
Recurring Popup-zedo/redorbit Video


  • This topic is locked
10 replies to this topic

#1 stanpatpick

stanpatpick

  • Members
  • 53 posts
  • OFFLINE
  • Gender:Male
  • Location:SouthEast US
  • Local time:05:27 PM

Posted 08 September 2007 - 06:01 PM

I went through all the prep steps in order except for updating via Windows Update - I had already updated before I found this help forum.
Any help appreciated.

Hopefully nearing the end of this.

Here goes.

I have a popup window which does not have an address bar even though it is nearly full page size. At the top it says ZEDO and inside is RedOrbit Video which appears to be showing a video which may be different each time the popup occurs. Sometimes the frame for the popup will appear with nothing inside except a white background and a long underline where the Zedo would otherwise appear. It may be infrequently appearing with another title, possibly drivecleaner, but I haven't seen that one in a while and the frequency seems to be reduced since going through all of the prep steps.


***************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:06 AM, on 9/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\WINDOWS\plite731.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
C:\Program Files\AOL Companion\companion.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F3 - REG:win.ini: load=C:\WINDOWS\taskmgr.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\SYSTEM32\XKRGUXDL.DLL (file missing)
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [horyjybu] C:\Program Files\EMusic\horyjybu22011.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\lndsrngj.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mljjhij - mljjhij.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\tcorkisd.exe (file missing)
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\AWS\profsyby.html

--
End of file - 11254 bytes
#########################################

jazzisjazz
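A small triage pass over HijackThis entries, added here as an example and not code from the thread or from Trend Micro: it parses the "O2 - ... - path" line format shown in the log above and flags entries that reference a missing file, a service with an unknown owner, or a vowel-poor filename, which is roughly what a helper scans for first. The sample lines are copied from the log posted above; a flag is a prompt for a closer look, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: a handful of lines copied from the HijackThis log
# posted above, so the parser can run offline.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\SYSTEM32\XKRGUXDL.DLL (file missing)
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\lndsrngj.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mljjhij - mljjhij.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\tcorkisd.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\AWS\profsyby.html
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# The last file name with a common extension on the line is what actually gets loaded
# (for an O4 Startup line that is the .exe the .lnk points at, not the .lnk itself).
FILE_RE = re.compile(r"[\w~!$\-]+\.(?:exe|dll|ocx|sys|scr|html?|bat|lnk)\b", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    body: str
    filename: Optional[str]
    flags: list = field(default_factory=list)


def looks_random(filename: str) -> bool:
    """Coarse heuristic: a stem of 6+ characters with under 20% vowels reads like a
    generated name (lndsrngj, mljjhij). It also catches a few legitimate names such
    as svchost, so treat it as a prompt for a second look, never as a verdict."""
    stem = filename.rsplit(".", 1)[0].lower()
    if len(stem) < 6:
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) < 0.2


def parse(log_text: str) -> list:
    """Turn the entry lines of a HijackThis log into Entry objects."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, running-process list and blank lines are skipped
        body = m.group("body")
        files = FILE_RE.findall(body)
        entries.append(Entry(m.group("section"), body, files[-1] if files else None))
    return entries


def triage(log_text: str) -> list:
    """Return only the entries that carry at least one flag, in log order."""
    flagged = []
    for e in parse(log_text):
        if "(file missing)" in e.body or "(no file)" in e.body:
            e.flags.append("file missing")      # orphaned loading point
        if "Unknown owner" in e.body:
            e.flags.append("unknown owner")     # service binary with no vendor string
        if e.filename and looks_random(e.filename):
            e.flags.append("random-looking name")
        if e.flags:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<4} {', '.join(e.flags):<32} {e.body}")
```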


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:27 PM

Posted 11 September 2007 - 02:44 PM

Hello stanpatpick,

I am SifuMike and I will be helping you. :thumbsup: Sorry for the delay. We are swamped with logs.

NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Edited by SifuMike, 11 September 2007 - 02:47 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 stanpatpick

stanpatpick
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  • Gender:Male
  • Location:SouthEast US
  • Local time:05:27 PM

Posted 11 September 2007 - 06:34 PM

Thanks in advance for the help!

The ComboFix and HijackThis logs are below.


ComboFix 07-09-10.6 - "Owner" 2007-09-11 17:06:58.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.130 [GMT -5:00]
.

((((((((((((((((((((((((( Files Created from 2007-08-11 to 2007-09-11 )))))))))))))))))))))))))))))))
.

2007-09-11 17:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-10 12:46 <DIR> d-------- C:\!KillBox
2007-09-10 11:53 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-10 11:50 <DIR> d-------- C:\WINDOWS\pss
2007-09-08 09:29 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-09-08 09:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-09-08 09:28 75,932 --a------ C:\WINDOWS\SYSTEM32\drivers\klick.dat
2007-09-08 09:28 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-09-08 09:28 74,396 --a------ C:\WINDOWS\SYSTEM32\drivers\klin.dat
2007-09-08 09:28 165,920 --ahs---- C:\WINDOWS\SYSTEM32\drivers\fidbox.dat
2007-09-08 09:27 110,360 --a------ C:\WINDOWS\SYSTEM32\drivers\kl1.sys
2007-09-08 09:27 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-09-08 09:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-09-08 09:24 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-09-08 01:32 94,480 --a------ C:\WINDOWS\SYSTEM32\drivers\tmcomm.sys
2007-09-08 01:23 <DIR> d-------- C:\WINDOWS\SYSTEM32\HouseCall 6.6
2007-09-08 01:23 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\HouseCall 6.6
2007-09-07 21:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-07 08:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-07 08:57 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-09-07 08:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-05 10:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-09-05 08:31 10,872 --a------ C:\WINDOWS\SYSTEM32\drivers\AvgAsCln.sys
2007-09-05 03:47 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-09-05 03:44 <DIR> d-------- C:\Program Files\MSBuild
2007-09-05 03:36 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2007-09-05 03:34 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-09-05 03:32 14,048 --------- C:\WINDOWS\SYSTEM32\spmsg2.dll
2007-09-05 03:31 <DIR> d-------- C:\b91585f5ea663f3b0002
2007-09-05 03:26 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-09-05 03:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2007-09-05 03:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\drivers\UMDF
2007-09-05 02:43 36,352 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2007-09-05 02:43 288,768 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2007-09-05 02:43 116,736 --------- C:\WINDOWS\SYSTEM32\aaclient.dll
2007-09-04 19:51 33,792 --a------ C:\WINDOWS\SYSTEM32\dllcache\custsat.dll
2007-09-04 19:39 23,040 --------- C:\WINDOWS\SYSTEM32\dllcache\fltmc.exe
2007-09-04 19:39 16,896 --------- C:\WINDOWS\SYSTEM32\dllcache\fltlib.dll
2007-09-04 19:39 128,896 --------- C:\WINDOWS\SYSTEM32\dllcache\fltmgr.sys
2007-09-04 17:36 <DIR> d-------- C:\WINDOWS\peernet
2007-09-04 17:35 <DIR> d-------- C:\WINDOWS\provisioning
2007-09-04 17:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-09-04 17:22 23,856 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-09-04 17:16 <DIR> d-------- C:\WINDOWS\EHome
2007-09-04 17:07 68,096 --a------ C:\WINDOWS\SYSTEM32\l3acdb2.dll
2007-09-04 16:55 4,569 --------- C:\WINDOWS\SYSTEM32\secupd.dat
2007-09-04 16:55 11,776 --------- C:\WINDOWS\SYSTEM32\spnpinst.exe
2007-09-04 16:01 77,312 --a------ C:\WINDOWS\SYSTEM32\browser.dll
2007-09-04 16:01 614,912 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2007-09-04 16:01 40,960 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-09-04 16:01 40,960 --------- C:\WINDOWS\SYSTEM32\dllcache\evtgprov.dll
2007-09-04 16:01 331,264 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll
2007-09-04 15:46 239,104 --a------ C:\WINDOWS\SYSTEM32\srrstr.dll
2007-09-04 15:41 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-04 00:02 3,840 --a------ C:\WINDOWS\SYSTEM32\drivers\BANTExt.sys
2007-09-04 00:02 <DIR> d-------- C:\Program Files\Belarc
2007-09-03 22:42 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-09-03 22:42 94,416 --a------ C:\WINDOWS\SYSTEM32\drivers\aswmon2.sys
2007-09-03 22:42 92,848 --a------ C:\WINDOWS\SYSTEM32\drivers\aswmon.sys
2007-09-03 22:42 801,144 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-09-03 22:42 42,912 --a------ C:\WINDOWS\SYSTEM32\drivers\aswTdi.sys
2007-09-03 22:42 26,624 --a------ C:\WINDOWS\SYSTEM32\drivers\aavmker4.sys
2007-09-03 22:42 23,152 --a------ C:\WINDOWS\SYSTEM32\drivers\aswRdr.sys
2007-09-03 22:42 <DIR> d-------- C:\Program Files\Alwil Software
2007-09-03 22:09 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-03 22:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-03 22:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-03 20:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-03 20:51 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Talkback
2007-09-03 20:18 474,112 --a------ C:\WINDOWS\svchost_tmp.exe
2007-09-03 01:11 109,568 --a------ C:\WINDOWS\SYSTEM32\rt27.exe
2007-09-02 11:32 15,160 --a------ C:\WINDOWS\SYSTEM32\rt26.exe
2007-09-02 11:32 15,160 --a------ C:\WINDOWS\SYSTEM32\rt25.exe
2007-08-20 14:34 <DIR> d-------- C:\Program Files\Common Files\ErrorSafe Free
2007-08-20 14:34 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Error Safe Free
2007-08-19 06:38 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2007-08-19 06:32 1,994,256 ---hs---- C:\WINDOWS\SYSTEM32\yccdd.bak2
2007-08-16 17:41 1,603,301 --ahs---- C:\WINDOWS\SYSTEM32\yccdd.bak1
2007-08-16 15:03 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-08-16 15:03 13,824 --a------ C:\WINDOWS\plite731.exe
2007-08-16 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\syschks22
2007-08-16 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\SS1
2007-08-16 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\ICM2
2007-08-16 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\chkfig5
2007-08-16 15:03 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-10 12:01 --------- d-------- C:\Program Files\AWS
2007-09-08 10:12 2204 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-08 05:04 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\blstoolbar
2007-09-08 03:06 --------- d-------- C:\Program Files\CompuServe 2000
2007-09-05 11:36 --------- d-------- C:\Program Files\QuickTime
2007-09-05 11:16 --------- d-------- C:\Program Files\blstoolbar
2007-09-05 11:15 --------- d-------- C:\Program Files\AOL Companion
2007-09-05 11:15 --------- d-------- C:\Program Files\America Online 9.0a
2007-09-03 23:15 --------- d-------- C:\Program Files\Sumo Dance
2007-08-08 20:15 --------- d-------- C:\Program Files\Imikimi
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-19 01:59 3583488 --------- C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-07-12 18:31 765952 --------- C:\WINDOWS\SYSTEM32\dllcache\vgx.dll
2007-07-11 14:37 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-27 09:34 823808 --------- C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2007-06-27 09:34 671232 --------- C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2007-06-27 09:34 6058496 --------- C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2007-06-27 09:34 52224 --------- C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2007-06-27 09:34 477696 --------- C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2007-06-27 09:34 459264 --------- C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2007-06-27 09:34 44544 --------- C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
2007-06-27 09:34 384512 --------- C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
2007-06-27 09:34 383488 --------- C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2007-06-27 09:34 27648 --------- C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2007-06-27 09:34 267776 --------- C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2007-06-27 09:34 232960 --------- C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
2007-06-27 09:34 230400 --------- C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
2007-06-27 09:34 193024 --------- C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2007-06-27 09:34 153088 --------- C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
2007-06-27 09:34 132608 --------- C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2007-06-27 09:34 124928 --------- C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
2007-06-27 09:34 1152000 --------- C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2007-06-27 09:34 105984 --------- C:\WINDOWS\SYSTEM32\dllcache\url.dll
2007-06-27 09:34 102400 --------- C:\WINDOWS\SYSTEM32\dllcache\occache.dll
2007-06-27 03:27 63488 --------- C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-06-27 03:27 625152 --------- C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-06-27 03:27 13824 --------- C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-06-27 02:00 161792 --a------ C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-26 01:08 1104896 --------- C:\WINDOWS\SYSTEM32\dllcache\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-06-19 08:31 282112 --------- C:\WINDOWS\SYSTEM32\dllcache\gdi32.dll
2007-06-15 03:12 474112 --------- C:\WINDOWS\SYSTEM32\dllcache\shlwapi.dll
2007-06-15 03:12 151040 --------- C:\WINDOWS\SYSTEM32\dllcache\cdfview.dll
2007-06-15 03:12 1498112 --------- C:\WINDOWS\SYSTEM32\dllcache\shdocvw.dll
2007-06-15 03:12 1054208 --------- C:\WINDOWS\SYSTEM32\dllcache\danim.dll
2007-06-15 03:12 1022976 --------- C:\WINDOWS\SYSTEM32\dllcache\browseui.dll
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 05:23 1033216 --------- C:\WINDOWS\SYSTEM32\dllcache\explorer.exe
.

((((((((((((((((((((((((((((( snapshot_2007-09-10_121303.75 )))))))))))))))))))))))))))))))))))))))))
.
----atw 16,384 2007-09-11 02:19:13 C:\WINDOWS\Temp\Perflib_Perfdata_19c.dat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 12:04]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 17:56]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 18:34]
"NvCplDaemon"="NvQTwk" []
"S3TRAY2"="S3tray2.exe" [2001-10-04 14:06 C:\WINDOWS\SYSTEM32\S3tray2.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 20:25]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 19:36]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 17:13]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-04 13:32]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2001-08-13 22:23]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-11-29 22:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-01-21 23:45]
"BellSouthAlertManager.exe"="C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" [2007-01-28 12:14]
"plite731"="C:\WINDOWS\plite731.exe" [2007-08-16 15:03]
"horyjybu"="C:\Program Files\EMusic\horyjybu22011.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"LTMSG"="LTMSG.exe" [2003-07-14 10:52 C:\WINDOWS\ltmsg.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" []
"MoneyAgent"="c:\Program Files\Microsoft Money\System\Money Express.exe" [2001-07-25 13:00]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0a\aoltray.exe [2004-01-22 00:02:20]
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe [2004-01-21 23:45:35]
Event Planner Reminders Tray Icon.lnk - C:\Sierra\Planner\PLNRnote.exe [2002-02-23 14:01:47]
Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\PMremind.exe [2005-03-05 11:06:01]
hp center UI.lnk - C:\Program Files\hp center\137903\Shadow\ShadowBar.exe [2001-11-06 21:46:15]
hp center.lnk - C:\Program Files\hp center\137903\Program\BackWeb-137903.exe [2001-11-06 21:46:17]
Palo Alto Software Update Manager 8.0.lnk - C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe [2005-02-09 16:50:36]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe
S3 7ByteIO;7ByteIO;\??\C:\Program Files\Hot CPU Tester Pro 4 LE\SysInfo.sys
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\system32\drivers\PCDRDRV.sys

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-11 17:13:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-11 17:19:10
C:\ComboFix-quarantined-files.txt ... 2007-09-11 17:19
C:\ComboFix2.txt ... 2007-09-10 12:15
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:01 PM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\WINDOWS\plite731.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [horyjybu] C:\Program Files\EMusic\horyjybu22011.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10036 bytes

#4 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:27 PM

Posted 11 September 2007 - 09:55 PM

Hi stanpatpick,


You have some suspicious files we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\svchost_tmp.exe


Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for next files:

C:\WINDOWS\SYSTEM32\rt27.exe
C:\WINDOWS\SYSTEM32\rt26.exe
C:\WINDOWS\SYSTEM32\rt25.exe



Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.


*******************************************


Download CCleaner and install it. (default location is best). Do not download the Beta version 2.0. Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O4 - HKLM\..\Run: [horyjybu] C:\Program Files\EMusic\horyjybu22011.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe






Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File::
C:\Program Files\EMusic\horyjybu22011.exe
C:\WINDOWS\SYSTEM32\yccdd.bak2
C:\WINDOWS\SYSTEM32\yccdd.bak1
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\plite731.exe

DirLook::
C:\WINDOWS\SYSTEM32\ICM2
C:\WINDOWS\SYSTEM32\syschks22
C:\WINDOWS\SYSTEM32\chkfig5
C:\WINDOWS\SYSTEM32\SS1

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"plite731"=-
"horyjybu"=-



Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[Screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
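
The VirusTotal step above produces one text report per submitted file, in the format the next reply in this thread pastes back. As an added example (not SifuMike's code and not a BleepingComputer tool), the Python helper below hashes a file before submission so it can be matched against the report's md5/sha1 lines, parses a VirusTotal e-mail report into per-engine verdicts, and tallies detections. It handles two quirks visible in the reports posted here: a detection name wrapped across two lines by the mailer, and a bracketed "[Prevx Database Unreachable]" entry that is an engine error rather than a verdict. The embedded reports are constructed, trimmed copies of the values posted later in this thread; the hashed sample file is constructed bytes written to a temporary file.

```python
"""Triage helper for the VirusTotal submission step.

Added example, not code from the forum post. The embedded reports are
constructed, trimmed copies of the values posted in this thread.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# "Engine version/YYYYMMDD found result" lines of a VirusTotal e-mail report.
SCAN_LINE = re.compile(r"^(?P<engine>\S+) (?P<version>\S+)/(?P<date>\d{8}) found (?P<result>.+)$")
FIELD_LINE = re.compile(r"^\* (?P<key>name|size|md5\.?|sha1): (?P<value>.+)$")
# Bracketed results that are engine errors, not verdicts.
ERROR_MARKERS = ("Database Unreachable",)


def hash_file(path, chunk=65536):
    """MD5/SHA-1 of a file, read in chunks so large files stay out of memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return {"name": Path(path).name, "size": os.path.getsize(path),
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_sample_bytes(data=b"hello world"):
    """Write constructed bytes to a temporary file, hash it, then delete it."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        name = tmp.name
    try:
        return hash_file(name)
    finally:
        os.unlink(name)


def parse_vt_report(text):
    """Parse one VirusTotal text report into file data plus per-engine results.

    A detection name wrapped by the mailer (a line that does not start with
    an engine name while the previous result has an unclosed '[') is joined
    back onto the previous engine's result.
    """
    info = {"name": None, "size": None, "md5": None, "sha1": None, "results": {}}
    section = last_engine = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[ ") and line.endswith(" ]"):   # "[ file data ]" etc.
            section, last_engine = line[2:-2].strip(), None
            continue
        if section == "file data":
            m = FIELD_LINE.match(line)
            if m:
                key = m.group("key").rstrip(".")              # "md5." -> "md5"
                info[key] = int(m.group("value")) if key == "size" else m.group("value")
        elif section == "scan result":
            m = SCAN_LINE.match(line)
            if m:
                last_engine = m.group("engine")
                info["results"][last_engine] = m.group("result")
            elif line and last_engine:
                prev = info["results"][last_engine]
                if prev.startswith("[") and not prev.endswith("]"):
                    info["results"][last_engine] = prev + line  # wrapped continuation
    return info


def detections(info):
    """Engines that flagged the file; engine errors are not verdicts."""
    return {e: r for e, r in info["results"].items()
            if r.startswith("[") and not any(mark in r for mark in ERROR_MARKERS)}


def summarize(info):
    usable = [r for r in info["results"].values()
              if not any(mark in r for mark in ERROR_MARKERS)]
    return {"name": info["name"], "md5": info["md5"],
            "detected": len(detections(info)), "engines": len(usable)}


def group_by_md5(reports):
    """Same MD5 means same bytes: rt25.exe and rt26.exe in the thread are one file."""
    groups = {}
    for r in reports:
        groups.setdefault(r["md5"], []).append(r["name"])
    return groups


# Constructed, trimmed copies of the reports posted in this thread.
SAMPLE_SVCHOST = """\
Complete scanning result of "svchost_tmp.exe", processed in VirusTotal at
09/12/2007 13:12:11 (CET).

[ file data ]
* name: svchost_tmp.exe
* size: 474112
* md5.: 6f8a4becc1fa4f8f7d914e627071819c
* sha1: 292dd6ed0afaf92092277a3f05dbd156da70c8ba

[ scan result ]
AhnLab-V3 2007.9.11.1/20070912 found nothing
AntiVir 7.6.0.5/20070912 found [HEUR/Crypted]
Authentium 4.93.8/20070912 found [Possibly a new variant of W32/Threat-
SysVenFak-based!Maximus]
Avast 4.7.1043.0/20070911 found nothing
Sophos 4.21.0/20070912 found [Mal/Behav-053]

[ notes ]
"""

SAMPLE_RT25 = """\
[ file data ]
* name: rt25.exe
* size: 15160
* md5.: 7d9523931ec387c22b749ea3dc44398e
* sha1: 73bf34eb1d31ded77d0ab0f38fe06681122ad1b8

[ scan result ]
AntiVir 7.6.0.5/20070912 found [TR/PCK.PolyCrypt.D.111]
Avast 4.7.1043.0/20070911 found nothing
Kaspersky 4.0.2.24/20070912 found [Packed.Win32.PolyCrypt.d]
Sophos 4.21.0/20070912 found [Mal/EncPk-AW]

[ notes ]
packers: RCrypt
"""

# rt26.exe: same hashes as rt25.exe, plus an engine-error line from the thread.
SAMPLE_RT26 = SAMPLE_RT25.replace("rt25.exe", "rt26.exe").replace(
    "Avast 4.7.1043.0/20070911 found nothing",
    "Avast 4.7.1043.0/20070911 found nothing\nPrevx1 V2/20070912 found [Prevx Database Unreachable]")


def main():
    reports = [parse_vt_report(t) for t in (SAMPLE_SVCHOST, SAMPLE_RT25, SAMPLE_RT26)]
    for r in reports:
        s = summarize(r)
        print(f"{s['name']}: {s['detected']}/{s['engines']} engines, md5 {s['md5']}")
    for md5, names in group_by_md5(reports).items():
        if len(names) > 1:
            print(f"identical file under different names: {names} ({md5})")
    print("constructed sample file:", hash_sample_bytes())


if __name__ == "__main__":
    main()
```

Hashing locally before upload is what makes the later comparison possible: the md5 line in each report can be matched against the file on disk, and two reports with the same md5 under different names (rt25.exe and rt26.exe) are one binary, so only one of them needs deeper attention.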

#5 stanpatpick
  • Topic Starter
  • Members
  • 53 posts
  • OFFLINE
  • Gender:Male
  • Location:SouthEast US
  • Local time:05:27 PM

Posted 12 September 2007 - 12:15 PM

Complete scanning result of "svchost_tmp.exe", processed in VirusTotal at
09/12/2007 13:12:11 (CET).

[ file data ]
* name: svchost_tmp.exe
* size: 474112
* md5.: 6f8a4becc1fa4f8f7d914e627071819c
* sha1: 292dd6ed0afaf92092277a3f05dbd156da70c8ba

[ scan result ]
AhnLab-V3 2007.9.11.1/20070912 found nothing
AntiVir 7.6.0.5/20070912 found [HEUR/Crypted]
Authentium 4.93.8/20070912 found [Possibly a new variant of W32/Threat-SysVenFak-based!Maximus]
Avast 4.7.1043.0/20070911 found nothing
AVG 7.5.0.485/20070911 found nothing
BitDefender 7.2/20070912 found nothing
CAT-QuickHeal 9.00/20070911 found nothing
ClamAV 0.91.2/20070912 found nothing
DrWeb 4.33/20070912 found nothing
eSafe 7.0.15.0/20070911 found nothing
eTrust-Vet 31.1.5128/20070912 found nothing
Ewido 4.0/20070912 found nothing
F-Prot 4.3.2.48/20070912 found [W32/Threat-SysVenFak-based!Maximus]
F-Secure 6.70.13030.0/20070912 found nothing
FileAdvisor 1/20070912 found nothing
Fortinet 3.11.0.0/20070912 found nothing
Ikarus T3.1.1.12/20070912 found nothing
Kaspersky 4.0.2.24/20070912 found nothing
McAfee 5117/20070911 found nothing
Microsoft 1.2803/20070912 found nothing
NOD32v2 2524/20070912 found nothing
Norman 5.80.02/20070912 found nothing
Panda 9.0.0.4/20070911 found [Suspicious file]
Prevx1 V2/20070912 found [Heuristic: Suspicious Hijacker]
Rising 19.40.22.00/20070912 found nothing
Sophos 4.21.0/20070912 found [Mal/Behav-053]
Sunbelt 2.2.907.0/20070912 found nothing
Symantec 10/20070912 found nothing
TheHacker 6.1.10.184/20070911 found nothing
VBA32 3.12.2.4/20070912 found nothing
VirusBuster 4.3.26:9/20070912 found nothing
Webwasher-Gateway 6.0.1/20070912 found [Heuristic.Crypted]

[ notes ]
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5...5CC1500A2FBFD3C

__________________________________________________
VirusTotal is a free service offered by Hispasec Sistemas. There are no
guarantees about the availability and continuity of this service. Do not reply
to this message. It has been generated by an automatic address that will not
handle any reply. Although the detection rate afforded by the use of multiple
antivirus engines is far superior to that offered by just one product, these
results DO NOT guarantee the harmlessness of a file. Currently, there is not
any solution that offers a 100% effectiveness rate for detecting viruses and
malware.
********************************************************************
Complete scanning result of "rt25.exe", processed in VirusTotal at 09/12/2007 13:45:15 (CET).

[ file data ]
* name: rt25.exe
* size: 15160
* md5.: 7d9523931ec387c22b749ea3dc44398e
* sha1: 73bf34eb1d31ded77d0ab0f38fe06681122ad1b8

[ scan result ]
AhnLab-V3 2007.9.11.1/20070912 found nothing
AntiVir 7.6.0.5/20070912 found [TR/PCK.PolyCrypt.D.111]
Authentium 4.93.8/20070912 found nothing
Avast 4.7.1043.0/20070911 found nothing
AVG 7.5.0.485/20070911 found [Generic7.FLI]
BitDefender 7.2/20070912 found nothing
CAT-QuickHeal 9.00/20070911 found [Trojan.PolyCrypt.d]
ClamAV 0.91.2/20070912 found nothing
DrWeb 4.33/20070912 found [Trojan.Packed.166]
eSafe 7.0.15.0/20070911 found [Win32.PolyCrypt.d]
eTrust-Vet 31.1.5128/20070912 found nothing
Ewido 4.0/20070912 found nothing
F-Prot 4.3.2.48/20070912 found nothing
F-Secure 6.70.13030.0/20070912 found [Packed.Win32.PolyCrypt.d]
FileAdvisor 1/20070912 found nothing
Fortinet 3.11.0.0/20070912 found nothing
Ikarus T3.1.1.12/20070912 found [Trojan-PWS.Win32.LdPinch.atw]
Kaspersky 4.0.2.24/20070912 found [Packed.Win32.PolyCrypt.d]
McAfee 5117/20070911 found [New Malware.eq]
Microsoft 1.2803/20070912 found nothing
NOD32v2 2524/20070912 found nothing
Norman 5.80.02/20070912 found [Suspicious_F.gen]
Panda 9.0.0.4/20070911 found nothing
Prevx1 V2/20070912 found [Heuristic: Suspicious Self Modifying EXE]
Rising 19.40.22.00/20070912 found nothing
Sophos 4.21.0/20070912 found [Mal/EncPk-AW]
Sunbelt 2.2.907.0/20070912 found [VIPRE.Suspicious]
Symantec 10/20070912 found nothing
TheHacker 6.1.10.184/20070911 found [W32/Behav-Heuristic-069]
VBA32 3.12.2.4/20070912 found nothing
VirusBuster 4.3.26:9/20070912 found [Trojan.DR.Cimuz.Gen.1]
Webwasher-Gateway 6.0.1/20070912 found [Trojan.PCK.PolyCrypt.D.111]

[ notes ]
packers: RCrypt
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5...FCB1800A1EC3BD3
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

****************************************************************
Complete scanning result of "rt26.exe", processed in VirusTotal at 09/12/2007 13:36:17 (CET).

[ file data ]
* name: rt26.exe
* size: 15160
* md5.: 7d9523931ec387c22b749ea3dc44398e
* sha1: 73bf34eb1d31ded77d0ab0f38fe06681122ad1b8

[ scan result ]
AhnLab-V3 2007.9.11.1/20070912 found nothing
AntiVir 7.6.0.5/20070912 found [TR/PCK.PolyCrypt.D.111]
Authentium 4.93.8/20070912 found nothing
Avast 4.7.1043.0/20070911 found nothing
AVG 7.5.0.485/20070911 found [Generic7.FLI]
BitDefender 7.2/20070912 found nothing
CAT-QuickHeal 9.00/20070911 found [Trojan.PolyCrypt.d]
ClamAV 0.91.2/20070912 found nothing
DrWeb 4.33/20070912 found [Trojan.Packed.166]
eSafe 7.0.15.0/20070911 found [Win32.PolyCrypt.d]
eTrust-Vet 31.1.5128/20070912 found nothing
Ewido 4.0/20070911 found nothing
F-Prot 4.3.2.48/20070912 found nothing
F-Secure 6.70.13030.0/20070912 found [Packed.Win32.PolyCrypt.d]
FileAdvisor 1/20070912 found nothing
Fortinet 3.11.0.0/20070912 found nothing
Ikarus T3.1.1.12/20070912 found [Trojan-PWS.Win32.LdPinch.atw]
Kaspersky 4.0.2.24/20070912 found [Packed.Win32.PolyCrypt.d]
McAfee 5117/20070911 found [New Malware.eq]
Microsoft 1.2803/20070912 found nothing
NOD32v2 2524/20070912 found nothing
Norman 5.80.02/20070912 found [Suspicious_F.gen]
Panda 9.0.0.4/20070911 found nothing
Prevx1 V2/20070912 found [Prevx Database Unreachable]
Rising 19.40.22.00/20070912 found nothing
Sophos 4.21.0/20070912 found [Mal/EncPk-AW]
Sunbelt 2.2.907.0/20070912 found [VIPRE.Suspicious]
Symantec 10/20070912 found nothing
TheHacker 6.1.10.184/20070911 found [W32/Behav-Heuristic-069]
VBA32 3.12.2.4/20070912 found nothing
VirusBuster 4.3.26:9/20070912 found [Trojan.DR.Cimuz.Gen.1]
Webwasher-Gateway 6.0.1/20070912 found [Trojan.PCK.PolyCrypt.D.111]

[ notes ]
packers: RCrypt
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

*****************************************************************

When I tried to send rt27.exe, the Symantec scanner for my AT&T email account said it was infected with virus Trojan.Adclicker and was removed because the file could not be cleaned.

**********************************************************************
ComboFix 07-09-10.6 - "Owner" 2007-09-12 11:33:06.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.172 [GMT -5:00]
* Created a new restore point

FILE::
C:\Program Files\EMusic\horyjybu22011.exe
C:\WINDOWS\SYSTEM32\yccdd.bak2
C:\WINDOWS\SYSTEM32\yccdd.bak1
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\plite731.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\plite731.exe
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\SYSTEM32\yccdd.bak1
C:\WINDOWS\SYSTEM32\yccdd.bak2


((((((((((((((((((((((((( Files Created from 2007-08-12 to 2007-09-12 )))))))))))))))))))))))))))))))
.

2007-09-12 06:36 <DIR> d-------- C:\Program Files\VirusTotalUploader
2007-09-11 17:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-10 12:46 <DIR> d-------- C:\!KillBox
2007-09-10 11:53 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-10 11:50 <DIR> d-------- C:\WINDOWS\pss
2007-09-08 09:29 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-09-08 09:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-09-08 09:28 75,932 --a------ C:\WINDOWS\SYSTEM32\drivers\klick.dat
2007-09-08 09:28 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-09-08 09:28 74,396 --a------ C:\WINDOWS\SYSTEM32\drivers\klin.dat
2007-09-08 09:28 256,032 --ahs---- C:\WINDOWS\SYSTEM32\drivers\fidbox.dat
2007-09-08 09:27 110,360 --a------ C:\WINDOWS\SYSTEM32\drivers\kl1.sys
2007-09-08 09:27 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-09-08 09:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-09-08 09:24 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-09-08 01:32 94,480 --a------ C:\WINDOWS\SYSTEM32\drivers\tmcomm.sys
2007-09-08 01:23 <DIR> d-------- C:\WINDOWS\SYSTEM32\HouseCall 6.6
2007-09-08 01:23 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\HouseCall 6.6
2007-09-07 21:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-07 08:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-07 08:57 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-09-07 08:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-05 10:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-09-05 08:31 10,872 --a------ C:\WINDOWS\SYSTEM32\drivers\AvgAsCln.sys
2007-09-05 03:47 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-09-05 03:44 <DIR> d-------- C:\Program Files\MSBuild
2007-09-05 03:36 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2007-09-05 03:34 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-09-05 03:32 14,048 --------- C:\WINDOWS\SYSTEM32\spmsg2.dll
2007-09-05 03:31 <DIR> d-------- C:\b91585f5ea663f3b0002
2007-09-05 03:26 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-09-05 03:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2007-09-05 03:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\drivers\UMDF
2007-09-05 02:43 36,352 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2007-09-05 02:43 288,768 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2007-09-05 02:43 116,736 --------- C:\WINDOWS\SYSTEM32\aaclient.dll
2007-09-04 19:51 33,792 --a------ C:\WINDOWS\SYSTEM32\dllcache\custsat.dll
2007-09-04 19:39 23,040 --------- C:\WINDOWS\SYSTEM32\dllcache\fltmc.exe
2007-09-04 19:39 16,896 --------- C:\WINDOWS\SYSTEM32\dllcache\fltlib.dll
2007-09-04 19:39 128,896 --------- C:\WINDOWS\SYSTEM32\dllcache\fltmgr.sys
2007-09-04 17:36 <DIR> d-------- C:\WINDOWS\peernet
2007-09-04 17:35 <DIR> d-------- C:\WINDOWS\provisioning
2007-09-04 17:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-09-04 17:22 23,856 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-09-04 17:16 <DIR> d-------- C:\WINDOWS\EHome
2007-09-04 17:07 68,096 --a------ C:\WINDOWS\SYSTEM32\l3acdb2.dll
2007-09-04 16:55 4,569 --------- C:\WINDOWS\SYSTEM32\secupd.dat
2007-09-04 16:55 11,776 --------- C:\WINDOWS\SYSTEM32\spnpinst.exe
2007-09-04 16:01 77,312 --a------ C:\WINDOWS\SYSTEM32\browser.dll
2007-09-04 16:01 614,912 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2007-09-04 16:01 40,960 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-09-04 16:01 40,960 --------- C:\WINDOWS\SYSTEM32\dllcache\evtgprov.dll
2007-09-04 16:01 331,264 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll
2007-09-04 15:46 239,104 --a------ C:\WINDOWS\SYSTEM32\srrstr.dll
2007-09-04 15:41 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-04 00:02 3,840 --a------ C:\WINDOWS\SYSTEM32\drivers\BANTExt.sys
2007-09-04 00:02 <DIR> d-------- C:\Program Files\Belarc
2007-09-03 22:42 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-09-03 22:42 94,416 --a------ C:\WINDOWS\SYSTEM32\drivers\aswmon2.sys
2007-09-03 22:42 92,848 --a------ C:\WINDOWS\SYSTEM32\drivers\aswmon.sys
2007-09-03 22:42 801,144 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-09-03 22:42 42,912 --a------ C:\WINDOWS\SYSTEM32\drivers\aswTdi.sys
2007-09-03 22:42 26,624 --a------ C:\WINDOWS\SYSTEM32\drivers\aavmker4.sys
2007-09-03 22:42 23,152 --a------ C:\WINDOWS\SYSTEM32\drivers\aswRdr.sys
2007-09-03 22:42 <DIR> d-------- C:\Program Files\Alwil Software
2007-09-03 22:09 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-03 22:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-03 22:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-03 20:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-03 20:51 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Talkback
2007-09-03 20:18 474,112 --a------ C:\WINDOWS\svchost_tmp.exe
2007-09-03 01:11 109,568 --a------ C:\WINDOWS\SYSTEM32\rt27.exe
2007-09-02 11:32 15,160 --a------ C:\WINDOWS\SYSTEM32\rt26.exe
2007-09-02 11:32 15,160 --a------ C:\WINDOWS\SYSTEM32\rt25.exe
2007-08-20 14:34 <DIR> d-------- C:\Program Files\Common Files\ErrorSafe Free
2007-08-20 14:34 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Error Safe Free
2007-08-19 06:38 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2007-08-16 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\syschks22
2007-08-16 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\SS1
2007-08-16 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\ICM2
2007-08-16 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\chkfig5
2007-08-16 15:03 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-10 12:01 --------- d-------- C:\Program Files\AWS
2007-09-08 10:12 2204 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-08 05:04 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\blstoolbar
2007-09-08 03:06 --------- d-------- C:\Program Files\CompuServe 2000
2007-09-05 11:36 --------- d-------- C:\Program Files\QuickTime
2007-09-05 11:16 --------- d-------- C:\Program Files\blstoolbar
2007-09-05 11:15 --------- d-------- C:\Program Files\AOL Companion
2007-09-05 11:15 --------- d-------- C:\Program Files\America Online 9.0a
2007-09-03 23:15 --------- d-------- C:\Program Files\Sumo Dance
2007-08-08 20:15 --------- d-------- C:\Program Files\Imikimi
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-19 01:59 3583488 --------- C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-07-12 18:31 765952 --------- C:\WINDOWS\SYSTEM32\dllcache\vgx.dll
2007-06-27 09:34 823808 --------- C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2007-06-27 09:34 671232 --------- C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2007-06-27 09:34 6058496 --------- C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2007-06-27 09:34 52224 --------- C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2007-06-27 09:34 477696 --------- C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2007-06-27 09:34 459264 --------- C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2007-06-27 09:34 44544 --------- C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
2007-06-27 09:34 384512 --------- C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
2007-06-27 09:34 383488 --------- C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2007-06-27 09:34 27648 --------- C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2007-06-27 09:34 267776 --------- C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2007-06-27 09:34 232960 --------- C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
2007-06-27 09:34 230400 --------- C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
2007-06-27 09:34 193024 --------- C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2007-06-27 09:34 153088 --------- C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
2007-06-27 09:34 132608 --------- C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2007-06-27 09:34 124928 --------- C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
2007-06-27 09:34 1152000 --------- C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2007-06-27 09:34 105984 --------- C:\WINDOWS\SYSTEM32\dllcache\url.dll
2007-06-27 09:34 102400 --------- C:\WINDOWS\SYSTEM32\dllcache\occache.dll
2007-06-27 03:27 63488 --------- C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-06-27 03:27 625152 --------- C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-06-27 03:27 13824 --------- C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-06-27 02:00 161792 --a------ C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-26 01:08 1104896 --------- C:\WINDOWS\SYSTEM32\dllcache\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-06-19 08:31 282112 --------- C:\WINDOWS\SYSTEM32\dllcache\gdi32.dll
2007-06-15 03:12 474112 --------- C:\WINDOWS\SYSTEM32\dllcache\shlwapi.dll
2007-06-15 03:12 151040 --------- C:\WINDOWS\SYSTEM32\dllcache\cdfview.dll
2007-06-15 03:12 1498112 --------- C:\WINDOWS\SYSTEM32\dllcache\shdocvw.dll
2007-06-15 03:12 1054208 --------- C:\WINDOWS\SYSTEM32\dllcache\danim.dll
2007-06-15 03:12 1022976 --------- C:\WINDOWS\SYSTEM32\dllcache\browseui.dll
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 05:23 1033216 --------- C:\WINDOWS\SYSTEM32\dllcache\explorer.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of C:\WINDOWS\SYSTEM32\ICM2 ----


---- Directory of C:\WINDOWS\SYSTEM32\syschks22 ----


---- Directory of C:\WINDOWS\SYSTEM32\chkfig5 ----


---- Directory of C:\WINDOWS\SYSTEM32\SS1 ----



((((((((((((((((((((((((((((( snapshot_2007-09-10_121303.75 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 879,736 2007-09-06 17:08:01 C:\WINDOWS\SoftwareDistribution\Download\Install\Windows-KB890830-V1.33-delta.exe
----a-w 17,474,680 2007-09-06 02:50:42 C:\WINDOWS\SYSTEM32\MRT.exe
----atw 16,384 2007-09-11 02:19:13 C:\WINDOWS\Temp\Perflib_Perfdata_19c.dat
.
----a-w 16,789,464 2007-08-03 02:34:12 C:\WINDOWS\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 12:04]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 17:56]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 18:34]
"NvCplDaemon"="NvQTwk" []
"S3TRAY2"="S3tray2.exe" [2001-10-04 14:06 C:\WINDOWS\SYSTEM32\S3tray2.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 20:25]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 19:36]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 17:13]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-04 13:32]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2001-08-13 22:23]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-11-29 22:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-01-21 23:45]
"BellSouthAlertManager.exe"="C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" [2007-01-28 12:14]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"LTMSG"="LTMSG.exe" [2003-07-14 10:52 C:\WINDOWS\ltmsg.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" []
"MoneyAgent"="c:\Program Files\Microsoft Money\System\Money Express.exe" [2001-07-25 13:00]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0a\aoltray.exe [2004-01-22 00:02:20]
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe [2004-01-21 23:45:35]
Event Planner Reminders Tray Icon.lnk - C:\Sierra\Planner\PLNRnote.exe [2002-02-23 14:01:47]
Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\PMremind.exe [2005-03-05 11:06:01]
Palo Alto Software Update Manager 8.0.lnk - C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe [2005-02-09 16:50:36]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe
S3 7ByteIO;7ByteIO;\??\C:\Program Files\Hot CPU Tester Pro 4 LE\SysInfo.sys
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\system32\drivers\PCDRDRV.sys

*Newly Created Service* - IDSVC
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-12 11:38:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-12 11:42:18
C:\ComboFix-quarantined-files.txt ... 2007-09-12 11:42
C:\ComboFix2.txt ... 2007-09-11 17:19
C:\ComboFix3.txt ... 2007-09-10 12:15
.
--- E O F ---
*****************************************************************************
*****************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:43 PM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9544 bytes


**********************************************************************

Thanks again, awaiting your reply
stanpatpick

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:27 PM

Posted 12 September 2007 - 01:26 PM

Hi stanpatpick,

Click on start, then control panel, and then double-click on add/remove programs.
From within add/remove program uninstall the following (if they exist) by double-clicking on the following entries:
MarketBrowser

Reboot your computer



Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy




Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File::
C:\WINDOWS\svchost_tmp.exe
C:\WINDOWS\SYSTEM32\rt25.exe
C:\WINDOWS\SYSTEM32\rt26.exe
C:\WINDOWS\SYSTEM32\rt27.exe
C:\WINDOWS\SYSTEM32\l3acdb2.dll



Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Navigate to and delete the following folders:
C:\Program Files\MarketBrowser\
C:\WINDOWS\system32\syschks22
C:\WINDOWS\system32\SS1
C:\WINDOWS\system32\ICM2
C:\WINDOWS\system32\chkfig5

Edited by SifuMike, 12 September 2007 - 01:27 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
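The instructions above ask for two O9 entries to be "fixed" in HijackThis and for the next log to be posted so the helper can confirm they are gone. As an added example (it is not code from this thread, from HijackThis or from ComboFix), here is a small Python parser for HijackThis R/O entry lines that diffs a "before" and "after" log and reports which entries disappeared, so that check can be done mechanically instead of by eye. The two sample logs are constructed from lines quoted in this thread; the path regex, the file-extension list and the function names are my own assumptions, not anything the tools define.

```python
"""Diff two HijackThis logs to confirm that targeted entries were removed.

Added example: a heuristic parser, not part of HijackThis or this thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# HijackThis entry lines look like "O9 - Extra button: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
# A COM CLSID as HijackThis prints it for BHOs, toolbars and O9 buttons.
CLSID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
)
# Heuristic (my assumption): first Windows path ending in a known extension.
PATH_RE = re.compile(
    r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys|xpy|cab|lnk|scr)", re.IGNORECASE
)


@dataclass(frozen=True)
class HjtEntry:
    section: str            # "O9", "O4", "R1", ...
    body: str               # everything after "Oxx - "
    clsid: Optional[str]    # {GUID} if the line carries one
    path: Optional[str]     # first file path found on the line, if any


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Return the R/O entries of a log; headers and the process list are skipped."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        clsid = CLSID_RE.search(line)
        path = PATH_RE.search(line)
        entries.append(HjtEntry(m["section"], m["body"],
                                clsid.group(0) if clsid else None,
                                path.group(0) if path else None))
    return entries


def diff_logs(before: str, after: str) -> Tuple[List[HjtEntry], List[HjtEntry]]:
    """Entries present only in `before` (removed) and only in `after` (added)."""
    b, a = parse_hjt_log(before), parse_hjt_log(after)
    b_set, a_set = set(b), set(a)
    removed = [e for e in b if e not in a_set]
    added = [e for e in a if e not in b_set]
    return removed, added


def entries_referencing(entries: List[HjtEntry], fragment: str) -> List[HjtEntry]:
    """Entries whose file path mentions `fragment`, e.g. a folder slated for deletion."""
    frag = fragment.lower()
    return [e for e in entries if e.path and frag in e.path.lower()]


def fix_applied(after: str, targets: List[str]) -> Dict[str, bool]:
    """For each target line the helper asked to fix, True if it is absent from `after`."""
    after_bodies = {e.body for e in parse_hjt_log(after)}
    result: Dict[str, bool] = {}
    for t in targets:
        m = ENTRY_RE.match(t.strip())
        body = m["body"] if m else t.strip()
        result[t] = body not in after_bodies
    return result


# Constructed sample logs, trimmed to a handful of lines quoted in this thread.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:43 PM, on 9/12/2007

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:40 PM, on 9/12/2007

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    for e in removed:
        print("removed:", e.section, e.body)
    for e in added:
        print("added:  ", e.section, e.body)
```

Run it as-is and it reports the two MarketBrowser O9 entries as removed and nothing added; `entries_referencing(parse_hjt_log(BEFORE_LOG), "MarketBrowser")` lists the entries that point into the folder the helper asked to delete, which is a quick way to see which log lines a folder deletion is expected to clear.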

#7 stanpatpick

stanpatpick
  • Topic Starter

  • Members
  • 53 posts
  • Gender:Male
  • Location:SouthEast US
  • Local time:05:27 PM

Posted 12 September 2007 - 09:32 PM

Marketbrowser was uninstalled.
Rebooted.
No entries were found to remove with HijackThis.
Ran ComboFix.
Rebooted.
No Folder found for MarketBrowser.
Deleted others as instructed.
*************************************************
ComboFix 07-09-10.6 - "Owner" 2007-09-12 20:37:29.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.164 [GMT -5:00]
* Created a new restore point

FILE::
C:\WINDOWS\svchost_tmp.exe
C:\WINDOWS\SYSTEM32\rt25.exe
C:\WINDOWS\SYSTEM32\rt26.exe
C:\WINDOWS\SYSTEM32\rt27.exe
C:\WINDOWS\SYSTEM32\l3acdb2.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\svchost_tmp.exe
C:\WINDOWS\SYSTEM32\l3acdb2.dll
C:\WINDOWS\SYSTEM32\rt25.exe
C:\WINDOWS\SYSTEM32\rt26.exe
C:\WINDOWS\SYSTEM32\rt27.exe


((((((((((((((((((((((((( Files Created from 2007-08-13 to 2007-09-13 )))))))))))))))))))))))))))))))
.

2007-09-12 06:36 <DIR> d-------- C:\Program Files\VirusTotalUploader
2007-09-11 17:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-10 12:46 <DIR> d-------- C:\!KillBox
2007-09-10 11:53 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-10 11:50 <DIR> d-------- C:\WINDOWS\pss
2007-09-08 09:29 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-09-08 09:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-09-08 09:28 75,932 --a------ C:\WINDOWS\SYSTEM32\drivers\klick.dat
2007-09-08 09:28 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-09-08 09:28 74,396 --a------ C:\WINDOWS\SYSTEM32\drivers\klin.dat
2007-09-08 09:28 299,040 --ahs---- C:\WINDOWS\SYSTEM32\drivers\fidbox.dat
2007-09-08 09:27 110,360 --a------ C:\WINDOWS\SYSTEM32\drivers\kl1.sys
2007-09-08 09:27 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-09-08 09:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-09-08 09:24 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-09-08 01:32 94,480 --a------ C:\WINDOWS\SYSTEM32\drivers\tmcomm.sys
2007-09-08 01:23 <DIR> d-------- C:\WINDOWS\SYSTEM32\HouseCall 6.6
2007-09-08 01:23 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\HouseCall 6.6
2007-09-07 21:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-07 08:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-07 08:57 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-09-07 08:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-05 10:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-09-05 08:31 10,872 --a------ C:\WINDOWS\SYSTEM32\drivers\AvgAsCln.sys
2007-09-05 03:47 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-09-05 03:44 <DIR> d-------- C:\Program Files\MSBuild
2007-09-05 03:36 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2007-09-05 03:34 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-09-05 03:32 14,048 --------- C:\WINDOWS\SYSTEM32\spmsg2.dll
2007-09-05 03:31 <DIR> d-------- C:\b91585f5ea663f3b0002
2007-09-05 03:26 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-09-05 03:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2007-09-05 03:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\drivers\UMDF
2007-09-05 02:43 36,352 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2007-09-05 02:43 288,768 --------- C:\WINDOWS\SYSTEM32\rhttpaa.dll
2007-09-05 02:43 116,736 --------- C:\WINDOWS\SYSTEM32\aaclient.dll
2007-09-04 19:51 33,792 --a------ C:\WINDOWS\SYSTEM32\dllcache\custsat.dll
2007-09-04 19:39 23,040 --------- C:\WINDOWS\SYSTEM32\dllcache\fltmc.exe
2007-09-04 19:39 16,896 --------- C:\WINDOWS\SYSTEM32\dllcache\fltlib.dll
2007-09-04 19:39 128,896 --------- C:\WINDOWS\SYSTEM32\dllcache\fltmgr.sys
2007-09-04 17:36 <DIR> d-------- C:\WINDOWS\peernet
2007-09-04 17:35 <DIR> d-------- C:\WINDOWS\provisioning
2007-09-04 17:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-09-04 17:22 23,856 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-09-04 17:16 <DIR> d-------- C:\WINDOWS\EHome
2007-09-04 16:55 4,569 --------- C:\WINDOWS\SYSTEM32\secupd.dat
2007-09-04 16:55 11,776 --------- C:\WINDOWS\SYSTEM32\spnpinst.exe
2007-09-04 16:01 77,312 --a------ C:\WINDOWS\SYSTEM32\browser.dll
2007-09-04 16:01 614,912 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2007-09-04 16:01 40,960 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-09-04 16:01 40,960 --------- C:\WINDOWS\SYSTEM32\dllcache\evtgprov.dll
2007-09-04 16:01 331,264 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll
2007-09-04 15:46 239,104 --a------ C:\WINDOWS\SYSTEM32\srrstr.dll
2007-09-04 15:41 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-04 00:02 3,840 --a------ C:\WINDOWS\SYSTEM32\drivers\BANTExt.sys
2007-09-04 00:02 <DIR> d-------- C:\Program Files\Belarc
2007-09-03 22:42 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-09-03 22:42 94,416 --a------ C:\WINDOWS\SYSTEM32\drivers\aswmon2.sys
2007-09-03 22:42 92,848 --a------ C:\WINDOWS\SYSTEM32\drivers\aswmon.sys
2007-09-03 22:42 801,144 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-09-03 22:42 42,912 --a------ C:\WINDOWS\SYSTEM32\drivers\aswTdi.sys
2007-09-03 22:42 26,624 --a------ C:\WINDOWS\SYSTEM32\drivers\aavmker4.sys
2007-09-03 22:42 23,152 --a------ C:\WINDOWS\SYSTEM32\drivers\aswRdr.sys
2007-09-03 22:42 <DIR> d-------- C:\Program Files\Alwil Software
2007-09-03 22:09 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-03 22:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-03 22:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-03 20:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-03 20:51 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Talkback
2007-08-20 14:34 <DIR> d-------- C:\Program Files\Common Files\ErrorSafe Free
2007-08-20 14:34 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Error Safe Free
2007-08-19 06:38 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2007-08-16 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\syschks22
2007-08-16 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\SS1
2007-08-16 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\ICM2
2007-08-16 15:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\chkfig5
2007-08-16 15:03 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-12 20:44 4580 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-12 20:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-10 12:01 --------- d-------- C:\Program Files\AWS
2007-09-08 05:04 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\blstoolbar
2007-09-08 03:06 --------- d-------- C:\Program Files\CompuServe 2000
2007-09-05 11:36 --------- d-------- C:\Program Files\QuickTime
2007-09-05 11:16 --------- d-------- C:\Program Files\blstoolbar
2007-09-05 11:15 --------- d-------- C:\Program Files\AOL Companion
2007-09-05 11:15 --------- d-------- C:\Program Files\America Online 9.0a
2007-09-03 23:15 --------- d-------- C:\Program Files\Sumo Dance
2007-08-08 20:15 --------- d-------- C:\Program Files\Imikimi
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-19 01:59 3583488 --------- C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-07-12 18:31 765952 --------- C:\WINDOWS\SYSTEM32\dllcache\vgx.dll
2007-06-27 09:34 823808 --------- C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2007-06-27 09:34 671232 --------- C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2007-06-27 09:34 6058496 --------- C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2007-06-27 09:34 52224 --------- C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2007-06-27 09:34 477696 --------- C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2007-06-27 09:34 459264 --------- C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2007-06-27 09:34 44544 --------- C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
2007-06-27 09:34 384512 --------- C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
2007-06-27 09:34 383488 --------- C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2007-06-27 09:34 27648 --------- C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2007-06-27 09:34 267776 --------- C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2007-06-27 09:34 232960 --------- C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
2007-06-27 09:34 230400 --------- C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
2007-06-27 09:34 193024 --------- C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2007-06-27 09:34 153088 --------- C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
2007-06-27 09:34 132608 --------- C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2007-06-27 09:34 124928 --------- C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
2007-06-27 09:34 1152000 --------- C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2007-06-27 09:34 105984 --------- C:\WINDOWS\SYSTEM32\dllcache\url.dll
2007-06-27 09:34 102400 --------- C:\WINDOWS\SYSTEM32\dllcache\occache.dll
2007-06-27 03:27 63488 --------- C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-06-27 03:27 625152 --------- C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-06-27 03:27 13824 --------- C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-06-27 02:00 161792 --a------ C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-26 01:08 1104896 --------- C:\WINDOWS\SYSTEM32\dllcache\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-06-19 08:31 282112 --------- C:\WINDOWS\SYSTEM32\dllcache\gdi32.dll
2007-06-15 03:12 474112 --------- C:\WINDOWS\SYSTEM32\dllcache\shlwapi.dll
2007-06-15 03:12 151040 --------- C:\WINDOWS\SYSTEM32\dllcache\cdfview.dll
2007-06-15 03:12 1498112 --------- C:\WINDOWS\SYSTEM32\dllcache\shdocvw.dll
2007-06-15 03:12 1054208 --------- C:\WINDOWS\SYSTEM32\dllcache\danim.dll
2007-06-15 03:12 1022976 --------- C:\WINDOWS\SYSTEM32\dllcache\browseui.dll
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 05:23 1033216 --------- C:\WINDOWS\SYSTEM32\dllcache\explorer.exe
.

((((((((((((((((((((((((((((( snapshot_2007-09-10_121303.75 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 17,474,680 2007-09-06 02:50:42 C:\WINDOWS\SYSTEM32\MRT.exe
----atw 16,384 2007-09-13 01:45:55 C:\WINDOWS\Temp\Perflib_Perfdata_15c.dat
----atw 16,384 2007-09-11 02:19:13 C:\WINDOWS\Temp\Perflib_Perfdata_19c.dat
.
----a-w 16,789,464 2007-08-03 02:34:12 C:\WINDOWS\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 12:04]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 17:56]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 18:34]
"NvCplDaemon"="NvQTwk" []
"S3TRAY2"="S3tray2.exe" [2001-10-04 14:06 C:\WINDOWS\SYSTEM32\S3tray2.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 20:25]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 19:36]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 17:13]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-04 13:32]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2001-08-13 22:23]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-11-29 22:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-01-21 23:45]
"BellSouthAlertManager.exe"="C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" [2007-01-28 12:14]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"LTMSG"="LTMSG.exe" [2003-07-14 10:52 C:\WINDOWS\ltmsg.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" []
"MoneyAgent"="c:\Program Files\Microsoft Money\System\Money Express.exe" [2001-07-25 13:00]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0a\aoltray.exe [2004-01-22 00:02:20]
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe [2004-01-21 23:45:35]
Event Planner Reminders Tray Icon.lnk - C:\Sierra\Planner\PLNRnote.exe [2002-02-23 14:01:47]
Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\PMremind.exe [2005-03-05 11:06:01]
Palo Alto Software Update Manager 8.0.lnk - C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe [2005-02-09 16:50:36]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe
S3 7ByteIO;7ByteIO;\??\C:\Program Files\Hot CPU Tester Pro 4 LE\SysInfo.sys
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\system32\drivers\PCDRDRV.sys

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-12 20:47:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-12 20:54:56 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-12 20:54
C:\ComboFix2.txt ... 2007-09-12 11:42
C:\ComboFix3.txt ... 2007-09-11 17:19
.
--- E O F ---
**************************************************************************
**************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:40 PM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9320 bytes

******************************************************************************
******************************************************************************

Thanks again.

Did I overlook something with the MarketBrowser items or could they just not have been there for me to find?

Awaiting instructions.
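The log above is what the helpers read line by line, so here is a small parser for the HijackThis entry format as an added example. It is not a BleepingComputer or HijackThis tool, and the flagging rules in `triage()` are my own review heuristics (entries with no display name, services with no publisher, downloaded ActiveX controls, autoruns from unqualified or user-writable paths), not anything the thread states. The sample lines are copied from the log posted above.

```python
"""Parse HijackThis (HJT) log entries into records and flag the ones a
reviewer usually checks first. Added example; the heuristics are review
hints, not verdicts: legitimate software trips them too (Spybot's
SDHelper.dll appears as a "(no name)" BHO in the sample below)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Sample entries taken from the HJT log in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin.cab
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

--
End of file - 9320 bytes
""".strip()

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# Directories under the XP user profile that any program can write to.
TEMP_LIKE = re.compile(r"\\(temp|local settings|application data|appdata)\\", re.I)


@dataclass
class Entry:
    section: str                  # O2, O4, O16, O23, ...
    name: str                     # display name, Run key or service name
    target: str                   # file, command line or URL the entry loads
    vendor: Optional[str] = None  # publisher field, O23 only
    raw: str = ""


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one HJT line into an Entry; returns None for non-entry lines."""
    raw = line.strip()
    m = LINE_RE.match(raw)
    if not m:
        return None  # header, blank line or "End of file" trailer
    section, body = m.groups()
    if section == "O4":
        km = re.match(r"^[^:]+: \[([^\]]*)\] (.*)$", body)
        if km:  # "HKLM\..\Run: [key] command"
            return Entry(section, km.group(1), km.group(2).strip(), None, raw)
        rest = body.partition(": ")[2]
        name, sep, target = rest.partition(" = ")  # "Startup: Foo.lnk = path"
        return Entry(section, name if sep else rest, target if sep else "", None, raw)
    if section == "O16":
        dm = re.match(r"^DPF: \{[^}]+\} \((.*)\) - (\S+)$", body)
        if dm:
            return Entry(section, dm.group(1), dm.group(2), None, raw)
    if section == "O23":
        parts = body.rsplit(" - ", 2)  # "Service: name - vendor - path"
        if len(parts) == 3:
            return Entry(section, parts[0].partition(": ")[2], parts[2].strip(), parts[1].strip(), raw)
    # Generic "Kind: name - {clsid} - path" shape (O2/O3/O8/O9) and the rest.
    parts = [p.strip() for p in body.split(" - ")]
    head = parts[0].partition(": ")[2] or parts[0]
    target = parts[-1] if len(parts) > 1 else head
    return Entry(section, head, target, None, raw)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (section, name, reason) for entries that deserve a second look."""
    hits = []
    for e in entries:
        if e.section in ("O2", "O3", "O9") and e.name == "(no name)":
            hits.append((e.section, e.target, "no display name; identify the CLSID and the file"))
        elif e.section == "O4":
            if TEMP_LIKE.search(e.target):
                hits.append((e.section, e.name, "autorun from a user-writable location"))
            elif e.target and "\\" not in e.target.split()[0]:
                hits.append((e.section, e.name, "unqualified executable name; locate the file actually run"))
        elif e.section == "O16":
            host = urlparse(e.target).netloc
            hits.append((e.section, e.name, f"downloaded ActiveX control from {host}; remove if not recognised"))
        elif e.section == "O23" and e.vendor == "Unknown owner":
            hits.append((e.section, e.name, "service without publisher information"))
    return hits


if __name__ == "__main__":
    for section, name, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{section:4} {name:50} {reason}")
```

Every hit still needs a human decision: the flagged `(no name)` BHO in the sample is Spybot's own helper, which is exactly why SifuMike asked for the CLSIDs and paths rather than relying on names alone.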

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:27 PM

Posted 12 September 2007 - 09:50 PM

Hi stanpatpick

Did I overlook something with the MarketBrowser items or could they just not have been there for me to find?



No, you did not overlook anything. The MarketBrowser uninstall took them out. :thumbsup:

ComboFix log looks clean.

How is the computer running now? Any popups?

Edited by SifuMike, 12 September 2007 - 10:42 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 stanpatpick

stanpatpick
  • Topic Starter

  • Members
  • 53 posts
  • Gender:Male
  • Location:SouthEast US
  • Local time:05:27 PM

Posted 13 September 2007 - 01:03 AM

No popups.

What is left to do?

Is there any particular reason I seem to have to shut down ZoneAlarm every once in a while to get connectivity?

Thanks.

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:27 PM

Posted 13 September 2007 - 12:33 PM

Hi stanpatpick,

What is left to do?


Please find and delete the following:
Combofix
C:\QOOBOX
C:\Combofix




Let's reset your files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.


Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.


Please read and follow "How did I get infected?, With steps so it does not happen again!"
as well as
"How to prevent Malware" by miekiemoes.


If you want to improve speed/system performance after malware removal, take a look here.

Is there any particular reason I seem to have to shut down ZoneAlarm every once in a while to get connectivity?


It is a ZoneAlarm bug. If you can't live with it, then try a different firewall.

Here are four firewalls available for personal use. If one conflicts with your system, try another.
I use Comodo Firewall Pro.

You Need a (Properly Configured) Firewall
Understanding and Using Firewalls


Comodo Firewall Pro
Comodo Firewall Pro user guide

Sunbelt Kerio Firewall

Outpost Firewall Free

Jetico Personal Firewall

#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:27 PM

Posted 20 September 2007 - 04:11 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.