
Hijack This Log. Please Help...


11 replies to this topic

#1 chris777

chris777

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:14 PM

Posted 22 July 2007 - 04:11 PM

I have something trying to open links to the localsrv.net and 89.188.16.50 web sites.

I also have Trend Micro PC-cillin telling me that about 50 computers are trying to connect through a wireless card (I don't have a wireless card in this computer).

Here is my HijackThis log.

Please, can someone help? :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:35 PM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\WINDOWS\aerfrmpA.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PCCMAIN.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\PccHCMS.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3A020571-0A79-4DA6-97A1-C371E3187BC9} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {ACF16FDC-4E35-476C-A992-EB13E59491D9} - C:\WINDOWS\system32\mllmj.dll (file missing)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\tuvuvww.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\TISKY009.exe SKY009
O4 - HKLM\..\Run: [aerfrmpA] C:\WINDOWS\aerfrmpA.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184896752421
O20 - AppInit_DLLs:
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll (file missing)
O20 - Winlogon Notify: ssqpp - C:\WINDOWS\system32\ssqpp.dll (file missing)
O20 - Winlogon Notify: tuvuvww - C:\WINDOWS\SYSTEM32\tuvuvww.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\bapryk.html

--
End of file - 10121 bytes


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:06:14 AM

Posted 22 July 2007 - 04:35 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, chris777 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.bat to your desktop.
Then double click on the fix.bat file on your desktop.
You'll see a black screen flash, that's normal.

@echo off
rem The service name contains a space, so it must be quoted; unquoted, sc reads "Agent" as a second argument
sc stop "Net Agent"
sc delete "Net Agent"

-----------------------------------------

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then restart your PC.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

-----------------------------------------

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

-----------------------------------------

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.


Also post a fresh Hijackthis log.

Edited by RichieUK, 22 July 2007 - 04:36 PM.

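The entries Richie's fix goes after (the "Net Agent" service whose file is missing, the AppInit_DLLs value, the nameless BHOs and Winlogon Notify hooks that load five-to-seven-letter DLLs from system32, the Active Desktop component) can be picked out of a HijackThis log mechanically. The script below is an added example, not code from this thread, from BleepingComputer, or from Trend Micro's HijackThis: it parses the lettered log lines (R0-R3, O2-O24) and flags those patterns. The sample log is constructed from entries in chris777's post, and the rules are review heuristics an analyst still confirms by hand, not HijackThis's own logic.

```python
"""Triage helper for HijackThis v2 log lines (added example, not from the thread).

Parses lettered entries and flags the patterns targeted by the fix in this
thread. The rules are heuristics for an analyst to review, not verdicts.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O20"
    reason: str    # why the entry was flagged
    line: str      # the original log line


# Constructed sample in HijackThis format, modelled on entries from the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {3A020571-0A79-4DA6-97A1-C371E3187BC9} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\tuvuvww.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\TISKY009.exe SKY009
O20 - AppInit_DLLs:
O20 - Winlogon Notify: tuvuvww - C:\WINDOWS\SYSTEM32\tuvuvww.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\bapryk.html
"""

# A lettered HijackThis entry: section code, " - ", then the body.
_ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.*)$")
# Short all-letter DLL name directly under system32: the naming pattern of the
# Vundo-style DLLs in the log (ssqpp.dll, mllmj.dll, tuvuvww.dll). Heuristic:
# a legitimate DLL with a short name will match too, hence "review".
_RANDOM_SYS32_DLL_RE = re.compile(r"\\system32\\[a-z]{5,8}\.dll", re.IGNORECASE)
# An autorun executable placed straight in the Windows directory.
_WINDIR_EXE_RE = re.compile(r'[A-Za-z]:\\WINDOWS\\[^\\\s"]+\.exe', re.IGNORECASE)


def parse(log_text):
    """Yield (section, body, raw line) for each lettered entry; other lines are skipped."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = _ENTRY_RE.match(raw)
        if m:
            yield m.group("sec"), m.group("body"), raw


def triage(log_text):
    """Return a Finding for every (entry, rule) pair that fires."""
    findings = []
    for sec, body, raw in parse(log_text):
        reasons = []
        if "(file missing)" in body:
            reasons.append("load point references a missing file (orphaned entry)")
        if sec == "O2" and "(no name)" in body:
            reasons.append("BHO registered without a name")
        if sec in ("O2", "O20") and _RANDOM_SYS32_DLL_RE.search(body):
            reasons.append("short pseudo-random DLL name in system32 (Vundo-style)")
        if sec == "O20" and body.startswith("AppInit_DLLs"):
            reasons.append("AppInit_DLLs value present (DLLs listed here load into every GUI process)")
        if sec == "O23" and "Unknown owner" in body:
            reasons.append("service with no vendor information")
        if sec == "O4" and _WINDIR_EXE_RE.search(body):
            reasons.append("autorun executable placed directly in the Windows directory")
        if sec == "O24":
            reasons.append("Active Desktop component (web content injected onto the desktop)")
        for reason in reasons:
            findings.append(Finding(sec, reason, raw))
    return findings


def flagged_lines(findings):
    """Distinct log lines that triggered at least one rule, in log order."""
    seen = []
    for f in findings:
        if f.line not in seen:
            seen.append(f.line)
    return seen


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(f"{len(flagged_lines(results))} entries flagged for review")
```

Run it against a saved HijackThis log by replacing `SAMPLE_LOG` with the file contents; entries that fire no rule (the Yahoo! toolbar, the NVIDIA service) are left out, while the orphaned "Net Agent" service, the nameless BHOs and the `tuvuvww.dll` Winlogon Notify hook each come back with the reason they were flagged.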

#3 chris777

chris777
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:14 PM

Posted 22 July 2007 - 08:25 PM

Thanks so much for the help, Richie!

Here is the log file for VundoFix:


VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 7:53:02 PM 7/21/2007

Listing files found while scanning....

C:\WINDOWS\system32\awvvt.dll
C:\windows\system32\dkxqkjyt.ini
C:\WINDOWS\system32\jmllm.bak1
C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\ssqpp.dll
C:\WINDOWS\system32\tvvwa.bak1
C:\WINDOWS\system32\tvvwa.ini
C:\WINDOWS\system32\tyjkqxkd.dll
C:\WINDOWS\system32\wtkbkvvd.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awvvt.dll
C:\WINDOWS\system32\awvvt.dll Has been deleted!

Attempting to delete C:\windows\system32\dkxqkjyt.ini
C:\windows\system32\dkxqkjyt.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jmllm.bak1
C:\WINDOWS\system32\jmllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\jmllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\tvvwa.bak1
C:\WINDOWS\system32\tvvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\tvvwa.ini
C:\WINDOWS\system32\tvvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\tyjkqxkd.dll
C:\WINDOWS\system32\tyjkqxkd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wtkbkvvd.dll
C:\WINDOWS\system32\wtkbkvvd.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 5:57:35 PM 7/22/2007

Listing files found while scanning....

C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\ppqss.bak1
C:\WINDOWS\system32\ppqss.bak2
C:\WINDOWS\system32\ppqss.ini
C:\WINDOWS\system32\ssqpp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ppqss.bak1
C:\WINDOWS\system32\ppqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ppqss.bak2
C:\WINDOWS\system32\ppqss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ppqss.ini
C:\WINDOWS\system32\ppqss.ini Has been deleted!

Performing Repairs to the registry.
Done!

------------------------------------

Here is the file for ComboFix:


"chris777" - 2007-07-22 18:11:09 - ComboFix 07-07-23.3 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\awvtt.dll
C:\WINDOWS\system32\awvvs.dll
C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\geedb.dll
C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\jkhhi.dll
C:\WINDOWS\system32\jkkjh.dll
C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\mllmn.dll
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ssqpq.dll
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssttq.dll
C:\WINDOWS\system32\vtsqp.dll
C:\WINDOWS\system32\vtutq.dll
C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\ddcbcbc.dll
C:\WINDOWS\system32\yayyxxv.dll
C:\WINDOWS\system32\ddcbcbc.dll
C:\WINDOWS\system32\yayyxxv.dll
C:\WINDOWS\system32\tuvuvww.dll
C:\WINDOWS\system32\tuvuvww.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\bapryk.html
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\fnts~1
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z1\mwspasrt83122.exe
C:\WINDOWS\system32\Z3
C:\WINDOWS\system32\Z3\w0716.exe
C:\WINDOWS\system32\Z5
C:\WINDOWS\system32\Z7
C:\WINDOWS\TISKY009.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_NET_AGENT
-------\core
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-06-23 to 2007-07-23 )))))))))))))))))))))))))))))))


2007-07-22 18:10 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-22 17:45 8,286 --a------ C:\WINDOWS\system32\gebcb.dll
2007-07-22 16:45 8,286 --a------ C:\WINDOWS\system32\vtstr.dll
2007-07-22 15:45 8,286 --a------ C:\WINDOWS\system32\ddccy.dll
2007-07-22 12:44 8,286 --a------ C:\WINDOWS\system32\jkhhg.dll
2007-07-21 19:53 <DIR> d-------- C:\VundoFix Backups
2007-07-21 19:31 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-21 16:02 8,286 --a------ C:\WINDOWS\system32\awtqr.dll
2007-07-21 14:29 8,286 --a------ C:\WINDOWS\system32\geedd.dll
2007-07-21 11:24 8,286 --a------ C:\WINDOWS\system32\jkkli.dll
2007-07-21 10:24 8,286 --a------ C:\WINDOWS\system32\vtutu.dll
2007-07-21 08:24 8,286 --a------ C:\WINDOWS\system32\mljji.dll
2007-07-21 07:25 8,286 --a------ C:\WINDOWS\system32\mljjh.dll
2007-07-21 06:24 8,286 --a------ C:\WINDOWS\system32\ddabx.dll
2007-07-21 00:24 8,286 --a------ C:\WINDOWS\system32\vturo.dll
2007-07-20 22:24 8,286 --a------ C:\WINDOWS\system32\ddccb.dll
2007-07-20 18:14 <DIR> d-------- C:\DOCUME~1\CHRISM~1\APPLIC~1\OfficeUpdate12
2007-07-20 17:24 8,286 --a------ C:\WINDOWS\system32\awtsr.dll
2007-07-20 13:51 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-07-20 13:51 <DIR> d-------- C:\Program Files\MSBuild
2007-07-20 13:48 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-07-20 13:47 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-07-20 13:46 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-07-20 13:41 8,286 --a------ C:\WINDOWS\system32\pmnnl.dll
2007-07-20 13:41 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2007-07-20 13:41 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2007-07-20 13:41 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-07-20 10:35 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-20 08:40 8,286 --a------ C:\WINDOWS\system32\awtqn.dll
2007-07-20 07:40 8,286 --a------ C:\WINDOWS\system32\mljgg.dll
2007-07-19 19:00 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-19 13:27 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2007-07-19 13:20 36,112 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-07-19 13:20 203,024 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-07-19 13:20 1,126,328 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-07-19 13:19 75,088 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-07-19 13:19 288,848 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-07-19 13:19 111,888 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2007-07-19 13:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-07-19 12:47 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-19 12:40 <DIR> d-------- C:\WINDOWS\system32\Z11
2007-07-19 12:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-19 12:40 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Juniper Networks
2007-07-19 09:03 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-19 09:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-18 20:08 976,352 -r-hs---- C:\WINDOWS\aerfrmpA.exe
2007-07-18 20:08 <DIR> d-------- C:\Temp\brr
2007-07-18 20:08 <DIR> d-------- C:\Temp\0c2
2007-07-18 20:08 <DIR> d-------- C:\Temp
2007-07-12 00:58 <DIR> d-------- C:\DOCUME~1\CHRISM~1\.housecall6.6


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-22 20:48:22 -------- d-----w C:\Program Files\Trend Micro
2007-07-21 18:36:28 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-20 19:40:01 -------- d-----w C:\Program Files\AWS
2007-07-19 19:39:57 -------- d-----w C:\Program Files\iTunes
2007-07-19 19:39:38 -------- d-----w C:\DOCUME~1\CHRISM~1\APPLIC~1\Juniper Networks
2007-07-17 01:04:05 6,684 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-12 07:49:30 -------- d-----w C:\Program Files\Yahoo!
2007-07-12 06:59:56 -------- d-----w C:\Program Files\America Online 9.0
2007-07-12 06:36:31 -------- d-----w C:\Program Files\Skype
2007-06-19 19:08:46 524,288 ----a-w C:\WINDOWS\opuc.dll
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-25 06:04:54 56 --sh--r C:\WINDOWS\system32\B1F097C561.sys
2007-05-24 23:58:30 -------- d--h--r C:\DOCUME~1\CHRISM~1\APPLIC~1\yahoo!
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-06-25 16:36:38 56 --sh--r C:\WINDOWS\system32\76A86CFECA.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A020571-0A79-4DA6-97A1-C371E3187BC9}]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACF16FDC-4E35-476C-A992-EB13E59491D9}]
C:\WINDOWS\system32\mllmj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" []
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 21:20 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" []
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" []
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2006-12-22 13:27]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2006-12-22 13:28]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-22 23:26]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-04 07:57:05]
Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe [2003-06-23 23:31:35]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Common Files\bapryk.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmj]
C:\WINDOWS\system32\mllmj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpp]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

R0 DRVMCDB;DRVMCDB;C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
R0 iastor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iastor.sys
R1 DLACDBHM;DLACDBHM;C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
R1 DLARTL_N;DLARTL_N;C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
R1 ELhid;ELhid;C:\WINDOWS\system32\DRIVERS\ELhid.sys
R1 ELkbd;ELkbd;C:\WINDOWS\system32\DRIVERS\ELkbd.sys
R1 ELmon;ELmon;C:\WINDOWS\system32\DRIVERS\ELmon.sys
R1 ELmou;ELmou;C:\WINDOWS\system32\DRIVERS\ELmou.sys
R1 NEOFLTR_530_11531;Juniper Networks TDI Filter Driver (NEOFLTR_530_11531);\??\C:\WINDOWS\system32\Drivers\NEOFLTR_530_11531.SYS
R1 tmtdi;Trend Micro TDI Driver;C:\WINDOWS\system32\DRIVERS\tmtdi.sys
R2 DLABOIOM;DLABOIOM;C:\WINDOWS\system32\DLA\DLABOIOM.SYS
R2 DLADResN;DLADResN;C:\WINDOWS\system32\DLA\DLADResN.SYS
R2 DLAIFS_M;DLAIFS_M;C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
R2 DLAOPIOM;DLAOPIOM;C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
R2 DLAPoolM;DLAPoolM;C:\WINDOWS\system32\DLA\DLAPoolM.SYS
R2 DLAUDF_M;DLAUDF_M;C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
R2 DLAUDFAM;DLAUDFAM;C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
R2 DRVNDDM;DRVNDDM;C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
R2 ehRecvr;Media Center Receiver Service;C:\WINDOWS\eHome\ehRecvr.exe
R2 ehSched;Media Center Scheduler Service;C:\WINDOWS\eHome\ehSched.exe
R2 McrdSvc;Media Center Extender Service;C:\WINDOWS\ehome\mcrdsvc.exe
R2 tmmbd;Trend Micro MBD Driver;C:\WINDOWS\system32\DRIVERS\tm_mbd_c.sys
R2 tmpreflt;tmpreflt;C:\WINDOWS\system32\DRIVERS\tmpreflt.sys
R2 tmxpflt;tmxpflt;C:\WINDOWS\system32\DRIVERS\tmxpflt.sys
R2 vsapint;vsapint;C:\WINDOWS\system32\DRIVERS\vsapint.sys
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e1e5132.sys
R3 ELacpi;ELacpi;C:\WINDOWS\system32\DRIVERS\ELacpi.sys
R3 HidUsb;Microsoft HID Class Driver;C:\WINDOWS\system32\DRIVERS\hidusb.sys
R3 ndiscm;Motorola SURFboard USB Cable Modem Windows Driver;C:\WINDOWS\system32\DRIVERS\NetMotCM.sys
R3 STHDA;SigmaTel High Definition Audio CODEC;C:\WINDOWS\system32\drivers\sthda.sys
R3 tmcfw;Trend Micro Common Firewall Service;C:\WINDOWS\system32\DRIVERS\TM_CFW.sys
R3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINDOWS\system32\DRIVERS\usbccgp.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;Microsoft USB Standard Hub Driver;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-22 18:16:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-22 18:17:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-22 18:17

--- E O F ---

-----------------------------------------------------------

Here is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:23:55 PM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3A020571-0A79-4DA6-97A1-C371E3187BC9} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {ACF16FDC-4E35-476C-A992-EB13E59491D9} - C:\WINDOWS\system32\mllmj.dll (file missing)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184896752421
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll (file missing)
O20 - Winlogon Notify: ssqpp - C:\WINDOWS\system32\ssqpp.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\bapryk.html

--
End of file - 8968 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 23 July 2007 - 03:18 AM

Copy and paste ALL the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, to your desktop.

File::
C:\WINDOWS\system32\gebcb.dll
C:\WINDOWS\system32\vtstr.dll
C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\vtutu.dll
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\vturo.dll
C:\WINDOWS\system32\ddccb.dll
C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\pmnnl.dll
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\aerfrmpA.exe
C:\Program Files\Common Files\bapryk.html

Folder::
C:\WINDOWS\system32\Z11
C:\Temp\brr
C:\Temp\0c2

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmj]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpp]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A020571-0A79-4DA6-97A1-C371E3187BC9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACF16FDC-4E35-476C-A992-EB13E59491D9}]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

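As an added illustration of what the CFScript above encodes (this is not code from the thread, nor from the HijackThis or ComboFix authors): a small Python parser that reads the O2, O20 and O24 lines of a HijackThis log, flags the pattern RichieUK is acting on (nameless BHOs and Winlogon Notify packages whose DLL is already gone, plus an Active Desktop component pointing at a local HTML file), and renders the matching File:: and Registry:: sections in the CFScript form used in this thread. The sample log lines are constructed from the log posted above; the heuristics, the helper names and the `Finding` type are my own assumptions, and the `~` registry shorthand is copied from the thread's scripts rather than taken from any tool documentation.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 format, modelled on the log posted in
# this thread (same GUIDs and paths, so the output can be compared with the
# CFScript above). Only O2, O20 and O24 lines are examined here.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {3A020571-0A79-4DA6-97A1-C371E3187BC9} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: (no name) - {ACF16FDC-4E35-476C-A992-EB13E59491D9} - C:\WINDOWS\system32\mllmj.dll (file missing)
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll (file missing)
O20 - Winlogon Notify: ssqpp - C:\WINDOWS\system32\ssqpp.dll (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\bapryk.html
"""

# Line shapes as HijackThis prints them; the "(file missing)" suffix is optional.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
DESKTOP_RE = re.compile(r"^O24 - Desktop Component (?P<index>\d+): (?P<name>.*?) - (?P<source>.*)$")

# Registry locations behind each section, written the way the CFScripts in this
# thread write them (the "~" shorthand is copied from those scripts, an assumption).
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{%s}"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\%s"
DESKTOP_KEY = r"HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\%s"

LOCAL_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass(frozen=True)
class Finding:
    line: str           # the HijackThis line that was flagged
    reason: str         # why it was flagged
    registry_key: str   # key whose removal goes into the Registry:: section
    file_path: str = "" # file that still exists on disk, for the File:: section


def parse_findings(log_text: str) -> list[Finding]:
    """Return the O2/O20/O24 entries matching the pattern cleaned up in this thread."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            # A BHO that registers no name and whose DLL is already gone is the
            # orphaned registration of a removed component, not a working add-on.
            if m["name"] == "(no name)" and m["missing"]:
                findings.append(Finding(line, "nameless BHO with missing DLL", BHO_KEY % m["clsid"]))
        elif m := NOTIFY_RE.match(line):
            # Winlogon Notify packages load into winlogon.exe at logon; a missing
            # DLL here is a dangling hook left behind by the same component.
            if m["missing"]:
                findings.append(Finding(line, "Winlogon Notify package with missing DLL", NOTIFY_KEY % m["name"]))
        elif m := DESKTOP_RE.match(line):
            # Active Desktop components normally point at a URL; one backed by a
            # local HTML file with a random name is the hijacked-desktop pattern.
            if LOCAL_PATH_RE.match(m["source"]):
                findings.append(Finding(line, "Active Desktop component backed by a local HTML file",
                                        DESKTOP_KEY % m["index"], m["source"]))
    return findings


def build_cfscript(findings: list[Finding]) -> str:
    """Render the File:: and Registry:: sections in the CFScript form used above.

    A key written as [-KEY] asks ComboFix to delete that key. Only files that
    still exist go under File::; entries already marked (file missing) have
    nothing left on disk to remove.
    """
    files = sorted({f.file_path for f in findings if f.file_path})
    keys = list(dict.fromkeys(f.registry_key for f in findings))  # dedupe, keep log order
    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    if keys:
        sections.append("Registry::\n" + "\n".join(f"[-{k}]" for k in keys))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    for finding in parse_findings(SAMPLE_HJT_LOG):
        print(f"{finding.reason}: {finding.line}")
    print()
    print(build_cfscript(parse_findings(SAMPLE_HJT_LOG)))
```

Run against the sample, the Registry:: section comes out with the same five keys RichieUK lists across his two scripts, and the one File:: entry is the bapryk.html desktop component; the many DLL names in his File:: list come from earlier logs in the thread and are not derivable from these lines alone.
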
#5 chris777

chris777
  • Topic Starter

  • Members
  • 6 posts

Posted 24 July 2007 - 03:11 PM

Thanks again, Richie!

Here is the combofix log:

"chris777" - 2007-07-24 12:51:19 - ComboFix 07-07-23.3 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Chris Moore\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp\0c2
C:\Temp\0c2\tmpFF.log
C:\Temp\brr
C:\Temp\brr\tmpZTF.log
C:\WINDOWS\aerfrmpA.exe
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\ddccb.dll
C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\gebcb.dll
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\pmnnl.dll
C:\WINDOWS\system32\vtstr.dll
C:\WINDOWS\system32\vturo.dll
C:\WINDOWS\system32\vtutu.dll
C:\WINDOWS\system32\Z11


((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))


2007-07-22 18:10 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-21 19:53 <DIR> d-------- C:\VundoFix Backups
2007-07-21 19:31 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-20 18:14 <DIR> d-------- C:\DOCUME~1\CHRISM~1\APPLIC~1\OfficeUpdate12
2007-07-20 13:51 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-07-20 13:51 <DIR> d-------- C:\Program Files\MSBuild
2007-07-20 13:48 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-07-20 13:47 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-07-20 13:46 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-07-20 13:41 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2007-07-20 13:41 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2007-07-20 13:41 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-07-20 10:35 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-19 19:00 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-19 13:27 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2007-07-19 13:20 36,112 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-07-19 13:20 203,024 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-07-19 13:20 1,126,328 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-07-19 13:19 75,088 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-07-19 13:19 288,848 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-07-19 13:19 111,888 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2007-07-19 13:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-07-19 12:47 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-19 12:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-19 12:40 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Juniper Networks
2007-07-19 09:03 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-19 09:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-18 20:08 <DIR> d-------- C:\Temp
2007-07-12 00:58 <DIR> d-------- C:\DOCUME~1\CHRISM~1\.housecall6.6


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-23 22:54:10 -------- d-----w C:\DOCUME~1\CHRISM~1\APPLIC~1\Juniper Networks
2007-07-22 20:48:22 -------- d-----w C:\Program Files\Trend Micro
2007-07-21 18:36:28 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-20 19:40:01 -------- d-----w C:\Program Files\AWS
2007-07-19 19:39:57 -------- d-----w C:\Program Files\iTunes
2007-07-17 01:04:05 6,684 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-12 07:49:30 -------- d-----w C:\Program Files\Yahoo!
2007-07-12 06:59:56 -------- d-----w C:\Program Files\America Online 9.0
2007-07-12 06:36:31 -------- d-----w C:\Program Files\Skype
2007-06-19 19:08:46 524,288 ----a-w C:\WINDOWS\opuc.dll
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-25 06:04:54 56 --sh--r C:\WINDOWS\system32\B1F097C561.sys
2007-05-24 23:58:30 -------- d--h--r C:\DOCUME~1\CHRISM~1\APPLIC~1\yahoo!
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-06-25 16:36:38 56 --sh--r C:\WINDOWS\system32\76A86CFECA.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" []
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 21:20 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" []
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" []
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2006-12-22 13:27]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2006-12-22 13:28]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-22 23:26]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-04 07:57:05]
Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe [2003-06-23 23:31:35]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Common Files\bapryk.html
FriendlyName=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

R0 DRVMCDB;DRVMCDB;C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
R0 iastor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iastor.sys
R1 DLACDBHM;DLACDBHM;C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
R1 DLARTL_N;DLARTL_N;C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
R1 ELhid;ELhid;C:\WINDOWS\system32\DRIVERS\ELhid.sys
R1 ELkbd;ELkbd;C:\WINDOWS\system32\DRIVERS\ELkbd.sys
R1 ELmon;ELmon;C:\WINDOWS\system32\DRIVERS\ELmon.sys
R1 ELmou;ELmou;C:\WINDOWS\system32\DRIVERS\ELmou.sys
R1 NEOFLTR_530_11531;Juniper Networks TDI Filter Driver (NEOFLTR_530_11531);\??\C:\WINDOWS\system32\Drivers\NEOFLTR_530_11531.SYS
R1 tmtdi;Trend Micro TDI Driver;C:\WINDOWS\system32\DRIVERS\tmtdi.sys
R2 DLABOIOM;DLABOIOM;C:\WINDOWS\system32\DLA\DLABOIOM.SYS
R2 DLADResN;DLADResN;C:\WINDOWS\system32\DLA\DLADResN.SYS
R2 DLAIFS_M;DLAIFS_M;C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
R2 DLAOPIOM;DLAOPIOM;C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
R2 DLAPoolM;DLAPoolM;C:\WINDOWS\system32\DLA\DLAPoolM.SYS
R2 DLAUDF_M;DLAUDF_M;C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
R2 DLAUDFAM;DLAUDFAM;C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
R2 DRVNDDM;DRVNDDM;C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
R2 ehRecvr;Media Center Receiver Service;C:\WINDOWS\eHome\ehRecvr.exe
R2 ehSched;Media Center Scheduler Service;C:\WINDOWS\eHome\ehSched.exe
R2 McrdSvc;Media Center Extender Service;C:\WINDOWS\ehome\mcrdsvc.exe
R2 tmmbd;Trend Micro MBD Driver;C:\WINDOWS\system32\DRIVERS\tm_mbd_c.sys
R2 tmpreflt;tmpreflt;C:\WINDOWS\system32\DRIVERS\tmpreflt.sys
R2 tmxpflt;tmxpflt;C:\WINDOWS\system32\DRIVERS\tmxpflt.sys
R2 vsapint;vsapint;C:\WINDOWS\system32\DRIVERS\vsapint.sys
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e1e5132.sys
R3 ELacpi;ELacpi;C:\WINDOWS\system32\DRIVERS\ELacpi.sys
R3 HidUsb;Microsoft HID Class Driver;C:\WINDOWS\system32\DRIVERS\hidusb.sys
R3 ndiscm;Motorola SURFboard USB Cable Modem Windows Driver;C:\WINDOWS\system32\DRIVERS\NetMotCM.sys
R3 STHDA;SigmaTel High Definition Audio CODEC;C:\WINDOWS\system32\drivers\sthda.sys
R3 tmcfw;Trend Micro Common Firewall Service;C:\WINDOWS\system32\DRIVERS\TM_CFW.sys
R3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINDOWS\system32\DRIVERS\usbccgp.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;Microsoft USB Standard Hub Driver;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-24 12:53:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-24 12:53:38
C:\ComboFix-quarantined-files.txt ... 2007-07-24 12:53
C:\ComboFix2.txt ... 2007-07-22 18:17

--- E O F ---

--------------------------------------------------------

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:13 PM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184896752421
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\bapryk.html

--
End of file - 8585 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 24 July 2007 - 03:49 PM

Copy and paste ALL the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, to your desktop.

File::
C:\WINDOWS\system32\gebcb.dll
C:\WINDOWS\system32\vtstr.dll
C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\vtutu.dll
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\vturo.dll
C:\WINDOWS\system32\ddccb.dll
C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\pmnnl.dll
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\aerfrmpA.exe
C:\Program Files\Common Files\bapryk.html

Folder::
C:\Temp\brr
C:\Temp\0c2
C:\WINDOWS\system32\Z11

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A020571-0A79-4DA6-97A1-C371E3187BC9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACF16FDC-4E35-476C-A992-EB13E59491D9}]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmj]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpp]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#7 chris777

chris777
  • Topic Starter

  • Members
  • 6 posts

Posted 24 July 2007 - 04:20 PM

Here are the latest files:


"chris777" - 2007-07-24 14:12:22 - ComboFix 07-07-23.3 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Chris Moore\Desktop\CFScript.txt


((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))


2007-07-22 18:10 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-21 19:53 <DIR> d-------- C:\VundoFix Backups
2007-07-21 19:31 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-20 18:14 <DIR> d-------- C:\DOCUME~1\CHRISM~1\APPLIC~1\OfficeUpdate12
2007-07-20 13:51 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-07-20 13:51 <DIR> d-------- C:\Program Files\MSBuild
2007-07-20 13:48 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-07-20 13:47 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-07-20 13:46 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-07-20 13:41 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2007-07-20 13:41 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2007-07-20 13:41 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-07-20 10:35 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-19 19:00 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-19 13:27 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2007-07-19 13:20 36,112 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-07-19 13:20 203,024 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-07-19 13:20 1,126,328 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-07-19 13:19 75,088 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-07-19 13:19 288,848 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-07-19 13:19 111,888 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2007-07-19 13:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-07-19 12:47 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-19 12:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-19 12:40 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Juniper Networks
2007-07-19 09:03 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-19 09:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-18 20:08 <DIR> d-------- C:\Temp
2007-07-12 00:58 <DIR> d-------- C:\DOCUME~1\CHRISM~1\.housecall6.6


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-24 21:02:18 6,788 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-23 22:54:10 -------- d-----w C:\DOCUME~1\CHRISM~1\APPLIC~1\Juniper Networks
2007-07-22 20:48:22 -------- d-----w C:\Program Files\Trend Micro
2007-07-21 18:36:28 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-20 19:40:01 -------- d-----w C:\Program Files\AWS
2007-07-19 19:39:57 -------- d-----w C:\Program Files\iTunes
2007-07-12 07:49:30 -------- d-----w C:\Program Files\Yahoo!
2007-07-12 06:59:56 -------- d-----w C:\Program Files\America Online 9.0
2007-07-12 06:36:31 -------- d-----w C:\Program Files\Skype
2007-06-19 19:08:46 524,288 ----a-w C:\WINDOWS\opuc.dll
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-25 06:04:54 56 --sh--r C:\WINDOWS\system32\B1F097C561.sys
2007-05-24 23:58:30 -------- d--h--r C:\DOCUME~1\CHRISM~1\APPLIC~1\yahoo!
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-06-25 16:36:38 56 --sh--r C:\WINDOWS\system32\76A86CFECA.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" []
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 21:20 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" []
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" []
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2006-12-22 13:27]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2006-12-22 13:28]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-22 23:26]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-04 07:57:05]
Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe [2003-06-23 23:31:35]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

R0 DRVMCDB;DRVMCDB;C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
R0 iastor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iastor.sys
R1 DLACDBHM;DLACDBHM;C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
R1 DLARTL_N;DLARTL_N;C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
R1 ELhid;ELhid;C:\WINDOWS\system32\DRIVERS\ELhid.sys
R1 ELkbd;ELkbd;C:\WINDOWS\system32\DRIVERS\ELkbd.sys
R1 ELmon;ELmon;C:\WINDOWS\system32\DRIVERS\ELmon.sys
R1 ELmou;ELmou;C:\WINDOWS\system32\DRIVERS\ELmou.sys
R1 NEOFLTR_530_11531;Juniper Networks TDI Filter Driver (NEOFLTR_530_11531);\??\C:\WINDOWS\system32\Drivers\NEOFLTR_530_11531.SYS
R1 tmtdi;Trend Micro TDI Driver;C:\WINDOWS\system32\DRIVERS\tmtdi.sys
R2 DLABOIOM;DLABOIOM;C:\WINDOWS\system32\DLA\DLABOIOM.SYS
R2 DLADResN;DLADResN;C:\WINDOWS\system32\DLA\DLADResN.SYS
R2 DLAIFS_M;DLAIFS_M;C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
R2 DLAOPIOM;DLAOPIOM;C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
R2 DLAPoolM;DLAPoolM;C:\WINDOWS\system32\DLA\DLAPoolM.SYS
R2 DLAUDF_M;DLAUDF_M;C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
R2 DLAUDFAM;DLAUDFAM;C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
R2 DRVNDDM;DRVNDDM;C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
R2 ehRecvr;Media Center Receiver Service;C:\WINDOWS\eHome\ehRecvr.exe
R2 ehSched;Media Center Scheduler Service;C:\WINDOWS\eHome\ehSched.exe
R2 McrdSvc;Media Center Extender Service;C:\WINDOWS\ehome\mcrdsvc.exe
R2 tmmbd;Trend Micro MBD Driver;C:\WINDOWS\system32\DRIVERS\tm_mbd_c.sys
R2 tmpreflt;tmpreflt;C:\WINDOWS\system32\DRIVERS\tmpreflt.sys
R2 tmxpflt;tmxpflt;C:\WINDOWS\system32\DRIVERS\tmxpflt.sys
R2 vsapint;vsapint;C:\WINDOWS\system32\DRIVERS\vsapint.sys
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e1e5132.sys
R3 ELacpi;ELacpi;C:\WINDOWS\system32\DRIVERS\ELacpi.sys
R3 HidUsb;Microsoft HID Class Driver;C:\WINDOWS\system32\DRIVERS\hidusb.sys
R3 ndiscm;Motorola SURFboard USB Cable Modem Windows Driver;C:\WINDOWS\system32\DRIVERS\NetMotCM.sys
R3 STHDA;SigmaTel High Definition Audio CODEC;C:\WINDOWS\system32\drivers\sthda.sys
R3 tmcfw;Trend Micro Common Firewall Service;C:\WINDOWS\system32\DRIVERS\TM_CFW.sys
R3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINDOWS\system32\DRIVERS\usbccgp.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;Microsoft USB Standard Hub Driver;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-24 14:13:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-24 14:14:03
C:\ComboFix-quarantined-files.txt ... 2007-07-24 14:13
C:\ComboFix2.txt ... 2007-07-24 12:53
C:\ComboFix3.txt ... 2007-07-22 18:17

--- E O F ---

-----------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:10 PM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184896752421
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

--
End of file - 8503 bytes

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 24 July 2007 - 04:27 PM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
--------------------------------------------------

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

--------------------------------------------------

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

--------------------------------------------------

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished, it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your pc is running now.


#9 chris777

chris777
  • Topic Starter

  • Members
  • 6 posts

Posted 24 July 2007 - 06:35 PM

Performed the above steps and the computer seems to be running fine so far. It may be running a little bit faster with web page loading.
Here is the SuperAntiSpyware Scan Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/24/2007 at 03:52 PM

Application Version : 3.9.1008

Core Rules Database Version : 3273
Trace Rules Database Version: 1284

Scan type : Complete Scan
Total Scan Time : 00:33:29

Memory items scanned : 465
Memory threats detected : 0
Registry items scanned : 5883
Registry threats detected : 1
File items scanned : 40534
File threats detected : 18

Adware.MyWay
HKU\S-1-5-21-1151155317-2460885707-2870327937-1005\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser#{014DA6C9-189F-421A-88CD-07CFE51CFF10}

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1281OINADMIN.EXE.VIR

Adware.Vundo Variant
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DDCBCBC.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TUVUVWW.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP308\A0025711.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP322\A0028924.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP322\A0028928.DLL

Adware.ZenoSearch
C:\QOOBOX\QUARANTINE\C\WINDOWS\TISKY009.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP308\A0025721.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP322\A0028902.EXE

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP306\A0025580.EXE

Adware.ClickSpring
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP308\A0025717.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP308\A0025720.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP321\A0028763.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP321\A0028764.EXE

Adware.ClickSpring/Resident
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP308\A0025718.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP321\A0028766.DLL

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP308\A0025723.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP322\A0028925.DLL


---------------------------------------

Here is the HijackThis Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:32:54 PM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184896752421
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

--
End of file - 8724 bytes
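As an added illustration of the kind of comparison the helper is doing by eye between the 2:19 PM log and the 4:32 PM log above, here is a small Python parser and differ for HijackThis logs. It is not part of HijackThis and was not posted by anyone in this thread. The sample excerpts are copied from the two logs above and trimmed to a few lines; the parsing rules are my own assumptions from reading those logs, not a published format specification: an entry is a line that starts with an R/O section code followed by " - ", and an O4 Run command is treated as search-path-resolved when it does not start with a (optionally quoted) drive letter.

```python
import re
from dataclasses import dataclass

# Assumption about the log layout, taken from the logs in this thread: an
# entry line is "<section> - <body>", where section is R0, O2, O4, O23, ...
# Header lines, the "Running processes" path list and the "End of file"
# footer do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.+)$")
# O4 Run bodies look like: HKLM\..\Run: [Name] <command line>
O4_RUN_RE = re.compile(r"^.*\\Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# A command starting with a (possibly quoted) drive letter is absolute;
# anything else (e.g. a bare "stsystra.exe") is resolved via the search path.
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')

# Excerpts copied from the two logs posted above (trimmed to a few lines).
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:10 PM, on 7/24/2007

Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
--
End of file - 8503 bytes
"""

AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:32:54 PM, on 7/24/2007

O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
--
End of file - 8724 bytes
"""


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def file_missing(self):
        # HijackThis appends this marker when the referenced file is gone.
        return "(file missing)" in self.body


def parse_hjt(text):
    """Return the R*/O* entries of a HijackThis log, in file order."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def diff_hjt(before, after):
    """(removed, added) between two logs, as sorted (section, body) pairs."""
    b = {(e.section, e.body) for e in before}
    a = {(e.section, e.body) for e in after}
    return sorted(b - a), sorted(a - b)


def triage(entries):
    """Entries a reviewer checks first, each paired with the reason."""
    findings = []
    for e in entries:
        if e.file_missing:
            findings.append(("dangling reference", e))
        if e.section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at every logon.
            findings.append(("winlogon notify DLL", e))
        if e.section == "O4":
            m = O4_RUN_RE.match(e.body)
            if m and not ABS_PATH_RE.match(m["cmd"]):
                findings.append(("autostart resolved via search path", e))
    return findings


if __name__ == "__main__":
    before, after = parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG)
    removed, added = diff_hjt(before, after)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    for reason, entry in triage(after):
        print(f"[{reason}] {entry.section} - {entry.body}")
```

Run stand-alone it prints the entries that disappeared (the old Java 1.4.2 Run entry and the dangling WeatherBug button), the ones that appeared (the Java 6u2 Run entry, the SUPERAntiSpyware autostart and its Winlogon Notify hook), and a short triage list for the new log. The search-path flag on `stsystra.exe` is a reviewer prompt, not a verdict: a bare filename in a Run value is legitimate here but is resolved at logon through the search path rather than a fixed location, so it is worth confirming which file actually runs.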

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 24 July 2007 - 06:56 PM

Find and delete:
fix.bat
fix.reg
VundoFix.exe
Combofix.exe

C:\VundoFix Backups
C:\QOOBOX

-----------------------------------------------

Download\install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

-----------------------------------------------

Download and scan with the free 15 day trial of Counterspy V2
Save the report when it's finished:
1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and Paste those details into your next reply.

#11 chris777

chris777
  • Topic Starter

  • Members
  • 6 posts

Posted 24 July 2007 - 09:03 PM

Here is the CounterSpy Log:


Scan History Details
Start Date: 7/24/2007 5:48:04 PM
End Date: 7/24/2007 6:32:48 PM
Total Time: 44 Min 44 Sec
Detected security risks

Weatherbug Low Risk Adware more information...
Details: Weatherbug is an ad supported desktop weather applicaton that provides updates on weather conditions and displays real time temperatures in the taskbar icon.
Status: Deleted

Files detected
C:\DOCUMENTS AND SETTINGS\CHRIS MOORE\APPLICATION DATA\WEATHERBUG\102x96DisneyQuestforGold.jpg
C:\DOCUMENTS AND SETTINGS\CHRIS MOORE\APPLICATION DATA\WEATHERBUG\102x96Professional.jpg
C:\DOCUMENTS AND SETTINGS\CHRIS MOORE\APPLICATION DATA\WEATHERBUG\102x96video.jpg
C:\DOCUMENTS AND SETTINGS\CHRIS MOORE\APPLICATION DATA\WEATHERBUG\60_Arrid_Mask.bmp
C:\DOCUMENTS AND SETTINGS\CHRIS MOORE\APPLICATION DATA\WEATHERBUG\60_Arrid_Wrap_Bg.jpg
C:\DOCUMENTS AND SETTINGS\CHRIS MOORE\APPLICATION DATA\WEATHERBUG\60_blueyellow.jpg
C:\DOCUMENTS AND SETTINGS\CHRIS MOORE\APPLICATION DATA\WEATHERBUG\60_blueyellow_mask.bmp
C:\DOCUMENTS AND SETTINGS\CHRIS MOORE\APPLICATION DATA\WEATHERBUG\60_brand_Expedia_APPROVED.jpg
C:\DOCUMENTS AND SETTINGS\CHRIS MOORE\APPLICATION DATA\WEATHERBUG\60_brand_Expedia_MASK.bmp
C:\DOCUMENTS AND SETTINGS\CHRIS MOORE\APPLICATION DATA\WEATHERBUG\60_brandwrap_cherryb_approved.jpg
C:\DOCUMENTS AND SETTINGS\CHRIS MOORE\APPLICATION DATA\WEATHERBUG\60_brandwrap_cherryb_mask.bmp
C:\DOCUMENTS AND SETTINGS\CHRIS MOORE\APPLICATION DATA\WEATHERBUG\60_brandwrap_spring2.jpg
C:\DOCUMENTS AND SETTINGS\CHRIS MOORE\APPLICATION DATA\WEATHERBUG\60_brandwrap_spring2_mask.bmp
C:\DOCUMENTS AND SETTINGS\CHRIS MOORE\APPLICATION DATA\WEATHERBUG\60_CitySearch-mask.bmp
C:\DOCUMENTS AND SETTINGS\CHRIS MOORE\APPLICATION DATA\WEATHERBUG\60_CitySearchNEW.jpg
C:\DOCUMENTS AND SETTINGS\CHRIS MOORE\APPLICATION DATA\WEATHERBUG\60_Default_Spring_Mobile_BG_0506.jpg

Registry entries detected

#12 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 25 July 2007 - 05:35 AM

Your log is clean :thumbsup:
If all's ok, please do the following:

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
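The same two steps RichieUK walks through by mouse (create a fresh restore point, then discard every older one so a restore point snapshotted while the machine was infected cannot be rolled back to later), as an added PowerShell equivalent that is not part of this thread. It assumes a current Windows with PowerShell 2.0 or later rather than the poster's XP, an elevated prompt, that C: is the system volume, and the restore point description is a placeholder of my choosing.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Windows 8 and later skip restore-point creation if one was made in the last
# 24 hours; set SystemRestorePointCreationFrequency to 0 to override that.
$description = "Post-cleanup baseline"   # placeholder name, pick your own
$volume      = "C:"                      # assumed system drive

# Step 1: create the new restore point. Date and time are recorded automatically,
# exactly as the System Restore wizard does.
Checkpoint-Computer -Description $description -RestorePointType "MODIFY_SETTINGS"

# Show what exists now; the entry with the highest SequenceNumber is the new one.
Get-ComputerRestorePoint |
    Sort-Object SequenceNumber |
    Format-Table SequenceNumber, Description,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }

# Step 2: the Disk Cleanup 'More Options > System Restore > Clean up' action.
# Restore points live in VSS shadow copies, so vssadmin does the removal.
# /oldest drops one shadow copy per call, hence the loop that stops at one.
$shadowCount = @(vssadmin list shadows /for=$volume | Select-String 'Shadow Copy ID').Count
for ($i = $shadowCount; $i -gt 1; $i--) {
    vssadmin delete shadows /for=$volume /oldest /quiet
}

# Verify: only the restore point just created should remain.
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description
```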