Infected With Ntos And Other Viruses


6 replies to this topic

#1 Trickster74

  • Members
  • 12 posts

Posted 12 August 2007 - 04:56 PM

My 12 year old son was surfing the web on my parents' PC (which had no firewall at the time). He's managed to get it more infected than I've ever seen a PC. I can usually handle most things, but there are so many things going on, I can't handle them all.

I've downloaded and installed all the virus/spyware scanners, but a lot of them are locking up the computer when run. I've also gotten Zonealarm installed, so hopefully it's blocking further incoming junk. So far, since Saturday morning, it's blocked 434 incoming attempts.

Any help would be appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:31 PM, on 8/12/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1175578723\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\System32\clcl14.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\America Online 4.0\aoltray.exe
c:\program files\common files\aol\1175578723\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1175578723\ee\aolsoftware.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1175578723\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [server] rundll32.exe "C:\DOCUME~1\Nathan\LOCALS~1\Temp\watchdll.dll",startwatcher
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O4 - Startup: America Online Tray Icon.lnk = C:\America Online 4.0\aoltray.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsrngt.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 6308 bytes
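As an added illustration (not part of the original thread and not a HijackThis feature), here is a small Python triage script that reads lines in the HijackThis log format above and flags the persistence points a log helper checks first: an extra executable appended to the UserInit logon chain (F2), a populated AppInit_DLLs value (O20), Run entries that launch from a Temp directory or name a bare file with no path (O4), Run entries that re-launch whatever UserInit was pointed at, and O16 downloads that use the ms-its: protocol. The sample lines are copied from the log in this post; the scoring rules are my own heuristics, written from a log reviewer's point of view, not HijackThis output.

```python
"""Triage heuristics for HijackThis-format log lines (added example)."""
import re
from pathlib import PureWindowsPath

# Sample lines copied from the HijackThis log posted above (raw string, so
# the Windows backslashes are kept verbatim).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [server] rundll32.exe "C:\DOCUME~1\Nathan\LOCALS~1\Temp\watchdll.dll",startwatcher
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'SYSTEM')
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

# "O4 - HKLM\..\Run: [Name] command" -> section code and the rest of the line
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Registry-backed O4 bodies: "<key>: [<value name>] <command>"
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")


def userinit_extras(body):
    """Return every entry in a UserInit value other than userinit.exe itself.

    A clean XP machine lists only userinit.exe; anything else is a logon
    hook that runs before the shell, so it is worth a finding on its own.
    """
    _, _, value = body.partition("UserInit=")
    extras = []
    for part in value.split(","):
        part = part.strip()
        if part and PureWindowsPath(part).name.lower() != "userinit.exe":
            extras.append(part)
    return extras


def triage(log_text):
    """Return a list of (section, reason, line) findings for a HijackThis log."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    findings = []

    # Pass 1: learn which executables were injected into the logon chain, so
    # Run entries that re-launch the same file can be cross-referenced later.
    hijack_names = set()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["section"] == "F2" and "UserInit=" in m["body"]:
            for extra in userinit_extras(m["body"]):
                hijack_names.add(PureWindowsPath(extra).name.lower())
                findings.append(("F2", "extra executable in UserInit logon chain: " + extra, line))

    # Pass 2: per-section heuristics on the remaining entries.
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m["section"], m["body"]
        if section == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue  # Startup-folder .lnk entries use a different layout
            command = USER_SUFFIX_RE.sub("", o4["command"])
            low = command.lower()
            if "\\temp\\" in low:
                findings.append((section, "autorun launching from a Temp directory", line))
            elif "\\" not in command:
                findings.append((section, "autorun with a bare filename and no path: " + command, line))
            elif any(name in low for name in hijack_names):
                findings.append((section, "autorun re-launching the UserInit hijack executable", line))
        elif section == "O16" and "ms-its:" in body.lower():
            findings.append((section, "ActiveX download via the ms-its: (compiled help) protocol", line))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.partition(":")[2].strip()
            if value:
                findings.append((section, "AppInit_DLLs loads into every user-mode process: " + value, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The two-pass structure matters: the F2 line is read first so that the later O4 `[userinit]` entry, which on its own looks like an ordinary absolute path under System32, is still flagged because it re-launches the same file that was appended to UserInit.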


#2 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 13 August 2007 - 04:06 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Trickster74 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Before I can provide you with any further assistance, you first need to go here and install Service Pack 1a;
http://www.microsoft.com/windowsxp/downloa...p1/default.mspx
This will patch numerous security vulnerabilities in Internet Explorer and the Windows operating system.
As your machine stands right now it's extremely vulnerable to infection.
You need to get these updates installed first before we can proceed or we'll both be wasting our time.

Do not install Service Pack 2.
If you install SP 2 on an infected machine it will cause serious problems within the operating system.

Post a new Hijackthis log into this topic when you've done the above.

#3 Trickster74
  • Topic Starter

  • Members
  • 12 posts

Posted 18 August 2007 - 06:52 PM

Done. Here's the new log. Sorry it took so long; like I said, it's my parents' PC, so sometimes it takes me a while to get over.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:06 PM, on 8/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1175578723\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
c:\program files\common files\aol\1175578723\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
c:\program files\common files\aol\1175578723\ee\aolsoftware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\America Online 4.0\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1175578723\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [server] rundll32.exe "C:\DOCUME~1\Nathan\LOCALS~1\Temp\watchdll.dll",startwatcher
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O4 - Startup: America Online Tray Icon.lnk = C:\America Online 4.0\aoltray.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsrngt.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 6241 bytes

#4 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 02 September 2007 - 04:08 AM

First of all, you've no virus protection installed.
Download/install one of the following freeware options from the choice below.
Once installed, update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.

#5 Trickster74
  • Topic Starter

  • Members
  • 12 posts

Posted 08 September 2007 - 11:11 AM

Actually, I already had AVG installed on my parents' PC. I ran that one. (192 things found).

Followed the other steps. Here are the SDFix, Combofix, and Hijack This logs:


SDFix: Version 1.102

Run by Dot on Sat 09/08/2007 at 10:33 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
core

ImagePath:
system32\drivers\core.sys

core - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\DLLH8J~1.EXE - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun1.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun10.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun11.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun13.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun15.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun16.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun17.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun19.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun22.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun25.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun26.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun27.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun29.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun3.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun31.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun32.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun34.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun36.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun37.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun38.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun39.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun40.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun41.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun43.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun45.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun46.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun47.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun49.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun5.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun51.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun52.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun53.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun55.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun57.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun58.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun61.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun63.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun64.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun65.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun68.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun7.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun70.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun71.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun72.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun75.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun77.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun78.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun79.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun82.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun84.exe - Deleted
C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun9.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun1.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun10.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun11.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun13.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun15.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun16.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun17.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun19.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun21.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun24.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun25.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun27.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun29.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun3.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun30.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun32.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun34.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun35.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun36.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun38.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun40.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun41.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun42.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun44.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun46.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun47.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun48.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun49.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun5.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun50.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun52.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun54.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun55.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun56.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun58.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun60.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun61.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun64.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun66.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun67.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun68.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun7.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun71.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun73.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun74.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun75.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun78.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun80.exe - Deleted
C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun9.exe - Deleted
C:\WINDOWS\System32KBRunOnce2.tm_ - Deleted
C:\WINDOWS\System32KBRunOnce2.t__ - Deleted
C:\WINDOWS\system32\dllh8jkd1q8.exe - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\drivers\core.sys - Deleted
C:\WINDOWS\system32\explorer.exe - Deleted
C:\WINDOWS\system32\ldinfo.ldr - Deleted
C:\WINDOWS\system32\n.ini - Deleted


Folder C:\Temp\fse - Removed
Folder C:\WINDOWS\system32\f06WtR - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\America Online 4.0\aolphx.exe
C:\America Online 4.0\aoltray.exe
C:\America Online 4.0\waol.exe
C:\Documents and Settings\Nathan\Application Data\?ystem32\n?tdde.exe
C:\Program Files\America Online 6.0\aolphx.exe
C:\Program Files\America Online 6.0\aoltray.exe
C:\Program Files\America Online 6.0\packethsvc.exe
C:\Program Files\America Online 6.0\RBM.exe
C:\Program Files\America Online 6.0\waol.exe
C:\Program Files\America Online 6.0\COMIT\cswitch.exe
C:\Program Files\America Online 9.0\AOLphx.exe
C:\Program Files\America Online 9.0\rbm.exe
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\??pPatch\wuauclt.exe
C:\WINDOWS\vicakwwA.exe
C:\WINDOWS\xzbadduA.exe
C:\WINDOWS\SYSTEM32\PackethSvc.exe
C:\WINDOWS\SoftwareDistribution\Download\b4b20917c986769c3ff7ff42e8c8d15a\download\BIT7F.tmp
C:\WINDOWS\SYSTEM32\htwqxobi.tmp
C:\WINDOWS\SYSTEM32\lnmhwfnw.tmp

Finished

ComboFix 07-09-08.8 - "Dot" 2007-09-08 10:52:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.45 [GMT -5:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Nathan\APPLIC~1\MCROSO~1
C:\DOCUME~1\Nathan\APPLIC~1\STEM32~1
C:\DOCUME~1\Nathan\APPLIC~1\WinTouch
C:\DOCUME~1\Nathan\APPLIC~1\WinTouch\wintouch.cfg
C:\DOCUME~1\Nathan\APPLIC~1\YSTEM3~1
C:\DOCUME~1\Nathan\APPLIC~1\YSTEM3~1\n?tdde.exe
C:\DOCUME~1\Nathan\err.log
C:\DOCUME~1\Nathan\STARTM~1\Programs\Outerinfo
C:\DOCUME~1\Nathan\STARTM~1\Programs\Outerinfo\Terms.lnk
C:\DOCUME~1\Nathan\STARTM~1\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\ISM
C:\Program Files\ISM\BndDrive.dll
C:\Program Files\ISM\bndloader.exe
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\ISMModule2.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\ppatch~1
C:\Program Files\ppatch~1\??pPatch\
C:\Program Files\ppatch~1\wuauclt.exe
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\i34yuc387.exe
C:\WINDOWS\Setup167.exe
C:\WINDOWS\system32\aedimvua.dll
C:\WINDOWS\system32\aefuenmi.exe
C:\WINDOWS\SYSTEM32\allkonho.ini
C:\WINDOWS\system32\aooikvms.exe
C:\WINDOWS\system32\bawegxsh.exe
C:\WINDOWS\system32\bbfijhnm.dll
C:\WINDOWS\system32\bjrwbalf.exe
C:\WINDOWS\system32\bpechpcv.exe
C:\WINDOWS\system32\bwkgdbfw.exe
C:\WINDOWS\system32\caycohdh.exe
C:\WINDOWS\system32\ccyyeuwg.exe
C:\WINDOWS\system32\cfswljww.dll
C:\WINDOWS\system32\cgomopph.dll
C:\WINDOWS\system32\comahmwv.dll
C:\WINDOWS\system32\cybkqstx.exe
C:\WINDOWS\system32\dbslmhby.exe
C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\SYSTEM32\dofvrcfu.ini
C:\WINDOWS\system32\dupwcrfu.exe
C:\WINDOWS\system32\dvmkhpfq.dll
C:\WINDOWS\system32\efcawvu.dll
C:\WINDOWS\SYSTEM32\ejnebiak.ini
C:\WINDOWS\SYSTEM32\ejnebiak.ini2
C:\WINDOWS\system32\fgynndjs.dll
C:\WINDOWS\system32\frveteve.exe
C:\WINDOWS\system32\gwpbubpl.exe
C:\WINDOWS\system32\gysedpru.exe
C:\WINDOWS\system32\hdxtufme.exe
C:\WINDOWS\SYSTEM32\hppomogc.ini
C:\WINDOWS\system32\husnmvgw.exe
C:\WINDOWS\system32\ibpdumfo.exe
C:\WINDOWS\system32\ighkfnmw.exe
C:\WINDOWS\system32\igwaaklw.exe
C:\WINDOWS\system32\ikpjqglx.exe
C:\WINDOWS\system32\imlvieuj.dll
C:\WINDOWS\system32\iqugiapn.exe
C:\WINDOWS\system32\jahgrprt.exe
C:\WINDOWS\system32\jcexrjlm.exe
C:\WINDOWS\system32\jcsiwcom.exe
C:\WINDOWS\system32\jgqyjtnw.exe
C:\WINDOWS\system32\jjxadxyg.dll
C:\WINDOWS\SYSTEM32\jueivlmi.ini
C:\WINDOWS\system32\kaibenje.dll
C:\WINDOWS\system32\kdbptovx.exe
C:\WINDOWS\system32\khexdbqq.exe
C:\WINDOWS\system32\kibyukgq.exe
C:\WINDOWS\system32\kmusivbd.exe
C:\WINDOWS\system32\kygvvsdg.exe
C:\WINDOWS\system32\lfjyefxc.exe
C:\WINDOWS\system32\lxshchha.exe
C:\WINDOWS\SYSTEM32\mnhjifbb.ini
C:\WINDOWS\SYSTEM32\mnhjifbb.tmp
C:\WINDOWS\system32\mp43.exe
C:\WINDOWS\system32\mpkmbwqy.dll
C:\WINDOWS\system32\mrfywpcb.exe
C:\WINDOWS\system32\msbind32.exe
C:\WINDOWS\system32\mwcxdnmq.exe
C:\WINDOWS\system32\obdsebrr.exe
C:\WINDOWS\system32\ocxapi.dll
C:\WINDOWS\system32\ocxloader.exe
C:\WINDOWS\system32\ohnoklla.dll
C:\WINDOWS\system32\ookowhfr.exe
C:\WINDOWS\system32\pbuqtpyd.exe
C:\WINDOWS\system32\pkvuiceb.exe
C:\WINDOWS\system32\pmnkkll.dll
C:\WINDOWS\system32\pouqwefn.exe
C:\WINDOWS\system32\ppwhmoqa.exe
C:\WINDOWS\SYSTEM32\qfphkmvd.ini
C:\WINDOWS\system32\qgoqvepg.exe
C:\WINDOWS\system32\qlkolous.exe
C:\WINDOWS\system32\qraqxwlj.exe
C:\WINDOWS\system32\qsbxlhaq.exe
C:\WINDOWS\system32\rwrdcacs.exe
C:\WINDOWS\system32\seicfrjj.exe
C:\WINDOWS\SYSTEM32\sjdnnygf.ini
C:\WINDOWS\system32\sybwjlan.exe
C:\WINDOWS\system32\tcypivsk.exe
C:\WINDOWS\system32\tpxfvicr.exe
C:\WINDOWS\system32\ufcrvfod.dll
C:\WINDOWS\system32\ujahkchh.exe
C:\WINDOWS\system32\uufjvghe.exe
C:\WINDOWS\system32\uwjqsfse.exe
C:\WINDOWS\system32\voppuxum.exe
C:\WINDOWS\system32\vvxwnuai.exe
C:\WINDOWS\SYSTEM32\vwmhamoc.ini
C:\WINDOWS\system32\wasopnnb.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wiqcojvs.exe
C:\WINDOWS\system32\wsalceor.exe
C:\WINDOWS\SYSTEM32\wwjlwsfc.ini
C:\WINDOWS\system32\xdijcwmu.exe
C:\WINDOWS\system32\xfmlxcxb.exe
C:\WINDOWS\system32\xhtqrshi.exe
C:\WINDOWS\system32\xkfsgvmb.exe
C:\WINDOWS\system32\xngtknhs.exe
C:\WINDOWS\system32\xokmylnl.exe
C:\WINDOWS\system32\xpvgqmtl.exe
C:\WINDOWS\system32\xqofrdxt.exe
C:\WINDOWS\system32\xsgnffnc.exe
C:\WINDOWS\system32\xxfhlnrn.exe
C:\WINDOWS\system32\xxqwerdf.exe
C:\WINDOWS\system32\xxywurr.dll
C:\WINDOWS\system32\yevrmomu.exe
C:\WINDOWS\system32\yibuhofw.exe
C:\WINDOWS\SYSTEM32\yqwbmkpm.ini
C:\WINDOWS\SYSTEM32\yqwbmkpm.ini2
C:\WINDOWS\system32\yvnnfcay.exe
C:\WINDOWS\system32\ywcugjdo.exe
C:\WINDOWS\uni_eh45.exe
C:\WINDOWS\uninst1017.exe
C:\WINDOWS\xhelper.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_FOPN


((((((((((((((((((((((((( Files Created from 2007-08-08 to 2007-09-08 )))))))))))))))))))))))))))))))
.

2007-09-08 10:51 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-08 10:32 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-06 10:00 273,624 --a------ C:\WINDOWS\SYSTEM32\lodctr.dll
2007-09-01 10:35 <DIR> d-------- C:\MicroProse
2007-08-18 18:34 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-08-18 18:34 <DIR> d-------- C:\WINDOWS\ehome
2007-08-18 17:46 <DIR> d-------- C:\WinBackups
2007-08-17 10:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-08-12 15:50 <DIR> d-------- C:\HijackThis-
2007-08-12 15:30 0 --a------ C:\WINDOWS\mozver.dat
2007-08-11 12:23 <DIR> d-------- C:\DOCUME~1\Dot\APPLIC~1\Lavasoft
2007-08-11 11:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-11 11:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-11 11:24 <DIR> d-------- C:\DOCUME~1\Dot\APPLIC~1\SUPERAntiSpyware.com
2007-08-11 11:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-11 11:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-08-11 09:51 4 --a------ C:\WINDOWS\SYSTEM32\iebdfex.dll
2007-08-11 09:20 4,212 --ah----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-08-11 09:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-11 09:19 75,932 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
2007-08-11 09:19 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-08-11 09:19 74,396 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
2007-08-11 09:19 24,608 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2007-08-11 09:19 2,080 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
2007-08-11 09:17 110,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kl1.sys
2007-08-11 09:16 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-08-11 09:16 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-08-11 09:14 <DIR> d-------- C:\WINDOWS\Internet Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-08 10:50 448014 --a------ C:\WINDOWS\SYSTEM32\ielog.dll
2007-08-26 20:25 --------- d-------- C:\Program Files\America Online 6.0
2007-08-17 11:21 --------- d-------- C:\Program Files\THQ
2007-08-12 17:04 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-11 11:33 226 --a------ C:\PPCleanDeleteAtReboot.bat
2007-08-11 09:42 1364 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-11 09:42 1244 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-05 08:11 7298 --a------ C:\sysirza.exe
2007-08-04 20:17 7298 --a------ C:\sysfwql.exe
2007-08-04 18:52 7298 --a------ C:\sysmurl.exe
2007-08-04 17:25 7298 --a------ C:\syscaly.exe
2007-08-04 07:51 7298 --a------ C:\sysgixd.exe
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-26 05:29 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(3).dsk
2007-07-26 05:29 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(2).dsk
1989-12-12 15:10:10 1,176,352 --sh--r C:\WINDOWS\vicakwwA.exe
1989-12-12 15:10:10 346,352 --sh--r C:\WINDOWS\xzbadduA.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{084A5DE5-832E-489D-A704-216F7EEB82AC}]
C:\PROGRAM FILES\COMPLUS APPLICATIONS\HOKESOCUN1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C8D8EE0-330A-4FD7-7871-3CB60B49F29F}]
C:\WINDOWS\System32\rljzw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4551BB6-FD12-481F-B77F-08C33F4054BF}]
C:\Program Files\ComPlus Applications\hokesocun83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C06BE0E2-C558-4B86-8440-370F1CC5A21A}]
2007-07-26 05:35 228864 --a------ C:\DOCUME~1\Nathan\LOCALS~1\Temp\system2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}]
2007-09-08 11:04 70208 --a------ C:\WINDOWS\System32\hclioquk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 23:41]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-01-02 12:58]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 17:59]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-05 02:26]
"HostManager"="C:\Program Files\Common Files\AOL\1175578723\ee\AOLSoftware.exe" [2006-09-25 19:52]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 16:33]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
"server"="C:\DOCUME~1\Nathan\LOCALS~1\Temp\watchdll.dll" [2007-07-26 05:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 05:41]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [2001-07-25 11:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"server"="C:\DOCUME~1\Nathan\LOCALS~1\Temp\watchdll.dll,startwatcher" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Camio Viewer 2000.lnk - C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe [2002-01-02 12:57:27]
DESKTOP.INI [2001-11-15 08:31:16]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 18:06:54]

C:\DOCUME~1\Dot\STARTM~1\Programs\Startup\
America Online Tray Icon.lnk - C:\America Online 4.0\aoltray.exe [2002-03-23 20:49:00]
DESKTOP.INI [2001-11-15 08:31:16]

C:\DOCUME~1\Nathan\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-11-15 08:31:16]

C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-11-15 08:31:16]

C:\DOCUME~1\Tom\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-11-15 08:31:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\system2]
C:\DOCUME~1\Nathan\LOCALS~1\Temp\system2.dll 2007-07-26 05:35 228864 C:\DOCUME~1\Nathan\LOCALS~1\Temp\system2.dll

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2K;pwd_2K;C:\WINDOWS\System32\drivers\pwd_2K.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 Nhksrv;Netropa NHK Server;C:\WINDOWS\Nhksrv.exe
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
R3 Msikbd2k;DellTouch;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\System32\DRIVERS\ati2mpaa.sys
S3 dump_wmimmc;dump_wmimmc;\??\C:\WINDOWS\System32\drivers\dump_wmimmc.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S4 hpt3xx;hpt3xx;C:\WINDOWS\System32\DRIVERS\hpt3xx.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-08 05:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-08 14:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-08 15:00:02 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-08 16:00:03 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-07 17:00:00 C:\WINDOWS\Tasks\At13.job"
"2007-09-07 18:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-07 19:00:00 C:\WINDOWS\Tasks\At15.job"
"2007-09-07 20:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-07 21:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-07 22:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-07 23:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-08 06:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-08 00:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-08 01:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-08 02:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-08 03:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-08 04:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-08 07:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-08 08:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-08 09:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-08 10:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-08 11:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-08 12:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2007-09-08 13:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\XwD1S06A.exe
"2006-07-08 23:49:18 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1130971406.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-08 11:03:21
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\hclioquk.dll

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-09-08 11:07:22 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-08 11:07
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:20 AM, on 9/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CMD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1175578723\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\program files\common files\aol\1175578723\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1175578723\ee\aolsoftware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\America Online 4.0\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1175578723\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [server] rundll32.exe "C:\DOCUME~1\Nathan\LOCALS~1\Temp\watchdll.dll",startwatcher
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [server] rundll32.exe "C:\DOCUME~1\Nathan\LOCALS~1\Temp\watchdll.dll",startwatcher
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: America Online Tray Icon.lnk = C:\America Online 4.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 5507 bytes

Thanks again Richie!

#6 RichieUK (Malware Response Team)

Posted 08 September 2007 - 12:54 PM

Download SmitfraudFix (by S!Ri) to your desktop.
Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double click on Smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt
Post the Smitfraudfix report into your next reply.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\sysirza.exe
C:\sysfwql.exe
C:\sysmurl.exe
C:\syscaly.exe
C:\sysgixd.exe
C:\WINDOWS\vicakwwA.exe
C:\WINDOWS\xzbadduA.exe
C:\WINDOWS\SYSTEM32\lodctr.dll
C:\WINDOWS\SYSTEM32\ielog.dll
C:\WINDOWS\system32\hclioquk.dll
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(2).dsk

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{084A5DE5-832E-489D-A704-216F7EEB82AC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C8D8EE0-330A-4FD7-7871-3CB60B49F29F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4551BB6-FD12-481F-B77F-08C33F4054BF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C06BE0E2-C558-4B86-8440-370F1CC5A21A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"server"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C06BE0E2-C558-4B86-8440-370F1CC5A21A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"server"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\system2]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
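As an added example (not code from this thread, ComboFix or HijackThis), the following script parses a CFScript in the File::/Registry:: format used in the instructions above, pulls the O4 Run entries out of HijackThis logs, flags loaders that run out of a user's Temp folder (the rundll32 + watchdll.dll pattern in the logs above), and confirms that the Run values the script deletes are gone from the follow-up log. The sample log lines and the CFScript excerpt are constructed from this thread, and the Temp-folder heuristic is an assumption of this example, not a rule from either tool.

```python
"""Cross-check a ComboFix CFScript against HijackThis O4 Run entries.

Added example, not code from the thread, ComboFix or HijackThis.
CFScript conventions handled: a "File::" section listing files to delete,
a "Registry::" section where "[-key]" deletes a whole key and a
'"name"=-' line under a "[key]" header deletes one value.
"""
import re

# Constructed from the 8 Sep and 15 Sep HijackThis logs posted in the thread.
HJT_BEFORE = """\
O4 - HKLM\\..\\Run: [ZoneAlarm Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O4 - HKLM\\..\\Run: [server] rundll32.exe "C:\\DOCUME~1\\Nathan\\LOCALS~1\\Temp\\watchdll.dll",startwatcher
O4 - HKCU\\..\\Run: [swg] C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe
O4 - HKCU\\..\\Run: [server] rundll32.exe "C:\\DOCUME~1\\Nathan\\LOCALS~1\\Temp\\watchdll.dll",startwatcher
"""
HJT_AFTER = """\
O4 - HKLM\\..\\Run: [ZoneAlarm Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O4 - HKCU\\..\\Run: [swg] C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe
O4 - HKCU\\..\\Run: [AOL Fast Start] "C:\\Program Files\\America Online 9.0\\AOL.EXE" -b
"""
# Excerpt of the CFScript given in the reply above (constructed sample).
CFSCRIPT = """\
File::
C:\\WINDOWS\\vicakwwA.exe
C:\\WINDOWS\\system32\\hclioquk.dll

Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"server"=-
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"server"=-
"""

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
TEMP_RE = re.compile(r'\\temp\\', re.IGNORECASE)
HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def parse_cfscript(text):
    """Return (files, keys_to_delete, values_to_delete).

    files: lower-cased paths from File::; keys_to_delete: keys written as
    [-key]; values_to_delete: (hive_abbrev, key_path, value_name) tuples."""
    files, keys, values = set(), set(), set()
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):               # section header, e.g. File::
            section, current_key = line[:-2].lower(), None
            continue
        if section == "file":
            files.add(line.lower())
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                keys.add(line[2:-1])            # delete whole key
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]        # following "name"=- lines
            elif line.endswith("=-") and current_key:
                hive, _, path = current_key.partition("\\")
                name = line.split("=", 1)[0].strip('"')
                values.add((HIVE_ABBREV.get(hive, hive), path, name))
    return files, keys, values


def parse_run_entries(hjt_log):
    """Return (hive, value_name, command) for every O4 ...\\Run line."""
    return [m.groups() for m in map(O4_RE.match, hjt_log.splitlines()) if m]


def suspicious_run_entries(entries):
    """Flag Run values whose command loads code from a Temp directory.

    Heuristic assumed by this example: legitimate software rarely persists
    from a user's Temp folder, so such entries deserve a closer look."""
    return [e for e in entries if TEMP_RE.search(e[2])]


def remaining_after_fix(cfscript_text, hjt_after):
    """Return (run_entries_still_present, files_still_referenced) for the
    items the script targeted, checked against the follow-up log."""
    files, _keys, values = parse_cfscript(cfscript_text)
    wanted = {(hive, name.lower()) for hive, _path, name in values}
    leftovers = [e for e in parse_run_entries(hjt_after)
                 if (e[0], e[1].lower()) in wanted]
    lowered = hjt_after.lower()
    return leftovers, sorted(f for f in files if f in lowered)


if __name__ == "__main__":
    for hive, name, cmd in suspicious_run_entries(parse_run_entries(HJT_BEFORE)):
        print(f"suspicious {hive} Run value [{name}]: {cmd}")
    runs, files = remaining_after_fix(CFSCRIPT, HJT_AFTER)
    print("leftover Run entries:", runs, "leftover files:", files)
```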

#7 Trickster74 (Topic Starter)

Posted 15 September 2007 - 06:33 PM

Here's the Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:05 PM, on 9/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1175578723\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0\waol.exe
c:\program files\common files\aol\1175578723\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
c:\program files\common files\aol\1175578723\ee\aolsoftware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\America Online 4.0\aoltray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1175578723\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: America Online Tray Icon.lnk = C:\America Online 4.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 5241 bytes


Here's the Smitfraud log:

SmitFraudFix v2.225

Scan done at 18:02:33.53, Sat 09/15/2007
Run from C:\Documents and Settings\Dot\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\Tasks\At?.job Deleted
C:\WINDOWS\Tasks\At??.job Deleted
C:\WINDOWS\system32\ld???.tmp Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{459850F3-8F64-47E3-BBAC-DC0848A8753D}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS1\Services\Tcpip\..\{459850F3-8F64-47E3-BBAC-DC0848A8753D}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS2\Services\Tcpip\..\{459850F3-8F64-47E3-BBAC-DC0848A8753D}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
[Winlogon\Notify\system2]


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Here's the Combofix log:

ComboFix 07-09-08.8 - "Dot" 2007-09-15 18:13:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.54 [GMT -5:00]
* Created a new restore point

FILE::
C:\sysirza.exe
C:\sysfwql.exe
C:\sysmurl.exe
C:\syscaly.exe
C:\sysgixd.exe
C:\WINDOWS\vicakwwA.exe
C:\WINDOWS\xzbadduA.exe
C:\WINDOWS\SYSTEM32\lodctr.dll
C:\WINDOWS\SYSTEM32\ielog.dll
C:\WINDOWS\system32\hclioquk.dll
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(2).dsk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\syscaly.exe
C:\sysfwql.exe
C:\sysgixd.exe
C:\sysirza.exe
C:\sysmurl.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\SYSTEM32\bndcgdoi.ini
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\hclioquk.dll
C:\WINDOWS\SYSTEM32\ielog.dll
C:\WINDOWS\system32\iodgcdnb.dll
C:\WINDOWS\system32\lhcesngj.exe
C:\WINDOWS\SYSTEM32\lodctr.dll
C:\WINDOWS\system32\mslphdcu.exe
C:\WINDOWS\system32\pxqarsoa.exe
C:\WINDOWS\system32\wgxfbsgm.dll
C:\WINDOWS\system32\wtgoqfwb.dll
C:\WINDOWS\system32\yvvphcba.exe
C:\WINDOWS\vicakwwA.exe
C:\WINDOWS\xzbadduA.exe


((((((((((((((((((((((((( Files Created from 2007-08-15 to 2007-09-15 )))))))))))))))))))))))))))))))
.

2007-09-15 18:02 2,842 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-09-15 17:54 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2007-09-15 17:54 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-09-15 17:54 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2007-09-15 17:54 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-09-15 14:46 <DIR> d-------- C:\Program Files\LEGO Interactive
2007-09-08 10:51 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-08 10:32 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-01 10:35 <DIR> d-------- C:\MicroProse
2007-08-18 18:34 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-08-18 18:34 <DIR> d-------- C:\WINDOWS\ehome
2007-08-18 17:46 <DIR> d-------- C:\WinBackups
2007-08-17 10:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-15 14:46 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-26 20:25 --------- d-------- C:\Program Files\America Online 6.0
2007-08-18 20:06 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-08-17 11:21 --------- d-------- C:\Program Files\THQ
2007-08-12 17:04 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-11 12:23 --------- d-------- C:\DOCUME~1\Dot\APPLIC~1\Lavasoft
2007-08-11 11:33 226 --a------ C:\PPCleanDeleteAtReboot.bat
2007-08-11 11:24 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-11 11:24 --------- d-------- C:\DOCUME~1\Dot\APPLIC~1\SUPERAntiSpyware.com
2007-08-11 11:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-11 09:42 24608 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-11 09:42 2080 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-08-11 09:42 1364 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-11 09:42 1244 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-11 09:20 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-11 09:19 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-08-11 09:19 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-06-21 21:54 75248 --a------ C:\WINDOWS\zllsputility.exe
2007-06-21 21:54 1086952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
.

((((((((((((((((((((((((((((( snapshot_2007-09-08_110633.21 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 36,864 2005-04-19 19:56:40 C:\WINDOWS\SoftwareDistribution\Download\0cac8034bb449a0ac3de4b3ec952cd04\iecustom.dll
----a-w 163,840 2006-05-27 03:19:50 C:\WINDOWS\SoftwareDistribution\Download\0cac8034bb449a0ac3de4b3ec952cd04\jgdw400.dll
----a-w 27,648 2006-04-06 21:15:48 C:\WINDOWS\SoftwareDistribution\Download\0cac8034bb449a0ac3de4b3ec952cd04\jgpl400.dll
----a-w 14,048 2005-06-28 15:20:36 C:\WINDOWS\SoftwareDistribution\Download\0cac8034bb449a0ac3de4b3ec952cd04\spmsg.dll
----a-w 213,216 2005-06-28 15:23:26 C:\WINDOWS\SoftwareDistribution\Download\0cac8034bb449a0ac3de4b3ec952cd04\spuninst.exe
----a-w 36,864 2005-04-19 19:56:40 C:\WINDOWS\SoftwareDistribution\Download\0cac8034bb449a0ac3de4b3ec952cd04\update\iecustom.dll
----a-w 716,000 2005-06-28 15:24:52 C:\WINDOWS\SoftwareDistribution\Download\0cac8034bb449a0ac3de4b3ec952cd04\update\update.exe
----a-w 371,424 2005-06-28 15:23:54 C:\WINDOWS\SoftwareDistribution\Download\0cac8034bb449a0ac3de4b3ec952cd04\update\updspapi.dll
----a-w 14,048 2005-02-25 03:35:05 C:\WINDOWS\SoftwareDistribution\Download\2caf60f9f7c0d52d92848e52e67748bb\spmsg.dll
----a-w 209,632 2005-02-25 03:35:05 C:\WINDOWS\SoftwareDistribution\Download\2caf60f9f7c0d52d92848e52e67748bb\spuninst.exe
----a-w 230,400 2005-08-05 17:23:27 C:\WINDOWS\SoftwareDistribution\Download\2caf60f9f7c0d52d92848e52e67748bb\sp1qfe\msieftp.dll
----a-w 27,648 2005-08-24 04:53:53 C:\WINDOWS\SoftwareDistribution\Download\2caf60f9f7c0d52d92848e52e67748bb\update\arpidfix.exe
----a-w 22,240 2005-02-25 03:35:05 C:\WINDOWS\SoftwareDistribution\Download\2caf60f9f7c0d52d92848e52e67748bb\update\spcustom.dll
----a-w 718,048 2005-02-25 03:35:05 C:\WINDOWS\SoftwareDistribution\Download\2caf60f9f7c0d52d92848e52e67748bb\update\update.exe
----a-w 371,936 2005-02-25 03:35:06 C:\WINDOWS\SoftwareDistribution\Download\2caf60f9f7c0d52d92848e52e67748bb\update\updspapi.dll
----a-w 14,048 2005-02-25 01:35:06 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\spmsg.dll
----a-w 209,632 2005-02-25 01:35:06 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\spuninst.exe
----a-w 220,672 2005-07-26 04:30:34 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\catsrv.dll
----a-w 581,632 2005-07-26 04:30:38 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\catsrvut.dll
----a-w 110,080 2005-07-26 04:30:38 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\clbcatex.dll
----a-w 497,152 2005-07-26 04:30:41 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\clbcatq.dll
----a-w 62,464 2005-07-26 04:30:41 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\colbact.dll
----a-w 187,392 2005-07-26 04:30:42 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\comadmin.dll
----a-w 89,600 2005-07-26 04:30:42 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\comrepl.dll
----a-w 1,179,136 2005-07-26 04:30:49 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\comsvcs.dll
----a-w 499,200 2005-07-26 04:31:11 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\comuid.dll
----a-w 227,328 2005-07-26 04:31:12 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\es.dll
----a-w 368,640 2005-07-26 04:31:12 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\msdtcprx.dll
----a-w 973,824 2005-07-26 04:31:12 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\msdtctm.dll
----a-w 150,528 2005-07-26 04:31:12 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\msdtcuiu.dll
----a-w 64,512 2005-07-26 04:31:12 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\mtxclu.dll
----a-w 83,456 2005-07-26 04:31:13 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\mtxoci.dll
----a-w 1,190,400 2005-07-26 04:31:13 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\ole32.dll
----a-w 68,608 2005-07-26 04:31:13 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\olecli32.dll
----a-w 35,328 2005-07-26 04:31:13 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\olecnv32.dll
----a-w 535,552 2004-03-06 02:16:11 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\rpcrt4.dll
----a-w 276,992 2005-07-26 04:31:13 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\rpcss.dll
----a-w 97,280 2005-07-26 04:31:13 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\txflog.dll
----a-w 11,776 2005-07-26 04:31:13 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp1qfe\xolehlp.dll
----a-w 225,792 2005-07-26 04:39:42 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\catsrv.dll
----a-w 625,152 2005-07-26 04:39:43 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\catsrvut.dll
----a-w 110,080 2005-07-26 04:39:43 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\clbcatex.dll
----a-w 498,688 2005-07-26 04:39:43 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\clbcatq.dll
----a-w 60,416 2005-07-26 04:39:43 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\colbact.dll
----a-w 195,072 2005-07-26 04:39:44 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\comadmin.dll
----a-w 97,792 2005-07-26 04:39:44 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\comrepl.dll
----a-w 1,267,200 2005-07-26 04:39:44 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\comsvcs.dll
----a-w 540,160 2005-07-26 04:39:45 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\comuid.dll
----a-w 243,200 2005-07-26 04:39:45 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\es.dll
----a-w 7,680 2005-07-25 23:46:57 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\migregdb.exe
----a-w 425,472 2005-07-26 04:39:46 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\msdtcprx.dll
----a-w 945,152 2005-07-26 04:39:47 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\msdtctm.dll
----a-w 161,280 2005-07-26 04:39:47 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\msdtcuiu.dll
----a-w 66,560 2005-07-26 04:39:47 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\mtxclu.dll
----a-w 91,136 2005-07-26 04:39:47 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\mtxoci.dll
----a-w 1,285,120 2005-07-26 04:39:48 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\ole32.dll
----a-w 74,752 2005-07-26 04:39:48 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\olecli32.dll
----a-w 37,888 2005-07-26 04:39:49 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\olecnv32.dll
----a-w 397,824 2005-07-26 04:39:49 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\rpcss.dll
----a-w 101,376 2005-07-26 04:39:49 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\txflog.dll
----a-w 11,776 2005-07-26 04:39:49 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2gdr\xolehlp.dll
----a-w 225,792 2005-07-26 04:20:23 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\catsrv.dll
----a-w 625,152 2005-07-26 04:20:23 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\catsrvut.dll
----a-w 110,080 2005-07-26 04:20:23 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\clbcatex.dll
----a-w 498,688 2005-07-26 04:20:24 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\clbcatq.dll
----a-w 60,416 2005-07-26 04:20:24 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\colbact.dll
----a-w 195,072 2005-07-26 04:20:24 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\comadmin.dll
----a-w 97,792 2005-07-26 04:20:25 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\comrepl.dll
----a-w 1,267,200 2005-07-26 04:20:27 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\comsvcs.dll
----a-w 540,160 2005-07-26 04:20:28 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\comuid.dll
----a-w 243,200 2005-07-26 04:20:28 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\es.dll
----a-w 8,704 2005-07-25 23:42:35 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\migregdb.exe
----a-w 425,472 2005-07-26 04:20:29 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\msdtcprx.dll
----a-w 945,152 2005-07-26 04:20:31 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\msdtctm.dll
----a-w 161,280 2005-07-26 04:20:31 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\msdtcuiu.dll
----a-w 66,560 2005-07-26 04:20:39 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\mtxclu.dll
----a-w 91,136 2005-07-26 04:20:40 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\mtxoci.dll
----a-w 1,285,632 2005-07-26 04:20:40 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\ole32.dll
----a-w 74,752 2005-07-26 04:20:40 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\olecli32.dll
----a-w 37,376 2005-07-26 04:20:40 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\olecnv32.dll
----a-w 398,336 2005-07-26 04:20:40 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\rpcss.dll
----a-w 101,376 2005-07-26 04:20:40 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\txflog.dll
----a-w 11,776 2005-07-26 04:20:40 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\sp2qfe\xolehlp.dll
----a-w 30,720 2005-07-26 00:21:18 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\update\arpidfix.exe
----a-w 22,240 2005-02-25 01:35:06 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\update\spcustom.dll
----a-w 718,048 2005-02-25 01:35:06 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\update\update.exe
----a-w 371,936 2005-02-25 01:35:08 C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\update\updspapi.dll
----a-w 262,144 2007-09-15 23:11:22 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat
.
----a-w 262,144 2007-09-08 15:51:39 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C09D7B25-18E5-47D4-B32F-306471F37127}]
2007-07-26 05:35 228864 --a------ C:\DOCUME~1\Nathan\LOCALS~1\Temp\system2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 23:41]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-01-02 12:58]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 17:59]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-05 02:26]
"HostManager"="C:\Program Files\Common Files\AOL\1175578723\ee\AOLSoftware.exe" [2006-09-25 19:52]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 16:33]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 05:41]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [2001-07-25 11:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2005-07-12 06:17]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Camio Viewer 2000.lnk - C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe [2002-01-02 12:57:27]
DESKTOP.INI [2001-11-15 08:31:16]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 18:06:54]

C:\DOCUME~1\Dot\STARTM~1\Programs\Startup\
America Online Tray Icon.lnk - C:\America Online 4.0\aoltray.exe [2002-03-23 20:49:00]
DESKTOP.INI [2001-11-15 08:31:16]

C:\DOCUME~1\Nathan\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-11-15 08:31:16]

C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-11-15 08:31:16]

C:\DOCUME~1\Tom\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-11-15 08:31:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\system2]
C:\DOCUME~1\Nathan\LOCALS~1\Temp\system2.dll 2007-07-26 05:35 228864 C:\DOCUME~1\Nathan\LOCALS~1\Temp\system2.dll

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2K;pwd_2K;C:\WINDOWS\System32\drivers\pwd_2K.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 Nhksrv;Netropa NHK Server;C:\WINDOWS\Nhksrv.exe
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
R3 Msikbd2k;DellTouch;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\System32\DRIVERS\ati2mpaa.sys
S3 dump_wmimmc;dump_wmimmc;\??\C:\WINDOWS\System32\drivers\dump_wmimmc.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S4 hpt3xx;hpt3xx;C:\WINDOWS\System32\DRIVERS\hpt3xx.sys

.
Contents of the 'Scheduled Tasks' folder
"2006-07-08 23:49:18 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1130971406.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-15 18:22:08
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-15 18:28:11 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-15 18:28
C:\ComboFix2.txt ... 2007-09-08 11:07
.
--- E O F ---


Thanks a lot again Richie!!
