
Infected Once Again!


  • Please log in to reply
20 replies to this topic

#1 Scottman (Members, 57 posts)

Posted 24 October 2007 - 05:13 PM

It's happened again!

I need to clean up my son's PC. It is once again oozing with spyware. It has even taken over the desktop display! The wallpaper is set to some file called "default" which is a warning that my PC has been infected. No duh!

I am running Norton 360, and it stops many Trojan threats, but it cannot get rid of the constant popups. I cannot gain access to Symantec to get updates to 360, no doubt due to whatever is running the PC. I have run Adaware and Spybot and always find tons of stuff, but the problems never go away.

Please help! Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:11, on 07-10-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toggle.com/index.php?rvs=hompag
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [C:\DOCUME~1\All\LOCALS~1\Temp\update.exe] C:\DOCUME~1\All\LOCALS~1\Temp\update.exe
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [f8fcf9da] rundll32.exe "C:\WINDOWS\system32\nkfjkdkw.dll",b
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISMModule6] "C:\Program Files\ISM\ISMModule6.exe"
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - HKCU\..\Run: [ISMPack7] "C:\Program Files\ISM2\ISMPack7.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {97E7818A-29C2-441E-857C-EBA970D7B5D2} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {D34637AF-8024-434D-A488-4BC633950521} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {DD9FC0CA-BFEF-496F-AB22-C995E60BA7D5} - http://www.comcast.net (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162659590343
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.leaguelineup.com/XUpload.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O21 - SSODL: BYWcLjz - {F8FCF976-5256-53DC-0A9B-8ECCC6147F8D} - C:\WINDOWS\system32\neuzd.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: Symantec Eraser Service (EraserSvc10732) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 10189 bytes


Thanks!
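The HijackThis log above is a flat text format: each line starts with a section code (R0, O4, O21, O23, ...) followed by the entry. As an added example that is not part of this thread and not code from HijackThis itself, the Python script below parses such lines and flags the patterns a log helper looks at first: autoruns launched from a Temp directory, Run values with random hex names, rundll32 loading a random-looking eight-letter DLL from system32, ShellServiceObjectDelayLoad entries, and services with no vendor or a missing binary. The sample input is copied from the log posted above; the heuristics, thresholds and names (triage, looks_random, Finding) are this example's own assumptions, not rules defined by HijackThis.

```python
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log posted at the top of this thread;
# they serve only as input for the triage heuristics below.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toggle.com/index.php?rvs=hompag
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [C:\DOCUME~1\All\LOCALS~1\Temp\update.exe] C:\DOCUME~1\All\LOCALS~1\Temp\update.exe
O4 - HKLM\..\Run: [f8fcf9da] rundll32.exe "C:\WINDOWS\system32\nkfjkdkw.dll",b
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O21 - SSODL: BYWcLjz - {F8FCF976-5256-53DC-0A9B-8ECCC6147F8D} - C:\WINDOWS\system32\neuzd.dll (file missing)
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Generic entry line: "<section> - <body>".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# O4 registry Run entries: "HKLM\..\Run: [value name] command".
# (O4 "Global Startup" shortcut lines deliberately do not match.)
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 entries: "Service: <display name> - <vendor> - <binary path>"; the vendor may be empty.
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.*?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    line: str      # the full log line that was flagged
    reason: str    # why it deserves a closer look


def parse_entries(log_text):
    """Yield (section, body, full_line) for every entry line; other lines are ignored."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def looks_random(base):
    """Heuristic (this example's own choice): eight lowercase letters with fewer than two vowels."""
    return (len(base) == 8 and base.isalpha() and base.islower()
            and sum(c in "aeiou" for c in base) < 2)


def triage(log_text):
    """Return the list of Findings for a HijackThis log. A finding means 'check this', not 'malware'."""
    findings = []
    for section, body, line in parse_entries(log_text):
        reasons = []
        if section == "O4":
            m = RUN_RE.match(body)
            if m:
                name, cmd = m.group("name"), m.group("cmd")
                if re.search(r"\\temp\\", cmd, re.IGNORECASE):
                    reasons.append("autorun launched from a Temp directory")
                if re.fullmatch(r"[0-9a-f]{8}", name):
                    reasons.append("random hex value name")
                if "rundll32" in cmd.lower():
                    d = re.search(r"[Ss]ystem32\\([a-z]{8})\.dll", cmd)
                    if d and looks_random(d.group(1)):
                        reasons.append("rundll32 loading a random-looking DLL from system32")
        elif section == "O21":
            reasons.append("ShellServiceObjectDelayLoad entry (rarely used by legitimate software)")
            if "(file missing)" in body:
                reasons.append("registered file is missing")
        elif section == "O23":
            m = SERVICE_RE.match(body)
            if m:
                if m.group("owner") == "Unknown owner":
                    reasons.append("service with no vendor information")
                if "(file missing)" in m.group("path"):
                    reasons.append("service binary is missing")
        findings.extend(Finding(section, line, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it as a script to see the findings for the sample, or pass the text of a complete log to triage(). A flag means the entry needs a closer look, not that it is malicious: the vowel-count test in looks_random will occasionally catch a legitimate DLL, and an entry that passes every test can still be hostile, which is why a log helper asks for tool output rather than relying on the log alone.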

#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 24 October 2007 - 07:01 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Scottman :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
* Instead of Windows loading as normal, a menu with options should appear.
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
* Press any key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Now download ComboFix and save it to your desktop:
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*NOTE*
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new HijackThis log please.

#3 Scottman (Topic Starter, Members, 57 posts)

Posted 27 October 2007 - 10:46 AM

RichieUK

I had some trouble with this. When I ran SDFix in Safe Mode, it ran for a while, then I got a blue "screen of death" with the message "Page_Fault_In_nonpaged_area". I also had trouble getting into Safe Mode; it took several tries. In any event, here's the first log:

SDFix: Version 1.112

Run by Administrator on Thu 10/25/2007 at 06:49 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Microsoft Internet Explorer
Microsoft Internet Explorer

ImagePath:

Microsoft Internet Explorer - Deleted
Microsoft Internet Explorer - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service

Here's the ComboFix log:

ComboFix 07-10-25.4 - All 2007-10-27 10:21:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.133 [GMT -4:00]
Running from: C:\Documents and Settings\All\Desktop\ComboFix-1.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All\Application Data\macromedia\Flash Player\#SharedObjects\LWHABFUU\www.broadcaster.com
C:\Documents and Settings\All\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\All\Application Data\PPPATC~1
C:\Documents and Settings\All\My Documents\STEM~1
C:\Documents and Settings\All\My Documents\STEM~1\??stem\
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\ISM
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\ISM2
C:\Program Files\ISM2\cringupd.exe
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\ISMPack5.exe
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\ISM2\ISMPack7.exe
C:\Program Files\ISM2\ISMPack8.exe
C:\Program Files\ISM2\targets.gz
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\wininstall.exe
C:\Program Files\WinAble
C:\Program Files\WinAble\winable.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\curity~1
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\acgpwmoq.ini
C:\WINDOWS\system32\affgmtsy.ini
C:\WINDOWS\system32\afovfvmo.ini
C:\WINDOWS\system32\agdbbqkh.ini
C:\WINDOWS\system32\akrnwotf.dll
C:\WINDOWS\system32\amcpnxso.ini
C:\WINDOWS\system32\aqnjnfsf.ini
C:\WINDOWS\system32\asijtjdb.dll
C:\WINDOWS\system32\atvwvwkg.ini
C:\WINDOWS\system32\awnscsgn.ini
C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\awvtr.dll
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\awvtu.dll
C:\WINDOWS\system32\bbaxgkmc.dll
C:\WINDOWS\system32\bdjtjisa.ini
C:\WINDOWS\system32\birutemd.dll
C:\WINDOWS\system32\bktmnhik.dll
C:\WINDOWS\system32\bnhghurp.dll
C:\WINDOWS\system32\bpyymluw.dll
C:\WINDOWS\system32\bxiidrel.ini
C:\WINDOWS\system32\cbmfweoc.ini
C:\WINDOWS\system32\cfgasfuo.ini
C:\WINDOWS\system32\cgrysutr.ini
C:\WINDOWS\system32\cimnhyks.ini
C:\WINDOWS\system32\clokvwwt.dll
C:\WINDOWS\system32\cmfvinit.dll
C:\WINDOWS\system32\cmkgxabb.ini
C:\WINDOWS\system32\cobwbwaw.ini
C:\WINDOWS\system32\coewfmbc.dll
C:\WINDOWS\system32\conf.dat
C:\WINDOWS\system32\cykuefgp.dll
C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\ddaby.dll
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\ddccb.dll
C:\WINDOWS\system32\dmeturib.ini
C:\WINDOWS\system32\dpepdvoe.ini
C:\WINDOWS\system32\drivers\bg_bg.gif
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\close_ico.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\icon_warning_big.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\remove_spyware_header.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\snkwevbj.sys
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\spyware_detected.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_ico.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\WFBH23.sys
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
C:\WINDOWS\system32\dxkdngqs.ini
C:\WINDOWS\system32\dywunovr.dll
C:\WINDOWS\system32\ecwfrkuy.ini
C:\WINDOWS\system32\efnrdhmk.dll
C:\WINDOWS\system32\eggsilwn.ini
C:\WINDOWS\system32\eigsbfpl.dll
C:\WINDOWS\system32\eovdpepd.dll
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\ewkyeyxp.ini
C:\WINDOWS\system32\fdbpolbp.dll
C:\WINDOWS\system32\fkgaoixl.dll
C:\WINDOWS\system32\fksuclyh.dll
C:\WINDOWS\system32\fmlugmhn.dll
C:\WINDOWS\system32\fqmenssr.ini
C:\WINDOWS\system32\fsdaljjt.dll
C:\WINDOWS\system32\fsfnjnqa.dll
C:\WINDOWS\system32\ftownrka.ini
C:\WINDOWS\system32\gebcb.dll
C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\geebc.dll
C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\ghbvbeqp.ini
C:\WINDOWS\system32\ghkmp.tmp
C:\WINDOWS\system32\gjkmp.bak1
C:\WINDOWS\system32\gjkmp.ini
C:\WINDOWS\system32\gkwvwvta.dll
C:\WINDOWS\system32\glbyjdvj.dll
C:\WINDOWS\system32\gmrelfan.dll
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\hfkcvwnp.ini
C:\WINDOWS\system32\hkqbbdga.dll
C:\WINDOWS\system32\ijowicbq.ini
C:\WINDOWS\system32\iujdueat.ini
C:\WINDOWS\system32\iujoqhtk.ini
C:\WINDOWS\system32\iwbstanu.ini
C:\WINDOWS\system32\jjytmeux.dll
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\jkhhe.dll
C:\WINDOWS\system32\jkhhf.dll
C:\WINDOWS\system32\jkkjg.dll
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\jkkjj.dll
C:\WINDOWS\system32\jkkjk.dll
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\jlkkj.ini
C:\WINDOWS\system32\jlkkj.ini2
C:\WINDOWS\system32\jlkkj.tmp
C:\WINDOWS\system32\jpkcwvkq.ini2
C:\WINDOWS\system32\jpkcwvkq.tmp
C:\WINDOWS\system32\jvdjyblg.tmp
C:\WINDOWS\system32\KB79238020.exe
C:\WINDOWS\system32\khibibgy.dll
C:\WINDOWS\system32\kihnmtkb.ini
C:\WINDOWS\system32\klkkj.bak1
C:\WINDOWS\system32\klkkj.bak2
C:\WINDOWS\system32\klkkj.ini
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.ini
C:\WINDOWS\system32\kmhdrnfe.ini
C:\WINDOWS\system32\kpcldvax.dll
C:\WINDOWS\system32\kthqojui.dll
C:\WINDOWS\system32\kyrcjjty.dll
C:\WINDOWS\system32\lchtoffn.dll
C:\WINDOWS\system32\lerdiixb.dll
C:\WINDOWS\system32\lmbfhhsn.dll
C:\WINDOWS\system32\lpfbsgie.ini
C:\WINDOWS\system32\lswphvlr.ini
C:\WINDOWS\system32\lukexuhq.dll
C:\WINDOWS\system32\lxioagkf.ini
C:\WINDOWS\system32\mawalmaq.ini
C:\WINDOWS\system32\mdbyohcr.dll
C:\WINDOWS\system32\mhdnlfhm.ini
C:\WINDOWS\system32\mhflndhm.dll
C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mllmn.dll
C:\WINDOWS\system32\mmllm.bak1
C:\WINDOWS\system32\mmllm.bak2
C:\WINDOWS\system32\mmllm.ini
C:\WINDOWS\system32\mopasacp.ini
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\muqbyiuy.dll
C:\WINDOWS\system32\muthegoq.ini
C:\WINDOWS\system32\naflermg.ini
C:\WINDOWS\system32\nffothcl.ini
C:\WINDOWS\system32\ngscsnwa.dll
C:\WINDOWS\system32\nhlmilqr.dll
C:\WINDOWS\system32\nhmgulmf.ini
C:\WINDOWS\system32\nshhfbml.ini
C:\WINDOWS\system32\nwlisgge.dll
C:\WINDOWS\system32\obwxbsbt.dll
C:\WINDOWS\system32\ocgvtyhp.dll
C:\WINDOWS\system32\odcgvaiq.ini
C:\WINDOWS\system32\ohsasopt.ini
C:\WINDOWS\system32\omvfvofa.dll
C:\WINDOWS\system32\ordmgokr.ini
C:\WINDOWS\system32\osbbyato.dll
C:\WINDOWS\system32\osxnpcma.dll
C:\WINDOWS\system32\otaybbso.ini
C:\WINDOWS\system32\oufsagfc.dll
C:\WINDOWS\system32\pblopbdf.ini
C:\WINDOWS\system32\pcasapom.dll
C:\WINDOWS\system32\pgfeukyc.ini
C:\WINDOWS\system32\pgmjdcvt.ini
C:\WINDOWS\system32\phefmwou.dll
C:\WINDOWS\system32\phytvgco.ini
C:\WINDOWS\system32\pmkhg.dll
C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\pmnlk.dll
C:\WINDOWS\system32\pnwvckfh.dll
C:\WINDOWS\system32\pqebvbhg.dll
C:\WINDOWS\system32\pqsmmnsp.ini
C:\WINDOWS\system32\pruhghnb.ini
C:\WINDOWS\system32\psnmmsqp.dll
C:\WINDOWS\system32\pxyeykwe.dll
C:\WINDOWS\system32\qamlawam.dll
C:\WINDOWS\system32\qbciwoji.dll
C:\WINDOWS\system32\qhuxekul.ini
C:\WINDOWS\system32\qiavgcdo.dll
C:\WINDOWS\system32\qkvwckpj.dll
C:\WINDOWS\system32\qogehtum.dll
C:\WINDOWS\system32\qomwpgca.dll
C:\WINDOWS\system32\qqstv.bak1
C:\WINDOWS\system32\qqstv.ini
C:\WINDOWS\system32\qscedqsu.ini
C:\WINDOWS\system32\qwmalohw.dll
C:\WINDOWS\system32\rchoybdm.ini
C:\WINDOWS\system32\rkmgtuew.ini
C:\WINDOWS\system32\rkogmdro.dll
C:\WINDOWS\system32\rlvhpwsl.dll
C:\WINDOWS\system32\rqlimlhn.ini
C:\WINDOWS\system32\rqstv.bak1
C:\WINDOWS\system32\rqstv.ini
C:\WINDOWS\system32\rseimyrv.ini
C:\WINDOWS\system32\rssnemqf.dll
C:\WINDOWS\system32\rt25.exe
C:\WINDOWS\system32\rtusyrgc.dll
C:\WINDOWS\system32\RunOnce3.t__
C:\WINDOWS\system32\RunOnce3.tmp
C:\WINDOWS\system32\rvonuwyd.ini
C:\WINDOWS\system32\sgwdisqy.dll
C:\WINDOWS\system32\skyhnmic.dll
C:\WINDOWS\system32\sqgndkxd.dll
C:\WINDOWS\system32\ssqro.dll
C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\sstqn.dll
C:\WINDOWS\system32\sstqp.dll
C:\WINDOWS\system32\ssttq.dll
C:\WINDOWS\system32\taeudjui.dll
C:\WINDOWS\system32\tbsbxwbo.ini
C:\WINDOWS\system32\tinivfmc.ini
C:\WINDOWS\system32\tjjladsf.ini
C:\WINDOWS\system32\tposasho.dll
C:\WINDOWS\system32\tvcdjmgp.dll
C:\WINDOWS\system32\twwvkolc.ini
C:\WINDOWS\system32\unatsbwi.dll
C:\WINDOWS\system32\uowmfehp.ini
C:\WINDOWS\system32\update177.exe
C:\WINDOWS\system32\update281.exe
C:\WINDOWS\system32\usqdecsq.dll
C:\WINDOWS\system32\utcpqswx.ini
C:\WINDOWS\system32\vedlxssv.dll
C:\WINDOWS\system32\vrymiesr.dll
C:\WINDOWS\system32\vssxldev.ini
C:\WINDOWS\system32\vtsqn.dll
C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\vtsqr.dll
C:\WINDOWS\system32\vtutq.dll
C:\WINDOWS\system32\vtutr.dll
C:\WINDOWS\system32\wawbwboc.dll
C:\WINDOWS\system32\weutgmkr.dll
C:\WINDOWS\system32\wholamwq.ini
C:\WINDOWS\system32\wulmyypb.ini
C:\WINDOWS\system32\xavdlcpk.ini
C:\WINDOWS\system32\xhrjcciy.dll
C:\WINDOWS\system32\xuemtyjj.ini
C:\WINDOWS\system32\xwsqpctu.dll
C:\WINDOWS\system32\ygbibihk.ini
C:\WINDOWS\system32\yiccjrhx.ini
C:\WINDOWS\system32\yqsidwgs.ini
C:\WINDOWS\system32\ystmgffa.dll
C:\WINDOWS\system32\ytjjcryk.ini
C:\WINDOWS\system32\yuiybqum.ini
C:\WINDOWS\system32\yukrfwce.dll
C:\WINDOWS\tsitra801.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wnsxs~1
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_MICROSOFT_INTERNET_EXPLORER
-------\LEGACY_NDNET1
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_POOF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_WFBH23
-------\Microsoft Internet Explorer


((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-27 10:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-27 02:10 83,520 --a------ C:\WINDOWS\system32\wmcntmfb.dll
2007-10-25 06:39 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-13 15:27 376,832 --a------ C:\WINDOWS\system32\khfeeef.dll
2007-10-13 14:27 376,832 --a------ C:\WINDOWS\system32\opnligg.dll
2007-10-13 13:27 376,832 --a------ C:\WINDOWS\system32\fccaxxw.dll
2007-10-13 12:27 376,832 --a------ C:\WINDOWS\system32\khfdaax.dll
2007-10-13 11:27 376,832 --a------ C:\WINDOWS\system32\tuvwwvu.dll
2007-10-13 10:27 376,832 --a------ C:\WINDOWS\system32\fccawtr.dll
2007-10-13 09:27 376,832 --a------ C:\WINDOWS\system32\fcccaab.dll
2007-10-13 08:27 376,832 --a------ C:\WINDOWS\system32\pmnligh.dll
2007-10-13 07:27 376,832 --a------ C:\WINDOWS\system32\mljgdaa.dll
2007-10-13 06:27 376,832 --a------ C:\WINDOWS\system32\xxyaaaw.dll
2007-10-13 05:27 376,832 --a------ C:\WINDOWS\system32\qommljj.dll
2007-10-13 04:27 376,832 --a------ C:\WINDOWS\system32\vtuvtqo.dll
2007-10-12 17:27 50,176 --a------ C:\WINDOWS\system32\ktasr.dll
2007-10-12 16:27 50,176 --a------ C:\WINDOWS\system32\btasv.dll
2007-10-12 16:27 21,504 --a------ C:\WINDOWS\system32\tcprp.dll
2007-10-12 16:27 21,504 --a------ C:\WINDOWS\system32\sipov.dll
2007-10-10 06:22 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 18:31 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-09 18:31 <DIR> d-------- C:\Documents and Settings\All\Application Data\PC Tools
2007-10-09 18:31 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-09 18:31 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-09 18:31 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-09 18:31 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-10-09 18:30 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-09 17:51 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-10-06 23:53 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-10-06 23:50 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-06 23:50 30,464 --a------ C:\WINDOWS\system32\ace16win.dll
2007-10-05 22:00 18,688 C:\WINDOWS\system32\drivers\snkwevbj.dat
2007-10-05 22:00 5,120 C:\WINDOWS\system32\drivers\lsisrmki.dat
2007-10-01 18:33 56,912 --a------ C:\Documents and Settings\All\g2mdlhlpx.exe
2007-09-27 18:50 <DIR> d-------- C:\d0b9618f1301cc42fc
2007-09-27 18:49 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-09-27 18:49 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 14:36 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-25 16:52 --------- d-----w C:\Program Files\Dl_cats
2007-10-10 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-10 01:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-09 22:13 --------- d-----w C:\Program Files\Norton 360
2007-10-09 21:47 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-09 21:47 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-09 21:47 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-09 21:47 --------- d-----w C:\Program Files\Symantec
2007-09-26 19:56 --------- d-----w C:\Program Files\Dell Photo AIO Printer 926
2007-09-25 07:00 --------- d-----w C:\Program Files\MSXML 4.0
2007-09-24 21:11 --------- d-----w C:\Documents and Settings\All\Application Data\Line 6
2007-09-24 21:06 --------- d-----w C:\Program Files\Sonoma Wire Works
2007-09-24 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonoma Wire Works
2007-09-24 09:58 --------- d-----w C:\Documents and Settings\All\Application Data\Corel
2007-09-24 09:57 --------- d-----w C:\Program Files\Corel
2007-09-24 09:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-09-24 09:55 --------- d-----w C:\Program Files\Common Files\Corel
2007-09-24 09:54 --------- d-----w C:\Program Files\Dell
2007-09-24 09:53 --------- d-----w C:\Program Files\Dell PC Fax
2007-09-23 13:46 --------- d-----w C:\Documents and Settings\All\Application Data\DellFaxCtr
2007-09-23 12:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\DellFaxCtr
2007-09-23 12:56 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 18:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 18:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 18:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 18:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 18:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 18:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 18:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-06 22:58 --------- d-----w C:\Documents and Settings\All\Application Data\Image Zone Express
2007-05-24 23:08 25,904 ----a-w C:\Documents and Settings\All\Application Data\GDIPFONTCACHEV1.DAT
2007-05-01 10:36 11,254 ----a-w C:\Documents and Settings\All\locate.com
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 57,344 2005-06-07 03:46:24 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe

----a-w 50,736 2006-11-07 15:29:02 C:\Program Files\AIM6\bak\aim6.exe
----a-w 50,736 2007-04-27 21:17:26 C:\Program Files\AIM6\aim6.exe

----a-w 483,394 2001-12-17 15:18:06 C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe

----a-w 49,152 2006-02-19 07:41:10 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 278,528 2006-02-23 19:45:20 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 86,102 2002-12-16 11:10:34 C:\Program Files\Lexmark X5100 Series\bak\lxbabmgr.exe

----a-w 155,648 2006-07-10 17:34:36 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 53,248 2002-02-05 02:32:10 C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE

----a-w 57,344 2001-11-21 05:49:46 C:\Program Files\Support.com\bin\bak\tgkill.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49FE4ED2-B4F4-4224-A862-CCE1616646A9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{971D5B7B-F7DF-43ee-B771-6B7FA09975C3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF50F976-592A-47a4-81C7-AD34D5A3A947}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" []
"ComcastSUPPORT"="C:\Program Files\Support.com\bin\tgkill.exe" []
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 15:16]
"nwiz"="nwiz.exe" [2003-10-06 15:16 C:\WINDOWS\system32\nwiz.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"C:\DOCUME~1\All\LOCALS~1\Temp\update.exe"="C:\DOCUME~1\All\LOCALS~1\Temp\update.exe" []
"dlcxmon.exe"="C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 12:57]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 18:04]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [2006-11-03 18:09]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 11:06]
"DLCXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 01:31]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27]
"f8fcf9da"="C:\WINDOWS\system32\wmcntmfb.dll" [2007-10-27 02:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-10-06 15:16]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"ISMModule6"="C:\Program Files\ISM\ISMModule6.exe" []
"ISMPack8"="C:\Program Files\ISM2\ISMPack8.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2002-01-09 22:53:14]
EZ-DUB Finder.lnk - C:\Program Files\EZ-DUB\EZ-DUB.exe [2005-09-13 19:47:52]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BYWcLjz"= {F8FCF976-5256-53DC-0A9B-8ECCC6147F8D} - C:\WINDOWS\system32\neuzd.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvtqo]
vtuvtqo.dll 2007-10-13 04:27 376832 C:\WINDOWS\system32\vtuvtqo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R0 noittukv;noittukv;C:\WINDOWS\system32\drivers\snkwevbj.dat
R2 dlcx_device;dlcx_device;C:\WINDOWS\system32\dlcxcoms.exe -service
R2 EraserSvc10732;Symantec Eraser Service;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
S3 ADBLOCK.DLL;Lavasoft Firewall PlugIn (ADBLOCK.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\ADBLOCK.DLL
S3 ARP.DLL;Lavasoft Firewall PlugIn (ARP.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\ARP.DLL
S3 CONTENT.DLL;Lavasoft Firewall PlugIn (CONTENT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\CONTENT.DLL
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\WINDOWS\system32\DRIVERS\CSVirtA.sys
S3 DNSCACHE.DLL;Lavasoft Firewall PlugIn (DNSCACHE.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\DNSCACHE.DLL
S3 EraserUtilDrv10710;EraserUtilDrv10710;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys
S3 EraserUtilDrv10733;EraserUtilDrv10733;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10733.sys
S3 EraserUtilDrvI3;EraserUtilDrvI3;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI3.sys
S3 FTPFILT.DLL;Lavasoft Firewall PlugIn (FTPFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\FTPFILT.DLL
S3 HTMLFILT.DLL;Lavasoft Firewall PlugIn (HTMLFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\HTMLFILT.DLL
S3 HTTPFILT.DLL;Lavasoft Firewall PlugIn (HTTPFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\HTTPFILT.DLL
S3 IMAPFILT.DLL;Lavasoft Firewall PlugIn (IMAPFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\IMAPFILT.DLL
S3 MAILFILT.DLL;Lavasoft Firewall PlugIn (MAILFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\MAILFILT.DLL
S3 NNTPFILT.DLL;Lavasoft Firewall PlugIn (NNTPFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\NNTPFILT.DLL
S3 POP3FILT.DLL;Lavasoft Firewall PlugIn (POP3FILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\POP3FILT.DLL
S3 PROTECT.DLL;Lavasoft Firewall PlugIn (PROTECT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\PROTECT.DLL
S3 RIOXDRV;SONICblue Rio generic driver XP+;C:\WINDOWS\system32\Drivers\RIOXDRV.sys
S3 SECRET.DLL;Lavasoft Firewall PlugIn (SECRET.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\SECRET.DLL

*Newly Created Service* - COMHOST
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 10:45:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\TEMP

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"C:\\DOCUME~1\\All\\LOCALS~1\\Temp\\update.exe"="C:\\DOCUME~1\\All\\LOCALS~1\\Temp\\update.exe"
.
Completion time: 2007-10-27 10:54:11 - machine was rebooted
C:\ComboFix2.txt ... 2007-08-04 23:25
C:\ComboFix3.txt ... 2007-07-04 09:33
.
--- E O F ---

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42, on 07-10-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toggle.com/index.php?rvs=hompag
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {49FE4ED2-B4F4-4224-A862-CCE1616646A9} - C:\WINDOWS\system32\dgne.dll
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - tcprp.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: Flash Module - {DF50F976-592A-47a4-81C7-AD34D5A3A947} - ktasr.dll (file missing)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [C:\DOCUME~1\All\LOCALS~1\Temp\update.exe] C:\DOCUME~1\All\LOCALS~1\Temp\update.exe
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [f8fcf9da] rundll32.exe "C:\WINDOWS\system32\wmcntmfb.dll",b
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISMModule6] "C:\Program Files\ISM\ISMModule6.exe"
O4 - HKCU\..\Run: [ISMPack8] "C:\Program Files\ISM2\ISMPack8.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {97E7818A-29C2-441E-857C-EBA970D7B5D2} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {D34637AF-8024-434D-A488-4BC633950521} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {DD9FC0CA-BFEF-496F-AB22-C995E60BA7D5} - http://www.comcast.net (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162659590343
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.leaguelineup.com/XUpload.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O20 - Winlogon Notify: vtuvtqo - C:\WINDOWS\SYSTEM32\vtuvtqo.dll
O21 - SSODL: BYWcLjz - {F8FCF976-5256-53DC-0A9B-8ECCC6147F8D} - C:\WINDOWS\system32\neuzd.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: Symantec Eraser Service (EraserSvc10732) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 11323 bytes


Thanks so much for your help! What's next?

Scottman

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:12:07 AM

Posted 27 October 2007 - 11:51 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\wmcntmfb.dll
C:\WINDOWS\system32\khfeeef.dll
C:\WINDOWS\system32\opnligg.dll
C:\WINDOWS\system32\fccaxxw.dll
C:\WINDOWS\system32\khfdaax.dll
C:\WINDOWS\system32\tuvwwvu.dll
C:\WINDOWS\system32\fccawtr.dll
C:\WINDOWS\system32\fcccaab.dll
C:\WINDOWS\system32\pmnligh.dll
C:\WINDOWS\system32\mljgdaa.dll
C:\WINDOWS\system32\xxyaaaw.dll
C:\WINDOWS\system32\qommljj.dll
C:\WINDOWS\system32\vtuvtqo.dll
C:\WINDOWS\system32\ktasr.dll
C:\WINDOWS\system32\btasv.dll
C:\WINDOWS\system32\tcprp.dll
C:\WINDOWS\system32\sipov.dll
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\drivers\snkwevbj.dat
C:\WINDOWS\system32\drivers\lsisrmki.dat
C:\Documents and Settings\All\g2mdlhlpx.exe
Folder::
C:\d0b9618f1301cc42fc
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49FE4ED2-B4F4-4224-A862-CCE1616646A9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{971D5B7B-F7DF-43ee-B771-6B7FA09975C3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF50F976-592A-47a4-81C7-AD34D5A3A947}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\DOCUME~1\All\LOCALS~1\Temp\update.exe"=-
"f8fcf9da"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISMModule6"=-
"ISMPack8"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BYWcLjz"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvtqo]
Driver::
noittukv

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


Download FindAWF.exe and save it to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
Copy and paste the contents of the AWF.txt file in your next reply.
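A small triage script, added here as an illustration and not part of RichieUK's instructions or of HijackThis, ComboFix or FindAWF: it reads HijackThis lines like the ones in the log posted above, flags the same kinds of loading points the CFScript above targets (an autostart in a Temp folder, a Run value with a random hex name, rundll32 calling a one-letter export, a nameless BHO in system32, Winlogon Notify and SSODL entries, targets marked file missing) and drafts the File:: and Registry:: sections in the CFScript layout shown above. The rules and the sample lines are constructed for this example; the draft is something to compare against a helper's advice, not something to run unreviewed.

```python
import re

# Constructed sample input: lines copied from the HijackThis log posted earlier
# in this thread, with benign and suspicious entries mixed together.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49FE4ED2-B4F4-4224-A862-CCE1616646A9} - C:\WINDOWS\system32\dgne.dll
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - tcprp.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C:\DOCUME~1\All\LOCALS~1\Temp\update.exe] C:\DOCUME~1\All\LOCALS~1\Temp\update.exe
O4 - HKLM\..\Run: [f8fcf9da] rundll32.exe "C:\WINDOWS\system32\wmcntmfb.dll",b
O20 - Winlogon Notify: vtuvtqo - C:\WINDOWS\SYSTEM32\vtuvtqo.dll
O21 - SSODL: BYWcLjz - {F8FCF976-5256-53DC-0A9B-8ECCC6147F8D} - C:\WINDOWS\system32\neuzd.dll (file missing)
"""

# HijackThis line shapes this example understands (O4, O2, O20, O21).
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?,(\S+)', re.IGNORECASE)
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|dat|bin)\b', re.IGNORECASE)

# Registry locations spelled the way the CFScript in this thread spells them
# ("~" is ComboFix's shorthand for the Browser Helper Objects key).
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"


def triage(line):
    """Return (rule, note) findings for one HijackThis line.
    The rules are review heuristics chosen for this example (an assumption,
    not HijackThis's own logic); an empty list means nothing looked odd."""
    hits = []
    if "(no file)" in line or "(file missing)" in line:
        hits.append(("missing-target", "loading point names a file that is not on disk"))
    if re.search(r"\\temp\\", line, re.IGNORECASE):
        hits.append(("temp-path", "autostart launches from a Temp directory"))
    m = O4_RE.match(line)
    if m and re.fullmatch(r"[0-9a-f]{8}", m.group(2)):
        hits.append(("random-name", "Run value named like a random hex string"))
    r = RUNDLL_RE.search(line)
    if r and len(r.group(2)) == 1:
        hits.append(("rundll32-export", "rundll32 calls a one-letter export in " + r.group(1)))
    b = O2_RE.match(line)
    if b and b.group(1) == "(no name)" and "\\system32\\" in b.group(3).lower():
        hits.append(("unnamed-bho", "nameless BHO loaded from system32"))
    if O20_RE.match(line) or O21_RE.match(line):
        hits.append(("privileged-hook", "Winlogon Notify / SSODL entry; verify the publisher"))
    return hits


def cfscript(lines):
    """Draft File:: and Registry:: sections, in the layout of the CFScript
    above, for every line triage() flags. Folder:: and Driver:: cannot be
    derived from HijackThis lines and are left out; a person still reviews it."""
    files, deletes, values = [], [], {}
    for line in lines:
        if not triage(line):
            continue
        target = ""
        m = O4_RE.match(line)
        if m:
            values.setdefault(RUN_KEYS[m.group(1)], []).append(m.group(2))
            target = m.group(3)
        b = O2_RE.match(line)
        if b:
            deletes.append(BHO_KEY + "\\" + b.group(2))
            target = b.group(3)
        w = O20_RE.match(line)
        if w:
            deletes.append(NOTIFY_KEY + "\\" + w.group(1))
            target = w.group(2)
        s = O21_RE.match(line)
        if s:
            values.setdefault(SSODL_KEY, []).append(s.group(1))
            target = s.group(3)
        p = PATH_RE.search(target)  # only full paths go into File::
        if p and p.group(0) not in files:
            files.append(p.group(0))
    out = ["File::"] + files + ["Registry::"]
    out += ["[-%s]" % key for key in deletes]
    for key, names in values.items():
        out.append("[%s]" % key)
        out += ['"%s"=-' % name for name in names]
    return "\n".join(out)


if __name__ == "__main__":
    entries = SAMPLE_LOG.strip().splitlines()
    for entry in entries:
        for rule, note in triage(entry):
            print("%-16s %s  <- %s" % (rule, note, entry))
    print()
    print(cfscript(entries))
```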

#5 Scottman

Scottman
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  • Local time:07:07 PM

Posted 27 October 2007 - 10:33 PM

Here's the new Combofix file:

ComboFix 07-10-25.4 - All 2007-10-27 14:35:26.2 - NTFSx86
Running from: C:\Documents and Settings\All\Desktop\ComboFix-1.exe
Command switches used :: C:\Documents and Settings\All\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Documents and Settings\All\g2mdlhlpx.exe
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\btasv.dll
C:\WINDOWS\system32\drivers\lsisrmki.dat
C:\WINDOWS\system32\drivers\snkwevbj.dat
C:\WINDOWS\system32\fccawtr.dll
C:\WINDOWS\system32\fccaxxw.dll
C:\WINDOWS\system32\fcccaab.dll
C:\WINDOWS\system32\khfdaax.dll
C:\WINDOWS\system32\khfeeef.dll
C:\WINDOWS\system32\ktasr.dll
C:\WINDOWS\system32\mljgdaa.dll
C:\WINDOWS\system32\opnligg.dll
C:\WINDOWS\system32\pmnligh.dll
C:\WINDOWS\system32\qommljj.dll
C:\WINDOWS\system32\sipov.dll
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\tcprp.dll
C:\WINDOWS\system32\tuvwwvu.dll
C:\WINDOWS\system32\vtuvtqo.dll
C:\WINDOWS\system32\wmcntmfb.dll
C:\WINDOWS\system32\xxyaaaw.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\d0b9618f1301cc42fc
C:\d0b9618f1301cc42fc\$shtdwn$.req
C:\d0b9618f1301cc42fc\audiodev.dll
C:\d0b9618f1301cc42fc\blackbox.dll
C:\d0b9618f1301cc42fc\cewmdm.dll
C:\d0b9618f1301cc42fc\drmupgds.exe
C:\d0b9618f1301cc42fc\drmv2clt.dll
C:\d0b9618f1301cc42fc\laprxy.dll
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.401
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.404
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.405
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.406
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.407
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.408
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.409
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.40b
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.40c
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.40d
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.40e
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.410
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.411
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.412
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.413
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.414
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.415
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.416
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.419
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.41b
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.41d
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.41f
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.424
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.804
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.816
C:\d0b9618f1301cc42fc\locbin\wpdshextres.dll.c0a
C:\d0b9618f1301cc42fc\logagent.exe
C:\d0b9618f1301cc42fc\mfplat.dll
C:\d0b9618f1301cc42fc\mp43decd.dll
C:\d0b9618f1301cc42fc\mp43dmod.dll
C:\d0b9618f1301cc42fc\mp4sdecd.dll
C:\d0b9618f1301cc42fc\mp4sdmod.dll
C:\d0b9618f1301cc42fc\mpg4decd.dll
C:\d0b9618f1301cc42fc\mpg4dmod.dll
C:\d0b9618f1301cc42fc\msnetobj.dll
C:\d0b9618f1301cc42fc\mspmsnsv.dll
C:\d0b9618f1301cc42fc\mspmsp.dll
C:\d0b9618f1301cc42fc\msscp.dll
C:\d0b9618f1301cc42fc\mswmdm.dll
C:\d0b9618f1301cc42fc\portabledeviceapi.dll
C:\d0b9618f1301cc42fc\portabledeviceclassextension.dll
C:\d0b9618f1301cc42fc\portabledevicetypes.dll
C:\d0b9618f1301cc42fc\portabledevicewiacompat.dll
C:\d0b9618f1301cc42fc\portabledevicewmdrm.dll
C:\d0b9618f1301cc42fc\qasf.dll
C:\d0b9618f1301cc42fc\spuninst.exe
C:\d0b9618f1301cc42fc\spupdsvc.exe
C:\d0b9618f1301cc42fc\update\update.exe
C:\d0b9618f1301cc42fc\update\update.inf
C:\d0b9618f1301cc42fc\update\update.ver
C:\d0b9618f1301cc42fc\update\updspapi.dll
C:\d0b9618f1301cc42fc\update\wmfdist11.cat
C:\d0b9618f1301cc42fc\update\wmfdist11.cdf
C:\d0b9618f1301cc42fc\update\wpdinstallutil.dll
C:\d0b9618f1301cc42fc\uwdf.exe
C:\d0b9618f1301cc42fc\wdfapi.dll
C:\d0b9618f1301cc42fc\wdfmgr.exe
C:\d0b9618f1301cc42fc\wmadmod.dll
C:\d0b9618f1301cc42fc\wmadmoe.dll
C:\d0b9618f1301cc42fc\wmasf.dll
C:\d0b9618f1301cc42fc\wmdmlog.dll
C:\d0b9618f1301cc42fc\wmdmps.dll
C:\d0b9618f1301cc42fc\wmdrmdev.dll
C:\d0b9618f1301cc42fc\wmdrmnet.dll
C:\d0b9618f1301cc42fc\wmdrmsdk.dll
C:\d0b9618f1301cc42fc\wmidx.dll
C:\d0b9618f1301cc42fc\wmnetmgr.dll
C:\d0b9618f1301cc42fc\wmsdmod.dll
C:\d0b9618f1301cc42fc\wmsdmoe2.dll
C:\d0b9618f1301cc42fc\wmsetsdk.exe
C:\d0b9618f1301cc42fc\wmspdmod.dll
C:\d0b9618f1301cc42fc\wmspdmoe.dll
C:\d0b9618f1301cc42fc\wmvadvd.dll
C:\d0b9618f1301cc42fc\wmvadve.dll
C:\d0b9618f1301cc42fc\wmvcore.dll
C:\d0b9618f1301cc42fc\wmvdecod.dll
C:\d0b9618f1301cc42fc\wmvdmod.dll
C:\d0b9618f1301cc42fc\wmvdmoe2.dll
C:\d0b9618f1301cc42fc\wmvencod.dll
C:\d0b9618f1301cc42fc\wmvsdecd.dll
C:\d0b9618f1301cc42fc\wmvsencd.dll
C:\d0b9618f1301cc42fc\wmvxencd.dll
C:\d0b9618f1301cc42fc\wpd_ci.dll
C:\d0b9618f1301cc42fc\wpdconns.dll
C:\d0b9618f1301cc42fc\wpdinstallutil.dll
C:\d0b9618f1301cc42fc\wpdmtp.dll
C:\d0b9618f1301cc42fc\wpdmtp.inf
C:\d0b9618f1301cc42fc\wpdmtpdr.dll
C:\d0b9618f1301cc42fc\wpdmtphw.inf
C:\d0b9618f1301cc42fc\wpdmtpus.dll
C:\d0b9618f1301cc42fc\wpdshext.dll
C:\d0b9618f1301cc42fc\wpdshextautoplay.exe
C:\d0b9618f1301cc42fc\wpdshserviceobj.dll
C:\d0b9618f1301cc42fc\wpdsp.dll
C:\d0b9618f1301cc42fc\wpdusb.sys
C:\Documents and Settings\All\g2mdlhlpx.exe
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\btasv.dll
C:\WINDOWS\system32\drivers\lsisrmki.dat
C:\WINDOWS\system32\drivers\snkwevbj.dat
C:\WINDOWS\system32\fccawtr.dll
C:\WINDOWS\system32\fccaxxw.dll
C:\WINDOWS\system32\fcccaab.dll
C:\WINDOWS\system32\khfdaax.dll
C:\WINDOWS\system32\khfeeef.dll
C:\WINDOWS\system32\ktasr.dll
C:\WINDOWS\system32\mljgdaa.dll
C:\WINDOWS\system32\opnligg.dll
C:\WINDOWS\system32\pmnligh.dll
C:\WINDOWS\system32\qommljj.dll
C:\WINDOWS\system32\sipov.dll
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\tcprp.dll
C:\WINDOWS\system32\tuvwwvu.dll
C:\WINDOWS\system32\vtuvtqo.dll
C:\WINDOWS\system32\wmcntmfb.dll
C:\WINDOWS\system32\xxyaaaw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NOITTUKV
-------\noittukv


((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-27 10:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-25 06:39 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-10 06:22 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 18:31 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-09 18:31 <DIR> d-------- C:\Documents and Settings\All\Application Data\PC Tools
2007-10-09 18:31 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-09 18:31 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-09 18:31 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-09 18:31 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-10-09 18:30 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-09 17:51 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-10-06 23:50 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-09-27 18:49 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-09-27 18:49 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 18:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-25 16:52 --------- d-----w C:\Program Files\Dl_cats
2007-10-10 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-10 01:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-09 22:13 --------- d-----w C:\Program Files\Norton 360
2007-10-09 21:47 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-09 21:47 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-09 21:47 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-09 21:47 --------- d-----w C:\Program Files\Symantec
2007-09-26 19:56 --------- d-----w C:\Program Files\Dell Photo AIO Printer 926
2007-09-25 07:00 --------- d-----w C:\Program Files\MSXML 4.0
2007-09-24 21:11 --------- d-----w C:\Documents and Settings\All\Application Data\Line 6
2007-09-24 21:06 --------- d-----w C:\Program Files\Sonoma Wire Works
2007-09-24 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonoma Wire Works
2007-09-24 09:58 --------- d-----w C:\Documents and Settings\All\Application Data\Corel
2007-09-24 09:57 --------- d-----w C:\Program Files\Corel
2007-09-24 09:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-09-24 09:55 --------- d-----w C:\Program Files\Common Files\Corel
2007-09-24 09:54 --------- d-----w C:\Program Files\Dell
2007-09-24 09:53 --------- d-----w C:\Program Files\Dell PC Fax
2007-09-23 13:46 --------- d-----w C:\Documents and Settings\All\Application Data\DellFaxCtr
2007-09-23 12:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\DellFaxCtr
2007-09-23 12:56 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 18:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 18:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 18:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 18:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 18:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 18:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 18:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-06 22:58 --------- d-----w C:\Documents and Settings\All\Application Data\Image Zone Express
2007-05-24 23:08 25,904 ----a-w C:\Documents and Settings\All\Application Data\GDIPFONTCACHEV1.DAT
2007-05-01 10:36 11,254 ----a-w C:\Documents and Settings\All\locate.com
.

((((((((((((((((((((((((((((( snapshot@2007-10-27_10.47.11.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 06:00:06 29,056 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
- 2007-10-09 22:32:32 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-10-27 14:52:20 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-09 22:32:32 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-27 14:52:20 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 57,344 2005-06-07 03:46:24 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe

----a-w 50,736 2006-11-07 15:29:02 C:\Program Files\AIM6\bak\aim6.exe
----a-w 50,736 2007-04-27 21:17:26 C:\Program Files\AIM6\aim6.exe

----a-w 483,394 2001-12-17 15:18:06 C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe

----a-w 49,152 2006-02-19 07:41:10 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 278,528 2006-02-23 19:45:20 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 86,102 2002-12-16 11:10:34 C:\Program Files\Lexmark X5100 Series\bak\lxbabmgr.exe

----a-w 155,648 2006-07-10 17:34:36 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 53,248 2002-02-05 02:32:10 C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE

----a-w 57,344 2001-11-21 05:49:46 C:\Program Files\Support.com\bin\bak\tgkill.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" []
"ComcastSUPPORT"="C:\Program Files\Support.com\bin\tgkill.exe" []
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 15:16]
"nwiz"="nwiz.exe" [2003-10-06 15:16 C:\WINDOWS\system32\nwiz.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"C:\DOCUME~1\All\LOCALS~1\Temp\update.exe"="C:\DOCUME~1\All\LOCALS~1\Temp\update.exe" []
"dlcxmon.exe"="C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 12:57]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 18:04]
"FaxCenterServer"="C:\Program Files\Dell PC Fax\fm3032.exe" [2006-11-03 18:09]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 11:06]
"DLCXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 01:31]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-10-06 15:16]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2002-01-09 22:53:14]
EZ-DUB Finder.lnk - C:\Program Files\EZ-DUB\EZ-DUB.exe [2005-09-13 19:47:52]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R2 dlcx_device;dlcx_device;C:\WINDOWS\system32\dlcxcoms.exe -service
R2 EraserSvc10732;Symantec Eraser Service;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
S3 ADBLOCK.DLL;Lavasoft Firewall PlugIn (ADBLOCK.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\ADBLOCK.DLL
S3 ARP.DLL;Lavasoft Firewall PlugIn (ARP.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\ARP.DLL
S3 CONTENT.DLL;Lavasoft Firewall PlugIn (CONTENT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\CONTENT.DLL
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\WINDOWS\system32\DRIVERS\CSVirtA.sys
S3 DNSCACHE.DLL;Lavasoft Firewall PlugIn (DNSCACHE.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\DNSCACHE.DLL
S3 EraserUtilDrv10710;EraserUtilDrv10710;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10710.sys
S3 EraserUtilDrv10733;EraserUtilDrv10733;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10733.sys
S3 EraserUtilDrvI3;EraserUtilDrvI3;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI3.sys
S3 FTPFILT.DLL;Lavasoft Firewall PlugIn (FTPFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\FTPFILT.DLL
S3 HTMLFILT.DLL;Lavasoft Firewall PlugIn (HTMLFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\HTMLFILT.DLL
S3 HTTPFILT.DLL;Lavasoft Firewall PlugIn (HTTPFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\HTTPFILT.DLL
S3 IMAPFILT.DLL;Lavasoft Firewall PlugIn (IMAPFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\IMAPFILT.DLL
S3 MAILFILT.DLL;Lavasoft Firewall PlugIn (MAILFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\MAILFILT.DLL
S3 NNTPFILT.DLL;Lavasoft Firewall PlugIn (NNTPFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\NNTPFILT.DLL
S3 POP3FILT.DLL;Lavasoft Firewall PlugIn (POP3FILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\POP3FILT.DLL
S3 PROTECT.DLL;Lavasoft Firewall PlugIn (PROTECT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\PROTECT.DLL
S3 RIOXDRV;SONICblue Rio generic driver XP+;C:\WINDOWS\system32\Drivers\RIOXDRV.sys
S3 SECRET.DLL;Lavasoft Firewall PlugIn (SECRET.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\SECRET.DLL

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 14:46:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\TEMP

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"C:\\DOCUME~1\\All\\LOCALS~1\\Temp\\update.exe"="C:\\DOCUME~1\\All\\LOCALS~1\\Temp\\update.exe"
.
Completion time: 2007-10-27 14:54:48 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-27 10:54
C:\ComboFix3.txt ... 2007-08-04 23:25
.
--- E O F ---


And here's the FindAWF


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM6\BAK

06-11-07 11:29 50,736 aim6.exe
1 File(s) 50,736 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

06-02-23 15:45 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\LEXMAR~1\BAK

02-12-16 07:10 86,102 lxbabmgr.exe
1 File(s) 86,102 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06-07-10 13:34 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\REGSHAVE\BAK

02-02-04 22:32 53,248 REGSHAVE.EXE
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

01-12-17 11:18 483,394 CFD.exe
1 File(s) 483,394 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

06-02-19 03:41 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\SUPPORT.COM\BIN\BAK

01-11-21 01:49 57,344 tgkill.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

05-06-06 23:46 57,344 apdproxy.exe
1 File(s) 57,344 bytes

Directory of C:\QOOBOX\PURITY\PROGRA~1\COMMON~1\FNTS~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

50736 Apr 27 2007 "C:\Program Files\AIM6\aim6.exe"
50736 Nov 7 2006 "C:\Program Files\AIM6\bak\aim6.exe"
278528 Feb 23 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
86102 Dec 16 2002 "C:\Program Files\Lexmark X5100 Series\bak\lxbabmgr.exe"
155648 Jul 10 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
53248 Feb 4 2002 "C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
483394 Dec 17 2001 "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"
49152 Feb 19 2006 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
57344 Nov 21 2001 "C:\Program Files\Support.com\bin\bak\tgkill.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"


end of report



What next?

Thanks!

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 28 October 2007 - 04:43 AM

Double-click FindAWF.exe to start the tool.
Select option #2 - Restore files from bak folders by typing 2 and pressing 'Enter'
A text file will open up.
Please copy and paste the following bold text inside the quote box below into the text file:

"C:\Program Files\AIM6\bak\aim6.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Lexmark X5100 Series\bak\lxbabmgr.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
"C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Support.com\bin\bak\tgkill.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"


Close the files.txt and click Yes to save the changes.
FindAWF will now terminate the bad processes if running, delete the bad files and restore/replace them with the good files.
Then it will open a log.
Copy and paste the contents of that log in your next reply.

#7 Scottman

Scottman
  • Topic Starter

  • Members
  • 57 posts

Posted 28 October 2007 - 08:24 AM

RichieUK

We are rolling now!

Here's the log:


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 07-10-28
The current time is: 9:22:36.18


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM6\BAK

06-11-07 11:29 50,736 aim6.exe
1 File(s) 50,736 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

06-02-23 15:45 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\LEXMAR~1\BAK

02-12-16 07:10 86,102 lxbabmgr.exe
1 File(s) 86,102 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06-07-10 13:34 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\REGSHAVE\BAK

02-02-04 22:32 53,248 REGSHAVE.EXE
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

01-12-17 11:18 483,394 CFD.exe
1 File(s) 483,394 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

06-02-19 03:41 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\SUPPORT.COM\BIN\BAK

01-11-21 01:49 57,344 tgkill.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

05-06-06 23:46 57,344 apdproxy.exe
1 File(s) 57,344 bytes

Directory of C:\QOOBOX\PURITY\PROGRA~1\COMMON~1\FNTS~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

50736 Nov 7 2006 "C:\Program Files\AIM6\aim6.exe"
50736 Nov 7 2006 "C:\Program Files\AIM6\bak\aim6.exe"
278528 Feb 23 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Feb 23 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
86102 Dec 16 2002 "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
86102 Dec 16 2002 "C:\Program Files\Lexmark X5100 Series\bak\lxbabmgr.exe"
155648 Jul 10 2006 "C:\Program Files\QuickTime\qttask.exe"
155648 Jul 10 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
53248 Feb 4 2002 "C:\Program Files\REGSHAVE\REGSHAVE.EXE"
53248 Feb 4 2002 "C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
483394 Dec 17 2001 "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
483394 Dec 17 2001 "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"
49152 Feb 19 2006 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 19 2006 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
57344 Nov 21 2001 "C:\Program Files\Support.com\bin\tgkill.exe"
57344 Nov 21 2001 "C:\Program Files\Support.com\bin\bak\tgkill.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"


end of report

I hope the nasties are on the run now!

What's next?
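The two FindAWF reports above show the pattern the tool looks for: a legitimate startup executable moved into a sibling bak folder, while the original location either holds a different file of the same name or, after a cleaner has run, is empty; option 2 then copies the bak copies back. As an added example (not FindAWF's own code or anything from this thread), the script below classifies bak folders the same way on a constructed directory tree and then performs the option 2 style restore, hashing each pair rather than trusting size alone, since in the first report aim6.exe and its bak copy share a size of 50,736 bytes but carry different dates. The folder names and file contents are constructed for the demo.

```python
"""Detect and repair the AWF pattern that FindAWF reports on.

Added example, not part of FindAWF or the thread. The directory names and
file contents in build_sample_tree() are constructed to mirror the posted
reports; nothing here terminates processes, which FindAWF also does.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a large executable need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_bak_folders(root) -> dict:
    """Walk `root` for directories named 'bak' and compare each file in them
    with the same-named file in the parent directory.

    Status per parent path:
      'replaced' - parent copy exists but differs (the infection pattern)
      'missing'  - parent copy is gone (as in the first report, where only
                   the bak copies are listed after ComboFix ran)
      'restored' - parent copy is byte-identical (state after option 2)
    """
    results = {}
    for dirpath, _, filenames in os.walk(root):
        if Path(dirpath).name.lower() != "bak":
            continue
        parent = Path(dirpath).parent
        for name in filenames:
            bak_file = Path(dirpath) / name
            original = parent / name
            if not original.exists():
                results[str(original)] = "missing"
            elif (original.stat().st_size == bak_file.stat().st_size
                  and sha256_of(original) == sha256_of(bak_file)):
                results[str(original)] = "restored"
            else:
                # Same size is not enough: hash the pair before trusting it.
                results[str(original)] = "replaced"
    return results


def restore_from_bak(root) -> list:
    """Mirror FindAWF option 2: put the bak copy back over every 'replaced'
    or 'missing' parent file. Returns the parent paths that were restored."""
    restored = []
    for original, status in classify_bak_folders(root).items():
        if status in ("replaced", "missing"):
            orig = Path(original)
            shutil.copy2(orig.parent / "bak" / orig.name, orig)
            restored.append(original)
    return restored


def build_sample_tree() -> Path:
    """Constructed tree with one folder per status: AIM6 replaced, iTunes
    missing, QuickTime already restored. Returns the temporary root."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    cases = {
        "AIM6/aim6.exe": ("legit aim6 bytes", "dropper bytes"),
        "iTunes/iTunesHelper.exe": ("legit helper bytes", None),
        "QuickTime/qttask.exe": ("legit qttask bytes", "legit qttask bytes"),
    }
    for rel, (bak_content, parent_content) in cases.items():
        target = root / rel
        bak_dir = target.parent / "bak"
        bak_dir.mkdir(parents=True, exist_ok=True)
        (bak_dir / target.name).write_text(bak_content)
        if parent_content is not None:
            target.write_text(parent_content)
    return root


def summarize(report: dict) -> dict:
    """Key the report by program folder name so callers ignore the temp root."""
    return {Path(p).parent.name: s for p, s in report.items()}


def demo():
    """Classify the sample tree, restore it, classify again; returns
    (before, after) as folder-name -> status dictionaries."""
    root = build_sample_tree()
    try:
        before = summarize(classify_bak_folders(root))
        restore_from_bak(root)
        after = summarize(classify_bak_folders(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for folder in sorted(before):
        print(f"{folder:10} before={before[folder]:9} after={after[folder]}")
```

On a real machine the remaining step is the one post #8 describes: once every pair reads 'restored', the bak folders themselves are removed so the decoy copies cannot be swapped back in.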

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 28 October 2007 - 08:46 AM

Double-click FindAWF.exe to start the tool.
Select option #3 - Remove bak folders by typing 3 and pressing 'Enter'
A text file will open up.
Please copy/paste the following bold text inside the quote box below into the text file:

"C:\Program Files\AIM6\bak"
"C:\Program Files\iTunes\bak"
"C:\Program Files\Lexmark X5100 Series\bak"
"C:\Program Files\QuickTime\bak"
"C:\Program Files\REGSHAVE\bak"
"C:\Program Files\BroadJump\Client Foundation\bak"
"C:\Program Files\HP\HP Software Update\bak"
"C:\Program Files\Support.com\bin\bak"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak"


Then close folders.txt and let it save the changes.
FindAWF will now remove the bak folders and open a log afterwards.
Copy and paste the contents of that log in your next reply along with a new HijackThis log.

#9 Scottman

Scottman
  • Topic Starter

  • Members
  • 57 posts

Posted 28 October 2007 - 10:59 AM

Here ya go!


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: 07-10-28
The current time is: 11:56:37.71


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM6\BAK

06-11-07 11:29 50,736 aim6.exe
1 File(s) 50,736 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

06-02-23 15:45 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\LEXMAR~1\BAK

02-12-16 07:10 86,102 lxbabmgr.exe
1 File(s) 86,102 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06-07-10 13:34 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\REGSHAVE\BAK

02-02-04 22:32 53,248 REGSHAVE.EXE
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

01-12-17 11:18 483,394 CFD.exe
1 File(s) 483,394 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

06-02-19 03:41 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\SUPPORT.COM\BIN\BAK

01-11-21 01:49 57,344 tgkill.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

05-06-06 23:46 57,344 apdproxy.exe
1 File(s) 57,344 bytes

Directory of C:\QOOBOX\PURITY\PROGRA~1\COMMON~1\FNTS~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

50736 Nov 7 2006 "C:\Program Files\AIM6\aim6.exe"
50736 Nov 7 2006 "C:\Program Files\AIM6\bak\aim6.exe"
278528 Feb 23 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Feb 23 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
86102 Dec 16 2002 "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
86102 Dec 16 2002 "C:\Program Files\Lexmark X5100 Series\bak\lxbabmgr.exe"
155648 Jul 10 2006 "C:\Program Files\QuickTime\qttask.exe"
155648 Jul 10 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
53248 Feb 4 2002 "C:\Program Files\REGSHAVE\REGSHAVE.EXE"
53248 Feb 4 2002 "C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
483394 Dec 17 2001 "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
483394 Dec 17 2001 "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"
49152 Feb 19 2006 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 19 2006 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
57344 Nov 21 2001 "C:\Program Files\Support.com\bin\tgkill.exe"
57344 Nov 21 2001 "C:\Program Files\Support.com\bin\bak\tgkill.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"


end of report


Next?

#10 Scottman

Scottman
  • Topic Starter

  • Members
  • 57 posts

Posted 28 October 2007 - 11:01 AM

Forgot the HJT log

Sorry!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01, on 07-10-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toggle.com/index.php?rvs=hompag
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [C:\DOCUME~1\All\LOCALS~1\Temp\update.exe] C:\DOCUME~1\All\LOCALS~1\Temp\update.exe
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {97E7818A-29C2-441E-857C-EBA970D7B5D2} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {D34637AF-8024-434D-A488-4BC633950521} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {DD9FC0CA-BFEF-496F-AB22-C995E60BA7D5} - http://www.comcast.net (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162659590343
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.leaguelineup.com/XUpload.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: Symantec Eraser Service (EraserSvc10732) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 10190 bytes

Scottman

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 28 October 2007 - 08:13 PM

Run 'ESET Online Scanner' using Internet Explorer:
http://www.eset.com/onlinescan/
Place a check in the box 'YES, I accept the Terms of Use' after reading.
Then click 'Start'.
Allow the ActiveX control to install.
Then click 'Start' in the 'ESET Online Scanner' window.
Place a check in the box 'Remove found threats'.
Leave the box 'Scan unwanted applications' blank.
Then press 'Scan'.
The scan will take up some time so please be patient.
Once the scan has finished, post the entire contents of the logfile:
C:\Program Files\EsetOnlineScanner\log.txt


Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs, click ‘Custom Scan’ and be sure the following are checked:
1. Scan whole System
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found, select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button, then copy and paste the entire report into your next reply.

Also post a new HijackThis log, and let me know how your PC is running now.

#12 Scottman

Scottman
  • Topic Starter

  • Members
  • 57 posts
  • Local time:07:07 PM

Posted 30 October 2007 - 05:52 AM

Richie UK

Had some problems. I ran the ESET, no problems (although it took a couple of hours). I then ran the F-Secure, and it took many hours to complete. It made it through the scans, and found 950 viruses, and 13 spyware programs! When I went to bed it was in the "cleaning and disinfecting" mode. When I came down this morning, I got a message that Internet Explorer stopped working. When I clicked the "don't send" button, everything disappeared, no log file. It took a very long time for my computer to boot up...maybe 15 minutes, mostly a blank screen.

In any event, here's the ESET log:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2622 (20071028)
# vers_arch_module=1.058 (20070906)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=8659f44659b237408c103030e04aca93
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2007-10-29 11:13:19
# local_time=2007-10-29 07:13:19 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=219377
# found=18
# scan_time=3014
C:\QooBox\Purity\WINDOWS\system32\SSEMBL~1\w?wexec.exe probably a variant of Win32/Adware.PurityScan application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\Temporary\wininstall.exe.vir probably a variant of Win32/Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Program Files\WinAble\winable.exe.vir probably a variant of Win32/TrojanDownloader.Adload trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\tsitra801.exe.vir Win32/TrojanDownloader.Agent.BLS trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\btasv.dll.vir probably a variant of Win32/Genetik trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\glbyjdvj.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\jjytmeux.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\KB79238020.exe.vir a variant of Win32/TrojanDropper.Agent.AKO trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\ktasr.dll.vir probably a variant of Win32/Genetik trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\qkvwckpj.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\sipov.dll.vir probably a variant of Win32/TrojanClicker.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\tcprp.dll.vir probably a variant of Win32/TrojanClicker.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\update177.exe.vir Win32/Rootkit.Agent.EY trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\update281.exe.vir a variant of Win32/TrojanDownloader.Agent.NRL trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\~.exe.vir a variant of Win32/TrojanDownloader.Tiny.NJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Wfbh23.sys.vir Win32/Rootkit.Agent.HU trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\DirectX\systemregistry32_sp2.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\DirectX\systemregistry32_sp2x.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000


Here's a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:51, on 07-10-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\dlcxcoms.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [C:\DOCUME~1\All\LOCALS~1\Temp\update.exe] C:\DOCUME~1\All\LOCALS~1\Temp\update.exe
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {97E7818A-29C2-441E-857C-EBA970D7B5D2} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {D34637AF-8024-434D-A488-4BC633950521} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {DD9FC0CA-BFEF-496F-AB22-C995E60BA7D5} - http://www.comcast.net (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162659590343
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.leaguelineup.com/XUpload.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: Symantec Eraser Service (EraserSvc10732) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 9802 bytes


What's next?

Scottman
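One thing a reader can take from the HijackThis logs in this thread is how to pick out the O4 autorun entries worth a second look: a Run value whose program sits in a user's Temp directory, and whose value name is the program's own path rather than a product name (as with the `update.exe` entry above), is the kind of line a malware responder checks first. The script below is an added example for illustration only; it is not RichieUK's procedure and not part of HijackThis. The sample lines are a constructed subset in the HijackThis O4 format, and the 8.3 short-name table (`DOCUME~1`, `LOCALS~1`, `PROGRA~1`) is an assumption to make the paths readable; a real tool would resolve short names against the file system.

```python
"""Triage HKLM/HKCU Run entries from a HijackThis log (added example).

Not RichieUK's procedure and not HijackThis code. The short-name table is
an assumption used only so the sample paths read in long form.
"""
import re
from dataclasses import dataclass, field

# Constructed sample lines in the HijackThis O4 format (a subset modelled on
# the entries quoted in this thread, not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C:\DOCUME~1\All\LOCALS~1\Temp\update.exe] C:\DOCUME~1\All\LOCALS~1\Temp\update.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Matches "O4 - HKLM\..\Run: [value name] command line"
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")

# Assumed expansions for the DOS 8.3 short names that appear in the log.
SHORT_NAMES = {
    "DOCUME~1": "Documents and Settings",
    "LOCALS~1": "Local Settings",
    "PROGRA~1": "Program Files",
}


@dataclass
class Finding:
    hive: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def expand_short_names(path: str) -> str:
    """Replace known 8.3 components so the path checks see the long form."""
    parts = [SHORT_NAMES.get(p.upper(), p) for p in path.split("\\")]
    return "\\".join(parts)


def executable_path(command: str) -> str:
    """Pull the image path (or the rundll32 module path) out of a Run value."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    first, _, rest = command.partition(" ")
    if first.lower() in ("rundll32", "rundll32.exe"):
        # The loaded module is the part before the comma naming the entry point.
        return rest.strip().split(",", 1)[0]
    return first


def triage_run_entries(log_text: str) -> list:
    """Return the Run entries that match either review heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        hive, name, command = m.groups()
        path = expand_short_names(executable_path(command))
        reasons = []
        if "\\temp\\" in path.lower():
            reasons.append("temp-dir")        # program lives in a Temp folder
        if name.strip().lower() == command.strip().lower():
            reasons.append("name-is-path")    # value name is the path itself
        if reasons:
            findings.append(Finding(hive, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_LOG):
        print(f"{f.hive} [{f.name}] -> {f.path}: {', '.join(f.reasons)}")
```

Run on the sample, only the Temp-directory entry is reported, with both reasons; the Symantec, NVIDIA and ctfmon entries pass. The heuristics flag lines for review, not as a verdict: a flagged path still has to be checked against the scanner results and the file's publisher before anything is removed.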

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:12:07 AM

Posted 30 October 2007 - 06:18 AM

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

Also post a new HijackThis log please.

#14 Scottman

Scottman
  • Topic Starter

  • Members
  • 57 posts
  • Local time:07:07 PM

Posted 30 October 2007 - 09:52 PM

Kaspersky Scan

7-10-30 22:48
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/10/2007
Kaspersky Anti-Virus database records: 421396
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
Scan Statistics
Total number of scanned objects 65825
Number of viruses found 18
Number of infected objects 26
Number of suspicious objects 4
Duration of the scan process 01:06:05

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All\.housecall6.6\Quarantine\15509114.exe.0ac_a01844 Infected: Trojan-Downloader.Win32.Tiny.fy skipped
C:\Documents and Settings\All\.housecall6.6\Quarantine\18958648.exe.0ac_a01844 Infected: Trojan-Downloader.Win32.Tiny.fy skipped
C:\Documents and Settings\All\.housecall6.6\Quarantine\comsch.exe.0ac_a01844 Infected: Backdoor.Win32.SdBot.aad skipped
C:\Documents and Settings\All\.housecall6.6\Quarantine\image19.com.0ac_a01844 Infected: Backdoor.Win32.SdBot.aad skipped
C:\Documents and Settings\All\.housecall6.6\Quarantine\kbdfi32.dll.0ac_a01844 Infected: Trojan-Proxy.Win32.Delf.cc skipped
C:\Documents and Settings\All\.housecall6.6\Quarantine\lprhelp32.dll.0ac_a01844 Infected: Trojan-Proxy.Win32.Delf.cc skipped
C:\Documents and Settings\All\.housecall6.6\Quarantine\msiutil.exe.0ac_a01844 Infected: Trojan-Proxy.Win32.Delf.cc skipped
C:\Documents and Settings\All\Application Data\Sun\Java\Deployment\log\plugin150_03.trace Object is locked skipped
C:\Documents and Settings\All\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\All\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\All\Local Settings\Application Data\AOL OCP\AIM\Storage\data\bcrwarlock122\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\All\Local Settings\Application Data\AOL OCP\AIM\Storage\data\xdyingxsmilesx\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\All\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\All\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\All\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\All\Local Settings\History\History.IE5\MSHist012007103020071031\index.dat Object is locked skipped
C:\Documents and Settings\All\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\All\Local Settings\Temp\hsperfdata_All\3340 Object is locked skipped
C:\Documents and Settings\All\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\All\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\All\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC8.zip/wml.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC8.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1552OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\01F4D5B6.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\52CF6543.TMP Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\snkwevbj.sys.vir Infected: Rootkit.Win32.Agent.iy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rt25.exe.vir Infected: Packed.Win32.PolyCrypt.d skipped
C:\QooBox\Quarantine\catchme2007-10-27_144519.29.zip/lsisrmki.dat Infected: Trojan.Win32.Agent.cid skipped
C:\QooBox\Quarantine\catchme2007-10-27_144519.29.zip/snkwevbj.dat Infected: Trojan.Win32.Agent.cid skipped
C:\QooBox\Quarantine\catchme2007-10-27_144519.29.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DAAAFEA1-51C1-4DC2-9990-640EF10B8705}\RP2\A0000005.exe Infected: Trojan-Downloader.Win32.Small.fww skipped
C:\System Volume Information\_restore{DAAAFEA1-51C1-4DC2-9990-640EF10B8705}\RP2\A0000006.exe Infected: Trojan.Win32.Pakes.dm skipped
C:\System Volume Information\_restore{DAAAFEA1-51C1-4DC2-9990-640EF10B8705}\RP2\A0000007.exe Infected: Backdoor.Win32.Agent.bxx skipped
C:\System Volume Information\_restore{DAAAFEA1-51C1-4DC2-9990-640EF10B8705}\RP2\A0000008.exe Infected: Trojan.Win32.Qhost.it skipped
C:\System Volume Information\_restore{DAAAFEA1-51C1-4DC2-9990-640EF10B8705}\RP2\A0000009.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\System Volume Information\_restore{DAAAFEA1-51C1-4DC2-9990-640EF10B8705}\RP2\A0000011.sys Infected: Trojan-Downloader.Win32.Agent.acl skipped
C:\System Volume Information\_restore{DAAAFEA1-51C1-4DC2-9990-640EF10B8705}\RP2\A0000012.sys Infected: Rootkit.Win32.Agent.iy skipped
C:\System Volume Information\_restore{DAAAFEA1-51C1-4DC2-9990-640EF10B8705}\RP2\A0000219.exe Infected: Trojan.Win32.Agent.bqn skipped
C:\System Volume Information\_restore{DAAAFEA1-51C1-4DC2-9990-640EF10B8705}\RP2\A0000225.exe Infected: Trojan-Downloader.Win32.Adload.lv skipped
C:\System Volume Information\_restore{DAAAFEA1-51C1-4DC2-9990-640EF10B8705}\RP2\A0000269.exe Infected: Packed.Win32.PolyCrypt.d skipped
C:\System Volume Information\_restore{DAAAFEA1-51C1-4DC2-9990-640EF10B8705}\RP2\A0000279.sys Infected: Rootkit.Win32.Agent.jy skipped
C:\System Volume Information\_restore{DAAAFEA1-51C1-4DC2-9990-640EF10B8705}\RP3\A0000441.dll Infected: Trojan-Clicker.Win32.Agent.lu skipped
C:\System Volume Information\_restore{DAAAFEA1-51C1-4DC2-9990-640EF10B8705}\RP3\A0000442.dll Infected: Trojan-Clicker.Win32.Agent.lu skipped
C:\System Volume Information\_restore{DAAAFEA1-51C1-4DC2-9990-640EF10B8705}\RP6\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dgne.1 Infected: Trojan.Win32.Delf.agk skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:50, on 07-10-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\dlcxcoms.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\aim6\anotify.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [C:\DOCUME~1\All\LOCALS~1\Temp\update.exe] C:\DOCUME~1\All\LOCALS~1\Temp\update.exe
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Help - {97E7818A-29C2-441E-857C-EBA970D7B5D2} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {D34637AF-8024-434D-A488-4BC633950521} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {DD9FC0CA-BFEF-496F-AB22-C995E60BA7D5} - http://www.comcast.net (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162659590343
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.leaguelineup.com/XUpload.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: Symantec Eraser Service (EraserSvc10732) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 10015 bytes


What's next?

Thanks!

Scottman.
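As an added illustration, not code from the thread or from HijackThis itself, here is a small Python triage helper for lines in the format of the log above: it splits each entry into its section code and body, copes with the collapsed separators HijackThis prints for a service with no vendor string, and flags the entries a responder usually reads first (dead "(file missing)"/"(no file)" items, the O20 AppInit_DLLs hook, and O23 services with no vendor). The sample lines are copied from the posted log; the flag reasons are triage prompts assumed for the example, not a verdict on any of these entries (the O20 line here belongs to Lavasoft, for instance).

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Help - {97E7818A-29C2-441E-857C-EBA970D7B5D2} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - (no file)
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")

def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split one log line into its section code (O4, O23, ...) and the rest."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None

def service_fields(body: str) -> Tuple[str, str, str]:
    """An O23 body reads 'Service: <name> - <vendor> - <path>'. An unknown vendor
    is printed as 'name - - path', which collapses the two separators, so split
    from the right and treat a head ending in ' -' as an empty vendor."""
    head, _, path = body[len("Service: "):].rpartition(" - ")
    if head.endswith(" -"):
        return head[:-2], "", path
    name, _, vendor = head.rpartition(" - ")
    return name, vendor, path

def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for the entries worth a first look (assumed rules)."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        section, body = parsed
        if "(file missing)" in body or "(no file)" in body:
            findings.append(("dead entry, plain cleanup", raw.strip()))
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append(("AppInit_DLLs loads into every process using user32.dll; verify the DLL", raw.strip()))
        elif section == "O23" and not service_fields(body)[1]:
            findings.append(("service has no vendor string; verify its binary", raw.strip()))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```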

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 31 October 2007 - 07:36 AM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\QooBox
C:\WINDOWS\system32\dgne.1

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Delete everything inside this folder:
C:\Documents and Settings\All\.housecall6.6\Quarantine

Click on Start/Run, type cleanmgr into the 'Open:' space, then press Ok.
Let it scan your system for files to remove.
Make sure these 3 are checked and nothing else, then press Ok.
* Temporary Files
* Temporary Internet Files
* Recycle Bin


Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?"
Then select 'Yes', and your 'System Restore' directories will be purged.

Restart your pc.

Turn 'System Restore' back on:

Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.

Create a new 'System Restore' point:
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description, then click on 'Create', then click 'Close'.
The date and time are added automatically.

Also post a new HijackThis log please.
Let me know how your pc is running now.



