Trojan Vundo + Winfixer + Errorsafe


  • This topic is locked
3 replies to this topic

#1 barry80

barry80

  • Members
  • 2 posts
  • OFFLINE

Posted 27 September 2007 - 01:46 AM

My Norton AV detected these 3 viruses and removed them, but once I restart my system, these 3 viruses are detected again...

I've tried ComboFix, VundoFix, FixVundo and VundoBegone; none of them can remove it either... :thumbsup: Someone please help me... Thank you!

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:49 PM, on 9/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\Symantec\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\BitComet Acceleration Patch\BitComet Acceleration Patch.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\System32\drwtsn32.exe
C:\Documents and Settings\Yip's WinXP\Local Settings\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\jroeyaxb.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {18F57D30-EF36-4C0E-9343-7BFA6DF79B4A} - http://active.micr0media.com/swflash.CAB
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://khoopt.dipmap.com/cab/OCXChecker_6100.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190479457281
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190479441625
O16 - DPF: {A5866BA0-E4D6-4B46-8C80-13D50EB1449B} (RecordCtl Class) - http://newspic.mop.com/music/MOPMusicRecorder.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://gameadvisor.futuremark.com/global/msc3121.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{821210E0-6865-466B-BC1B-7CC01948A8D8}: NameServer = 202.188.0.133,202.188.1.5
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~2\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10898 bytes


Combofix log

"Yip's WinXP" - 07-09-27 12:49:40.84 Service Pack 1
ComboFix 06-12-23W-BetaE2 - Running from: "D:\Software\ComboFix"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


g:\autorun.inf" . . . . failed to delete
h:\autorun.inf" . . . . failed to delete


((((((((((((((((((((((((((((((( Files Created from 2007-08-27 to 2007-09-27 ))))))))))))))))))))))))))))))))))


2007-09-27 12:43 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-09-27 01:24 84,032 --a------ C:\WINDOWS\system32\ehyvmbcy.dll
2007-09-26 23:42 84,032 --------- C:\WINDOWS\system32\cprymmmc.dll
2007-09-26 03:01 <DIR> d-------- C:\VundoFix Backups
2007-09-26 01:39 84,032 --a------ C:\WINDOWS\system32\lorbimtq.dll
2007-09-26 01:26 <DIR> d-------- C:\WINDOWS\CSC
2007-09-26 01:21 84,032 --a------ C:\WINDOWS\system32\jldyckmk.dll
2007-09-26 00:43 84,032 --a------ C:\WINDOWS\system32\kcjislno.dll
2007-09-23 03:46 86,080 --a------ C:\WINDOWS\system32\xuqwaswd.dll
2007-09-23 02:31 624,404 ---hs---- C:\WINDOWS\system32\hjllm.bak1
2007-09-22 14:30 623,935 ---hs---- C:\WINDOWS\system32\hjllm.bak2
2007-09-21 20:01 620,340 ---hs---- C:\WINDOWS\system32\hjllm.ini2
2007-09-21 02:30 306,784 --------- C:\WINDOWS\system32\mlljh.dll
2007-09-20 18:28 <DIR> d-------- C:\Program Files\iTunes
2007-09-20 18:28 <DIR> d-------- C:\Program Files\iPod
2007-09-20 18:19 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-20 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-19 23:40 <DIR> d-------- C:\Program Files\ImTOO


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-09-27 05:18 -------- d-------- C:\Program Files\warcraft iii
2007-09-27 01:54 -------- d---s---- C:\Program Files\xfire
2007-09-21 02:25 -------- d-------- C:\Program Files\limewire
2007-09-13 17:52 -------- d-------- C:\Program Files\bitcomet
2007-09-10 02:59 -------- d-------- C:\Program Files\speedfan
2007-08-20 02:36 -------- d-------- C:\Program Files\opera
2007-08-17 06:05 -------- d-------- C:\Program Files\winamp
2007-08-05 00:33 -------- d-------- C:\Program Files\eread6.0
2007-08-04 00:56 -------- d-------- C:\Program Files\active data recovery software
2007-08-03 18:22 -------- d-------- C:\Program Files\getdata
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-29 03:00 -------- d-------- C:\Program Files\quicktime
2007-07-15 02:32 657197 --a------ C:\WINDOWS\condition zero uninstaller.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe /r"
"P17Helper"="Rundll32 P17.dll,P17Helper"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,6c,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e8,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e8,02,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=""
"{4F8C5BB1-8D81-497D-8E4C-4F81490B8FB8}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="yxyvteik"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\yxyvteik.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=dword:00000002
"RichVideo"=dword:00000002
"Automatic LiveUpdate Scheduler"=dword:00000002

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
Ip6FwHlp


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Yip's WinXP.job

Completion time: 07-09-27 12:55:21.28


RootkitReveal log

HKU\.DEFAULT\Control Panel\International 9/27/2007 12:55 PM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 9/27/2007 12:55 PM 0 bytes Security mismatch.
HKU\S-1-5-21-448539723-854245398-682003330-1003\Control Panel\International 9/27/2007 1:31 PM 0 bytes Security mismatch.
HKU\S-1-5-21-448539723-854245398-682003330-1003\Control Panel\International\Geo 9/27/2007 12:55 PM 0 bytes Security mismatch.
HKU\S-1-5-21-448539723-854245398-682003330-1003\Software\Microsoft\Command Processor 9/27/2007 12:55 PM 0 bytes Security mismatch.
HKU\S-1-5-21-448539723-854245398-682003330-1003\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 4/2/2007 1:32 AM 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-18\Control Panel\International 9/27/2007 12:55 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 9/27/2007 12:55 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 2/19/2005 4:10 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 2/19/2005 4:10 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Command Processor 9/27/2007 12:55 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 9/27/2007 1:31 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\DirectPlayNATHelp\DPNHUPnP\ActiveFirewallMappings\msmsgs 15553 UDP 9/27/2007 1:30 PM 20 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\DirectPlayNATHelp\DPNHUPnP\ActiveFirewallMappings\msmsgs 11422 TCP 9/27/2007 1:30 PM 20 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\System32\yxyvteik.exe 9/26/2007 1:26 AM 47 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 11/24/2006 2:43 AM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\System32\yxyvteik.exe 9/26/2007 1:26 AM 47 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q22.css 9/27/2007 1:24 PM 1.65 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q2B.jpeg 9/27/2007 1:24 PM 1.58 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q2E.jpeg 9/27/2007 1:24 PM 869 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q2O.htm 9/27/2007 1:25 PM 13.19 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q2Q.htm 9/27/2007 1:25 PM 917 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q2R.htm 9/27/2007 1:25 PM 822 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q2T.htm 9/27/2007 1:25 PM 1.86 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q3X.htm 9/27/2007 1:31 PM 180 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q40.js 9/27/2007 1:31 PM 32.36 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q41.jpeg 9/27/2007 1:31 PM 961 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q42.css 9/27/2007 1:31 PM 2.74 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q43.htm 9/27/2007 1:31 PM 17.54 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q48.css 9/27/2007 1:41 PM 1.65 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4A.gif 9/27/2007 1:42 PM 67 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4B.css 9/27/2007 1:42 PM 6.58 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4C.js 9/27/2007 1:42 PM 32.41 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4D.htm 9/27/2007 1:42 PM 792 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4E.js 9/27/2007 1:42 PM 4.12 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4F.js 9/27/2007 1:42 PM 20.44 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4G.css 9/27/2007 1:42 PM 2.44 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4H.css 9/27/2007 1:42 PM 4.84 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4I.js 9/27/2007 1:42 PM 3.04 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4J.js 9/27/2007 1:42 PM 8.54 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4K.gif 9/27/2007 1:42 PM 49 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4L.js 9/27/2007 1:42 PM 5.96 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4M.htm 9/27/2007 1:42 PM 18.82 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4N.js 9/27/2007 1:42 PM 2.34 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4O.js 9/27/2007 1:42 PM 975 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4P.gif 9/27/2007 1:42 PM 728 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4Q.js 9/27/2007 1:42 PM 7.28 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4R.js 9/27/2007 1:42 PM 2.92 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4S.htm 9/27/2007 1:42 PM 674 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4T.gif 9/27/2007 1:42 PM 49 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4U.gif 9/27/2007 1:42 PM 1.49 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4V.gif 9/27/2007 1:42 PM 3.05 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4W.gif 9/27/2007 1:42 PM 833 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4X.gif 9/27/2007 1:42 PM 920 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4Y.gif 9/27/2007 1:42 PM 67 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q4Z.gif 9/27/2007 1:42 PM 327 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q50.js 9/27/2007 1:42 PM 21.65 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q51.js 9/27/2007 1:42 PM 3.49 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q52.gif 9/27/2007 1:42 PM 64 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q53.gif 9/27/2007 1:42 PM 49 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q54.js 9/27/2007 1:42 PM 1.75 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q55.jpg 9/27/2007 1:42 PM 11.09 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q56.gif 9/27/2007 1:42 PM 1.72 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q57.gif 9/27/2007 1:42 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q58.gif 9/27/2007 1:42 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q59.ico 9/27/2007 1:42 PM 266 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5A.gif 9/27/2007 1:42 PM 1.06 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5B.js 9/27/2007 1:42 PM 982 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5C.js 9/27/2007 1:42 PM 4.77 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5D.css 9/27/2007 1:42 PM 2.74 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5E.htm 9/27/2007 1:42 PM 180 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5F.js 9/27/2007 1:42 PM 32.36 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5G.jpeg 9/27/2007 1:43 PM 961 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5H.gif 9/27/2007 1:43 PM 7.08 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5I.gif 9/27/2007 1:43 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5J.htm 9/27/2007 1:43 PM 17.53 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5K.gif 9/27/2007 1:43 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5L.gif 9/27/2007 1:43 PM 1.28 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5M.htm 9/27/2007 1:43 PM 9.81 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5O.gif 9/27/2007 1:43 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5P.jpeg 9/27/2007 1:43 PM 1.58 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5R.gif 9/27/2007 1:43 PM 772 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5S.jpeg 9/27/2007 1:43 PM 869 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5T.jpg 9/27/2007 1:43 PM 8.28 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5U.jpg 9/27/2007 1:43 PM 6.36 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5W.gif 9/27/2007 1:43 PM 67 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5X.htm 9/27/2007 1:43 PM 2.29 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5Y.gif 9/27/2007 1:43 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5Z.gif 9/27/2007 1:43 PM 2.18 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q60.htm 9/27/2007 1:44 PM 13.19 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q61.htm 9/27/2007 1:44 PM 2.38 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q62.gif 9/27/2007 1:44 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q63.gif 9/27/2007 1:44 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q64.htm 9/27/2007 1:44 PM 917 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q65.htm 9/27/2007 1:44 PM 1.39 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q66.gif 9/27/2007 1:44 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q67.gif 9/27/2007 1:44 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q68.htm 9/27/2007 1:44 PM 1.86 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q69.js 9/27/2007 1:45 PM 18.61 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6A.css 9/27/2007 1:45 PM 2.74 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6B.js 9/27/2007 1:45 PM 103 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6C.css 9/27/2007 1:45 PM 14.88 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6D.swf 9/27/2007 1:45 PM 15.79 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6E.gif 9/27/2007 1:45 PM 3.59 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6F.jpeg 9/27/2007 1:45 PM 7.38 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6G.htm 9/27/2007 1:45 PM 34.22 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6H.htm 9/27/2007 1:45 PM 4.11 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6I.jpeg 9/27/2007 1:45 PM 1.39 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6K.gif 9/27/2007 1:45 PM 67 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6L.jpeg 9/27/2007 1:45 PM 2.66 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6M.jpeg 9/27/2007 1:45 PM 1.28 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6N.gif 9/27/2007 1:45 PM 53 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6O.gif 9/27/2007 1:45 PM 947 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6P.js 9/27/2007 1:45 PM 50 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6Q.gif 9/27/2007 1:45 PM 53 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6R.gif 9/27/2007 1:45 PM 67 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6S.gif 9/27/2007 1:45 PM 4.09 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6T.jpg 9/27/2007 1:45 PM 10.90 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6U.jpg 9/27/2007 1:45 PM 3.43 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6V.js 9/27/2007 1:45 PM 624 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6W.js 9/27/2007 1:45 PM 629 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6X.htm 9/27/2007 1:45 PM 230 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6Y.htm 9/27/2007 1:45 PM 8.21 KB Visible in directory index, but not Windows API or MFT.
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Savrt\0100NAV~.TMP 9/27/2007 1:45 PM 0 bytes Visible in directory index, but not Windows API or MFT.
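The status strings in the listing above ("Hidden from Windows API.", "Visible in directory index, but not Windows API or MFT.") are the ones Sysinternals RootkitRevealer emits when its Windows API pass and its raw-disk pass disagree. Most of the entries here are browser cache files time-stamped inside the scan window, the classic benign discrepancy from files being written while the scan runs. The script below is an added example written for this page, not part of the original post and not RootkitRevealer code; it parses lines of that format, counts discrepancies by status and by directory, and keeps only the "Hidden from Windows API" hits outside a small allow-list of known-churn directories. The allow-list and the one System32 sample line are the editor's constructions, marked as such in the code.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# One RootkitRevealer discrepancy line:
#   <path> <M/D/YYYY> <H:MM AM|PM> <size> <status text>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}\s+[AP]M)\s+"
    r"(?P<size>[\d.]+\s+(?:bytes|KB|MB|GB))\s+"
    r"(?P<status>.+?)\s*$"
)

# Directories that change so fast during a scan that a file created between the
# Windows API pass and the raw-disk pass routinely shows up as a discrepancy.
# Assumption: this allow-list is the editor's, not the tool's; each entry is
# matched as a lower-cased substring of the path.
KNOWN_CHURN_FRAGMENTS = (
    r"\application data\opera\opera\profile\cache4",   # browser cache
    r"\norton antivirus\savrt",                         # AV scratch files
)

def parse_line(line):
    """Split one report line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_churn_path(path):
    low = path.lower()
    return any(frag in low for frag in KNOWN_CHURN_FRAGMENTS)

def triage(lines):
    """Return (count per status, count per directory, hidden files outside churn dirs)."""
    by_status = Counter()
    by_dir = Counter()
    worth_a_look = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_status[rec["status"]] += 1
        by_dir[str(PureWindowsPath(rec["path"]).parent)] += 1
        # "Hidden from Windows API" means the raw-disk pass saw a file the API
        # pass did not. Inside a browser cache mid-scan that is expected;
        # inside System32 it is not.
        if rec["status"].startswith("Hidden from Windows API") and not is_churn_path(rec["path"]):
            worth_a_look.append(rec["path"])
    return by_status, by_dir, worth_a_look

# Sample input: four lines copied from the report above plus one constructed
# System32 line (the last one) so the filter has something to keep.
SAMPLE_LINES = r"""
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5D.css 9/27/2007 1:42 PM 2.74 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q5F.js 9/27/2007 1:42 PM 32.36 KB Hidden from Windows API.
C:\Documents and Settings\Yip's WinXP\Application Data\Opera\Opera\profile\cache4\opr00Q6A.css 9/27/2007 1:45 PM 2.74 KB Visible in directory index, but not Windows API or MFT.
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Savrt\0100NAV~.TMP 9/27/2007 1:45 PM 0 bytes Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\System32\constructed_sample.dll 9/27/2007 1:40 PM 12.50 KB Hidden from Windows API.
""".strip().splitlines()

if __name__ == "__main__":
    statuses, dirs, hits = triage(SAMPLE_LINES)
    for status, n in statuses.items():
        print(f"{n:4d}  {status}")
    for directory, n in dirs.most_common():
        print(f"{n:4d}  {directory}")
    print("hidden outside known-churn directories:", hits)
```

Run against the full report, the per-directory counts are the quickest way to see that the discrepancies cluster in one cache folder; whatever survives the allow-list is the short list to hash and look up, not a verdict.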





#2 barry80

barry80
  • Topic Starter
  • Members
  • 2 posts

Posted 27 September 2007 - 09:55 AM

HijackThis v2.0.2
Scan saved at 10:51:24 PM, on 9/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\Symantec\NORTON~2\GHOSTS~2.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\BitComet Acceleration Patch\BitComet Acceleration Patch.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Software\HJT\HijackThis V1.99.1.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: (no name) - $?38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: (no name) - ??497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - ??49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {18F57D30-EF36-4C0E-9343-7BFA6DF79B4A} - http://active.micr0media.com/swflash.CAB
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://khoopt.dipmap.com/cab/OCXChecker_6100.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183820599859
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183820585000
O16 - DPF: {A5866BA0-E4D6-4B46-8C80-13D50EB1449B} (RecordCtl Class) - http://newspic.mop.com/music/MOPMusicRecorder.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://gameadvisor.futuremark.com/global/msc311.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{821210E0-6865-466B-BC1B-7CC01948A8D8}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~2\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

This is the latest HJT log after I restored back to a previous ISO image file from before the infection. Do I need to delete anything else? Please help...
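A first pass over a HijackThis log like the one above can be scripted. The following is an added example written for this page, not part of the original post and not HijackThis code. It parses the O1, O2, O16 and O23 lines and lists what a helper reads first: hosts-file overrides, BHO entries that point at no file or whose registry key is not a well-formed CLSID, the host each DPF control was downloaded from, and services whose binary is missing. The sample log is a subset of lines copied from the post above; which of the flagged items are malicious is still a judgement call, the script only sorts.

```python
import re
from urllib.parse import urlparse

# Shape of a well-formed COM class ID as HijackThis prints it: {8-4-4-4-12 hex}.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# "O2 - BHO: ...", "R3 - URLSearchHook: ..." and so on; process paths do not match.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\S+) - (?P<file>.+)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
SVC_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def parse_entry(line):
    """Return (section code, body) for an HJT entry line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None

def triage_hjt(lines):
    findings = {"hosts": [], "bho": [], "dpf": [], "services": []}
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue  # headers, blank lines, the running-process list
        code, body = parsed
        if code == "O1":
            # O1 - Hosts: <ip> <hostname>; every override is worth seeing.
            findings["hosts"].append(body.split(":", 1)[1].strip())
        elif code == "O2":
            m = BHO_RE.match(body)
            if not m:
                continue
            reasons = []
            if not CLSID_RE.match(m.group("clsid")):
                reasons.append("CLSID does not parse")   # key name is not a GUID
            if m.group("file") == "(no file)":
                reasons.append("no file on disk")        # orphaned or hidden target
            if reasons:
                findings["bho"].append((m.group("clsid"), reasons))
        elif code == "O16":
            m = DPF_RE.match(body)
            if m:
                findings["dpf"].append((urlparse(m.group("url")).hostname, m.group("clsid")))
        elif code == "O23":
            m = SVC_RE.match(body)
            if m and "(file missing)" in m.group("path"):
                findings["services"].append(m.group("name"))
    return findings

# Sample log: lines copied verbatim from the post above (a process line and the
# R3 line are included to show they are skipped).
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: (no name) - $?38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: (no name) - ??497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - ??49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O16 - DPF: {18F57D30-EF36-4C0E-9343-7BFA6DF79B4A} - http://active.micr0media.com/swflash.CAB
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://khoopt.dipmap.com/cab/OCXChecker_6100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183820599859
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
""".strip().splitlines()

if __name__ == "__main__":
    for section, items in triage_hjt(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

On the sample, the three hosts overrides, the four BHO entries with no file (three of them also with a key that is not a GUID), the download host of each DPF control and the one service with a missing binary come out grouped; the BHO lines with a real DLL on disk and a well-formed CLSID are left alone.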

#3 SifuMike

SifuMike
    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 05 October 2007 - 09:24 PM

Hello barry,

Our apologies for the delay.
If you still need help, please post a new log so I can see if anything has changed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 SifuMike

SifuMike
    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 12 October 2007 - 09:36 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.


