------------------------------------------

Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Post back with a new HijackThis log into your next reply.
Let me know whats happening now.

Edited by RichieUK, 15 July 2007 - 12:52 PM.

Posted Image
Posted Image

#15 deusmeister

deusmeister
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:35 AM

Posted 15 July 2007 - 01:53 PM

That vbs scribt didn't seem to work right, I didn't get that randomnamed.exe file, it just said something about "cannot find the path name specified." I am still getting popups, but very less frequently, and they are mostly fake "antispyware" programs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:49 PM, on 7/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system\hpsysdrv.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
c:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.gloryworks.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4E77DBA6-3506-46EC-93C0-AB1E0DBD7E4A} (ZtServiceManager Class) - http://fugumce.stream.aol.com/mce_vod/serv.../ServiceMgr.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163225110078
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by21fd.bay21.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 11799 bytes


"Dad" - 07/15/2007 14:39:34 - ComboFix 07-07-14.6 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-15 to 2007-07-15 )))))))))))))))))))))))))))))))


2007-07-15 14:38 971 --a------ C:\WINDOWS\system32\thjqqdjo_navps.dat
2007-07-15 14:38 5,629 --a------ C:\WINDOWS\system32\crbrhhxuam.dat
2007-07-15 14:37 4,400 --a------ C:\WINDOWS\system32\crbrhhxuam_navps.dat
2007-07-15 03:38 4,664 --a------ C:\WINDOWS\system32\thjqqdjo.dat
2007-07-15 03:38 259,584 --a------ C:\WINDOWS\system32\thjqqdjo.exe
2007-07-14 19:58 <DIR> d-------- C:\WINDOWS\system32\bfubackups
2007-07-14 19:54 <DIR> d-------- C:\BFU
2007-07-14 18:56 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\SUPERAntiSpyware.com
2007-07-14 17:50 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-14 17:50 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\SUPERAntiSpyware.com
2007-07-14 17:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-14 17:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-14 17:32 269,312 --a------ C:\WINDOWS\system32\crbrhhxuam.exe
2007-07-14 16:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-14 15:32 <DIR> d-------- C:\Program Files\iTunes
2007-07-14 15:32 <DIR> d-------- C:\Program Files\iPod
2007-07-14 15:29 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-14 15:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-14 13:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-12 17:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-07-12 17:37 <DIR> d-------- C:\Program Files\Bonjour
2007-07-12 17:25 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-07-06 02:05 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\Joost
2007-07-05 20:29 <DIR> d-------- C:\Program Files\Joost
2007-07-05 20:29 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\Joost
2007-07-04 14:16 <DIR> d-------- C:\dos
2007-07-04 14:15 <DIR> d-------- C:\DOSbox
2007-07-03 15:30 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-03 14:12 <DIR> d-------- C:\UT2004
2007-07-03 13:29 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\WinBatch
2007-07-02 18:27 122,880 --a------ C:\WINDOWS\UnGins.exe
2007-07-01 20:50 <DIR> d-------- C:\Program Files\RondoWin32
2007-06-23 18:32 0 -ra------ C:\logwmemory.bin
2007-06-23 18:28 <DIR> d-------- C:\Soldat
2007-06-19 18:04 314,368 --a------ C:\WINDOWS\uninst.exe
2007-06-19 18:04 <DIR> d-------- C:\Program Files\LucasArts
2007-06-19 00:56 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-06-18 19:35 <DIR> d-------- C:\Program Files\ScummVM
2007-06-17 20:45 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\Ahead
2007-06-17 20:33 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\Ahead
2007-06-17 20:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-06-17 16:45 <DIR> d-------- C:\DOCUME~1\Matt\APPLIC~1\fretsonfire
2007-06-17 16:44 <DIR> d-------- C:\Program Files\Frets on Fire
2007-06-17 16:44 <DIR> d-------- C:\DOCUME~1\Dad\APPLIC~1\fretsonfire
2007-06-16 23:40 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-06-16 19:37 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-14 00:07 <DIR> d-------- C:\Program Files\FLVPlayer
2007-06-13 00:32 <DIR> d-------- C:\Program Files\DivX
2007-06-11 02:09 <DIR> d-------- C:\b
2007-06-09 23:49 <DIR> d-------- C:\Program Files\Tank Wars
2007-06-09 17:16 <DIR> d-------- C:\Program Files\Project64 1.6


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-15 00:03:44 -------- d-----w C:\Program Files\LimeWire
2007-07-14 21:29:49 -------- d-----w C:\Program Files\Common Files\AOL
2007-07-14 19:31:33 -------- d-----w C:\Program Files\QuickTime
2007-07-14 02:03:55 -------- d-----w C:\Program Files\Soulseek
2007-07-13 13:53:06 -------- d-----w C:\Program Files\Quicken
2007-06-29 18:38:14 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-24 05:52:17 -------- d-----w C:\Program Files\Winamp
2007-06-20 23:12:54 -------- d-----w C:\Program Files\StepMania
2007-06-15 13:08:01 -------- d-----w C:\Program Files\Google
2007-06-13 04:32:27 6,182 ----a-w C:\WINDOWS\mozver.dat
2007-06-08 04:03:59 -------- d-----w C:\Program Files\AIM6
2007-06-04 22:01:58 -------- d-----w C:\Program Files\GameTap
2007-06-04 22:01:24 -------- d-----w C:\DOCUME~1\Dad\APPLIC~1\InstallShield
2007-06-01 13:58:21 -------- d-----w C:\Program Files\MSN Games
2007-05-31 02:56:17 -------- d-----w C:\Program Files\Common Files\xing shared
2007-05-31 02:56:11 -------- d-----w C:\Program Files\Common Files\Real
2007-05-31 02:56:01 -------- d-----w C:\Program Files\Real
2007-05-21 22:55:17 3,365 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
2007-05-21 22:54:36 10,884,472 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-05-21 22:46:58 3,590 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2007-05-21 22:43:23 13,015 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2007-05-21 22:43:20 -------- d-----w C:\Program Files\Illustrate
2007-05-21 22:38:23 -------- d-----w C:\Program Files\MP4 to MP3 Converter
2007-05-21 14:33:00 -------- d-----w C:\Program Files\HP
2007-05-21 14:32:33 -------- d-----w C:\Program Files\Hewlett-Packard
2007-05-19 19:36:16 -------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-05-19 01:16:44 -------- d-----w C:\Program Files\CDisplay
2007-05-16 15:12:02 683,520 ------w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ------w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2006-09-05 01:35:21 0 ----a-w C:\DOCUME~1\Dad\APPLIC~1\wklnhst.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
12/18/2006 05:16 AM 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
03/14/2007 03:43 AM 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
06/14/2007 09:37 AM 2554944 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}]
05/30/2006 11:20 AM 208896 --a------ C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
05/31/2007 07:19 PM 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [08/02/2005 08:19 PM C:\WINDOWS\arpwrmsg.exe]
"nwiz"="nwiz.exe" [01/24/2006 02:15 PM C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [01/23/2006 06:53 AM C:\WINDOWS\RTHDCPL.EXE]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [06/01/2005 07:35 PM]
"DMAScheduler"="c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [11/01/2005 06:01 AM]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [11/09/2005 01:29 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [05/12/2005 03:12 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/22/2007 07:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/2007 03:43 AM]
"KBD"="C:\HP\KBD\KBD.EXE" [02/02/2005 04:44 PM]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [08/11/2005 03:30 PM]
"ISUSScheduler"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [08/11/2005 03:30 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/30/2007 10:55 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2007 09:18 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/09/2004 05:00 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/02/2007 08:25 PM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [12/20/2006 01:55 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll --a------ 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


Contents of the 'Scheduled Tasks' folder
2007-07-14 15:41:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-15 14:45:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 07/15/2007 14:46:06
C:\ComboFix-quarantined-files.txt ... 07/15/2007 02:45 PM
C:\ComboFix2.txt ... 07/15/2007 12:47 PM
C:\ComboFix3.txt ... 07/14/2007 07:37 PM

--- E O F ---

Edited by deusmeister, 15 July 2007 - 01:56 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users