My Hijackthis Log


36 replies to this topic

#1 Kojiro (Members, 22 posts)

Posted 29 July 2007 - 03:44 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:34:53 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\?ymbols\logonui.exe
C:\DOCUME~1\Owner\MYDOCU~1\STEM32~1\dexplore.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: crossfire-radio Toolbar - {53b3debe-7ea1-4999-a1ae-fcdba2aee48a} - C:\Program Files\crossfire-radio\tbcros.dll
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win9DC.tmp.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgaj.dll,startup
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\vuglejrk.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Ltho] "C:\DOCUME~1\Owner\MYDOCU~1\STEM32~1\dexplore.exe" -vt yazb
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Tpphx] "C:\Documents and Settings\Owner\My Documents\?ymbols\logonui.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.lyricshosting.com
O15 - Trusted Zone: http://www.ysbweb.com
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Icecast Media Server (Icecast) - Unknown owner - C:\Program Files\Icecast\icecastService.exe" "C:\Program Files\Icecast (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - L:\UTorrent\3DS Max 8\Install\3DS-MAX\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Wireless Zero Configuration WZCSVCmnmsrvc (WZCSVCmnmsrvc) - Unknown owner - C:\WINDOWS\system32\adsldpcv.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Performed in resolution for the problem found in my topic: Virtumonde infection
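A way to triage entries like the ones in the log above, as an added example that is not part of the original post and not code from HijackThis itself. Every rule is the editor's heuristic derived from entries visible in this thread (a registered component whose file is gone, an autostart in TEMP, a path containing a character rendered as "?", a Run value with no path, a system32 DLL hooked as a BHO, Run value or Winlogon Notify, a Windows binary name living under the user's profile, an .exe directly in the Windows root, an added Trusted Zone site). The sample lines are a constructed subset of the two logs on this page, and the known-good DLL list is an assumption standing in for a real signature or reputation check.

```python
"""Triage of HijackThis v1.99.1 log entries for Vundo/Virtumonde-style
persistence. Added example (editor's code, not HijackThis or the poster's);
every rule below is a heuristic derived from the entries in this thread."""
import re
from dataclasses import dataclass

# HijackThis entry: section code (O2 = BHO, O4 = Run key, O15 = trusted zone,
# O20 = Winlogon Notify, O23 = service, ...), then " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# A quoted path (may contain spaces) or an unquoted one (cut at space/comma).
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^"\s,]+)')
WINDOWS = "c:\\windows\\"
SYSTEM32 = WINDOWS + "system32\\"
# Assumption: system32 DLLs legitimately hooked on this machine. A real triage
# would verify publisher signatures instead of trusting a name list.
KNOWN_GOOD_SYSTEM32 = {"shdocvw.dll", "wpdshserviceobj.dll", "igfxsrvc.dll", "wgalogon.dll"}
# Windows binaries whose names the droppers in this thread borrowed.
IMPERSONATED = {"logonui.exe", "dexplore.exe"}


@dataclass(frozen=True)
class Finding:
    kind: str   # HijackThis section code
    rule: str   # which heuristic fired
    line: str   # the offending log line


def _paths(body: str) -> list[str]:
    return [(quoted or bare).lower() for quoted, bare in PATH_RE.findall(body)]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # process list, headers, blank lines
        kind, body = m.group("kind"), m.group("body")
        low, paths, rules = body.lower(), _paths(body), []
        if kind in {"O2", "O20", "O23"} and "(file missing)" in low:
            rules.append("stale-registration")   # cleaner removed the file, the hook survived
        if any("\\temp\\" in p for p in paths):
            rules.append("autostart-from-temp")
        if "?" in body:
            rules.append("non-ascii-path")        # '?ymbols': lookalike directory name
        if kind == "O15":
            rules.append("trusted-zone-entry")    # site granted IE's relaxed security settings
        if kind == "O4" and not paths:
            rules.append("pathless-run-value")    # '[smgr] mgrs.exe' is resolved via PATH
        for p in paths:
            name = _basename(p)
            if name in IMPERSONATED and not p.startswith(WINDOWS):
                rules.append("impersonated-system-binary")
            if (kind in {"O2", "O4", "O20"} and p.startswith(SYSTEM32)
                    and name.endswith(".dll") and name not in KNOWN_GOOD_SYSTEM32):
                rules.append("unknown-system32-dll")   # e.g. sstqp.dll, drvgaj.dll
            if (kind == "O4" and p.startswith(WINDOWS) and name.endswith(".exe")
                    and "\\" not in p[len(WINDOWS):]):
                rules.append("exe-in-windows-root")    # C:\Windows\xpupdate.exe
        for rule in dict.fromkeys(rules):          # dedupe, keep order
            findings.append(Finding(kind, rule, line))
    return findings


# Constructed sample: a subset of the entries from the two logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {FF727AEC-D98D-4086-9A77-074E3591C381} - C:\WINDOWS\system32\sstqp.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win9DC.tmp.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgaj.dll,startup
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ltho] "C:\DOCUME~1\Owner\MYDOCU~1\STEM32~1\dexplore.exe" -vt yazb
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Tpphx] "C:\Documents and Settings\Owner\My Documents\?ymbols\logonui.exe"
O15 - Trusted Zone: http://www.ysbweb.com
O20 - Winlogon Notify: ecfcdebbfea - C:\WINDOWS\system32\ecfcdebbfea.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.rule:<28} {f.line}")
```

On the sample, the Java updater, ctfmon and WgaLogon entries produce no findings; every other line is flagged for at least one reason, and the stale sstqp.dll BHO is flagged twice (file gone, unknown system32 DLL). The name list is the weak point of this approach: a practitioner would replace KNOWN_GOOD_SYSTEM32 with a check of the file's Authenticode signature or a hash lookup.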


#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 29 July 2007 - 05:00 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Kojiro.
My name is Richie and I'll be helping you to fix your problems.

First of all, it appears you've no virus protection installed.
Download/install one of the following freeware options from the choice below.
Once installed, update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

-----------------------------------------------------------

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

-----------------------------------------------------------

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


-----------------------------------------------------------

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right-click on HijackThis.exe, select 'Rename', and rename it to abc.bat.
Double-click on abc.bat (which is still HijackThis.exe) and post that log into your next reply, please.

*NOTE*
Please post all replies directly into this topic, not as attachments. Thanks.

#3 Kojiro (Topic Starter, Members, 22 posts)

Posted 29 July 2007 - 06:05 PM

If you could see from the other topic I have posted, I have already tried both VundoFix and VirtumondeBeGone. They successfully destroy this infection, however it seems to reappear, I'm assuming on bootup, but this could be occurring anytime during the use of my computer. I have a lot of protection services that seem to not run or stay running and I can't get new ones because my hard drive space is constantly depleting and I have no idea why.

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 29 July 2007 - 06:41 PM

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


-----------------------------------------------------------

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right-click on HijackThis.exe, select 'Rename', and rename it to abc.bat.
Double-click on abc.bat (which is still HijackThis.exe) and post that log into your next reply, please.

*NOTE*
Please post all replies directly into this topic, not as attachments. Thanks.

#5 Kojiro (Topic Starter, Members, 22 posts)

Posted 29 July 2007 - 07:28 PM

As you can see from the log, I have run this tool several times this week; each time it finds a new file reinfecting my PC.



VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.5

Java version is 1.4.2.6

Java version is 1.5.0.6

Scan started at 5:42:11 AM 2/17/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.5

Java version is 1.4.2.6

Java version is 1.5.0.6

Scan started at 1:40:08 AM 7/23/2007

Listing files found while scanning....

C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\mlljh.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\hjllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjllm.bak2
C:\WINDOWS\system32\hjllm.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\mlljh.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.5

Java version is 1.4.2.6

Java version is 1.5.0.6

Scan started at 6:23:16 PM 7/23/2007

Listing files found while scanning....

C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\stutv.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\vtuts.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\stutv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\stutv.bak1
C:\WINDOWS\system32\stutv.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\vtuts.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.5

Java version is 1.4.2.6

Java version is 1.5.0.6

Scan started at 11:41:17 AM 7/27/2007

Listing files found while scanning....

C:\WINDOWS\system32\jkkjg.dll
C:\WINDOWS\system32\gjkkj.ini
C:\WINDOWS\system32\gjkkj.bak1
C:\WINDOWS\system32\gjkkj.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkkjg.dll
C:\WINDOWS\system32\jkkjg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\gjkkj.ini
C:\WINDOWS\system32\gjkkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\gjkkj.bak1
C:\WINDOWS\system32\gjkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\gjkkj.bak2
C:\WINDOWS\system32\gjkkj.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkkjg.dll
C:\WINDOWS\system32\jkkjg.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.5

Java version is 1.4.2.6

Java version is 1.5.0.6

Scan started at 12:07:02 PM 7/27/2007

Listing files found while scanning....

C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\ggjlm.ini
C:\WINDOWS\system32\ggjlm.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\mljgg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ggjlm.ini
C:\WINDOWS\system32\ggjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ggjlm.bak1
C:\WINDOWS\system32\ggjlm.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\mljgg.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.5

Java version is 1.4.2.6

Java version is 1.5.0.6

Scan started at 1:15:58 PM 7/27/2007

Listing files found while scanning....

C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\vtutt.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttutv.bak1
C:\WINDOWS\system32\ttutv.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\vtutt.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.5

Java version is 1.4.2.6

Java version is 1.5.0.6

Scan started at 7:54:40 PM 7/27/2007

Listing files found while scanning....

C:\WINDOWS\system32\jkhfg.dll
C:\WINDOWS\system32\gfhkj.ini
C:\WINDOWS\system32\gfhkj.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkhfg.dll
C:\WINDOWS\system32\jkhfg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\gfhkj.ini
C:\WINDOWS\system32\gfhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\gfhkj.bak1
C:\WINDOWS\system32\gfhkj.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkhfg.dll
C:\WINDOWS\system32\jkhfg.dll Has been deleted!

Performing Repairs to the registry.
Done!
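What the run history above actually says can be read off mechanically. The following is an added example by the editor, not code from VundoFix or the poster: it parses the C:\vundofix.txt format as it appears in this thread (a "Scan started at" header, the listed files, then one or more removal passes), checks that every companion .ini/.bak/.tmp file carries the DLL's name reversed (mlljh.dll alongside hjllm.ini, vtuts.dll alongside stutv.ini, and so on through sstqp.dll and pqtss.ini), and records that each DLL was locked on the first pass and only deleted on the second, post-reboot pass. The line patterns are assumptions taken from the log on this page; the sample is a trimmed, constructed excerpt of it.

```python
"""Parse VundoFix (C:\vundofix.txt) excerpts from this thread and summarize
what each scan shows. Added example: editor's code, not VundoFix's own; the
line formats are assumed from the log posted in this thread."""
import re
from dataclasses import dataclass, field

SCAN_RE = re.compile(r"^Scan started at (?P<when>.+)$")
LISTED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+)$")                        # file listing
LOCKED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+) Could not be deleted\.$")  # in use by a process
DELETED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+) Has been deleted!$")


@dataclass
class Scan:
    when: str
    listed: list = field(default_factory=list)
    locked: set = field(default_factory=set)    # refused deletion on some pass
    deleted: set = field(default_factory=set)   # eventually deleted on some pass

    @property
    def dlls(self) -> list:
        return [p for p in self.listed if p.lower().endswith(".dll")]


def parse_vundofix(text: str) -> list:
    """One Scan per 'Scan started at' header; later removal passes of the same
    scan (the one VundoFix runs after the reboot) fold into the same record."""
    scans, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SCAN_RE.match(line):
            cur = Scan(m.group("when"))
            scans.append(cur)
        elif cur is None:
            continue
        elif m := LOCKED_RE.match(line):
            cur.locked.add(m.group("path"))
        elif m := DELETED_RE.match(line):
            cur.deleted.add(m.group("path"))
        elif m := LISTED_RE.match(line):
            cur.listed.append(m.group("path"))
    return scans


def _stem(path: str) -> str:
    return path.rsplit("\\", 1)[-1].split(".", 1)[0].lower()


def companions_are_reversed(scan: Scan) -> bool:
    """True when every non-DLL file listed is named as a listed DLL's stem
    reversed (mlljh.dll <-> hjllm.ini); False for an empty scan."""
    dll_stems = {_stem(p) for p in scan.dlls}
    others = [p for p in scan.listed if not p.lower().endswith(".dll")]
    return bool(others) and all(_stem(p)[::-1] in dll_stems for p in others)


def summarize(scans: list) -> list:
    rows = []
    for s in scans:
        for dll in s.dlls:
            rows.append({
                "when": s.when,
                "dll": dll.rsplit("\\", 1)[-1],
                "reversed_companions": companions_are_reversed(s),
                "locked_on_first_pass": dll in s.locked,   # loaded; needed the reboot pass
                "removed": dll in s.deleted,
            })
    return rows


def distinct_dll_names(scans: list) -> list:
    """A different name in every scan means re-infection, not a failed cleanup."""
    return sorted({r["dll"] for r in summarize(scans)})


# Constructed excerpt of the log above: the empty 2/17 scan and two 7/23 scans.
SAMPLE_LOG = r"""VundoFix V6.2.13
Scan started at 5:42:11 AM 2/17/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.2.13
Scan started at 1:40:08 AM 7/23/2007
Listing files found while scanning....
C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\hjllm.bak1
Beginning removal...
Attempting to delete C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\mlljh.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\hjllm.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.bak1 Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\mlljh.dll Has been deleted!
VundoFix V6.2.13
Scan started at 6:23:16 PM 7/23/2007
Listing files found while scanning....
C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\stutv.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\vtuts.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\stutv.ini Has been deleted!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\vtuts.dll Has been deleted!
"""
```

Run parse_vundofix over the full C:\vundofix.txt and summarize the result: on the log in this thread every DLL is locked on the first pass, deleted on the reboot pass, and never seen again under the same name, which is the signature of a dropper that is still on the machine rather than of a cleaner that failed. The reversed-name check is what lets the companion .ini/.bak files be attributed to the DLL even after the DLL itself has been deleted.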

#6 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 29 July 2007 - 07:31 PM

Now please follow my last instructions above.

#7 Kojiro (Topic Starter, Members, 22 posts)

Posted 29 July 2007 - 09:53 PM

VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.5

Java version is 1.4.2.6

Java version is 1.5.0.6

Scan started at 11:52:54 AM 1/3/2007

Listing files found while scanning....

C:\WINDOWS\system32\pmnnn.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmnnn.dll
C:\WINDOWS\system32\pmnnn.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.5

Java version is 1.4.2.6

Java version is 1.5.0.6

Scan started at 8:52:47 PM 7/29/2007

Listing files found while scanning....

C:\WINDOWS\system32\sstqp.dll
C:\WINDOWS\system32\pqtss.ini
C:\WINDOWS\system32\pqtss.bak1
C:\WINDOWS\system32\pqtss.bak2
C:\WINDOWS\system32\pqtss.ini2
C:\WINDOWS\system32\pqtss.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\sstqp.dll
C:\WINDOWS\system32\sstqp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\pqtss.ini
C:\WINDOWS\system32\pqtss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqtss.bak1
C:\WINDOWS\system32\pqtss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqtss.bak2
C:\WINDOWS\system32\pqtss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqtss.ini2
C:\WINDOWS\system32\pqtss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqtss.tmp
C:\WINDOWS\system32\pqtss.tmp Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\sstqp.dll
C:\WINDOWS\system32\sstqp.dll Has been deleted!

Performing Repairs to the registry.
Done!

ComboFix 07-07-30 - "Owner" 2007-07-29 9:45:14.1 [GMT -4:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


Logfile of HijackThis v1.99.1
Scan saved at 10:37, on 2007-07-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\hijackthis\abc.bat

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FF727AEC-D98D-4086-9A77-074E3591C381} - C:\WINDOWS\system32\sstqp.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: crossfire-radio Toolbar - {53b3debe-7ea1-4999-a1ae-fcdba2aee48a} - C:\Program Files\crossfire-radio\tbcros.dll
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Ltho] "C:\DOCUME~1\Owner\MYDOCU~1\STEM32~1\dexplore.exe" -vt yazb
O4 - HKCU\..\Run: [Tpphx] "C:\Documents and Settings\Owner\My Documents\?ymbols\logonui.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.lyricshosting.com
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ecfcdebbfea - C:\WINDOWS\system32\ecfcdebbfea.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Icecast Media Server (Icecast) - Unknown owner - C:\Program Files\Icecast\icecastService.exe" "C:\Program Files\Icecast (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - L:\UTorrent\3DS Max 8\Install\3DS-MAX\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Wireless Zero Configuration WZCSVCmnmsrvc (WZCSVCmnmsrvc) - Unknown owner - C:\WINDOWS\system32\adsldpcv.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#8 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 30 July 2007 - 05:56 AM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\ecfcdebbfea.dll

Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything in the 'Results' window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it in your next reply.
Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine, choose Yes.

-------------------------------------------------------------

Please download ComboFix and save it to your desktop:
Note: it is important that it is saved directly to your desktop.

Close any open browsers.
Double-click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt in your next reply.
Note: do not mouse-click ComboFix's window while it's running; that may cause the program to freeze/hang.


Also post a new HijackThis log.
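The log in the post above, and the single file RichieUK picks out of it, illustrate the three HijackThis sections that matter most for persistence: O4 Run values, O20 Winlogon Notify DLLs (these load into winlogon.exe at logon, which is why a DLL like ecfcdebbfea.dll is usually locked while Windows is running and has to be moved on reboot) and O23 services. The Python script below is an added example, not code from HijackThis, OTMoveIt or this thread: it parses lines in the HijackThis v1.99 format and applies the same kind of judgement the responder applied by hand. The sample lines are copied from the log above; the set of vetted Winlogon Notify handlers and the three heuristics are assumptions an analyst would tune per machine.

```python
"""Triage a HijackThis v1.99 log for the persistence entries the thread acts on.

Added example, not HijackThis/OTMoveIt/ComboFix code. SAMPLE_LOG is copied
from the log posted above; VETTED_NOTIFY and the heuristics are assumptions.
"""
import re
from typing import List, NamedTuple

# Constructed sample: eight lines taken from the log above.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ltho] "C:\DOCUME~1\Owner\MYDOCU~1\STEM32~1\dexplore.exe" -vt yazb
O4 - HKCU\..\Run: [Tpphx] "C:\Documents and Settings\Owner\My Documents\?ymbols\logonui.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ecfcdebbfea - C:\WINDOWS\system32\ecfcdebbfea.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Wireless Zero Configuration WZCSVCmnmsrvc (WZCSVCmnmsrvc) - Unknown owner - C:\WINDOWS\system32\adsldpcv.exe (file missing)
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
"""

# Assumption: Winlogon Notify subkeys already vetted on this machine. Every
# other Notify DLL is loaded into winlogon.exe at logon and gets flagged.
VETTED_NOTIFY = {"!saswinlogon", "igfxcui", "wb", "wgalogon"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<key>[^()]+)\))? - (?P<owner>.*?) - (?P<path>.+)$"
)


class Finding(NamedTuple):
    section: str  # HijackThis section tag
    name: str     # Run value name, Notify subkey or service key
    target: str   # command line, DLL path or service binary
    reason: str


def _check_run(cmd: str) -> List[str]:
    reasons = []
    low = cmd.lower()
    if "documents and settings" in low or "docume~1" in low:
        reasons.append("autostart from a user profile directory")
    if "?" in cmd:
        reasons.append("'?' is not legal in a file name; the real path is hidden")
    return reasons


def _check_notify(subkey: str) -> List[str]:
    if subkey.lower() in VETTED_NOTIFY:
        return []
    return ["unvetted Winlogon Notify DLL (loads into winlogon.exe)"]


def _check_service(path: str) -> List[str]:
    low = path.lower()
    if "(file missing)" in low and "\\system32\\" in low:
        return ["service binary missing from system32"]
    return []


def triage_hjt(log_text: str) -> List[Finding]:
    """Return one Finding per (entry, reason); clean entries produce none."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            for why in _check_run(m["cmd"]):
                findings.append(Finding("O4", m["name"], m["cmd"], why))
        elif m := O20_RE.match(line):
            for why in _check_notify(m["name"]):
                findings.append(Finding("O20", m["name"], m["path"], why))
        elif m := O23_RE.match(line):
            for why in _check_service(m["path"]):
                findings.append(Finding("O23", m["key"] or m["display"], m["path"], why))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name:<16}{f.reason}\n    {f.target}")
```

On this sample it flags Ltho and Tpphx (autostart from My Documents, the second with a '?' in the path), ecfcdebbfea (an unvetted Winlogon Notify DLL) and WZCSVCmnmsrvc (a service whose binary is missing from system32), and leaves ctfmon.exe, !SASWinLogon, igfxcui and MySql alone. Treat the output as a worklist, not a verdict: "(file missing)" also shows up for ordinary uninstalled software, such as the AOL entries in the same log.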

#9 Kojiro (Topic Starter, Members, 22 posts)

Posted 30 July 2007 - 11:11 AM

Removed the file C:\WINDOWS\system32\ecfcdebbfea.dll with OTMoveIt.exe as instructed.

ComboFix 07-07-30 - "Owner" 2007-07-30 23:43:04.2 [GMT -4:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-31 )))))))))))))))))))))))))))))))


2007-07-29 21:26 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-29 21:21 93,696 --a------ C:\WINDOWS\system32\drvpor.dll
2007-07-29 19:22 93,696 --a------ C:\WINDOWS\system32\drvfap.dll
2007-07-29 16:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-29 15:58 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-29 15:58 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-07-29 09:51 126,016 --a------ C:\WINDOWS\system32\gyxahill.dll
2007-07-29 01:58 93,696 --a------ C:\WINDOWS\system32\drvgaj.dll
2007-07-27 22:29 228,960 --a------ C:\WINDOWS\system32\jkkji.dll.vir
2007-07-27 11:38 70,312 --a------ C:\Program Files\codec_setup.exe
2007-07-27 10:16 <DIR> d-------- C:\Program Files\MSBuild
2007-07-27 10:07 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-07-27 10:03 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-07-27 09:58 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-07-27 09:50 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-07-27 09:50 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-07-27 09:50 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-07-25 07:20 92,672 --------- C:\WINDOWS\system32\ecfcdebbfea.dll
2007-07-23 21:15 181 --ahs---- C:\WINDOWS\system32\1355690235.dat
2007-07-23 16:41 <DIR> d-------- C:\Program Files\Magicantispy
2007-07-23 00:35 <DIR> d-------- C:\Program Files\Security Task Manager
2007-07-23 00:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-07-20 10:19 <DIR> d-------- C:\Program Files\ImvuTools2
2007-07-20 10:19 <DIR> d-------- C:\3dsmax7
2007-07-18 21:33 31,254 --a------ C:\WINDOWS\system32\urqpqpq.dll.vir
2007-07-18 21:33 <DIR> d-------- C:\Program Files\cbgbclmr
2007-07-09 15:07 200,704 --a--c--- C:\WINDOWS\system32\ssldivx.dll
2007-07-09 15:07 1,044,480 --a--c--- C:\WINDOWS\system32\libdivx.dll
2007-07-07 23:24 <DIR> d-------- C:\Program Files\The Rosetta Stone
2007-07-07 00:45 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2007-07-07 00:45 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Propellerhead Software
2007-07-07 00:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Propellerhead Software
2007-07-07 00:43 <DIR> d-------- C:\Program Files\Propellerhead
2007-06-17 13:11 <DIR> d-------- C:\Nexon
2007-06-05 22:54 765,952 --a--c--- C:\WINDOWS\system32\msvcp71d.dll
2007-06-05 22:54 544,768 --a--c--- C:\WINDOWS\system32\msvcr71d.dll
2007-06-01 10:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Autodesk
2007-06-01 10:09 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2007-06-01 10:09 <DIR> d-------- C:\Program Files\Autodesk


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-29 18:37 --------- d-------- C:\Program Files\Oberon Media
2007-07-29 18:22 --------- d-------- C:\Program Files\blueMSX
2007-07-29 15:56 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-29 13:04 --------- d-------- C:\Program Files\Common Files\aolback
2007-07-29 12:40 --------- d-------- C:\Program Files\Emulation
2007-07-29 12:39 --------- d-------- C:\Program Files\BYOND
2007-07-29 10:59 --------- d-------- C:\Program Files\SpywareBlaster
2007-07-29 10:02 2788 --a--c--- C:\WINDOWS\mozver.dat
2007-07-29 10:02 --------- d-------- C:\Program Files\DivX
2007-07-28 22:50 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2007-07-27 19:54 --------- d-------- C:\Program Files\SpywareGuard
2007-07-27 12:55 --------- d-------- C:\Program Files\Spyware Snooper
2007-07-20 10:24 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\IMVU
2007-07-19 19:47 --------- d-------- C:\Program Files\IMVU
2007-07-18 22:27 --------- d-------- C:\Program Files\uTorrent
2007-06-26 16:08 1682 --ahsc--- C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-25 02:02 --------- d-------- C:\Program Files\LimeWire
2007-06-22 12:48 56 -r-hsc--- C:\WINDOWS\system32\1772B1580A.sys
2007-06-10 12:18 --------- d-------- C:\Program Files\World of Warcraft
2007-06-08 13:57 43520 --a--c--- C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-16 11:12 683520 --a--c--- C:\WINDOWS\system32\inetcomm.dll
2007-02-23 19:30 75000 --a--c--- C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT
2006-11-30 14:58:34 18,484 -csh--w C:\WINDOWS\system32\awvvt.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF727AEC-D98D-4086-9A77-074E3591C381}]
C:\WINDOWS\system32\sstqp.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{53B3DEBE-7EA1-4999-A1AE-FCDBA2AEE48A}"= C:\Program Files\crossfire-radio\tbcros.dll [2006-08-03 10:20 1035344]

[-HKEY_CLASSES_ROOT\CLSID\{53B3DEBE-7EA1-4999-A1AE-FCDBA2AEE48A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 16:09]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-10 21:10]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-01-30 12:23]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]
"Ltho"="C:\DOCUME~1\Owner\MYDOCU~1\STEM32~1\dexplore.exe" []
"Tpphx"="C:\Documents and Settings\Owner\My Documents\?ymbols\logonui.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ecfcdebbfea]
C:\WINDOWS\system32\ecfcdebbfea.dll 2007-07-27 10:30 92672 C:\WINDOWS\system32\ecfcdebbfea.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 2001-12-20 23:34 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=C:\WINDOWS\pss\SpywareGuard.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alchem]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Balm Software Idol Love]
C:\Documents and Settings\All Users\Application Data\armyantebalmsoftware\Inside Balm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1139715370\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nw5F]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\popcast]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]
"L:\Program Files\Shareaza\Shareaza.exe" -tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stcloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tukati:4]
C:\Program Files\Tukati\Redistributor\4\TukatiRedistributor.exe -r:4 -x:2

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wma Funk]
C:\DOCUME~1\Owner\APPLIC~1\INTERF~1\dart new.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

R0 a347bus;a347bus;C:\WINDOWS\system32\DRIVERS\a347bus.sys
R0 a347scsi;a347scsi;C:\WINDOWS\system32\Drivers\a347scsi.sys
R0 sfsync04;StarForce Protection Synchronization Driver (version 4.x);C:\WINDOWS\system32\drivers\sfsync04.sys
R0 Vax347b;Vax347b;C:\WINDOWS\system32\DRIVERS\Vax347b.sys
R0 Vax347s;Vax347s;C:\WINDOWS\system32\Drivers\Vax347s.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 StyleXPHelper;StyleXPHelper;\??\C:\Program Files\TGTSoft\StyleXP\StyleXPHelper.exe
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 CdaC15BA;CdaC15BA;\??\C:\WINDOWS\system32\drivers\CdaC15BA.SYS
R2 Icecast;Icecast Media Server;"C:\Program Files\Icecast\icecastService.exe" "C:\Program Files\Icecast"
R2 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe
R2 SQLBrowser;SQL Server Browser;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 E100B;Intel® PRO Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 GTWModem;GTW V.92 Voicemodem;C:\WINDOWS\system32\DRIVERS\GWMDM.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\system32\drivers\NMSCFG.SYS
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys
S2 WZCSVCmnmsrvc;Wireless Zero Configuration WZCSVCmnmsrvc;C:\WINDOWS\system32\adsldpcv.exe srv
S3 ATI Remote Wonder II;ATI Remote Wonder II;C:\WINDOWS\system32\drivers\ATIRWVD.SYS
S3 BCMModem;BCM V.90 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMDM.sys
S3 DCamUSBSQTECH;Dual-Mode DSC(2770);C:\WINDOWS\system32\Drivers\SQcaptur.sys
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0;C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 iscFlash;iscFlash;\??\C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys
S3 NPPTNT2;NPPTNT2;\??\C:\WINDOWS\system32\npptNT2.sys
S3 PCDRDRV;Pcdr Helper Driver;\??\C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys
S3 PcdrNt;PcdrNt;C:\WINDOWS\system32\drivers\PcdrNt.sys
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S4 ColdFusion MX 7 Application Server;ColdFusion MX 7 Application Server;"L:\ProgramFiles\Macromedia\CFusionMX7\runtime\bin\jrunsvc.exe"
S4 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server;"L:\ProgramFiles\Macromedia\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "L:\ProgramFiles\Macromedia\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
S4 wampapache;wampapache;"C:\Program Files\World of Warcraft\KEn_rpk_3_2\wamp\apache2\bin\Apache.exe" -k runservice
S4 wampmysqld;wampmysqld;"C:\Program Files\World of Warcraft\KEn_rpk_3_2\wamp\mysql\bin\mysqld-nt.exe" "--defaults-file=C:\Program Files\World of Warcraft\KEn_rpk_3_2\wamp\mysql\my.ini" wampmysqld


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16028de5-4401-11d9-840b-00038a000015}]

*Newly Created Service* - NMSCFG

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{38AF5C72-FEB3-5DA4-0203-020501050704}]
C:\WINDOWS\system32\svchoost.exe

Contents of the 'Scheduled Tasks' folder
2007-07-31 03:00:00 C:\WINDOWS\Tasks\8F4AFDBC89956BB0.job - c:\docume~1\owner\applic~1\interf~1\weblogidol.exe
2007-07-26 10:59:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-07-29 05:43:09 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-30 23:49:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{63DACC40-8A98-DA11-DFD5-D54879241B26}]
"dbpojlobfgnneaappfiaomccdchjbcgedleidjei"=hex:6b,61,6e,69,63,6b,6a,6c,68,67,69,65,63,67,6b,6e,67,67,66,62,66,..

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-30 23:52:43
C:\ComboFix-quarantined-files.txt ... 2007-07-30 23:51

--- E O F ---
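ComboFix's "Files Created" listing is where the next removal list comes from: drvpor.dll, drvfap.dll and drvgaj.dll have random names but an identical size of 93,696 bytes, which points to one dropper writing the same payload under fresh names, and 1355690235.dat carries hidden and system attributes in system32. The Python script below is an added example, not part of ComboFix or of this thread: it parses lines in the layout shown above and surfaces both patterns. The sample lines are copied from the log above; reading the attribute column as DOS attribute letters (d directory, a archive, h hidden, s system) is an assumption.

```python
"""Parse ComboFix 'Files Created' / Find3M lines and surface two triage signals.

Added example, not ComboFix code. SAMPLE is copied from the log above.
Assumption: the attribute column uses DOS attribute letters (d directory,
a archive, h hidden, s system, r read-only, c compressed).
"""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: nine lines taken from the ComboFix log above.
SAMPLE = r"""
2007-07-29 21:21 93,696 --a------ C:\WINDOWS\system32\drvpor.dll
2007-07-29 19:22 93,696 --a------ C:\WINDOWS\system32\drvfap.dll
2007-07-29 16:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-29 09:51 126,016 --a------ C:\WINDOWS\system32\gyxahill.dll
2007-07-29 01:58 93,696 --a------ C:\WINDOWS\system32\drvgaj.dll
2007-07-27 09:50 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-07-25 07:20 92,672 --------- C:\WINDOWS\system32\ecfcdebbfea.dll
2007-07-23 21:15 181 --ahs---- C:\WINDOWS\system32\1355690235.dat
2006-11-30 14:58:34 18,484 -csh--w C:\WINDOWS\system32\awvvt.dll
"""

# Date, time (seconds optional), size ("<DIR>" or dashes for folders),
# attribute column, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}(?::\d{2})?)\s+"
    r"(?P<size><DIR>|-+|[\d,]+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>.+)$"
)


class Entry(NamedTuple):
    created: datetime
    size: Optional[int]  # None for directories
    attrs: str           # attribute column as printed, e.g. "--ahs----"
    path: str


def parse_entries(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section banners, blank lines, anything else
        size = int(m["size"].replace(",", "")) if m["size"][0].isdigit() else None
        fmt = "%Y-%m-%d %H:%M:%S" if m["time"].count(":") == 2 else "%Y-%m-%d %H:%M"
        created = datetime.strptime(f"{m['date']} {m['time']}", fmt)
        entries.append(Entry(created, size, m["attrs"], m["path"]))
    return entries


def size_clusters(entries: List[Entry], min_count: int = 2) -> Dict[Tuple[str, int], List[str]]:
    """Files in the same folder with identical size: one payload under several names."""
    groups: Dict[Tuple[str, int], List[str]] = {}
    for e in entries:
        if e.size is None:
            continue
        folder = e.path.rpartition("\\")[0].lower()
        groups.setdefault((folder, e.size), []).append(e.path)
    return {k: v for k, v in groups.items() if len(v) >= min_count}


def hidden_system(entries: List[Entry]) -> List[Entry]:
    """Files carrying both the hidden and the system attribute."""
    return [e for e in entries if e.size is not None and "h" in e.attrs and "s" in e.attrs]


if __name__ == "__main__":
    es = parse_entries(SAMPLE)
    for (folder, size), paths in size_clusters(es).items():
        print(f"{len(paths)} files of {size:,} bytes in {folder}:")
        for p in sorted(paths):
            print("   ", p)
    for e in hidden_system(es):
        print(f"hidden+system: {e.path} ({e.attrs}, created {e.created:%Y-%m-%d %H:%M})")
```

Same-size clusters also occur legitimately, for instance when one installer drops several identical stubs, so a cluster is a signal to confirm against the file contents, not a verdict. On this sample the script reports the three 93,696-byte drv*.dll files and the two hidden+system files, which is the same set RichieUK lists in the next post.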

#10 Kojiro (Topic Starter, Members, 22 posts)

Posted 30 July 2007 - 11:21 AM

HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:16:35 AM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Icecast\icecastService.exe
L:\UTorrent\3DS Max 8\Install\3DS-MAX\mentalray\satellite\raysat_3dsmax8server.exe
C:\mysql\bin\mysqld-nt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\abc.bat

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FF727AEC-D98D-4086-9A77-074E3591C381} - C:\WINDOWS\system32\sstqp.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: crossfire-radio Toolbar - {53b3debe-7ea1-4999-a1ae-fcdba2aee48a} - C:\Program Files\crossfire-radio\tbcros.dll
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Ltho] "C:\DOCUME~1\Owner\MYDOCU~1\STEM32~1\dexplore.exe" -vt yazb
O4 - HKCU\..\Run: [Tpphx] "C:\Documents and Settings\Owner\My Documents\?ymbols\logonui.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.lyricshosting.com
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ecfcdebbfea - C:\WINDOWS\system32\ecfcdebbfea.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Icecast Media Server (Icecast) - Unknown owner - C:\Program Files\Icecast\icecastService.exe" "C:\Program Files\Icecast (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - L:\UTorrent\3DS Max 8\Install\3DS-MAX\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Wireless Zero Configuration WZCSVCmnmsrvc (WZCSVCmnmsrvc) - Unknown owner - C:\WINDOWS\system32\adsldpcv.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#11 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 30 July 2007 - 11:33 AM

Copy and paste ALL the following text into Notepad.
Click on File (in the menu at the top) > Save as..., set 'Save as type' to 'All Files' and the file name to CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\drvpor.dll
C:\WINDOWS\system32\drvfap.dll
C:\WINDOWS\system32\gyxahill.dll
C:\WINDOWS\system32\drvgaj.dll
C:\WINDOWS\system32\jkkji.dll.vir
C:\WINDOWS\system32\ecfcdebbfea.dll
C:\WINDOWS\system32\1355690235.dat
C:\WINDOWS\system32\urqpqpq.dll.vir
C:\WINDOWS\system32\awvvt.dll
C:\WINDOWS\Tasks\8F4AFDBC89956BB0.job

Folder::
C:\Program Files\cbgbclmr
C:\Program Files\Magicantispy

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF727AEC-D98D-4086-9A77-074E3591C381}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ltho"=-
"Tpphx"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ecfcdebbfea]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Balm Software Idol Love]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wma Funk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{38AF5C72-FEB3-5DA4-0203-020501050704}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16028de5-4401-11d9-840b-00038a000015}]

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dropped onto ComboFix.exe]

This will start ComboFix again.
After the reboot (if it asks for one), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.
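The CFScript above has three sections, File::, Folder:: and Registry::, and its Registry:: block uses the .reg file conventions that [-Key] deletes a key and "Name"=- deletes a value. The Python generator below is an added example, not ComboFix's own code, and covers only the directives visible in that script; any other CFScript directives are outside its scope. It refuses paths that are not absolute drive paths or that contain '*' or '?': neither character is legal in a Windows file name, so a path shown with a '?' (the ?ymbols folder in the HijackThis log above) is not the real path and has to be resolved on the machine before it can be scripted. The removal plan in the block is a subset of the script above.

```python
"""Build a ComboFix CFScript in the layout used in the post above.

Added example, not ComboFix code. Only the File::, Folder:: and Registry::
sections visible in that script are supported; the Registry:: syntax
([-Key] deletes a key, "Name"=- deletes a value) follows .reg conventions.
"""
import re
from typing import Dict, Iterable, List, Optional, Sequence

ABS_PATH = re.compile(r"^[A-Za-z]:\\")


def _section(header: str, entries: Sequence[str]) -> List[str]:
    # Each section is its header, its entries and one blank separator line.
    return [header, *entries, ""] if entries else []


def build_cfscript(
    files: Iterable[str] = (),
    folders: Iterable[str] = (),
    delete_keys: Iterable[str] = (),
    delete_values: Optional[Dict[str, Sequence[str]]] = None,
) -> str:
    files, folders, delete_keys = list(files), list(folders), list(delete_keys)
    delete_values = delete_values or {}
    for p in files + folders:
        # A move script must name exact files. '?' and '*' are not legal in
        # Windows file names, so a path shown that way is not the real path.
        if not ABS_PATH.match(p) or "*" in p or "?" in p:
            raise ValueError(f"refusing non-absolute or wildcard path: {p!r}")
    registry: List[str] = [f"[-{key}]" for key in delete_keys]
    for key, names in delete_values.items():
        registry.append(f"[{key}]")
        registry.extend(f'"{name}"=-' for name in names)
    lines = _section("File::", files) + _section("Folder::", folders) + _section("Registry::", registry)
    return "\n".join(lines).rstrip("\n") + "\n" if lines else ""


# Removal plan assembled from the CFScript above (a subset of it).
PLAN = dict(
    files=[
        r"C:\WINDOWS\system32\ecfcdebbfea.dll",
        r"C:\WINDOWS\Tasks\8F4AFDBC89956BB0.job",
    ],
    folders=[r"C:\Program Files\cbgbclmr"],
    delete_keys=[
        r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF727AEC-D98D-4086-9A77-074E3591C381}",
        r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ecfcdebbfea",
    ],
    delete_values={
        r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": ["Ltho", "Tpphx"],
    },
)

if __name__ == "__main__":
    print(build_cfscript(**PLAN), end="")
```

Generating the script from a structured plan rather than typing it keeps the key-deletion and value-deletion forms straight (a "[-Key]" line removes the whole key, whereas "[Key]" followed by "Name"=- removes one value and leaves the rest of the Run key intact), which is the difference between clearing two malicious autostarts and wiping every legitimate one alongside them.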

#12 Kojiro (Topic Starter, Members, 22 posts)

Posted 30 July 2007 - 12:04 PM

Removed the files as instructed.

ComboFix 07-07-30 - "Owner" 2007-07-31 0:50:47.4 [GMT -4:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-31 )))))))))))))))))))))))))))))))


2007-07-29 21:26 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-29 16:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-29 15:58 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-29 15:58 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-07-27 11:38 70,312 --a------ C:\Program Files\codec_setup.exe
2007-07-27 10:16 <DIR> d-------- C:\Program Files\MSBuild
2007-07-27 10:07 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-07-27 10:03 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-07-27 09:58 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-07-27 09:50 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-07-27 09:50 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-07-27 09:50 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-07-25 07:20 92,672 --------- C:\WINDOWS\system32\ecfcdebbfea.dll
2007-07-23 00:35 <DIR> d-------- C:\Program Files\Security Task Manager
2007-07-23 00:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-07-20 10:19 <DIR> d-------- C:\Program Files\ImvuTools2
2007-07-20 10:19 <DIR> d-------- C:\3dsmax7
2007-07-09 15:07 200,704 --a--c--- C:\WINDOWS\system32\ssldivx.dll
2007-07-09 15:07 1,044,480 --a--c--- C:\WINDOWS\system32\libdivx.dll
2007-07-07 23:24 <DIR> d-------- C:\Program Files\The Rosetta Stone
2007-07-07 00:45 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2007-07-07 00:45 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Propellerhead Software
2007-07-07 00:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Propellerhead Software
2007-07-07 00:43 <DIR> d-------- C:\Program Files\Propellerhead
2007-06-17 13:11 <DIR> d-------- C:\Nexon
2007-06-05 22:54 765,952 --a--c--- C:\WINDOWS\system32\msvcp71d.dll
2007-06-05 22:54 544,768 --a--c--- C:\WINDOWS\system32\msvcr71d.dll
2007-06-01 10:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Autodesk
2007-06-01 10:09 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2007-06-01 10:09 <DIR> d-------- C:\Program Files\Autodesk


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-31 00:22 --------- d-------- C:\Program Files\SpywareBlaster
2007-07-29 18:37 --------- d-------- C:\Program Files\Oberon Media
2007-07-29 18:22 --------- d-------- C:\Program Files\blueMSX
2007-07-29 15:56 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-29 13:04 --------- d-------- C:\Program Files\Common Files\aolback
2007-07-29 12:40 --------- d-------- C:\Program Files\Emulation
2007-07-29 12:39 --------- d-------- C:\Program Files\BYOND
2007-07-29 10:02 2788 --a--c--- C:\WINDOWS\mozver.dat
2007-07-29 10:02 --------- d-------- C:\Program Files\DivX
2007-07-28 22:50 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2007-07-27 19:54 --------- d-------- C:\Program Files\SpywareGuard
2007-07-27 12:55 --------- d-------- C:\Program Files\Spyware Snooper
2007-07-20 10:24 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\IMVU
2007-07-19 19:47 --------- d-------- C:\Program Files\IMVU
2007-07-18 22:27 --------- d-------- C:\Program Files\uTorrent
2007-06-26 16:08 1682 --ahsc--- C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-25 02:02 --------- d-------- C:\Program Files\LimeWire
2007-06-22 12:48 56 -r-hsc--- C:\WINDOWS\system32\1772B1580A.sys
2007-06-10 12:18 --------- d-------- C:\Program Files\World of Warcraft
2007-06-08 13:57 43520 --a--c--- C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-16 11:12 683520 --a--c--- C:\WINDOWS\system32\inetcomm.dll
2007-02-23 19:30 75000 --a--c--- C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF727AEC-D98D-4086-9A77-074E3591C381}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{53B3DEBE-7EA1-4999-A1AE-FCDBA2AEE48A}"= C:\Program Files\crossfire-radio\tbcros.dll [2006-08-03 10:20 1035344]

[-HKEY_CLASSES_ROOT\CLSID\{53B3DEBE-7EA1-4999-A1AE-FCDBA2AEE48A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 16:09]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-10 21:10]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-01-30 12:23]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ecfcdebbfea]
C:\WINDOWS\system32\ecfcdebbfea.dll 2007-07-27 10:30 92672 C:\WINDOWS\system32\ecfcdebbfea.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 2001-12-20 23:34 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=C:\WINDOWS\pss\SpywareGuard.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alchem]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Balm Software Idol Love]
C:\Documents and Settings\All Users\Application Data\armyantebalmsoftware\Inside Balm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1139715370\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nw5F]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\popcast]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]
"L:\Program Files\Shareaza\Shareaza.exe" -tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stcloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tukati:4]
C:\Program Files\Tukati\Redistributor\4\TukatiRedistributor.exe -r:4 -x:2

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wma Funk]
C:\DOCUME~1\Owner\APPLIC~1\INTERF~1\dart new.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

R0 a347bus;a347bus;C:\WINDOWS\system32\DRIVERS\a347bus.sys
R0 a347scsi;a347scsi;C:\WINDOWS\system32\Drivers\a347scsi.sys
R0 sfsync04;StarForce Protection Synchronization Driver (version 4.x);C:\WINDOWS\system32\drivers\sfsync04.sys
R0 Vax347b;Vax347b;C:\WINDOWS\system32\DRIVERS\Vax347b.sys
R0 Vax347s;Vax347s;C:\WINDOWS\system32\Drivers\Vax347s.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 StyleXPHelper;StyleXPHelper;\??\C:\Program Files\TGTSoft\StyleXP\StyleXPHelper.exe
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 CdaC15BA;CdaC15BA;\??\C:\WINDOWS\system32\drivers\CdaC15BA.SYS
R2 Icecast;Icecast Media Server;"C:\Program Files\Icecast\icecastService.exe" "C:\Program Files\Icecast"
R2 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe
R2 SQLBrowser;SQL Server Browser;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 E100B;Intel® PRO Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 GTWModem;GTW V.92 Voicemodem;C:\WINDOWS\system32\DRIVERS\GWMDM.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\system32\drivers\NMSCFG.SYS
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys
S2 WZCSVCmnmsrvc;Wireless Zero Configuration WZCSVCmnmsrvc;C:\WINDOWS\system32\adsldpcv.exe srv
S3 ATI Remote Wonder II;ATI Remote Wonder II;C:\WINDOWS\system32\drivers\ATIRWVD.SYS
S3 BCMModem;BCM V.90 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMDM.sys
S3 DCamUSBSQTECH;Dual-Mode DSC(2770);C:\WINDOWS\system32\Drivers\SQcaptur.sys
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0;C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 iscFlash;iscFlash;\??\C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys
S3 NPPTNT2;NPPTNT2;\??\C:\WINDOWS\system32\npptNT2.sys
S3 PCDRDRV;Pcdr Helper Driver;\??\C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys
S3 PcdrNt;PcdrNt;C:\WINDOWS\system32\drivers\PcdrNt.sys
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS
S3 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S4 ColdFusion MX 7 Application Server;ColdFusion MX 7 Application Server;"L:\ProgramFiles\Macromedia\CFusionMX7\runtime\bin\jrunsvc.exe"
S4 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server;"L:\ProgramFiles\Macromedia\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "L:\ProgramFiles\Macromedia\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
S4 wampapache;wampapache;"C:\Program Files\World of Warcraft\KEn_rpk_3_2\wamp\apache2\bin\Apache.exe" -k runservice
S4 wampmysqld;wampmysqld;"C:\Program Files\World of Warcraft\KEn_rpk_3_2\wamp\mysql\bin\mysqld-nt.exe" "--defaults-file=C:\Program Files\World of Warcraft\KEn_rpk_3_2\wamp\mysql\my.ini" wampmysqld


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16028de5-4401-11d9-840b-00038a000015}]

*Newly Created Service* - NMSCFG

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{38AF5C72-FEB3-5DA4-0203-020501050704}]
C:\WINDOWS\system32\svchoost.exe

Contents of the 'Scheduled Tasks' folder
2007-07-26 10:59:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-07-29 05:43:09 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-31 00:56:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{63DACC40-8A98-DA11-DFD5-D54879241B26}]
"dbpojlobfgnneaappfiaomccdchjbcgedleidjei"=hex:6b,61,6e,69,63,6b,6a,6c,68,67,69,65,63,67,6b,6e,67,67,66,62,66,..

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-31 0:59:19
C:\ComboFix-quarantined-files.txt ... 2007-07-31 00:57
C:\ComboFix2.txt ... 2007-07-30 23:52

--- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 1:01:18 AM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Icecast\icecastService.exe
L:\UTorrent\3DS Max 8\Install\3DS-MAX\mentalray\satellite\raysat_3dsmax8server.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\hijackthis\abc.bat

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FF727AEC-D98D-4086-9A77-074E3591C381} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: crossfire-radio Toolbar - {53b3debe-7ea1-4999-a1ae-fcdba2aee48a} - C:\Program Files\crossfire-radio\tbcros.dll
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.lyricshosting.com
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ecfcdebbfea - C:\WINDOWS\system32\ecfcdebbfea.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Icecast Media Server (Icecast) - Unknown owner - C:\Program Files\Icecast\icecastService.exe" "C:\Program Files\Icecast (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - L:\UTorrent\3DS Max 8\Install\3DS-MAX\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Wireless Zero Configuration WZCSVCmnmsrvc (WZCSVCmnmsrvc) - Unknown owner - C:\WINDOWS\system32\adsldpcv.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:11:02 PM

Posted 30 July 2007 - 01:08 PM

Disable SpywareGuard as it's interfering.
Right click the running icon of SpywareGuard in the system tray to open the program.
Then go to Menu/File, and choose Exit.
It will automatically restart at next boot.

---------------------------------------------------------

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\ecfcdebbfea.dll
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's is too busy, try here:
http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\ecfcdebbfea.dll
Then click on 'Send File'.
Post the results into your next reply.

---------------------------------------------------------

Download Deljob.exe and save it on your desktop.
Double click on Deljob.exe.
A log (logit.txt) should open afterwards.
This log will be present on your desktop.
Post the contents of the logfile into your next reply.

#14 Kojiro

Kojiro
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:02 PM

Posted 30 July 2007 - 01:31 PM

here: http://virusscan.jotti.org/
C:\WINDOWS\system32\ecfcdebbfea.dll
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
That was the result I received. On a side note, when I was browsing C:\WINDOWS\system32\ for the file, I noticed uncountable multi-numbered files with the extension TMP; I have never noticed these here before.

I wasn't able to send to either.

#15 Kojiro

Kojiro
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:02 PM

Posted 30 July 2007 - 01:34 PM

--------------------------------------------------------
No LOP jobs found
--------------------------------------------------------
Files remaining after cleaning

AppleSoftwareUpdate.job
MP Scheduled Scan.job
--------------------------------------------------------
App data folders

Volume in drive C has no label.
Volume Serial Number is 50CE-30FB

Directory of C:\Documents and Settings\Owner\Application Data

07/29/2007 10:16 AM <DIR> .
07/29/2007 10:16 AM <DIR> ..
06/24/2006 09:38 PM <DIR> BITTOR~1 .bittorrent
12/25/2006 01:01 AM <DIR> acccore
10/07/2005 12:44 AM <DIR> Adobe
07/18/2005 01:53 PM <DIR> Ahead
10/04/2004 09:43 PM <DIR> Aim
06/17/2005 10:00 PM <DIR> ALIENS~1 Alien Skin
09/10/2005 10:44 PM <DIR> ALIVEG~1 Alive Games
07/28/2004 11:29 PM <DIR> ANVILS~1 Anvil Studio
05/09/2004 02:38 AM <DIR> AOL
08/23/2006 02:19 PM <DIR> APPLEC~1 Apple Computer
08/04/2005 05:16 PM <DIR> ArcSoft
01/07/2006 07:35 PM <DIR> ATI
06/10/2005 02:46 PM <DIR> ATIMMC~1 ATI MMC
03/10/2007 06:57 PM <DIR> Azureus
05/12/2005 05:41 PM <DIR> COWON
02/20/2005 09:25 PM <DIR> CYBERL~1 CyberLink
03/08/2005 05:28 PM <DIR> DMCache
11/23/2006 03:23 PM <DIR> EFRONT~1 e frontier
08/20/2004 03:26 PM <DIR> fltk.org
02/21/2006 05:54 PM <DIR> Google
09/26/2005 07:29 PM <DIR> GROUPE~1 Grouper Networks
06/18/2004 05:29 PM <DIR> GTek
05/02/2007 06:03 PM <DIR> Hamachi
08/10/2004 10:13 PM <DIR> Help
03/31/2004 11:53 PM <DIR> IDENTI~1 Identities
07/20/2007 10:24 AM <DIR> IMVU
04/01/2004 12:51 AM <DIR> INTERT~1 InterTrust
05/18/2005 04:41 PM <DIR> Ipswitch
06/02/2005 12:15 AM <DIR> Lavasoft
09/22/2005 08:04 PM <DIR> MACROM~1 Macromedia
04/09/2007 08:46 PM <DIR> MICROS~1 Microsoft
04/03/2005 04:55 PM <DIR> Mozilla
04/29/2004 08:48 PM <DIR> MSN6
05/11/2007 09:12 PM <DIR> MusicIP
07/09/2006 03:08 AM <DIR> MySpace
06/25/2005 09:43 AM <DIR> Opera
07/07/2007 01:03 AM <DIR> PROPEL~1 Propellerhead Software
10/29/2005 10:00 PM <DIR> Shareaza
11/19/2006 05:00 PM <DIR> Skype
07/14/2004 06:56 PM <DIR> Sun
07/29/2007 03:58 PM <DIR> SUPERA~1.COM SUPERAntiSpyware.com
04/01/2004 12:45 AM <DIR> Symantec
08/14/2006 01:42 PM <DIR> TEAMSP~1 teamspeak2
07/28/2007 10:50 PM <DIR> uTorrent
01/27/2007 04:07 PM <DIR> Ventrilo
10/13/2006 06:47 PM <DIR> Xfire
12/26/2005 12:32 PM <DIR> Yahoo!
09/18/2005 08:35 PM <DIR> YAHOO!~1 Yahoo! Messenger
06/18/2004 09:55 AM <DIR> YOU'VE~1 You've Got Pictures Screensaver
04/14/2006 12:08 PM <DIR> {27ABE~1 {27ABEAD9-B7C4-4994-891F-48F5F48861FA}
0 File(s) 0 bytes
52 Dir(s) 2,788,142,080 bytes free
Volume in drive C has no label.
Volume Serial Number is 50CE-30FB

Directory of C:\Documents and Settings\All Users\Application Data

07/29/2007 04:00 PM <DIR> .
07/29/2007 04:00 PM <DIR> ..
06/08/2005 10:13 PM <DIR> Adobe
06/08/2005 10:17 PM <DIR> ADOBES~1 Adobe Systems
02/27/2005 12:46 PM <DIR> Ahead
02/11/2006 11:36 PM <DIR> AOL
12/25/2006 12:59 AM <DIR> AOLDOW~1 AOL Downloads
12/25/2006 01:01 AM <DIR> AOLOCP~1 AOL OCP
12/09/2006 10:50 PM <DIR> APPLEC~1 Apple Computer
10/17/2006 07:31 PM <DIR> ARMYAN~1 armyantebalmsoftware
11/17/2006 09:30 PM <DIR> ATIMMC~1 ATI MMC
06/25/2007 01:34 AM <DIR> Autodesk
02/20/2005 08:48 PM <DIR> CYBERL~1 CyberLink
05/18/2005 03:37 PM <DIR> GROUPE~1 Grouper Networks
06/18/2004 05:29 PM <DIR> GTek
10/01/2005 09:34 PM <DIR> INSTAL~1 InstallShield
09/22/2005 06:43 PM <DIR> MACROM~1 Macromedia
06/12/2004 08:24 AM <DIR> MACROV~1 Macrovision
06/01/2007 10:16 AM <DIR> MICROS~1 Microsoft
04/09/2007 08:47 PM <DIR> MICROS~2 Microsoft Help
03/07/2005 10:42 PM <DIR> MSNMES~1.020 MSN Messenger 6.2.0205
04/29/2004 08:44 PM <DIR> MSN6
07/07/2007 12:45 AM <DIR> PROPEL~1 Propellerhead Software
06/18/2004 09:55 AM <DIR> PURENE~1 Pure Networks
07/23/2007 12:59 AM <DIR> SECTAS~1 SecTaskMan
01/06/2006 08:45 PM <DIR> Skype
08/22/2005 08:41 AM <DIR> SPYBOT~1 Spybot - Search & Destroy
07/29/2007 04:00 PM <DIR> SUPERA~1.COM SUPERAntiSpyware.com
06/21/2004 03:45 AM <DIR> Support.com
05/02/2007 06:08 PM <DIR> Symantec
05/23/2004 06:39 PM <DIR> VIEWPO~1 Viewpoint
08/03/2005 06:23 AM <DIR> WINDOW~1 Windows Genuine Advantage
05/02/2007 04:26 PM <DIR> yahoo!
02/13/2006 12:40 AM <DIR> YAHOO!~1 Yahoo! Companion
0 File(s) 0 bytes
34 Dir(s) 2,788,140,032 bytes free
--------------------------------------------------------
