
System Alert Flashing In Taskbar (malware)

14 replies to this topic

#1 wend

Posted 24 September 2007 - 09:24 AM

I have a flashing blue question mark that turns into a red cross, and I can't get it off my taskbar. I also get a pop-up box that says ''System Alert - system has discovered you have a number of active spyware applications running that may impact the performance of your pc. Click here etc etc''

I've also noticed that since I've had this I can't sign in to my MSN or Yahoo, and as I'm typing this I'm having to go back and check because certain keys aren't responding the first time I try to type.

Please help guys, a lady is in distress lol

weny x x

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:12:06, on 24/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe
O4 - HKLM\..\Run: [pros] C:\WINDOWS\system32\valu1e.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\RunServices: [pros] C:\WINDOWS\system32\valu1e.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Suggestions - {2223664C-1942-4276-9A2D-E8D8F547C5D2} - res://EffiPeled (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf2.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf2.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf2.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1164137377925
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164212819926
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/fi...tivePreQual.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: flensburg - {d6ef030a-a235-41ba-9ead-89b6ff542f00} - C:\WINDOWS\system32\pluwue.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11432 bytes


#2 Buckeye_Sam

    Malware Expert

Posted 24 September 2007 - 06:14 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 wend

    Topic Starter

Posted 24 September 2007 - 09:41 PM

Thanks and hi Sam, here is my log after running ComboFix. I await further instructions, thanks in advance

wedy x x

ComboFix 07-09-21.2 - "Stuart" 2007-09-25 3:02:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.122 [GMT 1:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Stuart\APPLIC~1\FunWebProducts
C:\DOCUME~1\Stuart\APPLIC~1\FunWebProducts\Data\Stuart\avatar.dat
C:\Program Files\Common Files\{30B69~1
C:\Program Files\Common Files\{30B69~2
C:\Program Files\Common Files\{C0B69~1
C:\Program Files\Common Files\{C0B69~2
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Installr\3.bin\F3EZSETP.DLL
C:\Program Files\FunWebProducts\ScreenSaver\Images\0245D42E.urr
C:\Program Files\FunWebProducts\Shared\015566DD.dat
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm.bak
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\ActiveDesktop\bin\ActiveDesktopExe.exe
C:\Program Files\screensavers.com\SSSInstaller\bin\sinstaller3.exe
C:\Program Files\screensavers.com\SSSUninst.exe
C:\WINDOWS\pp.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-25 to 2007-09-25 )))))))))))))))))))))))))))))))
.

2007-09-25 03:01 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-24 20:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-09-24 17:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-09-24 17:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-09-24 17:06 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-09-24 15:11 812,344 --a------ C:\Program Files\HJTInstall.exe
2007-09-24 15:11 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-24 14:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-09-24 01:08 <DIR> d-------- C:\Program Files\Windows Defender
2007-09-23 21:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2007-09-23 21:26 29,696 --a------ C:\WINDOWS\system32\laf2.dll
2007-09-23 15:02 <DIR> d-------- C:\Program Files\Windows Live
2007-09-12 01:03 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-12 01:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-09-12 01:01 <DIR> d-------- C:\Program Files\QuickTime
2007-09-10 03:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-09-10 03:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-09-10 03:32 <DIR> d-------- C:\Program Files\Viewpoint
2007-09-10 03:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-09-10 03:31 335 --a------ C:\WINDOWS\nsreg.dat
2007-09-10 03:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-08-27 17:13 97,672 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-08-27 17:13 537,992 --a------ C:\WINDOWS\system32\SymNeti.dll
2007-08-27 17:13 31,624 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-08-27 17:13 28,040 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-08-27 17:13 23,944 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-08-27 17:13 189,320 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-08-27 17:13 161,160 --a------ C:\WINDOWS\system32\SymRedir.dll
2007-08-27 17:13 12,680 --a------ C:\WINDOWS\system32\drivers\symdns.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-24 19:24 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-24 19:19 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-09-24 19:18 --------- d-------- C:\Program Files\Yahoo!
2007-09-24 18:56 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-09-24 17:06 --------- d-------- C:\Program Files\MSN Messenger
2007-09-24 11:13 --------- d-------- C:\Program Files\Lexmark X1100 Series
2007-09-24 00:04 --------- d-------- C:\Program Files\Messenger Plus! Live
2007-09-22 14:31 --------- d-------- C:\DOCUME~1\Stuart\APPLIC~1\LimeWire
2007-09-22 05:58 --------- d-------- C:\DOCUME~1\Stuart\APPLIC~1\BitTorrent
2007-09-20 10:06 --------- d-------- C:\Program Files\Norton Internet Security
2007-09-18 10:01 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-09-18 09:58 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-09-18 09:58 60800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-09-18 09:58 123952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-18 09:58 10676 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-09-18 09:58 --------- d-------- C:\Program Files\Symantec
2007-09-14 20:26 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-09-02 16:59 --------- d-------- C:\DOCUME~1\Eilidh\APPLIC~1\Real
2007-09-01 18:40 --------- d-------- C:\Program Files\LimeWire
2007-08-29 03:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-29 03:05 --------- d-------- C:\Program Files\Google
2007-08-28 18:45 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-27 15:32 --------- d-------- C:\DOCUME~1\Stuart\APPLIC~1\MSN6
2007-08-27 00:26 --------- d-------- C:\DOCUME~1\Wendy\APPLIC~1\Real
2007-08-24 21:22 --------- d-------- C:\Program Files\VideoLAN
2007-08-24 21:22 --------- d-------- C:\Program Files\NCH Swift Sound
2007-08-24 21:22 --------- d-------- C:\DOCUME~1\Stuart\APPLIC~1\NCH Swift Sound
2007-08-06 13:33 --------- d-------- C:\Program Files\Common Files\Teleca Shared
2007-08-06 13:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-19 07:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-13 00:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 15:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 15:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 15:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 15:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 15:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 15:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 15:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 15:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 15:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 15:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 15:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 15:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 15:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 15:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 15:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 15:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 15:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 15:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 15:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 09:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 09:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 09:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 08:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 07:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EM_EXEC"="C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-08-24 10:40]
"ACTIVBOARD"="C:\Apps\ActivBoard\MMKeybd.exe" [2001-05-03 19:41]
"Windows Logon Application"="C:\WINDOWS\System32\logon.exe" []
"pros"="C:\WINDOWS\system32\valu1e.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 15:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-17 14:51]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 13:23]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-04-26 19:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-07-04 13:30]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-02-01 17:45]
"Update Service"="C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe" [2006-11-21 18:12]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"pros"=C:\WINDOWS\system32\valu1e.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2007-01-28 10:09 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-07-04 13:30 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys
R2 nhksrv;Netropa NHK Server;C:\Apps\ActivBoard\nhksrv.exe
R3 CVIAAUD;NEC VIA 3D Environmental Audio;C:\WINDOWS\system32\drivers\cviaaud.sys
R3 CVIAHALA;CVIAHALA;C:\WINDOWS\system32\drivers\cviahal.sys
R3 ovt519;%USB\vid_054c&pid_0155.DeviceDesc%;C:\WINDOWS\system32\Drivers\ov519vid.sys
R3 PxHelper;PxHelper;\??\C:\WINDOWS\System32\drivers\PxHelper.sys
S3 KvaziDVD;KvaziDVD;\??\C:\Program Files\MakBit Software\MakBit Virtual CD-DVD\kvazidvd.sys
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys
S3 V90drv;v90drv;C:\WINDOWS\system32\DRIVERS\v90drv.sys

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-09-24 16:48:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-25 02:13:54 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-09-21 20:46:52 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Stuart.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-25 03:12:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\winnt256.bmp
C:\WINDOWS\Windows Update.log
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\winhelp.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\winnt.bmp
C:\WINDOWS\WinSxS
C:\WINDOWS\WMFDist11.log
C:\WINDOWS\wmp11.log
C:\WINDOWS\wmsetup.log
C:\WINDOWS\wmsetup10.log
C:\WINDOWS\WMSysPr8.prx
C:\WINDOWS\WMSysPr9.prx
C:\WINDOWS\WMSysPrx.prx
C:\WINDOWS\Wudf01000Inst.log
C:\WINDOWS\xpsp1hfm.log
C:\WINDOWS\Zapotec.bmp
C:\WINDOWS\_default.pif
**************************************************************************
.
Completion time: 2007-09-25 3:19:59 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-25 03:19
.
--- E O F ---

#4 Buckeye_Sam

    Malware Expert

Posted 25 September 2007 - 04:58 PM

Download LSPFix from http://www.cexx.org/lspfix.zip and run it.
Check the I know what I'm doing box.
In the Keep box you should see one or more instances of the following files.

laf2.dll

Select every instance of this file, but no others, and move each one to the Remove box by clicking the >> button.
When you are done click Finish>>.


Reboot your computer.


===============


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\laf2.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Logon Application"=-
"pros"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"pros"=-

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


========================================================
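The triage Sam does by eye on the HijackThis log in #1, and the CFScript he hands back in #4, can both be scripted. The Python below is an added example, not code from this thread, from HijackThis or from ComboFix: it parses a handful of O4/O10/O22 lines copied from the log in #1 (embedded as a constructed sample), flags the indicators the helper acted on (an unknown Winsock LSP DLL, a populated RunServices key, a Run entry in the Windows directory whose name does not match its executable, and entries with no file on disk), and renders the File::/Registry:: script format used in #4. The name-mismatch rule is this example's own heuristic, a prompt for a human to look, not a verdict; HijackThis prints one O10 line per Winsock catalog entry, which is why the same DLL shows up several times and why the example counts hits per path.

```python
"""Triage a HijackThis v2 log and draft a ComboFix CFScript from the hits.
Added example; heuristics only, a human still decides what to remove."""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the HijackThis log posted in #1, with two
# benign entries (ccApp, CTFMON.EXE) kept so the heuristics have something to pass.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe
O4 - HKLM\..\Run: [pros] C:\WINDOWS\system32\valu1e.exe
O4 - HKLM\..\RunServices: [pros] C:\WINDOWS\system32\valu1e.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf2.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\laf2.dll
O22 - SharedTaskScheduler: flensburg - {d6ef030a-a235-41ba-9ead-89b6ff542f00} - C:\WINDOWS\system32\pluwue.dll
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
NOFILE_RE = re.compile(r"^O(?:2|3|9|23) - .*\((?:no file|file missing)\)")
O22_RE = re.compile(r"^O22 - SharedTaskScheduler: .+? - \{[^}]+\} - (?P<path>.+)$")

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_BASE = r"SOFTWARE\Microsoft\Windows\CurrentVersion"


def exe_name(cmd):
    """Executable of a Run command: quotes stripped, no directory, no extension, lower-case."""
    token = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
    return token.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def in_windows_dir(cmd):
    """True when the command's executable lives under C:\\WINDOWS (any subfolder)."""
    return cmd.lstrip('"').lower().startswith("c:\\windows\\")


def triage(log_text):
    """Return indicator -> hits. Every rule here is a heuristic for a human to review."""
    f = {"lsp": Counter(), "runservices": [], "run_suspect": [], "no_file": [], "shared_task": []}
    for line in log_text.splitlines():
        if (m := O10_RE.match(line)):
            f["lsp"][m["path"].lower()] += 1  # one O10 line per Winsock catalog entry
        elif (m := O4_RE.match(line)):
            entry = (m["hive"], m["key"], m["name"], m["cmd"])
            name = m["name"].lower()
            if name.endswith(".exe"):
                name = name[:-4]
            if m["key"].lower() == "runservices":
                # RunServices is a Windows 9x/ME autostart key that NT-based Windows
                # ignores, so anything populating it on XP deserves a look.
                f["runservices"].append(entry)
            elif in_windows_dir(m["cmd"]) and name != exe_name(m["cmd"]):
                # Executable dropped straight into the Windows tree under a run-name
                # that does not match the file ("Windows Logon Application" -> logon.exe).
                f["run_suspect"].append(entry)
        elif (m := O22_RE.match(line)):
            f["shared_task"].append(m["path"])
        elif NOFILE_RE.match(line):
            f["no_file"].append(line)
    return f


def make_cfscript(findings):
    """Render the File::/Registry:: script ComboFix accepts ("name"=- deletes a value)."""
    lines = ["File::", *sorted(findings["lsp"]), "", "Registry::"]
    by_key = defaultdict(list)
    for hive, key, name, _cmd in findings["run_suspect"] + findings["runservices"]:
        by_key[f"[{HIVES.get(hive, hive)}\\{RUN_BASE}\\{key}]"].append(f'"{name}"=-')
    for key, values in by_key.items():
        lines.append(key)
        lines.extend(dict.fromkeys(values))  # de-duplicate while keeping order
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for kind, value in hits.items():
        print(f"{kind}: {value}")
    print(make_cfscript(hits))
```

Run it as-is and the script it prints matches the one in #4 line for line (the LSP DLL under File::, the two Run values and the RunServices value deleted with =-); feed it a real HijackThis log instead of SAMPLE_LOG and the O2/O22 hits are reported but deliberately not written into the script, since (no file) entries and unknown SharedTaskScheduler DLLs need a person to decide.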

#5 wend

    Topic Starter

Posted 25 September 2007 - 06:18 PM

On running LSPFix, there isn't a laf2.dll file. Here are the files it lists; I was presuming the laf1.dll file would be the one, but I didn't want to go ahead and do it just in case I was wrong

mswsock.dll Tcpip
winrnr.dll NTDS
laf1.dll {Protocol handler}
rspvsp.dll {Protocol handler}

I await your instructions as to whether it's the laf1.dll file I move to the Remove box

#6 wend

    Topic Starter

Posted 25 September 2007 - 08:53 PM

Hi again Sam, just to keep you up to date on things: my Norton LiveUpdate wouldn't work for some reason, so I uninstalled Norton and then tried to reinstall it. I got to the point where it tried to connect and it came back with ''unable to connect to the symantec server. You need to connect to the internet to create and access your Norton Account''

I unplugged and restarted my Motorola SURFboard SB5101 cable modem a few times and still can't get Norton to access the internet. It says my modem is working fine.

I'm not saying this current problem is your domain or anything, but I thought it best to inform you.
Thanks again for your help, you guys are great. I'll follow each step carefully

wendy x x

#7 Buckeye_Sam

    Malware Expert

Posted 26 September 2007 - 08:45 AM

It looks like the filename changed, so yes, you want to follow those directions with LSPFix on the file: laf1.dll
That may help your connection with Norton also.

Let's take things slowly here because I don't want to lose your connection. Do not follow the second step I posted, the part with ComboFix. Just remove the laf1.dll with LSPFix and then post a new HijackThis log.


========================================================

#8 wend

wend
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Scotland, north lanarkshire
  • Local time:02:18 PM

Posted 26 September 2007 - 12:18 PM

OK, I've deleted the laf1.dll file using LSPFix. Here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:17:09, on 26/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [pros] C:\WINDOWS\system32\valu1e.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [pros] C:\WINDOWS\system32\valu1e.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Suggestions - {2223664C-1942-4276-9A2D-E8D8F547C5D2} - res://EffiPeled (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200707...ple.com/qtactivex/qtplugin.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...sorManiaFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/.../client/wuweb_site.cab?1164137377925
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...86/client/muweb_site.cab?1164212819926
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www...2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/fi...tivePreQual.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12139 bytes

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:18 AM

Posted 27 September 2007 - 06:58 AM

Ok, that went perfectly. :thumbsup:

Copy and paste ALL the following text in the quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.


File::
C:\WINDOWS\system32\laf1.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Logon Application"=-
"pros"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"pros"=-

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.


========================================================
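The CFScript above and the O4 (autorun) lines of the HijackThis log in post #8, cross-checked by a small parser. This is an added example for the thread, not code from the thread, from ComboFix or from HijackThis. It assumes the .reg-file convention the script uses, where `"name"=-` deletes the named value under the preceding `[key]`, and that `\..\` in a HijackThis O4 line abbreviates `Software\Microsoft\Windows\CurrentVersion`. The two inputs are constructed excerpts modelled on the posted log and script, not the full originals.

```python
"""Cross-check a ComboFix CFScript against a HijackThis log.

Added example; not part of the thread, of ComboFix or of HijackThis. It parses
the HijackThis "O4" autorun lines and the CFScript "File::" / "Registry::"
sections and reports which autorun entries the script would remove, which it
leaves alone, and whether every deletion in the script corresponds to an entry
the log actually shows (a typo in a key or value name would otherwise delete
nothing and go unnoticed).
"""
import re

# Constructed excerpt of the HijackThis log from post #8 (O4 = autorun entries).
HJT_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [pros] C:\WINDOWS\system32\valu1e.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe
O4 - HKLM\..\RunServices: [pros] C:\WINDOWS\system32\valu1e.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
"""

# The CFScript from post #9 (.reg syntax: "name"=- deletes that value).
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\laf1.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Logon Application"=-
"pros"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"pros"=-
"""

# HijackThis abbreviates hives; .reg-style scripts spell them out. Map both to one form.
HIVES = {
    "HKEY_LOCAL_MACHINE": "HKLM", "HKLM": "HKLM",
    "HKEY_CURRENT_USER": "HKCU", "HKCU": "HKCU",
    "HKEY_USERS": "HKU", "HKUS": "HKU", "HKU": "HKU",
}
# In HijackThis O4 lines, "\..\" stands for this subkey path (assumption stated in the lead-in).
O4_BASE = r"software\microsoft\windows\currentversion"
O4_RE = re.compile(r"^O4 - (?P<prefix>\S+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DELETE_RE = re.compile(r'"(?P<name>[^"]*)"=-$')


def normalize_key(path):
    """Canonical, case-insensitive form of a registry key path: short hive + lower-cased subkey."""
    hive, _, rest = path.partition("\\")
    return HIVES.get(hive.upper(), hive.upper()) + "\\" + rest.lower()


def parse_hjt_autoruns(text):
    """Return the O4 entries of a HijackThis log as (key, value_name, command) tuples."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            key = normalize_key(f"{m['prefix']}\\{O4_BASE}\\{m['key']}")
            entries.append((key, m["name"], m["cmd"]))
    return entries


def parse_cfscript(text):
    """Return (files, deletions): File:: paths and a set of (key, value_name_lower) from Registry::."""
    files, deletions = [], set()
    section = current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):            # section header such as File:: or Registry::
            section, current_key = line[:-2].lower(), None
        elif section == "file":
            files.append(line)
        elif section == "registry":
            if line.startswith("[") and line.endswith("]"):
                current_key = normalize_key(line[1:-1])
            else:
                m = DELETE_RE.match(line)
                if m and current_key:
                    deletions.add((current_key, m["name"].lower()))
    return files, deletions


def cross_reference(hjt_text, cf_text):
    """Report what the script removes, what it keeps, and deletions with no log counterpart."""
    autoruns = parse_hjt_autoruns(hjt_text)
    files, deletions = parse_cfscript(cf_text)
    removed = [e for e in autoruns if (e[0], e[1].lower()) in deletions]
    kept = [e for e in autoruns if (e[0], e[1].lower()) not in deletions]
    seen = {(e[0], e[1].lower()) for e in autoruns}
    unmatched = sorted(deletions - seen)
    return {"files": files, "removed": removed, "kept": kept, "unmatched": unmatched}


if __name__ == "__main__":
    report = cross_reference(HJT_LOG, CFSCRIPT)
    for key, name, cmd in report["removed"]:
        print(f"REMOVE  {key}  [{name}] {cmd}")
    for key, name, cmd in report["kept"]:
        print(f"keep    {key}  [{name}] {cmd}")
    for key, name in report["unmatched"]:
        print(f"WARNING script deletes {key} [{name}] but the log shows no such entry")
```

Run it as a plain script: on the excerpt above it reports the three entries the script removes (both `pros` values and `Windows Logon Application`), the Defender and CTFMON entries it leaves alone, and no unmatched deletions. The `unmatched` list is the check worth doing before dragging a script onto ComboFix: a deletion that matches nothing in the log means the key or value name in the script does not match what the log shows.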

#10 wend

wend
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Scotland, north lanarkshire
  • Local time:02:18 PM

Posted 27 September 2007 - 09:09 AM

After the LSPFix and removing the laf1.dll file last night I got my Norton installed, thanks for that.

Carried out the above instructions, but as ComboFix was running I received a virus alert from Norton (laf3.dll file was found and deleted by Norton).

When ComboFix was rebooting my computer I also received the following: ''Nircmd.exe.cfexe.dll failed to initialise because the window station was/is shutting down''

Below are the logs.

ComboFix 07-09-21.2 - "Stuart" 2007-09-27 14:41:49.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.124 [GMT 1:00]
* Created a new restore point

FILE::
C:\WINDOWS\system32\laf1.dll
.

((((((((((((((((((((((((( Files Created from 2007-08-27 to 2007-09-27 )))))))))))))))))))))))))))))))
.

2007-09-26 22:02 <DIR> d-------- C:\DOCUME~1\Wendy\APPLIC~1\Symantec
2007-09-26 02:37 <DIR> d-------- C:\WINDOWS\pss
2007-09-25 18:44 <DIR> dr-h----- C:\DOCUME~1\Stuart\APPLIC~1\yahoo!
2007-09-25 17:27 <DIR> d-------- C:\DOCUME~1\Stuart\APPLIC~1\Symantec
2007-09-25 17:17 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-09-25 17:15 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-09-25 17:15 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-25 10:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-09-25 10:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-09-25 03:01 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-24 17:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-09-24 17:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-09-24 17:06 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-09-24 15:11 812,344 --a------ C:\Program Files\HJTInstall.exe
2007-09-24 15:11 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-24 14:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-09-24 01:08 <DIR> d-------- C:\Program Files\Windows Defender
2007-09-12 01:03 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-12 01:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-09-12 01:01 <DIR> d-------- C:\Program Files\QuickTime
2007-09-10 03:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-09-10 03:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-09-10 03:32 <DIR> d-------- C:\Program Files\Viewpoint
2007-09-10 03:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-09-10 03:31 335 --a------ C:\WINDOWS\nsreg.dat
2007-09-10 03:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-08-27 17:13 97,672 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-08-27 17:13 537,992 --a------ C:\WINDOWS\system32\SymNeti.dll
2007-08-27 17:13 31,624 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-08-27 17:13 28,040 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-08-27 17:13 23,944 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-08-27 17:13 189,320 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-08-27 17:13 161,160 --a------ C:\WINDOWS\system32\SymRedir.dll
2007-08-27 17:13 12,680 --a------ C:\WINDOWS\system32\drivers\symdns.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-27 14:44 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-26 18:32 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-09-26 18:32 10676 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-09-26 18:32 --------- d-------- C:\Program Files\Symantec
2007-09-25 17:25 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-09-25 16:22 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-09-25 10:34 --------- d-------- C:\Program Files\Yahoo!
2007-09-25 08:51 --------- d-------- C:\Program Files\MSN Messenger
2007-09-25 07:15 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-09-24 11:13 --------- d-------- C:\Program Files\Lexmark X1100 Series
2007-09-22 14:31 --------- d-------- C:\DOCUME~1\Stuart\APPLIC~1\LimeWire
2007-09-22 05:58 --------- d-------- C:\DOCUME~1\Stuart\APPLIC~1\BitTorrent
2007-09-02 16:59 --------- d-------- C:\DOCUME~1\Eilidh\APPLIC~1\Real
2007-09-01 18:40 --------- d-------- C:\Program Files\LimeWire
2007-08-29 03:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-29 03:05 --------- d-------- C:\Program Files\Google
2007-08-28 18:45 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-27 15:32 --------- d-------- C:\DOCUME~1\Stuart\APPLIC~1\MSN6
2007-08-27 00:26 --------- d-------- C:\DOCUME~1\Wendy\APPLIC~1\Real
2007-08-24 21:22 --------- d-------- C:\Program Files\VideoLAN
2007-08-24 21:22 --------- d-------- C:\Program Files\NCH Swift Sound
2007-08-24 21:22 --------- d-------- C:\DOCUME~1\Stuart\APPLIC~1\NCH Swift Sound
2007-08-06 13:33 --------- d-------- C:\Program Files\Common Files\Teleca Shared
2007-08-06 13:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-19 07:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-13 00:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 15:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 15:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 15:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 15:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 15:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 15:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 15:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 15:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 15:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 15:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 15:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 15:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 15:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 15:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 15:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 15:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 15:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 15:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 15:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 09:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 09:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 09:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 08:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot_2007-09-25_ 31646.65 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 32,528 2003-10-15 17:52:46 C:\WINDOWS\amcap.exe
----a-w 135,168 2003-10-15 17:52:48 C:\WINDOWS\ov519cap.exe
----a-w 61,440 2003-10-15 17:52:48 C:\WINDOWS\ov519dib.dll
----a-w 200,704 2003-10-15 17:52:50 C:\WINDOWS\sel3110.exe
----a-w 307,200 2003-10-15 17:52:50 C:\WINDOWS\vidcap32.exe
----a-w 6,059,008 2007-06-27 14:39:51 C:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\ieframe.dll
-c--a-w 31,856 2006-11-07 20:04:18 C:\WINDOWS\ie7\spuninst\iecustom.dll
-c--a-w 66,048 2006-11-07 20:01:06 C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
-c--a-w 213,216 2006-09-06 15:43:16 C:\WINDOWS\ie7\spuninst\spuninst.exe
-c--a-w 371,424 2006-09-06 15:43:18 C:\WINDOWS\ie7\spuninst\updspapi.dll
-c----w 123,904 2006-11-07 02:26:24 C:\WINDOWS\ie7updates\KB937143-IE7\advpack.dll
-c----w 132,608 2007-06-27 14:39:42 C:\WINDOWS\ie7updates\KB937143-IE7\extmgr.dll
-c----w 54,784 2006-11-07 02:26:28 C:\WINDOWS\ie7updates\KB937143-IE7\ie4uinit.exe
-c----w 152,064 2006-11-07 02:26:56 C:\WINDOWS\ie7updates\KB937143-IE7\ieakeng.dll
-c----w 229,376 2006-11-07 02:27:02 C:\WINDOWS\ie7updates\KB937143-IE7\ieaksie.dll
-c----w 161,792 2006-11-07 02:25:14 C:\WINDOWS\ie7updates\KB937143-IE7\ieakui.dll
-c----w 2,451,824 2006-09-05 22:01:26 C:\WINDOWS\ie7updates\KB937143-IE7\ieapfltr.dat
-c----w 380,928 2006-10-17 10:27:56 C:\WINDOWS\ie7updates\KB937143-IE7\ieapfltr.dll
-c----w 382,976 2006-11-07 02:27:10 C:\WINDOWS\ie7updates\KB937143-IE7\iedkcs32.dll
-c----w 6,049,280 2006-11-07 20:03:36 C:\WINDOWS\ie7updates\KB937143-IE7\ieframe.dll
-c----w 43,008 2006-11-07 02:26:28 C:\WINDOWS\ie7updates\KB937143-IE7\iernonce.dll
-c----w 266,752 2006-10-17 10:57:20 C:\WINDOWS\ie7updates\KB937143-IE7\iertutil.dll
-c----w 13,312 2006-11-07 02:26:32 C:\WINDOWS\ie7updates\KB937143-IE7\ieudinit.exe
-c----w 622,080 2006-10-17 11:04:40 C:\WINDOWS\ie7updates\KB937143-IE7\iexplore.exe
-c----w 27,136 2006-11-07 20:03:36 C:\WINDOWS\ie7updates\KB937143-IE7\jsproxy.dll
-c----w 458,752 2006-11-07 20:03:36 C:\WINDOWS\ie7updates\KB937143-IE7\msfeeds.dll
-c----w 50,688 2006-11-07 20:03:36 C:\WINDOWS\ie7updates\KB937143-IE7\msfeedsbs.dll
-c----w 3,577,856 2006-11-07 20:03:36 C:\WINDOWS\ie7updates\KB937143-IE7\mshtml.dll
-c----w 475,648 2006-11-07 20:03:36 C:\WINDOWS\ie7updates\KB937143-IE7\mshtmled.dll
-c----w 192,000 2006-10-17 11:05:10 C:\WINDOWS\ie7updates\KB937143-IE7\msrating.dll
-c----w 670,720 2006-11-07 20:03:36 C:\WINDOWS\ie7updates\KB937143-IE7\mstime.dll
-c----w 101,376 2006-10-17 11:04:46 C:\WINDOWS\ie7updates\KB937143-IE7\occache.dll
-c----w 22,752 2007-03-06 01:22:34 C:\WINDOWS\ie7updates\KB937143-IE7\spcustom.dll
-c----w 14,048 2007-03-06 01:22:36 C:\WINDOWS\ie7updates\KB937143-IE7\spmsg.dll
-c----w 213,216 2007-03-06 01:22:41 C:\WINDOWS\ie7updates\KB937143-IE7\spuninst.exe
-c----w 716,000 2007-03-06 01:22:59 C:\WINDOWS\ie7updates\KB937143-IE7\update.exe
-c----w 371,424 2007-03-06 01:23:51 C:\WINDOWS\ie7updates\KB937143-IE7\updspapi.dll
-c----w 105,984 2006-10-17 11:05:22 C:\WINDOWS\ie7updates\KB937143-IE7\url.dll
-c----w 1,162,240 2006-11-07 20:03:36 C:\WINDOWS\ie7updates\KB937143-IE7\urlmon.dll
-c----w 231,424 2006-11-07 20:03:36 C:\WINDOWS\ie7updates\KB937143-IE7\webcheck.dll
-c----w 818,688 2006-11-07 20:03:36 C:\WINDOWS\ie7updates\KB937143-IE7\wininet.dll
----a-r 29,926 2007-09-25 07:51:49 C:\WINDOWS\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
----a-r 10,134 2007-09-25 16:20:16 C:\WINDOWS\Installer\{77772678-817F-4401-9301-ED1D01A8DA56}\ARPPRODUCTICON.exe
----a-w 14,048 2007-03-06 01:22:36 C:\WINDOWS\SoftwareDistribution\Download\16665ed3c40ea6a0c9841eec5f15a718\spmsg.dll
----a-w 213,216 2007-03-06 01:22:41 C:\WINDOWS\SoftwareDistribution\Download\16665ed3c40ea6a0c9841eec5f15a718\spuninst.exe
----a-w 765,952 2007-07-12 23:31:54 C:\WINDOWS\SoftwareDistribution\Download\16665ed3c40ea6a0c9841eec5f15a718\sp2gdr\vgx.dll
----a-w 22,752 2007-03-06 01:22:34 C:\WINDOWS\SoftwareDistribution\Download\16665ed3c40ea6a0c9841eec5f15a718\update\spcustom.dll
----a-w 716,000 2007-03-06 01:22:59 C:\WINDOWS\SoftwareDistribution\Download\16665ed3c40ea6a0c9841eec5f15a718\update\update.exe
----a-w 371,424 2007-03-06 01:23:51 C:\WINDOWS\SoftwareDistribution\Download\16665ed3c40ea6a0c9841eec5f15a718\update\updspapi.dll
----a-w 14,048 2007-03-06 01:22:36 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\spmsg.dll
----a-w 213,216 2007-03-06 01:22:41 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\spuninst.exe
----a-w 124,928 2007-06-27 14:34:51 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\advpack.dll
----a-w 132,608 2007-06-27 14:34:51 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\extmgr.dll
----a-w 63,488 2007-06-27 08:27:04 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\ie4uinit.exe
----a-w 153,088 2007-06-27 14:34:51 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\ieakeng.dll
----a-w 230,400 2007-06-27 14:34:51 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\ieaksie.dll
----a-w 161,792 2007-06-27 07:00:33 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\ieakui.dll
----a-w 2,455,488 2007-04-17 09:28:12 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\ieapfltr.dat
----a-w 383,488 2007-06-27 14:34:51 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\ieapfltr.dll
----a-w 384,512 2007-06-27 14:34:51 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\iedkcs32.dll
----a-w 6,058,496 2007-06-27 14:34:55 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\ieframe.dll
----a-w 44,544 2007-06-27 14:34:55 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\iernonce.dll
----a-w 267,776 2007-06-27 14:34:55 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\iertutil.dll
----a-w 13,824 2007-06-27 08:27:05 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\ieudinit.exe
----a-w 625,152 2007-06-27 08:27:30 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\iexplore.exe
----a-w 27,648 2007-06-27 14:34:56 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\jsproxy.dll
----a-w 459,264 2007-06-27 14:34:56 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\msfeeds.dll
----a-w 52,224 2007-06-27 14:34:56 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\msfeedsbs.dll
----a-w 3,583,488 2007-07-19 06:59:59 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\mshtml.dll
----a-w 477,696 2007-06-27 14:34:57 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\mshtmled.dll
----a-w 193,024 2007-06-27 14:34:58 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\msrating.dll
----a-w 671,232 2007-06-27 14:34:58 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\mstime.dll
----a-w 102,400 2007-06-27 14:34:58 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\occache.dll
----a-w 105,984 2007-06-27 14:34:58 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\url.dll
----a-w 1,152,000 2007-06-27 14:34:58 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\urlmon.dll
----a-w 232,960 2007-06-27 14:34:59 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\webcheck.dll
----a-w 823,808 2007-06-27 14:34:59 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2gdr\wininet.dll
----a-w 124,928 2007-06-27 14:39:42 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\advpack.dll
----a-w 132,608 2007-06-27 14:39:42 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\extmgr.dll
----a-w 63,488 2007-06-27 09:16:27 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\ie4uinit.exe
----a-w 153,088 2007-06-27 14:39:42 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\ieakeng.dll
----a-w 230,400 2007-06-27 14:39:43 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\ieaksie.dll
----a-w 161,792 2007-06-27 07:07:01 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\ieakui.dll
----a-w 384,512 2007-06-27 14:39:44 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\iedkcs32.dll
----a-w 6,059,008 2007-06-27 14:39:51 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\ieframe.dll
----a-w 44,544 2007-06-27 14:39:51 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\iernonce.dll
----a-w 267,776 2007-06-27 14:39:52 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\iertutil.dll
----a-w 13,824 2007-06-27 09:16:27 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\ieudinit.exe
----a-w 625,152 2007-06-27 09:16:52 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\iexplore.exe
----a-w 27,648 2007-06-27 14:39:54 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\jsproxy.dll
----a-w 459,264 2007-06-27 14:39:55 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\msfeeds.dll
----a-w 52,224 2007-06-27 14:39:55 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\msfeedsbs.dll
----a-w 477,696 2007-06-27 14:40:00 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\mshtmled.dll
----a-w 193,024 2007-06-27 14:40:01 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\msrating.dll
----a-w 671,232 2007-06-27 14:40:01 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\mstime.dll
----a-w 102,400 2007-06-27 14:40:01 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\occache.dll
----a-w 105,984 2007-06-27 14:40:01 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\url.dll
----a-w 1,154,048 2007-06-27 14:40:02 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\urlmon.dll
----a-w 232,960 2007-06-27 14:40:02 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\webcheck.dll
----a-w 824,320 2007-06-27 14:40:03 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\sp2qfe\wininet.dll
----a-w 22,752 2007-03-06 01:22:34 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\update\spcustom.dll
----a-w 716,000 2007-03-06 01:22:59 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\update\update.exe
----a-w 371,424 2007-03-06 01:23:51 C:\WINDOWS\SoftwareDistribution\Download\fbd74e253a9131770d5798b356214bc9\update\updspapi.dll
----a-w 71,680 2006-11-07 02:26:44 C:\WINDOWS\system32\admparse.dll
----a-w 1,022,976 2006-09-23 11:12:50 C:\WINDOWS\system32\browseui.dll
----a-w 17,408 2006-10-17 11:03:56 C:\WINDOWS\system32\corpol.dll
----a-w 346,624 2006-10-17 10:58:06 C:\WINDOWS\system32\dxtmsft.dll
----a-w 214,528 2006-10-17 10:57:50 C:\WINDOWS\system32\dxtrans.dll
------w 61,952 2006-10-17 10:58:20 C:\WINDOWS\system32\icardie.dll
----a-w 78,336 2006-10-17 11:06:00 C:\WINDOWS\system32\ieencode.dll
----a-w 191,488 2006-11-07 20:03:36 C:\WINDOWS\system32\iepeers.dll
----a-w 55,296 2006-11-07 02:26:42 C:\WINDOWS\system32\iesetup.dll
------w 180,736 2006-11-07 20:03:36 C:\WINDOWS\system32\ieui.dll
----a-w 36,352 2006-10-17 10:57:58 C:\WINDOWS\system32\imgutil.dll
----a-w 92,672 2006-11-07 02:26:24 C:\WINDOWS\system32\inseng.dll
----a-w 491,520 2006-10-17 11:00:00 C:\WINDOWS\system32\jscript.dll
----a-w 40,960 2006-10-17 11:05:10 C:\WINDOWS\system32\licmgr10.dll
------w 12,288 2006-10-17 10:58:32 C:\WINDOWS\system32\msfeedssync.exe
----a-w 45,568 2006-10-17 10:56:10 C:\WINDOWS\system32\mshta.exe
----a-w 48,128 2006-10-17 10:28:56 C:\WINDOWS\system32\mshtmler.dll
----a-w 156,160 2006-11-07 20:03:36 C:\WINDOWS\system32\msls31.dll
----a-w 40,960 2003-10-15 17:52:48 C:\WINDOWS\system32\ov519ext.dll
----a-w 44,544 2006-10-17 10:58:08 C:\WINDOWS\system32\pngfilt.dll
----a-w 1,497,088 2006-09-23 11:12:50 C:\WINDOWS\system32\shdocvw.dll
----a-w 474,112 2006-09-23 11:12:50 C:\WINDOWS\system32\shlwapi.dll
----a-w 51,056 2007-01-19 11:53:04 C:\WINDOWS\system32\sirenacm.dll
----a-w 413,696 2006-11-07 20:03:36 C:\WINDOWS\system32\vbscript.dll
----a-w 53,760 2004-08-04 06:56:46 C:\WINDOWS\system32\vfwwdm32.dll
------w 206,336 2006-10-17 11:05:58 C:\WINDOWS\system32\WinFXDocObj.exe
------w 71,680 2006-11-07 02:26:44 C:\WINDOWS\system32\dllcache\admparse.dll
----a-w 1,022,976 2006-09-23 11:12:50 C:\WINDOWS\system32\dllcache\browseui.dll
------w 17,408 2006-10-17 11:03:56 C:\WINDOWS\system32\dllcache\corpol.dll
----a-w 33,792 2006-11-07 20:03:36 C:\WINDOWS\system32\dllcache\custsat.dll
----a-w 346,624 2006-10-17 10:58:06 C:\WINDOWS\system32\dllcache\dxtmsft.dll
----a-w 214,528 2006-10-17 10:57:50 C:\WINDOWS\system32\dllcache\dxtrans.dll
------w 60,416 2006-10-17 10:44:36 C:\WINDOWS\system32\dllcache\hmmapi.dll
----a-w 69,120 2006-10-17 11:04:50 C:\WINDOWS\system32\dllcache\iedw.exe
------w 78,336 2006-10-17 11:06:00 C:\WINDOWS\system32\dllcache\ieencode.dll
----a-w 191,488 2006-11-07 20:03:36 C:\WINDOWS\system32\dllcache\iepeers.dll
------w 55,296 2006-11-07 02:26:42 C:\WINDOWS\system32\dllcache\iesetup.dll
------w 36,352 2006-10-17 10:57:58 C:\WINDOWS\system32\dllcache\imgutil.dll
----a-w 92,672 2006-11-07 02:26:24 C:\WINDOWS\system32\dllcache\inseng.dll
----a-w 47,616 2004-08-04 06:56:42 C:\WINDOWS\system32\dllcache\iyuv_32.dll
----a-w 491,520 2006-10-17 11:00:00 C:\WINDOWS\system32\dllcache\jscript.dll
----a-w 140,928 2004-08-04 05:15:22 C:\WINDOWS\system32\dllcache\ks.sys
----a-w 4,096 2004-08-04 06:56:42 C:\WINDOWS\system32\dllcache\ksuser.dll
------w 40,960 2006-10-17 11:05:10 C:\WINDOWS\system32\dllcache\licmgr10.dll
------w 45,568 2006-10-17 10:56:10 C:\WINDOWS\system32\dllcache\mshta.exe
------w 48,128 2006-10-17 10:28:56 C:\WINDOWS\system32\dllcache\mshtmler.dll
----a-w 156,160 2006-11-07 20:03:36 C:\WINDOWS\system32\dllcache\msls31.dll
----a-w 17,408 2004-08-04 06:56:44 C:\WINDOWS\system32\dllcache\msyuv.dll
----a-w 44,544 2006-10-17 10:58:08 C:\WINDOWS\system32\dllcache\pngfilt.dll
----a-w 1,497,088 2006-09-23 11:12:50 C:\WINDOWS\system32\dllcache\shdocvw.dll
----a-w 474,112 2006-09-23 11:12:50 C:\WINDOWS\system32\dllcache\shlwapi.dll
----a-w 8,192 2001-08-17 21:36:34 C:\WINDOWS\system32\dllcache\tsbyuv.dll
------w 413,696 2006-11-07 20:03:36 C:\WINDOWS\system32\dllcache\vbscript.dll
----a-w 479,232 2006-06-05 13:14:28 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
----a-w 548,864 2006-06-05 13:14:28 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
----a-w 626,688 2006-06-05 13:14:28 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
.
-c--a-w 32,528 2003-10-15 17:52:46 C:\WINDOWS\amcap.exe
-c--a-w 135,168 2003-10-15 17:52:48 C:\WINDOWS\ov519cap.exe
-c--a-w 61,440 2003-10-15 17:52:48 C:\WINDOWS\ov519dib.dll
-c--a-w 200,704 2003-10-15 17:52:50 C:\WINDOWS\sel3110.exe
-c--a-w 307,200 2003-10-15 17:52:50 C:\WINDOWS\vidcap32.exe
-c--a-w 6,059,008 2007-06-27 14:39:51 C:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\ieframe.dll
-c--a-w 31,856 2006-11-07 21:04:18 C:\WINDOWS\ie7\spuninst\iecustom.dll
-c--a-w 66,048 2006-11-07 21:01:06 C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
-c--a-w 213,216 2006-09-06 16:43:16 C:\WINDOWS\ie7\spuninst\spuninst.exe
-c--a-w 371,424 2006-09-06 16:43:18 C:\WINDOWS\ie7\spuninst\updspapi.dll
-c----w 124,928 2007-04-25 08:41:08 C:\WINDOWS\ie7updates\KB937143-IE7\advpack.dll
-c----w 132,608 2007-04-25 08:41:09 C:\WINDOWS\ie7updates\KB937143-IE7\extmgr.dll
-c----w 56,832 2007-04-24 14:26:20 C:\WINDOWS\ie7updates\KB937143-IE7\ie4uinit.exe
-c----w 153,088 2007-04-25 08:41:09 C:\WINDOWS\ie7updates\KB937143-IE7\ieakeng.dll
-c----w 230,400 2007-04-25 08:41:10 C:\WINDOWS\ie7updates\KB937143-IE7\ieaksie.dll
-c----w 161,792 2007-04-24 07:30:38 C:\WINDOWS\ie7updates\KB937143-IE7\ieakui.dll
-c----w 383,488 2007-04-25 08:41:10 C:\WINDOWS\ie7updates\KB937143-IE7\ieapfltr.dll
-c----w 384,512 2007-04-25 08:41:10 C:\WINDOWS\ie7updates\KB937143-IE7\iedkcs32.dll
-c----w 6,058,496 2007-04-25 08:41:11 C:\WINDOWS\ie7updates\KB937143-IE7\ieframe.dll
-c----w 44,544 2007-04-25 08:41:11 C:\WINDOWS\ie7updates\KB937143-IE7\iernonce.dll
-c----w 267,776 2007-04-25 08:41:11 C:\WINDOWS\ie7updates\KB937143-IE7\iertutil.dll
-c----w 13,824 2007-04-24 14:26:20 C:\WINDOWS\ie7updates\KB937143-IE7\ieudinit.exe
-c----w 625,152 2007-04-24 14:26:26 C:\WINDOWS\ie7updates\KB937143-IE7\iexplore.exe
-c----w 27,648 2007-04-25 08:41:13 C:\WINDOWS\ie7updates\KB937143-IE7\jsproxy.dll
-c----w 459,264 2007-04-25 08:41:13 C:\WINDOWS\ie7updates\KB937143-IE7\msfeeds.dll
-c----w 52,224 2007-04-25 08:41:13 C:\WINDOWS\ie7updates\KB937143-IE7\msfeedsbs.dll
-c----w 3,583,488 2007-05-08 09:24:35 C:\WINDOWS\ie7updates\KB937143-IE7\mshtml.dll
-c----w 477,696 2007-04-25 08:41:15 C:\WINDOWS\ie7updates\KB937143-IE7\mshtmled.dll
-c----w 193,024 2007-04-25 08:41:15 C:\WINDOWS\ie7updates\KB937143-IE7\msrating.dll
-c----w 670,720 2007-04-25 08:41:15 C:\WINDOWS\ie7updates\KB937143-IE7\mstime.dll
-c----w 102,400 2007-04-25 08:41:15 C:\WINDOWS\ie7updates\KB937143-IE7\occache.dll
-c----w 105,984 2007-04-25 08:41:15 C:\WINDOWS\ie7updates\KB937143-IE7\url.dll
-c----w 1,152,000 2007-04-25 08:41:16 C:\WINDOWS\ie7updates\KB937143-IE7\urlmon.dll
-c----w 232,960 2007-04-25 08:41:17 C:\WINDOWS\ie7updates\KB937143-IE7\webcheck.dll
-c----w 822,784 2007-04-25 08:41:17 C:\WINDOWS\ie7updates\KB937143-IE7\wininet.dll
----a-r 29,926 2007-03-11 12:02:20 C:\WINDOWS\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
-c--a-r 10,134 2006-11-23 14:28:55 C:\WINDOWS\Installer\{77772678-817F-4401-9301-ED1D01A8DA56}\ARPPRODUCTICON.exe
-c--a-w 71,680 2006-11-07 03:26:44 C:\WINDOWS\system32\admparse.dll
----a-w 1,022,976 2006-09-23 12:12:50 C:\WINDOWS\system32\browseui.dll
----a-w 17,408 2007-01-08 19:01:14 C:\WINDOWS\system32\corpol.dll
----a-w 346,624 2006-10-17 11:58:06 C:\WINDOWS\system32\dxtmsft.dll
----a-w 214,528 2006-10-17 11:57:50 C:\WINDOWS\system32\dxtrans.dll
------w 61,952 2006-10-17 11:58:20 C:\WINDOWS\system32\icardie.dll
----a-w 78,336 2006-10-17 12:06:00 C:\WINDOWS\system32\ieencode.dll
----a-w 191,488 2006-11-07 21:03:36 C:\WINDOWS\system32\iepeers.dll
-c--a-w 55,296 2006-11-07 03:26:42 C:\WINDOWS\system32\iesetup.dll
------w 180,736 2006-11-07 21:03:36 C:\WINDOWS\system32\ieui.dll
----a-w 36,352 2006-10-17 11:57:58 C:\WINDOWS\system32\imgutil.dll
-c--a-w 92,672 2006-11-07 03:26:24 C:\WINDOWS\system32\inseng.dll
----a-w 491,520 2006-10-17 12:00:00 C:\WINDOWS\system32\jscript.dll
-c--a-w 40,960 2006-10-17 12:05:10 C:\WINDOWS\system32\licmgr10.dll
-c----w 12,288 2006-10-17 11:58:32 C:\WINDOWS\system32\msfeedssync.exe
----a-w 45,568 2006-10-17 11:56:10 C:\WINDOWS\system32\mshta.exe
-c--a-w 48,128 2006-10-17 11:28:56 C:\WINDOWS\system32\mshtmler.dll
----a-w 156,160 2006-11-07 21:03:36 C:\WINDOWS\system32\msls31.dll
-c--a-w 40,960 2003-10-15 17:52:48 C:\WINDOWS\system32\ov519ext.dll
----a-w 44,544 2006-10-17 11:58:08 C:\WINDOWS\system32\pngfilt.dll
----a-w 1,497,088 2006-09-23 12:12:50 C:\WINDOWS\system32\shdocvw.dll
----a-w 474,112 2006-09-23 12:12:50 C:\WINDOWS\system32\shlwapi.dll
----a-w 413,696 2006-11-07 21:03:36 C:\WINDOWS\system32\vbscript.dll
-c--a-w 53,760 2004-08-04 06:56:46 C:\WINDOWS\system32\vfwwdm32.dll
-c----w 206,336 2006-10-17 12:05:58 C:\WINDOWS\system32\WinFXDocObj.exe
-c--a-w 71,680 2006-11-07 03:26:44 C:\WINDOWS\system32\dllcache\admparse.dll
-c--a-w 1,022,976 2006-09-23 12:12:50 C:\WINDOWS\system32\dllcache\browseui.dll
-c----w 17,408 2007-01-08 19:01:14 C:\WINDOWS\system32\dllcache\corpol.dll
-c--a-w 28,672 2004-08-04 07:56:41 C:\WINDOWS\system32\dllcache\custsat.dll
-c--a-w 346,624 2006-10-17 11:58:06 C:\WINDOWS\system32\dllcache\dxtmsft.dll
-c--a-w 214,528 2006-10-17 11:57:50 C:\WINDOWS\system32\dllcache\dxtrans.dll
-c----w 60,416 2006-10-17 11:44:36 C:\WINDOWS\system32\dllcache\hmmapi.dll
-c--a-w 69,120 2006-10-17 12:04:50 C:\WINDOWS\system32\dllcache\iedw.exe
-c----w 78,336 2006-10-17 12:06:00 C:\WINDOWS\system32\dllcache\ieencode.dll
-c--a-w 191,488 2006-11-07 21:03:36 C:\WINDOWS\system32\dllcache\iepeers.dll
-c--a-w 55,296 2006-11-07 03:26:42 C:\WINDOWS\system32\dllcache\iesetup.dll
-c----w 36,352 2006-10-17 11:57:58 C:\WINDOWS\system32\dllcache\imgutil.dll
-c--a-w 92,672 2006-11-07 03:26:24 C:\WINDOWS\system32\dllcache\inseng.dll
-c--a-w 47,616 2004-08-04 06:56:42 C:\WINDOWS\system32\dllcache\iyuv_32.dll
-c--a-w 491,520 2006-10-17 12:00:00 C:\WINDOWS\system32\dllcache\jscript.dll
-c--a-w 140,928 2004-08-04 05:15:22 C:\WINDOWS\system32\dllcache\ks.sys
-c--a-w 4,096 2004-08-04 06:56:42 C:\WINDOWS\system32\dllcache\ksuser.dll
-c--a-w 40,960 2006-10-17 12:05:10 C:\WINDOWS\system32\dllcache\licmgr10.dll
-c----w 45,568 2006-10-17 11:56:10 C:\WINDOWS\system32\dllcache\mshta.exe
-c--a-w 48,128 2006-10-17 11:28:56 C:\WINDOWS\system32\dllcache\mshtmler.dll
-c--a-w 156,160 2006-11-07 21:03:36 C:\WINDOWS\system32\dllcache\msls31.dll
-c--a-w 17,408 2004-08-04 06:56:44 C:\WINDOWS\system32\dllcache\msyuv.dll
-c--a-w 44,544 2006-10-17 11:58:08 C:\WINDOWS\system32\dllcache\pngfilt.dll
-c--a-w 1,497,088 2006-09-23 12:12:50 C:\WINDOWS\system32\dllcache\shdocvw.dll
-c--a-w 474,112 2006-09-23 12:12:50 C:\WINDOWS\system32\dllcache\shlwapi.dll
-c--a-w 8,192 2001-08-17 21:36:34 C:\WINDOWS\system32\dllcache\tsbyuv.dll
-c----w 413,696 2006-11-07 21:03:36 C:\WINDOWS\system32\dllcache\vbscript.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EM_EXEC"="C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-08-24 10:40]
"ACTIVBOARD"="C:\Apps\ActivBoard\MMKeybd.exe" [2001-05-03 19:41]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 15:43]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-07-04 13:30]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-02-01 17:45]
"Update Service"="C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe" [2006-11-21 18:12]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2007-01-28 10:09 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-07-04 13:30 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys
R2 nhksrv;Netropa NHK Server;C:\Apps\ActivBoard\nhksrv.exe
R3 CVIAAUD;NEC VIA 3D Environmental Audio;C:\WINDOWS\system32\drivers\cviaaud.sys
R3 CVIAHALA;CVIAHALA;C:\WINDOWS\system32\drivers\cviahal.sys
R3 ovt519;%USB\vid_054c&pid_0155.DeviceDesc%;C:\WINDOWS\system32\Drivers\ov519vid.sys
R3 PxHelper;PxHelper;\??\C:\WINDOWS\System32\drivers\PxHelper.sys
S3 KvaziDVD;KvaziDVD;\??\C:\Program Files\MakBit Software\MakBit Virtual CD-DVD\kvazidvd.sys
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys
S3 V90drv;v90drv;C:\WINDOWS\system32\DRIVERS\v90drv.sys

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-09-27 13:54:49 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-09-26 17:27:08 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Stuart.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-27 14:53:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\winnt256.bmp
C:\WINDOWS\Windows Update.log
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\winhelp.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\winnt.bmp
C:\WINDOWS\WinSxS
C:\WINDOWS\WMFDist11.log
C:\WINDOWS\wmp11.log
C:\WINDOWS\wmsetup.log
C:\WINDOWS\wmsetup10.log
C:\WINDOWS\WMSysPr8.prx
C:\WINDOWS\WMSysPr9.prx
C:\WINDOWS\WMSysPrx.prx
C:\WINDOWS\Wudf01000Inst.log
C:\WINDOWS\xpsp1hfm.log
C:\WINDOWS\Zapotec.bmp
C:\WINDOWS\_default.pif

scan completed successfully
hidden files: 19

**************************************************************************
.
Completion time: 2007-09-27 14:59:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-27 14:58
C:\ComboFix2.txt ... 2007-09-25 03:19
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:04:04, on 27/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Suggestions - {2223664C-1942-4276-9A2D-E8D8F547C5D2} - res://EffiPeled (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1164137377925
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164212819926
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/fi...tivePreQual.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11186 bytes


Thanks for your help up to now, I don't know what I'd be doing without you guys.

wendy x x

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:18 AM

Posted 28 September 2007 - 09:22 AM

Good! It looks like we're making good progress here. Now let's run a couple things just to clean up anything that we missed.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



=====================




Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

Edited by Buckeye_Sam, 28 September 2007 - 09:24 AM.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 wend

wend
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Female
  • Location:Scotland, north lanarkshire
  • Local time:02:18 PM

Posted 29 September 2007 - 04:05 AM

OK, here are the SmitfraudFix and the F-scanner report logs.


SmitFraudFix v2.227

Scan done at 7:14:09.84, 29/09/2007
Run from C:\Documents and Settings\Stuart\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Stuart


C:\Documents and Settings\Stuart\Application Data


Start Menu


C:\DOCUME~1\Stuart\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Motorola SURFboard SB5101 USB Cable Modem - Packet Scheduler Miniport
DNS Server Search Order: 62.31.64.39
DNS Server Search Order: 62.31.112.39
DNS Server Search Order: 62.31.144.39

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A9D8FF02-206D-494D-A87F-C67C3B48CE8E}: DhcpNameServer=62.31.64.39 62.31.112.39 62.31.144.39
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A9D8FF02-206D-494D-A87F-C67C3B48CE8E}: DhcpNameServer=62.31.64.39 62.31.112.39 62.31.144.39
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A9D8FF02-206D-494D-A87F-C67C3B48CE8E}: DhcpNameServer=62.31.64.39 62.31.112.39 62.31.144.39
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=62.31.64.39 62.31.112.39 62.31.144.39
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=62.31.64.39 62.31.112.39 62.31.144.39
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=62.31.64.39 62.31.112.39 62.31.144.39


Scanning for wininet.dll infection


End




Scanning Report
Saturday, September 29, 2007 07:20:10 - 09:12:06
Computer name: SN010718820064
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 23 malware found
Surfairy (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
Trojan-Downloader.JS.Agent.kd (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\03DE54ED.HTM (Renamed & Submitted)
Trojan-Downloader.Win32.Agent.bls (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\1CFD5F03.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\7E3B27B4.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Agent.doe (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{882BC9EF-5200-4C7A-9CBD-993FC830CD07}\RP12\A0001532.DLL (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\00F92CBC.DLL (Renamed & Submitted)
Trojan-Downloader.Win32.Zlob.cun (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\1D1A4215.DLL (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\20BC0015.DLL (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\269173AB.DLL (Renamed & Submitted)
Trojan-Proxy.Win32.Ranky.gb (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\07603C47.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\193E0A54.EXE (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 38188
System: 5322
Not scanned: 6
Actions:
Disinfected: 2
Renamed: 10
Deleted: 0
None: 11
Submitted: 10
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{66BD8605-3273-42D6-ACE6-3324817062B6}.BIN
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
C:\DOCUMENTS AND SETTINGS\STUART\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{39AD321F-498A-4C3C-B28E-5604997E53F7}

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:18 AM

Posted 29 September 2007 - 08:18 PM

That looks good also. How are things working on your end? Any problems?

#14 wend

wend
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Female
  • Location:Scotland, north lanarkshire
  • Local time:02:18 PM

Posted 30 September 2007 - 02:13 AM

Things are working fine my end, Norton installed and running and I can access my msn and yahoo, keyboard appears to be back to normal working order as well. No pop-ups on taskbar etc. Does this mean I'm back in good health then and no disease lol

wend x x

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:18 AM

Posted 30 September 2007 - 09:34 AM

Yes, you should be good to go! :blink:


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :wacko:
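The Custom Level changes in Buckeye_Sam's Internet Explorer steps correspond to per-user registry values under the Internet zone key, which is how the same settings can be audited on many machines instead of clicked through one dialog at a time. The PowerShell below is an added example, not code from the thread or from any tool mentioned in it; it assumes the documented IE zone action IDs (1001, 1004, 1201, 1800, 1804, 1607 with 0 = Enable, 1 = Prompt, 3 = Disable) and the standard HKCU zone path.

```powershell
# Added example (not from the thread): audit the Internet zone (zone 3) settings that the
# Custom Level steps in the post change, by reading the per-user registry values that the
# Internet Options dialog itself writes. Assumed: documented zone action IDs, 0/1/3 = Enable/Prompt/Disable.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values from the post, keyed by registry value name (the zone action ID).
$recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting([string]$ValueName) {
    # A missing value means IE is using the zone template default; report that as $null.
    $item = Get-ItemProperty -Path $zonePath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-InternetZone([switch]$Fix) {
    # Returns one line per setting that differs from the recommendation; empty = all match.
    $drift = @()
    foreach ($id in $recommended.Keys) {
        $want    = $recommended[$id].Want
        $current = Get-ZoneSetting $id
        $shown   = if ($null -eq $current) { 'not set (template default)' } else { $labels[$current] }
        if ($current -ne $want) {
            $drift += '{0}: currently {1}, recommended {2}' -f $recommended[$id].Name, $shown, $labels[$want]
            if ($Fix) {
                # Write the value as a DWORD, the same type IE itself stores for zone actions.
                Set-ItemProperty -Path $zonePath -Name $id -Value $want -Type DWord
            }
        }
    }
    return $drift
}

# Audit only by default; run "Test-InternetZone -Fix" to apply the recommended values.
Test-InternetZone | ForEach-Object { Write-Output $_ }
```

Machine-wide or Group Policy zone settings under HKLM take precedence over these per-user values when they are present, so a clean audit here does not by itself prove the effective policy.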



