Hijackthis Log


  • This topic is locked
17 replies to this topic

#1 smok1109

smok1109

  • Members
  • 50 posts
  • OFFLINE
  • Local time:11:14 AM

Posted 11 September 2007 - 01:23 AM

Hey y'all,
well, I posted a HijackThis log in the wrong portion of the forum. So here I am with the correct HijackThis version, in the correct forum.

Ok, so my problem is:
Win32: Agent-LAP[Trj]
Win32: Tiny-IF [Trj]
Win32: Vundo-gen 4X [Adw] the X can be any number from 0-9
I've tried using VundoFix to get the Vundo-gen, but it doesn't work.
I also used VirtumundoBeGone or whatever it's called. The file is still there. And like I still get the WinAntiSpyware popups.

I was told to do my log in safe mode, so here you go:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:35 PM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DefragTaskBar] "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Alps Pointing-device Driver] C:\drivers\mouse\onboard\Apoint.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Powerword 2006.lnk = C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
O4 - Startup: ProcessTamer.lnk = C:\Program Files\ProcessTamer\ProcessTamerTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156736341654
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: realplay - Unknown owner - C:\WINDOWS\G_Server1.23.exe (file missing)

--
End of file - 10527 bytes


I'm not in any kind of rush; it can wait, avast holds it back. So yea.
Thanks a lot.

Edited by smok1109, 11 September 2007 - 01:26 AM.



#2 smok1109

smok1109
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:11:14 AM

Posted 11 September 2007 - 02:49 AM

Here's a log that I did in normal mode:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:02 AM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\drivers\mouse\onboard\Apoint.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Vidalia\vidalia.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Tor\tor.exe
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
C:\Program Files\ProcessTamer\ProcessTamerTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DefragTaskBar] "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Alps Pointing-device Driver] C:\drivers\mouse\onboard\Apoint.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Powerword 2006.lnk = C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
O4 - Startup: ProcessTamer.lnk = C:\Program Files\ProcessTamer\ProcessTamerTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156736341654
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: realplay - Unknown owner - C:\WINDOWS\G_Server1.23.exe (file missing)

--
End of file - 12119 bytes

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:14 AM

Posted 16 September 2007 - 09:38 PM

Hello smok1109,

I am SifuMike and I will be helping you. :thumbsup:
Sorry for the delay. We have many logs backed up.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 2.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 2".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.
*********************

NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Edited by SifuMike, 16 September 2007 - 09:44 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 smok1109

smok1109
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:11:14 AM

Posted 17 September 2007 - 04:15 PM

All I have to say is "whoops": I did ComboFix before I did the Java uninstall. But I did uninstall them.
COMBOFIX
ComboFix 07-09-17.2 - "Sean Mok" 2007-09-17 13:46:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.490 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\SEANMO~1\APPLIC~1\macromedia\Flash Player\#SharedObjects\QMDCVXAV\www.inter-focus.cn
C:\DOCUME~1\SEANMO~1\APPLIC~1\macromedia\Flash Player\#SharedObjects\QMDCVXAV\www.inter-focus.cn\flashad-v5-stop_firstput_mute.swf\IFFLASHAD.sol
C:\DOCUME~1\SEANMO~1\APPLIC~1\macromedia\Flash Player\#SharedObjects\QMDCVXAV\www.inter-focus.cn\flashad_beta_1.01.swf\IFFLASHAD.sol
C:\DOCUME~1\SEANMO~1\APPLIC~1\macromedia\Flash Player\#SharedObjects\QMDCVXAV\www.inter-focus.cn\tt_flashad.swf\IFFLASHAD.sol
C:\DOCUME~1\SEANMO~1\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
C:\DOCUME~1\SEANMO~1\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol
C:\DOCUME~1\SEANMO~1\err.log
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\svhost
C:\temp\0b9
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\system32\b10FdUe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\L1
C:\WINDOWS\system32\L11
C:\WINDOWS\system32\L3
C:\WINDOWS\system32\L5
C:\WINDOWS\system32\L7
C:\WINDOWS\system32\L9
C:\WINDOWS\system32\mantec~1
C:\WINDOWS\system32\olqyott.dll
C:\WINDOWS\system32\tempchk
C:\WINDOWS\system32\tempchk\w86.exe
C:\WINDOWS\system32\V1
C:\WINDOWS\system32\win
C:\WINDOWS\system32\Z1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_IPRIP
-------\LEGACY_NETWORK_MONITOR
-------\Iprip


((((((((((((((((((((((((( Files Created from 2007-08-17 to 2007-09-17 )))))))))))))))))))))))))))))))
.

2007-09-16 23:46 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-09-15 22:57 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-09-15 22:57 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-09-15 22:57 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-09-15 22:57 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-09-15 22:56 99,865 --a------ C:\WINDOWS\system32\dllcache\xlog.exe
2007-09-15 22:56 8,192 --a------ C:\WINDOWS\system32\dllcache\wshirda.dll
2007-09-15 22:56 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-09-15 22:56 19,455 --a------ C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-09-15 22:56 16,970 --a------ C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-09-15 22:56 12,063 --a------ C:\WINDOWS\system32\dllcache\wsiintxx.sys
2007-09-15 22:55 8,832 --a------ C:\WINDOWS\system32\dllcache\wmiacpi.sys
2007-09-15 22:55 771,581 --a------ C:\WINDOWS\system32\dllcache\winacisa.sys
2007-09-15 22:55 34,890 --a------ C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-09-15 22:55 154,624 --a------ C:\WINDOWS\system32\dllcache\wlluc48.sys
2007-09-15 22:54 87,040 --a------ C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-09-15 22:54 701,386 --a------ C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-09-15 22:54 53,760 --a------ C:\WINDOWS\system32\dllcache\wiamsmud.dll
2007-09-15 22:54 41,600 --a------ C:\WINDOWS\system32\dllcache\weitekp9.dll
2007-09-15 22:54 31,744 --a------ C:\WINDOWS\system32\dllcache\wceusbsh.sys
2007-09-15 22:54 31,232 --a------ C:\WINDOWS\system32\dllcache\weitekp9.sys
2007-09-15 22:54 23,615 --a------ C:\WINDOWS\system32\dllcache\wch7xxnt.sys
2007-09-15 22:52 19,016 --a------ C:\WINDOWS\system32\dllcache\w926nd.sys
2007-09-15 22:52 16,925 --a------ C:\WINDOWS\system32\dllcache\w940nd.sys
2007-09-15 22:51 64,605 --a------ C:\WINDOWS\system32\dllcache\vvoice.sys
2007-09-15 22:51 48,256 --a------ C:\WINDOWS\system32\dllcache\w32.dll
2007-09-15 22:51 397,502 --a------ C:\WINDOWS\system32\dllcache\vpctcom.sys
2007-09-15 22:51 19,528 --a------ C:\WINDOWS\system32\dllcache\w840nd.sys
2007-09-15 22:50 765,884 --a------ C:\WINDOWS\system32\dllcache\usrti.sys
2007-09-15 22:50 687,999 --a------ C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2007-09-15 22:50 604,253 --a------ C:\WINDOWS\system32\dllcache\vmodem.sys
2007-09-15 22:50 249,402 --a------ C:\WINDOWS\system32\dllcache\vinwm.sys
2007-09-15 22:50 24,576 --a------ C:\WINDOWS\system32\dllcache\viairda.sys
2007-09-15 22:50 11,325 --a------ C:\WINDOWS\system32\dllcache\vchnt5.dll
2007-09-15 22:49 794,399 --a------ C:\WINDOWS\system32\dllcache\usr1806v.sys
2007-09-15 22:49 7,556 --a------ C:\WINDOWS\system32\dllcache\usroslba.sys
2007-09-15 22:49 224,802 --a------ C:\WINDOWS\system32\dllcache\usr1807a.sys
2007-09-15 22:49 113,762 --a------ C:\WINDOWS\system32\dllcache\usrpda.sys
2007-09-15 22:48 94,720 --a------ C:\WINDOWS\system32\dllcache\umaxud32.dll
2007-09-15 22:48 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2007-09-15 22:48 793,598 --a------ C:\WINDOWS\system32\dllcache\usr1806.sys
2007-09-15 22:48 78,464 --a------ C:\WINDOWS\system32\dllcache\usbvideo.sys
2007-09-15 22:48 32,384 --a------ C:\WINDOWS\system32\dllcache\usb101et.sys
2007-09-15 22:48 17,024 --a------ C:\WINDOWS\system32\dllcache\usbohci.sys
2007-09-15 22:48 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2007-09-15 22:48 12,672 --a------ C:\WINDOWS\system32\dllcache\usb8023x.sys
2007-09-15 22:47 69,632 --a------ C:\WINDOWS\system32\dllcache\umaxu12.dll
2007-09-15 22:47 50,688 --a------ C:\WINDOWS\system32\dllcache\umaxscan.dll
2007-09-15 22:47 28,160 --a------ C:\WINDOWS\system32\dllcache\umaxu40.dll
2007-09-15 22:47 26,624 --a------ C:\WINDOWS\system32\dllcache\umaxu22.dll
2007-09-15 22:46 50,176 --a------ C:\WINDOWS\system32\dllcache\umaxp60.dll
2007-09-15 22:46 47,616 --a------ C:\WINDOWS\system32\dllcache\umaxcam.dll
2007-09-15 22:46 22,912 --a------ C:\WINDOWS\system32\dllcache\umaxpcls.sys
2007-09-15 22:46 216,064 --a------ C:\WINDOWS\system32\dllcache\um34scan.dll
2007-09-15 22:46 211,968 --a------ C:\WINDOWS\system32\dllcache\um54scan.dll
2007-09-15 22:45 525,568 --a------ C:\WINDOWS\system32\dllcache\tridxp.dll
2007-09-15 22:45 44,672 --a------ C:\WINDOWS\system32\dllcache\uagp35.sys
2007-09-15 22:45 166,784 --a------ C:\WINDOWS\system32\dllcache\tridxpm.sys
2007-09-15 22:45 159,232 --a------ C:\WINDOWS\system32\dllcache\tridkbm.sys
2007-09-15 22:45 14,336 --a------ C:\WINDOWS\system32\dllcache\tsprof.exe
2007-09-15 22:45 11,520 --a------ C:\WINDOWS\system32\dllcache\twotrack.sys
2007-09-15 22:44 82,432 --a------ C:\WINDOWS\system32\dllcache\tp4mon.exe
2007-09-15 22:44 440,576 --a------ C:\WINDOWS\system32\dllcache\tridkb.dll
2007-09-15 22:44 42,496 --a------ C:\WINDOWS\system32\dllcache\tp4res.dll
2007-09-15 22:44 34,375 --a------ C:\WINDOWS\system32\dllcache\tpro4.sys
2007-09-15 22:44 315,520 --a------ C:\WINDOWS\system32\dllcache\trid3d.dll
2007-09-15 22:44 222,336 --a------ C:\WINDOWS\system32\dllcache\trid3dm.sys
2007-09-15 22:43 31,744 --a------ C:\WINDOWS\system32\dllcache\tp4.dll
2007-09-15 22:43 28,232 --a------ C:\WINDOWS\system32\dllcache\tos4mo.sys
2007-09-15 22:43 241,664 --a------ C:\WINDOWS\system32\dllcache\tosdvd02.sys
2007-09-15 22:43 230,912 --a------ C:\WINDOWS\system32\dllcache\tosdvd03.sys
2007-09-15 22:42 81,408 --a------ C:\WINDOWS\system32\dllcache\tgiul50.dll
2007-09-15 22:42 19,464 --a------ C:\WINDOWS\system32\dllcache\tdspx.sys
2007-09-15 22:42 17,129 --a------ C:\WINDOWS\system32\dllcache\tdkcd31.sys
2007-09-15 22:42 149,376 --a------ C:\WINDOWS\system32\dllcache\tffsport.sys
2007-09-15 22:42 138,528 --a------ C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2007-09-15 22:42 123,995 --a------ C:\WINDOWS\system32\dllcache\tjisdn.sys
2007-09-15 22:41 7,040 --a------ C:\WINDOWS\system32\dllcache\tandqic.sys
2007-09-15 22:41 37,961 --a------ C:\WINDOWS\system32\dllcache\tdk100b.sys
2007-09-15 22:41 36,640 --a------ C:\WINDOWS\system32\dllcache\t2r4mini.sys
2007-09-15 22:41 30,464 --a------ C:\WINDOWS\system32\dllcache\tbatm155.sys
2007-09-15 22:41 21,896 --a------ C:\WINDOWS\system32\dllcache\tdipx.sys
2007-09-15 22:41 172,768 --a------ C:\WINDOWS\system32\dllcache\t2r4disp.dll
2007-09-15 22:41 13,192 --a------ C:\WINDOWS\system32\dllcache\tdasync.sys
2007-09-15 22:40 94,293 --a------ C:\WINDOWS\system32\dllcache\sxports.dll
2007-09-15 22:40 3,968 --a------ C:\WINDOWS\system32\dllcache\swusbflt.sys
2007-09-15 22:40 103,936 --a------ C:\WINDOWS\system32\dllcache\sx.sys
2007-09-15 22:40 10,240 --a------ C:\WINDOWS\system32\dllcache\swpidflt.dll
2007-09-15 22:39 53,760 --a------ C:\WINDOWS\system32\dllcache\sw_wheel.dll
2007-09-15 22:39 41,472 --a------ C:\WINDOWS\system32\dllcache\sw_effct.dll
2007-09-15 22:39 155,648 --a------ C:\WINDOWS\system32\dllcache\stlnprop.dll
2007-09-15 22:39 10,240 --a------ C:\WINDOWS\system32\dllcache\swpdflt2.dll
2007-09-15 22:38 99,328 --a------ C:\WINDOWS\system32\dllcache\srusd.dll
2007-09-15 22:38 53,248 --a------ C:\WINDOWS\system32\dllcache\stlncoin.dll
2007-09-15 22:38 48,736 --a------ C:\WINDOWS\system32\dllcache\srwlnd5.sys
2007-09-15 22:38 285,760 --a------ C:\WINDOWS\system32\dllcache\stlnata.sys
2007-09-15 22:38 16,896 --a------ C:\WINDOWS\system32\dllcache\stcusb.sys
2007-09-15 22:37 61,824 --a------ C:\WINDOWS\system32\dllcache\speed.sys
2007-09-15 22:37 24,660 --a------ C:\WINDOWS\system32\dllcache\spxupchk.dll
2007-09-15 22:37 106,584 --a------ C:\WINDOWS\system32\dllcache\spdports.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-17 13:52 --------- d-------- C:\Program Files\FlashGet
2007-09-16 00:04 --------- d-------- C:\Program Files\NJStar Communicator
2007-09-13 12:23 --------- d-------- C:\Program Files\Avant Browser
2007-09-13 12:19 --------- d-------- C:\DOCUME~1\SEANMO~1\APPLIC~1\Avant Browser
2007-09-11 10:38 --------- d-------- C:\Program Files\ProcessTamer
2007-09-11 10:10 --------- d-------- C:\DOCUME~1\SEANMO~1\APPLIC~1\Tor
2007-09-10 23:03 --------- d-------- C:\DOCUME~1\SEANMO~1\APPLIC~1\Viewpoint
2007-09-10 23:03 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-09-10 23:02 --------- d-------- C:\Program Files\Viewpoint
2007-09-10 12:30 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-06 03:09 801144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-06 03:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 03:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 03:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 03:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 03:00 95608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-06 03:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-05 21:12 --------- d-------- C:\Program Files\PokerStars.NET
2007-08-18 12:54 --------- d-------- C:\Program Files\Common Files\AOL
2007-08-18 12:54 --------- d-------- C:\Program Files\AIM
2007-08-17 15:40 --------- d-------- C:\Program Files\AIM6
2007-08-17 15:11 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-08-15 16:57 --------- d-------- C:\Program Files\MSXML 4.0
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-06 17:48 --------- d-------- C:\Program Files\IrfanView
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-24 11:04 6467 ---hs---- C:\WINDOWS\system32\mlkkj.bak1
2007-07-18 23:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-18 11:21 --------- d-------- C:\Program Files\QuickTime
2007-07-13 00:55 3532 --a------ C:\drmHeader.bin
2007-07-12 16:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 07:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 07:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 07:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 07:34 44544 --a------ C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 07:34 384512 --a------ C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 07:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 07:34 232960 --a------ C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 07:34 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 07:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 07:34 153088 --a------ C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 07:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 07:34 124928 --a------ C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 07:34 105984 --a------ C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 07:34 102400 --a------ C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 01:27 63488 --a------ C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 01:27 625152 --a-s---- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 00:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 22:10 317440 --a------ C:\WINDOWS\system32\dllcache\unregmp2.exe
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
2006-11-26 23:35 9232 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmmdfl.sys
2006-11-26 23:35 92064 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmmdm.sys
2006-11-26 23:35 79328 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmserd.sys
2006-11-26 23:35 66656 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmbus.sys
2006-11-26 23:35 6208 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmcmnt.sys
2006-11-26 23:35 5936 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmwhnt.sys
2006-11-26 23:35 4048 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmcr.sys
2006-11-26 23:35 25600 --a--c--- C:\DOCUME~1\SEANMO~1\usbsermptxp.sys
2006-11-26 23:35 22768 --a--c--- C:\DOCUME~1\SEANMO~1\usbsermpt.sys
2005-08-22 07:59:11 56 --sh--r C:\WINDOWS\system32\36FA1CF6DE.sys
2005-08-22 07:59:11 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EDDC04D-ABA6-4715-AB6A-19B788B51E02}]
C:\WINDOWS\system32\geebb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC2AD687-BFF5-407D-95B2-57DA93089B6D}]
C:\WINDOWS\system32\pmkhg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 10:19]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
"DefragTaskBar"="C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2007-08-28 16:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"Alps Pointing-device Driver"="C:\drivers\mouse\onboard\Apoint.exe" [2004-09-13 14:33]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 09:12]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-06-14 21:13:23]
Privoxy.lnk - C:\Program Files\Privoxy\privoxy.exe [2006-11-20 07:30:54]

C:\DOCUME~1\SEANMO~1\STARTM~1\Programs\Startup\
Powerword 2006.lnk - C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE [2005-12-07 16:45:30]
ProcessTamer.lnk - C:\Program Files\ProcessTamer\ProcessTamerTray.exe [2006-10-30 16:31:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=0 (0x0)
"NoSMHelp"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\mljgd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sean Mok^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Sean Mok\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]
rundll32.exe "C:\WINDOWS\system32\ftylojht.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\poolsv]
"C:\WINDOWS\poolsv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
"C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\system32\kmesccye.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vipoc]
C:\Program Files\Common Files\vipoc22011.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.1\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free]
"C:\Program Files\WinAntiSpyware 2007\was7.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{00-09-9E-EF-ZN}]
C:\Documents and Settings\Sean Mok\Local Settings\Temp\thinksnet.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"navapsvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
"rwww"=C:\PROGRA~1\COMMON~1\rwww\rwwwm.exe
"Sen"="C:\DOCUME~1\SEANMO~1\APPLIC~1\SMANTE~1\userinit.exe" -vt yazb
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe
"xloadnet"="C:\Program Files\xloadnet\xloadnet.exe"

R2 WIBUKEY;WIBU-KEY Kernel Driver;C:\WINDOWS\system32\DRIVERS\Wibukey.sys
S2 realplay;realplay;C:\WINDOWS\G_Server1.23.exe
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 NETMW145; NETGEAR WN511T;C:\WINDOWS\system32\DRIVERS\NETMW145.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 RivaTuner32;RivaTuner32;\??\C:\Documents and Settings\Sean Mok\Desktop\RivaTuner_v20RC16\RivaTuner_v20RC16\RivaTuner32.sys
S3 SRS_SSCFilter;SRS Labs Audio Sandbox (WDM);C:\WINDOWS\system32\drivers\srs_sscfilter.sys
S3 TIEHDUSB;TIEHDUSB;C:\WINDOWS\system32\drivers\tiehdusb.sys
S3 TIGLUSB;TiglUsb.sys TI-GRAPH / DIRECT LINK USB driver;C:\WINDOWS\system32\Drivers\TiglUsb.sys
S3 V0250Dev;Live! Cam Notebook Pro;C:\WINDOWS\system32\DRIVERS\V0250Dev.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{143d2c8e-7079-11db-a1eb-00123fd7a694}]
AutoRun\command- setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b2e9cab-0301-11db-a160-00123fd7a694}]
AutoRun\command- setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-15 00:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-08-15 18:06:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-17 13:55:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-17 14:01:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-17 14:01
.
--- E O F ---


HIJACKTHIS
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:11 PM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\drivers\mouse\onboard\Apoint.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
C:\Program Files\ProcessTamer\ProcessTamerTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {5EDDC04D-ABA6-4715-AB6A-19B788B51E02} - C:\WINDOWS\system32\geebb.dll (file missing)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {CC2AD687-BFF5-407D-95B2-57DA93089B6D} - C:\WINDOWS\system32\pmkhg.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DefragTaskBar] "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Alps Pointing-device Driver] C:\drivers\mouse\onboard\Apoint.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Powerword 2006.lnk = C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
O4 - Startup: ProcessTamer.lnk = C:\Program Files\ProcessTamer\ProcessTamerTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156736341654
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: realplay - Unknown owner - C:\WINDOWS\G_Server1.23.exe (file missing)

--
End of file - 13742 bytes

#5 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Vancouver WA, USA)

Posted 17 September 2007 - 04:39 PM

Hi smok1109,

Now we delete the remaining malware. :thumbsup:

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O2 - BHO: (no name) - {5EDDC04D-ABA6-4715-AB6A-19B788B51E02} - C:\WINDOWS\system32\geebb.dll (file missing)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll (file missing)
O2 - BHO: (no name) - {CC2AD687-BFF5-407D-95B2-57DA93089B6D} - C:\WINDOWS\system32\pmkhg.dll (file missing)
O20 - AppInit_DLLs:
O23 - Service: realplay - Unknown owner - C:\WINDOWS\G_Server1.23.exe (file missing)



*******************************************

Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\Program Files\Web Buying\v1.8.1\webbuying.exe
C:\WINDOWS\system32\ftylojht.dll
C:\WINDOWS\poolsv.exe
C:\WINDOWS\system32\kmesccye.dll
C:\Program Files\Common Files\vipoc22011.exe
C:\Program Files\WinAntiSpyware 2007\was7.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\poolsv]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vipoc]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free]



Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by SifuMike, 17 September 2007 - 04:47 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

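The fix list above selects entries by a few signals that are visible in the log itself: a load point marked "(file missing)", an unnamed BHO whose DLL has a short random name in system32, a service with no vendor string running from outside Program Files or system32, and an AppInit_DLLs value that exists even though it is empty. The ComboFix "Reg Loading Points" section posted in the next reply adds one more: an LSA "Authentication Packages" value carrying a second module next to the default msv1_0, which lsass.exe loads at boot. The Python below is an added example, not a tool from this thread, from BleepingComputer, or from HijackThis/ComboFix; it applies those checks to lines copied from this thread's logs. The DLL-name pattern, the trusted-directory list and the severity labels are the editor's own heuristics, not anything HijackThis computes.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log and the fix list in
# this thread, plus two benign lines (Adobe, Macromedia) for contrast.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5EDDC04D-ABA6-4715-AB6A-19B788B51E02} - C:\WINDOWS\system32\geebb.dll (file missing)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll (file missing)
O2 - BHO: (no name) - {CC2AD687-BFF5-407D-95B2-57DA93089B6D} - C:\WINDOWS\system32\pmkhg.dll (file missing)
O20 - AppInit_DLLs:
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: realplay - Unknown owner - C:\WINDOWS\G_Server1.23.exe (file missing)
"""

# One value line from the ComboFix "Reg Loading Points" section in this thread
# (ComboFix prints the path with doubled backslashes, as a .reg export would).
SAMPLE_LSA = r'"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\mljgd'

HJT_LINE = re.compile(r"^(?P<section>[ORF]\d+) - (?P<body>.*)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.*?)(?: \(file missing\))?$")
SERVICE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*?)(?: \(file missing\))?$")
LSA_LINE = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.*)$')

# Editor's heuristics, not HijackThis logic: Vundo-era droppers used short,
# random, all-lowercase DLL names in system32; a service binary outside these
# directories with no vendor string deserves a look.
RANDOM_DLL = re.compile(r"^[a-z]{5,8}\.dll$")
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "info"
    reason: str
    line: str


def parse(text):
    """Yield (section, body, raw_line) for every HijackThis entry in text."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = HJT_LINE.match(raw)
        if m:
            yield m["section"], m["body"], raw


def triage(text):
    """Apply the checks from the fix list above to a HijackThis log."""
    findings = []
    for section, body, raw in parse(text):
        if body.endswith("(file missing)"):
            findings.append(Finding(section, "medium",
                "load point whose target file is gone; orphaned entry, remove it", raw))
        if section == "O2":
            m = BHO.match(body)
            if m and m["name"] == "(no name)":
                base = m["path"].rsplit("\\", 1)[-1].lower()
                if RANDOM_DLL.match(base) and "\\system32\\" in m["path"].lower():
                    findings.append(Finding(section, "high",
                        "unnamed BHO loading a random-looking DLL from system32 (heuristic)", raw))
        elif section == "O20":
            value = body.split(":", 1)[1].strip()
            if value:
                findings.append(Finding(section, "high",
                    "AppInit_DLLs set; listed DLLs load into every process that loads user32.dll", raw))
            else:
                findings.append(Finding(section, "info",
                    "AppInit_DLLs value exists but is empty", raw))
        elif section == "O23":
            m = SERVICE.match(body)
            if m and m["owner"] == "Unknown owner" and not m["path"].lower().startswith(TRUSTED_DIRS):
                findings.append(Finding(section, "high",
                    "service with no vendor string running a binary outside Program Files/system32", raw))
    return findings


def extra_auth_packages(line):
    """Return LSA authentication packages other than the Windows default msv1_0.

    Every name listed here is a DLL that lsass.exe loads at boot, so an extra
    entry is a persistence point that survives removal of Run keys and BHOs."""
    m = LSA_LINE.match(line.strip())
    if not m:
        return []
    return [p for p in m["pkgs"].split() if p.lower() != "msv1_0"]


def severity_counts(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print("extra LSA packages:", extra_auth_packages(SAMPLE_LSA))
```

Run as a script it prints eight findings for the sample and reports the extra `mljgd` module from the LSA line. The Macromedia service, which also shows "Unknown owner", is deliberately not flagged because its binary sits under Program Files: a missing vendor string alone is a prompt to check the file, not a verdict, which is the same judgement the fix list above makes by removing only the realplay service.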
#6 smok1109 (Topic Starter, Members, 50 posts)

Posted 17 September 2007 - 08:59 PM

Hey, thanks for being so prompt, but just a quick question on a side note: I have Spybot, Avast, AVG, and Lavasoft. Is that too many anti-spyware programs? I heard that if you have too much anti-spyware stuff, the programs will crash each other.
COMBOFIX
ComboFix 07-09-17.2 - "Sean Mok" 2007-09-17 18:46:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.775 [GMT -7:00]
* Created a new restore point

FILE::
C:\Program Files\Web Buying\v1.8.1\webbuying.exe
C:\WINDOWS\system32\ftylojht.dll
C:\WINDOWS\poolsv.exe
C:\WINDOWS\system32\kmesccye.dll
C:\Program Files\Common Files\vipoc22011.exe
C:\Program Files\WinAntiSpyware 2007\was7.exe
.

((((((((((((((((((((((((( Files Created from 2007-08-18 to 2007-09-18 )))))))))))))))))))))))))))))))
.

2007-09-16 23:46 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-09-15 22:57 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-09-15 22:57 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-09-15 22:57 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-09-15 22:57 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-09-15 22:56 99,865 --a------ C:\WINDOWS\system32\dllcache\xlog.exe
2007-09-15 22:56 8,192 --a------ C:\WINDOWS\system32\dllcache\wshirda.dll
2007-09-15 22:56 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-09-15 22:56 19,455 --a------ C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-09-15 22:56 16,970 --a------ C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-09-15 22:56 12,063 --a------ C:\WINDOWS\system32\dllcache\wsiintxx.sys
2007-09-15 22:55 8,832 --a------ C:\WINDOWS\system32\dllcache\wmiacpi.sys
2007-09-15 22:55 771,581 --a------ C:\WINDOWS\system32\dllcache\winacisa.sys
2007-09-15 22:55 34,890 --a------ C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-09-15 22:55 154,624 --a------ C:\WINDOWS\system32\dllcache\wlluc48.sys
2007-09-15 22:54 87,040 --a------ C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-09-15 22:54 701,386 --a------ C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-09-15 22:54 53,760 --a------ C:\WINDOWS\system32\dllcache\wiamsmud.dll
2007-09-15 22:54 41,600 --a------ C:\WINDOWS\system32\dllcache\weitekp9.dll
2007-09-15 22:54 31,744 --a------ C:\WINDOWS\system32\dllcache\wceusbsh.sys
2007-09-15 22:54 31,232 --a------ C:\WINDOWS\system32\dllcache\weitekp9.sys
2007-09-15 22:54 23,615 --a------ C:\WINDOWS\system32\dllcache\wch7xxnt.sys
2007-09-15 22:52 19,016 --a------ C:\WINDOWS\system32\dllcache\w926nd.sys
2007-09-15 22:52 16,925 --a------ C:\WINDOWS\system32\dllcache\w940nd.sys
2007-09-15 22:51 64,605 --a------ C:\WINDOWS\system32\dllcache\vvoice.sys
2007-09-15 22:51 48,256 --a------ C:\WINDOWS\system32\dllcache\w32.dll
2007-09-15 22:51 397,502 --a------ C:\WINDOWS\system32\dllcache\vpctcom.sys
2007-09-15 22:51 19,528 --a------ C:\WINDOWS\system32\dllcache\w840nd.sys
2007-09-15 22:50 765,884 --a------ C:\WINDOWS\system32\dllcache\usrti.sys
2007-09-15 22:50 687,999 --a------ C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2007-09-15 22:50 604,253 --a------ C:\WINDOWS\system32\dllcache\vmodem.sys
2007-09-15 22:50 249,402 --a------ C:\WINDOWS\system32\dllcache\vinwm.sys
2007-09-15 22:50 24,576 --a------ C:\WINDOWS\system32\dllcache\viairda.sys
2007-09-15 22:50 11,325 --a------ C:\WINDOWS\system32\dllcache\vchnt5.dll
2007-09-15 22:49 794,399 --a------ C:\WINDOWS\system32\dllcache\usr1806v.sys
2007-09-15 22:49 7,556 --a------ C:\WINDOWS\system32\dllcache\usroslba.sys
2007-09-15 22:49 224,802 --a------ C:\WINDOWS\system32\dllcache\usr1807a.sys
2007-09-15 22:49 113,762 --a------ C:\WINDOWS\system32\dllcache\usrpda.sys
2007-09-15 22:48 94,720 --a------ C:\WINDOWS\system32\dllcache\umaxud32.dll
2007-09-15 22:48 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2007-09-15 22:48 793,598 --a------ C:\WINDOWS\system32\dllcache\usr1806.sys
2007-09-15 22:48 78,464 --a------ C:\WINDOWS\system32\dllcache\usbvideo.sys
2007-09-15 22:48 32,384 --a------ C:\WINDOWS\system32\dllcache\usb101et.sys
2007-09-15 22:48 17,024 --a------ C:\WINDOWS\system32\dllcache\usbohci.sys
2007-09-15 22:48 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2007-09-15 22:48 12,672 --a------ C:\WINDOWS\system32\dllcache\usb8023x.sys
2007-09-15 22:47 69,632 --a------ C:\WINDOWS\system32\dllcache\umaxu12.dll
2007-09-15 22:47 50,688 --a------ C:\WINDOWS\system32\dllcache\umaxscan.dll
2007-09-15 22:47 28,160 --a------ C:\WINDOWS\system32\dllcache\umaxu40.dll
2007-09-15 22:47 26,624 --a------ C:\WINDOWS\system32\dllcache\umaxu22.dll
2007-09-15 22:46 50,176 --a------ C:\WINDOWS\system32\dllcache\umaxp60.dll
2007-09-15 22:46 47,616 --a------ C:\WINDOWS\system32\dllcache\umaxcam.dll
2007-09-15 22:46 22,912 --a------ C:\WINDOWS\system32\dllcache\umaxpcls.sys
2007-09-15 22:46 216,064 --a------ C:\WINDOWS\system32\dllcache\um34scan.dll
2007-09-15 22:46 211,968 --a------ C:\WINDOWS\system32\dllcache\um54scan.dll
2007-09-15 22:45 525,568 --a------ C:\WINDOWS\system32\dllcache\tridxp.dll
2007-09-15 22:45 44,672 --a------ C:\WINDOWS\system32\dllcache\uagp35.sys
2007-09-15 22:45 166,784 --a------ C:\WINDOWS\system32\dllcache\tridxpm.sys
2007-09-15 22:45 159,232 --a------ C:\WINDOWS\system32\dllcache\tridkbm.sys
2007-09-15 22:45 14,336 --a------ C:\WINDOWS\system32\dllcache\tsprof.exe
2007-09-15 22:45 11,520 --a------ C:\WINDOWS\system32\dllcache\twotrack.sys
2007-09-15 22:44 82,432 --a------ C:\WINDOWS\system32\dllcache\tp4mon.exe
2007-09-15 22:44 440,576 --a------ C:\WINDOWS\system32\dllcache\tridkb.dll
2007-09-15 22:44 42,496 --a------ C:\WINDOWS\system32\dllcache\tp4res.dll
2007-09-15 22:44 34,375 --a------ C:\WINDOWS\system32\dllcache\tpro4.sys
2007-09-15 22:44 315,520 --a------ C:\WINDOWS\system32\dllcache\trid3d.dll
2007-09-15 22:44 222,336 --a------ C:\WINDOWS\system32\dllcache\trid3dm.sys
2007-09-15 22:43 31,744 --a------ C:\WINDOWS\system32\dllcache\tp4.dll
2007-09-15 22:43 28,232 --a------ C:\WINDOWS\system32\dllcache\tos4mo.sys
2007-09-15 22:43 241,664 --a------ C:\WINDOWS\system32\dllcache\tosdvd02.sys
2007-09-15 22:43 230,912 --a------ C:\WINDOWS\system32\dllcache\tosdvd03.sys
2007-09-15 22:42 81,408 --a------ C:\WINDOWS\system32\dllcache\tgiul50.dll
2007-09-15 22:42 19,464 --a------ C:\WINDOWS\system32\dllcache\tdspx.sys
2007-09-15 22:42 17,129 --a------ C:\WINDOWS\system32\dllcache\tdkcd31.sys
2007-09-15 22:42 149,376 --a------ C:\WINDOWS\system32\dllcache\tffsport.sys
2007-09-15 22:42 138,528 --a------ C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2007-09-15 22:42 123,995 --a------ C:\WINDOWS\system32\dllcache\tjisdn.sys
2007-09-15 22:41 7,040 --a------ C:\WINDOWS\system32\dllcache\tandqic.sys
2007-09-15 22:41 37,961 --a------ C:\WINDOWS\system32\dllcache\tdk100b.sys
2007-09-15 22:41 36,640 --a------ C:\WINDOWS\system32\dllcache\t2r4mini.sys
2007-09-15 22:41 30,464 --a------ C:\WINDOWS\system32\dllcache\tbatm155.sys
2007-09-15 22:41 21,896 --a------ C:\WINDOWS\system32\dllcache\tdipx.sys
2007-09-15 22:41 172,768 --a------ C:\WINDOWS\system32\dllcache\t2r4disp.dll
2007-09-15 22:41 13,192 --a------ C:\WINDOWS\system32\dllcache\tdasync.sys
2007-09-15 22:40 94,293 --a------ C:\WINDOWS\system32\dllcache\sxports.dll
2007-09-15 22:40 3,968 --a------ C:\WINDOWS\system32\dllcache\swusbflt.sys
2007-09-15 22:40 103,936 --a------ C:\WINDOWS\system32\dllcache\sx.sys
2007-09-15 22:40 10,240 --a------ C:\WINDOWS\system32\dllcache\swpidflt.dll
2007-09-15 22:39 53,760 --a------ C:\WINDOWS\system32\dllcache\sw_wheel.dll
2007-09-15 22:39 41,472 --a------ C:\WINDOWS\system32\dllcache\sw_effct.dll
2007-09-15 22:39 155,648 --a------ C:\WINDOWS\system32\dllcache\stlnprop.dll
2007-09-15 22:39 10,240 --a------ C:\WINDOWS\system32\dllcache\swpdflt2.dll
2007-09-15 22:38 99,328 --a------ C:\WINDOWS\system32\dllcache\srusd.dll
2007-09-15 22:38 53,248 --a------ C:\WINDOWS\system32\dllcache\stlncoin.dll
2007-09-15 22:38 48,736 --a------ C:\WINDOWS\system32\dllcache\srwlnd5.sys
2007-09-15 22:38 285,760 --a------ C:\WINDOWS\system32\dllcache\stlnata.sys
2007-09-15 22:38 16,896 --a------ C:\WINDOWS\system32\dllcache\stcusb.sys
2007-09-15 22:37 61,824 --a------ C:\WINDOWS\system32\dllcache\speed.sys
2007-09-15 22:37 24,660 --a------ C:\WINDOWS\system32\dllcache\spxupchk.dll
2007-09-15 22:37 106,584 --a------ C:\WINDOWS\system32\dllcache\spdports.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-17 15:22 --------- d-------- C:\Program Files\FlashGet
2007-09-16 00:04 --------- d-------- C:\Program Files\NJStar Communicator
2007-09-13 12:23 --------- d-------- C:\Program Files\Avant Browser
2007-09-13 12:19 --------- d-------- C:\DOCUME~1\SEANMO~1\APPLIC~1\Avant Browser
2007-09-11 10:38 --------- d-------- C:\Program Files\ProcessTamer
2007-09-11 10:10 --------- d-------- C:\DOCUME~1\SEANMO~1\APPLIC~1\Tor
2007-09-10 23:03 --------- d-------- C:\DOCUME~1\SEANMO~1\APPLIC~1\Viewpoint
2007-09-10 23:03 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-09-10 23:02 --------- d-------- C:\Program Files\Viewpoint
2007-09-10 12:30 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-06 03:09 801144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-06 03:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 03:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 03:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 03:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 03:00 95608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-06 03:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-05 21:12 --------- d-------- C:\Program Files\PokerStars.NET
2007-08-18 12:54 --------- d-------- C:\Program Files\Common Files\AOL
2007-08-18 12:54 --------- d-------- C:\Program Files\AIM
2007-08-17 15:40 --------- d-------- C:\Program Files\AIM6
2007-08-17 15:11 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-08-15 16:57 --------- d-------- C:\Program Files\MSXML 4.0
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-06 17:48 --------- d-------- C:\Program Files\IrfanView
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-24 11:04 6467 ---hs---- C:\WINDOWS\system32\mlkkj.bak1
2007-07-18 23:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-18 11:21 --------- d-------- C:\Program Files\QuickTime
2007-07-13 00:55 3532 --a------ C:\drmHeader.bin
2007-07-12 16:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 07:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 07:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 07:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 07:34 44544 --a------ C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 07:34 384512 --a------ C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 07:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 07:34 232960 --a------ C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 07:34 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 07:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 07:34 153088 --a------ C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 07:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 07:34 124928 --a------ C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 07:34 105984 --a------ C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 07:34 102400 --a------ C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 01:27 63488 --a------ C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 01:27 625152 --a-s---- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 00:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 22:10 317440 --a------ C:\WINDOWS\system32\dllcache\unregmp2.exe
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
2006-11-26 23:35 9232 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmmdfl.sys
2006-11-26 23:35 92064 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmmdm.sys
2006-11-26 23:35 79328 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmserd.sys
2006-11-26 23:35 66656 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmbus.sys
2006-11-26 23:35 6208 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmcmnt.sys
2006-11-26 23:35 5936 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmwhnt.sys
2006-11-26 23:35 4048 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmcr.sys
2006-11-26 23:35 25600 --a--c--- C:\DOCUME~1\SEANMO~1\usbsermptxp.sys
2006-11-26 23:35 22768 --a--c--- C:\DOCUME~1\SEANMO~1\usbsermpt.sys
2005-08-22 07:59:11 56 --sh--r C:\WINDOWS\system32\36FA1CF6DE.sys
2005-08-22 07:59:11 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2007-09-17_140022.34 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 359,808 2006-04-20 11:51:50 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 359,808 2006-04-20 11:51:50 C:\WINDOWS\system32\drivers\tcpip.sys
----atw 16,384 2007-09-17 23:07:07 C:\WINDOWS\Temp\Perflib_Perfdata_678.dat
----atw 16,384 2007-09-17 23:06:43 C:\WINDOWS\Temp\Perflib_Perfdata_6f8.dat
.
----a-w 359,808 2005-05-25 19:04:02 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 359,808 2005-05-25 19:04:02 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 10:19]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
"DefragTaskBar"="C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2007-08-28 16:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"Alps Pointing-device Driver"="C:\drivers\mouse\onboard\Apoint.exe" [2004-09-13 14:33]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 09:12]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-06-14 21:13:23]
Privoxy.lnk - C:\Program Files\Privoxy\privoxy.exe [2006-11-20 07:30:54]

C:\DOCUME~1\SEANMO~1\STARTM~1\Programs\Startup\
Powerword 2006.lnk - C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE [2005-12-07 16:45:30]
ProcessTamer.lnk - C:\Program Files\ProcessTamer\ProcessTamerTray.exe [2006-10-30 16:31:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=0 (0x0)
"NoSMHelp"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\mljgd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sean Mok^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Sean Mok\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
"C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{00-09-9E-EF-ZN}]
C:\Documents and Settings\Sean Mok\Local Settings\Temp\thinksnet.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"navapsvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
"rwww"=C:\PROGRA~1\COMMON~1\rwww\rwwwm.exe
"Sen"="C:\DOCUME~1\SEANMO~1\APPLIC~1\SMANTE~1\userinit.exe" -vt yazb
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe
"xloadnet"="C:\Program Files\xloadnet\xloadnet.exe"

R2 WIBUKEY;WIBU-KEY Kernel Driver;C:\WINDOWS\system32\DRIVERS\Wibukey.sys
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 NETMW145; NETGEAR WN511T;C:\WINDOWS\system32\DRIVERS\NETMW145.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 RivaTuner32;RivaTuner32;\??\C:\Documents and Settings\Sean Mok\Desktop\RivaTuner_v20RC16\RivaTuner_v20RC16\RivaTuner32.sys
S3 SRS_SSCFilter;SRS Labs Audio Sandbox (WDM);C:\WINDOWS\system32\drivers\srs_sscfilter.sys
S3 TIEHDUSB;TIEHDUSB;C:\WINDOWS\system32\drivers\tiehdusb.sys
S3 TIGLUSB;TiglUsb.sys TI-GRAPH / DIRECT LINK USB driver;C:\WINDOWS\system32\Drivers\TiglUsb.sys
S3 V0250Dev;Live! Cam Notebook Pro;C:\WINDOWS\system32\DRIVERS\V0250Dev.sys
S4 realplay;realplay;C:\WINDOWS\G_Server1.23.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{143d2c8e-7079-11db-a1eb-00123fd7a694}]
AutoRun\command- setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b2e9cab-0301-11db-a160-00123fd7a694}]
AutoRun\command- setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-15 00:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-08-15 18:06:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-17 18:51:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-17 18:54:10
C:\ComboFix-quarantined-files.txt ... 2007-09-17 18:54
C:\ComboFix2.txt ... 2007-09-17 14:01
.
--- E O F ---



HIJACKTHIS
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:46 PM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\drivers\mouse\onboard\Apoint.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
C:\Program Files\ProcessTamer\ProcessTamerTray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DefragTaskBar] "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Alps Pointing-device Driver] C:\drivers\mouse\onboard\Apoint.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Powerword 2006.lnk = C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
O4 - Startup: ProcessTamer.lnk = C:\Program Files\ProcessTamer\ProcessTamerTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156736341654
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

--
End of file - 13264 bytes

#7 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 September 2007 - 10:21 PM

Hi smok1109,

But just a quick question on a side note: I have Spybot, Avast, AVG, and Lavasoft. Is that too many anti-spyware programs? I heard that if you have too much anti-spyware stuff, the programs will crash each other.


Nope, you heard wrong. :thumbsup:
You can have as many antispyware programs as you want, as they do not interfere with each other; however, you can only have one antivirus program active on your computer. Two antivirus programs (or firewalls) will cause crashes and slow your computer.
Also, if you run antispyware programs, you should be running one at a time, not two at the same time.

Avast is not antispyware, it is an antivirus program. Spybot, Lavasoft Ad-Aware 2007, and AVG Anti-Spyware are all antispyware programs. Note that AVG also makes an antivirus program, so you should not be running that if you are running Avast antivirus.


I see some more registry items we need to get rid of.

Open Notepad - don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the code box below into Notepad:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"rwww"=-



Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by SifuMike, 17 September 2007 - 10:22 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 smok1109

  • Topic Starter
  • Members
  • 50 posts

Posted 18 September 2007 - 01:07 AM

Here we go: no HijackThis this time?
COMBOFIX
ComboFix 07-09-17.2 - "Sean Mok" 2007-09-17 22:57:30.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.703 [GMT -7:00]
Command switches used :: C:\Documents and Settings\Sean Mok\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-08-18 to 2007-09-18 )))))))))))))))))))))))))))))))
.

2007-09-16 23:46 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-09-15 22:57 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-09-15 22:57 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-09-15 22:57 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-09-15 22:57 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-09-15 22:56 99,865 --a------ C:\WINDOWS\system32\dllcache\xlog.exe
2007-09-15 22:56 8,192 --a------ C:\WINDOWS\system32\dllcache\wshirda.dll
2007-09-15 22:56 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-09-15 22:56 19,455 --a------ C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-09-15 22:56 16,970 --a------ C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-09-15 22:56 12,063 --a------ C:\WINDOWS\system32\dllcache\wsiintxx.sys
2007-09-15 22:55 8,832 --a------ C:\WINDOWS\system32\dllcache\wmiacpi.sys
2007-09-15 22:55 771,581 --a------ C:\WINDOWS\system32\dllcache\winacisa.sys
2007-09-15 22:55 34,890 --a------ C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-09-15 22:55 154,624 --a------ C:\WINDOWS\system32\dllcache\wlluc48.sys
2007-09-15 22:54 87,040 --a------ C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-09-15 22:54 701,386 --a------ C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-09-15 22:54 53,760 --a------ C:\WINDOWS\system32\dllcache\wiamsmud.dll
2007-09-15 22:54 41,600 --a------ C:\WINDOWS\system32\dllcache\weitekp9.dll
2007-09-15 22:54 31,744 --a------ C:\WINDOWS\system32\dllcache\wceusbsh.sys
2007-09-15 22:54 31,232 --a------ C:\WINDOWS\system32\dllcache\weitekp9.sys
2007-09-15 22:54 23,615 --a------ C:\WINDOWS\system32\dllcache\wch7xxnt.sys
2007-09-15 22:52 19,016 --a------ C:\WINDOWS\system32\dllcache\w926nd.sys
2007-09-15 22:52 16,925 --a------ C:\WINDOWS\system32\dllcache\w940nd.sys
2007-09-15 22:51 64,605 --a------ C:\WINDOWS\system32\dllcache\vvoice.sys
2007-09-15 22:51 48,256 --a------ C:\WINDOWS\system32\dllcache\w32.dll
2007-09-15 22:51 397,502 --a------ C:\WINDOWS\system32\dllcache\vpctcom.sys
2007-09-15 22:51 19,528 --a------ C:\WINDOWS\system32\dllcache\w840nd.sys
2007-09-15 22:50 765,884 --a------ C:\WINDOWS\system32\dllcache\usrti.sys
2007-09-15 22:50 687,999 --a------ C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2007-09-15 22:50 604,253 --a------ C:\WINDOWS\system32\dllcache\vmodem.sys
2007-09-15 22:50 249,402 --a------ C:\WINDOWS\system32\dllcache\vinwm.sys
2007-09-15 22:50 24,576 --a------ C:\WINDOWS\system32\dllcache\viairda.sys
2007-09-15 22:50 11,325 --a------ C:\WINDOWS\system32\dllcache\vchnt5.dll
2007-09-15 22:49 794,399 --a------ C:\WINDOWS\system32\dllcache\usr1806v.sys
2007-09-15 22:49 7,556 --a------ C:\WINDOWS\system32\dllcache\usroslba.sys
2007-09-15 22:49 224,802 --a------ C:\WINDOWS\system32\dllcache\usr1807a.sys
2007-09-15 22:49 113,762 --a------ C:\WINDOWS\system32\dllcache\usrpda.sys
2007-09-15 22:48 94,720 --a------ C:\WINDOWS\system32\dllcache\umaxud32.dll
2007-09-15 22:48 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2007-09-15 22:48 793,598 --a------ C:\WINDOWS\system32\dllcache\usr1806.sys
2007-09-15 22:48 78,464 --a------ C:\WINDOWS\system32\dllcache\usbvideo.sys
2007-09-15 22:48 32,384 --a------ C:\WINDOWS\system32\dllcache\usb101et.sys
2007-09-15 22:48 17,024 --a------ C:\WINDOWS\system32\dllcache\usbohci.sys
2007-09-15 22:48 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2007-09-15 22:48 12,672 --a------ C:\WINDOWS\system32\dllcache\usb8023x.sys
2007-09-15 22:47 69,632 --a------ C:\WINDOWS\system32\dllcache\umaxu12.dll
2007-09-15 22:47 50,688 --a------ C:\WINDOWS\system32\dllcache\umaxscan.dll
2007-09-15 22:47 28,160 --a------ C:\WINDOWS\system32\dllcache\umaxu40.dll
2007-09-15 22:47 26,624 --a------ C:\WINDOWS\system32\dllcache\umaxu22.dll
2007-09-15 22:46 50,176 --a------ C:\WINDOWS\system32\dllcache\umaxp60.dll
2007-09-15 22:46 47,616 --a------ C:\WINDOWS\system32\dllcache\umaxcam.dll
2007-09-15 22:46 22,912 --a------ C:\WINDOWS\system32\dllcache\umaxpcls.sys
2007-09-15 22:46 216,064 --a------ C:\WINDOWS\system32\dllcache\um34scan.dll
2007-09-15 22:46 211,968 --a------ C:\WINDOWS\system32\dllcache\um54scan.dll
2007-09-15 22:45 525,568 --a------ C:\WINDOWS\system32\dllcache\tridxp.dll
2007-09-15 22:45 44,672 --a------ C:\WINDOWS\system32\dllcache\uagp35.sys
2007-09-15 22:45 166,784 --a------ C:\WINDOWS\system32\dllcache\tridxpm.sys
2007-09-15 22:45 159,232 --a------ C:\WINDOWS\system32\dllcache\tridkbm.sys
2007-09-15 22:45 14,336 --a------ C:\WINDOWS\system32\dllcache\tsprof.exe
2007-09-15 22:45 11,520 --a------ C:\WINDOWS\system32\dllcache\twotrack.sys
2007-09-15 22:44 82,432 --a------ C:\WINDOWS\system32\dllcache\tp4mon.exe
2007-09-15 22:44 440,576 --a------ C:\WINDOWS\system32\dllcache\tridkb.dll
2007-09-15 22:44 42,496 --a------ C:\WINDOWS\system32\dllcache\tp4res.dll
2007-09-15 22:44 34,375 --a------ C:\WINDOWS\system32\dllcache\tpro4.sys
2007-09-15 22:44 315,520 --a------ C:\WINDOWS\system32\dllcache\trid3d.dll
2007-09-15 22:44 222,336 --a------ C:\WINDOWS\system32\dllcache\trid3dm.sys
2007-09-15 22:43 31,744 --a------ C:\WINDOWS\system32\dllcache\tp4.dll
2007-09-15 22:43 28,232 --a------ C:\WINDOWS\system32\dllcache\tos4mo.sys
2007-09-15 22:43 241,664 --a------ C:\WINDOWS\system32\dllcache\tosdvd02.sys
2007-09-15 22:43 230,912 --a------ C:\WINDOWS\system32\dllcache\tosdvd03.sys
2007-09-15 22:42 81,408 --a------ C:\WINDOWS\system32\dllcache\tgiul50.dll
2007-09-15 22:42 19,464 --a------ C:\WINDOWS\system32\dllcache\tdspx.sys
2007-09-15 22:42 17,129 --a------ C:\WINDOWS\system32\dllcache\tdkcd31.sys
2007-09-15 22:42 149,376 --a------ C:\WINDOWS\system32\dllcache\tffsport.sys
2007-09-15 22:42 138,528 --a------ C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2007-09-15 22:42 123,995 --a------ C:\WINDOWS\system32\dllcache\tjisdn.sys
2007-09-15 22:41 7,040 --a------ C:\WINDOWS\system32\dllcache\tandqic.sys
2007-09-15 22:41 37,961 --a------ C:\WINDOWS\system32\dllcache\tdk100b.sys
2007-09-15 22:41 36,640 --a------ C:\WINDOWS\system32\dllcache\t2r4mini.sys
2007-09-15 22:41 30,464 --a------ C:\WINDOWS\system32\dllcache\tbatm155.sys
2007-09-15 22:41 21,896 --a------ C:\WINDOWS\system32\dllcache\tdipx.sys
2007-09-15 22:41 172,768 --a------ C:\WINDOWS\system32\dllcache\t2r4disp.dll
2007-09-15 22:41 13,192 --a------ C:\WINDOWS\system32\dllcache\tdasync.sys
2007-09-15 22:40 94,293 --a------ C:\WINDOWS\system32\dllcache\sxports.dll
2007-09-15 22:40 3,968 --a------ C:\WINDOWS\system32\dllcache\swusbflt.sys
2007-09-15 22:40 103,936 --a------ C:\WINDOWS\system32\dllcache\sx.sys
2007-09-15 22:40 10,240 --a------ C:\WINDOWS\system32\dllcache\swpidflt.dll
2007-09-15 22:39 53,760 --a------ C:\WINDOWS\system32\dllcache\sw_wheel.dll
2007-09-15 22:39 41,472 --a------ C:\WINDOWS\system32\dllcache\sw_effct.dll
2007-09-15 22:39 155,648 --a------ C:\WINDOWS\system32\dllcache\stlnprop.dll
2007-09-15 22:39 10,240 --a------ C:\WINDOWS\system32\dllcache\swpdflt2.dll
2007-09-15 22:38 99,328 --a------ C:\WINDOWS\system32\dllcache\srusd.dll
2007-09-15 22:38 53,248 --a------ C:\WINDOWS\system32\dllcache\stlncoin.dll
2007-09-15 22:38 48,736 --a------ C:\WINDOWS\system32\dllcache\srwlnd5.sys
2007-09-15 22:38 285,760 --a------ C:\WINDOWS\system32\dllcache\stlnata.sys
2007-09-15 22:38 16,896 --a------ C:\WINDOWS\system32\dllcache\stcusb.sys
2007-09-15 22:37 61,824 --a------ C:\WINDOWS\system32\dllcache\speed.sys
2007-09-15 22:37 24,660 --a------ C:\WINDOWS\system32\dllcache\spxupchk.dll
2007-09-15 22:37 106,584 --a------ C:\WINDOWS\system32\dllcache\spdports.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-17 15:22 --------- d-------- C:\Program Files\FlashGet
2007-09-16 00:04 --------- d-------- C:\Program Files\NJStar Communicator
2007-09-13 12:23 --------- d-------- C:\Program Files\Avant Browser
2007-09-13 12:19 --------- d-------- C:\DOCUME~1\SEANMO~1\APPLIC~1\Avant Browser
2007-09-11 10:38 --------- d-------- C:\Program Files\ProcessTamer
2007-09-11 10:10 --------- d-------- C:\DOCUME~1\SEANMO~1\APPLIC~1\Tor
2007-09-10 23:03 --------- d-------- C:\DOCUME~1\SEANMO~1\APPLIC~1\Viewpoint
2007-09-10 23:03 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-09-10 23:02 --------- d-------- C:\Program Files\Viewpoint
2007-09-10 12:30 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-06 03:09 801144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-06 03:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 03:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 03:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 03:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 03:00 95608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-06 03:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-05 21:12 --------- d-------- C:\Program Files\PokerStars.NET
2007-08-18 12:54 --------- d-------- C:\Program Files\Common Files\AOL
2007-08-18 12:54 --------- d-------- C:\Program Files\AIM
2007-08-17 15:40 --------- d-------- C:\Program Files\AIM6
2007-08-17 15:11 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-08-15 16:57 --------- d-------- C:\Program Files\MSXML 4.0
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-06 17:48 --------- d-------- C:\Program Files\IrfanView
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-24 11:04 6467 ---hs---- C:\WINDOWS\system32\mlkkj.bak1
2007-07-18 23:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-18 11:21 --------- d-------- C:\Program Files\QuickTime
2007-07-13 00:55 3532 --a------ C:\drmHeader.bin
2007-07-12 16:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 07:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 07:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 07:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 07:34 44544 --a------ C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 07:34 384512 --a------ C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 07:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 07:34 232960 --a------ C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 07:34 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 07:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 07:34 153088 --a------ C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 07:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 07:34 124928 --a------ C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 07:34 105984 --a------ C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 07:34 102400 --a------ C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 01:27 63488 --a------ C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 01:27 625152 --a-s---- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 00:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 22:10 317440 --a------ C:\WINDOWS\system32\dllcache\unregmp2.exe
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
2006-11-26 23:35 9232 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmmdfl.sys
2006-11-26 23:35 92064 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmmdm.sys
2006-11-26 23:35 79328 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmserd.sys
2006-11-26 23:35 66656 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmbus.sys
2006-11-26 23:35 6208 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmcmnt.sys
2006-11-26 23:35 5936 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmwhnt.sys
2006-11-26 23:35 4048 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmcr.sys
2006-11-26 23:35 25600 --a--c--- C:\DOCUME~1\SEANMO~1\usbsermptxp.sys
2006-11-26 23:35 22768 --a--c--- C:\DOCUME~1\SEANMO~1\usbsermpt.sys
2005-08-22 07:59:11 56 --sh--r C:\WINDOWS\system32\36FA1CF6DE.sys
2005-08-22 07:59:11 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2007-09-17_140022.34 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 359,808 2006-04-20 11:51:50 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 359,808 2006-04-20 11:51:50 C:\WINDOWS\system32\drivers\tcpip.sys
----atw 16,384 2007-09-17 23:07:07 C:\WINDOWS\Temp\Perflib_Perfdata_678.dat
----atw 16,384 2007-09-17 23:06:43 C:\WINDOWS\Temp\Perflib_Perfdata_6f8.dat
.
----a-w 359,808 2005-05-25 19:04:02 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 359,808 2005-05-25 19:04:02 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 10:19]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
"DefragTaskBar"="C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2007-08-28 16:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"Alps Pointing-device Driver"="C:\drivers\mouse\onboard\Apoint.exe" [2004-09-13 14:33]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 09:12]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-06-14 21:13:23]
Privoxy.lnk - C:\Program Files\Privoxy\privoxy.exe [2006-11-20 07:30:54]

C:\DOCUME~1\SEANMO~1\STARTM~1\Programs\Startup\
Powerword 2006.lnk - C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE [2005-12-07 16:45:30]
ProcessTamer.lnk - C:\Program Files\ProcessTamer\ProcessTamerTray.exe [2006-10-30 16:31:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=0 (0x0)
"NoSMHelp"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\mljgd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sean Mok^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Sean Mok\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{00-09-9E-EF-ZN}]
C:\Documents and Settings\Sean Mok\Local Settings\Temp\thinksnet.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"navapsvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
"Sen"="C:\DOCUME~1\SEANMO~1\APPLIC~1\SMANTE~1\userinit.exe" -vt yazb
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe
"xloadnet"="C:\Program Files\xloadnet\xloadnet.exe"

R2 WIBUKEY;WIBU-KEY Kernel Driver;C:\WINDOWS\system32\DRIVERS\Wibukey.sys
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 NETMW145; NETGEAR WN511T;C:\WINDOWS\system32\DRIVERS\NETMW145.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 RivaTuner32;RivaTuner32;\??\C:\Documents and Settings\Sean Mok\Desktop\RivaTuner_v20RC16\RivaTuner_v20RC16\RivaTuner32.sys
S3 SRS_SSCFilter;SRS Labs Audio Sandbox (WDM);C:\WINDOWS\system32\drivers\srs_sscfilter.sys
S3 TIEHDUSB;TIEHDUSB;C:\WINDOWS\system32\drivers\tiehdusb.sys
S3 TIGLUSB;TiglUsb.sys TI-GRAPH / DIRECT LINK USB driver;C:\WINDOWS\system32\Drivers\TiglUsb.sys
S3 V0250Dev;Live! Cam Notebook Pro;C:\WINDOWS\system32\DRIVERS\V0250Dev.sys
S4 realplay;realplay;C:\WINDOWS\G_Server1.23.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{143d2c8e-7079-11db-a1eb-00123fd7a694}]
AutoRun\command- setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b2e9cab-0301-11db-a160-00123fd7a694}]
AutoRun\command- setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-15 00:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-08-15 18:06:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-17 23:01:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-17 23:04:41
C:\ComboFix-quarantined-files.txt ... 2007-09-17 23:04
C:\ComboFix2.txt ... 2007-09-17 18:54
C:\ComboFix3.txt ... 2007-09-17 14:01
.
--- E O F ---

#9 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 18 September 2007 - 12:01 PM

Hi smok1109,

I missed two items, so we will take care of them now.

Open Notepad - don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the code box below into Notepad:

File:: 
C:\WINDOWS\system32\mlkkj.bak1

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"xloadnet"=-



Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, along with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
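An added example, not SifuMike's or ComboFix's own code, of the review step that turns a ComboFix "Reg Loading Points" dump into a CFScript of the form shown in this post: it flags autostart images that live under a user profile or Temp directory, flags any LSA "Authentication Packages" entry beyond msv1_0, and then drafts only the two directive forms the post uses (File:: paths and "name"=- value deletions under Registry::). The sample log is constructed from the kinds of lines ComboFix prints in this thread; the directory heuristics, the Finding record and the function names are assumptions made for illustration.

```python
"""Review a ComboFix-style 'Reg Loading Points' dump and draft a CFScript.

Added example, not ComboFix's or the poster's own code.  Only the two
directive forms shown in the thread are emitted: File:: paths and
"name"=- value deletions under Registry::.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "key name path reason")

# Constructed sample built from the kinds of lines ComboFix prints in this
# thread (long and 8.3 short paths, a bracketed timestamp, a bare command).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\mljgd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{00-09-9E-EF-ZN}]
C:\Documents and Settings\Sean Mok\Local Settings\Temp\thinksnet.exe CHD003

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
"Sen"="C:\DOCUME~1\SEANMO~1\APPLIC~1\SMANTE~1\userinit.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"""

# Assumed heuristic: autostart images under a user profile or Temp directory
# are unusual enough to deserve a second look (legitimate software normally
# installs under Program Files or the system directory).
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\",
                   "\\application data\\", "\\applic~1\\",
                   "\\local settings\\", "\\locals~1\\", "\\temp\\")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|sys|scr|bat|cmd))\b", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')
TIMESTAMP_RE = re.compile(r"\s*\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]\s*$")


def parse_sections(text):
    """Yield (registry key, [entry lines]) for each [KEY] block."""
    key, lines = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                yield key, lines
            key, lines = line[1:-1], []
        elif key is not None:
            lines.append(line)
    if key is not None:
        yield key, lines


def in_profile_dir(path):
    low = path.lower()
    return any(marker in low for marker in PROFILE_MARKERS)


def analyze(text):
    """Return Findings for entries that deserve a human review."""
    findings = []
    for key, lines in parse_sections(text):
        for line in lines:
            line = TIMESTAMP_RE.sub("", line)
            m = VALUE_RE.match(line)
            name, data = (m.group("name"), m.group("data")) if m else (None, line)
            if key.lower().endswith("\\control\\lsa") and name == "Authentication Packages":
                # REG_MULTI_SZ printed with doubled backslashes; a stock XP box
                # lists only msv1_0, and anything else is loaded inside lsass.exe.
                for pkg in data.split():
                    if pkg != "msv1_0":
                        findings.append(Finding(key, name, pkg.replace("\\\\", "\\"),
                                                "extra LSA authentication package"))
                continue
            pm = PATH_RE.search(data)
            if pm and in_profile_dir(pm.group(1)):
                findings.append(Finding(key, name, pm.group(1),
                                        "autostart image under a profile/Temp directory"))
    return findings


def draft_cfscript(findings):
    """Draft File:: / Registry:: directives in the form the post above uses.

    The LSA package is reported but left out on purpose: "name"=- would delete
    the whole Authentication Packages value and break logon, so that entry
    needs the value rewritten to msv1_0 by whoever reviews the draft.
    """
    files, reg = [], {}
    for f in findings:
        if f.name == "Authentication Packages":
            continue
        if f.path not in files:
            files.append(f.path)
        if f.name is not None:                 # bare commands have no value to delete
            reg.setdefault(f.key, []).append(f.name)
    out = ["File::"] + files + [""]
    if reg:
        out.append("Registry::")
        for key, names in reg.items():
            out.append("[%s]" % key)
            out.extend('"%s"=-' % n for n in names)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print("%-45s %s" % (f.reason, f.path))
    print()
    print(draft_cfscript(found))
```

The draft is meant to be read by the person doing the cleanup, not run blindly: it lists what the heuristics picked up and leaves the LSA entry as a report-only item, because the one deletion syntax the post shows removes a whole value, which is the wrong tool for a multi-string that must keep msv1_0.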

#10 smok1109
  • Topic Starter
  • Members
  • 50 posts

Posted 18 September 2007 - 04:06 PM

thanks so much!
ComboFix 07-09-17.2 - "Sean Mok" 2007-09-18 13:47:34.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.538 [GMT -7:00]
Command switches used :: C:\Documents and Settings\Sean Mok\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\mlkkj.bak1
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mlkkj.bak1

.
((((((((((((((((((((((((( Files Created from 2007-08-18 to 2007-09-18 )))))))))))))))))))))))))))))))
.

2007-09-16 23:46 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-09-15 22:57 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-09-15 22:57 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-09-15 22:57 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-09-15 22:57 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-09-15 22:56 99,865 --a------ C:\WINDOWS\system32\dllcache\xlog.exe
2007-09-15 22:56 8,192 --a------ C:\WINDOWS\system32\dllcache\wshirda.dll
2007-09-15 22:56 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-09-15 22:56 19,455 --a------ C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-09-15 22:56 16,970 --a------ C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-09-15 22:56 12,063 --a------ C:\WINDOWS\system32\dllcache\wsiintxx.sys
2007-09-15 22:55 8,832 --a------ C:\WINDOWS\system32\dllcache\wmiacpi.sys
2007-09-15 22:55 771,581 --a------ C:\WINDOWS\system32\dllcache\winacisa.sys
2007-09-15 22:55 34,890 --a------ C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-09-15 22:55 154,624 --a------ C:\WINDOWS\system32\dllcache\wlluc48.sys
2007-09-15 22:54 87,040 --a------ C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-09-15 22:54 701,386 --a------ C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-09-15 22:54 53,760 --a------ C:\WINDOWS\system32\dllcache\wiamsmud.dll
2007-09-15 22:54 41,600 --a------ C:\WINDOWS\system32\dllcache\weitekp9.dll
2007-09-15 22:54 31,744 --a------ C:\WINDOWS\system32\dllcache\wceusbsh.sys
2007-09-15 22:54 31,232 --a------ C:\WINDOWS\system32\dllcache\weitekp9.sys
2007-09-15 22:54 23,615 --a------ C:\WINDOWS\system32\dllcache\wch7xxnt.sys
2007-09-15 22:52 19,016 --a------ C:\WINDOWS\system32\dllcache\w926nd.sys
2007-09-15 22:52 16,925 --a------ C:\WINDOWS\system32\dllcache\w940nd.sys
2007-09-15 22:51 64,605 --a------ C:\WINDOWS\system32\dllcache\vvoice.sys
2007-09-15 22:51 48,256 --a------ C:\WINDOWS\system32\dllcache\w32.dll
2007-09-15 22:51 397,502 --a------ C:\WINDOWS\system32\dllcache\vpctcom.sys
2007-09-15 22:51 19,528 --a------ C:\WINDOWS\system32\dllcache\w840nd.sys
2007-09-15 22:50 765,884 --a------ C:\WINDOWS\system32\dllcache\usrti.sys
2007-09-15 22:50 687,999 --a------ C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2007-09-15 22:50 604,253 --a------ C:\WINDOWS\system32\dllcache\vmodem.sys
2007-09-15 22:50 249,402 --a------ C:\WINDOWS\system32\dllcache\vinwm.sys
2007-09-15 22:50 24,576 --a------ C:\WINDOWS\system32\dllcache\viairda.sys
2007-09-15 22:50 11,325 --a------ C:\WINDOWS\system32\dllcache\vchnt5.dll
2007-09-15 22:49 794,399 --a------ C:\WINDOWS\system32\dllcache\usr1806v.sys
2007-09-15 22:49 7,556 --a------ C:\WINDOWS\system32\dllcache\usroslba.sys
2007-09-15 22:49 224,802 --a------ C:\WINDOWS\system32\dllcache\usr1807a.sys
2007-09-15 22:49 113,762 --a------ C:\WINDOWS\system32\dllcache\usrpda.sys
2007-09-15 22:48 94,720 --a------ C:\WINDOWS\system32\dllcache\umaxud32.dll
2007-09-15 22:48 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2007-09-15 22:48 793,598 --a------ C:\WINDOWS\system32\dllcache\usr1806.sys
2007-09-15 22:48 78,464 --a------ C:\WINDOWS\system32\dllcache\usbvideo.sys
2007-09-15 22:48 32,384 --a------ C:\WINDOWS\system32\dllcache\usb101et.sys
2007-09-15 22:48 17,024 --a------ C:\WINDOWS\system32\dllcache\usbohci.sys
2007-09-15 22:48 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2007-09-15 22:48 12,672 --a------ C:\WINDOWS\system32\dllcache\usb8023x.sys
2007-09-15 22:47 69,632 --a------ C:\WINDOWS\system32\dllcache\umaxu12.dll
2007-09-15 22:47 50,688 --a------ C:\WINDOWS\system32\dllcache\umaxscan.dll
2007-09-15 22:47 28,160 --a------ C:\WINDOWS\system32\dllcache\umaxu40.dll
2007-09-15 22:47 26,624 --a------ C:\WINDOWS\system32\dllcache\umaxu22.dll
2007-09-15 22:46 50,176 --a------ C:\WINDOWS\system32\dllcache\umaxp60.dll
2007-09-15 22:46 47,616 --a------ C:\WINDOWS\system32\dllcache\umaxcam.dll
2007-09-15 22:46 22,912 --a------ C:\WINDOWS\system32\dllcache\umaxpcls.sys
2007-09-15 22:46 216,064 --a------ C:\WINDOWS\system32\dllcache\um34scan.dll
2007-09-15 22:46 211,968 --a------ C:\WINDOWS\system32\dllcache\um54scan.dll
2007-09-15 22:45 525,568 --a------ C:\WINDOWS\system32\dllcache\tridxp.dll
2007-09-15 22:45 44,672 --a------ C:\WINDOWS\system32\dllcache\uagp35.sys
2007-09-15 22:45 166,784 --a------ C:\WINDOWS\system32\dllcache\tridxpm.sys
2007-09-15 22:45 159,232 --a------ C:\WINDOWS\system32\dllcache\tridkbm.sys
2007-09-15 22:45 14,336 --a------ C:\WINDOWS\system32\dllcache\tsprof.exe
2007-09-15 22:45 11,520 --a------ C:\WINDOWS\system32\dllcache\twotrack.sys
2007-09-15 22:44 82,432 --a------ C:\WINDOWS\system32\dllcache\tp4mon.exe
2007-09-15 22:44 440,576 --a------ C:\WINDOWS\system32\dllcache\tridkb.dll
2007-09-15 22:44 42,496 --a------ C:\WINDOWS\system32\dllcache\tp4res.dll
2007-09-15 22:44 34,375 --a------ C:\WINDOWS\system32\dllcache\tpro4.sys
2007-09-15 22:44 315,520 --a------ C:\WINDOWS\system32\dllcache\trid3d.dll
2007-09-15 22:44 222,336 --a------ C:\WINDOWS\system32\dllcache\trid3dm.sys
2007-09-15 22:43 31,744 --a------ C:\WINDOWS\system32\dllcache\tp4.dll
2007-09-15 22:43 28,232 --a------ C:\WINDOWS\system32\dllcache\tos4mo.sys
2007-09-15 22:43 241,664 --a------ C:\WINDOWS\system32\dllcache\tosdvd02.sys
2007-09-15 22:43 230,912 --a------ C:\WINDOWS\system32\dllcache\tosdvd03.sys
2007-09-15 22:42 81,408 --a------ C:\WINDOWS\system32\dllcache\tgiul50.dll
2007-09-15 22:42 19,464 --a------ C:\WINDOWS\system32\dllcache\tdspx.sys
2007-09-15 22:42 17,129 --a------ C:\WINDOWS\system32\dllcache\tdkcd31.sys
2007-09-15 22:42 149,376 --a------ C:\WINDOWS\system32\dllcache\tffsport.sys
2007-09-15 22:42 138,528 --a------ C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2007-09-15 22:42 123,995 --a------ C:\WINDOWS\system32\dllcache\tjisdn.sys
2007-09-15 22:41 7,040 --a------ C:\WINDOWS\system32\dllcache\tandqic.sys
2007-09-15 22:41 37,961 --a------ C:\WINDOWS\system32\dllcache\tdk100b.sys
2007-09-15 22:41 36,640 --a------ C:\WINDOWS\system32\dllcache\t2r4mini.sys
2007-09-15 22:41 30,464 --a------ C:\WINDOWS\system32\dllcache\tbatm155.sys
2007-09-15 22:41 21,896 --a------ C:\WINDOWS\system32\dllcache\tdipx.sys
2007-09-15 22:41 172,768 --a------ C:\WINDOWS\system32\dllcache\t2r4disp.dll
2007-09-15 22:41 13,192 --a------ C:\WINDOWS\system32\dllcache\tdasync.sys
2007-09-15 22:40 94,293 --a------ C:\WINDOWS\system32\dllcache\sxports.dll
2007-09-15 22:40 3,968 --a------ C:\WINDOWS\system32\dllcache\swusbflt.sys
2007-09-15 22:40 103,936 --a------ C:\WINDOWS\system32\dllcache\sx.sys
2007-09-15 22:40 10,240 --a------ C:\WINDOWS\system32\dllcache\swpidflt.dll
2007-09-15 22:39 53,760 --a------ C:\WINDOWS\system32\dllcache\sw_wheel.dll
2007-09-15 22:39 41,472 --a------ C:\WINDOWS\system32\dllcache\sw_effct.dll
2007-09-15 22:39 155,648 --a------ C:\WINDOWS\system32\dllcache\stlnprop.dll
2007-09-15 22:39 10,240 --a------ C:\WINDOWS\system32\dllcache\swpdflt2.dll
2007-09-15 22:38 99,328 --a------ C:\WINDOWS\system32\dllcache\srusd.dll
2007-09-15 22:38 53,248 --a------ C:\WINDOWS\system32\dllcache\stlncoin.dll
2007-09-15 22:38 48,736 --a------ C:\WINDOWS\system32\dllcache\srwlnd5.sys
2007-09-15 22:38 285,760 --a------ C:\WINDOWS\system32\dllcache\stlnata.sys
2007-09-15 22:38 16,896 --a------ C:\WINDOWS\system32\dllcache\stcusb.sys
2007-09-15 22:37 61,824 --a------ C:\WINDOWS\system32\dllcache\speed.sys
2007-09-15 22:37 24,660 --a------ C:\WINDOWS\system32\dllcache\spxupchk.dll
2007-09-15 22:37 106,584 --a------ C:\WINDOWS\system32\dllcache\spdports.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-18 13:56 --------- d-------- C:\Program Files\FlashGet
2007-09-16 00:04 --------- d-------- C:\Program Files\NJStar Communicator
2007-09-13 12:23 --------- d-------- C:\Program Files\Avant Browser
2007-09-13 12:19 --------- d-------- C:\DOCUME~1\SEANMO~1\APPLIC~1\Avant Browser
2007-09-11 10:38 --------- d-------- C:\Program Files\ProcessTamer
2007-09-11 10:10 --------- d-------- C:\DOCUME~1\SEANMO~1\APPLIC~1\Tor
2007-09-10 23:03 --------- d-------- C:\DOCUME~1\SEANMO~1\APPLIC~1\Viewpoint
2007-09-10 23:03 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-09-10 23:02 --------- d-------- C:\Program Files\Viewpoint
2007-09-10 12:30 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-06 03:09 801144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-06 03:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 03:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 03:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 03:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 03:00 95608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-06 03:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-05 21:12 --------- d-------- C:\Program Files\PokerStars.NET
2007-08-18 12:54 --------- d-------- C:\Program Files\Common Files\AOL
2007-08-18 12:54 --------- d-------- C:\Program Files\AIM
2007-08-17 15:40 --------- d-------- C:\Program Files\AIM6
2007-08-17 15:11 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-08-15 16:57 --------- d-------- C:\Program Files\MSXML 4.0
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-06 17:48 --------- d-------- C:\Program Files\IrfanView
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-18 23:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-18 11:21 --------- d-------- C:\Program Files\QuickTime
2007-07-13 00:55 3532 --a------ C:\drmHeader.bin
2007-07-12 16:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 07:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 07:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 07:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 07:34 44544 --a------ C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 07:34 384512 --a------ C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 07:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 07:34 232960 --a------ C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 07:34 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 07:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 07:34 153088 --a------ C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 07:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 07:34 124928 --a------ C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 07:34 105984 --a------ C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 07:34 102400 --a------ C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 01:27 63488 --a------ C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 01:27 625152 --a-s---- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 00:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 22:10 317440 --a------ C:\WINDOWS\system32\dllcache\unregmp2.exe
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2006-11-26 23:35 9232 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmmdfl.sys
2006-11-26 23:35 92064 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmmdm.sys
2006-11-26 23:35 79328 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmserd.sys
2006-11-26 23:35 66656 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmbus.sys
2006-11-26 23:35 6208 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmcmnt.sys
2006-11-26 23:35 5936 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmwhnt.sys
2006-11-26 23:35 4048 --a--c--- C:\DOCUME~1\SEANMO~1\mqdmcr.sys
2006-11-26 23:35 25600 --a--c--- C:\DOCUME~1\SEANMO~1\usbsermptxp.sys
2006-11-26 23:35 22768 --a--c--- C:\DOCUME~1\SEANMO~1\usbsermpt.sys
2005-08-22 07:59:11 56 --sh--r C:\WINDOWS\system32\36FA1CF6DE.sys
2005-08-22 07:59:11 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2007-09-17_140022.34 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 359,808 2006-04-20 11:51:50 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 359,808 2006-04-20 11:51:50 C:\WINDOWS\system32\drivers\tcpip.sys
----atw 16,384 2007-09-18 15:40:53 C:\WINDOWS\Temp\Perflib_Perfdata_494.dat
----atw 16,384 2007-09-18 15:40:31 C:\WINDOWS\Temp\Perflib_Perfdata_738.dat
.
----a-w 359,808 2005-05-25 19:04:02 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 359,808 2005-05-25 19:04:02 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 10:19]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
"DefragTaskBar"="C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2007-08-28 16:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"Alps Pointing-device Driver"="C:\drivers\mouse\onboard\Apoint.exe" [2004-09-13 14:33]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 09:12]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-06-14 21:13:23]
Privoxy.lnk - C:\Program Files\Privoxy\privoxy.exe [2006-11-20 07:30:54]

C:\DOCUME~1\SEANMO~1\STARTM~1\Programs\Startup\
Powerword 2006.lnk - C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE [2005-12-07 16:45:30]
ProcessTamer.lnk - C:\Program Files\ProcessTamer\ProcessTamerTray.exe [2006-10-30 16:31:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=0 (0x0)
"NoSMHelp"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\mljgd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sean Mok^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Sean Mok\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{00-09-9E-EF-ZN}]
C:\Documents and Settings\Sean Mok\Local Settings\Temp\thinksnet.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"navapsvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
"Sen"="C:\DOCUME~1\SEANMO~1\APPLIC~1\SMANTE~1\userinit.exe" -vt yazb
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe

R2 WIBUKEY;WIBU-KEY Kernel Driver;C:\WINDOWS\system32\DRIVERS\Wibukey.sys
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 NETMW145; NETGEAR WN511T;C:\WINDOWS\system32\DRIVERS\NETMW145.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 RivaTuner32;RivaTuner32;\??\C:\Documents and Settings\Sean Mok\Desktop\RivaTuner_v20RC16\RivaTuner_v20RC16\RivaTuner32.sys
S3 SRS_SSCFilter;SRS Labs Audio Sandbox (WDM);C:\WINDOWS\system32\drivers\srs_sscfilter.sys
S3 TIEHDUSB;TIEHDUSB;C:\WINDOWS\system32\drivers\tiehdusb.sys
S3 TIGLUSB;TiglUsb.sys TI-GRAPH / DIRECT LINK USB driver;C:\WINDOWS\system32\Drivers\TiglUsb.sys
S3 V0250Dev;Live! Cam Notebook Pro;C:\WINDOWS\system32\DRIVERS\V0250Dev.sys
S4 realplay;realplay;C:\WINDOWS\G_Server1.23.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{143d2c8e-7079-11db-a1eb-00123fd7a694}]
AutoRun\command- setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b2e9cab-0301-11db-a160-00123fd7a694}]
AutoRun\command- setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-15 00:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-08-15 18:06:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-18 13:55:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-18 13:59:00
C:\ComboFix-quarantined-files.txt ... 2007-09-18 13:58
C:\ComboFix2.txt ... 2007-09-17 23:04
C:\ComboFix3.txt ... 2007-09-17 18:54
.
--- E O F ---

#11 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 18 September 2007 - 04:09 PM

Hi smok1109,

Looks good. :thumbsup:

You forgot to post the Hijackthis log. :flowers:

#12 smok1109
  • Topic Starter
  • Members
  • 50 posts

Posted 18 September 2007 - 11:28 PM

whoops, here's the hijackthis log
My avast also detected this: Win32:Dabora-EY[TRJ], and it says the infected file is ComboFix.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:39 PM, on 9/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\drivers\mouse\onboard\Apoint.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
C:\Program Files\ProcessTamer\ProcessTamerTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Documents and Settings\Sean Mok\Desktop\Adobe Dreamweaver CS3 v 9.0 Build 3453 Portable\Adobe Dreamweaver CS3 Portable\Dreamweaver.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sean Mok\Desktop\Bitcomet 0.93\Bitcomet ? 0.93 ???\BC?0.93\BitComet.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\ashLogV.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DefragTaskBar] "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Alps Pointing-device Driver] C:\drivers\mouse\onboard\Apoint.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Powerword 2006.lnk = C:\Program Files\Kingsoft\PowerWord 2006\XDICT.EXE
O4 - Startup: ProcessTamer.lnk = C:\Program Files\ProcessTamer\ProcessTamerTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156736341654
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

--
End of file - 13708 bytes
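
Added example, not part of this thread and not HijackThis code: a small Python parser for the O8/O9/O12/O16/O23 line formats seen in the log above. It pulls out the CLSID, the target path or URL and (for O23) the service owner, and flags the things a helper usually looks at first: entries marked "(file missing)", services whose owner is blank or "Unknown owner", and the host each O16 ActiveX control was downloaded from. The sample lines are constructed in the format of this log; the flags are review hints for a human reader, not verdicts.

```python
"""Parse HijackThis-style log lines (O8/O9/O12/O16/O23) and list entries
that deserve a closer look. Hypothetical helper written for this thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample in the format of the log posted in this thread.
SAMPLE_LOG = r"""
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
--
End of file - 13708 bytes
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# O23 owner may be blank; the log then reads "<name> - - <path>" with single spaces.
O23_RE = re.compile(r"^Service: (?P<name>.+?) -(?: (?P<owner>.*?))? - (?P<path>.+)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<desc>.*)\) - (?P<url>.+)$")


@dataclass
class Entry:
    section: str              # "O8", "O9", "O12", "O16", "O23"
    name: str                 # display name or description
    clsid: Optional[str]      # COM class id when the line carries one
    target: str               # file path or URL the entry points at
    owner: Optional[str]      # O23 service vendor string ("" when blank)
    flags: List[str] = field(default_factory=list)  # review hints


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an O-section line, None for header/footer/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    flags: List[str] = []
    if rest.endswith("(file missing)"):   # HijackThis marks dangling references this way
        flags.append("file missing")
        rest = rest[: -len("(file missing)")].rstrip()
    clsid_m = CLSID_RE.search(rest)
    clsid = clsid_m.group(0) if clsid_m else None
    owner = None
    if section == "O23":
        sm = O23_RE.match(rest)
        if not sm:
            return Entry(section, rest, clsid, "", None, flags + ["unparsed"])
        name, target = sm.group("name"), sm.group("path")
        owner = (sm.group("owner") or "").strip()
        if owner in ("", "Unknown owner"):
            flags.append("unknown service owner")
    elif section == "O16":
        dm = O16_RE.match(rest)
        if not dm:
            return Entry(section, rest, clsid, "", None, flags + ["unparsed"])
        name, target = dm.group("desc"), dm.group("url")
        flags.append("ActiveX download from " + (urlparse(target).hostname or "?"))
    else:
        # O8/O9/O12: "<kind>: <name> [- {CLSID}] - <target>"; O12 has no name part.
        kind, _, body = rest.partition(": ")
        if not body:
            return Entry(section, rest, clsid, "", None, flags + ["unparsed"])
        parts = [p for p in body.split(" - ") if not CLSID_RE.fullmatch(p)]
        if len(parts) == 1:
            name, target = kind, parts[0]
        else:
            name, target = parts[0], " - ".join(parts[1:])
    return Entry(section, name, clsid, target, owner, flags)


def triage(log_text: str) -> dict:
    """Parse every line of a log; return all entries and the subset carrying flags."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {"entries": entries, "review": [e for e in entries if e.flags]}


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG)["review"]:
        print(f"{e.section:<4} {e.name!r:<45} {', '.join(e.flags)}")
```

Running the block prints the five sample entries a reviewer would check first (the dangling MUSICMATCH button, the two ActiveX download hosts and the two services without a recognised owner); everything else parses cleanly and stays out of the review list.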

#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 19 September 2007 - 12:10 AM

Hi smok1109,

my avast also detected this: Win32:Dabora-EY[TRJ] and it says the infected file is Combofix.

It is probably finding one of the files the ComboFix quarantined.
Does it tell the location in ComboFix?



Your log looks clean! :thumbsup: Good job on the cleanup!

Let's reset your files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK

Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.




Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
'How to prevent Malware' by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 smok1109

smok1109
  • Topic Starter
  • Members
  • 50 posts

Posted 19 September 2007 - 01:27 AM

hey thanks a lot, I sent out a small donation because you really helped me out a lot!

#15 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 19 September 2007 - 07:17 AM

Hi smok1109,

Thanks for the donation. It is much appreciated. :thumbsup:

Hate to be like Columbo, but could you do just one more thing... LOL

Please find and delete the following:
Combofix
C:\QOOBOX
C:\Combofix

