Malware/trojan? Help


  • This topic is locked
16 replies to this topic

#1 Stotic

  • Members
  • 48 posts
  • Gender:Male
  • Location:New York

Posted 20 August 2007 - 03:09 PM

I found that I have some type of trojan/malware file on my system. I did all the things that I'm supposed to do to get rid of it, but I'm not sure if it's gone. Ad-Aware keeps picking it up after each scan. I get random IE popup ads from time to time. I also get these virus warnings:

Posted Image

After a recent scan, Ad-Aware turns up nothing, but I still get the virus warnings. Here is an HJT scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:16 PM, on 8/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MATH DOES FIRST MODE] C:\Documents and Settings\All Users\Application Data\live 64 math does\Obj link.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [magseq] C:\DOCUME~1\ADMINI~1\APPLIC~1\SHIMCL~1\mapi save mp3.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183496207609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8032 bytes
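As an added triage example (not from the thread, and not part of HijackThis, NoLop or ComboFix): a small Python parser for the O4 startup lines in the log above that reduces each entry to the file actually loaded and flags entries launching from user-writable data directories, which is where the two non-vendor entries (`MATH DOES FIRST MODE` and `magseq`) point. The sample lines are copied from the log; the expansions for `%ProgramFiles%`, `%systemroot%` and the 8.3 short names are assumptions for a default single-drive XP install.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: a subset of the O4 startup lines copied from the HijackThis log above.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MATH DOES FIRST MODE] C:\Documents and Settings\All Users\Application Data\live 64 math does\Obj link.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [magseq] C:\DOCUME~1\ADMINI~1\APPLIC~1\SHIMCL~1\mapi save mp3.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
"""

# Registry-backed entries: "O4 - <hive>\..\Run[Once]: [<value name>] <command line>"
RUN_KEY_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder entries: "O4 - Global Startup: <shortcut>.lnk = <target>"
STARTUP_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")           # HKUS lines carry "(User 'SYSTEM')"
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+", re.IGNORECASE)  # the hosted DLL/CPL is what matters
# Unquoted paths may contain spaces, so cut at the first executable extension, not the first space
EXT_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|cpl|scr|com|bat|pif))(?:[\s,]|$)", re.IGNORECASE)

# Assumed defaults for a standard single-drive XP install (not taken from the log)
ENV_DEFAULTS = {"%programfiles%": "C:\\Program Files", "%systemroot%": "C:\\WINDOWS", "%windir%": "C:\\WINDOWS"}
SHORT_NAMES = {"DOCUME~1": "Documents and Settings", "APPLIC~1": "Application Data",
               "ALLUSE~1": "All Users", "PROGRA~1": "Program Files"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Finding:
    name: str
    key: str
    target: str
    verdict: str               # "system", "unqualified" or "suspect"
    reasons: List[str] = field(default_factory=list)


def extract_target(cmd: str) -> str:
    """Reduce a Run-key command line to the file that actually gets loaded."""
    cmd = RUNDLL_RE.sub("", USER_SUFFIX_RE.sub("", cmd).strip())
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    if m:
        return m.group("path")
    return cmd.split()[0] if cmd else ""   # no recognised extension (e.g. "dumprep 0 -k")


def normalise(path: str) -> str:
    """Expand the assumed environment variables and 8.3 short names so paths compare cleanly."""
    low = path.lower()
    for var, value in ENV_DEFAULTS.items():
        if low.startswith(var):
            path = value + path[len(var):]
            break
    for short, long_name in SHORT_NAMES.items():
        path = re.sub(re.escape(short), long_name, path, flags=re.IGNORECASE)
    return path


def classify(target: str) -> Tuple[str, List[str]]:
    norm = normalise(target)
    low = norm.lower()
    if "\\" not in norm:
        return "unqualified", ["bare filename resolved via the search path; confirm which copy runs"]
    reasons = []
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("launched from a user-writable data directory")
    elif not low.startswith(TRUSTED_ROOTS):
        reasons.append("launched from outside Program Files and the Windows directory")
    if reasons and " " in norm.rsplit("\\", 1)[-1]:
        reasons.append("executable name contains spaces")   # corroborating, not decisive on its own
    return ("suspect" if reasons else "system"), reasons


def parse_o4(log_text: str) -> List[Finding]:
    findings = []
    for line in log_text.splitlines():
        m = RUN_KEY_RE.match(line.strip()) or STARTUP_RE.match(line.strip())
        if not m:
            continue
        target = extract_target(m.group("cmd"))
        verdict, reasons = classify(target)
        findings.append(Finding(m.group("name"), m.group("key"), target, verdict, reasons))
    return findings


def suspect_entries(log_text: str) -> List[Finding]:
    return [f for f in parse_o4(log_text) if f.verdict == "suspect"]


if __name__ == "__main__":
    for f in parse_o4(SAMPLE_HJT_LOG):
        note = f"  <- {'; '.join(f.reasons)}" if f.reasons else ""
        print(f"{f.verdict:11} [{f.name}] {f.target}{note}")
```

Entries marked "unqualified" (a bare filename such as Narrator.exe) are not flagged, but they resolve through the search path, so the copy that actually runs is worth confirming during a manual review.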


#2 Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 20 August 2007 - 11:00 PM

Hi Stotic, and welcome to the BleepingComputer Forums.

My name is Trevuren and I will be helping you with your problem.


A. Please provide a list of uninstallable programs.

To Provide a List of Installed Programs
  • Run HijackThis.
  • Click Config>>Miscellaneous Tools>>Open Uninstall Manager>>Save List
  • Save list to Desktop
  • Copy the Notepad list and Paste it into this thread.

B. Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it
  • Now click the button labeled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A message should pop up from NoLop. If not, double click the program again and it will finish.
Please post the contents of C:\NoLop.log along with a fresh HijackThis log.
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program. --
Microsoft MVP - Consumer Security 2008 - 2009

Posted Image

#3 Stotic

  • Topic Starter
  • Members
  • 48 posts
  • Gender:Male
  • Location:New York

Posted 20 August 2007 - 11:16 PM

Uninstallable programs:

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
AOL Instant Messenger
Apple Software Update
AssociateCert 4.0
Baseball Mogul 2007
Baseball Mogul 2008
Battlefield 2™ Demo
BitLord 1.1
Boson NetSim for CCNP BETA 2b
Boson NetSim LE for Cisco Press ICND
Cisco Press CCNA ICND Test
Cisco Press CCNA INTRO Test
Conexant HD Audio
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Flash Cards
Free iPod Video Converter 1.26
Google Earth
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB912436)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915326)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
HP Imaging Device Functions 6.1
HP Integrated Module with Bluetooth wireless technology
HP Pavilion Webcam Demo
HP Pavilion Webcam Tray Icon
HP Quick Launch Buttons 6.00 G2
HP QuickPlay 2.1
HP Solution Center and Imaging Support Tools 6.1
HP Update
HP Wireless Assistant 2.00 E1
Intel® PRO Network Connections Drivers
iTunes
J2SE Runtime Environment 5.0 Update 6
Logitech Gaming Software
Logitech SetPoint
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash Player 8
Macromedia Shockwave Player
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Mozilla Firefox (1.5.0.12)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MVP Baseball 2005
MySQL Server 5.0
Nero 6 Ultra Edition
Nightmist
NVIDIA Drivers
Panda ActiveScan
PokerTH
QuickTime
RealPlayer
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
SemSim Router Simulator
SmartAudio
Spybot - Search & Destroy 1.4
Synaptics Pointing Device Driver
TestOut Navigator (Stand-Alone Version)
Total MLB 1.13
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Ventrilo Client
VPN Client
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888402
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
WinRAR archiver
WinSCP 3.7.5 beta
Wireless Home Network Setup
World of Warcraft



NoLop.log:

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Administrator\Desktop
[8/21/2007]
[12:09:36 AM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\AF82B15E979128C6.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Adobe
C:\Documents and Settings\Administrator\Application Data\Adobeum
C:\Documents and Settings\Administrator\Application Data\Aim
C:\Documents and Settings\Administrator\Application Data\Apple Computer
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo
C:\Documents and Settings\Administrator\Application Data\Cyberlink
C:\Documents and Settings\Administrator\Application Data\Divx
C:\Documents and Settings\Administrator\Application Data\Gearbox Software
C:\Documents and Settings\Administrator\Application Data\Google
C:\Documents and Settings\Administrator\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Administrator\Application Data\Hp
C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Lavasoft
C:\Documents and Settings\Administrator\Application Data\Logitech
C:\Documents and Settings\Administrator\Application Data\Macromedia
C:\Documents and Settings\Administrator\Application Data\Microgaming
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Mozilla
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2
C:\Documents and Settings\Administrator\Application Data\Pokerth
C:\Documents and Settings\Administrator\Application Data\Real
C:\Documents and Settings\Administrator\Application Data\Shim Close
C:\Documents and Settings\Administrator\Application Data\Sports Interactive
C:\Documents and Settings\Administrator\Application Data\Sun
C:\Documents and Settings\Administrator\Application Data\Teamspeak2
C:\Documents and Settings\Administrator\Application Data\Template
C:\Documents and Settings\Administrator\Application Data\Thunderbird
C:\Documents and Settings\Administrator\Application Data\U3
C:\Documents and Settings\Administrator\Application Data\Uniblue -- EMPTY Directory
C:\Documents and Settings\Administrator\Application Data\Ventrilo
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Cyberlink
C:\Documents and Settings\All Users\Application Data\Geek Squad
C:\Documents and Settings\All Users\Application Data\Hp
C:\Documents and Settings\All Users\Application Data\Live 64 Math Does
C:\Documents and Settings\All Users\Application Data\Macromedia
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Network Associates
C:\Documents and Settings\All Users\Application Data\Nview_profiles -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Viewpoint -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\{b9dfdef4-3471-4379-bdbb-deda8a9809df}
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Adobe
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft

#4 Stotic

  • Topic Starter
  • Members
  • 48 posts
  • Gender:Male
  • Location:New York

Posted 20 August 2007 - 11:21 PM

I noticed that there are some programs I don't use anymore in Application Data folder. Would it be safe to delete them if I've already uninstalled the programs?

#5 Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 20 August 2007 - 11:51 PM

List them with the entire path and I will delete them later. I don't want to do anything to ruin the fix in any way.

Trevuren

#6 Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 20 August 2007 - 11:56 PM

A. You can easily UNINSTALL the following as you are using a more current version:

Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0



B. Please download this file - combofix.exe by sUBs
  • You must download it to and run it from your Desktop
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

Regards,

Trevuren


#7 Stotic

  • Topic Starter
  • Members
  • 48 posts
  • Gender:Male
  • Location:New York

Posted 21 August 2007 - 12:16 AM

These I am pretty sure correlate to programs I no longer have installed:
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo
C:\Documents and Settings\Administrator\Application Data\Gearbox Software
C:\Documents and Settings\Administrator\Application Data\Microgaming
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2
C:\Documents and Settings\Administrator\Application Data\Pokerth
C:\Documents and Settings\Administrator\Application Data\Teamspeak2
C:\Documents and Settings\Administrator\Application Data\Thunderbird

I'm not really sure what these are:
C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Shim Close
C:\Documents and Settings\Administrator\Application Data\U3
C:\Documents and Settings\Administrator\Application Data\Uniblue -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\{b9dfdef4-3471-4379-bdbb-deda8a9809df}
C:\Documents and Settings\All Users\Application Data\Live 64 Math Does


I have Microsoft .NET Framework 3.0, so I uninstalled:
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)

I couldn't uninstall 2.0 though:
Posted Image


Combofix Log:

ComboFix 07-08-17.2 - "Administrator" 2007-08-21 1:05:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1528 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))


2007-08-21 01:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-21 00:11 <DIR> d-------- C:\NoLopBackups
2007-08-20 22:02 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-08-20 19:58 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-08-20 14:47 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-20 14:11 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-20 00:37 <DIR> d-------- C:\Program Files\a-squared Free
2007-08-19 21:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\live 64 math does
2007-08-19 21:58 <DIR> d-------- C:\Program Files\SHIM CLOSE
2007-08-19 21:58 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SHIM CLOSE


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-21 00:13 785 --ahs---- C:\WINDOWS\system32\mmf.sys
2007-08-20 14:30 --------- d-------- C:\Program Files\WinSCP3
2007-08-20 14:30 --------- d-------- C:\Program Files\iTunes
2007-08-20 14:29 --------- d-------- C:\Program Files\AIM
2007-08-18 17:26 --------- d-------- C:\Program Files\TESTOUT
2007-08-11 00:47 --------- d-------- C:\Program Files\Cisco Press
2007-08-11 00:44 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-29 14:00 --------- d-------- C:\Program Files\Google
2007-07-20 06:20 9728 --a------ C:\WINDOWS\system32\drivers\n558.sys
2007-07-11 21:09 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-07-11 21:09 249856 --------- C:\WINDOWS\Setup1.exe
2007-07-11 21:09 --------- d-------- C:\Program Files\FlashCards
2007-07-04 22:11 --------- d-------- C:\Program Files\DivX
2007-07-04 22:11 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
2007-07-02 20:45 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Thunderbird
2007-07-02 15:41 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-02 15:41 36624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-02 15:41 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-02 15:41 2560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-07-02 15:41 2432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-07-02 15:41 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-02 15:41 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-02 15:41 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-02 15:41 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-02 15:41 1044480 --a--c--- C:\WINDOWS\system32\libdivx.dll
2007-07-02 15:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-02 15:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-02 15:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-02 15:37 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-02 15:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-02 15:37 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-02 15:37 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-02 15:37 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-02 15:37 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-02 15:37 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-02 15:37 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-02 15:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-02 15:36 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-02 15:36 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-26 22:59 --------- d-------- C:\Program Files\Free iPod Video Converter
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-21 11:43 2208512 --a------ C:\WINDOWS\system32\drivers\NETw4x32.sys
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-01 17:33 684032 --a------ C:\WINDOWS\system32\NETw4c32.dll
2007-06-01 17:33 2772992 --a------ C:\WINDOWS\system32\NETw4r32.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-26 15:48]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 01:01]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-17 16:29 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-04-11 21:54]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 11:38]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-07 03:55]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 09:48]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-14 20:09]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]
"MATH DOES FIRST MODE"="C:\Documents and Settings\All Users\Application Data\live 64 math does\Obj link.exe" [2007-08-21 00:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 15:08]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00]
"magseq"="C:\DOCUME~1\ADMINI~1\APPLIC~1\SHIMCL~1\mapi save mp3.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Pavilion Webcam Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Pavilion Webcam Tray Icon.lnk
backup=C:\WINDOWS\pss\HP Pavilion Webcam Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
dxdllreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys
R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
R3 n558;N558 Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\n558.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 NETw3x32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit;C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf0e97ea-af0a-11db-9f5c-00059a3c7800}]
AutoRun\command- G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2d7f3db-b48e-11db-9f64-00059a3c7800}]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f868845c-c92b-11db-9f98-00059a3c7800}]
AutoRun\command- F:\LaunchU3.exe

*Newly Created Service* - ENTDRV51

Contents of the 'Scheduled Tasks' folder
2007-05-25 21:31:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 01:07:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-21 1:07:43

--- E O F ---


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:16, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MATH DOES FIRST MODE] C:\Documents and Settings\All Users\Application Data\live 64 math does\Obj link.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [magseq] C:\DOCUME~1\ADMINI~1\APPLIC~1\SHIMCL~1\mapi save mp3.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183496207609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8368 bytes

Edited by Stotic, 21 August 2007 - 12:17 AM.


#8 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 21 August 2007 - 01:32 AM

A. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 2 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u2...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.
B. Please copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • Please disable AVG AntiSpyware by opening the program and on the Status page - beside "Resident Shield" click on "change status" so that it says "inactive" for it may interfere with our HJT fix.
    • Remember to reactivate this feature when all our work is finished.
  • Please RUN HijackThis

    1. Click the SCAN button to produce a log.

    2. Place a check mark beside each one of the following items:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O4 - HKLM\..\Run: [MATH DOES FIRST MODE] C:\Documents and Settings\All Users\Application Data\live 64 math does\Obj link.exe
    O4 - HKCU\..\Run: [magseq] C:\DOCUME~1\ADMINI~1\APPLIC~1\SHIMCL~1\mapi save mp3.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


  • Now to Remove some malware:

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the code box below into the Notepad window:

    Folder::
    C:\NoLopBackups
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\live 64 math does
    C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars
    C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo
    C:\Documents and Settings\Administrator\Application Data\Gearbox Software
    C:\Documents and Settings\Administrator\Application Data\Microgaming
    C:\Documents and Settings\Administrator\Application Data\Openoffice.org2
    C:\Documents and Settings\Administrator\Application Data\Pokerth
    C:\Documents and Settings\Administrator\Application Data\Teamspeak2
    C:\Documents and Settings\Administrator\Application Data\Thunderbird
    C:\Documents and Settings\Administrator\Application Data\Uniblue -- EMPTY Directory
    C:\Documents and Settings\All Users\Application Data\{b9dfdef4-3471-4379-bdbb-deda8a9809df}
    C:\Program Files\PartyGaming
    C:\DOCUME~1\ADMINI~1\APPLIC~1\SHIMCL~1


    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    Posted Image


    5. If the tool does not initiate a reboot itself, please restart the system yourself, then post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.

Edited by Trevuren, 21 August 2007 - 01:34 AM.

Microsoft MVP - Consumer Security 2008 - 2009

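The two O4 entries Trevuren singles out in the fix above share traits that a defender can check mechanically: they launch from under Documents and Settings rather than Program Files or Windows, one of them through 8.3 short-name components, and both executables have odd multi-word names. The following Python script is an added example, not part of this thread or of HijackThis: it parses O4 and R0 lines in the HijackThis v2 format and applies those heuristics. The sample lines are copied from the log posted earlier in the thread; the rule set is the editor's, not HijackThis's own logic.

```python
"""Triage HijackThis O4 (autorun) and R0 (IE start page) log lines.

Added example: the heuristics below are the editor's, not HijackThis logic.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the HijackThis v2.0.2 log
# posted earlier in this thread (vendor entries mixed with the two
# autoruns the helper told the poster to fix).
SAMPLE_HJT_LINES = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MATH DOES FIRST MODE] C:\Documents and Settings\All Users\Application Data\live 64 math does\Obj link.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [magseq] C:\DOCUME~1\ADMINI~1\APPLIC~1\SHIMCL~1\mapi save mp3.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# R0 - <registry key>,<value name> = <value>
R0_RE = re.compile(r"^R0 - (?P<key>[^,]+),(?P<name>.+?) =\s*(?P<value>.*)$")
# First program on the command line: a quoted path, or everything up to the
# first .exe/.cpl/.dll-style extension that is followed by a separator.
EXE_RE = re.compile(r'^(?P<path>"[^"]+"|.+?\.(?:exe|cpl|dll|scr|com|bat))(?=\s|,|$)', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    name: str
    path: str
    reasons: List[str]


def extract_executable(cmd: str) -> Optional[str]:
    """Return the program an O4 command line launches, without quotes."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path").strip('"') if m else None


def assess_path(path: str) -> List[str]:
    """Heuristics for an autorun path; an empty list means nothing odd."""
    reasons = []
    lowered = path.lower()
    if "\\documents and settings\\" in lowered or "\\docume~1\\" in lowered:
        reasons.append("runs from a user-writable profile directory instead of Program Files or Windows")
    if re.search(r"~\d", path):
        reasons.append("8.3 short-name components hide the real folder name")
    basename = path.rsplit("\\", 1)[-1]
    if " " in basename:
        reasons.append("multi-word executable name, unusual for vendor software (weak signal)")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the lines worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            path = extract_executable(m.group("cmd"))
            reasons = assess_path(path) if path else ["could not identify the executable"]
            if reasons:
                findings.append(Finding(line, m.group("name"), path or "", reasons))
            continue
        m = R0_RE.match(line)
        if m and m.group("value") == "":
            # An empty Start Page is worth a look: the user rarely sets it that way.
            findings.append(Finding(line, m.group("name"), "", ["empty IE Start Page value"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f"[{f.name}] {f.path or '(n/a)'}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against a full log, the script surfaces exactly the kind of entries a helper would ask about first; it is a triage aid, not a verdict, since legitimate software occasionally installs to Application Data as well.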

#9 Stotic

Stotic
  • Topic Starter

  • Members
  • 48 posts
  • Gender:Male
  • Location:New York

Posted 21 August 2007 - 02:03 AM

Combofix:

ComboFix 07-08-17.2 - "Administrator" 2007-08-21 2:55:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1522 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ADMINI~1\APPLIC~1\SHIMCL~1
C:\DOCUME~1\ADMINI~1\APPLIC~1\SHIMCL~1\0
C:\DOCUME~1\ALLUSE~1\APPLIC~1\live 64 math does
C:\DOCUME~1\ALLUSE~1\APPLIC~1\live 64 math does\Obj link.exe
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\MapPreviews\data_maps_official_map_mp_2_black5_map_mp_2_black5.tga
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\directory.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\GSVoice.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\hotkeys.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\IDB\000_GDI_Internal_MemosIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\IDB\001_GDI_News_AlertIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\IDB\002_GDI_Field_ReconIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\IDB\003_GDI_WeaponryIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\IDB\005_GDI_BackgroundIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\IDB\006_Nod_Internal_MemosIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\IDB\008_Nod_Field_ReconIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\IDB\009_Nod_WeaponryIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\IDB\010_Nod_RumorsIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\IDB\011_Nod_BackgroundIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\IDB\012_Alien_Internal_MemosIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\movies.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\Options.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\ProfileData.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\Skirmish.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\Stats_CAMPAIGN_GAME.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\Stats_LAN_GAME.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\Stats_ONLINE_CLAN_1V1_GAME.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\Stats_ONLINE_CLAN_2V2_GAME.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\Stats_ONLINE_RANKED_1V1_GAME.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\Stats_ONLINE_RANKED_2V2_GAME.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\Stats_ONLINE_UNRANKED_GAME.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars Demo\Profiles\Mike\Stats_SKIRMISH_GAME.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\directory.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\IDB\000_GDI_Internal_MemosIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\IDB\001_GDI_News_AlertIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\IDB\002_GDI_Field_ReconIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\IDB\003_GDI_WeaponryIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\IDB\005_GDI_BackgroundIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\IDB\006_Nod_Internal_MemosIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\IDB\008_Nod_Field_ReconIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\IDB\009_Nod_WeaponryIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\IDB\010_Nod_RumorsIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\IDB\011_Nod_BackgroundIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\IDB\012_Alien_Internal_MemosIDB.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\movies.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\NetworkPref.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\Online Files\Config.txt
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\Options.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\ProfileData.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\Skirmish.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\Stats_CAMPAIGN_GAME.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\Stats_LAN_GAME.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\Stats_ONLINE_CLAN_1V1_GAME.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\Stats_ONLINE_CLAN_2V2_GAME.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\Stats_ONLINE_RANKED_1V1_GAME.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\Stats_ONLINE_RANKED_2V2_GAME.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\Stats_ONLINE_UNRANKED_GAME.ini
C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars\Profiles\Mike\Stats_SKIRMISH_GAME.ini
C:\Documents and Settings\Administrator\Application Data\Gearbox Software
C:\Documents and Settings\Administrator\Application Data\Gearbox Software\Earned In Blood\Mike\EiB.ini
C:\Documents and Settings\Administrator\Application Data\Gearbox Software\Earned In Blood\Mike\SP_SAVE_GAME
C:\Documents and Settings\Administrator\Application Data\Gearbox Software\Earned In Blood\Mike\User.ini
C:\Documents and Settings\Administrator\Application Data\Microgaming
C:\Documents and Settings\Administrator\Application Data\Microgaming\MPG\PrimaPokerNetwork.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\autotext\mytexts.bau
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\basic\dialog.xlc
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\basic\script.xlc
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\basic\Standard\dialog.xlb
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\basic\Standard\Module1.xba
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\basic\Standard\script.xlb
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\arrowhd_en-US.soe
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\autotbl.fmt
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\classic_en-US.sog
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\cmyk.soc
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\gallery.soc
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\hatching_en-US.soh
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\html.soc
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\imagecache\ooo680en-US1592215default
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\imagecache\res_commandimagelist_sc_enUS117default
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\imagecache\res_commandimagelist_sc_enUS131default
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\imagecache\res_commandimagelist_sc_enUS514default
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\imagecache\res_commandimagelist_sc_enUS59default
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\imagecache\res_commandimagelist_sc_enUS8default
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\imagecache\sc680en-US2755default
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\imagecache\sm680en-US209509default
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\imagecache\sm680en-US2095216default
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\imagecache\svt680en-US1592267default
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\imagecache\svt680en-US1592567default
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\imagecache\svx680en-US1800030default
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\imagecache\svx680en-US1800230default
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\imagecache\svx680en-US205default
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\imagecache\svx680en-US215default
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\imagecache\svx680en-US306default
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\imagecache\svx680en-US316default
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\javasettings_Windows_x86.xml
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\modern_en-US.sog
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\palette_en-US.soc
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\soffice.cfg\global\accelerator\en-US\current.xml
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\soffice.cfg\modules\simpress\accelerator\en-US\current.xml
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\soffice.cfg\modules\swriter\accelerator\en-US\current.xml
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\soffice.cfg\modules\swriter\toolbar\numobjectbar.xml
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\standard.sob
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\standard.soc
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\standard.sod
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\standard.soe
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\standard.sog
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\standard.soh
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\styles_en-US.sod
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\sun-color.soc
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\config\web.soc
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\database\biblio.odb
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\database\biblio\biblio.dbf
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\database\biblio\biblio.dbt
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\gallery\sg100.sdv
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\gallery\sg100.thm
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\gallery\sg30.sdv
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\gallery\sg30.thm
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.FirstStartWizard.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.Addons.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.Calc.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.Commands.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.Common.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.Compatibility.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.DataAccess.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.Embedding.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.Events.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.Impress.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.Jobs.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.Linguistic.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.Math.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.ProtocolHandler.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.Recovery.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.SFX.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.Substitution.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.TypeDetection.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.UI.CalcCommands.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.UI.CalcWindowState.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.UI.Controller.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.UI.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.UI.DbuCommands.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.UI.DrawImpressCommands.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.UI.Effects.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.UI.Factories.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.UI.GenericCommands.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.UI.GlobalSettings.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.UI.ImpressWindowState.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.UI.MathCommands.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.UI.MathWindowState.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.UI.WriterCommands.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.UI.WriterWebWindowState.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.UI.WriterWindowState.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.Views.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.Writer.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Office.WriterWeb.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.Setup.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.System.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.TypeDetection.Filter.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.TypeDetection.GraphicFilter.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.TypeDetection.Misc.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.TypeDetection.Types.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.TypeDetection.UISort.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.ucb.Configuration.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.ucb.Store.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.UserProfile.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\cache\org.openoffice.VCL.dat
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\data\org\openoffice\Office\Common.xcu
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\data\org\openoffice\Office\Linguistic.xcu
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\data\org\openoffice\Office\Recovery.xcu
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\data\org\openoffice\Office\UI\CalcWindowState.xcu
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\data\org\openoffice\Office\UI\ImpressWindowState.xcu
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\data\org\openoffice\Office\UI\MathWindowState.xcu
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\data\org\openoffice\Office\UI\WriterWindowState.xcu
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\data\org\openoffice\Office\Views.xcu
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\data\org\openoffice\Office\Writer.xcu
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\data\org\openoffice\Setup.xcu
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\registry\data\org\openoffice\UserProfile.xcu
C:\Documents and Settings\Administrator\Application Data\Openoffice.org2\user\wordbook\standard.dic
C:\Documents and Settings\Administrator\Application Data\Pokerth
C:\Documents and Settings\Administrator\Application Data\Pokerth\config.xml
C:\Documents and Settings\Administrator\Application Data\Pokerth\data\flopValues
C:\Documents and Settings\Administrator\Application Data\Pokerth\data\preflopValues
C:\Documents and Settings\Administrator\Application Data\Pokerth\data\qt_temp.gq3988
C:\Documents and Settings\Administrator\Application Data\Pokerth\data\qt_temp.Hp3988
C:\Documents and Settings\Administrator\Application Data\Pokerth\data\serverprofiles.xml
C:\Documents and Settings\Administrator\Application Data\Pokerth\log-files\logo.png
C:\Documents and Settings\Administrator\Application Data\Pokerth\log-files\pokerth-log-2007-08-03_18.17.21.html
C:\Documents and Settings\Administrator\Application Data\Teamspeak2
C:\Documents and Settings\Administrator\Application Data\Teamspeak2\451D0958-6A61-45CB-9327-1F8989E64B24.jpg
C:\Documents and Settings\Administrator\Application Data\Teamspeak2\imagecache.ini
C:\Documents and Settings\Administrator\Application Data\Teamspeak2\TeamSpeak.Conf
C:\Documents and Settings\Administrator\Application Data\Thunderbird
C:\Documents and Settings\Administrator\Application Data\Thunderbird\profiles.ini
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\abook.mab
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\cert8.db
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\compatibility.ini
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\compreg.dat
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\cookies.txt
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\extensions.cache
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\extensions.ini
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\extensions.rdf
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\history.mab
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\key3.db
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\localstore.rdf
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\Mail\Local Folders\Trash
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\Mail\Local Folders\Trash.msf
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\Mail\Local Folders\Unsent Messages
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\Mail\Local Folders\Unsent Messages.msf
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\Mail\pop.gmail.com\Drafts.msf
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\Mail\pop.gmail.com\Inbox
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\Mail\pop.gmail.com\Inbox.msf
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\Mail\pop.gmail.com\Sent
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\Mail\pop.gmail.com\Sent.msf
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\Mail\pop.gmail.com\Templates.msf
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\Mail\pop.gmail.com\Trash
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\Mail\pop.gmail.com\Trash.msf
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\mimeTypes.rdf
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\panacea.dat
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\prefs.js
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\secmod.db
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\virtualFolders.dat
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\k1wn1xla.default\xpti.dat
C:\Documents and Settings\Administrator\Application Data\Thunderbird\registry.dat
C:\Documents and Settings\All Users\Application Data\{b9dfdef4-3471-4379-bdbb-deda8a9809df}
C:\Documents and Settings\All Users\Application Data\{b9dfdef4-3471-4379-bdbb-deda8a9809df}\BB2K8-Setup.dat
C:\Documents and Settings\All Users\Application Data\{b9dfdef4-3471-4379-bdbb-deda8a9809df}\BB2K8-Setup.exe
C:\Documents and Settings\All Users\Application Data\{b9dfdef4-3471-4379-bdbb-deda8a9809df}\BB2K8-Setup.msi
C:\Documents and Settings\All Users\Application Data\{b9dfdef4-3471-4379-bdbb-deda8a9809df}\BB2K8-Setup.par
C:\Documents and Settings\All Users\Application Data\{b9dfdef4-3471-4379-bdbb-deda8a9809df}\BB2K8-Setup.res
C:\Documents and Settings\All Users\Application Data\{b9dfdef4-3471-4379-bdbb-deda8a9809df}\instance.dat
C:\Documents and Settings\All Users\Application Data\{b9dfdef4-3471-4379-bdbb-deda8a9809df}\mia.dll
C:\Documents and Settings\All Users\Application Data\{b9dfdef4-3471-4379-bdbb-deda8a9809df}\setup.bmp
C:\NoLopBackups
C:\NoLopBackups\AF82B15E979128C6.job.01.infected


((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))


2007-08-21 01:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-20 22:02 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-08-20 19:58 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-08-20 14:47 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-20 14:11 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-20 00:37 <DIR> d-------- C:\Program Files\a-squared Free
2007-08-19 21:58 <DIR> d-------- C:\Program Files\SHIM CLOSE


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-21 03:00 785 --ahs---- C:\WINDOWS\system32\mmf.sys
2007-08-20 14:30 --------- d-------- C:\Program Files\WinSCP3
2007-08-20 14:30 --------- d-------- C:\Program Files\iTunes
2007-08-20 14:29 --------- d-------- C:\Program Files\AIM
2007-08-18 17:26 --------- d-------- C:\Program Files\TESTOUT
2007-08-11 00:47 --------- d-------- C:\Program Files\Cisco Press
2007-08-11 00:44 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-29 14:00 --------- d-------- C:\Program Files\Google
2007-07-20 06:20 9728 --a------ C:\WINDOWS\system32\drivers\n558.sys
2007-07-11 21:09 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-07-11 21:09 249856 --------- C:\WINDOWS\Setup1.exe
2007-07-11 21:09 --------- d-------- C:\Program Files\FlashCards
2007-07-04 22:11 --------- d-------- C:\Program Files\DivX
2007-07-04 22:11 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
2007-07-02 15:41 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-02 15:41 36624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-02 15:41 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-02 15:41 2560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-07-02 15:41 2432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-07-02 15:41 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-02 15:41 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-02 15:41 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-02 15:41 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-02 15:41 1044480 --a--c--- C:\WINDOWS\system32\libdivx.dll
2007-07-02 15:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-02 15:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-02 15:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-02 15:37 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-02 15:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-02 15:37 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-02 15:37 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-02 15:37 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-02 15:37 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-02 15:37 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-02 15:37 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-02 15:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-02 15:36 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-02 15:36 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-26 22:59 --------- d-------- C:\Program Files\Free iPod Video Converter
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-21 11:43 2208512 --a------ C:\WINDOWS\system32\drivers\NETw4x32.sys
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-01 17:33 684032 --a------ C:\WINDOWS\system32\NETw4c32.dll
2007-06-01 17:33 2772992 --a------ C:\WINDOWS\system32\NETw4r32.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-26 15:48]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 01:01]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-17 16:29 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-04-11 21:54]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 11:38]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-07 03:55]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 09:48]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-14 20:09]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 15:08]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Pavilion Webcam Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Pavilion Webcam Tray Icon.lnk
backup=C:\WINDOWS\pss\HP Pavilion Webcam Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
dxdllreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys
R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
R3 n558;N558 Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\n558.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 NETw3x32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit;C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf0e97ea-af0a-11db-9f5c-00059a3c7800}]
AutoRun\command- G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2d7f3db-b48e-11db-9f64-00059a3c7800}]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f868845c-c92b-11db-9f98-00059a3c7800}]
AutoRun\command- F:\LaunchU3.exe

*Newly Created Service* - ENTDRV51

Contents of the 'Scheduled Tasks' folder
2007-05-25 21:31:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 03:00:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-21 3:01:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-21 03:01
C:\ComboFix2.txt ... 2007-08-21 01:07

--- E O F ---



HiJackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:03, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183496207609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7823 bytes

#10 Stotic

Stotic
  • Topic Starter


Posted 21 August 2007 - 12:08 PM

The ComboFix program changed my clock to military time. I remember it saying that it was adjusting my clock settings, and it said that it'd change it back.

#11 Trevuren

Trevuren

  • Malware Response Team

Posted 21 August 2007 - 01:29 PM

It may reset after this run:


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

DirLook::
C:\Program Files\SHIM CLOSE

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[image: animation showing CFScript.txt being dragged onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

B. We had better also check that there are no "baddies" still lurking:

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Click Yes, when prompted to install its ActiveX component.
(Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
[images: Kaspersky Online Scanner "Scan is completed" window, with the Save Report As button marked]
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply, along with a fresh HijackThis log
Microsoft MVP - Consumer Security 2008 - 2009

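An added triage helper (my own example, not code from the thread, from Kaspersky or from BleepingComputer) that reads the Kaspersky Online Scanner report format requested above and separates "Infected" hits sitting in quarantine folders and System Restore points, which are inert copies, from hits at live paths that still need cleaning. The sample report lines are constructed for this example and modelled on the report layout; the `dropper.exe` path is a placeholder, and the remnant-location markers are my own list, not a Kaspersky setting.

```python
"""Classify Kaspersky Online Scanner report lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Locations that hold inert copies of a detection: a hit here is a leftover,
# not a running infection. This list is an assumption made for the example.
REMNANT_MARKERS = (
    "\\quarantine\\",                         # vendor quarantine folders
    "\\qoobox\\",                             # ComboFix quarantine
    "\\system volume information\\_restore",  # System Restore points
    "\\.housecall",                           # Trend Micro HouseCall working directory
)

ACTION_SUFFIX = " skipped"      # the online scanner only reports, it never disinfects
LOCKED_MARKER = " Object is locked"


@dataclass
class ReportEntry:
    path: str
    status: str                 # "infected", "locked", "note" or "other"
    detection: Optional[str]    # malware name, or the archive note text

    @property
    def remnant(self) -> bool:
        """True when the path lies in a quarantine or restore-point location."""
        lowered = self.path.lower()
        return any(marker in lowered for marker in REMNANT_MARKERS)


def parse_line(line: str) -> Optional[ReportEntry]:
    """Parse one report line; header and statistics lines return None."""
    line = line.strip()
    if not line.endswith(ACTION_SUFFIX):
        return None
    body = line[: -len(ACTION_SUFFIX)]
    if " Infected: " in body:
        path, detection = body.split(" Infected: ", 1)
        return ReportEntry(path, "infected", detection)
    if body.endswith(LOCKED_MARKER):
        return ReportEntry(body[: -len(LOCKED_MARKER)], "locked", None)
    # Archive-level notes such as "Inno: infected - 1" follow the path.
    match = re.match(r"^(?P<path>.*?) (?P<note>[A-Za-z0-9]+: .+)$", body)
    if match:
        return ReportEntry(match.group("path"), "note", match.group("note"))
    return ReportEntry(body, "other", None)


def triage(report: str) -> Dict[str, List[ReportEntry]]:
    """Bucket report lines into live infections, remnants, locked files and notes."""
    buckets: Dict[str, List[ReportEntry]] = {"live": [], "remnant": [], "locked": [], "note": []}
    for raw in report.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        if entry.status == "locked":
            buckets["locked"].append(entry)
        elif entry.status == "infected":
            buckets["remnant" if entry.remnant else "live"].append(entry)
        elif entry.status == "note":
            buckets["note"].append(entry)
    return buckets


# Constructed sample modelled on the report format; the dropper.exe line is a placeholder.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\2E4E8B6Dd01.Vir.bac_a02584 Infected: Trojan-Downloader.VBS.Small.do skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\QooBox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\live 64 math does\Obj link.exe.vir Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{88DE2767-102E-4072-ADBC-1A3AD69974F9}\RP342\A0058482.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{88DE2767-102E-4072-ADBC-1A3AD69974F9}\RP344\A0058690.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\Program Files\Example\dropper.exe Infected: Trojan-Downloader.VBS.Small.do skipped
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket, entries in result.items():
        print(f"{bucket}: {len(entries)}")
        for entry in entries:
            print(f"  {entry.path}  [{entry.detection}]")
```

Anything in the "live" bucket is what the helper would still have to act on; the "remnant" bucket is cleared by emptying quarantines and flushing System Restore after the machine is clean.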

#12 Stotic

Stotic
  • Topic Starter


Posted 21 August 2007 - 03:36 PM

Note: The clock hasn't changed back.

ComboFix Log:


ComboFix 07-08-17.2 - "Administrator" 2007-08-21 14:58:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1582 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))


2007-08-21 01:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-20 22:02 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-08-20 19:58 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-08-20 14:47 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-20 14:11 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-20 00:37 <DIR> d-------- C:\Program Files\a-squared Free
2007-08-19 21:58 <DIR> d-------- C:\Program Files\SHIM CLOSE


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-21 14:45 785 --ahs---- C:\WINDOWS\system32\mmf.sys
2007-08-20 14:30 --------- d-------- C:\Program Files\WinSCP3
2007-08-20 14:30 --------- d-------- C:\Program Files\iTunes
2007-08-20 14:29 --------- d-------- C:\Program Files\AIM
2007-08-18 17:26 --------- d-------- C:\Program Files\TESTOUT
2007-08-11 00:47 --------- d-------- C:\Program Files\Cisco Press
2007-08-11 00:44 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-29 14:00 --------- d-------- C:\Program Files\Google
2007-07-20 06:20 9728 --a------ C:\WINDOWS\system32\drivers\n558.sys
2007-07-11 21:09 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-07-11 21:09 249856 --------- C:\WINDOWS\Setup1.exe
2007-07-11 21:09 --------- d-------- C:\Program Files\FlashCards
2007-07-04 22:11 --------- d-------- C:\Program Files\DivX
2007-07-04 22:11 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
2007-07-02 15:41 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-02 15:41 36624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-02 15:41 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-02 15:41 2560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-07-02 15:41 2432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-07-02 15:41 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-02 15:41 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-02 15:41 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-02 15:41 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-02 15:41 1044480 --a--c--- C:\WINDOWS\system32\libdivx.dll
2007-07-02 15:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-02 15:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-02 15:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-02 15:37 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-02 15:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-02 15:37 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-02 15:37 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-02 15:37 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-02 15:37 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-02 15:37 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-02 15:37 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-02 15:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-02 15:36 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-02 15:36 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-26 22:59 --------- d-------- C:\Program Files\Free iPod Video Converter
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-21 11:43 2208512 --a------ C:\WINDOWS\system32\drivers\NETw4x32.sys
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-01 17:33 684032 --a------ C:\WINDOWS\system32\NETw4c32.dll
2007-06-01 17:33 2772992 --a------ C:\WINDOWS\system32\NETw4r32.dll


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of C:\Program Files\SHIM CLOSE ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-26 15:48]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 01:01]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-17 16:29 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-04-11 21:54]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 11:38]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-07 03:55]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 09:48]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-14 20:09]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 15:08]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Pavilion Webcam Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Pavilion Webcam Tray Icon.lnk
backup=C:\WINDOWS\pss\HP Pavilion Webcam Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
dxdllreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys
R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
R3 n558;N558 Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\n558.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 NETw3x32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit;C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf0e97ea-af0a-11db-9f5c-00059a3c7800}]
AutoRun\command- G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2d7f3db-b48e-11db-9f64-00059a3c7800}]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f868845c-c92b-11db-9f98-00059a3c7800}]
AutoRun\command- F:\LaunchU3.exe

*Newly Created Service* - ENTDRV51

Contents of the 'Scheduled Tasks' folder
2007-05-25 21:31:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 15:01:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-21 15:01:45
C:\ComboFix-quarantined-files.txt ... 2007-08-21 15:01
C:\ComboFix2.txt ... 2007-08-21 03:01
C:\ComboFix3.txt ... 2007-08-21 01:07

--- E O F ---


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:36, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1183496207609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7957 bytes



Kaspersky Log:



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, August 21, 2007 16:34
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 21/08/2007
Kaspersky Anti-Virus database records: 386812
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 107454
Number of viruses found: 2
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 01:15:41

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\2E4E8B6Dd01.Vir.bac_a02584 Infected: Trojan-Downloader.VBS.Small.do skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\63C6945Dd01.Vir.bac_a02584 Infected: Trojan-Downloader.VBS.Small.do skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7zl1saqx.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7zl1saqx.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7zl1saqx.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7zl1saqx.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7zl1saqx.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7zl1saqx.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7zl1saqx.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7zl1saqx.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\NAILogs\UpdaterUI_MIKE.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070821_Time-150414234_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070821_Time-150414234_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_MIKE.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_MIKE.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\live 64 math does\Obj link.exe.vir Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{88DE2767-102E-4072-ADBC-1A3AD69974F9}\RP342\A0058482.exe/file9 Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{88DE2767-102E-4072-ADBC-1A3AD69974F9}\RP342\A0058482.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{88DE2767-102E-4072-ADBC-1A3AD69974F9}\RP344\A0058690.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{88DE2767-102E-4072-ADBC-1A3AD69974F9}\RP344\A0058706.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{88DE2767-102E-4072-ADBC-1A3AD69974F9}\RP349\A0059289.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{88DE2767-102E-4072-ADBC-1A3AD69974F9}\RP350\A0059293.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{88DE2767-102E-4072-ADBC-1A3AD69974F9}\RP351\A0059320.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{88DE2767-102E-4072-ADBC-1A3AD69974F9}\RP352\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5901.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mmf.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
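Triaging a report like the one above by where each detection sits, as an added example (not code from the thread, from Kaspersky or from BleepingComputer): it separates detections still on the live system from those already parked in quarantine folders or System Restore snapshots, which is the distinction the next reply draws. The sample report is constructed in the same line format; `example_live.exe` is a placeholder path, not a detection from the thread.

```python
import re

# Constructed sample in the line format of the Kaspersky scan report quoted above.
# "example_live.exe" is a placeholder, not a file reported in the thread.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\QooBox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\live 64 math does\Obj link.exe.vir Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{88DE2767-102E-4072-ADBC-1A3AD69974F9}\RP342\A0058482.exe/file9 Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{88DE2767-102E-4072-ADBC-1A3AD69974F9}\RP342\A0058482.exe Inno: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\example.vir Infected: Trojan.Win32.Obfuscated.en skipped
C:\WINDOWS\system32\example_live.exe Infected: Trojan.Win32.Obfuscated.en skipped
Scan process completed.
"""

# Two line shapes seen in the report: a named detection (or an "Inno: infected" archive
# verdict) and a file the scanner could not open because it was in use.
DETECTION = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)|Inno: infected - \d+) skipped$")
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")


def location(path):
    """Classify a detection by whether it can still execute on the running system."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore_point"   # System Restore snapshot: cleared by purging restore points
    if "\\quarantine\\" in low:
        return "quarantine"      # already neutralised by another tool: emptied in final cleanup
    return "live"                # still on the running system: needs attention first


def triage(report):
    """Return detections grouped by location, deduplicated to the on-disk file."""
    result = {"live": set(), "quarantine": set(), "restore_point": set(), "locked": 0}
    for line in report.splitlines():
        m = DETECTION.match(line)
        if m:
            # "A0058482.exe/file9" names a member inside an archive; keep the container path.
            on_disk = m.group("path").split("/")[0]
            result[location(on_disk)].add(on_disk)
        elif LOCKED.match(line):
            result["locked"] += 1
    return result


if __name__ == "__main__":
    for bucket, files in triage(SAMPLE_REPORT).items():
        print(bucket, files)
```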

#13 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 21 August 2007 - 04:39 PM

1. Please empty the content of this Quarantine:

C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\. Do not delete the folder itself, just the content.


2. The other files picked up by Kaspersky are also in Quarantines. These will be cleaned out in the final cleanup procedures.

3. As for your time, first time for me. Try the following:

a. Right-click on the Clock and from the Menu choose Adjust Time/Date. Now in the next screen choose Time Zone and ensure that it is set to your time zone, not ComboFix's Time Zone. Hopefully this will reset your time after a reboot.


Trevuren
Microsoft MVP - Consumer Security 2008 - 2009


#14 Stotic

Stotic
  • Topic Starter

  • Members
  • 48 posts
  • Gender:Male
  • Location:New York

Posted 21 August 2007 - 05:04 PM

I deleted the housecall quarantines. Is this housecall folder necessary if I don't plan on using housecall in the future for awhile?

Also, I figured out the time in the regional and language options settings.

#15 Trevuren

Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 21 August 2007 - 05:18 PM

That is where I was going next.

No, you don't need that folder.

How is the machine? Ready to finish up?


Trev
Microsoft MVP - Consumer Security 2008 - 2009
