Smitfraud, Ie Pop Ups, And Virtumonde - Please Help!


  • This topic is locked
9 replies to this topic

#1 cynicall55

  • Members
  • 5 posts

Posted 04 November 2007 - 01:01 PM

My computer is lagging and IE (which I don't use) has been popping up everywhere. I ran everything suggested, including installing a firewall. Spybot search and destroy keeps coming up with virtumonde and deleting it, and smitfraud. It says smitfraud will be removed upon restart, but it just won't go away!

Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:23 AM, on 11/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\SYSTEM32\Rpcnet.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\WINDOWS\winshow.exe
C:\WINDOWS\mrofinu77.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Insider\Insider.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CA\CA Internet Security Suite\ccupdate\CCUpdate.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com; ad=http://spyguardpro.com
O4 - HKLM\..\Run: [rtasks] C:\Program Files\SpyGuardPro\rtasks.exe
O4 - HKLM\..\Run: [40e7d653] rundll32.exe "C:\WINDOWS\system32\kjqoxqnd.dll",b
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135132005406
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Testoc Control) - https://www.lojackforlaptops.com/ctmweb/testoc.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://cdn.digitalcity.com/video/kdx.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\SYSTEM32\Rpcnet.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 7347 bytes

Please let me know what to do and thank you for your time.

~Sarah
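The HijackThis log above is about 7 KB, and nearly all of it is legitimate. What an analyst actually does with it is pick out the handful of entries that are out of place: executables sitting directly in C:\WINDOWS rather than a subdirectory (winshow.exe, mrofinu77.exe), a Run value with a hex-blob name that launches rundll32 against a randomly named DLL (kjqoxqnd.dll), a command line carrying an adware URL (the SpyGuardPro entry), and orphaned entries whose target file no longer exists. The script below is an added example for this thread; it is not code from HijackThis, ComboFix or either poster. It parses a few O3/O4/O23 lines copied from the log above and applies those heuristics. The thresholds, the allowlist of well-known system binaries and the reason strings are my assumptions, chosen for illustration; the result is a candidate list for a human to check, not a verdict.

```python
"""Triage helper for HijackThis-style startup logs.

Added example for this thread; it is not part of HijackThis, ComboFix or the
original posts. The heuristics, thresholds and allowlist are assumptions made
for illustration; the sample lines are copied from the log posted above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A subset of the entries from the HijackThis log in the first post.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com; ad=http://spyguardpro.com
O4 - HKLM\..\Run: [40e7d653] rundll32.exe "C:\WINDOWS\system32\kjqoxqnd.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
""".strip()

# O4 registry Run entries look like "O4 - HKLM\..\Run: [value name] command line".
RUN_KEY_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path ending in a loadable extension (works for quoted and unquoted paths).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|bat|com|scr|cpl)\b', re.IGNORECASE)
# A file directly under the Windows directory rather than in one of its subdirectories.
WINDIR_ROOT_RE = re.compile(r"[a-z]:\\windows\\[^\\]+")
# Assumed allowlist: system binaries that legitimately live in %WINDIR% or have terse names.
KNOWN_SYSTEM = {"explorer.exe", "ctfmon.exe", "rundll32.exe", "notepad.exe", "regedit.exe"}
VOWELS = set("aeiouy")


def looks_random(stem: str) -> bool:
    """Crude detector for machine-generated names such as 'kjqoxqnd':
    a run of four or more consonants and at most 20% vowels.
    Assumed thresholds; they yield candidates, not verdicts."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 5:
        return False
    vowel_ratio = sum(c in VOWELS for c in s) / len(s)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiouy]+", s))
    return longest_consonant_run >= 4 and vowel_ratio <= 0.2


@dataclass
class Finding:
    line: str
    path: Optional[str]
    reasons: List[str] = field(default_factory=list)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding listing every heuristic the line trips, or None if it trips none."""
    reasons: List[str] = []
    m = PATH_RE.search(line)
    path = m.group(0) if m else None
    base = path.rsplit("\\", 1)[-1].lower() if path else ""
    stem = base.rsplit(".", 1)[0]

    if "(no file)" in line or "(file missing)" in line:
        reasons.append("orphaned entry: target file is absent")
    if line.startswith("O23 ") and "Unknown owner" in line:
        reasons.append("service binary carries no company name (weak signal)")

    run = RUN_KEY_RE.match(line)
    if run:
        name, cmd = run.group("name"), run.group("cmd").lower()
        if re.fullmatch(r"[0-9a-f]{8}", name.lower()):
            reasons.append(f"value name {name!r} is a hex blob")
        if cmd.lstrip('"').startswith("rundll32"):
            reasons.append("started through rundll32 (DLL-only payload)")
        if "http://" in cmd or "https://" in cmd:
            reasons.append("URL passed on the command line")

    if path and base not in KNOWN_SYSTEM:
        if WINDIR_ROOT_RE.fullmatch(path.lower()):
            reasons.append("executable sits directly in the Windows directory")
        if looks_random(stem):
            reasons.append(f"machine-looking file name {base!r}")

    return Finding(line, path, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line and keep only the lines that were flagged."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line[:90])
        for reason in finding.reasons:
            print("    -", reason)
```

Run as-is it prints the six flagged sample lines with their reasons and stays silent on cctray and ctfmon; a full log can be fed through `triage(open(path).read())`. The name heuristic on its own would also trip on ctfmon.exe, which is why it is paired with the allowlist and with the stronger location and loader signals. Anything reported is a starting point for checking the file's version info, signature and creation time, the same data ComboFix lays out in its "Files Created" section.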


#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 04 November 2007 - 02:32 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, cynicall55.
My name is Richie and I'll be helping you to fix your problems.

If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*NOTE*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on HijackThis.exe and select 'Rename', then rename it to abc.bat.
Double click on abc.bat (which is still HijackThis.exe), and post that log into your next reply please.

#3 cynicall55
  • Topic Starter

  • Members
  • 5 posts

Posted 05 November 2007 - 11:24 AM

Hello Richie,

Thank you for responding so quickly!

ComboFix 07-11-05.1 - Whit 2007-11-05 9:14:42.1 - NTFSx86
Running from: C:\Documents and Settings\Whit.DB597091\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Whit.DB597091\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Whit.DB597091\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Whit.DB597091\Favorites\Online Security Guide.lnk
C:\Program Files\Common Files\Yazzle1549OinAdmin.exe
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\Insider
C:\Program Files\Insider\Insider.exe
C:\Program Files\Insider\UnInstall.exe
C:\Program Files\Seekmo Programs
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\b147.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\a13
C:\WINDOWS\system32\e2
C:\WINDOWS\system32\i8
C:\WINDOWS\system32\i8\taldrvr11.exe
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\klkkj.bak1
C:\WINDOWS\system32\klkkj.bak2
C:\WINDOWS\system32\klkkj.ini
C:\WINDOWS\system32\klkkj.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\x22
C:\WINDOWS\system32\x22\wr31drs.exe
C:\WINDOWS\winshow.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE


((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
.

2007-11-05 08:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 23:04 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Talkback
2007-11-04 11:27 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-11-04 11:27 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-11-04 11:27 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-11-04 11:27 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-11-04 11:27 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-11-04 11:27 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-11-04 11:27 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-11-04 11:26 <DIR> d-------- C:\Program Files\Sygate
2007-11-04 10:35 78,912 --a------ C:\WINDOWS\system32\qsokjlsx.dll
2007-11-04 10:32 86,080 --a------ C:\WINDOWS\system32\kjqoxqnd.dll
2007-11-04 00:11 <DIR> d-------- C:\Program Files\SpyGuardPro
2007-11-04 00:09 36,352 --a------ C:\WINDOWS\system32\vtutrro.dll
2007-11-03 10:29 81,472 --a------ C:\WINDOWS\system32\rwrjniss.dll
2007-11-02 09:26 82,496 --a------ C:\WINDOWS\system32\pefnuccn.dll
2007-11-01 21:25 35,840 --a------ C:\WINDOWS\mrofinu572.exe
2007-11-01 21:24 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-11-01 21:15 <DIR> d-------- C:\Documents and Settings\Whit.DB597091\Application Data\SpyGuardPro
2007-11-01 21:08 <DIR> d-------- C:\Program Files\Common Files\SpyGuardPro
2007-11-01 21:05 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
2007-11-01 21:04 <DIR> d-------- C:\WINDOWS\system32\Mz08r
2007-11-01 21:04 <DIR> d-------- C:\Temp\mZOr
2007-11-01 21:04 <DIR> d-------- C:\Temp
2007-10-28 22:47 <DIR> d-------- C:\Program Files\Veoh Networks
2007-10-20 14:41 <DIR> d-------- C:\Program Files\PCPitstop
2007-10-20 13:08 <DIR> d-------- C:\Program Files\CA
2007-10-20 13:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2007-10-20 13:08 879,784 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-10-20 13:08 108,312 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2007-10-20 13:08 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-10-20 13:08 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2007-10-20 13:08 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-10-20 13:08 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2007-10-19 23:54 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-19 23:25 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-17 01:55 <DIR> d-------- C:\Program Files\Paint.NET
2007-10-16 16:41 <DIR> d-------- C:\Documents and Settings\Whit.DB597091\Application Data\Apple Computer
2007-10-16 13:32 <DIR> d-------- C:\Documents and Settings\Whit.DB597091\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-05 16:10 47,104 ----a-w C:\WINDOWS\system32\Rpcnet.dll
2007-11-05 16:10 17,408 ----a-w C:\WINDOWS\system32\rpcnetp.exe
2007-11-04 06:10 35,840 ----a-w C:\WINDOWS\mrofinu77.exe
2007-11-03 21:28 47,104 ----a-w C:\WINDOWS\system32\rpcnet.exe
2007-11-03 21:25 17,408 ----a-w C:\WINDOWS\system32\rpcnetp.dll
2007-11-03 17:35 --------- d-----w C:\Program Files\MSN Messenger
2007-11-03 17:15 4,444 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-02 18:31 --------- d-----w C:\Documents and Settings\Whit.DB597091\Application Data\HouseCall 6.6
2007-10-29 04:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-24 21:38 75,016 ----a-w C:\WINDOWS\system32\isafprod.dll
2007-10-20 23:30 --------- d-----w C:\Program Files\Symantec
2007-10-20 23:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-20 23:22 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-20 23:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-20 23:12 --------- d-----w C:\Program Files\Common Files\Intuit
2007-10-17 07:46 --------- d-----w C:\Program Files\Photolightning
2007-10-17 07:43 --------- d-----w C:\Program Files\FotoFinish
2007-10-17 07:40 --------- d-----w C:\Program Files\Common Files\Corel
2007-10-17 07:32 --------- d-----w C:\Documents and Settings\Whit.DB597091\Application Data\Corel
2007-10-06 05:04 --------- d-----w C:\Program Files\DivX
2007-10-03 04:01 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-03 03:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-03 02:57 --------- d-----w C:\Program Files\Fenrir & Co
2007-10-03 02:09 --------- d-----w C:\Program Files\Ghostzilla
2007-10-03 02:09 --------- d-----w C:\Documents and Settings\Whit.DB597091\Application Data\Ghostzilla
2007-10-03 00:54 --------- d-----w C:\Documents and Settings\Whit.DB597091\Application Data\Grisoft
2007-10-03 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-02 21:53 --------- d-----w C:\Program Files\Lavasoft
2007-10-02 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-02 21:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-29 21:50 --------- d-----w C:\Documents and Settings\Whit.DB597091\Application Data\FotoFinish
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-26 05:17 --------- d-----w C:\Documents and Settings\Whit.DB597091\Application Data\SmartDraw
2007-09-25 22:42 --------- d-----w C:\Program Files\NetRatingsNetSight
2007-09-13 02:33 --------- d-----w C:\Documents and Settings\Whit.DB597091\Application Data\BitTorrent
2007-08-22 12:55 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 20:34 3,584,512 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-08-13 23:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-13 23:54 413,696 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
2007-08-13 23:54 33,792 ----a-w C:\WINDOWS\system32\dllcache\custsat.dll
2007-08-13 23:54 191,488 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-13 23:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-13 23:54 156,160 ------w C:\WINDOWS\system32\dllcache\msls31.dll
2007-08-13 23:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-13 23:45 78,336 ------w C:\WINDOWS\system32\dllcache\ieencode.dll
2007-08-13 23:44 69,120 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-13 23:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-13 23:44 40,960 ------w C:\WINDOWS\system32\dllcache\licmgr10.dll
2007-08-13 23:42 17,408 ------w C:\WINDOWS\system32\dllcache\corpol.dll
2007-08-13 23:39 92,672 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-13 23:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-13 23:39 71,680 ------w C:\WINDOWS\system32\dllcache\admparse.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46ba30ff-b5cb-4407-ad5f-6853274d9e9e}]
2007-11-04 10:35 78912 --a------ C:\WINDOWS\system32\qsokjlsx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NielsenOnline"="C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2007-06-08 09:55]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-10-24 23:39]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2007-10-24 15:38]
"40e7d653"="C:\WINDOWS\system32\kjqoxqnd.dll" [2007-11-04 10:32]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-10-17 16:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwvur]
tuvwvur.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkklk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Autodetect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Autodetect.lnk
backup=C:\WINDOWS\pss\Autodetect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Whit.DB597091^Start Menu^Programs^Startup^ScreenThemes.lnk]
path=C:\Documents and Settings\Whit.DB597091\Start Menu\Programs\Startup\ScreenThemes.lnk
backup=C:\WINDOWS\pss\ScreenThemes.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
"C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
"C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
C:\WINDOWS\kdx\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProfileWatcher]
C:\Program Files\ProfileWatcher\profilewatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\seekmo]
"c:\program files\seekmo\seekmo.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusProtectPro 3.7]
"C:\Program Files\VirusProtectPro 3.7\VirusProtectPro 3.7.exe" /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
"C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=2 (0x2)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"SAVScan"=3 (0x3)
"usnjsvc"=3 (0x3)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)

R1 nnrnstdi;nnrnstdi;C:\WINDOWS\system32\drivers\nnrnstdi.sys
R3 km_filter;km_filter;C:\WINDOWS\system32\drivers\km_filter.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-05 16:11:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 10:12:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\autochk(2).exe:BAK 22528 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-11-05 10:14:47 - machine was rebooted
.
--- E O F ---


AND

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:27 AM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\SYSTEM32\Rpcnet.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: {e9e9d472-3586-f5da-7044-bc5bff03ab64} - {46ba30ff-b5cb-4407-ad5f-6853274d9e9e} - C:\WINDOWS\system32\qsokjlsx.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [40e7d653] rundll32.exe "C:\WINDOWS\system32\kjqoxqnd.dll",b
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135132005406
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Testoc Control) - https://www.lojackforlaptops.com/ctmweb/testoc.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://cdn.digitalcity.com/video/kdx.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - Winlogon Notify: tuvwvur - tuvwvur.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\SYSTEM32\Rpcnet.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 7561 bytes


Thank you again,

Sarah

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 05 November 2007 - 02:48 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\qsokjlsx.dll
C:\WINDOWS\system32\kjqoxqnd.dll
C:\WINDOWS\system32\vtutrro.dll
C:\WINDOWS\system32\rwrjniss.dll
C:\WINDOWS\system32\pefnuccn.dll
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu77.exe
Folder::
C:\WINDOWS\system32\Mz02r
C:\Documents and Settings\Whit.DB597091\Application Data\SpyGuardPro
C:\Program Files\Common Files\SpyGuardPro
C:\WINDOWS\system32\Mz08r
C:\Temp\mZOr
C:\Temp
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46ba30ff-b5cb-4407-ad5f-6853274d9e9e}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"40e7d653"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwvur]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\seekmo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusProtectPro 3.7]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

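As an added example (it is not code from HijackThis, ComboFix or anyone in this thread), the Python below shows the kind of check a helper does by hand when writing a CFScript like the one above: it parses the O2, O4 and O20 lines quoted from the HijackThis log earlier in the thread, flags the three patterns this script removes (a BHO identified only by a GUID, a Run value that loads a DLL through rundll32.exe, and a Winlogon Notify package whose DLL is missing), then parses the File::, Folder:: and Registry:: sections of the script and reports whether each flagged entry is covered by a file removal, a key deletion or a value deletion. The flagging rules are heuristics chosen for the example, not a rule stated in the thread; reading "[-key]" as "delete this key" and "name"=- as "delete this value" follows standard .reg file syntax, which the Registry:: section uses.

```python
"""Cross-check HijackThis findings against a ComboFix CFScript (added example, not code from HijackThis, ComboFix or this thread's participants)."""
import re
from dataclasses import dataclass
# Lines quoted verbatim from the HijackThis log posted earlier in the thread.
HJT_LOG = r"""
O2 - BHO: {e9e9d472-3586-f5da-7044-bc5bff03ab64} - {46ba30ff-b5cb-4407-ad5f-6853274d9e9e} - C:\WINDOWS\system32\qsokjlsx.dll
O4 - HKLM\..\Run: [40e7d653] rundll32.exe "C:\WINDOWS\system32\kjqoxqnd.dll",b
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O20 - Winlogon Notify: tuvwvur - tuvwvur.dll (file missing)
"""

# The CFScript from the reply above, trimmed to the parts this example uses.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\qsokjlsx.dll
C:\WINDOWS\system32\kjqoxqnd.dll
Folder::
C:\WINDOWS\system32\Mz02r
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46ba30ff-b5cb-4407-ad5f-6853274d9e9e}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"40e7d653"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwvur]
"""

@dataclass
class Entry:
    kind: str         # "O2" (BHO), "O4" (Run value) or "O20" (Winlogon Notify)
    name: str         # BHO display name, Run value name or Notify subkey name
    path: str         # DLL/EXE the entry loads (for O4, the whole command line)
    clsid: str = ""   # BHO CLSID (O2 only)
    reason: str = ""  # why the entry was flagged for review; empty if it was not

GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[^}]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(.*?)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (\S+)(.*)$")

def parse_hjt(text):
    """Parse O2/O4/O20 lines; the three flagging rules are heuristics chosen for this example."""
    entries = []
    for line in text.strip().splitlines():
        if m := O2_RE.match(line):
            e = Entry("O2", m.group(1), m.group(3), clsid=m.group(2))
            if GUID_RE.match(e.name):                 # no readable name, only a GUID
                e.reason = "BHO identified only by a GUID"
        elif m := O4_RE.match(line):
            e = Entry("O4", m.group(1), m.group(2))
            if e.path.lower().startswith("rundll32"):
                e.reason = "Run value loads a DLL through rundll32.exe"
        elif m := O20_RE.match(line):
            e = Entry("O20", m.group(1), m.group(2))
            if "(file missing)" in m.group(3):
                e.reason = "Winlogon Notify package whose DLL is missing"
        else:
            continue
        entries.append(e)
    return entries

def parse_cfscript(text):
    """Collect what the script removes. Registry:: uses .reg syntax: [-key] deletes a key,
    "name"=- deletes a value under the most recent [key] header."""
    plan = {"files": set(), "folders": set(), "del_keys": set(), "del_values": set()}
    section, current_key = None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.endswith("::"):
            section = line[:-2].lower()
        elif section == "file":
            plan["files"].add(line.lower())
        elif section == "folder":
            plan["folders"].add(line.lower())
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                plan["del_keys"].add(line[2:-1].lower())
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1].lower()
            elif line.endswith("=-") and current_key:
                plan["del_values"].add((current_key, line[:-2].strip('"').lower()))
    return plan

def coverage(entries, plan):
    """For each flagged entry, report whether the script removes its file or its registry item."""
    report = []
    for e in entries:
        if not e.reason:
            continue
        covered = any(f in e.path.lower() for f in plan["files"])
        if e.kind == "O2":
            covered |= any(e.clsid.lower() in key for key in plan["del_keys"])
        elif e.kind == "O4":
            covered |= any(val == e.name.lower() for _, val in plan["del_values"])
        elif e.kind == "O20":
            covered |= any(key.endswith("\\notify\\" + e.name.lower()) for key in plan["del_keys"])
        report.append((e.kind, e.name, e.reason, covered))
    return report

if __name__ == "__main__":
    for kind, name, reason, ok in coverage(parse_hjt(HJT_LOG), parse_cfscript(CFSCRIPT)):
        print(f"{kind:<4} {name:<40} {reason:<48} {'covered' if ok else 'NOT covered'}")
```

Run as a script it prints one line per flagged entry marked "covered" or "NOT covered". Feeding it the same script with the Winlogon Notify deletion line left out reports the O20 entry as not covered, which is exactly the gap a reviewer wants to see before the script is dropped onto ComboFix: the SmcService Run entry is parsed but never flagged, so a legitimate firewall autostart does not end up in the removal plan.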
#5 cynicall55

cynicall55
  • Topic Starter

  • Members
  • 5 posts

Posted 05 November 2007 - 08:54 PM

ComboFix 07-11-05.1 - Whit 2007-11-05 18:14:03.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.141 [GMT -6:00]
Running from: C:\Documents and Settings\Whit.DB597091\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Whit.DB597091\Desktop\cfscript.txt
* Created a new restore point

FILE::
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu77.exe
C:\WINDOWS\system32\kjqoxqnd.dll
C:\WINDOWS\system32\pefnuccn.dll
C:\WINDOWS\system32\qsokjlsx.dll
C:\WINDOWS\system32\rwrjniss.dll
C:\WINDOWS\system32\vtutrro.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Whit.DB597091\Application Data\SpyGuardPro
C:\Documents and Settings\Whit.DB597091\Application Data\SpyGuardPro\avtasks.dat
C:\Documents and Settings\Whit.DB597091\Application Data\SpyGuardPro\Logs\av.log
C:\Documents and Settings\Whit.DB597091\Application Data\SpyGuardPro\Logs\ga6Support.log
C:\Documents and Settings\Whit.DB597091\Application Data\SpyGuardPro\Logs\update.log
C:\Documents and Settings\Whit.DB597091\Application Data\SpyGuardPro\PGE.dat
C:\Program Files\Common Files\SpyGuardPro
C:\Temp
C:\Temp\mZOr\tOasF.log
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\kjqoxqnd.dll
C:\WINDOWS\system32\Mz02r
C:\WINDOWS\system32\Mz02r\Mz02r1065.exe
C:\WINDOWS\system32\Mz08r
C:\WINDOWS\system32\Mz08r\Mz08r1099.exe
C:\WINDOWS\system32\pefnuccn.dll
C:\WINDOWS\system32\qsokjlsx.dll
C:\WINDOWS\system32\rwrjniss.dll
C:\WINDOWS\system32\vtutrro.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-06 to 2007-11-06 )))))))))))))))))))))))))))))))
.

2007-11-05 08:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 23:04 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Talkback
2007-11-04 11:27 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-11-04 11:27 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-11-04 11:27 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-11-04 11:27 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-11-04 11:27 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-11-04 11:27 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-11-04 11:27 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-11-04 11:26 <DIR> d-------- C:\Program Files\Sygate
2007-11-04 00:11 <DIR> d-------- C:\Program Files\SpyGuardPro
2007-10-28 22:47 <DIR> d-------- C:\Program Files\Veoh Networks
2007-10-20 14:41 <DIR> d-------- C:\Program Files\PCPitstop
2007-10-20 13:08 <DIR> d-------- C:\Program Files\CA
2007-10-20 13:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2007-10-20 13:08 879,784 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-10-20 13:08 108,312 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2007-10-20 13:08 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-10-20 13:08 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2007-10-20 13:08 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-10-20 13:08 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2007-10-19 23:54 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-19 23:25 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-17 01:55 <DIR> d-------- C:\Program Files\Paint.NET
2007-10-16 16:41 <DIR> d-------- C:\Documents and Settings\Whit.DB597091\Application Data\Apple Computer
2007-10-16 13:32 <DIR> d-------- C:\Documents and Settings\Whit.DB597091\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-06 00:19 47,104 ----a-w C:\WINDOWS\system32\Rpcnet.dll
2007-11-06 00:19 17,408 ----a-w C:\WINDOWS\system32\rpcnetp.exe
2007-11-03 21:28 47,104 ----a-w C:\WINDOWS\system32\rpcnet.exe
2007-11-03 21:25 17,408 ----a-w C:\WINDOWS\system32\rpcnetp.dll
2007-11-03 17:35 --------- d-----w C:\Program Files\MSN Messenger
2007-11-03 17:15 4,444 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-02 18:31 --------- d-----w C:\Documents and Settings\Whit.DB597091\Application Data\HouseCall 6.6
2007-10-29 04:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-24 21:38 75,016 ----a-w C:\WINDOWS\system32\isafprod.dll
2007-10-20 23:30 --------- d-----w C:\Program Files\Symantec
2007-10-20 23:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-20 23:22 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-20 23:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-20 23:12 --------- d-----w C:\Program Files\Common Files\Intuit
2007-10-17 07:46 --------- d-----w C:\Program Files\Photolightning
2007-10-17 07:43 --------- d-----w C:\Program Files\FotoFinish
2007-10-17 07:40 --------- d-----w C:\Program Files\Common Files\Corel
2007-10-17 07:32 --------- d-----w C:\Documents and Settings\Whit.DB597091\Application Data\Corel
2007-10-06 05:04 --------- d-----w C:\Program Files\DivX
2007-10-03 04:01 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-03 03:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-03 02:57 --------- d-----w C:\Program Files\Fenrir & Co
2007-10-03 02:09 --------- d-----w C:\Program Files\Ghostzilla
2007-10-03 02:09 --------- d-----w C:\Documents and Settings\Whit.DB597091\Application Data\Ghostzilla
2007-10-03 00:54 --------- d-----w C:\Documents and Settings\Whit.DB597091\Application Data\Grisoft
2007-10-03 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-02 21:53 --------- d-----w C:\Program Files\Lavasoft
2007-10-02 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-02 21:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-29 21:50 --------- d-----w C:\Documents and Settings\Whit.DB597091\Application Data\FotoFinish
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-26 05:17 --------- d-----w C:\Documents and Settings\Whit.DB597091\Application Data\SmartDraw
2007-09-25 22:42 --------- d-----w C:\Program Files\NetRatingsNetSight
2007-09-13 02:33 --------- d-----w C:\Documents and Settings\Whit.DB597091\Application Data\BitTorrent
2007-08-22 12:55 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 20:34 3,584,512 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-08-13 23:54 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
2007-08-13 23:54 413,696 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
2007-08-13 23:54 33,792 ----a-w C:\WINDOWS\system32\dllcache\custsat.dll
2007-08-13 23:54 191,488 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-13 23:54 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
2007-08-13 23:54 156,160 ------w C:\WINDOWS\system32\dllcache\msls31.dll
2007-08-13 23:45 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
2007-08-13 23:45 78,336 ------w C:\WINDOWS\system32\dllcache\ieencode.dll
2007-08-13 23:44 69,120 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-13 23:44 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
2007-08-13 23:44 40,960 ------w C:\WINDOWS\system32\dllcache\licmgr10.dll
2007-08-13 23:42 17,408 ------w C:\WINDOWS\system32\dllcache\corpol.dll
2007-08-13 23:39 92,672 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-13 23:39 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
2007-08-13 23:39 71,680 ------w C:\WINDOWS\system32\dllcache\admparse.dll
2007-08-13 23:39 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-05_10.13.28.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-06 00:20:11 16,384 --sha-w C:\WINDOWS\TEMP\Cookies\index.dat
+ 2007-11-06 00:20:11 16,384 --sha-w C:\WINDOWS\TEMP\History\History.IE5\index.dat
+ 2007-11-06 00:21:25 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_ca8.dat
+ 2007-11-06 00:20:11 32,768 --sha-w C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NielsenOnline"="C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2007-06-08 09:55]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-10-24 23:39]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2007-10-24 15:38]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-10-17 16:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Autodetect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Autodetect.lnk
backup=C:\WINDOWS\pss\Autodetect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Whit.DB597091^Start Menu^Programs^Startup^ScreenThemes.lnk]
path=C:\Documents and Settings\Whit.DB597091\Start Menu\Programs\Startup\ScreenThemes.lnk
backup=C:\WINDOWS\pss\ScreenThemes.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
"C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
"C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
C:\WINDOWS\kdx\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProfileWatcher]
C:\Program Files\ProfileWatcher\profilewatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
"C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=2 (0x2)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"SAVScan"=3 (0x3)
"usnjsvc"=3 (0x3)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)

R1 nnrnstdi;nnrnstdi;C:\WINDOWS\system32\drivers\nnrnstdi.sys
R3 km_filter;km_filter;C:\WINDOWS\system32\drivers\km_filter.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-06 00:21:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 18:21:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\autochk(2).exe:BAK 22528 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-11-05 18:23:22 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-05 10:14
.
--- E O F ---


And:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:39 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\SYSTEM32\Rpcnet.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135132005406
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Testoc Control) - https://www.lojackforlaptops.com/ctmweb/testoc.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://cdn.digitalcity.com/video/kdx.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\SYSTEM32\Rpcnet.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 7247 bytes


~Sarah

#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 06 November 2007 - 03:51 AM

Click Start/Control Panel/Add or Remove Programs and remove NetRatingsNetSight, then restart your PC.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.


Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

Also post a new Hijackthis log, and let me know how your PC is running now.
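The reply above works through the HijackThis log by hand: the O9 entry gets fixed because it is marked "(file missing)", and the O23 line for NMIndexingService stands out because of "Unknown owner". The script below is an added example for this thread, not code from the post, from HijackThis or from Trend Micro: it parses the O2/O3/O9, O4 and O23 line formats seen in the logs above and applies the same first-pass heuristics a log reader uses. The trusted path roots, the "DLL directly in system32" rule (the Vundo/Virtumonde pattern behind the vtutrro.dll quarantined later in this thread) and the two constructed sample lines are this example's assumptions, not HijackThis rules.

```python
"""Triage helper for HijackThis-style log lines (added example, see lead-in).

Flags raised:
  - "(file missing)" in the path      -> dead reference, safe to fix
  - service owner "Unknown owner"      -> no vendor name in the file
  - O2 BHO "(no name)" / DLL directly  -> Vundo-style random-named BHO
    in system32
  - autorun outside the assumed roots  -> temp/profile drop locations
"""
import re

LINE_RE = re.compile(r'^(?P<section>[OR]\d+) - (?P<body>.*)$')
# O2/O3/O9: "<kind>: <name> - {CLSID} - <path or URL>"
CLSID_RE = re.compile(
    r'^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')
# O4: "HKLM\..\Run: [name] command line"
O4_RE = re.compile(
    r'^(?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O23: "Service: <display name> (<short name>) - <owner> - <path>"
O23_RE = re.compile(r'^Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$')

# Assumed "normal" install roots (lower-case; 8.3 alias included).
TRUSTED_ROOTS = ('c:\\program files', 'c:\\progra~1', 'c:\\windows')
SYSTEM32 = 'c:\\windows\\system32\\'


def exe_path(cmd):
    """Pull the executable out of a quoted or unquoted command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r'^(.*?\.(?:exe|dll|ocx|sys|bat))(?:\s|$)', cmd, re.I)
    return m.group(1) if m else cmd


def parse_line(line):
    """Return a dict for one HijackThis line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group('section'), m.group('body')
    entry = {'section': section}
    if section in ('O2', 'O3', 'O9'):
        sub = CLSID_RE.match(body)
    elif section == 'O4':
        sub = O4_RE.match(body)
    elif section == 'O23':
        sub = O23_RE.match(body)
    else:
        sub = None
    if sub:
        entry.update(sub.groupdict())
        if section == 'O4':
            entry['path'] = exe_path(sub.group('cmd'))
    return entry


def findings(entry):
    """Heuristic flags for one parsed entry (empty list = nothing odd)."""
    flags = []
    p = entry.get('path', '').lower()
    if '(file missing)' in p:
        flags.append('file missing')
    if entry.get('owner') == 'Unknown owner':
        flags.append('unknown owner')
    if entry['section'] == 'O2':
        if entry.get('name') == '(no name)':
            flags.append('unnamed BHO')
        if p.startswith(SYSTEM32) and '\\' not in p[len(SYSTEM32):]:
            flags.append('BHO DLL directly in system32')
    # Local paths only: O9 web buttons (URLs) and dead references are skipped.
    if p and 'file missing' not in flags and not p.startswith('http'):
        if not p.startswith(TRUSTED_ROOTS):
            flags.append('outside trusted roots')
    return flags


def triage(lines):
    """(section, name, flags) for every line that trips at least one flag."""
    out = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        f = findings(e)
        if f:
            out.append((e['section'], e.get('name') or e.get('display'), f))
    return out


# The first six lines are copied from the HijackThis log posted in this thread;
# the last two are CONSTRUCTED for this example (made-up CLSID and paths).
SAMPLE_LOG = [
    r'O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll',
    r'O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe',
    r'O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized',
    r'O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)',
    r'O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe',
    r'O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)',
    r'O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\vtutrro.dll',
    r'O4 - HKCU\..\Run: [sysupd] "C:\Documents and Settings\user\Local Settings\Temp\sysupd.exe" /s',
]

if __name__ == '__main__':
    for section, name, flags in triage(SAMPLE_LOG):
        print(f'{section:4} {name!r:40} {", ".join(flags)}')
```

Note what the heuristics do not catch: the NielsenOnline autorun that the reply says to uninstall sits in Program Files with a vendor name and passes every structural check; knowing that NetRatings NetSight is a usage-monitoring program is product knowledge, not something a path rule can supply. The script is a first pass to shorten the list a human reads, not a verdict.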

#7 cynicall55

  • Topic Starter
  • Members
  • 5 posts

Posted 06 November 2007 - 09:27 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/06/2007 at 04:56 PM

Application Version : 3.9.1008

Core Rules Database Version : 3338
Trace Rules Database Version: 1339

Scan type : Complete Scan
Total Scan Time : 01:03:26

Memory items scanned : 375
Memory threats detected : 0
Registry items scanned : 6236
Registry threats detected : 0
File items scanned : 35828
File threats detected : 231

Adware.Tracking Cookie
C:\Documents and Settings\Whit.DB597091\Cookies\whit@revsci[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@protect.spyguardpro[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@calc.avsystemcare[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@gomyhit[3].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@spyguardpro[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@imrworldwide[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@sexbuddies[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.admedia365[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@clicksor[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@interclick[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@avsystemcare[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@ads.revsci[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@protect.trustedantivirus[3].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.burstnet[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@protect.spyguardpro[3].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@ad.yieldmanager[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@creative.adsrevenue[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@4.adbrite[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@976porn[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@acvs.mediaonenetwork[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@adecn[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@adinterax[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@adopt.hbmediapro[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@adopt.specificclick[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@adprofile[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@ads.adbrite[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@ads.adultswim[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@ads.monster[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@ads.realtechnetwork[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@ads.revsci[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@adserver.softwareonline[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@adserving.cpxinteractive[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@adultactioncam[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@adultbouncer[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@adultfriendfinder[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@adultmegacash[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@adultrental[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@adultswim[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@aff.primaryads[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@atwola[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@austin.rentclicks[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@azoogleads[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@banners.nbcupromotes[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@bdsm101[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@belnk[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@click.cashengines[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@click.theonion[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@click.tmfmoney[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@cts.metricsdirect[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@deus.trafficgods[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@divavillage.advertserve[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@dmwmedia[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@doubleyourdating.directtrack[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@drivecleaner[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@eliterenting[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@exitexchange[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@fhg.best-sex-galleries[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@freesexnet[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@bleepergalleries[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@bleeping-grandmothers[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@bleeping-old[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@gamestats[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@go.drivecleaner[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@go.drivecleaner[3].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@gostats[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@grannybleeping[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@hentaicounter[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@hornyandhappy[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@hornymatches[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@indexstats[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@interclick[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@kanoodle[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@keywordmax[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@leadgenetwork[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@linksynergy[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@mature_women_sex[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@maxserving[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@media.adrevolver[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@media.ps2.gamespy[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@media.ps2.ign[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@mediaonenetwork[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@mediaservices.myspace[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@millnicmedia.directtrack[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@mindmedia[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@momsonsex[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@motherdaughterbleep[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@myhomemadeporn[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@naiadsystems[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@nakedmaturewoman[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@nextag[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@optimost[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@partypoker[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@petiteteenager[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@porn-factory[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@porn-russ-girl[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@pornobratva[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@precisionclick[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@publishers.clickbooth[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@rapidresponse.directtrack[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@rb4.worldsex[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@realsexcash[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@rentclicks[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@richmedia.yahoo[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@searchadnetwork[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@sec1.liveperson[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@server.cpmstar[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@server.iad.liveperson[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@server.iad.liveperson[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@server2.bkvtrack[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@sex-marathon[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@sex-xvideo[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@sexplaycam[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@sexsearchcom[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@sexy-flexy-girls[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@sexy-flexy-girls[3].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@sexycitycash[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@sexymyspacehotties[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@spamblockerutility[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@specificclick[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@stats.drivecleaner[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@teenageunicorn[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@teensforcash[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@thebestxxx[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@toseeka[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@track.searchignite[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@tracker.myspacemaps[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@tracker.netklix[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@traffic.el-ladies[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@tripod[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@trueadultdate[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@winantispyware[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@winantivirus[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@wt.sexsearchcom[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.3dstats[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.976porn[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.addfreestats[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.adult-matchfirm[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.adult-movies[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.adultactioncam[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.asiansexaction[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.cibleclick[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.crackthrust[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.crackwhoreconfessions[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.dmwmedia[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.drivecleaner[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.ebony-pornography[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.enterfreesex[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.bleepedgrannies[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.bleepedgrannies[3].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.bleeping-grandmothers[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.gallerieporno[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.googleadservices[6].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.grannypornmovs[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.homesweethomesex[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.hornyandhappy[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.hornymatches[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.hotadultworld[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.insex[3].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.jointheporn[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.lamaporn[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.lotsofpornmovies[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.macromedia[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.mediabuyerplanner[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.momsandbleepers[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.momsandbleepers[3].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.motherdaughterbleep[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.myprivatesexsite[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.naughtymaturesex[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.pantyhoseteen[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.pornjoy[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.pornsitejourney[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.pornspital[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.privatepornmovieclips[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.privatepornvideo[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.public-porno[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.retrobleeps[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.searchadnetwork[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.sex-movies[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.sexgrannies[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.sexhungrymoms[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.sexnoice[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.sexontaxi[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.sexygranma[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.sexymaturethumbs[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.sexymaturethumbs[3].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.teensnow[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.tgsex[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.topwebteens[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.trackspace[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.trafficadept[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.trafficholder[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.trafficstrategies[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.usporn[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.virginbleeped[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.w3counter[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.winantispyware[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.winantivirus[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.xxx69[2].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.xxxmaturez[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.xxxnrg[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www.youngpornmovies[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www1.addfreestats[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www2.hqualityporn[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@www8.addfreestats[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@xiti[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@xxxcreatures[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@xxxfolder[1].txt
C:\Documents and Settings\Whit.DB597091\Cookies\whit@xxxpower[2].txt

Malware.LocusSoftware Inc/SpyGuardPro
C:\Program Files\SpyGuardPro\history.db
C:\Program Files\SpyGuardPro\ResErrors.log
C:\Program Files\SpyGuardPro

Trojan.Downloader/Media-Codec
C:\DOCUMENTS AND SETTINGS\WHIT.DB597091\DESKTOP\VIDEOACCESSCODECINSTALL.EXE

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1549OINADMIN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1549OINUNINSTALLER.EXE.VIR

Trojan.Downloader-Gen/TaLDrv
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\I8\TALDRVR11.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP491\A0317350.EXE

Trojan.Downloader-Gen/BundleBase
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MZ02R\MZ02R1065.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MZ08R\MZ08R1099.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP488\A0317118.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP492\A0319379.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP492\A0319380.EXE

Adware.Vundo Variant
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VTUTRRO.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP490\A0317331.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP492\A0319387.DLL

Trojan.Downloader-Gen/Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\X22\WR31DRS.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP491\A0317351.EXE

Trojan.Unknown Origin

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 06, 2007 8:21:45 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/11/2007
Kaspersky Anti-Virus database records: 424670
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 54446
Number of viruses found: 7
Number of infected objects: 10
Number of suspicious objects: 2
Duration of the scan process: 01:00:01

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject1.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Whit.DB597091\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Whit.DB597091\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Whit.DB597091\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Whit.DB597091\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Whit.DB597091\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Whit.DB597091\Local Settings\Application Data\Mozilla\Firefox\Profiles\f0xdpfhv.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Whit.DB597091\Local Settings\Application Data\Mozilla\Firefox\Profiles\f0xdpfhv.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Whit.DB597091\Local Settings\Application Data\Mozilla\Firefox\Profiles\f0xdpfhv.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Whit.DB597091\Local Settings\Application Data\Mozilla\Firefox\Profiles\f0xdpfhv.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Whit.DB597091\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Whit.DB597091\Local Settings\Temp\iexplor.exe Infected: Trojan-Downloader.Win32.VB.bnw skipped
C:\Documents and Settings\Whit.DB597091\Local Settings\Temp\~DF1037.tmp Object is locked skipped
C:\Documents and Settings\Whit.DB597091\Local Settings\Temp\~DF895.tmp Object is locked skipped
C:\Documents and Settings\Whit.DB597091\Local Settings\Temp\~DFDDDA.tmp Object is locked skipped
C:\Documents and Settings\Whit.DB597091\Local Settings\Temp\~DFFC0E.tmp Object is locked skipped
C:\Documents and Settings\Whit.DB597091\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Whit.DB597091\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Whit.DB597091\ntuser.dat Object is locked skipped
C:\Documents and Settings\Whit.DB597091\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\Program Files\Veoh Networks\Veoh\client.log Object is locked skipped
C:\Program Files\Veoh Networks\Veoh\upload.log Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20060313060038.zip Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqdb.dat Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqsdb.dat Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\kjqoxqnd.dll.vir Infected: Trojan.Win32.BHO.rf skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\pefnuccn.dll.vir Infected: Trojan.Win32.BHO.rd skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\qsokjlsx.dll.vir Infected: Trojan.Win32.BHO.rg skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rwrjniss.dll.vir Infected: Trojan.Win32.BHO.re skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP492\A0319383.dll Infected: Trojan.Win32.BHO.rf skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP492\A0319384.dll Infected: Trojan.Win32.BHO.rd skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP492\A0319385.dll Infected: Trojan.Win32.BHO.rg skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP492\A0319386.dll Infected: Trojan.Win32.BHO.re skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP493\A0320583.exe Infected: Trojan-Downloader.Win32.Zlob.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP493\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{B169F78A-2F05-4EAE-B4CA-1AA536B06AC2}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:25 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\SYSTEM32\Rpcnet.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135132005406
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Testoc Control) - https://www.lojackforlaptops.com/ctmweb/testoc.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://cdn.digitalcity.com/video/kdx.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\SYSTEM32\Rpcnet.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 7261 bytes


The popups are gone, and it seems to be running better. Is it all better now?

~Sarah
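Added example, not code from the thread: a small Python triage script for a Kaspersky Online Scanner report in the format posted above. It drops the "Object is locked" noise and separates detections that are already inert (ComboFix's C:\qoobox quarantine, System Restore snapshots, Spybot's Recovery backups, an assumption about where those tools keep their copies) from detections still live on disk, which is the distinction behind deleting only Temp\iexplor.exe.

```python
"""Triage a Kaspersky Online Scanner report (added example, not from the thread)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Matches "<path> Infected: <name> <action>" or "<path> Suspicious: <name> <action>".
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<kind>Infected|Suspicious):\s+(?P<name>\S+)\s+(?P<action>\S+)$"
)

# Assumption: detections under these prefixes are backups/quarantine copies, so they
# cannot run unless someone restores them; they are reported but not "live".
NEUTRALISED_PREFIXES = (
    "c:\\qoobox\\quarantine\\",                 # ComboFix quarantine (.vir files)
    "c:\\system volume information\\",          # System Restore snapshots
    "c:\\documents and settings\\all users\\application data\\spybot - search & destroy\\recovery\\",
)

@dataclass
class Detection:
    path: str
    kind: str
    name: str
    action: str

    @property
    def neutralised(self) -> bool:
        return self.path.lower().startswith(NEUTRALISED_PREFIXES)

def parse_report(text: str) -> list[Detection]:
    """Return one Detection per Infected/Suspicious line; locked objects are ignored."""
    found: list[Detection] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith("Object is locked skipped"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            found.append(Detection(**m.groupdict()))
    return found

def triage(text: str) -> dict[str, list[str]]:
    """Split detections into 'live' (needs action) and 'neutralised' paths."""
    result: dict[str, list[str]] = {"live": [], "neutralised": []}
    for d in parse_report(text):
        result["neutralised" if d.neutralised else "live"].append(d.path)
    return result

# Constructed sample: a few lines in the same format as the report above.
SAMPLE_REPORT = """\
C:\\Documents and Settings\\LocalService\\ntuser.dat Object is locked skipped
C:\\Documents and Settings\\Whit.DB597091\\Local Settings\\Temp\\iexplor.exe Infected: Trojan-Downloader.Win32.VB.bnw skipped
C:\\qoobox\\Quarantine\\C\\WINDOWS\\system32\\kjqoxqnd.dll.vir Infected: Trojan.Win32.BHO.rf skipped
C:\\System Volume Information\\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\\RP493\\A0320583.exe Infected: Trojan-Downloader.Win32.Zlob.gen skipped
C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy\\Recovery\\ZlobVideoActiveXObject1.zip/uninst.exe Suspicious: Password-protected-EXE skipped
"""

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_REPORT).items():
        print(f"{bucket}:")
        for p in paths:
            print("  ", p)
```

On the sample, only the file in the user's Temp folder lands in the "live" bucket; the quarantine, restore-point and Spybot backup copies are listed separately so they can be cleared with the quarantine/restore-point cleanup rather than treated as an active infection.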

#8 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 07 November 2007 - 03:29 AM

Enable the viewing of hidden files and folders; reverse the process when you've done the steps below:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

* Run HijackThis.
* Click on "Open the Misc Tools" section.
* Click "Delete a file on reboot".
* Find and select this file if present:
C:\Documents and Settings\Whit.DB597091\Local Settings\Temp\iexplor.exe
* Click "Open".
* You will be asked if you want to restart your computer, click Yes.
* Your computer will be restarted.

Your log is clean :thumbsup:
If all's OK, please do the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press OK.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on OK.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

#9 cynicall55

  • Topic Starter
  • Members
  • 5 posts

Posted 11 November 2007 - 12:13 PM

Thank you so much for all your help!

~Sarah

#10 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 11 November 2007 - 12:25 PM

You're most welcome Sarah :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.