
Miaminews365 Redirect & Trustin Contextual Hijacking


  • This topic is locked
20 replies to this topic

#1 djockers

djockers

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:27 PM

Posted 01 September 2007 - 12:10 PM

Was hit with TrustIn contextual hijacking awhile back -- I thought I had removed it completely... but apparently not. It resurfaced this week and am now getting redirected to miaminews365.net when visiting various sites, such as IMDB.com. The hijacking stops when I remove "trustin" references from the registry -- so I assume the two are related and my "trustin" hijacking is back.

I googled this hijacking problem and discovered your site and a recent thread on this subject (now closed), and it appears to have helped. I followed the instructions you gave that user at that time -- and will post my results below.

I downloaded and ran Fixwareout and ComboFix, as you recommended in that thread... but stopped at that point. Below (in the next 3 posts) are each of the Log reports for the Fixwareout and combofix, as well as the most recent log from Hijackthis. Any help here would be greatly appreciated!


#2 djockers

djockers
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:27 PM

Posted 01 September 2007 - 12:13 PM

First up is the log for "fixwareout"

~~~~~~~~~~~~~~~~



Username "djockers" - 2007-09-01 11:30:44 [Fixwareout edited 2007/07/05]

»»»»»Prerun check

Successfully flushed the DNS Resolver Cache.

System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....


C:\Program Files\TrustIn Contextual < Found
Additional tools are recomended.

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Norton Save and Restore"="\"D:\\Program Files\\Norton Save and Restore\\Agent\\NSRTray.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"NapsterShell"="D:\\Program Files\\Napster\\napster.exe /systray"
"AudioHQ"="D:\\Program Files\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"Ad-Aware"="\"D:\\Program Files\\Lavasoft\\Ad-Aware SE Professional\\Ad-Aware.exe\" +c"
"Disc Detector"="C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe"
"PhoneTray"="D:\\Program Files\\TraySoft\\PhoneTray\\PhoneTray.exe"
"teqwpkb.dll"="C:\\WINDOWS\\system32\\rundll32.exe \"C:\\Documents and Settings\\djockers\\Local Settings\\Application Data\\teqwpkb.dll\",gilanjf"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"CTAvTray"="D:\\Program Files\\Creative\\SBLive\\Program\\CTAvTray.EXE"
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNOTIFY.EXE"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOMAD Detector"="\"E:\\Program Files\\Creative\\PlayCenter2\\CTNMRun.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AWMON"="\"D:\\PROGRA~1\\Lavasoft\\AD-AWA~1\\Ad-Watch.exe\""
"ATI Launchpad"="\"D:\\Program Files\\ATI Multimedia\\main\\LaunchPd.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

Now here is the combofix log...

~~~~~~~~~~~


ComboFix 07-08-30.3 - "djockers" 2007-09-01 11:52:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\TrustIn Contextual
C:\WINDOWS\inetloader.dll
C:\WINDOWS\system32\amstreams.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\WPCAP.DLL


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------LEGACY_NPF
-------NPF


((((((((((((((((((((((((( Files Created from 2007-08-01 to 2007-09-01 )))))))))))))))))))))))))))))))


2007-09-01 11:51 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-01 11:30 7,044 --a------ C:\dnsbak.reg
2007-09-01 11:18 21,504 --a------ C:\WINDOWS\system32\authzs.dll
2007-09-01 00:35 21,504 --a------ C:\WINDOWS\system32\avifilebs.dll
2007-08-31 19:45 21,504 --a------ C:\WINDOWS\system32\avifileb.dll
2007-08-30 23:07 21,504 --a------ C:\WINDOWS\system32\avicapb.dll
2007-08-30 19:55 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
2007-08-30 19:54 9,136 --------- C:\WINDOWS\system32\INETWH16.DLL
2007-08-30 19:54 66,560 --------- C:\WINDOWS\system32\atiyuv12.dll
2007-08-30 19:54 643,072 --------- C:\WINDOWS\system32\PCcheck.dll
2007-08-30 19:54 6,144 --------- C:\WINDOWS\system32\drivers\cinemsup.sys
2007-08-30 19:54 45,056 --------- C:\WINDOWS\system32\atimiaaa.dll
2007-08-30 19:54 4,557 --------- C:\WINDOWS\system32\atiicdxx.sys
2007-08-30 19:54 327,748 --------- C:\WINDOWS\system32\atiicdxx.dll
2007-08-30 19:54 10,249 --------- C:\WINDOWS\system32\drivers\x10uif.sys
2007-08-30 19:54 <DIR> d-------- C:\Program Files\Common Files\Ravisent Shared
2007-08-30 19:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ATI MMC
2007-08-30 19:10 <DIR> d-------- C:\Program Files\Common Files\ATI
2007-08-30 19:10 <DIR> d-------- C:\Program Files\ATI Multimedia
2007-08-30 19:02 <DIR> d-------- C:\Program Files\TitanTV
2007-08-30 19:02 <DIR> d-------- C:\Program Files\msaccrt
2007-08-30 19:01 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-08-30 19:01 <DIR> d-------- C:\WINDOWS\system32\windows media
2007-08-30 19:01 <DIR> d-------- C:\Program Files\Windows Media Components
2007-08-30 18:55 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-08-30 18:54 <DIR> d-------- C:\Program Files\ATI Technologies
2007-08-29 22:10 21,504 --a------ C:\WINDOWS\system32\asycfiltv.dll
2007-08-29 22:04 6,097 --a------ C:\WINDOWS\system32\drivers\sonyhcb.sys
2007-08-29 22:04 53,248 --a------ C:\WINDOWS\system32\SONYHCY.DLL
2007-08-29 22:04 38,739 --a------ C:\WINDOWS\system32\drivers\sonyhcc.sys
2007-08-29 22:04 3,654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2007-08-29 22:04 299,923 --a------ C:\WINDOWS\system32\drivers\sonyhcs.sys
2007-08-29 22:04 102,220 --a------ C:\WINDOWS\system32\drivers\sonypvs1.sys
2007-08-29 22:04 <DIR> d-------- C:\Drivers
2007-08-29 21:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony Corporation
2007-08-29 21:48 21,504 --a------ C:\WINDOWS\system32\admparseb.dll
2007-08-29 21:23 21,504 --a------ C:\WINDOWS\system32\batmetera.dll
2007-08-29 21:10 21,504 --a------ C:\WINDOWS\system32\asferrorss.dll
2007-08-29 19:56 21,504 --a------ C:\WINDOWS\system32\bthcib.dll
2007-08-28 21:18 21,504 --a------ C:\WINDOWS\system32\adptifv.dll
2007-08-28 21:04 21,504 --a------ C:\WINDOWS\system32\basesrvv.dll
2007-08-28 21:00 21,504 --a------ C:\WINDOWS\system32\avtapiv.dll
2007-08-28 20:35 21,504 --a------ C:\WINDOWS\system32\bthservv.dll
2007-08-26 19:43 21,504 --a------ C:\WINDOWS\system32\audiosrvv.dll
2007-08-26 19:29 21,504 --a------ C:\WINDOWS\system32\asferrors.dll
2007-08-26 19:21 21,504 --a------ C:\WINDOWS\system32\camocxv.dll
2007-08-26 13:19 6,912 --a------ C:\WINDOWS\system32\drivers\vulfnth.sys
2007-08-26 13:19 45,056 --a------ C:\WINDOWS\system32\vusetup.dll
2007-08-26 13:19 11,264 --a------ C:\WINDOWS\system32\drivers\vulfntr.sys
2007-08-26 13:08 <DIR> d-------- C:\Program Files\WinPcap
2007-08-26 13:07 <DIR> d-------- C:\Program Files\xtg101 Setup
2007-08-25 18:48 51,328 --a--c--- C:\WINDOWS\system32\dllcache\msdv.sys
2007-08-25 18:48 51,328 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-08-25 18:35 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-25 18:35 <DIR> d-------- C:\Program Files\Common Files\DeskShare Shared
2007-08-24 20:18 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2007-08-24 20:18 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2007-08-24 20:18 71,680 --a--c--- C:\WINDOWS\system32\dllcache\fnfilter.dll
2007-08-24 20:18 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2007-08-24 20:18 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2007-08-24 20:18 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2007-08-24 19:07 <DIR> d-------- C:\DOCUME~1\DAVIDJ~1\APPLIC~1\Sony Corporation
2007-08-24 18:52 <DIR> d-------- C:\Program Files\Sony
2007-08-23 17:58 49,024 --a--c--- C:\WINDOWS\system32\dllcache\mstape.sys
2007-08-23 17:58 49,024 --a------ C:\WINDOWS\system32\drivers\mstape.sys
2007-08-23 17:58 13,696 --a--c--- C:\WINDOWS\system32\dllcache\avcstrm.sys
2007-08-23 17:58 13,696 --a------ C:\WINDOWS\system32\drivers\avcstrm.sys
2007-08-23 17:57 48,128 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys
2007-08-23 17:57 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2007-08-23 17:57 38,912 --a--c--- C:\WINDOWS\system32\dllcache\avc.sys
2007-08-23 17:57 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2007-08-23 17:40 6,400 --a--c--- C:\WINDOWS\system32\dllcache\enum1394.sys
2007-08-23 17:40 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2007-08-23 17:39 61,056 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys
2007-08-23 17:39 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2007-08-23 17:39 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2007-08-23 17:39 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2007-08-21 15:03 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-08-21 15:03 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-08-21 15:03 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-08-21 15:03 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-08-19 11:06 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-01 22:04 167,936 --a------ C:\WINDOWS\system32\SpoonUninstall.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-30 23:51 --------- d-------- C:\DOCUME~1\DAVIDJ~1\APPLIC~1\U3
2007-08-30 19:55 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-30 19:17 --------- d-------- C:\DOCUME~1\DAVIDJ~1\APPLIC~1\ATI
2007-08-30 16:15 --------- d-------- C:\DOCUME~1\ADAMJO~1\APPLIC~1\ATI
2007-08-29 22:06 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-27 03:57 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-08-26 22:41 --------- d-------- C:\DOCUME~1\DAVIDJ~1\APPLIC~1\RipIt4Me
2007-08-11 00:59 --------- d-------- C:\DOCUME~1\DAVIDJ~1\APPLIC~1\AdobeUM
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-04 14:40 --------- d-------- C:\DOCUME~1\DAVIDJ~1\APPLIC~1\.BitZip
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2006-11-26 15:21 9232 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmmdfl.sys
2006-11-26 15:21 92064 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmmdm.sys
2006-11-26 15:21 79328 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmserd.sys
2006-11-26 15:21 66656 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmbus.sys
2006-11-26 15:21 6208 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmcmnt.sys
2006-11-26 15:21 5936 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmwhnt.sys
2006-11-26 15:21 4048 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmcr.sys
2006-11-26 15:21 25600 --a------ C:\DOCUME~1\DAVIDJ~1\usbsermptxp.sys
2006-11-26 15:21 22768 --a------ C:\DOCUME~1\DAVIDJ~1\usbsermpt.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-04-12 11:30]
"Norton Save and Restore"="D:\Program Files\Norton Save and Restore\Agent\NSRTray.exe" [2006-04-11 20:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 04:10]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 02:50]
"Cmaudio"="cmicnfg.cpl" []
"NapsterShell"="D:\Program Files\Napster\napster.exe" [2007-01-12 20:36]
"AudioHQ"="D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [2000-05-11 02:00]
"Ad-Aware"="D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" [2005-05-27 14:24]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 02:55]
"PhoneTray"="D:\Program Files\TraySoft\PhoneTray\PhoneTray.exe" []
"teqwpkb.dll"="C:\Documents and Settings\djockers\Local Settings\Application Data\teqwpkb.dll" []
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE" [2006-07-25 18:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOMAD Detector"="E:\Program Files\Creative\PlayCenter2\CTNMRun.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"AWMON"="D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 12:12]
"ATI Launchpad"="D:\Program Files\ATI Multimedia\main\LaunchPd.exe" [2001-10-02 15:23]

C:\DOCUME~1\DAVIDJ~1\STARTM~1\Programs\Startup
Picture Motion Browser Media Check Tool.lnk - D:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-08-29 22:00:23]
UMScheduler 2.0.lnk - C:\Nokia\Update_Manager\bin\UMScheduler.exe [2006-12-26 19:13:03]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

R1 prcmondrv;prcmondrv;\??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys
R1 V2IMount;V2IMount;C:\WINDOWS\system32\drivers\V2IMount.sys
R2 BCMNTIO;BCMNTIO;\??\D:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS
R2 MAPMEM;MAPMEM;\??\D:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys
R2 Norton Save and Restore;Norton Save and Restore;D:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
R3 ATITUNEP;ATI WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\atintuxx.sys
R3 ativraxx;ATI WDM Rage Theater Audio;C:\WINDOWS\system32\DRIVERS\atinraxx.sys
R3 ATIXSAudio;ATI WDM TV Audio Crossbar;C:\WINDOWS\system32\DRIVERS\atinxsxx.sys
R3 epcfw2k;SCM Parallel Port CF Driver;C:\WINDOWS\system32\DRIVERS\epcfw2k.sys
R3 NPDriver;Norton UnErase Protection Driver;\??\C:\WINDOWS\System32\Drivers\NPDRIVER.SYS
R3 PCDCODEC;ATI WDM Specialized PCD Codec;C:\WINDOWS\system32\DRIVERS\atinpdxx.sys
R3 XUIF;X10 USB Wireless Transceiver;C:\WINDOWS\system32\Drivers\x10ufx2.sys
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys
S3 SDdriver;SDdriver;\??\C:\WINDOWS\System32\Drivers\sddriver.sys
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ssm_bus.sys
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys
S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\LaunchU3.exe -a

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-09-01 04:33:57 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - djockers.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-01 12:04:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???&???????????? C?????Disc Detector?B???A???????A?0 ????B???@?$?@?? C?????U?@?????????@?B???A???????A?? ????B???@?????P???$?@?@ ????????A~??????????@?s?????????????????B?????? ????????????????????????????B

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-01 12:08:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-01 12:08

--- E O F ---

Let me add that I know that references to "teqwpkb.dll" have been part of my problem. That was the problem in the last attack I had... and I still see references to it in these logs. I was never quite able to completely root it out of my system.

Any suggestions will be greatly appreciated. Thanks!

Edited by TMacK, 01 September 2007 - 01:02 PM.


#3 djockers

djockers
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:27 PM

Posted 01 September 2007 - 12:16 PM

Finally, here is the most recent hijackthis log...


~~~~~~~~~~~~~~~~~~



Logfile of HijackThis v1.99.1
Scan saved at 12:39:28 PM, on 9/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton Save and Restore\Agent\NSRTray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
D:\Program Files\Napster\napster.exe
D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Save and Restore] "D:\Program Files\Norton Save and Restore\Agent\NSRTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NapsterShell] D:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Ad-Aware] "D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" +c
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [PhoneTray] D:\Program Files\TraySoft\PhoneTray\PhoneTray.exe
O4 - HKLM\..\Run: [teqwpkb.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\djockers\Local Settings\Application Data\teqwpkb.dll",gilanjf
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [CTAvTray] D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\RunOnce: [CTAVTray] D:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [NOMAD Detector] "E:\Program Files\Creative\PlayCenter2\CTNMRun.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "D:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = D:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: UMScheduler 2.0.lnk = C:\Nokia\Update_Manager\bin\UMScheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - D:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - D:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150769594675
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150770728812
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - D:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Save and Restore - Symantec Corporation - D:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - D:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

#4 djockers (Topic Starter)

Posted 01 September 2007 - 03:02 PM

Sorry, guess I posted in the wrong forum -- but any help in here would be greatly appreciated.

Thanks!

#5 djockers (Topic Starter)

Posted 03 September 2007 - 10:10 AM

Anybody there?

:thumbsup:

#6 djockers (Topic Starter)

Posted 04 September 2007 - 05:28 PM

Suggestions?

Edited by djockers, 04 September 2007 - 05:30 PM.


#7 amateur (Malware Fighter, Malware Response Team)

Posted 05 September 2007 - 10:12 AM

Hello and welcome to BC. :thumbsup:

Sorry for the delayed response. The fact that you bumped your post a few times made it appear as if the post had been replied to. The helpers answer the "0" reply logs first.

Please disable Adaware's Adwatch so that it will not interfere with the fixes.

Scan with HijackThis and put a checkmark against the following entry:

O4 - HKLM\..\Run: [teqwpkb.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\djockers\Local Settings\Application Data\teqwpkb.dll",gilanjf

Close all browsers and click on "fix checked".

===============================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u2.
  • Scroll down to where it says "The JSE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6.0 windows-i586-p.exe to install the newest version.

===============================

Go to Start>Control Panel>Add/Remove Programs and remove if Kaspersky online scanner is present prior to downloading the most up-to-date one.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next, click on Launch Kaspersky Online Scanner. Also, let me know how the computer is running.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop in txt format.
Copy and paste that information from Kaspersky in your next post.

*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

==============================

Reboot your computer and post back a fresh HijackThis log along with the Kaspersky report please.
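A way to pick out entries like the O4 line in this post mechanically from a full HijackThis log, as an added example that is not part of this thread and not anything HijackThis itself reports: the script parses O4 (Run-key) and O23 (service) lines and flags rundll32-hosted DLLs that live under a user profile directory, plus services whose binary HijackThis marked "(file missing)". The teqwpkb.dll O4 line and the O23 lines in the sample are copied from the logs in this thread; the ExampleUpdater O4 line is constructed for contrast, and the heuristics (which paths count as user-writable, the all-lowercase export name) are this example's own assumptions.

```python
"""Triage O4 (Run key) and O23 (service) lines from a HijackThis log.

Added example for this thread; not HijackThis code and not from the posts.
Flags:
  * O4 entries where rundll32.exe is the host and the DLL it loads sits in a
    user-writable profile directory (the pattern of the teqwpkb.dll entry);
  * O23 services whose binary HijackThis could not find on disk.
"Unknown owner" is only recorded as an extra reason: ordinary OEM services
in this thread's log (ATI Smart, for one) carry it as well.
"""
import re
from typing import Dict, List

# Sample input. The teqwpkb.dll O4 line and the O23 lines are copied from the
# logs in this thread; the ExampleUpdater O4 line is constructed for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [teqwpkb.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\djockers\Local Settings\Application Data\teqwpkb.dll",gilanjf
O4 - HKCU\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - D:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# [path\]rundll32.exe "dll path",Export   or   rundll32.exe dllpath,Export
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s]+))\s*,\s*(?P<export>\S+)',
    re.IGNORECASE)
# Assumed user-writable locations on XP and on later Windows versions.
USER_PROFILE_RE = re.compile(
    r'\\Documents and Settings\\|\\Users\\|\\Application Data\\|\\AppData\\', re.IGNORECASE)


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious O4/O23 line, in log order."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            r = RUNDLL32_RE.search(m['cmd'])
            if not r:
                continue
            dll = r['qdll'] or r['dll']
            if not USER_PROFILE_RE.search(dll):
                continue  # rundll32 loading from system32 or Program Files is routine
            reasons = ['rundll32.exe used as host process',
                       'DLL lives under a user-writable profile path']
            export = r['export']
            if export.isalpha() and export.islower():
                reasons.append(f"export '{export}' is an all-lowercase token (weak signal)")
            findings.append({'type': 'O4', 'hive': m['hive'], 'name': m['name'],
                             'dll': dll, 'export': export, 'reasons': reasons})
            continue
        m = O23_RE.match(line)
        if m and m['path'].lower().endswith('(file missing)'):
            reasons = ['service binary not found on disk']
            if m['owner'].strip().lower() == 'unknown owner':
                reasons.append('no publisher recorded for the binary')
            findings.append({'type': 'O23', 'name': m['display'], 'owner': m['owner'],
                             'path': m['path'], 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['type']} {f['name']}")
        for reason in f['reasons']:
            print(f"    - {reason}")
```

Run against the sample it reports the teqwpkb.dll entry with three reasons and the two services whose binaries are gone (rpcapd and WinVNC4), and nothing for ATI Smart or the constructed updater line. A missing service binary is a leftover from an uninstall more often than malware, so those are cleanup candidates rather than infections; the rundll32-from-profile pattern is the one that matters here, and a fixed entry that returns after every reboot, as reported further down this thread, means whatever re-creates it still has to be found.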

#8 djockers (Topic Starter)

Posted 05 September 2007 - 07:01 PM

Thanks amateur, I'm just happy to get a response... so thanks upfront!

I followed your instructions and shut down Adware and re-ran HJT -- then removed the file/line in question... by checking it and hitting fix checked. However, each time that I restart the computer, that line comes back. So something keeps recreating it somewhere.

I also removed and re-installed the latest Java.

As for Kaspersky, I'm having problems here too... after clicking okay on the ActiveX install, it asks to install the kavwebscan_unicode.cab file -- which is okay, but then it gives me a warning that it cannot locate the 002E08D9.key file. And it is looking in the Temp directory. Obviously the key file unlocks the cab to install the files for the online scan... and it's a no go. I did a google search and see others have had this problem too -- but I did not find a solution. Any suggestions?

That's the latest -- I will add that the computer is running "normal" again... after running the fixwareout and combofix mentioned above... however I note that the files related to the Trustin stuff are still there. That's why I'm here this time looking for help. I'm afraid this problem is going to come back again, so I'm trying to root it out now.

Let me know if any suggestions on the Kaspersky problem. Thanks again!

#9 amateur (Malware Fighter, Malware Response Team)

Posted 05 September 2007 - 08:02 PM

Hi,

Please discard the version of Combofix you had and download this one:

ComboFix

Note: It is important that it is saved directly to your desktop. Don't scan with it yet.

=========================================

Open notepad (it must be notepad, not wordpad, or it won't work) and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\djockers\Local Settings\Application Data\teqwpkb.dll
C:\WINDOWS\system32\authzs.dll
C:\WINDOWS\system32\avifilebs.dll
C:\WINDOWS\system32\avicapb.dll
C:\WINDOWS\system32\asycfiltv.dll
C:\WINDOWS\system32\admparseb.dll
C:\WINDOWS\system32\batmetera.dll
C:\WINDOWS\system32\asferrorss.dll
C:\WINDOWS\system32\bthcib.dll
C:\WINDOWS\system32\adptifv.dll
C:\WINDOWS\system32\avtapiv.dll
C:\WINDOWS\system32\basesrvv.dll
C:\WINDOWS\system32\bthservv.dll
C:\WINDOWS\system32\audiosrvv.dll
C:\WINDOWS\system32\asferrors.dll
C:\WINDOWS\system32\camocxv.dll
C:\WINDOWS\system32\SpoonUninstall.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"teqwpkb.dll"=-


Save this as CFScript.txt

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply and a fresh HijackThis log.

====================================

When you're done with the above, let's try a different online scanner.

Panda ActiveScan
  • Click on Posted Image located at the bottom of the page.
  • A "pop up" window will appear. Please ensure that your pop up blocker doesn't block it
  • Enter your e-mail address, country, and state & click "Free Online Scan" The download of the 8 MB Panda's ActiveX control will take place
Begin the scan by selecting Posted Image
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on Posted Image then click Posted Image and post back the contents please.
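The CFScript above uses two directives: File:: (one path per line to delete) and Registry:: (.reg-style lines, where "name"=- under a [key] removes that value). As an added example, not ComboFix's own code and not from anyone in this thread, the script below parses a CFScript of that shape and reconciles it against the "Other Deletions" section of the log ComboFix writes, so you can see which requested deletions the log actually confirms instead of assuming the script handled everything. The two inputs are copied from this thread: the CFScript from this post, and the "Other Deletions" section of the ComboFix log posted later (its header lines are shortened; the regex accepts any run of parentheses). That ComboFix reports removed files under that header, and the header pattern itself, are this example's assumptions.

```python
"""Reconcile a ComboFix CFScript with the 'Other Deletions' section of the log
ComboFix wrote. Added example for this thread, not ComboFix's own code.
File:: lists paths to delete; under Registry::, "name"=- removes a value from
the preceding [key]. Other directives are collected as unhandled, not guessed."""
import re

# Copied from this thread: the CFScript above and the "Other Deletions"
# section of the ComboFix log posted later (header paren runs shortened).
CFSCRIPT = r"""File::
C:\Documents and Settings\djockers\Local Settings\Application Data\teqwpkb.dll
C:\WINDOWS\system32\authzs.dll
C:\WINDOWS\system32\avifilebs.dll
C:\WINDOWS\system32\avicapb.dll
C:\WINDOWS\system32\asycfiltv.dll
C:\WINDOWS\system32\admparseb.dll
C:\WINDOWS\system32\batmetera.dll
C:\WINDOWS\system32\asferrorss.dll
C:\WINDOWS\system32\bthcib.dll
C:\WINDOWS\system32\adptifv.dll
C:\WINDOWS\system32\avtapiv.dll
C:\WINDOWS\system32\basesrvv.dll
C:\WINDOWS\system32\bthservv.dll
C:\WINDOWS\system32\audiosrvv.dll
C:\WINDOWS\system32\asferrors.dll
C:\WINDOWS\system32\camocxv.dll
C:\WINDOWS\system32\SpoonUninstall.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"teqwpkb.dll"=-
"""
COMBOFIX_LOG = r"""((((( Other Deletions )))))

C:\WINDOWS\system32\admparseb.dll
C:\WINDOWS\system32\adptifv.dll
C:\WINDOWS\system32\asferrors.dll
C:\WINDOWS\system32\asferrorss.dll
C:\WINDOWS\system32\asycfiltv.dll
C:\WINDOWS\system32\audiosrvv.dll
C:\WINDOWS\system32\authzs.dll
C:\WINDOWS\system32\avicapb.dll
C:\WINDOWS\system32\avifilebs.dll
C:\WINDOWS\system32\avtapiv.dll
C:\WINDOWS\system32\basesrvv.dll
C:\WINDOWS\system32\batmetera.dll
C:\WINDOWS\system32\bthcib.dll
C:\WINDOWS\system32\bthservv.dll
C:\WINDOWS\system32\camocxv.dll
C:\WINDOWS\system32\SpoonUninstall.exe

((((( Files Created from 2007-08-07 to 2007-09-07 )))))

2007-09-05 17:58 <DIR> d-------- C:\DOCUME~1\DAVIDJ~1\.SunDownloadManager
"""
SECTION_RE = re.compile(r'^([A-Za-z]+)::$')
REG_KEY_RE = re.compile(r'^\[([^\]]+)\]$')
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
LOG_HEADER_RE = re.compile(r'^\({3,}\s*(.+?)\s*\){3,}$')


def parse_cfscript(text):
    """Return (paths to delete, (key, value) deletes, lines not interpreted)."""
    files, reg_deletes, unhandled = [], [], []
    section = key = None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = SECTION_RE.match(line)
        if m:
            section, key = m[1], None
        elif section == 'File':
            files.append(line)
        elif section == 'Registry' and REG_KEY_RE.match(line):
            key = REG_KEY_RE.match(line)[1]
        elif section == 'Registry' and key and REG_VALUE_RE.match(line):
            name, data = REG_VALUE_RE.match(line).groups()
            if data == '-':
                reg_deletes.append((key, name))
            else:
                unhandled.append(line)  # value sets are out of scope here
        else:
            unhandled.append(line)  # directives this helper does not interpret
    return files, reg_deletes, unhandled


def other_deletions(log_text):
    """Paths under the 'Other Deletions' header, up to the next header line."""
    deleted, in_section = [], False
    for line in (l.strip() for l in log_text.splitlines()):
        h = LOG_HEADER_RE.match(line)
        if h:
            in_section = h[1].lower() == 'other deletions'
        elif in_section and line:
            deleted.append(line)
    return deleted


def reconcile(cfscript, log_text):
    """Requested files split into confirmed / unconfirmed, plus what the log removed unasked."""
    files, reg_deletes, unhandled = parse_cfscript(cfscript)
    removed = other_deletions(log_text)
    removed_lc = {p.lower() for p in removed}
    requested_lc = {p.lower() for p in files}
    return {
        'deleted': [p for p in files if p.lower() in removed_lc],
        'unconfirmed': [p for p in files if p.lower() not in removed_lc],
        'extra_deletions': [p for p in removed if p.lower() not in requested_lc],
        'registry_deletes': reg_deletes,
        'unhandled': unhandled,
    }
```

On these inputs it confirms 16 of the 17 files and lists teqwpkb.dll as unconfirmed; that is the DLL behind the Run entry reported earlier as coming back after every reboot, so it is the path to check again in the next HijackThis log rather than assume gone. The helper reads only "Other Deletions"; ComboFix's log has further sections (quarantine, registry changes) that this does not interpret.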

#10 djockers (Topic Starter)

Posted 06 September 2007 - 06:19 PM

Okay Amateur, here's the 3 results from all 3... first up, the Panda ActiveScan:


Incident | Status | Location
Spyware:Cookie/Atwola | Not disinfected | C:\Documents and Settings\djockers\Cookies\djockers@atwola[1].txt
Spyware:Cookie/BurstNet | Not disinfected | C:\Documents and Settings\djockers\Cookies\djockers@burstnet[1].txt
Spyware:Cookie/Ccbill | Not disinfected | C:\Documents and Settings\djockers\Cookies\djockers@ccbill[2].txt
Spyware:Cookie/Cd Freaks | Not disinfected | C:\Documents and Settings\djockers\Cookies\djockers@cdfreaks[1].txt
Spyware:Cookie/Cgi-bin | Not disinfected | C:\Documents and Settings\djockers\Cookies\djockers@cgi-bin[11].txt
Spyware:Cookie/Cgi-bin | Not disinfected | C:\Documents and Settings\djockers\Cookies\djockers@cgi-bin[4].txt
Spyware:Cookie/Cd Freaks | Not disinfected | C:\Documents and Settings\djockers\Cookies\djockers@club.cdfreaks[1].txt
Spyware:Cookie/did-it | Not disinfected | C:\Documents and Settings\djockers\Cookies\djockers@did-it[1].txt
Spyware:Cookie/GoStats | Not disinfected | C:\Documents and Settings\djockers\Cookies\djockers@gostats[1].txt
Spyware:Cookie/Go | Not disinfected | C:\Documents and Settings\djockers\Cookies\djockers@go[1].txt
Spyware:Cookie/Screensavers | Not disinfected | C:\Documents and Settings\djockers\Cookies\djockers@i.screensavers[2].txt
Spyware:Cookie/Toplist | Not disinfected | C:\Documents and Settings\djockers\Cookies\djockers@toplist[1].txt
Spyware:Cookie/Xiti | Not disinfected | C:\Documents and Settings\djockers\Cookies\djockers@xiti[1].txt
Spyware:Cookie/Yadro | Not disinfected | C:\Documents and Settings\djockers\Cookies\djockers@yadro[1].txt
Potentially unwanted tool:Application/NirCmd.A | Not disinfected | C:\Documents and Settings\djockers\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A | Not disinfected | C:\fixwareout\FindT\nircmd.exe
Potentially unwanted tool:Application/Pskill.B | Not disinfected | C:\Nokia\Update_Manager\UninstallerData_UM_2_0\Shut_Down_UMC.exe
Virus:Trj/Downloader.ODN | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\inetloader.dll.vir
Virus:Trj/Downloader.MSW | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\admparseb.dll.vir
Virus:Trj/Downloader.MSW | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\adptifv.dll.vir
Virus:Trj/Downloader.MSW | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\amstreams.dll.vir
Virus:Trj/Downloader.MSW | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\asferrors.dll.vir
Virus:Trj/Downloader.MSW | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\asferrorss.dll.vir
Virus:Trj/Downloader.MSW | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\asycfiltv.dll.vir
Virus:Trj/Downloader.MSW | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\audiosrvv.dll.vir
Virus:Trj/Downloader.MSW | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\authzs.dll.vir
Virus:Trj/Downloader.MSW | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\avicapb.dll.vir
Virus:Trj/Downloader.MSW | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\avifilebs.dll.vir
Virus:Trj/Downloader.MSW | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\avtapiv.dll.vir
Virus:Trj/Downloader.MSW | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\basesrvv.dll.vir
Virus:Trj/Downloader.MSW | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\batmetera.dll.vir
Virus:Trj/Downloader.MSW | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\bthcib.dll.vir
Virus:Trj/Downloader.MSW | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\bthservv.dll.vir
Virus:Trj/Downloader.MSW | Disinfected | C:\qoobox\Quarantine\C\WINDOWS\system32\camocxv.dll.vir
Potentially unwanted tool:Application/NirCmd.A | Not disinfected | C:\RECYCLER\NPROTECT\00022691.CFE
Potentially unwanted tool:Application/NirCmd.A | Not disinfected | C:\RECYCLER\NPROTECT\00022692.exe
Potentially unwanted tool:Application/NirCmd.A | Not disinfected | C:\RECYCLER\NPROTECT\00022856.CFE
Potentially unwanted tool:Application/NirCmd.A | Not disinfected | C:\RECYCLER\NPROTECT\00022857.exe
Potentially unwanted tool:Application/NirCmd.A | Not disinfected | C:\RECYCLER\NPROTECT\00023409.CFE
Potentially unwanted tool:Application/NirCmd.A | Not disinfected | C:\RECYCLER\NPROTECT\00023410.exe
Potentially unwanted tool:Application/NirCmd.A | Not disinfected | C:\WINDOWS\nircmd.exe
Virus:Trj/Downloader.MSW | Disinfected | C:\WINDOWS\system32\atl71b.dll
Virus:Trj/Downloader.MSW | Disinfected | C:\WINDOWS\system32\atlb.dll
Virus:Trj/Downloader.MSW | Disinfected | C:\WINDOWS\system32\Audio3Db.dll
Virus:Trj/Downloader.MSW | Disinfected | C:\WINDOWS\system32\audiosrvb.dll
Virus:Trj/Downloader.MSW | Disinfected | C:\WINDOWS\system32\avifileb.dll
Virus:Trj/Downloader.MSW | Disinfected | C:\WINDOWS\system32\avtapis.dll
Virus:Trj/Downloader.MSW | Disinfected | C:\WINDOWS\system32\bootvida.dll
Adware:Adware/TrustIn | Not disinfected | D:\Program Files\Hijack This\backups\backup-20070828-233039-478.dll



=====================================================================================


Next up, the ComboFix log:


ComboFix 07-09-07 - "djockers" 2007-09-07 16:11:10.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.367 [GMT -4:00]
Command switches used :: C:\Documents and Settings\djockers\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Documents and Settings\djockers\Local Settings\Application Data\teqwpkb.dll
C:\WINDOWS\system32\authzs.dll
C:\WINDOWS\system32\avifilebs.dll
C:\WINDOWS\system32\avicapb.dll
C:\WINDOWS\system32\asycfiltv.dll
C:\WINDOWS\system32\admparseb.dll
C:\WINDOWS\system32\batmetera.dll
C:\WINDOWS\system32\asferrorss.dll
C:\WINDOWS\system32\bthcib.dll
C:\WINDOWS\system32\adptifv.dll
C:\WINDOWS\system32\avtapiv.dll
C:\WINDOWS\system32\basesrvv.dll
C:\WINDOWS\system32\bthservv.dll
C:\WINDOWS\system32\audiosrvv.dll
C:\WINDOWS\system32\asferrors.dll
C:\WINDOWS\system32\camocxv.dll
C:\WINDOWS\system32\SpoonUninstall.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\admparseb.dll
C:\WINDOWS\system32\adptifv.dll
C:\WINDOWS\system32\asferrors.dll
C:\WINDOWS\system32\asferrorss.dll
C:\WINDOWS\system32\asycfiltv.dll
C:\WINDOWS\system32\audiosrvv.dll
C:\WINDOWS\system32\authzs.dll
C:\WINDOWS\system32\avicapb.dll
C:\WINDOWS\system32\avifilebs.dll
C:\WINDOWS\system32\avtapiv.dll
C:\WINDOWS\system32\basesrvv.dll
C:\WINDOWS\system32\batmetera.dll
C:\WINDOWS\system32\bthcib.dll
C:\WINDOWS\system32\bthservv.dll
C:\WINDOWS\system32\camocxv.dll
C:\WINDOWS\system32\SpoonUninstall.exe


((((((((((((((((((((((((( Files Created from 2007-08-07 to 2007-09-07 )))))))))))))))))))))))))))))))


2007-09-05 17:58 <DIR> d-------- C:\DOCUME~1\DAVIDJ~1\.SunDownloadManager
2007-09-02 17:05 <DIR> d-------- C:\Program Files\Google
2007-09-01 11:51 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-01 11:30 7,044 --a------ C:\dnsbak.reg
2007-08-31 19:45 21,504 --a------ C:\WINDOWS\system32\avifileb.dll
2007-08-30 19:55 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
2007-08-30 19:54 9,136 --------- C:\WINDOWS\system32\INETWH16.DLL
2007-08-30 19:54 66,560 --------- C:\WINDOWS\system32\atiyuv12.dll
2007-08-30 19:54 643,072 --------- C:\WINDOWS\system32\PCcheck.dll
2007-08-30 19:54 6,144 --------- C:\WINDOWS\system32\drivers\cinemsup.sys
2007-08-30 19:54 45,056 --------- C:\WINDOWS\system32\atimiaaa.dll
2007-08-30 19:54 4,557 --------- C:\WINDOWS\system32\atiicdxx.sys
2007-08-30 19:54 327,748 --------- C:\WINDOWS\system32\atiicdxx.dll
2007-08-30 19:54 10,249 --------- C:\WINDOWS\system32\drivers\x10uif.sys
2007-08-30 19:54 <DIR> d-------- C:\Program Files\Common Files\Ravisent Shared
2007-08-30 19:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ATI MMC
2007-08-30 19:10 <DIR> d-------- C:\Program Files\Common Files\ATI
2007-08-30 19:10 <DIR> d-------- C:\Program Files\ATI Multimedia
2007-08-30 19:02 <DIR> d-------- C:\Program Files\TitanTV
2007-08-30 19:02 <DIR> d-------- C:\Program Files\msaccrt
2007-08-30 19:01 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-08-30 19:01 <DIR> d-------- C:\WINDOWS\system32\windows media
2007-08-30 19:01 <DIR> d-------- C:\Program Files\Windows Media Components
2007-08-30 18:55 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-08-30 18:54 <DIR> d-------- C:\Program Files\ATI Technologies
2007-08-29 22:04 6,097 --a------ C:\WINDOWS\system32\drivers\sonyhcb.sys
2007-08-29 22:04 53,248 --a------ C:\WINDOWS\system32\SONYHCY.DLL
2007-08-29 22:04 38,739 --a------ C:\WINDOWS\system32\drivers\sonyhcc.sys
2007-08-29 22:04 3,654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2007-08-29 22:04 299,923 --a------ C:\WINDOWS\system32\drivers\sonyhcs.sys
2007-08-29 22:04 102,220 --a------ C:\WINDOWS\system32\drivers\sonypvs1.sys
2007-08-29 22:04 <DIR> d-------- C:\Drivers
2007-08-29 21:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony Corporation
2007-08-26 13:19 6,912 --a------ C:\WINDOWS\system32\drivers\vulfnth.sys
2007-08-26 13:19 45,056 --a------ C:\WINDOWS\system32\vusetup.dll
2007-08-26 13:19 11,264 --a------ C:\WINDOWS\system32\drivers\vulfntr.sys
2007-08-26 13:08 <DIR> d-------- C:\Program Files\WinPcap
2007-08-26 13:07 <DIR> d-------- C:\Program Files\xtg101 Setup
2007-08-25 18:48 51,328 --a--c--- C:\WINDOWS\system32\dllcache\msdv.sys
2007-08-25 18:48 51,328 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-08-25 18:35 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-25 18:35 <DIR> d-------- C:\Program Files\Common Files\DeskShare Shared
2007-08-24 20:18 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2007-08-24 20:18 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2007-08-24 20:18 71,680 --a--c--- C:\WINDOWS\system32\dllcache\fnfilter.dll
2007-08-24 20:18 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2007-08-24 20:18 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2007-08-24 20:18 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2007-08-24 19:07 <DIR> d-------- C:\DOCUME~1\DAVIDJ~1\APPLIC~1\Sony Corporation
2007-08-24 18:52 <DIR> d-------- C:\Program Files\Sony
2007-08-23 17:58 49,024 --a--c--- C:\WINDOWS\system32\dllcache\mstape.sys
2007-08-23 17:58 49,024 --a------ C:\WINDOWS\system32\drivers\mstape.sys
2007-08-23 17:58 13,696 --a--c--- C:\WINDOWS\system32\dllcache\avcstrm.sys
2007-08-23 17:58 13,696 --a------ C:\WINDOWS\system32\drivers\avcstrm.sys
2007-08-23 17:57 48,128 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys
2007-08-23 17:57 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2007-08-23 17:57 38,912 --a--c--- C:\WINDOWS\system32\dllcache\avc.sys
2007-08-23 17:57 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2007-08-23 17:40 6,400 --a--c--- C:\WINDOWS\system32\dllcache\enum1394.sys
2007-08-23 17:40 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2007-08-23 17:39 61,056 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys
2007-08-23 17:39 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2007-08-23 17:39 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2007-08-23 17:39 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2007-08-21 15:03 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-08-21 15:03 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-08-21 15:03 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-08-21 15:03 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-08-19 11:06 <DIR> d-------- C:\Program Files\MSXML 6.0


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-06 15:36 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-05 17:33 --------- d-------- C:\DOCUME~1\DAVIDJ~1\APPLIC~1\U3
2007-09-04 15:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-30 19:17 --------- d-------- C:\DOCUME~1\DAVIDJ~1\APPLIC~1\ATI
2007-08-30 16:15 --------- d-------- C:\DOCUME~1\ADAMJO~1\APPLIC~1\ATI
2007-08-27 03:57 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-08-26 22:41 --------- d-------- C:\DOCUME~1\DAVIDJ~1\APPLIC~1\RipIt4Me
2007-08-11 00:59 --------- d-------- C:\DOCUME~1\DAVIDJ~1\APPLIC~1\AdobeUM
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2006-11-26 15:21 9232 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmmdfl.sys
2006-11-26 15:21 92064 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmmdm.sys
2006-11-26 15:21 79328 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmserd.sys
2006-11-26 15:21 66656 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmbus.sys
2006-11-26 15:21 6208 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmcmnt.sys
2006-11-26 15:21 5936 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmwhnt.sys
2006-11-26 15:21 4048 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmcr.sys
2006-11-26 15:21 25600 --a------ C:\DOCUME~1\DAVIDJ~1\usbsermptxp.sys
2006-11-26 15:21 22768 --a------ C:\DOCUME~1\DAVIDJ~1\usbsermpt.sys


((((((((((((((((((((((((((((( snapshot_2007-09-01_120712.64 )))))))))))))))))))))))))))))))))))))))))

----a-w 9,118 2007-09-04 20:38:58 C:\WINDOWS\hh.dat
----a-r 26,694 2007-09-02 16:14:22 C:\WINDOWS\Installer\{9578C0CD-8108-4379-9026-4601F59859A0}\ARPPRODUCTICON.exe
----a-r 26,694 2007-09-02 16:14:22 C:\WINDOWS\Installer\{9578C0CD-8108-4379-9026-4601F59859A0}\googleearth.exe1_29622F4A245C41268764897E21E888D1.exe
----a-r 26,694 2007-09-02 16:14:22 C:\WINDOWS\Installer\{9578C0CD-8108-4379-9026-4601F59859A0}\googleearth.exe_29622F4A245C41268764897E21E888D1.exe
----a-r 65,536 2007-09-02 16:14:22 C:\WINDOWS\Installer\{9578C0CD-8108-4379-9026-4601F59859A0}\NewShortcut1_29622F4A245C41268764897E21E888D1.exe
----a-r 65,536 2007-09-02 16:14:22 C:\WINDOWS\Installer\{9578C0CD-8108-4379-9026-4601F59859A0}\NewShortcut2_29622F4A245C41268764897E21E888D1.exe
----a-r 26,694 2007-09-02 16:14:22 C:\WINDOWS\Installer\{9578C0CD-8108-4379-9026-4601F59859A0}\UNINST_Uninstall_G_29622F4A245C41268764897E21E888D1.exe
----a-w 135,168 2007-07-12 05:22:00 C:\WINDOWS\system32\java.exe
----a-w 135,168 2007-07-12 05:22:04 C:\WINDOWS\system32\javaw.exe
----a-w 139,264 2007-07-12 06:22:38 C:\WINDOWS\system32\javaws.exe
----atw 16,384 2007-09-07 20:14:48 C:\WINDOWS\Temp\Perflib_Perfdata_514.dat
---------
----a-w 9,118 2007-08-26 00:40:58 C:\WINDOWS\hh.dat
----a-w 49,248 2006-10-12 06:35:14 C:\WINDOWS\system32\java.exe
----a-w 53,346 2006-10-12 06:35:24 C:\WINDOWS\system32\javaw.exe
----a-w 127,078 2006-10-12 08:10:56 C:\WINDOWS\system32\javaws.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-04-12 11:30]
"Norton Save and Restore"="D:\Program Files\Norton Save and Restore\Agent\NSRTray.exe" [2006-04-11 20:36]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 02:50]
"Cmaudio"="cmicnfg.cpl" []
"NapsterShell"="D:\Program Files\Napster\napster.exe" [2007-01-12 20:36]
"AudioHQ"="D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [2000-05-11 02:00]
"Ad-Aware"="D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" [2005-05-27 14:24]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 02:55]
"PhoneTray"="D:\Program Files\TraySoft\PhoneTray\PhoneTray.exe" []
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"CTAvTray"="D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE" [2000-09-01 02:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOMAD Detector"="E:\Program Files\Creative\PlayCenter2\CTNMRun.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"AWMON"="D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 12:12]
"ATI Launchpad"="D:\Program Files\ATI Multimedia\main\LaunchPd.exe" [2001-10-02 15:23]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Acrobat Assistant.lnk - D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56]
Microsoft Office OneNote 2003 Quick Launch.lnk - D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-03-17 14:06:14]

C:\DOCUME~1\DAVIDJ~1\STARTM~1\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - D:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-08-29 22:00:23]
UMScheduler 2.0.lnk - C:\Nokia\Update_Manager\bin\UMScheduler.exe [2006-12-26 19:13:03]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

R1 prcmondrv;prcmondrv;\??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys
R1 V2IMount;V2IMount;C:\WINDOWS\system32\drivers\V2IMount.sys
R2 BCMNTIO;BCMNTIO;\??\D:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS
R2 MAPMEM;MAPMEM;\??\D:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys
R2 Norton Save and Restore;Norton Save and Restore;D:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
R3 ATITUNEP;ATI WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\atintuxx.sys
R3 ativraxx;ATI WDM Rage Theater Audio;C:\WINDOWS\system32\DRIVERS\atinraxx.sys
R3 ATIXSAudio;ATI WDM TV Audio Crossbar;C:\WINDOWS\system32\DRIVERS\atinxsxx.sys
R3 epcfw2k;SCM Parallel Port CF Driver;C:\WINDOWS\system32\DRIVERS\epcfw2k.sys
R3 NPDriver;Norton UnErase Protection Driver;\??\C:\WINDOWS\System32\Drivers\NPDRIVER.SYS
R3 PCDCODEC;ATI WDM Specialized PCD Codec;C:\WINDOWS\system32\DRIVERS\atinpdxx.sys
R3 XUIF;X10 USB Wireless Transceiver;C:\WINDOWS\system32\Drivers\x10ufx2.sys
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys
S3 SDdriver;SDdriver;\??\C:\WINDOWS\System32\Drivers\sddriver.sys
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ssm_bus.sys
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys
S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\LaunchU3.exe -a

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
"2007-09-01 04:33:57 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - djockers.job"

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-07 16:15:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???D???????????? C?????Disc Detector?B???A???????A?` ????B???@?$?@?? C?????U?@?????????@?B???A???????A?? ????B???@?????P???$?@?p ????????A~??????????@??? ???????????????B?????? ????????????????????????????B
CTAvTray = D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE??s$?????A~????$???Z?A~????*?A~??????a???a???????????????????????????@?????????????????d???????W?D~???sx??s@????????M2?D??sh??s$??????????s????(????&?s?????M2??M2?????(????B?s?92? @@????? @@??M2??B?s??
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
CTAVTray = D:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI?A~????$???Z?A~????*?A~??????a???a???????????????????????????@?????????????????d???????W?D~???sx??s@????????M2?D??sh??s$??????????s????(????&?s?????M2??M2?????(????B?s?92? @@????? @@??M2??B?s??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-07 16:19:24 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-07 16:19
C:\ComboFix2.txt ... 2007-09-07 16:03
C:\ComboFix3.txt ... 2007-09-01 12:08

--- E O F ---


==================================================================================================


Finally, a HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 7:18:34 PM, on 9/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton Save and Restore\Agent\NSRTray.exe
D:\Program Files\Napster\napster.exe
D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Save and Restore] "D:\Program Files\Norton Save and Restore\Agent\NSRTray.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NapsterShell] D:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Ad-Aware] "D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" +c
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [PhoneTray] D:\Program Files\TraySoft\PhoneTray\PhoneTray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [CTAvTray] D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [teqwpkb.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\djockers\Local Settings\Application Data\teqwpkb.dll",gilanjf
O4 - HKLM\..\RunOnce: [CTAVTray] D:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [NOMAD Detector] "E:\Program Files\Creative\PlayCenter2\CTNMRun.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "D:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = D:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: UMScheduler 2.0.lnk = C:\Nokia\Update_Manager\bin\UMScheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - D:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - D:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150769594675
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150770728812
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - D:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Save and Restore - Symantec Corporation - D:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by djockers, 06 September 2007 - 06:25 PM.
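The HijackThis log above contains the one autostart entry that matters for this hijack: an O4 Run value that launches rundll32.exe against a DLL sitting in the user's Local Settings\Application Data folder. As an added example (not code from the thread, from HijackThis or from ComboFix), the following Python script parses O4 lines in HijackThis format and flags the pattern a malware responder looks for: rundll32 loading a DLL from a user-writable profile directory, a DLL that no longer exists on disk (an orphaned Run value, which is what produces the "Error loading ... The specified module could not be found" message at logon), and a Run value that is simply named after the DLL. The sample log lines and the set of files assumed to be present on disk are constructed here for the demonstration; only the teqwpkb.dll line is copied from this thread.

```python
import re

# Constructed sample log lines in HijackThis O4 format. The teqwpkb.dll line is
# the suspicious entry from this thread; the others are ordinary entries.
SAMPLE_HJT = r"""O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [teqwpkb.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\djockers\Local Settings\Application Data\teqwpkb.dll",gilanjf
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed stand-in for "what is actually on disk"; in a real triage you
# would test the path with os.path.exists instead. teqwpkb.dll is absent,
# matching the "specified module could not be found" error in the thread.
SAMPLE_PRESENT_FILES = {
    r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\WINDOWS\system32\rundll32.exe",
}

# "O4 - HKLM\..\Run: [name] command" (RunOnce etc. also match via Run\w*)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)

# rundll32[.exe] <dll>,<export>  with an optionally quoted DLL path
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

# Directory fragments that an ordinary user can write to; legitimate
# system-wide Run entries almost never load code from here.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\local settings\\",
    "\\application data\\",
    "\\temp\\",
    "\\users\\",
)


def parse_o4(hjt_text):
    """Return one dict (hive, key, name, cmd) per O4 line in the log text."""
    entries = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def assess_autostarts(hjt_text, present_files):
    """Flag rundll32-based Run entries that look like a DLL hijack remnant.

    present_files stands in for the filesystem; paths are compared
    case-insensitively because NTFS paths are.
    """
    present = {p.lower() for p in present_files}
    findings = []
    for entry in parse_o4(hjt_text):
        reasons = []
        m = RUNDLL_RE.search(entry["cmd"])
        if m:
            dll = m.group("dll")
            low = dll.lower()
            if any(marker in low for marker in USER_WRITABLE_MARKERS):
                reasons.append("rundll32 loads a DLL from a user-writable profile directory")
            # Only absolute paths are checked; bare names (cmicnfg.cpl) resolve via the system path
            if "\\" in dll and low not in present:
                reasons.append("referenced DLL is not on disk (orphaned Run value; "
                               "causes 'Error loading ...' at logon)")
            if entry["name"].lower() == low.rsplit("\\", 1)[-1]:
                reasons.append("Run value is named after the DLL itself")
        if reasons:
            findings.append({"hive": entry["hive"], "name": entry["name"],
                             "export": m.group("export"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in assess_autostarts(SAMPLE_HJT, SAMPLE_PRESENT_FILES):
        print(f"{f['hive']} Run [{f['name']}] export={f['export']}")
        for r in f["reasons"]:
            print("  -", r)
```

Run it as-is and only the teqwpkb.dll entry is reported, with all three reasons. The orphaned-value finding is the useful one for this thread: deleting the DLL without also removing the Run value leaves the logon error behind, and the reverse (removing the value while the DLL is still present and re-registered by something else) is how the hijack kept coming back.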


#11 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 06 September 2007 - 08:07 PM

Hi,

I suspect that Adwatch is rolling back the registry entries that we are deleting. Please uninstall Adaware completely via Add or Remove Programs in Control Panel. You can reinstall it once the system is clean.

=========================

Reboot your computer.

=========================

Open notepad (it must be notepad, not wordpad, or it won't work) and copy/paste the text inside the codebox below into it:


File::
C:\WINDOWS\system32\avifileb.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=-

Collect::[4]
C:\Documents and Settings\djockers\Local Settings\Application Data\teqwpkb.dll



Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

NOTE: The file must be uploaded before proceeding to the next step.

=================================

Reboot your computer.

=================================

Post a fresh HijackThis log and the Combofix log.

Edited by amateur, 06 September 2007 - 09:47 PM.


#12 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 06 September 2007 - 09:06 PM

When you're done with the above, can you also do this please:

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

#13 djockers

djockers
  • Topic Starter

  • Members
  • 14 posts

Posted 08 September 2007 - 03:51 PM

Thanks Amateur, sorry for the delayed response -- I've been busy with work and not home much to work on this computer... here are the logs, after doing everything you asked above... including uninstalling AdAware. I also submitted the file (through combofix) to BC as you and it asked me to.

I note that the problem file is still there -- in fact, I still get an error message every time I restart my computer. The message says the following:

"Error loading C:\Documents and Settings\djockers\Local Settings\Application Data\teqwpkb.dll
The specified module could not be found"

This is not something new, as I've been getting this message since the first time I tried to remove the hijacker several months ago. It comes up every time I start my computer. Anyhow, here are all 3 logs that you asked for... thanks again!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix 07-09-07 - "djockers" 2007-09-09 15:52:46.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.347 [GMT -4:00]
Command switches used :: C:\Documents and Settings\djockers\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\avifileb.dll


((((((((((((((((((((((((( Files Created from 2007-08-09 to 2007-09-09 )))))))))))))))))))))))))))))))


2007-09-07 16:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-05 17:58 <DIR> d-------- C:\DOCUME~1\DAVIDJ~1\.SunDownloadManager
2007-09-02 17:05 <DIR> d-------- C:\Program Files\Google
2007-09-01 11:51 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-01 11:30 7,044 --a------ C:\dnsbak.reg
2007-08-30 19:55 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
2007-08-30 19:54 9,136 --------- C:\WINDOWS\system32\INETWH16.DLL
2007-08-30 19:54 66,560 --------- C:\WINDOWS\system32\atiyuv12.dll
2007-08-30 19:54 643,072 --------- C:\WINDOWS\system32\PCcheck.dll
2007-08-30 19:54 6,144 --------- C:\WINDOWS\system32\drivers\cinemsup.sys
2007-08-30 19:54 45,056 --------- C:\WINDOWS\system32\atimiaaa.dll
2007-08-30 19:54 4,557 --------- C:\WINDOWS\system32\atiicdxx.sys
2007-08-30 19:54 327,748 --------- C:\WINDOWS\system32\atiicdxx.dll
2007-08-30 19:54 10,249 --------- C:\WINDOWS\system32\drivers\x10uif.sys
2007-08-30 19:54 <DIR> d-------- C:\Program Files\Common Files\Ravisent Shared
2007-08-30 19:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ATI MMC
2007-08-30 19:10 <DIR> d-------- C:\Program Files\Common Files\ATI
2007-08-30 19:10 <DIR> d-------- C:\Program Files\ATI Multimedia
2007-08-30 19:02 <DIR> d-------- C:\Program Files\TitanTV
2007-08-30 19:02 <DIR> d-------- C:\Program Files\msaccrt
2007-08-30 19:01 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-08-30 19:01 <DIR> d-------- C:\WINDOWS\system32\windows media
2007-08-30 19:01 <DIR> d-------- C:\Program Files\Windows Media Components
2007-08-30 18:55 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-08-30 18:54 <DIR> d-------- C:\Program Files\ATI Technologies
2007-08-29 22:04 6,097 --a------ C:\WINDOWS\system32\drivers\sonyhcb.sys
2007-08-29 22:04 53,248 --a------ C:\WINDOWS\system32\SONYHCY.DLL
2007-08-29 22:04 38,739 --a------ C:\WINDOWS\system32\drivers\sonyhcc.sys
2007-08-29 22:04 3,654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2007-08-29 22:04 299,923 --a------ C:\WINDOWS\system32\drivers\sonyhcs.sys
2007-08-29 22:04 102,220 --a------ C:\WINDOWS\system32\drivers\sonypvs1.sys
2007-08-29 22:04 <DIR> d-------- C:\Drivers
2007-08-29 21:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony Corporation
2007-08-26 13:19 6,912 --a------ C:\WINDOWS\system32\drivers\vulfnth.sys
2007-08-26 13:19 45,056 --a------ C:\WINDOWS\system32\vusetup.dll
2007-08-26 13:19 11,264 --a------ C:\WINDOWS\system32\drivers\vulfntr.sys
2007-08-26 13:08 <DIR> d-------- C:\Program Files\WinPcap
2007-08-26 13:07 <DIR> d-------- C:\Program Files\xtg101 Setup
2007-08-25 18:48 51,328 --a--c--- C:\WINDOWS\system32\dllcache\msdv.sys
2007-08-25 18:48 51,328 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-08-25 18:35 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-25 18:35 <DIR> d-------- C:\Program Files\Common Files\DeskShare Shared
2007-08-24 20:18 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2007-08-24 20:18 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2007-08-24 20:18 71,680 --a--c--- C:\WINDOWS\system32\dllcache\fnfilter.dll
2007-08-24 20:18 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2007-08-24 20:18 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2007-08-24 20:18 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2007-08-24 19:07 <DIR> d-------- C:\DOCUME~1\DAVIDJ~1\APPLIC~1\Sony Corporation
2007-08-24 18:52 <DIR> d-------- C:\Program Files\Sony
2007-08-23 17:58 49,024 --a--c--- C:\WINDOWS\system32\dllcache\mstape.sys
2007-08-23 17:58 49,024 --a------ C:\WINDOWS\system32\drivers\mstape.sys
2007-08-23 17:58 13,696 --a--c--- C:\WINDOWS\system32\dllcache\avcstrm.sys
2007-08-23 17:58 13,696 --a------ C:\WINDOWS\system32\drivers\avcstrm.sys
2007-08-23 17:57 48,128 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys
2007-08-23 17:57 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2007-08-23 17:57 38,912 --a--c--- C:\WINDOWS\system32\dllcache\avc.sys
2007-08-23 17:57 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2007-08-23 17:40 6,400 --a--c--- C:\WINDOWS\system32\dllcache\enum1394.sys
2007-08-23 17:40 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2007-08-23 17:39 61,056 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys
2007-08-23 17:39 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2007-08-23 17:39 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2007-08-23 17:39 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2007-08-21 15:03 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-08-21 15:03 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-08-21 15:03 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-08-21 15:03 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-08-19 11:06 <DIR> d-------- C:\Program Files\MSXML 6.0


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-09 15:38 --------- d-------- C:\DOCUME~1\DAVIDJ~1\APPLIC~1\Lavasoft
2007-09-07 20:13 --------- d-------- C:\DOCUME~1\DAVIDJ~1\APPLIC~1\U3
2007-09-07 17:08 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-07 16:46 --------- d-------- C:\DOCUME~1\DAVIDJ~1\APPLIC~1\Symantec
2007-09-07 16:42 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-09-04 15:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-30 19:17 --------- d-------- C:\DOCUME~1\DAVIDJ~1\APPLIC~1\ATI
2007-08-30 16:15 --------- d-------- C:\DOCUME~1\ADAMJO~1\APPLIC~1\ATI
2007-08-27 03:57 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-08-26 22:41 --------- d-------- C:\DOCUME~1\DAVIDJ~1\APPLIC~1\RipIt4Me
2007-08-11 00:59 --------- d-------- C:\DOCUME~1\DAVIDJ~1\APPLIC~1\AdobeUM
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2006-11-26 15:21 9232 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmmdfl.sys
2006-11-26 15:21 92064 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmmdm.sys
2006-11-26 15:21 79328 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmserd.sys
2006-11-26 15:21 66656 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmbus.sys
2006-11-26 15:21 6208 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmcmnt.sys
2006-11-26 15:21 5936 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmwhnt.sys
2006-11-26 15:21 4048 --a------ C:\DOCUME~1\DAVIDJ~1\mqdmcr.sys
2006-11-26 15:21 25600 --a------ C:\DOCUME~1\DAVIDJ~1\usbsermptxp.sys
2006-11-26 15:21 22768 --a------ C:\DOCUME~1\DAVIDJ~1\usbsermpt.sys


((((((((((((((((((((((((((((( snapshot_2007-09-01_120712.64 )))))))))))))))))))))))))))))))))))))))))

----a-w 9,118 2007-09-04 20:38:58 C:\WINDOWS\hh.dat
----a-w 141,424 2006-08-24 12:28:54 C:\WINDOWS\Downloaded Program Files\asinst.dll
----a-r 26,694 2007-09-02 16:14:22 C:\WINDOWS\Installer\{9578C0CD-8108-4379-9026-4601F59859A0}\ARPPRODUCTICON.exe
----a-r 26,694 2007-09-02 16:14:22 C:\WINDOWS\Installer\{9578C0CD-8108-4379-9026-4601F59859A0}\googleearth.exe1_29622F4A245C41268764897E21E888D1.exe
----a-r 26,694 2007-09-02 16:14:22 C:\WINDOWS\Installer\{9578C0CD-8108-4379-9026-4601F59859A0}\googleearth.exe_29622F4A245C41268764897E21E888D1.exe
----a-r 65,536 2007-09-02 16:14:22 C:\WINDOWS\Installer\{9578C0CD-8108-4379-9026-4601F59859A0}\NewShortcut1_29622F4A245C41268764897E21E888D1.exe
----a-r 65,536 2007-09-02 16:14:22 C:\WINDOWS\Installer\{9578C0CD-8108-4379-9026-4601F59859A0}\NewShortcut2_29622F4A245C41268764897E21E888D1.exe
----a-r 26,694 2007-09-02 16:14:22 C:\WINDOWS\Installer\{9578C0CD-8108-4379-9026-4601F59859A0}\UNINST_Uninstall_G_29622F4A245C41268764897E21E888D1.exe
----a-w 73,728 2006-08-02 16:39:06 C:\WINDOWS\system32\asuninst.exe
----a-w 135,168 2007-07-12 05:22:00 C:\WINDOWS\system32\java.exe
----a-w 135,168 2007-07-12 05:22:04 C:\WINDOWS\system32\javaw.exe
----a-w 139,264 2007-07-12 06:22:38 C:\WINDOWS\system32\javaws.exe
----a-w 11,776 2003-03-25 22:53:50 C:\WINDOWS\system32\ZPORT4AS.dll
----a-w 110,592 2007-03-29 13:20:50 C:\WINDOWS\system32\ActiveScan\as.dll
----a-w 233,472 2006-10-05 20:15:26 C:\WINDOWS\system32\ActiveScan\ascontrol.dll
----a-w 96,256 2005-06-03 18:03:18 C:\WINDOWS\system32\ActiveScan\asmdat.dll
----a-w 36,864 2003-08-01 15:00:16 C:\WINDOWS\system32\ActiveScan\certdll.dll
----a-w 86,016 2005-05-20 17:42:44 C:\WINDOWS\system32\ActiveScan\instlsp.dll
----a-w 4,608 2006-02-16 22:20:20 C:\WINDOWS\system32\ActiveScan\memvfile.dll
----a-w 348,160 2005-10-25 22:08:32 C:\WINDOWS\system32\ActiveScan\msvcr71.dll
----a-w 139,264 2004-05-04 19:01:02 C:\WINDOWS\system32\ActiveScan\pavaleas.dll
----a-w 45,056 2006-07-14 17:04:10 C:\WINDOWS\system32\ActiveScan\pavdr.exe
----a-w 159,832 2006-04-10 14:50:02 C:\WINDOWS\system32\ActiveScan\pavexcom.dll
----a-w 94,208 2006-02-14 17:05:38 C:\WINDOWS\system32\ActiveScan\pavinas.dll
----a-w 180,224 2006-02-16 22:35:38 C:\WINDOWS\system32\ActiveScan\pavoe.dll
----a-w 122,880 2006-10-05 20:15:38 C:\WINDOWS\system32\ActiveScan\pavpz.dll
----a-w 8,704 2006-06-30 18:13:38 C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
----a-w 49,152 2004-02-04 18:08:42 C:\WINDOWS\system32\ActiveScan\port32.dll
----a-w 69,632 2006-08-01 17:23:10 C:\WINDOWS\system32\ActiveScan\pscpu.dll
----a-w 1,388,544 2006-08-23 17:06:08 C:\WINDOWS\system32\ActiveScan\pskahk.dll
----a-w 10,752 2006-08-17 15:38:14 C:\WINDOWS\system32\ActiveScan\pskalloc.dll
----a-w 61,440 2006-09-04 15:49:54 C:\WINDOWS\system32\ActiveScan\pskas.dll
----a-w 779,264 2006-08-18 12:46:18 C:\WINDOWS\system32\ActiveScan\pskavs.dll
----a-w 417,792 2007-03-26 18:25:34 C:\WINDOWS\system32\ActiveScan\pskcmp.dll
----a-w 90,112 2006-08-09 14:42:24 C:\WINDOWS\system32\ActiveScan\pskfss.dll
----a-w 208,896 2006-07-19 14:55:58 C:\WINDOWS\system32\ActiveScan\pskhtml.dll
----a-w 9,728 2006-01-20 20:57:00 C:\WINDOWS\system32\ActiveScan\pskmas.dll
----a-w 14,336 2006-05-17 13:50:12 C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
----a-w 33,280 2006-08-16 14:58:12 C:\WINDOWS\system32\ActiveScan\pskpack.dll
----a-w 266,240 2006-06-30 18:42:36 C:\WINDOWS\system32\ActiveScan\pskscs.dll
----a-w 62,976 2006-08-17 18:33:14 C:\WINDOWS\system32\ActiveScan\pskutil.dll
----a-w 13,312 2006-08-08 17:13:10 C:\WINDOWS\system32\ActiveScan\pskvfile.dll
----a-w 69,632 2006-08-18 12:53:08 C:\WINDOWS\system32\ActiveScan\pskvfs.dll
----a-w 167,936 2006-08-18 12:49:50 C:\WINDOWS\system32\ActiveScan\pskvm.dll
----a-w 353,840 2007-04-18 21:16:04 C:\WINDOWS\system32\ActiveScan\psscan.dll
----a-w 35,328 2007-01-22 18:42:48 C:\WINDOWS\system32\ActiveScan\rawvfile.dll
----a-w 9,488 1997-09-18 10:12:32 C:\WINDOWS\system32\ActiveScan\sporder.dll
----a-w 69,632 2006-02-28 21:23:40 C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
----atw 16,384 2007-09-09 14:55:09 C:\WINDOWS\Temp\Perflib_Perfdata_270.dat
----atw 16,384 2007-09-09 14:59:58 C:\WINDOWS\Temp\Perflib_Perfdata_a48.dat
---------
----a-w 9,118 2007-08-26 00:40:58 C:\WINDOWS\hh.dat
----a-w 49,248 2006-10-12 06:35:14 C:\WINDOWS\system32\java.exe
----a-w 53,346 2006-10-12 06:35:24 C:\WINDOWS\system32\javaw.exe
----a-w 127,078 2006-10-12 08:10:56 C:\WINDOWS\system32\javaws.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-04-12 11:30]
"Norton Save and Restore"="D:\Program Files\Norton Save and Restore\Agent\NSRTray.exe" [2006-04-11 20:36]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 02:50]
"Cmaudio"="cmicnfg.cpl" []
"NapsterShell"="D:\Program Files\Napster\napster.exe" [2007-01-12 20:36]
"AudioHQ"="D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [2000-05-11 02:00]
"Ad-Aware"="D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" []
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 02:55]
"PhoneTray"="D:\Program Files\TraySoft\PhoneTray\PhoneTray.exe" []
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" []
"teqwpkb.dll"="C:\Documents and Settings\djockers\Local Settings\Application Data\teqwpkb.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOMAD Detector"="E:\Program Files\Creative\PlayCenter2\CTNMRun.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"ATI Launchpad"="D:\Program Files\ATI Multimedia\main\LaunchPd.exe" [2001-10-02 15:23]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Acrobat Assistant.lnk - D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56]
Microsoft Office OneNote 2003 Quick Launch.lnk - D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-03-17 14:06:14]

C:\DOCUME~1\DAVIDJ~1\STARTM~1\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - D:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-08-29 22:00:23]
UMScheduler 2.0.lnk - C:\Nokia\Update_Manager\bin\UMScheduler.exe [2006-12-26 19:13:03]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

R1 prcmondrv;prcmondrv;\??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys
R1 V2IMount;V2IMount;C:\WINDOWS\system32\drivers\V2IMount.sys
R2 BCMNTIO;BCMNTIO;\??\D:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\system32\DRIVERS\CINEMSUP.SYS
R2 MAPMEM;MAPMEM;\??\D:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys
R2 Norton Save and Restore;Norton Save and Restore;D:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
R3 ATITUNEP;ATI WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\atintuxx.sys
R3 ativraxx;ATI WDM Rage Theater Audio;C:\WINDOWS\system32\DRIVERS\atinraxx.sys
R3 ATIXSAudio;ATI WDM TV Audio Crossbar;C:\WINDOWS\system32\DRIVERS\atinxsxx.sys
R3 epcfw2k;SCM Parallel Port CF Driver;C:\WINDOWS\system32\DRIVERS\epcfw2k.sys
R3 NPDriver;Norton UnErase Protection Driver;\??\C:\WINDOWS\System32\Drivers\NPDRIVER.SYS
R3 PCDCODEC;ATI WDM Specialized PCD Codec;C:\WINDOWS\system32\DRIVERS\atinpdxx.sys
R3 XUIF;X10 USB Wireless Transceiver;C:\WINDOWS\system32\Drivers\x10ufx2.sys
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys
S3 SDdriver;SDdriver;\??\C:\WINDOWS\System32\Drivers\sddriver.sys
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ssm_bus.sys
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys
S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\LaunchU3.exe -a

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
"2007-09-08 02:18:39 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - djockers.job"

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-09 15:54:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???l???????????? C?????Disc Detector?B???A???????A?0 ????B???@?$?@?? C?????U?@?????????@?B???A???????A?? ????B???@?????P???$?@?@ ????????A~??????????@???????????????????B?????? ????????????????????????????B

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-09 15:55:36
C:\ComboFix-quarantined-files.txt ... 2007-09-09 15:55
C:\ComboFix2.txt ... 2007-09-09 15:47
C:\ComboFix3.txt ... 2007-09-07 16:19

--- E O F ---


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SmitFraudFix v2.221

Scan done at 16:01:24.16, Sun 09/09/2007
Run from C:\Documents and Settings\djockers\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Messenger\msmsgs.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\djockers


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\djockers\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DAVIDJ~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3F9B6E5C-16EB-4781-BA1E-05CE5BB7B346}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3F9B6E5C-16EB-4781-BA1E-05CE5BB7B346}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3F9B6E5C-16EB-4781-BA1E-05CE5BB7B346}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:55 PM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton Save and Restore\Agent\NSRTray.exe
D:\Program Files\Napster\napster.exe
D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Hijack This\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Save and Restore] "D:\Program Files\Norton Save and Restore\Agent\NSRTray.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NapsterShell] D:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Ad-Aware] "D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" +c
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [PhoneTray] D:\Program Files\TraySoft\PhoneTray\PhoneTray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [teqwpkb.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\djockers\Local Settings\Application Data\teqwpkb.dll",gilanjf
O4 - HKCU\..\Run: [NOMAD Detector] "E:\Program Files\Creative\PlayCenter2\CTNMRun.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "D:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = D:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: UMScheduler 2.0.lnk = C:\Nokia\Update_Manager\bin\UMScheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - D:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - D:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150769594675
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150770728812
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - D:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Save and Restore - Symantec Corporation - D:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10352 bytes

Edited by djockers, 08 September 2007 - 03:52 PM.


#14 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 08 September 2007 - 05:47 PM

Hi,

OK. Let's try this:

Please uninstall Adaware. I had asked you to do that in Post #11, but I am still seeing it running in your log:

O4 - HKLM\..\Run: [Ad-Aware] "D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" +c

Please go to Start>Control Panel>Add or Remove Programs and remove Ad-Aware SE Professional.

=======================

Now, run HijackThis. Close all windows and browsers except HijackThis.
Go to Config > Misc tools
Click on Delete a File On Reboot
Click once on the file below to select it:
C:\Documents and Settings\djockers\Local Settings\Application Data\teqwpkb.dll
Click on the Back button to exit Process Manager

Now, back at the main screen of HijackThis, click on Scan and put a check in front of the following

O4 - HKLM\..\Run: [teqwpkb.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\djockers\Local Settings\Application Data\teqwpkb.dll",gilanjf

Close all other windows/browsers/applications, except HijackThis and click on Fix checked.

======================

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and pressing "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt



======================================


Next, go to Control Panel, click Display > Desktop > Customize Desktop > Web. Now uncheck everything and delete the following if present:
  • "Security Info"
  • "Warning Message"
  • "Security Desktop"
  • "Warning Homepage"
  • "Desktop Uninstall"


Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

=======================

Please open HijackThis.
Click on Open Misc Tools Section
Make sure that both boxes beside "Generate StartupList Log" are checked:
  • List all minor sections(Full)
  • List Empty Sections(Complete)
Click Generate StartupList Log.
Click Yes at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.

=======================

Restart the computer.

=======================

P.S. I had asked you to update your Java and remove the older versions in Post #7. Old versions are still present. Did you miss that post?

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

=======================

Scan with HijackThis again and post a fresh HijackThis log along with the Startup list please.

Edited by amateur, 08 September 2007 - 05:59 PM.
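Added example, not from this thread, HijackThis or any of the tools used in it: a small Python triage pass over HijackThis O4 lines that encodes the two checks the thread makes by hand, an autostart that uses rundll32 to load a DLL from a user-writable profile folder (the teqwpkb.dll entry above) and Run values whose target file no longer exists (the leftover Ad-Aware and jusched entries the user reports in the next post). The sample O4 lines are copied from the log in this thread; the file inventory is a constructed stand-in for a real disk check, and the profile-folder markers are a heuristic chosen for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# HijackThis O4 lines copied from the log posted earlier in this thread.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd',
    r'O4 - HKLM\..\Run: [Ad-Aware] "D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" +c',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [teqwpkb.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\djockers\Local Settings\Application Data\teqwpkb.dll",gilanjf',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - Startup: UMScheduler 2.0.lnk = C:\Nokia\Update_Manager\bin\UMScheduler.exe',
]

# Constructed stand-in for a directory listing; on a live machine this would come from
# os.path.exists(). It mirrors what the thread reports: the Ad-Aware and old Java
# updater targets are gone, while the teqwpkb.dll file is still on disk.
SAMPLE_EXISTING_FILES = {
    r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
    r"C:\WINDOWS\system32\rundll32.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Documents and Settings\djockers\Local Settings\Application Data\teqwpkb.dll",
}

# Registry-based O4 lines: "O4 - <hive>: [<value name>] <command line>".
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.+)$")

# Profile folders a limited user can write to and that installers rarely use for an
# autostart DLL (heuristic markers chosen for this example, matched case-insensitively).
USER_WRITABLE_MARKERS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\temp\\",
)


@dataclass
class O4Entry:
    hive: str
    name: str
    exe: str
    args: str
    reasons: List[str] = field(default_factory=list)


def _split_first_token(command: str) -> Tuple[str, str]:
    """Return (first token, remainder); the first token may be double-quoted."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            return command[1:], ""
        return command[1:end], command[end + 1:].strip()
    parts = command.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def rundll32_target(args: str) -> Tuple[str, str]:
    """For a rundll32 argument string, return (DLL path, export name)."""
    dll, rest = _split_first_token(args)
    export = ""
    if "," in dll:                      # unquoted form: path.dll,Export
        dll, export = dll.split(",", 1)
    elif rest.startswith(","):          # quoted form: "path.dll",Export
        tail = rest[1:].split()
        export = tail[0] if tail else ""
    return dll, export


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse a registry O4 line; startup-folder lines ("name.lnk = path") are skipped."""
    m = O4_RUN_RE.match(line.strip())
    if not m:
        return None
    exe, args = _split_first_token(m.group("command"))
    return O4Entry(m.group("hive"), m.group("name"), exe, args)


def triage(entry: O4Entry, existing_files: set) -> O4Entry:
    """Attach a reason string for each suspicious property of the entry."""
    existing = {p.lower() for p in existing_files}
    target = entry.exe
    if entry.exe.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32"):
        dll, export = rundll32_target(entry.args)
        target = dll                    # the DLL, not rundll32 itself, is what runs
        if any(marker in dll.lower() for marker in USER_WRITABLE_MARKERS):
            entry.reasons.append(
                f"rundll32 loads a DLL from a user-writable profile path (export {export or '?'})")
    # Only absolute paths can be checked against the inventory; bare names like
    # cmicnfg.cpl are resolved through the search path and are left alone here.
    if re.match(r"^[a-zA-Z]:\\", target) and target.lower() not in existing:
        entry.reasons.append("target file not present on disk (orphaned autostart entry)")
    return entry


def triage_log(lines, existing_files: set) -> List[O4Entry]:
    """Return only the O4 entries that collected at least one reason."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is not None and triage(entry, existing_files).reasons:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_O4_LINES, SAMPLE_EXISTING_FILES):
        print(f"[{f.name}] {f.hive}: " + "; ".join(f.reasons))
```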


#15 djockers

djockers
  • Topic Starter

  • Members
  • 14 posts

Posted 09 September 2007 - 11:02 AM

Thanks for your patience, Amateur -- I'll start off by saying that I think we may have another success story here... but first:

Regarding the AdAware removal and earlier versions of Java removal that you brought up -- I did indeed remove both programs through my Control Panel. In both cases, the files listed in the HJT registry log file did not exist. I completely uninstalled AdAware; the only thing that was left behind was an empty folder. I deleted it to be safe. Perhaps this AdAware line was a remnant that was left behind in my registry? Regardless, it was not in the directory, so I had HJT remove it from my registry while I was in Safe Mode.

Also, same thing with the Java file. I did completely remove earlier versions of Java. My D drive shows one version, which is Java 6.0. My C drive doesn't even show the directory you posted. Perhaps another remnant left behind in the registry? Regardless, it was not in the directory, so I had HJT remove it from my registry while I was in Safe Mode too.

Now on to the things you had me do...

I made the HJT moves that you asked me to -- to remove on startup and to also do that stuff in safe mode. And as I noted above, I also removed those remnants while in safe mode -- below are all the log files. You'll note that the problem file is no longer there in my registry -- nor did I get the error message when the computer started up. Give a look through the log files to make sure, but I'm feeling optimistic here...

Here is the SmitFraud report; it didn't find anything:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SmitFraudFix v2.221

Scan done at 11:14:30.21, Mon 09/10/2007
Run from C:\Documents and Settings\djockers\Desktop\Spyware fix stuff\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3F9B6E5C-16EB-4781-BA1E-05CE5BB7B346}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3F9B6E5C-16EB-4781-BA1E-05CE5BB7B346}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3F9B6E5C-16EB-4781-BA1E-05CE5BB7B346}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now here is the HJT StartupList report:

StartupList report, 9/10/2007, 11:44:21 AM
StartupList version: 1.52.2
Started from : D:\Program Files\Hijack This\HiJackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton Save and Restore\Agent\NSRTray.exe
C:\WINDOWS\system32\devldr32.exe
D:\Program Files\Napster\napster.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
D:\Program Files\Hijack This\HiJackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\djockers\Start Menu\Programs\Startup]
Picture Motion Browser Media Check Tool.lnk = D:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
UMScheduler 2.0.lnk = C:\Nokia\Update_Manager\bin\UMScheduler.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Norton Save and Restore = "D:\Program Files\Norton Save and Restore\Agent\NSRTray.exe"
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
NapsterShell = D:\Program Files\Napster\napster.exe /systray
AudioHQ = D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe
PhoneTray = D:\Program Files\TraySoft\PhoneTray\PhoneTray.exe
ATICCC = "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

NOMAD Detector = "E:\Program Files\Creative\PlayCenter2\CTNMRun.exe"
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
ATI Launchpad = "D:\Program Files\ATI Multimedia\main\LaunchPd.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[optionalcomponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
Norton Internet Security 2006 - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll - {9ECB9560-04F9-4bbc-943D-298DDF1699E1}
NAV Helper - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD}
(no name) - c:\program files\google\googletoolbar3.dll (file missing) - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Run Full System Scan - djockers.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/...b?1150769594675

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdat...b?1150770728812

[Java Plug-in 1.6.0_02]
InProcServer32 = D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[Java Plug-in 1.6.0_02]
InProcServer32 = D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[Java Plug-in 1.6.0_02]
InProcServer32 = D:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

61883 Unit Device: system32\DRIVERS\61883.sys (manual start)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: system32\DRIVERS\arp1394.sys (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
ati2mtag: system32\DRIVERS\ati2mtag.sys (manual start)
ATI WDM Rage Theater Video: system32\DRIVERS\atinrvxx.sys (manual start)
ATI WDM TV Tuner: system32\DRIVERS\atintuxx.sys (manual start)
ATI WDM Rage Theater Audio: system32\DRIVERS\atinraxx.sys (manual start)
ATI WDM TV Audio Crossbar: system32\DRIVERS\atinxsxx.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Automatic LiveUpdate Scheduler: "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" (autostart)
AVC Device: system32\DRIVERS\avc.sys (manual start)
AVC Streaming Filter Driver: system32\DRIVERS\avcstrm.sys (manual start)
BCMNTIO: \??\D:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
catchme: \??\C:\DOCUME~1\DAVIDJ~1\LOCALS~1\Temp\catchme.sys (manual start)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Internet Security Password Validation: "D:\Program Files\Norton Internet Security\ccPwdSvc.exe" (manual start)
Symantec Network Proxy: "C:\Program Files\Common Files\Symantec Shared\ccProxy.exe" (autostart)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Software Cinemaster NT4.0 Driver: \SystemRoot\SYSTEM32\DRIVERS\CINEMSUP.SYS (autostart)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
C-Media WDM Audio Interface: system32\drivers\cmuda.sys (manual start)
COM Host: "D:\Program Files\Norton Internet Security\comHost.exe" (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Creative Service for CDROM Access: C:\WINDOWS\system32\CTsvcCDA.EXE (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Creative SBLive! Gameport: System32\DRIVERS\ctljystk.sys (manual start)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Symantec Eraser Control driver: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (system)
Creative SB Live! (WDM): system32\drivers\emu10k1m.sys (manual start)
Creative Interface Manager Driver (WDM): system32\drivers\ctlfacem.sys (manual start)
SCM Parallel Port CF Driver: system32\DRIVERS\epcfw2k.sys (manual start)
EraserUtilRebootDrv: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Windows Presentation Foundation Font Cache 3.0.0.0: C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Google Updater Service: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe" (manual start)
Windows CardSpace: "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
LiveUpdate: "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" (manual start)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
MAPMEM: \??\D:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Microsoft DV Camera and VCR: System32\DRIVERS\msdv.sys (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft AV/C Tape Subunit Device: system32\DRIVERS\mstape.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
ATI WDM Specialized MVD Codec: system32\DRIVERS\atinmdxx.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Norton AntiVirus Auto-Protect Service: "D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070606.018\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070606.018\NavEx15.Sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Net.Tcp Port Sharing Service: "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" (disabled)
1394 Net Driver: system32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Monitor Driver: system32\DRIVERS\NMnt.sys (manual start)
Norton Save and Restore: D:\Program Files\Norton Save and Restore\Agent\VProSvc.exe (autostart)
Norton UnErase Protection Driver: \??\C:\WINDOWS\System32\Drivers\NPDRIVER.SYS (manual start)
Norton UnErase Protection: D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE (autostart)
Norton Protection Center Service: "C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE" (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
VIA OHCI Compliant IEEE 1394 Host Controller: system32\DRIVERS\ohci1394.sys (system)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
ATI WDM Specialized PCD Codec: system32\DRIVERS\atinpdxx.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
PfModNT: \??\C:\WINDOWS\system32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
prcmondrv: \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (system)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Cyberlink RichVideo Service(CRVS): "C:\Program Files\Cyberlink\Shared Files\RichVideo.exe" (autostart)
Remote Packet Capture Protocol v.0 (experimental): "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
TRENDnet TE100 PCBUSR PC Card: system32\DRIVERS\TE100XP.SYS (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRT.SYS (system)
SAVRTPEL: \??\D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRTPEL.SYS (system)
Symantec AVScan: "D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe" (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SDdriver: \??\C:\WINDOWS\System32\Drivers\sddriver.sys (manual start)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Creative SoundFont Manager Driver (WDM): system32\drivers\sfmanm.sys (manual start)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (autostart)
SPBBCDrv: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (system)
Symantec SPBBCSvc: "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (autostart)
Speed Disk service: D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
SAMSUNG Mobile USB Device II 1.0 driver (WDM): system32\DRIVERS\ssm_bus.sys (manual start)
SAMSUNG Mobile USB Modem II 1.0 Filter: system32\DRIVERS\ssm_mdfl.sys (manual start)
SAMSUNG Mobile USB Modem II 1.0 Drivers: system32\DRIVERS\ssm_mdm.sys (manual start)
Still Serial Digital Camera Driver: system32\DRIVERS\serscan.sys (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{AC0BB007-870D-4E3A-A8ED-E6F25E4CB806} (manual start)
Symantec Core LC: "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" (autostart)
SYMDNS: \SystemRoot\System32\Drivers\SYMDNS.SYS (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMFW: \SystemRoot\System32\Drivers\SYMFW.SYS (manual start)
SYMIDS: \SystemRoot\System32\Drivers\SYMIDS.SYS (manual start)
SYMIDSCO: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20061211.001\symidsco.sys (manual start)
symlcbrd: \??\C:\WINDOWS\System32\drivers\symlcbrd.sys (autostart)
SYMNDIS: \SystemRoot\System32\Drivers\SYMNDIS.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
Motorola A1000 USB Modem Driver: system32\DRIVERS\usbser.sys (manual start)
Motorola USB Modem Driver for MPT: system32\DRIVERS\usbsermpt.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
Vinyl AC'97 Audio Controller (WDM): system32\drivers\vinyl97.sys (manual start)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
VIA USB Host Controller Lower Filter: \SystemRoot\System32\Drivers\vulfnth.sys (manual start)
VIA USB Roothub Lower Filter: \SystemRoot\System32\Drivers\vulfntr.sys (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Media Connect Service: C:\Program Files\Windows Media Connect 2\wmccds.exe (manual start)
WMDM PMSP Service: C:\WINDOWS\system32\MsPMSPSv.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
X10 USB Wireless Transceiver: System32\Drivers\x10ufx2.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 41,482 bytes
Report generated in 0.431 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

And finally, here is a new HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:58 AM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton Save and Restore\Agent\NSRTray.exe
C:\WINDOWS\system32\devldr32.exe
D:\Program Files\Napster\napster.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Hijack This\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Save and Restore] "D:\Program Files\Norton Save and Restore\Agent\NSRTray.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NapsterShell] D:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [PhoneTray] D:\Program Files\TraySoft\PhoneTray\PhoneTray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [NOMAD Detector] "E:\Program Files\Creative\PlayCenter2\CTNMRun.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "D:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = D:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: UMScheduler 2.0.lnk = C:\Nokia\Update_Manager\bin\UMScheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - D:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - D:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150769594675
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150770728812
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - D:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Save and Restore - Symantec Corporation - D:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10036 bytes


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Let me know, thanks!

Edited by djockers, 09 September 2007 - 11:03 AM.
