Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Warning Bar On Top Of Internet Explorer


  • This topic is locked This topic is locked
13 replies to this topic

#1 mikew1450

mikew1450

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:05 PM

Posted 03 November 2007 - 09:34 PM

can anyone help me figure this out, i keep getting warning bar top of explorer, says warning infected and need do virus scan, i did all said to remove with adware,spybot search, stinger, installed firewall. and still get warning sometimes on explorer, before i did virus scan it said was a trojan downloder zlob. i ran log as instructed. take a look see if what you think.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:53 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSVPS System - {7A22D62B-562F-4D55-8B1E-3AAA6C2BA688} - C:\WINDOWS\advreprwd.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: The sdrmod - {521A5897-9EA7-43B4-A51D-B4C11D67BEEF} - C:\WINDOWS\sdrmod.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] "C:\Program Files\Brother\ControlCenter2\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-18 Startup: TrueAssistant.lnk = C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: TrueAssistant.lnk = C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://img.member.yahoo.com/dl/atty/yinst_current.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1452/ftp...02/cpbrkpie.cab
O21 - SSODL: hupsrv - {0EEAFFCE-1925-4571-A2D8-1E4277AB760F} - C:\WINDOWS\hupsrv.dll
O21 - SSODL: bindmod - {C2FC6757-56AA-4E1B-AE0C-CDE9BAED22DB} - C:\WINDOWS\bindmod.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11926 bytes

BC AdBot (Login to Remove)

 


#2 mikew1450

mikew1450
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:05 PM

Posted 04 November 2007 - 01:20 PM

can anyone look at my logs please, infested with something.thank you
i have ran adware 4 times, spybot destroy, stinger, still no luck, then ran combo fix, here is the logs from scan.



ComboFix 07-11-01.1 - HP_Administrator 2007-11-04 10:09:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.559 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\HP_Administrator\Desktop\Error Cleaner.url
C:\Documents and Settings\HP_Administrator\Desktop\Privacy Protector.url
C:\Documents and Settings\HP_Administrator\Desktop\Spyware&Malware Protection.url
c:\documents and settings\hp_administrator\favorites\Error Cleaner.url
c:\documents and settings\hp_administrator\favorites\Privacy Protector.url
c:\documents and settings\hp_administrator\favorites\Spyware&Malware Protection.url
C:\WINDOWS\dat.txt
C:\WINDOWS\sdrmod.dll
C:\WINDOWS\search_res.txt
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
.

2007-11-04 10:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 20:09 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 19:16 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-11-03 19:16 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-11-03 19:16 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-11-03 19:16 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-11-03 19:16 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-11-03 19:16 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-11-03 19:15 <DIR> d-------- C:\Program Files\Sygate
2007-11-03 19:15 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-11-03 09:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-03 09:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-03 09:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-03 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-02 08:50 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-10-31 15:11 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2007-10-31 15:03 339,968 --a------ C:\WINDOWS\bindmod.dll
2007-10-31 15:03 311,296 --a------ C:\WINDOWS\advreprwd.dll
2007-10-31 15:03 270,336 --a------ C:\WINDOWS\hupsrv.dll
2007-10-31 15:03 143,360 --a------ C:\WINDOWS\wtopmod.exe
2007-10-31 14:39 <DIR> d-------- C:\SDVDTemp
2007-10-31 14:33 39,264 --a------ C:\WINDOWS\system32\drivers\Pcouffin.sys
2007-10-31 14:28 <DIR> dr------- C:\Documents and Settings\HP_Administrator\Application Data\Brother
2007-10-31 10:19 <DIR> d-------- C:\Program Files\Brother
2007-10-31 10:19 <DIR> d-------- C:\Brother
2007-10-31 10:19 176,128 --------- C:\WINDOWS\system32\Pdrvinst.dll
2007-10-31 10:19 147,456 --a------ C:\WINDOWS\brunin03.dll
2007-10-31 10:19 126,976 --------- C:\WINDOWS\system32\BrfxD04a.dll
2007-10-31 10:19 81,920 --------- C:\WINDOWS\system32\BrWebIns.dll
2007-10-31 10:19 65,536 --------- C:\WINDOWS\system32\Brwebup.exe
2007-10-31 10:19 65,536 --------- C:\WINDOWS\system32\Brmfrmps.exe
2007-10-31 10:19 0 --a------ C:\WINDOWS\brdfxspd.dat
2007-10-31 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2007-10-31 09:07 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\TrueSwitch
2007-10-23 12:31 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-10-23 12:29 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-10-23 12:26 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-23 12:24 <DIR> dr-h----- C:\MSOCache
2007-10-23 12:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-23 07:12 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\DivX
2007-10-23 07:05 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-10-23 07:03 <DIR> d-------- C:\Program Files\DivX
2007-10-16 20:07 <DIR> d-------- C:\Program Files\BearShare
2007-10-08 08:19 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 14:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-04 14:47 --------- d-----w C:\Program Files\TrueSwitchAT&TYahoo
2007-11-04 00:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-02 14:19 --------- d-----w C:\Program Files\Lx_cats
2007-11-02 14:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-02 13:52 --------- d-----w C:\Program Files\The Weather Channel FW
2007-11-02 13:45 --------- d-----w C:\Program Files\Transparent
2007-11-02 13:45 --------- d-----w C:\Program Files\AndreaMosaic
2007-11-02 03:03 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Yahoo!
2007-11-01 15:01 2,316 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2007-10-31 15:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-31 00:32 --------- d-----w C:\Program Files\Common Files\Real
2007-10-26 02:26 --------- d-----w C:\Program Files\TrueAssistant
2007-10-24 14:27 --------- d-----w C:\Program Files\BroadJump
2007-10-23 17:30 --------- d-----w C:\Program Files\Microsoft Works
2007-10-14 15:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-08 13:19 --------- d-----w C:\Program Files\iTunes
2007-10-08 13:01 --------- d-----w C:\Program Files\Apple Software Update
2007-10-03 23:35 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-03 23:35 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-03 23:35 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-03 23:35 --------- d-----w C:\Program Files\Symantec
2007-10-02 18:38 --------- d-----w C:\Program Files\Norton 360
2007-09-28 16:07 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-09-22 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-22 15:55 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Ahead
2007-09-22 14:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 18:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 18:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 18:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 18:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 18:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 18:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 18:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-17 19:48 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-15 14:00 --------- d-----w C:\Program Files\Pure Networks
2007-09-15 14:00 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-15 13:58 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\AOL
2007-09-15 13:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-14 01:27 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-09-05 23:14 --------- d-----w C:\Program Files\Common Files\Adobe
2007-08-05 19:05 164 ----a-w C:\install.dat
2006-06-06 16:34:37 22 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A22D62B-562F-4D55-8B1E-3AAA6C2BA688}]
2007-10-31 12:18 311296 --a------ C:\WINDOWS\advreprwd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{521A5897-9EA7-43B4-A51D-B4C11D67BEEF}"= C:\WINDOWS\sdrmod.dll [ ]

[HKEY_CLASSES_ROOT\CLSID\{521A5897-9EA7-43B4-A51D-B4C11D67BEEF}]
[HKEY_CLASSES_ROOT\sdrmod.ToolBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{A17546CB-2CFA-451E-9367-98E3D9BE9B67}]
[HKEY_CLASSES_ROOT\sdrmod.ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"LXCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 04:21]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 08:16]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 08:34]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 23:00]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 13:08]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 09:37]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
TrueAssistant.lnk - C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe [2007-09-13 07:45:20]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2007-10-31 10:20:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"hupsrv"= {0EEAFFCE-1925-4571-A2D8-1E4277AB760F} - C:\WINDOWS\hupsrv.dll [2007-10-31 12:18 270336]
"bindmod"= {C2FC6757-56AA-4E1B-AE0C-CDE9BAED22DB} - C:\WINDOWS\bindmod.dll [2007-10-31 12:18 339968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=C:\WINDOWS\pss\TrueAssistant.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
ARPWRMSG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EarthLink Installer]
" /C

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
"C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCCCATS]
rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxccmon.exe]
"C:\Program Files\Lexmark 3300 Series\lxccmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
rundll32 C:\PROGRA~1\MYWEBS~1\bar\5.bin\MWSBAR.DLL,S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
"C:\Program Files\MySpace\IM\MySpaceIM.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\5.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"nwiz.exe" /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ps2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys
R3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-10-23 18:13:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-29 13:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-04 10:14:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-04 10:16:11 - machine was rebooted
.
--- E O F ---

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:05 PM

Posted 04 November 2007 - 11:23 PM

Hello mikew1450,

NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again!

Please download SmitfraudFix


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of the SmitfraudFix report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Edited by SifuMike, 04 November 2007 - 11:27 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 mikew1450

mikew1450
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:05 PM

Posted 05 November 2007 - 07:03 PM

hey this worked perfect, thank you for your advice. i didnt have time to re do a log, should i redo one and post it make sure its clean totally.

#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:05 PM

Posted 05 November 2007 - 07:05 PM

The only way I can tell if you are clean is for you to post both the SmitfraudFix log and Hijackthis log.

I would not asked for them if it was not necessary.

The SmitfraudFix report is found at the root of the system drive, usually at C:\rapport.txt

Edited by SifuMike, 05 November 2007 - 07:36 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 mikew1450

mikew1450
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:05 PM

Posted 06 November 2007 - 03:46 PM

here is the logs from scans.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:20 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: MSVPS System - {7A22D62B-562F-4D55-8B1E-3AAA6C2BA688} - C:\WINDOWS\advreprwd.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: The sdrmod - {521A5897-9EA7-43B4-A51D-B4C11D67BEEF} - C:\WINDOWS\sdrmod.dll (file missing)
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] "C:\Program Files\Brother\ControlCenter2\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://img.member.yahoo.com/dl/atty/yinst_current.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1452/ftp...02/cpbrkpie.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9370 bytes




SmitFraudFix v2.249

Scan done at 15:34:22.79, Tue 11/06/2007
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS1\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E6D9498E-FA6A-44D0-A8FD-C34DA87ADF9C}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#7 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:05 PM

Posted 06 November 2007 - 05:36 PM

Hi mikew1450,

We still need to remove some items.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of  Java Runtime Environment (JRE) 6 Update 3.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language  jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
*******************************************
Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

I see you are running Teatimer.

I suggest you to disable it because it can interfere with the changes you'll make on your system.

If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer during HijackThis Cleanup

When everything is done and your log is clean again, you can enable it again.



Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O3 - Toolbar: The sdrmod - {521A5897-9EA7-43B4-A51D-B4C11D67BEEF} - C:\WINDOWS\sdrmod.dll (file missing)
O8 - Extra context menu item: &Search - ?p=ZK
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1452/ftp...02/cpbrkpie.cab


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
• Clean any others that you choose.

In the Applications Tab:
• Clean all including cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot your computer.

If you have used Combofix before, please delete the version you are having and redownload it again, because Combofix is being updated everyday.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
 Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix  log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
 
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

If you have Norton Antivirus installed then disable script blocking so it will not interfere with the fix.

To disable Norton Script blocking Service:

* Disable the Script Blocking Service:
To open Services, click Start, point to Settings, and then click Control Panel.
Double-click Administrative Tools, and then double-click Services.
Find ScriptBlocking services, Right-click the service, and then click and then click Properties.
On the General tab, under Startup, click Disabled.
Under Service Status, click Stop button. Click Apply button.

* Disable the Script Blocking In Norton Settings:
Start Norton Antivirus.
Click Options. If a menu appears when you click Options, then click Norton Antivirus. The Norton Antivirus Options dialog box appears.
Click Script Blocking.
Uncheck Enable Script Blocking (recommended).
Click OK
You can reenable it afterwards when everything is clean again.

Edited by SifuMike, 06 November 2007 - 05:38 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 mikew1450

mikew1450
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:05 PM

Posted 06 November 2007 - 08:16 PM

hey mike i did as you requested, here is new logs , also i noticed everytime i reboot, the sygate firewall does not start automaticly, i have to start the service, is this normal? anyways here is both logs.

ComboFix 07-11-07.3 - HP_Administrator 2007-11-06 19:31:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.570 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\advreprwd.dll
C:\WINDOWS\dat.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\wtopmod.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-06 19:01 <DIR> d-------- C:\Program Files\CCleaner
2007-11-06 18:54 <DIR> d-------- C:\Program Files\Sun
2007-11-06 18:47 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-06 16:41 <DIR> d-------- C:\Program Files\IE New Window Maximizer
2007-11-06 16:40 422,597 --a------ C:\iemaximizer24.exe
2007-11-06 16:16 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-11-06 15:21 75,384 --a------ C:\WINDOWS\TrueInstall.exe
2007-11-05 11:36 2,580 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-05 11:35 <DIR> d-------- C:\SmitfraudFix
2007-11-05 11:35 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-05 11:35 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-05 11:35 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-05 11:35 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-05 11:35 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-05 11:26 1,041,449 --a------ C:\SmitfraudFix.exe
2007-11-05 10:25 <DIR> d-------- C:\WINDOWS\Profiles
2007-11-04 10:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 20:09 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 19:16 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-11-03 19:16 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-11-03 19:16 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-11-03 19:16 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-11-03 19:16 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-11-03 19:16 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-11-03 19:15 <DIR> d-------- C:\Program Files\Sygate
2007-11-03 19:15 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-11-03 09:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-03 09:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-03 09:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-03 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-02 08:50 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-10-31 15:11 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2007-10-31 14:39 <DIR> d-------- C:\SDVDTemp
2007-10-31 14:33 39,264 --a------ C:\WINDOWS\system32\drivers\Pcouffin.sys
2007-10-31 14:28 <DIR> dr------- C:\Documents and Settings\HP_Administrator\Application Data\Brother
2007-10-31 10:19 <DIR> d-------- C:\Program Files\Brother
2007-10-31 10:19 <DIR> d-------- C:\Brother
2007-10-31 10:19 176,128 --------- C:\WINDOWS\system32\Pdrvinst.dll
2007-10-31 10:19 147,456 --a------ C:\WINDOWS\brunin03.dll
2007-10-31 10:19 126,976 --------- C:\WINDOWS\system32\BrfxD04a.dll
2007-10-31 10:19 81,920 --------- C:\WINDOWS\system32\BrWebIns.dll
2007-10-31 10:19 65,536 --------- C:\WINDOWS\system32\Brwebup.exe
2007-10-31 10:19 65,536 --------- C:\WINDOWS\system32\Brmfrmps.exe
2007-10-31 10:19 0 --a------ C:\WINDOWS\brdfxspd.dat
2007-10-31 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2007-10-31 09:07 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\TrueSwitch
2007-10-23 12:31 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-10-23 12:29 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-10-23 12:26 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-23 12:24 <DIR> dr-h----- C:\MSOCache
2007-10-23 12:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-23 07:12 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\DivX
2007-10-23 07:05 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-10-23 07:03 <DIR> d-------- C:\Program Files\DivX
2007-10-16 20:07 <DIR> d-------- C:\Program Files\BearShare
2007-10-08 08:19 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 00:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-06 23:54 --------- d-----w C:\Program Files\Java
2007-11-06 23:19 --------- d-----w C:\Program Files\Lx_cats
2007-11-06 21:24 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Yahoo!
2007-11-06 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-06 20:21 --------- d-----w C:\Program Files\TrueSwitchAT&TYahoo
2007-11-05 22:34 2,316 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2007-11-05 17:03 --------- d-----w C:\Program Files\BroadJump
2007-11-04 14:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-02 14:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-02 13:52 --------- d-----w C:\Program Files\The Weather Channel FW
2007-11-02 13:45 --------- d-----w C:\Program Files\Transparent
2007-11-02 13:45 --------- d-----w C:\Program Files\AndreaMosaic
2007-10-31 15:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-31 00:32 --------- d-----w C:\Program Files\Common Files\Real
2007-10-26 02:26 --------- d-----w C:\Program Files\TrueAssistant
2007-10-23 17:30 --------- d-----w C:\Program Files\Microsoft Works
2007-10-14 15:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-08 13:19 --------- d-----w C:\Program Files\iTunes
2007-10-08 13:01 --------- d-----w C:\Program Files\Apple Software Update
2007-10-03 23:35 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-03 23:35 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-03 23:35 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-03 23:35 --------- d-----w C:\Program Files\Symantec
2007-10-02 18:38 --------- d-----w C:\Program Files\Norton 360
2007-09-28 16:07 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-09-22 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-22 15:55 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Ahead
2007-09-22 14:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 18:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 18:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 18:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 18:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 18:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 18:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 18:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-17 19:48 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-15 14:00 --------- d-----w C:\Program Files\Pure Networks
2007-09-15 14:00 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-15 13:58 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\AOL
2007-09-15 13:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-14 01:27 737,280 ----a-w C:\WINDOWS\iun6002.exe
2006-06-06 16:34:37 22 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2007-11-04_10.15.32.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-05 00:09:41 65,536 ----a-w C:\WINDOWS\assembly\GAC\dao\10.0.4504.0__31bf3856ad364e35\DAO.DLL
+ 2007-11-05 00:09:24 1,612,592 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Access\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Access.dll
+ 2007-11-05 00:09:24 920,376 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Outlook\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Outlook.dll
+ 2007-11-05 00:09:24 35,648 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.OutlookViewCtl\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.OutlookViewCtl.dll
+ 2007-11-05 00:09:24 232,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Publisher\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Publisher.dll
+ 2007-11-05 00:08:51 12,104 ----a-w C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Access\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Access.dll
+ 2007-11-05 00:09:31 12,104 ----a-w C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Outlook\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Outlook.dll
+ 2007-11-05 00:09:30 12,632 ----a-w C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.OutlookViewCtl\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.OutlookViewCtl.dll
+ 2007-11-05 00:09:37 12,104 ----a-w C:\WINDOWS\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Publisher\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Publisher.dll
+ 2004-08-10 04:00:00 61,440 -c--a-w C:\WINDOWS\ie7\admparse.dll
+ 2004-08-10 04:00:00 99,840 -c--a-w C:\WINDOWS\ie7\advpack.dll
+ 2004-08-10 04:00:00 35,328 -c--a-w C:\WINDOWS\ie7\corpol.dll
+ 2004-08-10 04:00:00 28,672 -c--a-w C:\WINDOWS\ie7\custsat.dll
+ 2007-08-22 12:55:30 357,888 -c--a-w C:\WINDOWS\ie7\dxtmsft.dll
+ 2007-08-22 12:55:31 205,824 -c--a-w C:\WINDOWS\ie7\dxtrans.dll
+ 2007-08-22 12:55:31 55,808 -c--a-w C:\WINDOWS\ie7\extmgr.dll
+ 2004-08-10 04:00:00 38,912 -c--a-w C:\WINDOWS\ie7\hmmapi.dll
+ 2004-08-10 04:00:00 34,304 -c--a-w C:\WINDOWS\ie7\ie4uinit.exe
+ 2004-08-10 04:00:00 139,264 -c--a-w C:\WINDOWS\ie7\ieakeng.dll
+ 2004-08-10 04:00:00 216,576 -c--a-w C:\WINDOWS\ie7\ieaksie.dll
+ 2004-08-10 04:00:00 221,184 -c--a-w C:\WINDOWS\ie7\ieakui.dll
+ 2004-08-10 04:00:00 323,584 -c--a-w C:\WINDOWS\ie7\iedkcs32.dll
+ 2007-08-21 10:19:39 18,432 -c--a-w C:\WINDOWS\ie7\iedw.exe
+ 2004-08-10 04:00:00 81,920 -c--a-w C:\WINDOWS\ie7\ieencode.dll
+ 2007-08-22 12:55:32 251,904 -c--a-w C:\WINDOWS\ie7\iepeers.dll
+ 2004-08-10 04:00:00 48,640 -c--a-w C:\WINDOWS\ie7\iernonce.dll
+ 2004-08-10 04:00:00 62,976 -c--a-w C:\WINDOWS\ie7\iesetup.dll
+ 2004-08-10 04:00:00 93,184 -c--a-w C:\WINDOWS\ie7\iexplore.exe
+ 2004-08-10 04:00:00 35,840 -c--a-w C:\WINDOWS\ie7\imgutil.dll
+ 2007-08-22 12:55:32 96,256 -c--a-w C:\WINDOWS\ie7\inseng.dll
+ 2006-05-18 05:24:25 450,560 -c--a-w C:\WINDOWS\ie7\jscript.dll
+ 2007-08-22 12:55:32 16,384 -c--a-w C:\WINDOWS\ie7\jsproxy.dll
+ 2004-08-10 04:00:00 22,016 -c--a-w C:\WINDOWS\ie7\licmgr10.dll
+ 2004-08-10 04:00:00 29,184 -c--a-w C:\WINDOWS\ie7\mshta.exe
+ 2007-08-22 12:55:36 3,064,832 -c--a-w C:\WINDOWS\ie7\mshtml.dll
+ 2007-08-22 12:55:37 449,024 -c--a-w C:\WINDOWS\ie7\mshtmled.dll
+ 2004-08-10 04:00:00 56,832 -c--a-w C:\WINDOWS\ie7\mshtmler.dll
+ 2004-08-10 04:00:00 146,432 -c--a-w C:\WINDOWS\ie7\msls31.dll
+ 2007-08-22 12:55:37 146,432 -c--a-w C:\WINDOWS\ie7\msrating.dll
+ 2007-08-22 12:55:38 532,480 -c--a-w C:\WINDOWS\ie7\mstime.dll
+ 2004-08-10 04:00:00 96,256 -c--a-w C:\WINDOWS\ie7\occache.dll
+ 2007-08-22 12:55:38 39,424 -c--a-w C:\WINDOWS\ie7\pngfilt.dll
+ 2006-11-08 02:04:18 31,856 -c--a-w C:\WINDOWS\ie7\spuninst\iecustom.dll
+ 2006-11-08 02:01:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
+ 2006-09-06 21:43:16 213,216 -c--a-w C:\WINDOWS\ie7\spuninst\spuninst.exe
+ 2006-09-06 21:43:18 371,424 -c--a-w C:\WINDOWS\ie7\spuninst\updspapi.dll
+ 2004-08-10 04:00:00 37,888 -c--a-w C:\WINDOWS\ie7\url.dll
+ 2007-08-22 12:55:43 617,984 -c--a-w C:\WINDOWS\ie7\urlmon.dll
+ 2004-08-10 04:00:00 417,792 -c--a-w C:\WINDOWS\ie7\vbscript.dll
+ 2007-06-26 15:13:22 851,968 -c--a-w C:\WINDOWS\ie7\vgx.dll
+ 2004-08-10 04:00:00 276,480 -c--a-w C:\WINDOWS\ie7\webcheck.dll
+ 2007-08-22 12:55:44 665,600 -c--a-w C:\WINDOWS\ie7\wininet.dll
- 2007-10-23 17:25:51 217,864 ----a-r C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2007-11-05 00:00:00 217,864 ----a-r C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2007-11-05 00:10:16 1,165,584 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2007-11-05 00:10:17 20,240 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
+ 2007-11-05 00:10:17 217,864 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2007-11-05 00:10:17 18,704 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
+ 2007-11-05 00:10:17 35,088 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
+ 2007-11-05 00:10:16 845,584 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
+ 2007-11-05 00:10:17 922,384 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
+ 2007-11-05 00:10:17 272,648 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
+ 2007-11-05 00:10:17 888,080 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
+ 2007-11-05 00:10:16 1,172,240 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
- 1998-10-29 20:45:06 306,688 ----a-w C:\WINDOWS\IsUninst.exe
+ 1998-10-29 21:45:06 306,688 ----a-w C:\WINDOWS\IsUninst.exe
- 2004-08-10 04:00:00 61,440 ------w C:\WINDOWS\system32\admparse.dll
+ 2006-11-07 08:26:44 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
- 2004-08-10 04:00:00 99,840 ------w C:\WINDOWS\system32\advpack.dll
+ 2006-11-07 08:26:24 123,904 ----a-w C:\WINDOWS\system32\advpack.dll
- 2006-10-27 16:10:48 516,832 ----a-w C:\WINDOWS\system32\CapiCom.dll
+ 2007-09-12 23:27:24 511,328 ----a-w C:\WINDOWS\system32\CapiCom.dll
- 2004-08-10 04:00:00 35,328 ------w C:\WINDOWS\system32\corpol.dll
+ 2006-10-17 17:03:56 17,408 ----a-w C:\WINDOWS\system32\corpol.dll
- 2004-08-10 04:00:00 61,440 ------w C:\WINDOWS\system32\dllcache\admparse.dll
+ 2006-11-07 08:26:44 71,680 ----a-w C:\WINDOWS\system32\dllcache\admparse.dll
- 2004-08-10 04:00:00 99,840 ------w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2006-11-07 08:26:24 123,904 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2004-08-10 04:00:00 35,328 ------w C:\WINDOWS\system32\dllcache\corpol.dll
+ 2006-10-17 17:03:56 17,408 ----a-w C:\WINDOWS\system32\dllcache\corpol.dll
- 2004-08-10 04:00:00 28,672 ------w C:\WINDOWS\system32\dllcache\custsat.dll
+ 2006-11-08 02:03:36 33,792 ----a-w C:\WINDOWS\system32\dllcache\custsat.dll
- 2007-08-22 12:55:30 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2006-10-17 16:58:06 346,624 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-08-22 12:55:31 205,824 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2006-10-17 16:57:50 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-08-22 12:55:31 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2006-11-08 02:03:36 131,584 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2004-08-10 04:00:00 38,912 ------w C:\WINDOWS\system32\dllcache\hmmapi.dll
+ 2006-10-17 16:44:36 60,416 ----a-w C:\WINDOWS\system32\dllcache\hmmapi.dll
- 2004-08-10 04:00:00 34,304 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2006-11-07 08:26:28 54,784 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2004-08-10 04:00:00 139,264 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2006-11-07 08:26:56 152,064 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2004-08-10 04:00:00 216,576 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2006-11-07 08:27:02 229,376 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2004-08-10 04:00:00 221,184 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2006-11-07 08:25:14 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2004-08-10 04:00:00 323,584 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2006-11-07 08:27:10 382,976 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-08-21 10:19:39 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2006-10-17 17:04:50 69,120 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2004-08-10 04:00:00 81,920 ------w C:\WINDOWS\system32\dllcache\ieencode.dll
+ 2006-10-17 17:06:00 78,336 ----a-w C:\WINDOWS\system32\dllcache\ieencode.dll
- 2007-08-22 12:55:32 251,904 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2006-11-08 02:03:36 191,488 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2004-08-10 04:00:00 48,640 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2006-11-07 08:26:28 43,008 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2004-08-10 04:00:00 62,976 ------w C:\WINDOWS\system32\dllcache\iesetup.dll
+ 2006-11-07 08:26:42 55,296 ----a-w C:\WINDOWS\system32\dllcache\iesetup.dll
- 2004-08-10 04:00:00 93,184 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2006-10-17 17:04:40 622,080 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2004-08-10 04:00:00 35,840 ------w C:\WINDOWS\system32\dllcache\imgutil.dll
+ 2006-10-17 16:57:58 36,352 ----a-w C:\WINDOWS\system32\dllcache\imgutil.dll
- 2007-08-22 12:55:32 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2006-11-07 08:26:24 92,672 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2006-05-18 05:24:25 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2006-10-17 17:00:00 491,520 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2007-08-22 12:55:32 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2006-11-08 02:03:36 27,136 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2004-08-10 04:00:00 22,016 ------w C:\WINDOWS\system32\dllcache\licmgr10.dll
+ 2006-10-17 17:05:10 40,960 ----a-w C:\WINDOWS\system32\dllcache\licmgr10.dll
- 2004-08-10 04:00:00 29,184 ------w C:\WINDOWS\system32\dllcache\mshta.exe
+ 2006-10-17 16:56:10 45,568 ----a-w C:\WINDOWS\system32\dllcache\mshta.exe
- 2007-08-22 12:55:36 3,064,832 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2006-11-08 02:03:36 3,577,856 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-08-22 12:55:37 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2006-11-08 02:03:36 475,648 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2004-08-10 04:00:00 56,832 ------w C:\WINDOWS\system32\dllcache\mshtmler.dll
+ 2006-10-17 16:28:56 48,128 ----a-w C:\WINDOWS\system32\dllcache\mshtmler.dll
- 2004-08-10 04:00:00 146,432 ------w C:\WINDOWS\system32\dllcache\msls31.dll
+ 2006-11-08 02:03:36 156,160 ----a-w C:\WINDOWS\system32\dllcache\msls31.dll
- 2007-08-22 12:55:37 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2006-10-17 17:05:10 192,000 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-08-22 12:55:38 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2006-11-08 02:03:36 670,720 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2004-08-10 04:00:00 96,256 ------w C:\WINDOWS\system32\dllcache\occache.dll
+ 2006-10-17 17:04:46 101,376 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
- 2007-08-22 12:55:38 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2006-10-17 16:58:08 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2004-08-10 04:00:00 37,888 ------w C:\WINDOWS\system32\dllcache\url.dll
+ 2006-10-17 17:05:22 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
- 2007-08-22 12:55:43 617,984 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2006-11-08 02:03:36 1,162,240 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2004-08-10 04:00:00 417,792 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
+ 2006-11-08 02:03:36 413,696 ----a-w C:\WINDOWS\system32\dllcache\vbscript.dll
- 2007-06-26 15:13:22 851,968 -c----w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2006-11-08 02:03:36 765,952 ----a-w C:\WINDOWS\system32\dllcache\VGX.dll
- 2004-08-10 04:00:00 276,480 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2006-11-08 02:03:36 231,424 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-08-22 12:55:44 665,600 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2006-11-08 02:03:36 818,688 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2007-08-22 12:55:30 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2006-10-17 16:58:06 346,624 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-08-22 12:55:31 205,824 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2006-10-17 16:57:50 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-08-22 12:55:31 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2006-11-08 02:03:36 131,584 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2007-11-02 14:06:37 287,704 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-11-05 01:57:31 379,240 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2006-10-17 16:58:20 61,952 ------w C:\WINDOWS\system32\icardie.dll
+ 2006-06-29 13:05:44 26,112 ------w C:\WINDOWS\system32\idndl.dll
- 2004-08-10 04:00:00 34,304 ------w C:\WINDOWS\system32\ie4uinit.exe
+ 2006-11-07 08:26:28 54,784 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2004-08-10 04:00:00 139,264 ------w C:\WINDOWS\system32\ieakeng.dll
+ 2006-11-07 08:26:56 152,064 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2004-08-10 04:00:00 216,576 ------w C:\WINDOWS\system32\ieaksie.dll
+ 2006-11-07 08:27:02 229,376 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2004-08-10 04:00:00 221,184 ------w C:\WINDOWS\system32\ieakui.dll
+ 2006-11-07 08:25:14 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2006-09-06 04:01:26 2,451,824 ------w C:\WINDOWS\system32\ieapfltr.dat
+ 2006-10-17 16:27:56 380,928 ------w C:\WINDOWS\system32\ieapfltr.dll
- 2004-08-10 04:00:00 323,584 ------w C:\WINDOWS\system32\iedkcs32.dll
+ 2006-11-07 08:27:10 382,976 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2004-08-10 04:00:00 81,920 ------w C:\WINDOWS\system32\ieencode.dll
+ 2006-10-17 17:06:00 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
+ 2006-11-08 02:03:36 6,049,280 ------w C:\WINDOWS\system32\ieframe.dll
- 2007-08-22 12:55:32 251,904 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2006-11-08 02:03:36 191,488 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2004-08-10 04:00:00 48,640 ------w C:\WINDOWS\system32\iernonce.dll
+ 2006-11-07 08:26:28 43,008 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2006-10-17 16:57:20 266,752 ------w C:\WINDOWS\system32\iertutil.dll
- 2004-08-10 04:00:00 62,976 ------w C:\WINDOWS\system32\iesetup.dll
+ 2006-11-07 08:26:42 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
+ 2006-11-07 08:26:32 13,312 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2006-11-08 02:03:36 180,736 ------w C:\WINDOWS\system32\ieui.dll
- 2004-08-10 04:00:00 35,840 ------w C:\WINDOWS\system32\imgutil.dll
+ 2006-10-17 16:57:58 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
- 2007-08-22 12:55:32 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2006-11-07 08:26:24 92,672 ----a-w C:\WINDOWS\system32\inseng.dll
- 2005-08-27 06:55:46 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-08-27 06:55:58 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-08-27 09:14:46 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2006-05-18 05:24:25 450,560 ------w C:\WINDOWS\system32\jscript.dll
+ 2006-10-17 17:00:00 491,520 ----a-w C:\WINDOWS\system32\jscript.dll
- 2007-08-22 12:55:32 16,384 ------w C:\WINDOWS\system32\jsproxy.dll
+ 2006-11-08 02:03:36 27,136 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2004-08-10 04:00:00 22,016 ------w C:\WINDOWS\system32\licmgr10.dll
+ 2006-10-17 17:05:10 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
- 2003-03-19 12:20:00 1,060,864 ----a-w C:\WINDOWS\system32\mfc71.dll
+ 2007-03-22 01:39:00 1,060,864 ----a-w C:\WINDOWS\system32\MFC71.DLL
+ 2006-11-08 02:03:36 458,752 ------w C:\WINDOWS\system32\msfeeds.dll
+ 2006-11-08 02:03:36 50,688 ------w C:\WINDOWS\system32\msfeedsbs.dll
+ 2006-10-17 16:58:32 12,288 ------w C:\WINDOWS\system32\msfeedssync.exe
- 2004-08-10 04:00:00 29,184 ------w C:\WINDOWS\system32\mshta.exe
+ 2006-10-17 16:56:10 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
- 2007-08-22 12:55:36 3,064,832 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2006-11-08 02:03:36 3,577,856 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-08-22 12:55:37 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2006-11-08 02:03:36 475,648 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2004-08-10 04:00:00 56,832 ------w C:\WINDOWS\system32\mshtmler.dll
+ 2006-10-17 16:28:56 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
- 2004-08-10 04:00:00 146,432 ------w C:\WINDOWS\system32\msls31.dll
+ 2006-11-08 02:03:36 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
- 2007-08-22 12:55:37 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2006-10-17 17:05:10 192,000 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-08-22 12:55:38 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2006-11-08 02:03:36 670,720 ----a-w C:\WINDOWS\system32\mstime.dll
- 2003-08-13 01:17:04 499,712 ------w C:\WINDOWS\system32\msvcp71.dll
+ 2007-03-22 01:33:00 503,808 ----a-w C:\WINDOWS\system32\MSVCP71.DLL
- 2002-01-05 10:37:00 344,064 ----a-w C:\WINDOWS\system32\msvcr70.dll
+ 2002-01-05 12:37:00 344,064 ----a-w C:\WINDOWS\system32\msvcr70.dll
- 2003-08-13 01:17:04 348,160 ------w C:\WINDOWS\system32\msvcr71.dll
+ 2007-03-22 01:33:00 348,160 ----a-w C:\WINDOWS\system32\MSVCR71.DLL
+ 2006-06-28 22:59:26 24,576 ------w C:\WINDOWS\system32\nlsdl.dll
+ 2006-06-29 13:05:44 23,552 ------w C:\WINDOWS\system32\normaliz.dll
- 2004-08-10 04:00:00 96,256 ------w C:\WINDOWS\system32\occache.dll
+ 2006-10-17 17:04:46 101,376 ----a-w C:\WINDOWS\system32\occache.dll
- 2007-08-22 12:55:38 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2006-10-17 16:58:08 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2004-08-10 04:00:00 37,888 ------w C:\WINDOWS\system32\url.dll
+ 2006-10-17 17:05:22 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-08-22 12:55:43 617,984 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2006-11-08 02:03:36 1,162,240 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2004-08-10 04:00:00 417,792 ------w C:\WINDOWS\system32\vbscript.dll
+ 2006-11-08 02:03:36 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
- 2004-08-10 04:00:00 276,480 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2006-11-08 02:03:36 231,424 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2006-10-17 17:05:58 206,336 ------w C:\WINDOWS\system32\WinFXDocObj.exe
- 2007-08-22 12:55:44 665,600 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2006-11-08 02:03:36 818,688 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2006-07-14 15:51:51 121,856 ------w C:\WINDOWS\system32\xmllite.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 08:16]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 08:34]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 15:19]
"LXCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 04:21]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 23:00]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" []
"IE New Window Maximizer"="C:\Program Files\IE New Window Maximizer\iemaximizer.exe" [2005-02-08 23:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2007-10-31 10:20:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=C:\WINDOWS\pss\TrueAssistant.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
ARPWRMSG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EarthLink Installer]
" /C

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
"C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCCCATS]
rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxccmon.exe]
"C:\Program Files\Lexmark 3300 Series\lxccmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
rundll32 C:\PROGRA~1\MYWEBS~1\bar\5.bin\MWSBAR.DLL,S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
"C:\Program Files\MySpace\IM\MySpaceIM.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\5.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"nwiz.exe" /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ps2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-06 19:13:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-29 13:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-06 19:35:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-06 19:36:57 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-04 10:16
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:12 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] "C:\Program Files\Brother\ControlCenter2\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://img.member.yahoo.com/dl/atty/yinst_current.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9795 bytes

#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:05 PM

Posted 06 November 2007 - 09:58 PM

Hi mikew1450,

I see you recently downloaded Bearshare.


Any peer-to-peer file swapping program, such as Audiogalaxy, Bearshare, Blubster, E-Mule, Gnucleus, Grokster, Imesh, KaZaa, KaZaa Lite, Limewire, Morpheus, Shareaza, WinMX and Xolox can degrade system performance and consume vast amounts of storage and may create security issues as outsiders are granted access to internal files.

They are often bundled with adware or spyware and recently been used for identity theft.

I recommend you uninstall Bearshare.




Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 mikew1450

mikew1450
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:05 PM

Posted 07 November 2007 - 08:40 AM

hey mike, i already deleted bearshare , and did as you said, here is new logs.

ComboFix 07-11-07.3 - HP_Administrator 2007-11-07 8:33:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.576 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-06 19:01 <DIR> d-------- C:\Program Files\CCleaner
2007-11-06 18:54 <DIR> d-------- C:\Program Files\Sun
2007-11-06 18:47 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-06 16:41 <DIR> d-------- C:\Program Files\IE New Window Maximizer
2007-11-06 16:40 422,597 --a------ C:\iemaximizer24.exe
2007-11-06 16:16 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-11-06 15:21 75,384 --a------ C:\WINDOWS\TrueInstall.exe
2007-11-05 11:36 2,580 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-05 11:35 <DIR> d-------- C:\SmitfraudFix
2007-11-05 11:35 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-05 11:35 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-05 11:35 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-05 11:35 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-05 11:35 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-05 11:26 1,041,449 --a------ C:\SmitfraudFix.exe
2007-11-05 10:25 <DIR> d-------- C:\WINDOWS\Profiles
2007-11-04 10:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 20:09 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 19:16 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-11-03 19:16 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-11-03 19:16 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-11-03 19:16 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-11-03 19:16 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-11-03 19:16 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-11-03 19:15 <DIR> d-------- C:\Program Files\Sygate
2007-11-03 19:15 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-11-03 09:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-03 09:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-03 09:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-03 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-02 08:50 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-10-31 15:11 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2007-10-31 14:39 <DIR> d-------- C:\SDVDTemp
2007-10-31 14:33 39,264 --a------ C:\WINDOWS\system32\drivers\Pcouffin.sys
2007-10-31 14:28 <DIR> dr------- C:\Documents and Settings\HP_Administrator\Application Data\Brother
2007-10-31 10:19 <DIR> d-------- C:\Program Files\Brother
2007-10-31 10:19 <DIR> d-------- C:\Brother
2007-10-31 10:19 176,128 --------- C:\WINDOWS\system32\Pdrvinst.dll
2007-10-31 10:19 147,456 --a------ C:\WINDOWS\brunin03.dll
2007-10-31 10:19 126,976 --------- C:\WINDOWS\system32\BrfxD04a.dll
2007-10-31 10:19 81,920 --------- C:\WINDOWS\system32\BrWebIns.dll
2007-10-31 10:19 65,536 --------- C:\WINDOWS\system32\Brwebup.exe
2007-10-31 10:19 65,536 --------- C:\WINDOWS\system32\Brmfrmps.exe
2007-10-31 10:19 0 --a------ C:\WINDOWS\brdfxspd.dat
2007-10-31 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2007-10-31 09:07 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\TrueSwitch
2007-10-23 12:31 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-10-23 12:29 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-10-23 12:26 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-23 12:24 <DIR> dr-h----- C:\MSOCache
2007-10-23 12:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-23 07:12 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\DivX
2007-10-23 07:05 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-10-23 07:03 <DIR> d-------- C:\Program Files\DivX
2007-10-16 20:07 <DIR> d-------- C:\Program Files\BearShare
2007-10-08 08:19 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 13:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-07 02:40 --------- d-----w C:\Program Files\Lx_cats
2007-11-06 23:54 --------- d-----w C:\Program Files\Java
2007-11-06 21:24 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Yahoo!
2007-11-06 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-06 20:21 --------- d-----w C:\Program Files\TrueSwitchAT&TYahoo
2007-11-05 22:34 2,316 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2007-11-05 17:03 --------- d-----w C:\Program Files\BroadJump
2007-11-04 14:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-02 14:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-02 13:52 --------- d-----w C:\Program Files\The Weather Channel FW
2007-11-02 13:45 --------- d-----w C:\Program Files\Transparent
2007-11-02 13:45 --------- d-----w C:\Program Files\AndreaMosaic
2007-10-31 15:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-31 00:32 --------- d-----w C:\Program Files\Common Files\Real
2007-10-26 02:26 --------- d-----w C:\Program Files\TrueAssistant
2007-10-23 17:30 --------- d-----w C:\Program Files\Microsoft Works
2007-10-14 15:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-08 13:19 --------- d-----w C:\Program Files\iTunes
2007-10-08 13:01 --------- d-----w C:\Program Files\Apple Software Update
2007-10-03 23:35 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-03 23:35 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-03 23:35 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-03 23:35 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-03 23:35 --------- d-----w C:\Program Files\Symantec
2007-10-02 18:38 --------- d-----w C:\Program Files\Norton 360
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-09-28 16:07 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-22 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-22 15:55 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Ahead
2007-09-22 14:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 18:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 18:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 18:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 18:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 18:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 18:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 18:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-17 19:48 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-15 14:00 --------- d-----w C:\Program Files\Pure Networks
2007-09-15 14:00 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-15 13:58 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\AOL
2007-09-15 13:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-14 01:27 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-08-22 12:55 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 1,498,112 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2005-09-24 15:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-06-06 16:34:37 22 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 08:16]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 08:34]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 15:19]
"LXCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 04:21]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 23:00]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" []
"IE New Window Maximizer"="C:\Program Files\IE New Window Maximizer\iemaximizer.exe" [2005-02-08 23:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2007-10-31 10:20:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=C:\WINDOWS\pss\TrueAssistant.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
ARPWRMSG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EarthLink Installer]
" /C

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
"C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCCCATS]
rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxccmon.exe]
"C:\Program Files\Lexmark 3300 Series\lxccmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
rundll32 C:\PROGRA~1\MYWEBS~1\bar\5.bin\MWSBAR.DLL,S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
"C:\Program Files\MySpace\IM\MySpaceIM.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\5.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"nwiz.exe" /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ps2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-06 19:13:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-29 13:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 08:36:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-07 8:36:50
C:\ComboFix2.txt ... 2007-11-06 19:36
C:\ComboFix3.txt ... 2007-11-04 10:16
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:50 AM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] "C:\Program Files\Brother\ControlCenter2\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://img.member.yahoo.com/dl/atty/yinst_current.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9845 bytes

#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:05 PM

Posted 07 November 2007 - 02:45 PM

Hi mikew1450,

We still have some items to get rid of.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\SmitfraudFix.exe

Folder:: 
C:\SmitfraudFix
C:\rapport.txt
C:\Program Files\BearShare

Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by SifuMike, 07 November 2007 - 02:47 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 mikew1450

mikew1450
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:05 PM

Posted 07 November 2007 - 05:28 PM

hey mike here is new logs i created.... also i deleted spybot search and destroy, it was driving me insane with pop ups.



ComboFix 07-11-07.3 - HP_Administrator 2007-11-07 17:19:04.4 - NTFSx86
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\cfscript.txt
* Created a new restore point

FILE
C:\SmitfraudFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\BearShare
C:\Program Files\BearShare\BearShare.dat
C:\Program Files\BearShare\db\config.bin
C:\Program Files\BearShare\db\gwebcache.dat
C:\Program Files\BearShare\db\Hostiles.txt
C:\Program Files\BearShare\db\library.2.db
C:\Program Files\BearShare\db\library.2.db.lastgoodload.bak
C:\Program Files\BearShare\db\library.db
C:\Program Files\BearShare\db\library.db.lastgoodload.bak
C:\Program Files\BearShare\FreePeers.ini
C:\Program Files\BearShare\proinstall2.ini
C:\rapport.txt\
C:\SmitfraudFix
C:\SmitfraudFix.exe
C:\SmitfraudFix\dumphive.exe
C:\SmitfraudFix\exit.exe
C:\SmitfraudFix\GenericRenosFix.exe
C:\SmitfraudFix\HostsChk.exe
C:\SmitfraudFix\Process.exe
C:\SmitfraudFix\Reboot.exe
C:\SmitfraudFix\restart.exe
C:\SmitfraudFix\SmitfraudFix.cmd
C:\SmitfraudFix\SmiUpdate.exe
C:\SmitfraudFix\SrchSTS.exe
C:\SmitfraudFix\swreg.exe
C:\SmitfraudFix\swsc.exe
C:\SmitfraudFix\swxcacls.exe
C:\SmitfraudFix\unzip.exe
C:\SmitfraudFix\VCCLSID.exe
C:\SmitfraudFix\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-06 19:01 <DIR> d-------- C:\Program Files\CCleaner
2007-11-06 18:54 <DIR> d-------- C:\Program Files\Sun
2007-11-06 18:47 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-06 16:41 <DIR> d-------- C:\Program Files\IE New Window Maximizer
2007-11-06 16:40 422,597 --a------ C:\iemaximizer24.exe
2007-11-06 16:16 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-11-06 15:21 75,384 --a------ C:\WINDOWS\TrueInstall.exe
2007-11-05 11:36 2,580 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-05 11:35 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-05 11:35 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-05 11:35 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-05 11:35 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-05 11:35 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-05 10:25 <DIR> d-------- C:\WINDOWS\Profiles
2007-11-04 10:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 20:09 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 19:16 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-11-03 19:16 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-11-03 19:16 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-11-03 19:16 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-11-03 19:16 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-11-03 19:16 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-11-03 19:15 <DIR> d-------- C:\Program Files\Sygate
2007-11-03 19:15 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-11-03 09:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-03 09:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-03 09:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-03 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-02 08:50 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-10-31 15:11 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2007-10-31 14:39 <DIR> d-------- C:\SDVDTemp
2007-10-31 14:33 39,264 --a------ C:\WINDOWS\system32\drivers\Pcouffin.sys
2007-10-31 14:28 <DIR> dr------- C:\Documents and Settings\HP_Administrator\Application Data\Brother
2007-10-31 10:19 <DIR> d-------- C:\Program Files\Brother
2007-10-31 10:19 <DIR> d-------- C:\Brother
2007-10-31 10:19 176,128 --------- C:\WINDOWS\system32\Pdrvinst.dll
2007-10-31 10:19 147,456 --a------ C:\WINDOWS\brunin03.dll
2007-10-31 10:19 126,976 --------- C:\WINDOWS\system32\BrfxD04a.dll
2007-10-31 10:19 81,920 --------- C:\WINDOWS\system32\BrWebIns.dll
2007-10-31 10:19 65,536 --------- C:\WINDOWS\system32\Brwebup.exe
2007-10-31 10:19 65,536 --------- C:\WINDOWS\system32\Brmfrmps.exe
2007-10-31 10:19 0 --a------ C:\WINDOWS\brdfxspd.dat
2007-10-31 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2007-10-31 09:07 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\TrueSwitch
2007-10-23 12:31 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-10-23 12:29 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-10-23 12:26 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-23 12:24 <DIR> dr-h----- C:\MSOCache
2007-10-23 12:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-23 07:12 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\DivX
2007-10-23 07:05 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-10-23 07:03 <DIR> d-------- C:\Program Files\DivX
2007-10-08 08:19 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 16:16 --------- d-----w C:\Program Files\Lx_cats
2007-11-07 13:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-06 23:54 --------- d-----w C:\Program Files\Java
2007-11-06 21:24 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Yahoo!
2007-11-06 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-06 20:21 --------- d-----w C:\Program Files\TrueSwitchAT&TYahoo
2007-11-05 22:34 2,316 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2007-11-05 17:03 --------- d-----w C:\Program Files\BroadJump
2007-11-04 14:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-02 14:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-02 13:52 --------- d-----w C:\Program Files\The Weather Channel FW
2007-11-02 13:45 --------- d-----w C:\Program Files\Transparent
2007-11-02 13:45 --------- d-----w C:\Program Files\AndreaMosaic
2007-10-31 15:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-31 00:32 --------- d-----w C:\Program Files\Common Files\Real
2007-10-26 02:26 --------- d-----w C:\Program Files\TrueAssistant
2007-10-23 17:30 --------- d-----w C:\Program Files\Microsoft Works
2007-10-14 15:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-08 13:19 --------- d-----w C:\Program Files\iTunes
2007-10-08 13:01 --------- d-----w C:\Program Files\Apple Software Update
2007-10-03 23:35 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-03 23:35 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-03 23:35 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-03 23:35 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-03 23:35 --------- d-----w C:\Program Files\Symantec
2007-10-02 18:38 --------- d-----w C:\Program Files\Norton 360
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-09-28 16:07 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-22 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-22 15:55 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Ahead
2007-09-22 14:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 18:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 18:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 18:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 18:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 18:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 18:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 18:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 18:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-17 19:48 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-15 14:00 --------- d-----w C:\Program Files\Pure Networks
2007-09-15 14:00 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-15 13:58 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\AOL
2007-09-15 13:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-14 01:27 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-08-22 12:55 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 1,498,112 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2005-09-24 15:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-06-06 16:34:37 22 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 08:16]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 08:34]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 15:19]
"LXCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 04:21]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 23:00]
"MsgCenterExe"="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" []
"IE New Window Maximizer"="C:\Program Files\IE New Window Maximizer\iemaximizer.exe" [2005-02-08 23:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2007-10-31 10:20:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=C:\WINDOWS\pss\TrueAssistant.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
ARPWRMSG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EarthLink Installer]
" /C

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
"C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCCCATS]
rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxccmon.exe]
"C:\Program Files\Lexmark 3300 Series\lxccmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
"C:\Program Files\MySpace\IM\MySpaceIM.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"nwiz.exe" /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ps2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-06 19:13:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-29 13:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 17:22:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-07 17:22:40
C:\ComboFix2.txt ... 2007-11-07 08:36
C:\ComboFix3.txt ... 2007-11-06 19:36
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:12 PM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter2.0] "C:\Program Files\Brother\ControlCenter2\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://img.member.yahoo.com/dl/atty/yinst_current.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9842 bytes

#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:05 PM

Posted 07 November 2007 - 05:55 PM

Hi mikew1450,

i deleted spybot search and destroy, it was driving me insane with pop ups.

Do you mean the Spybot Teatimer popups? Those notify you of registry changes and ask you to if they are OK or not. Teatimer is a very good defense against malware, so I recommend you keep it active.

Your log looks clean! :thumbsup: Good job on the cleanup!

Uninstall ComboFix, go to to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.


Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware' by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.

Edited by SifuMike, 07 November 2007 - 05:56 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:05 PM

Posted 10 November 2007 - 05:16 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users