
Infected With Several Things: Winfixer, Virtumonde, Conhook.d


7 replies to this topic

#1 hutch83

hutch83

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:38 AM

Posted 08 September 2007 - 09:18 PM

I just started having issues with this computer, and I can't seem to get rid of the problems.
I'm getting a whole assortment of problems:
eZula
WinFixer
Virtumonde
Conhook

Every time I restart my computer spybot s&d tells me some registry files are trying to be changed. I've done everything I know and even found some new things to try. I've run AdAware, Spybot S&D, Windows Defender, and SUPERAntiSpyware Professional, all of these programs have been run in regular and safemode and I'm still getting problems every time. Here is my Hijackthis Log. Thanks for any help.

-------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:56 PM, on 9/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\DOCUME~1\Jason\LOCALS~1\Temp\clclean.0001
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=rB...rUIUly8GYU-ptqg
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [{8A-AF-FE-EC-ZN}] C:\DOCUME~1\Jason\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\ckroftkj.dll",forkonce
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Jason\Local Settings\Temp\thinksnet.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 6785 bytes
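The O4 lines in the log above are the autostart points the helpers act on. The following Python is an added example, not part of the original post and not HijackThis code: it parses O4 entries and flags the ones a reviewer would pull first, anything launching from a Temp directory and rundll32 loading a DLL out of system32 with an eight-letter random-looking name. The sample lines are copied from the log above; the two heuristics (the `\Temp\` path test and the eight-lowercase-letter DLL name) are this example's own assumptions, and a hit is a lead to investigate, not a verdict.

```python
"""Triage of HijackThis O4 (autostart) entries.

Added example; the heuristics below are assumptions of this example,
not rules from HijackThis or the forum post.
"""
import re

# "O4 - HKLM\..\Run: [name] command"  and  "O4 - Startup: file.lnk = command"
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
O4_STARTUP = re.compile(r"^O4 - Startup: (?P<name>[^=]+?) = (?P<cmd>.*)$")

# Heuristic 1 (assumption): executable lives under some ...\Temp\ directory.
TEMP_PATH = re.compile(r"\\Temp\\", re.IGNORECASE)
# Heuristic 2 (assumption): rundll32 loads <dir>\<eight lowercase letters>.dll
RUNDLL_RANDOM = re.compile(
    r'[Rr]undll32(?:\.exe)?\s+"?(?P<dll>[^",]*\\[a-z]{8}\.dll)"?,'
)

# Sample input: O4 lines copied from the HijackThis log posted above.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe",
    r"O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon",
    r"O4 - HKLM\..\Run: [{8A-AF-FE-EC-ZN}] C:\DOCUME~1\Jason\LOCALS~1\Temp\thinksnet.exe CHD003",
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r'O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\ckroftkj.dll",forkonce',
    r"O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
    r"O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Jason\Local Settings\Temp\thinksnet.exe",
]


def parse_o4(line):
    """Return (entry name, command) for an O4 line, or None for any other line."""
    m = O4_RUN.match(line) or O4_STARTUP.match(line)
    if not m:
        return None
    return m.group("name"), m.group("cmd").strip()


def reasons(cmd):
    """List every heuristic the autostart command trips (empty list = clean)."""
    out = []
    if TEMP_PATH.search(cmd):
        out.append("launches from a Temp directory")
    m = RUNDLL_RANDOM.search(cmd)
    if m:
        out.append("rundll32 loads randomly named DLL " + m.group("dll"))
    return out


def triage(log_lines):
    """Return [(name, command, [reasons])] for O4 entries worth a closer look."""
    hits = []
    for line in log_lines:
        parsed = parse_o4(line.strip())
        if parsed is None:
            continue
        name, cmd = parsed
        why = reasons(cmd)
        if why:
            hits.append((name, cmd, why))
    return hits


if __name__ == "__main__":
    for name, cmd, why in triage(SAMPLE_LOG):
        print(f"[{name}] {cmd}\n    -> {'; '.join(why)}")
```

Run against the sample, the three entries the helper later removes (the Temp-resident thinksnet.exe run key and startup shortcut, and the ckroftkj.dll rundll32 loader) are the only hits; the Creative `Rundll32 CTMBHA.DLL,MBMon` line is not flagged because it loads a named vendor DLL, not a random eight-letter one.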


#2 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:38 PM

Posted 09 September 2007 - 09:07 AM

Download the latest version of ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

#3 hutch83

hutch83
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:38 AM

Posted 09 September 2007 - 11:58 AM

ComboFix 07-09-09.4 - "Jason" 2007-09-09 10:51:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.478 [GMT -5:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Jason\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\DOCUME~1\Jason\STARTM~1\Programs\Startup\ta_start.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\drivers\asc3550.sys
C:\WINDOWS\system32\ebsuxatg.dll


C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\hmlstaer.ini
C:\WINDOWS\system32\ntolfdih.dll
C:\WINDOWS\system32\reatslmh.dll
F:\Autorun.inf


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-08-09 to 2007-09-09 )))))))))))))))))))))))))))))))
.

2007-09-09 10:56 14,848 --a------ C:\WINDOWS\system32\drivers\asc3550.sys
2007-09-09 10:56 14,848 --a------ C:\WINDOWS\system32\dllcache\asc3550.sys
2007-09-09 10:55 69,184 --a------ C:\WINDOWS\system32\ioefjlji.dll
2007-09-09 10:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-08 21:24 2,039,184 ---hs---- C:\WINDOWS\system32\wyadd.ini2
2007-09-08 21:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-08 20:39 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-08 18:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-08 18:53 <DIR> d-------- C:\DOCUME~1\Jason\APPLIC~1\SUPERAntiSpyware.com
2007-09-08 18:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-07 11:18 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-07 11:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-07 11:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-07 11:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-07 05:47 2,060,393 ---hs---- C:\WINDOWS\system32\wyadd.bak2
2007-09-06 18:07 <DIR> d-------- C:\Program Files\Windows Defender
2007-09-06 17:46 6,448 ---hs---- C:\WINDOWS\system32\wyadd.bak1
2007-09-06 17:45 244,832 --------- C:\WINDOWS\system32\ddayw.dll
2007-09-06 17:41 <DIR> d--hs---- C:\WINDOWS\SmFzb24
2007-09-06 17:41 <DIR> d-------- C:\WINDOWS\system32\drvr2
2007-09-06 17:41 <DIR> d-------- C:\WINDOWS\system32\cfig322
2007-09-06 17:41 <DIR> d-------- C:\WINDOWS\system32\capcom
2007-09-06 17:40 <DIR> d-------- C:\Temp
2007-09-06 13:24 <DIR> d-------- C:\Program Files\uTorrent
2007-09-06 13:23 <DIR> d-------- C:\DOCUME~1\Jason\APPLIC~1\uTorrent
2007-09-06 13:17 <DIR> d-------- C:\DOCUME~1\Jason\APPLIC~1\WinRAR
2007-09-05 18:39 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-09-05 18:38 <DIR> d-------- C:\ATI
2007-09-05 17:50 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-09-05 17:47 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-09-05 17:47 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-09-02 23:19 <DIR> d--h----- C:\WINDOWS\PIF
2007-08-29 20:05 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-08-28 22:46 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-08-28 22:46 59,264 --a------ C:\WINDOWS\system32\dllcache\usbaudio.sys
2007-08-28 22:46 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-08-28 22:46 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-06 17:41 --------- d-------- C:\Program Files\Windows Plus
2007-09-05 18:40 --------- d-------- C:\Program Files\ATI Technologies
2007-09-05 18:39 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-02 23:24 3350 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-15 18:56 --------- d-------- C:\Program Files\World of Warcraft
2007-08-08 07:28 --------- d-------- C:\DOCUME~1\Jason\APPLIC~1\.purple
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-28 00:44 45296 --a------ C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-07-27 22:37 8237056 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-07-27 22:31 344064 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-07-27 22:30 269312 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-07-27 22:30 2371584 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-07-27 22:30 2371584 --a------ C:\WINDOWS\system32\dllcache\ati2mtag.sys
2007-07-27 22:24 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-07-27 22:23 143360 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-07-27 22:23 122880 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-07-27 22:22 43520 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-07-27 22:22 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-07-27 22:22 118784 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-07-27 22:21 483328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-07-27 22:20 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-07-27 22:12 3067712 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-07-27 22:06 176128 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-07-27 22:01 1550208 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-07-27 21:50 5435392 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-07-27 21:47 266240 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-07-27 21:46 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-07-27 21:45 49152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll
2007-07-27 21:40 450560 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-07-22 06:11 --------- d-------- C:\Program Files\OGPlanet
2007-07-11 14:37 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-26 10:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 09:35 665600 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 01:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 08:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-15 03:12 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-15 03:12 616960 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-15 03:12 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-15 03:12 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-15 03:12 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 03:12 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-15 03:12 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-15 03:12 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-15 03:12 3064320 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-15 03:12 251904 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-15 03:12 205824 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-15 03:12 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-15 03:12 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 03:12 1498112 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 03:12 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-15 03:12 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 03:12 1022976 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 05:32 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 05:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28D33993-F890-4446-B8B4-F6857339A8BE}]
2007-09-06 17:46 244832 --------- C:\WINDOWS\system32\ddayw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF59FC4B-16B1-4089-B2F4-7C371F257EB4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 17:20 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 09:47]
"MBMon"="CTMBHA.DLL" [2005-05-19 01:54 C:\WINDOWS\system32\CTMBHA.DLL]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"VoiceCenter"="C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 07:42]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-20 13:27]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 14:54]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 10:40 C:\WINDOWS\MIDIDEF.EXE]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 05:33]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddayw

R3 Angel2;Angel II MPEG Device;C:\WINDOWS\system32\DRIVERS\Angel2.sys
R3 sigfilt;sigfilt;C:\WINDOWS\system32\drivers\sigfilt.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-09 06:41:35 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-09 10:59:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-09 11:01:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-09 11:01
.
--- E O F ---



----------HIJACKTHIS LOG--------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:50 AM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\DOCUME~1\Jason\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=rB...rUIUly8GYU-ptqg
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 6442 bytes

#4 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:38 PM

Posted 10 September 2007 - 11:36 AM

Right click here and click save link as
Save it as resetteatimer.bat to your desktop

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

Double click on resetteatimer.bat and wait for it to finish
  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    Dirlook::
    C:\WINDOWS\SmFzb24
    C:\WINDOWS\system32\drvr2
    C:\WINDOWS\system32\cfig322
    C:\WINDOWS\system32\capcom
    C:\Temp
    C:\DOCUME~1\Jason\Applic~1\.purple
    File::
    C:\WINDOWS\system32\ioefjlji.dll
    C:\WINDOWS\system32\wyadd.ini2
    C:\WINDOWS\system32\wyadd.bak2
    C:\WINDOWS\system32\wyadd.bak1
    C:\WINDOWS\system32\ddayw.dll
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28D33993-F890-4446-B8B4-F6857339A8BE}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF59FC4B-16B1-4089-B2F4-7C371F257EB4}]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    Posted Image
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

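The Registry:: section of the script above resets the LSA "Authentication Packages" value, which the first ComboFix log showed as `msv1_0 C:\\WINDOWS\\system32\\ddayw`. That value is a REG_MULTI_SZ read by LSASS at boot, so a DLL listed there runs inside the LSA process before any user logs on, which is why the infection survives the on-demand scanners. The script restores it with `hex(7):6d,73,76,31,5f,30,00,00`, the bytes of `msv1_0` followed by the terminating NULs. The Python below is an added example, not part of the original post and not ComboFix code: it converts between a list of strings and the `hex(7)` notation in both the REGEDIT4 (one byte per character) and "Version 5.00" (UTF-16LE) dialects, parses the value as ComboFix prints it, and checks that only `msv1_0` remains. The `combofix_multi_sz` splitter assumes no package name contains a space, and `authentication_packages_ok` assumes no legitimate third-party authentication package is installed; both are assumptions of this example.

```python
"""REG_MULTI_SZ <-> .reg 'hex(7):' notation, applied to LSA Authentication Packages.

Added example; not ComboFix code. Dialect note: REGEDIT4 .reg files carry
hex(7) data as one byte per character, 'Windows Registry Editor Version 5.00'
files carry it as UTF-16LE. Each string is NUL-terminated and the list ends
with one extra NUL.
"""


def multi_sz_to_hex7(strings, unicode=False):
    """Serialize a list of strings as a .reg hex(7) value."""
    joined = "".join(s + "\0" for s in strings) + "\0"
    raw = joined.encode("utf-16-le" if unicode else "latin-1")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def hex7_to_multi_sz(value, unicode=False):
    """Parse a 'hex(7):..' value (line continuations allowed) back into strings."""
    if not value.startswith("hex(7):"):
        raise ValueError("not a hex(7) value")
    hexpart = value[len("hex(7):"):].replace("\\\n", "").replace(" ", "")
    raw = bytes(int(h, 16) for h in hexpart.split(",") if h)
    text = raw.decode("utf-16-le" if unicode else "latin-1")
    return [s for s in text.split("\0") if s]


def combofix_multi_sz(line):
    """Split a multi-string the way ComboFix prints it under 'Reg Loading Points':
    entries separated by spaces, backslashes doubled.
    Assumption of this example: no entry contains a space."""
    _, _, rhs = line.partition("=")
    return [tok.replace("\\\\", "\\") for tok in rhs.split()]


def authentication_packages_ok(packages):
    """True only when msv1_0 is the sole package (assumption: no legitimate
    third-party authentication package is expected on this machine)."""
    return packages == ["msv1_0"]


# Constructed input: the value as reported in the first ComboFix log above.
COMBOFIX_LINE = r'"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddayw'


def check_and_fix(line):
    """Return (current packages, ok?, the REGEDIT4 hex(7) that restores msv1_0)."""
    current = combofix_multi_sz(line)
    return current, authentication_packages_ok(current), multi_sz_to_hex7(["msv1_0"])


if __name__ == "__main__":
    current, ok, fix = check_and_fix(COMBOFIX_LINE)
    print("current:", current)
    print("clean:  ", ok)
    print('"Authentication Packages"=' + fix)
```

The REGEDIT4-style output is byte-for-byte the value used in the CFScript above; if the same fix were written into a "Version 5.00" .reg file, the `unicode=True` form (`6d,00,73,00,...`) is the one regedit would expect.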

#5 hutch83

hutch83
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:10:38 AM

Posted 10 September 2007 - 02:19 PM

ComboFix 07-09-09.4 - "Jason" 2007-09-10 14:08:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.568 [GMT -5:00]

FILE::
C:\WINDOWS\system32\ioefjlji.dll
C:\WINDOWS\system32\wyadd.ini2
C:\WINDOWS\system32\wyadd.bak2
C:\WINDOWS\system32\wyadd.bak1
C:\WINDOWS\system32\ddayw.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ddayw.dll
C:\WINDOWS\system32\drivers\asc3550.sys
C:\WINDOWS\system32\idynthci.exe
C:\WINDOWS\system32\ioefjlji.dll
C:\WINDOWS\system32\lyuhtfyl.dll
C:\WINDOWS\system32\piqycvkf.dll
C:\WINDOWS\system32\qylnnobt.dll
C:\WINDOWS\system32\rdkobvlq.exe
C:\WINDOWS\system32\tbonnlyq.ini
C:\WINDOWS\system32\vyqyfync.exe
C:\WINDOWS\system32\wyadd.bak1
C:\WINDOWS\system32\wyadd.bak2
C:\WINDOWS\system32\wyadd.ini2


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-10 to 2007-09-10 )))))))))))))))))))))))))))))))
.

2007-09-09 10:56 14,848 --a------ C:\WINDOWS\system32\drivers\asc3550.sys
2007-09-09 10:56 14,848 --a------ C:\WINDOWS\system32\dllcache\asc3550.sys
2007-09-09 10:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-08 21:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-08 20:39 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-08 18:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-08 18:53 <DIR> d-------- C:\DOCUME~1\Jason\APPLIC~1\SUPERAntiSpyware.com
2007-09-08 18:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-07 11:18 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-07 11:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-07 11:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-07 11:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-06 18:07 <DIR> d-------- C:\Program Files\Windows Defender
2007-09-06 17:41 <DIR> d--hs---- C:\WINDOWS\SmFzb24
2007-09-06 17:41 <DIR> d-------- C:\WINDOWS\system32\drvr2
2007-09-06 17:41 <DIR> d-------- C:\WINDOWS\system32\cfig322
2007-09-06 17:41 <DIR> d-------- C:\WINDOWS\system32\capcom
2007-09-06 17:40 <DIR> d-------- C:\Temp
2007-09-06 13:24 <DIR> d-------- C:\Program Files\uTorrent
2007-09-06 13:23 <DIR> d-------- C:\DOCUME~1\Jason\APPLIC~1\uTorrent
2007-09-06 13:17 <DIR> d-------- C:\DOCUME~1\Jason\APPLIC~1\WinRAR
2007-09-05 18:39 593,920 --a------ C:\WINDOWS\system32\ati2sgag.exe
2007-09-05 18:38 <DIR> d-------- C:\ATI
2007-09-05 17:50 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-09-05 17:47 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-09-05 17:47 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-09-02 23:19 <DIR> d--h----- C:\WINDOWS\PIF
2007-08-29 20:05 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-08-28 22:46 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-08-28 22:46 59,264 --a------ C:\WINDOWS\system32\dllcache\usbaudio.sys
2007-08-28 22:46 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-08-28 22:46 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-06 17:41 --------- d-------- C:\Program Files\Windows Plus
2007-09-05 18:40 --------- d-------- C:\Program Files\ATI Technologies
2007-09-05 18:39 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-15 18:56 --------- d-------- C:\Program Files\World of Warcraft
2007-08-08 07:28 --------- d-------- C:\DOCUME~1\Jason\APPLIC~1\.purple
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-28 00:44 45296 --a------ C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-07-27 22:30 2371584 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-07-27 21:45 49152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll
2007-07-22 06:11 --------- d-------- C:\Program Files\OGPlanet
2007-07-11 14:37 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of C:\WINDOWS\SmFzb24 ----


---- Directory of C:\WINDOWS\system32\drvr2 ----


---- Directory of C:\WINDOWS\system32\cfig322 ----

2007-08-30 04:41 9814 --a------ C:\WINDOWS\system32\cfig322\icm33o.exe

---- Directory of C:\WINDOWS\system32\capcom ----

2007-08-08 02:30 116351 --a------ C:\WINDOWS\system32\capcom\nab22011.exe

---- Directory of C:\Temp ----


---- Directory of C:\DOCUME~1\Jason\Applic~1\.purple ----

2007-08-08 07:28 812 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\status.xml
2007-08-08 07:28 35313 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\blist.xml
2007-08-08 05:50 4158 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\6029972f7ac1d17855834338bde6718fec0de234.jpg
2007-08-08 05:50 152 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\m3atwall3t\2007-08-08.055032-0500CDT.txt
2007-08-08 05:49 7162 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\1ad7415abd1c80a3f7478199bfc9e97339ec1d44.gif
2007-08-08 05:49 2981 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\accounts.xml
2007-08-08 05:49 2093 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\d2c5df2e9a1c11da887140bc6bdce6e6021ae85a.gif
2007-07-24 21:10 16334 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\prefs.xml
2007-07-24 20:51 114 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\prodge02\2007-07-24.205123-0500CDT.txt
2007-07-24 19:15 5010 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\accels
2007-07-24 19:15 151 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\bausy87\2007-07-24.191514-0500CDT.txt
2007-07-24 18:42 2976 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\starscreamo0o\2007-07-24.182232-0500CDT.txt
2007-07-24 17:00 119 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\starscreamo0o\2007-07-24.170057-0500CDT.txt
2007-07-24 01:58 329 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\blerr1\2007-07-24.015309-0500CDT.txt
2007-07-24 01:57 269 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\bausy87\2007-07-24.015218-0500CDT.txt
2007-07-24 00:31 214 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\blerr1\2007-07-24.001059-0500CDT.txt
2007-07-23 23:47 951 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\bausy87\2007-07-23.223518-0500CDT.txt
2007-07-23 23:14 3598 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\34cdca4e1bb7083feac6c1777dd713a35ed5396c.gif
2007-07-23 22:18 3448 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\698acbc38294d20d05e1006ae522bcc091173a79.jpg
2007-07-23 21:23 1073 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\starscreamo0o\2007-07-23.202140-0500CDT.txt
2007-07-23 20:18 3203 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\c41010e2b4f41e105295e2f4469c01266b3bcb3e.jpg
2007-07-23 20:18 2748 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\1f78c144d30c120e00e7a79d93df33635a0e579a.gif
2007-07-23 20:18 1261 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\ed544b038f26f8d3baf25c2305703f8e94310820.gif
2007-06-24 21:33 17970 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\0afb849bc0a95c788d72cea6a694476d4cc60c38.png
2007-06-24 21:20 23985 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\6536c4e89f24976d1dce8168f5b98896938e17dd.png
2007-06-24 19:49 5818 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\f805050f75ab0d2b3f750adc14757eae07653e97.gif
2007-06-24 17:26 2801 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\6a243d84bc7f78dbf288a6d5211c6811c7dff4e5.gif
2007-06-24 17:09 2646 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\ad1975e9432ed1fd3b2445ccb00c274bc9633b41.jpg
2007-06-24 17:09 2577 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\90a24b2c88f65b95a1b96bc109636c02bf2ab61e.jpg
2007-06-24 17:09 2395 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\6e9c84aced827399bb065d22b69f0f105c6142fb.jpg
2007-06-24 17:09 2207 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\b39c4cc9382bf51bc21fd7647c0049e7177f7649.gif
2007-06-24 17:08 985 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\485f1053392a1ec971ee74db3f65a700a83317e2.jpg
2007-06-24 17:08 17897 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\a7f76fda9d6dfe3c98f73c7e54b5cee937f5d3e0.png
2007-05-24 03:48 7385 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\kleenx07\2007-05-24.033012-0500CDT.txt
2007-05-24 03:29 452 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\kleenx07\2007-05-24.032839-0500CDT.txt
2007-05-24 03:28 226 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\worduppe\2007-05-24.032803-0500CDT.txt
2007-05-24 03:07 145 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\msn\hutchgamer@hotmail.com\little_trinks@hotmail.com\2007-05-24.030741-0500CDT.txt
2007-05-24 02:46 518 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\starscreamo0o\2007-05-24.023152-0500CDT.txt
2007-05-24 00:41 117 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\mightymastel32\2007-05-24.004112-0500CDT.txt
2007-05-24 00:40 136 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\mightymastel32\2007-05-24.003550-0500CDT.txt
2007-05-23 22:52 480 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\msn\hutchgamer@hotmail.com\stevi_lynn03@hotmail.com\2007-05-23.223706-0500CDT.txt
2007-05-23 22:30 353 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\starscreamo0o\2007-05-23.203817-0500CDT.txt
2007-05-23 22:18 3735 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\b08f6836685d2f0966a0d2fe7e8defba77e6ff24.gif
2007-05-23 21:33 362 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\drockh\2007-05-23.211857-0500CDT.txt
2007-05-23 20:01 205 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\llhonkeypowerll\2007-05-23.194958-0500CDT.txt
2007-05-23 16:42 2865 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\c2c73741bbeeb5ec21350dd52daa127d26e06742.jpg
2007-05-23 08:27 3140 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\9bb520acf46bca53766dcbc1690fdbf3aab92981.gif
2007-05-23 08:11 6042 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\8b2117047edd821ad005225c5ca3646ecdca80f9.gif
2007-05-23 04:32 6789 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\6115c4268ebbfdbe4a3c122f7b51be984f2f2a5c.gif
2007-05-23 04:17 107 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\bausy87\2007-05-23.041715-0500CDT.txt
2007-05-22 23:17 2233 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\b5fa4a86cc5721e46b18d0678d7f9bc42a95b23d.gif
2007-05-22 22:04 950 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\starscreamo0o\2007-05-22.210036-0500CDT.txt
2007-05-22 22:04 465 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\bausy87\2007-05-22.210554-0500CDT.txt
2007-05-22 21:52 1197 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\17519a0b52df52307c6046ce51c0acadf2205967.gif
2007-05-22 21:07 2169 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\llhonkeypowerll\2007-05-22.192636-0500CDT.txt
2007-05-22 21:01 16139 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\2c16b496974cc69d911fedc37851cf01f99542f2.png
2007-05-22 19:16 112 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\llhonkeypowerll\2007-05-22.191614-0500CDT.txt
2007-05-22 14:03 153 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\llhonkeypowerll\2007-05-22.140332-0500CDT.txt
2007-05-22 03:32 523 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\bausy87\2007-05-22.031944-0500CDT.txt
2007-05-22 02:32 166 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\bausy87\2007-05-22.020517-0500CDT.txt
2007-05-22 02:23 1918 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\b66cf8ff0aa48b6ae9dba299b04c1e7bc3bfad9b.jpg
2007-05-22 02:08 596 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\trashygnum\2007-05-22.015158-0500CDT.txt
2007-05-22 01:49 283 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\trashygnum\2007-05-22.011017-0500CDT.txt
2007-05-22 01:30 2048 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\bausy87\2007-05-22.010807-0500CDT.txt
2007-05-22 01:10 2329 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\bdcd30d8376159ba76c4dfd62bbe586962c38ff7.gif
2007-05-22 01:00 10571 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\fd5e25eba67bb1f8821afa1bf3e32f39934775d5.png
2007-05-21 23:50 174 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\llhonkeypowerll\2007-05-21.235005-0500CDT.txt
2007-05-21 21:23 5190 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\d923c20b37a3b39a15a8bc863440278155aba961.gif
2007-05-21 15:16 409 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\mcs0up\2007-05-21.151527-0500CDT.txt
2007-05-21 15:15 212 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\mcs0up\2007-05-21.151451-0500CDT.txt
2007-05-21 10:31 372 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\titaniume5\2007-05-21.101659-0500CDT.txt
2007-05-21 09:49 131 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\titaniume5\2007-05-21.091405-0500CDT.txt
2007-05-21 08:35 229 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\pooleeboone\2007-05-21.083457-0500CDT.txt
2007-05-21 03:10 120 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\supestact\2007-05-21.031022-0500CDT.txt
2007-05-21 03:04 123 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\supestact\2007-05-21.030445-0500CDT.txt
2007-05-21 03:02 841 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\supestact\2007-05-21.024423-0500CDT.txt
2007-05-21 02:44 233 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\bausy87\2007-05-21.024417-0500CDT.txt
2007-05-21 02:43 1911 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\supestact\2007-05-21.023753-0500CDT.txt
2007-05-21 02:43 106 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\toad773\2007-05-21.024339-0500CDT.txt
2007-05-21 02:42 138 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\andy84raw\2007-05-21.024002-0500CDT.txt
2007-05-21 02:42 122 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\andy84raw\2007-05-21.024221-0500CDT.txt
2007-05-21 02:37 446 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\starscreamo0o\2007-05-21.023619-0500CDT.txt
2007-05-21 02:36 128 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\starscreamo0o\2007-05-21.023558-0500CDT.txt
2007-05-21 02:35 102 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\supestact\2007-05-21.023553-0500CDT.txt
2007-05-20 20:21 16316 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\0962a528e0cc55b44cc1d735c98a6040de3eb000.png
2007-05-20 19:36 258 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\drockh\2007-05-20.192345-0500CDT.txt
2007-05-20 19:15 168 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\llhonkeypowerll\2007-05-20.191442-0500CDT.txt
2007-05-20 19:14 174 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\bausy87\2007-05-20.191405-0500CDT.txt
2007-05-20 16:19 173 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\bausy87\2007-05-20.161915-0500CDT.txt
2007-05-20 15:00 29504 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\de6b71eb0863f3fbee3349f1c92157699120a1c8.png
2007-05-20 12:10 114 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\starscreamo0o\2007-05-20.121032-0500CDT.txt
2007-05-19 21:20 120 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\starscreamo0o\2007-05-19.212038-0500CDT.txt
2007-05-19 18:38 96 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\bausy87\2007-05-19.183808-0500CDT.txt
2007-05-19 18:35 160 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\bausy87\2007-05-19.183512-0500CDT.txt
2007-05-19 18:27 146 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\supestact\2007-05-19.182734-0500CDT.txt
2007-05-19 15:06 173 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\stevi14girl\2007-05-19.150453-0500CDT.txt
2007-05-19 14:02 221 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\stevi14girl\2007-05-19.140107-0500CDT.txt
2007-05-19 13:57 706 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\stevi14girl\2007-05-19.135238-0500CDT.txt
2007-05-19 13:57 206 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\msn\hutchgamer@hotmail.com\prodge02@hotmail.com\2007-05-19.135635-0500CDT.txt
2007-05-19 13:48 384 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\msn\hutchgamer@hotmail.com\prodge02@hotmail.com\2007-05-19.134552-0500CDT.txt
2007-05-19 13:12 176 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\stevi14girl\2007-05-19.131159-0500CDT.txt
2007-05-19 00:20 116 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\llhonkeypowerll\2007-05-19.002007-0500CDT.txt
2007-05-18 20:05 374 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\llhonkeypowerll\2007-05-18.155009-0500CDT.txt
2007-05-18 19:57 568 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\starscreamo0o\2007-05-18.162024-0500CDT.txt
2007-05-18 17:43 2415 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\8c8adb78447f964e799488bae95725f4fde7b5d4.gif
2007-05-18 16:03 649 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\bausy87\2007-05-18.155014-0500CDT.txt
2007-05-18 10:05 122 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\younguner\2007-05-18.100534-0500CDT.txt
2007-05-18 07:36 263 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\weaselo\2007-05-18.072356-0500CDT.txt
2007-05-18 06:52 424 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\weaselo\2007-05-18.064947-0500CDT.txt
2007-05-18 06:49 168 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\llhonkeypowerll\2007-05-18.064859-0500CDT.txt
2007-05-18 06:48 1343 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\weaselo\2007-05-18.063240-0500CDT.txt
2007-05-18 06:30 1417 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\48393b4ca3a3b2d14d9394eb7faf6be16abb5f7b.jpg
2007-05-18 04:35 296 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\llhonkeypowerll\2007-05-18.042857-0500CDT.txt
2007-05-18 03:50 184 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\supestact\2007-05-18.034421-0500CDT.txt
2007-05-18 03:07 115 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\supestact\2007-05-18.030724-0500CDT.txt
2007-05-18 01:39 499 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\starscreamo0o\2007-05-18.013724-0500CDT.txt
2007-05-18 01:20 173 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\llhonkeypowerll\2007-05-18.012025-0500CDT.txt
2007-05-18 00:29 933 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\starscreamo0o\2007-05-17.215943-0500CDT.txt
2007-05-17 12:04 1995 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\younguner\2007-05-17.115433-0500CDT.txt
2007-05-17 12:00 450 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\fluffdog8808\2007-05-17.115918-0500CDT.txt
2007-05-17 10:48 604 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\llhonkeypowerll\2007-05-17.070533-0500CDT.txt
2007-05-17 06:48 184 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\llhonkeypowerll\2007-05-17.064813-0500CDT.txt
2007-05-17 04:36 6174 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\445878f847ccf53829d6658c33ab1fadd2fc4d01.bmp
2007-05-17 02:44 818 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\d4e43ad70775619438c18e6aa65c368d67759317.gif
2007-05-16 22:43 377 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\cowpimp5\2007-05-16.224215-0500CDT.txt
2007-05-16 22:09 99 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\supestact\2007-05-16.220906-0500CDT.txt
2007-05-16 22:07 178 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\supestact\2007-05-16.220742-0500CDT.txt
2007-05-16 22:06 171 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\fluffdog8808\2007-05-16.220544-0500CDT.txt
2007-05-16 21:22 152 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\llhonkeypowerll\2007-05-16.212245-0500CDT.txt
2007-05-16 21:15 649 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\bausy87\2007-05-16.211122-0500CDT.txt
2007-05-16 18:50 181 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\drockh\2007-05-16.185003-0500CDT.txt
2007-05-16 16:37 149 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\msn\hutchgamer@hotmail.com\rj_phantom@hotmail.com\2007-05-16.163738-0500CDT.txt
2007-05-16 15:28 1583 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\younguner\2007-05-16.152207-0500CDT.txt
2007-05-16 01:34 1059 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\starscreamo0o\2007-05-16.013016-0500CDT.txt
2007-05-15 23:20 270 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\starscreamo0o\2007-05-15.231958-0500CDT.txt
2007-05-15 23:15 107 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\starscreamo0o\2007-05-15.231518-0500CDT.txt
2007-05-15 21:23 21062 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\a2787c9e347cfce5745b8aed6ad2240386306ba0.png
2007-05-15 20:48 6736 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\f0d25dc8358f82f25c7bd9a839019ccb259082a3.gif
2007-05-15 17:55 133 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\msn\hutchgamer@hotmail.com\motter21@hotmail.com\2007-05-15.175546-0500CDT.txt
2007-05-15 17:44 586 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\msn\hutchgamer@hotmail.com\stevi_lynn03@hotmail.com\2007-05-15.172329-0500CDT.txt
2007-05-15 16:50 1008 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\3b7a8e0dd6bc9981dba0cce0e5b3204251ad5258.gif
2007-05-15 16:15 3164 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\d42226951b6563467e70e526a12ae68a2d0202e0.jpg
2007-05-15 15:28 108 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\drockh\2007-05-15.152805-0500CDT.txt
2007-05-15 14:42 2777 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\fd143193fa409da2dd12d1fc019bf20e3b8384dc.jpg
2007-05-15 14:03 117 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\younguner\2007-05-15.140352-0500CDT.txt
2007-05-15 13:51 2903 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\46b62a1ece43ab773d91667baa5ed837fe7deb3c.jpg
2007-05-15 13:30 820 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\e8576ee1f8ede934082bc133fa5619411ddd4a8f.gif
2007-05-15 12:53 914 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\starscreamo0o\2007-05-15.124948-0500CDT.txt
2007-05-15 12:48 117 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\younguner\2007-05-15.124847-0500CDT.txt
2007-05-15 11:56 2567 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\818accca857c5d0c3ff8b78da560bb923c404813.gif
2007-05-15 09:45 2966 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\6b77561766c91e7ce8387543f7e9efdfe01a3f3b.gif
2007-05-15 06:08 4724 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\5822bddd73107ed7f804b77499012fcf0a3e0057.gif
2007-05-15 03:14 3454 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\d1a69b2debf6fbfccb061aa0c14f0ffbeb7eaa34.jpg
2007-05-15 01:31 1762 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\supestact\2007-05-15.010834-0500CDT.txt
2007-05-15 01:17 6222 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\c34fe395a42f5310932b575e2d70f4630db69e63.gif
2007-05-15 00:10 160 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\drockh\2007-05-14.233629-0500CDT.txt
2007-05-15 00:08 1820 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\e6d82e44e8b996829589a96e4235a3f8e90c308b.gif
2007-05-14 22:38 143 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\aim\m3atwall3t\supestact\2007-05-14.223845-0500CDT.txt
2007-05-14 22:33 128 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\logs\msn\hutchgamer@hotmail.com\motter21@hotmail.com\2007-05-14.223351-0500CDT.txt
2007-05-14 22:25 6947 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\938251af33aa69154139474b78785a2b8971c812.gif
2007-05-14 22:25 6704 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\6f8caa2545380246745e942855987eed0a356fcd.gif
2007-05-14 22:25 6570 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\5da9006c51cdad2774deaddc3bb4d89af36ceaa4.gif
2007-05-14 22:25 5965 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\5bbaa948299985b1df0f54d6ebd469b6b89d0308.gif
2007-05-14 22:25 3892 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\4cb48e2dca269d2c0153d4e878d0c1ca7a363efc.gif
2007-05-14 22:25 3717 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\3a1763274340dd066db43521e4339aab66eb99f8.jpg
2007-05-14 22:25 3642 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\31372879e5eb21af1c83ce9d47faf9c9e534770a.jpg
2007-05-14 22:25 3332 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\412812c3fd868b00472680b42d2a3f385cfe9321.jpg
2007-05-14 22:25 3238 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\b1b7850f1847f669d25a4c8e296f79004c4e8f14.jpg
2007-05-14 22:25 3096 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\0a18f658d6f1bde552eff4e2e76821c77754bd58.jpg
2007-05-14 22:25 2759 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\2fcd6134dba9fc40912ca5ce35cc6368e737f480.gif
2007-05-14 22:25 2666 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\08783fa6c667bee148e72d6fe7e215d22bd37c1c.gif
2007-05-14 22:25 1920 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\5d7ddfc49c9c6477b80b6d533e3d5ee741a9554b.gif
2007-05-14 22:25 1857 --a------ C:\DOCUME~1\Jason\Applic~1\.purple\icons\ff2306fdef98ebba8ec09e32e08dfc4299e49d48.gif


((((((((((((((((((((((((((((( snapshot_2007-09-09_110051.37 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 44,032 1999-12-13 05:01:00 C:\WINDOWS\system32\CTSVCCDA.EXE
----a-w 25,088 1999-11-18 05:00:00 C:\WINDOWS\system32\CTSVCCTL.EXE
----a-w 24,064 2004-08-12 22:45:52 C:\WINDOWS\system32\Hdaudprop.dll
----a-w 5,120 2004-08-12 22:45:42 C:\WINDOWS\system32\Hdaudpropres.dll
----a-w 61,952 2004-08-12 22:45:52 C:\WINDOWS\system32\Hdaudpropshortcut.exe
----a-w 49,152 1999-09-01 17:04:42 C:\WINDOWS\system32\inetwh32.dll
----a-w 1,476,992 2007-02-16 00:01:04 C:\WINDOWS\system32\LegitCheckControl.dll
----a-w 259,072 2006-10-19 02:47:14 C:\WINDOWS\system32\MP43DECD.dll
----a-w 317,440 2006-10-19 02:47:14 C:\WINDOWS\system32\MP4SDECD.dll
----a-w 259,072 2006-10-19 02:47:14 C:\WINDOWS\system32\MPG4DECD.dll
----a-w 312,128 2006-10-02 20:28:42 C:\WINDOWS\system32\msdelta.dll
----a-w 284,160 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceApi.dll
----a-w 101,888 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceClassExtension.dll
----a-w 166,912 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceTypes.dll
----a-w 132,096 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
----a-w 199,168 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceWMDRM.dll
----a-w 523,000 2006-11-15 21:01:31 C:\WINDOWS\system32\Px.dll
----a-w 64,248 2006-11-15 21:01:31 C:\WINDOWS\system32\pxcpya64.exe
----a-w 115,960 2006-11-15 21:01:32 C:\WINDOWS\system32\pxcpyi64.exe
----a-w 486,136 2006-11-15 21:01:32 C:\WINDOWS\system32\pxdrv.dll
----a-w 68,344 2006-11-15 21:01:32 C:\WINDOWS\system32\pxhpinst.exe
----a-w 63,736 2006-11-15 21:01:31 C:\WINDOWS\system32\pxinsa64.exe
----a-w 116,984 2006-11-15 21:01:31 C:\WINDOWS\system32\pxinsi64.exe
----a-w 183,032 2006-11-15 21:01:32 C:\WINDOWS\system32\PxMas.dll
----a-w 1,077,248 2005-03-30 18:58:32 C:\WINDOWS\system32\PxSFS.DLL
----a-w 379,640 2006-11-15 21:01:32 C:\WINDOWS\system32\PxWave.dll
----a-w 151,552 2005-03-30 18:56:12 C:\WINDOWS\system32\pxwma.dll
----a-w 14,640 2006-09-25 22:58:48 C:\WINDOWS\system32\spmsg.dll
----a-w 60,416 2007-07-18 12:42:22 C:\WINDOWS\system32\tzchange.exe
----a-w 28,672 2006-03-17 00:38:01 C:\WINDOWS\system32\verclsid.exe
----a-w 39,672 2006-11-15 21:01:31 C:\WINDOWS\system32\vxblock.dll
----a-w 336,768 2007-02-16 00:01:26 C:\WINDOWS\system32\WgaTray.exe
----a-w 295,936 2006-10-19 02:47:20 C:\WINDOWS\system32\wmpeffects.dll
----a-w 613,376 2006-10-19 02:47:20 C:\WINDOWS\system32\wmpmde.dll
----a-w 130,048 2006-10-19 02:47:20 C:\WINDOWS\system32\wmpps.dll
----a-w 1,543,680 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVDECOD.dll
----a-w 1,574,912 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVENCOD.dll
----a-w 1,382,912 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVSDECD.dll
----a-w 767,488 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVSENCD.dll
----a-w 656,896 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVXENCD.dll
----a-w 2,603,008 2006-10-19 02:47:22 C:\WINDOWS\system32\WpdShext.dll
----a-w 17,408 2006-10-19 01:00:14 C:\WINDOWS\system32\wpdshextautoplay.exe
----a-w 38,400 2006-10-19 02:47:22 C:\WINDOWS\system32\wpdshextres.dll
----a-w 133,632 2006-10-19 02:47:22 C:\WINDOWS\system32\WPDShServiceObj.dll
----a-w 95,344 2006-09-29 01:13:26 C:\WINDOWS\system32\WUDFCoinstaller.dll
----a-w 146,432 2006-09-28 23:56:38 C:\WINDOWS\system32\WudfHost.exe
----a-w 165,376 2006-09-28 23:56:16 C:\WINDOWS\system32\WudfPlatform.dll
----a-w 55,808 2006-09-28 23:56:14 C:\WINDOWS\system32\WudfSvc.dll
----a-w 316,416 2006-09-28 23:56:38 C:\WINDOWS\system32\WUDFx.dll
.
------w 44,032 1999-12-13 05:01:00 C:\WINDOWS\system32\CTSVCCDA.EXE
------w 25,088 1999-11-18 05:00:00 C:\WINDOWS\system32\CTSVCCTL.EXE
------w 24,064 2004-08-12 22:45:52 C:\WINDOWS\system32\Hdaudprop.dll
------w 5,120 2004-08-12 22:45:42 C:\WINDOWS\system32\Hdaudpropres.dll
------w 61,952 2004-08-12 22:45:52 C:\WINDOWS\system32\Hdaudpropshortcut.exe
------w 49,152 1999-09-01 17:04:42 C:\WINDOWS\system32\inetwh32.dll
------w 1,476,992 2007-02-16 00:01:04 C:\WINDOWS\system32\LegitCheckControl.dll
------w 259,072 2006-10-19 02:47:14 C:\WINDOWS\system32\MP43DECD.dll
------w 317,440 2006-10-19 02:47:14 C:\WINDOWS\system32\MP4SDECD.dll
------w 259,072 2006-10-19 02:47:14 C:\WINDOWS\system32\MPG4DECD.dll
------w 312,128 2006-10-02 20:28:42 C:\WINDOWS\system32\msdelta.dll
------w 284,160 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceApi.dll
------w 101,888 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceClassExtension.dll
------w 166,912 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceTypes.dll
------w 132,096 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
------w 199,168 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceWMDRM.dll
------w 523,000 2006-11-15 21:01:31 C:\WINDOWS\system32\Px.dll
------w 64,248 2006-11-15 21:01:31 C:\WINDOWS\system32\pxcpya64.exe
------w 115,960 2006-11-15 21:01:32 C:\WINDOWS\system32\pxcpyi64.exe
------w 486,136 2006-11-15 21:01:32 C:\WINDOWS\system32\pxdrv.dll
------w 68,344 2006-11-15 21:01:32 C:\WINDOWS\system32\pxhpinst.exe
------w 63,736 2006-11-15 21:01:31 C:\WINDOWS\system32\pxinsa64.exe
------w 116,984 2006-11-15 21:01:31 C:\WINDOWS\system32\pxinsi64.exe
------w 183,032 2006-11-15 21:01:32 C:\WINDOWS\system32\PxMas.dll
------w 1,077,248 2005-03-30 18:58:32 C:\WINDOWS\system32\PxSFS.DLL
------w 379,640 2006-11-15 21:01:32 C:\WINDOWS\system32\PxWave.dll
------w 151,552 2005-03-30 18:56:12 C:\WINDOWS\system32\pxwma.dll
------w 14,640 2006-09-25 22:58:48 C:\WINDOWS\system32\spmsg.dll
------w 60,416 2007-07-18 12:42:22 C:\WINDOWS\system32\tzchange.exe
------w 28,672 2006-03-17 00:38:01 C:\WINDOWS\system32\verclsid.exe
------w 39,672 2006-11-15 21:01:31 C:\WINDOWS\system32\vxblock.dll
------w 336,768 2007-02-16 00:01:26 C:\WINDOWS\system32\WgaTray.exe
------w 295,936 2006-10-19 02:47:20 C:\WINDOWS\system32\wmpeffects.dll
------w 613,376 2006-10-19 02:47:20 C:\WINDOWS\system32\wmpmde.dll
------w 130,048 2006-10-19 02:47:20 C:\WINDOWS\system32\wmpps.dll
------w 1,543,680 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVDECOD.dll
------w 1,574,912 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVENCOD.dll
------w 1,382,912 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVSDECD.dll
------w 767,488 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVSENCD.dll
------w 656,896 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVXENCD.dll
------w 2,603,008 2006-10-19 02:47:22 C:\WINDOWS\system32\WpdShext.dll
------w 17,408 2006-10-19 01:00:14 C:\WINDOWS\system32\wpdshextautoplay.exe
------w 38,400 2006-10-19 02:47:22 C:\WINDOWS\system32\wpdshextres.dll
------w 133,632 2006-10-19 02:47:22 C:\WINDOWS\system32\WPDShServiceObj.dll
------w 95,344 2006-09-29 01:13:26 C:\WINDOWS\system32\WUDFCoinstaller.dll
------w 146,432 2006-09-28 23:56:38 C:\WINDOWS\system32\WudfHost.exe
------w 165,376 2006-09-28 23:56:16 C:\WINDOWS\system32\WudfPlatform.dll
------w 55,808 2006-09-28 23:56:14 C:\WINDOWS\system32\WudfSvc.dll
------w 316,416 2006-09-28 23:56:38 C:\WINDOWS\system32\WUDFx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 17:20 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 09:47]
"MBMon"="CTMBHA.DLL" [2005-05-19 01:54 C:\WINDOWS\system32\CTMBHA.DLL]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"VoiceCenter"="C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 07:42]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-20 13:27]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 14:54]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 10:40 C:\WINDOWS\MIDIDEF.EXE]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 05:33]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R3 Angel2;Angel II MPEG Device;C:\WINDOWS\system32\DRIVERS\Angel2.sys
R3 sigfilt;sigfilt;C:\WINDOWS\system32\drivers\sigfilt.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-10 19:07:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-10 14:16:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-10 14:17:25 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-10 14:16
C:\ComboFix2.txt ... 2007-09-09 11:01
.
--- E O F ---




---------- HIJACK This ------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:59 PM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\Jason\LOCALS~1\Temp\clclean.0001
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=rB...rUIUly8GYU-ptqg
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 7070 bytes

#6 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:04:38 PM

Posted 10 September 2007 - 03:23 PM

  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    Folder::
    C:\WINDOWS\SmFzb24
    C:\WINDOWS\system32\drvr2
    C:\WINDOWS\system32\cfig322
    C:\WINDOWS\system32\capcom
    C:\Temp
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


#7 hutch83

hutch83
  • Topic Starter

  • Members
  • 4 posts
  • Local time:10:38 AM

Posted 10 September 2007 - 07:01 PM

ComboFix 07-09-09.4 - "Jason" 2007-09-10 18:52:20.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.369 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Jason\Desktop\CFscript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp
C:\WINDOWS\SmFzb24
C:\WINDOWS\system32\capcom
C:\WINDOWS\system32\capcom\nab22011.exe
C:\WINDOWS\system32\cfig322
C:\WINDOWS\system32\cfig322\icm33o.exe
C:\WINDOWS\system32\drivers\asc3550.sys
C:\WINDOWS\system32\drvr2


((((((((((((((((((((((((( Files Created from 2007-08-10 to 2007-09-10 )))))))))))))))))))))))))))))))
.

2007-09-09 10:56 14,848 --a------ C:\WINDOWS\system32\dllcache\asc3550.sys
2007-09-09 10:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-08 21:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-08 20:39 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-08 18:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-08 18:53 <DIR> d-------- C:\DOCUME~1\Jason\APPLIC~1\SUPERAntiSpyware.com
2007-09-08 18:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-07 11:18 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-07 11:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-07 11:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-07 11:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-06 18:07 <DIR> d-------- C:\Program Files\Windows Defender
2007-09-06 13:24 <DIR> d-------- C:\Program Files\uTorrent
2007-09-06 13:23 <DIR> d-------- C:\DOCUME~1\Jason\APPLIC~1\uTorrent
2007-09-06 13:17 <DIR> d-------- C:\DOCUME~1\Jason\APPLIC~1\WinRAR
2007-09-05 18:39 593,920 --a------ C:\WINDOWS\system32\ati2sgag.exe
2007-09-05 18:38 <DIR> d-------- C:\ATI
2007-09-05 17:50 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-09-05 17:47 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-09-05 17:47 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-09-02 23:19 <DIR> d--h----- C:\WINDOWS\PIF
2007-08-29 20:05 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2007-08-28 22:46 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-08-28 22:46 59,264 --a------ C:\WINDOWS\system32\dllcache\usbaudio.sys
2007-08-28 22:46 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-08-28 22:46 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-10 17:21 --------- d-------- C:\DOCUME~1\Jason\APPLIC~1\.purple
2007-09-06 17:41 --------- d-------- C:\Program Files\Windows Plus
2007-09-05 18:40 --------- d-------- C:\Program Files\ATI Technologies
2007-09-05 18:39 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-02 23:24 3350 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-15 18:56 --------- d-------- C:\Program Files\World of Warcraft
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-28 00:44 45296 --a------ C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-07-27 22:37 8237056 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-07-27 22:31 344064 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-07-27 22:30 269312 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-07-27 22:30 2371584 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-07-27 22:30 2371584 --a------ C:\WINDOWS\system32\dllcache\ati2mtag.sys
2007-07-27 22:24 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-07-27 22:23 143360 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-07-27 22:23 122880 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-07-27 22:22 43520 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-07-27 22:22 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-07-27 22:22 118784 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-07-27 22:21 483328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-07-27 22:20 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-07-27 22:12 3067712 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-07-27 22:06 176128 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-07-27 22:01 1550208 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-07-27 21:50 5435392 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-07-27 21:47 266240 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-07-27 21:46 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-07-27 21:45 49152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll
2007-07-27 21:40 450560 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-07-22 06:11 --------- d-------- C:\Program Files\OGPlanet
2007-07-11 14:37 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-26 10:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 09:35 665600 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 01:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 08:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-15 03:12 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-15 03:12 616960 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-15 03:12 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-15 03:12 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-15 03:12 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 03:12 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-15 03:12 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-15 03:12 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-15 03:12 3064320 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-15 03:12 251904 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-15 03:12 205824 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-15 03:12 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-15 03:12 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 03:12 1498112 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 03:12 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-15 03:12 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 03:12 1022976 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 05:32 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 05:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
.

((((((((((((((((((((((((((((( snapshot_2007-09-09_110051.37 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 44,032 1999-12-13 05:01:00 C:\WINDOWS\system32\CTSVCCDA.EXE
----a-w 25,088 1999-11-18 05:00:00 C:\WINDOWS\system32\CTSVCCTL.EXE
----a-w 24,064 2004-08-12 22:45:52 C:\WINDOWS\system32\Hdaudprop.dll
----a-w 5,120 2004-08-12 22:45:42 C:\WINDOWS\system32\Hdaudpropres.dll
----a-w 61,952 2004-08-12 22:45:52 C:\WINDOWS\system32\Hdaudpropshortcut.exe
----a-w 49,152 1999-09-01 17:04:42 C:\WINDOWS\system32\inetwh32.dll
----a-w 1,476,992 2007-02-16 00:01:04 C:\WINDOWS\system32\LegitCheckControl.dll
----a-w 259,072 2006-10-19 02:47:14 C:\WINDOWS\system32\MP43DECD.dll
----a-w 317,440 2006-10-19 02:47:14 C:\WINDOWS\system32\MP4SDECD.dll
----a-w 259,072 2006-10-19 02:47:14 C:\WINDOWS\system32\MPG4DECD.dll
----a-w 312,128 2006-10-02 20:28:42 C:\WINDOWS\system32\msdelta.dll
----a-w 284,160 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceApi.dll
----a-w 101,888 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceClassExtension.dll
----a-w 166,912 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceTypes.dll
----a-w 132,096 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
----a-w 199,168 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceWMDRM.dll
----a-w 523,000 2006-11-15 21:01:31 C:\WINDOWS\system32\Px.dll
----a-w 64,248 2006-11-15 21:01:31 C:\WINDOWS\system32\pxcpya64.exe
----a-w 115,960 2006-11-15 21:01:32 C:\WINDOWS\system32\pxcpyi64.exe
----a-w 486,136 2006-11-15 21:01:32 C:\WINDOWS\system32\pxdrv.dll
----a-w 68,344 2006-11-15 21:01:32 C:\WINDOWS\system32\pxhpinst.exe
----a-w 63,736 2006-11-15 21:01:31 C:\WINDOWS\system32\pxinsa64.exe
----a-w 116,984 2006-11-15 21:01:31 C:\WINDOWS\system32\pxinsi64.exe
----a-w 183,032 2006-11-15 21:01:32 C:\WINDOWS\system32\PxMas.dll
----a-w 1,077,248 2005-03-30 18:58:32 C:\WINDOWS\system32\PxSFS.DLL
----a-w 379,640 2006-11-15 21:01:32 C:\WINDOWS\system32\PxWave.dll
----a-w 151,552 2005-03-30 18:56:12 C:\WINDOWS\system32\pxwma.dll
----a-w 14,640 2006-09-25 22:58:48 C:\WINDOWS\system32\spmsg.dll
----a-w 60,416 2007-07-18 12:42:22 C:\WINDOWS\system32\tzchange.exe
----a-w 28,672 2006-03-17 00:38:01 C:\WINDOWS\system32\verclsid.exe
----a-w 39,672 2006-11-15 21:01:31 C:\WINDOWS\system32\vxblock.dll
----a-w 336,768 2007-02-16 00:01:26 C:\WINDOWS\system32\WgaTray.exe
----a-w 295,936 2006-10-19 02:47:20 C:\WINDOWS\system32\wmpeffects.dll
----a-w 613,376 2006-10-19 02:47:20 C:\WINDOWS\system32\wmpmde.dll
----a-w 130,048 2006-10-19 02:47:20 C:\WINDOWS\system32\wmpps.dll
----a-w 1,543,680 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVDECOD.dll
----a-w 1,574,912 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVENCOD.dll
----a-w 1,382,912 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVSDECD.dll
----a-w 767,488 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVSENCD.dll
----a-w 656,896 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVXENCD.dll
----a-w 2,603,008 2006-10-19 02:47:22 C:\WINDOWS\system32\WpdShext.dll
----a-w 17,408 2006-10-19 01:00:14 C:\WINDOWS\system32\wpdshextautoplay.exe
----a-w 38,400 2006-10-19 02:47:22 C:\WINDOWS\system32\wpdshextres.dll
----a-w 133,632 2006-10-19 02:47:22 C:\WINDOWS\system32\WPDShServiceObj.dll
----a-w 95,344 2006-09-29 01:13:26 C:\WINDOWS\system32\WUDFCoinstaller.dll
----a-w 146,432 2006-09-28 23:56:38 C:\WINDOWS\system32\WudfHost.exe
----a-w 165,376 2006-09-28 23:56:16 C:\WINDOWS\system32\WudfPlatform.dll
----a-w 55,808 2006-09-28 23:56:14 C:\WINDOWS\system32\WudfSvc.dll
----a-w 316,416 2006-09-28 23:56:38 C:\WINDOWS\system32\WUDFx.dll
.
------w 44,032 1999-12-13 05:01:00 C:\WINDOWS\system32\CTSVCCDA.EXE
------w 25,088 1999-11-18 05:00:00 C:\WINDOWS\system32\CTSVCCTL.EXE
------w 24,064 2004-08-12 22:45:52 C:\WINDOWS\system32\Hdaudprop.dll
------w 5,120 2004-08-12 22:45:42 C:\WINDOWS\system32\Hdaudpropres.dll
------w 61,952 2004-08-12 22:45:52 C:\WINDOWS\system32\Hdaudpropshortcut.exe
------w 49,152 1999-09-01 17:04:42 C:\WINDOWS\system32\inetwh32.dll
------w 1,476,992 2007-02-16 00:01:04 C:\WINDOWS\system32\LegitCheckControl.dll
------w 259,072 2006-10-19 02:47:14 C:\WINDOWS\system32\MP43DECD.dll
------w 317,440 2006-10-19 02:47:14 C:\WINDOWS\system32\MP4SDECD.dll
------w 259,072 2006-10-19 02:47:14 C:\WINDOWS\system32\MPG4DECD.dll
------w 312,128 2006-10-02 20:28:42 C:\WINDOWS\system32\msdelta.dll
------w 284,160 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceApi.dll
------w 101,888 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceClassExtension.dll
------w 166,912 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceTypes.dll
------w 132,096 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
------w 199,168 2006-10-19 02:47:18 C:\WINDOWS\system32\PortableDeviceWMDRM.dll
------w 523,000 2006-11-15 21:01:31 C:\WINDOWS\system32\Px.dll
------w 64,248 2006-11-15 21:01:31 C:\WINDOWS\system32\pxcpya64.exe
------w 115,960 2006-11-15 21:01:32 C:\WINDOWS\system32\pxcpyi64.exe
------w 486,136 2006-11-15 21:01:32 C:\WINDOWS\system32\pxdrv.dll
------w 68,344 2006-11-15 21:01:32 C:\WINDOWS\system32\pxhpinst.exe
------w 63,736 2006-11-15 21:01:31 C:\WINDOWS\system32\pxinsa64.exe
------w 116,984 2006-11-15 21:01:31 C:\WINDOWS\system32\pxinsi64.exe
------w 183,032 2006-11-15 21:01:32 C:\WINDOWS\system32\PxMas.dll
------w 1,077,248 2005-03-30 18:58:32 C:\WINDOWS\system32\PxSFS.DLL
------w 379,640 2006-11-15 21:01:32 C:\WINDOWS\system32\PxWave.dll
------w 151,552 2005-03-30 18:56:12 C:\WINDOWS\system32\pxwma.dll
------w 14,640 2006-09-25 22:58:48 C:\WINDOWS\system32\spmsg.dll
------w 60,416 2007-07-18 12:42:22 C:\WINDOWS\system32\tzchange.exe
------w 28,672 2006-03-17 00:38:01 C:\WINDOWS\system32\verclsid.exe
------w 39,672 2006-11-15 21:01:31 C:\WINDOWS\system32\vxblock.dll
------w 336,768 2007-02-16 00:01:26 C:\WINDOWS\system32\WgaTray.exe
------w 295,936 2006-10-19 02:47:20 C:\WINDOWS\system32\wmpeffects.dll
------w 613,376 2006-10-19 02:47:20 C:\WINDOWS\system32\wmpmde.dll
------w 130,048 2006-10-19 02:47:20 C:\WINDOWS\system32\wmpps.dll
------w 1,543,680 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVDECOD.dll
------w 1,574,912 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVENCOD.dll
------w 1,382,912 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVSDECD.dll
------w 767,488 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVSENCD.dll
------w 656,896 2006-10-19 02:47:22 C:\WINDOWS\system32\WMVXENCD.dll
------w 2,603,008 2006-10-19 02:47:22 C:\WINDOWS\system32\WpdShext.dll
------w 17,408 2006-10-19 01:00:14 C:\WINDOWS\system32\wpdshextautoplay.exe
------w 38,400 2006-10-19 02:47:22 C:\WINDOWS\system32\wpdshextres.dll
------w 133,632 2006-10-19 02:47:22 C:\WINDOWS\system32\WPDShServiceObj.dll
------w 95,344 2006-09-29 01:13:26 C:\WINDOWS\system32\WUDFCoinstaller.dll
------w 146,432 2006-09-28 23:56:38 C:\WINDOWS\system32\WudfHost.exe
------w 165,376 2006-09-28 23:56:16 C:\WINDOWS\system32\WudfPlatform.dll
------w 55,808 2006-09-28 23:56:14 C:\WINDOWS\system32\WudfSvc.dll
------w 316,416 2006-09-28 23:56:38 C:\WINDOWS\system32\WUDFx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 17:20 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 09:47]
"MBMon"="CTMBHA.DLL" [2005-05-19 01:54 C:\WINDOWS\system32\CTMBHA.DLL]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"VoiceCenter"="C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 07:42]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-20 13:27]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 14:54]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 10:40 C:\WINDOWS\MIDIDEF.EXE]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 05:33]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R3 Angel2;Angel II MPEG Device;C:\WINDOWS\system32\DRIVERS\Angel2.sys
R3 sigfilt;sigfilt;C:\WINDOWS\system32\drivers\sigfilt.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-10 19:18:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-10 18:55:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-10 18:56:35
C:\ComboFix-quarantined-files.txt ... 2007-09-10 18:55
C:\ComboFix2.txt ... 2007-09-10 14:17
C:\ComboFix3.txt ... 2007-09-09 11:01
.
--- E O F ---





----------- HIJACK This --------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:00:46 PM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\divxsm.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=rB...rUIUly8GYU-ptqg
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 7068 bytes

#8 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 11 September 2007 - 11:52 AM

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems.
