
Virtumonde And Persistent Popup Issues


  • This topic is locked
65 replies to this topic

#1 j and j

  • Members
  • 46 posts

Posted 06 November 2007 - 12:50 PM

Looking for assistance. I've gone through the prep guide and could get adaware and spybot to give a clean bill, but popups kept coming back. Then virtumonde would reappear in adaware (along with occasional hotfix and smitfraud). Bitdefender came up with more (log attached) but mcafee stinger was clean. As a matter of fact, bitdefender said adaware was infected (with trojan.fotomoto). Only one of bitdefender's many results could be disinfected.

Added zonealarm and did the windows update.

A few popup sites I get - admedia365 and setthetrend

Here's the HijackThis log. Thanks in advance for any help. - jennifer


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:08 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ddnbupxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\John\LOCALS~1\Temp\B~NSISu_.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\John\LOCALS~1\Temp\A~NSISu_.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\HPZinw12.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rcn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [f8d5d763] rundll32.exe "C:\WINDOWS\system32\llydqisc.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sslvpn.lutron.com/dana-cached/setup...perSetupSP1.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\ddnbupxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 11083 bytes


Edited by j and j, 06 November 2007 - 12:52 PM.




#2 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts

Posted 06 November 2007 - 08:28 PM

Hello and welcome to BC.

You have not only vundo but also a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy, known to replace legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. The cleaning process will take several rounds so please stay tuned until all is cleaned.

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**
  • Close any open browsers. Disconnect from the internet.
  • Close/disable all anti virus and anti malware programs so that they do not interfere with the running of ComboFix. Remember to re-enable them when you are done.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review. Please make sure that the wordwrap is unchecked in the Format menu.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


==================================

Please download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe

Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced.
Please provide Find AWF report in your reply.

#3 j and j
  • Topic Starter

  • Members
  • 46 posts

Posted 06 November 2007 - 10:29 PM

Got and ran combofix
Got and ran awf
Reran hijackthis

Hijack file included in post. Other logs are attached.

Thanks for your same day attention!

PS Security Toolbar added itself to ie this last go around.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:01 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rcn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {25499400-83B4-4040-87BE-C8BD09F6B1F7} - \
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\kclabdpl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kclabdpl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [f8d5d763] rundll32.exe "C:\WINDOWS\system32\llydqisc.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutarabit.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sslvpn.lutron.com/dana-cached/setup...perSetupSP1.cab
O20 - Winlogon Notify: kclabdpl - C:\WINDOWS\SYSTEM32\kclabdpl.dll
O20 - Winlogon Notify: urqnopn - urqnopn.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 11357 bytes


#4 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts

Posted 07 November 2007 - 08:34 AM

Hi,

Scan with HijackThis and put a checkmark against the following entries:

O2 - BHO: (no name) - {25499400-83B4-4040-87BE-C8BD09F6B1F7} - \
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\kclabdpl.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kclabdpl.dll
O4 - HKLM\..\Run: [f8d5d763] rundll32.exe "C:\WINDOWS\system32\llydqisc.dll",b
O4 - Startup: PowerReg Scheduler V3.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutarabit.com
O20 - Winlogon Notify: kclabdpl - C:\WINDOWS\SYSTEM32\kclabdpl.dll
O20 - Winlogon Notify: urqnopn - urqnopn.dll (file missing)


Close all browsers other than HijackThis and click on "fix checked".

===================================

Open notepad (it must be notepad, not wordpad, or it won't work) and copy/paste the text in the quotebox below into it:

KILLALL::

File::
C:\WINDOWS\system32\llydqisc.dll
C:\WINDOWS\SYSTEM32\kclabdpl.dll
C:\WINDOWS\SYSTEM32\kclabdpl.dll
C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu1000106.exe

Folder::
C:\WINDOWS\SYSTEM32\Mz02r
C:\WINDOWS\Sm9obg
C:\temp\mZOr

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10C6BE6F-69C4-427B-B3B1-FD61FEE208ED}] 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}] 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89AD4D75-2429-462e-BD4E-443F233F6033}] 
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}] 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Collect::
C:\WINDOWS\SYSTEM32\qinsuhyf.dll
C:\WINDOWS\SYSTEM32\kclabdpl.dll
C:\WINDOWS\SYSTEM32\wglgtywm.dll
C:\WINDOWS\SYSTEM32\ddnbupxx.exe
C:\WINDOWS\SYSTEM32\vyymtaxv.dll
C:\WINDOWS\SYSTEM32\gobbcprr.dll

Save this as CFScript.txt

[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

===================================

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
C:\Program Files\Common Files\Dell\EUSW\bak\Support.exe
C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
C:\Program Files\Creative\Shared Files\bak\CamTray.exe
C:\Program Files\Dell\Media Experience\bak\PCMService.exe
C:\Program Files\DellSupport\bak\DSAgnt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe
C:\Program Files\Intuit\QAgent\bak\QAGENT.EXE
C:\Program Files\Microsoft Money\System\bak\mnyexpr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe
C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Simple Star\PhotoShow Deluxe\data\Xtras\bak\mssysmgr.exe
C:\Program Files\Symantec\LiveUpdate\bak\SNDMon.EXE
C:\WINDOWS\SYSTEM32\bak\hkcmd.exe
C:\WINDOWS\SYSTEM32\bak\igfxtray.exe
C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe
C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe


Next, close and click Yes to save the changes.

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

===========================================

Please post back:

the Combofix log
the new FindAWF
a fresh HijackThis log taken after a reboot.

Please do not attach them. Make two or three posts, if too long.
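The "bak" pattern amateur describes in post #2 (the trojan overwrites an autostart executable and parks the legitimate original in a sibling bak folder) is what the FindAWF scan and the restore list above rely on. The following is an added example, not FindAWF's or the forum's own code: it parses the O4 Run entries of a HijackThis log, derives where the displaced original would sit, and reports which of those bak twins exist. The log lines and disk snapshot are constructed from entries in this thread; on a live Windows host you would pass os.path.exists instead of the snapshot, and 8.3 short names such as PROGRA~1 would need expanding first.

```python
"""Flag autostart executables that have a Downloader.Agent.awf-style 'bak' twin.

Added example for this thread (not FindAWF's code). The trojan described in
post #2 replaces a legitimate autostart .exe and moves the original into a
'bak' sub-folder next to it, so a bak folder beside an autostart target that
holds a file of the same name is the tell-tale to look for.
"""
import ntpath
import re

# One HijackThis autostart line: O4 - HKLM\..\Run: [name] command
O4_RUN = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def run_target(cmd):
    """Pull the executable path out of an O4 Run command line.

    Quoted paths are taken verbatim; unquoted ones run up to the first
    '.exe' token (HijackThis prints unquoted paths with spaces intact).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    m = re.match(r"(?i)(.+?\.exe)(?=\s|$)", cmd)
    return m.group(1) if m else None


def bak_twin(target):
    """Path where the displaced original would sit for this autostart target."""
    folder, name = ntpath.split(target)
    if not folder:
        return None  # bare name (rundll32.exe) is resolved via PATH; nothing to check
    return ntpath.join(folder, "bak", name)


def find_awf_candidates(hjt_lines, exists):
    """Return (target, bak twin) for each O4 Run entry whose bak twin exists.

    `exists` is a callable path -> bool; pass os.path.exists on a live host.
    8.3 short names such as PROGRA~1 are compared as printed, so expand them
    first on a real system if you want those entries matched too.
    """
    hits = []
    for line in hjt_lines:
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        target = run_target(m.group("cmd"))
        twin = bak_twin(target) if target else None
        if twin and exists(twin):
            hits.append((target, twin))
    return hits


def snapshot_exists(paths):
    """Case-insensitive existence check over a constructed list of paths."""
    known = {p.lower() for p in paths}
    return lambda p: p.lower() in known


# Constructed sample: O4 lines taken from the HijackThis log in this thread,
# plus one O23 line to show that non-O4 entries are ignored.
SAMPLE_HJT = [
    r"O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe",
    r'O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r',
    r"O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE",
    r'O4 - HKLM\..\Run: [f8d5d763] rundll32.exe "C:\WINDOWS\system32\llydqisc.dll",b',
    r'O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r"O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe",
]

# Constructed disk snapshot: three bak twins present (as in the FindAWF restore
# list above); ZoneAlarm was installed after the infection, so it has none.
SAMPLE_DISK = [
    r"C:\WINDOWS\SYSTEM32\bak\hkcmd.exe",
    r"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe",
    r"C:\Program Files\Intuit\QAgent\bak\QAGENT.EXE",
]

if __name__ == "__main__":
    for target, twin in find_awf_candidates(SAMPLE_HJT, snapshot_exists(SAMPLE_DISK)):
        print(f"{target}\n    original likely at: {twin}")
```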

#5 j and j
  • Topic Starter

  • Members
  • 46 posts

Posted 07 November 2007 - 11:38 AM

Did the fixes in HJT (although I noticed the entries were still there even after everything else was done and I did the final scan?)
Ran the CFScript in ComboFix, file was submitted.
Ran FindAWF Option 2 (I did not add the quotemarks as it stated, but only copy/pasted as your posting stated)
Ran HJT after reboot

Even though I shutdown ZA and Spybot SD before I do things, they always restart after reboot, which ComboFix doesn't seem to like. Are there settings to not have them load on startup?

Here are the logfiles....Additional posts if needed (sorry about the attachments).

Thanks!
Jennifer

------------------------

ComboFix 07-11-07.3 - John 2007-11-07 10:43:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.854 [GMT -5:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\SYSTEM32\kclabdpl.dll
C:\WINDOWS\system32\llydqisc.dll
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\John\Desktop\Live Safety Center.lnk
C:\Documents and Settings\John\Desktop\Online Security Guide.lnk
c:\documents and settings\john\favorites\Online Security Guide.lnk
C:\temp\mZOr
C:\temp\mZOr\tOasF.log
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\Sm9obg
C:\WINDOWS\Sm9obg\mA6Cv0.vbs
C:\WINDOWS\SYSTEM32\ddnbupxx.exe
C:\WINDOWS\SYSTEM32\gobbcprr.dll
C:\WINDOWS\SYSTEM32\kclabdpl.dll
C:\WINDOWS\system32\kclabdpl.dllbox
C:\WINDOWS\SYSTEM32\Mz02r
C:\WINDOWS\SYSTEM32\Mz02r\Mz02r1065.exe
C:\WINDOWS\SYSTEM32\qinsuhyf.dll
C:\WINDOWS\SYSTEM32\vyymtaxv.dll
C:\WINDOWS\SYSTEM32\wglgtywm.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-06 20:38 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 11:52 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 11:34 788,512 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2007-11-06 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-06 11:30 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-11-06 11:30 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2007-11-06 10:58 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-11-04 19:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-11-04 11:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-11-04 11:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-04 11:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-11-04 11:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Juniper Networks
2007-11-04 11:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-10-31 21:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-31 18:34 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Juniper Networks
2007-10-31 17:20 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-31 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-31 17:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 15:52 10,268 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-06 17:18 --------- d-----w C:\Program Files\NetZero
2007-11-05 00:40 --------- d-----w C:\Program Files\Norton Internet Security
2007-11-05 00:40 --------- d-----w C:\Program Files\MSN Messenger
2007-11-05 00:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-05 00:39 --------- d-----w C:\Program Files\Digital Line Detect
2007-10-18 01:09 --------- d-----w C:\Documents and Settings\John\Application Data\U3
2007-10-03 23:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-02 21:49 --------- d-----w C:\Program Files\QuickTime
2007-10-02 21:49 --------- d-----w C:\Program Files\DellSupport
2007-09-25 20:59 --------- d-----w C:\Documents and Settings\Alex and Lauren\Application Data\Creative
2007-08-02 13:43 282,624 ----a-w C:\Program Files\TTC.dll
2005-12-15 16:03 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-06_21.34.43.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-10-16 19:11:00 1,257,472 ----a-w C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2007-11-07 08:02:07 1,265,664 ----a-w C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2006-05-31 03:12:55 1,224,704 ----a-w C:\WINDOWS\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2007-11-07 08:02:10 1,232,896 ----a-w C:\WINDOWS\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2007-11-07 08:03:34 118,784 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_303b4d36\CustomMarshalers.dll
+ 2007-11-07 08:02:30 61,440 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_5a3396a0\CustomMarshalers.dll
+ 2007-11-07 08:03:59 2,969,600 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.VisualStudio\1.0.5000.0__b03f5f7f11d50a3a_7300685f\Microsoft.VisualStudio.dll
+ 2007-11-07 08:03:11 1,372,160 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.VisualStudio\1.0.5000.0__b03f5f7f11d50a3a_adc7a67d\Microsoft.VisualStudio.dll
+ 2007-11-07 08:03:06 3,256,320 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.VSDesigner\7.0.5000.0__b03f5f7f11d50a3a_27cfb330\Microsoft.VSDesigner.dll
+ 2007-11-07 08:03:57 6,774,784 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.VSDesigner\7.0.5000.0__b03f5f7f11d50a3a_2e2ddd2b\Microsoft.VSDesigner.dll
+ 2007-11-07 08:02:57 3,391,488 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_a04858c3\mscorlib.dll
+ 2007-11-07 08:03:52 8,908,800 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_c6fa10fa\mscorlib.dll
+ 2007-11-07 08:02:50 1,470,464 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_310b8b5e\System.Design.dll
+ 2007-11-07 08:03:45 3,395,584 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_387fc0c6\System.Design.dll
+ 2007-11-07 08:02:32 90,112 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_3db80df8\System.Drawing.Design.dll
+ 2007-11-07 08:03:35 192,512 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_f51a3138\System.Drawing.Design.dll
+ 2007-11-07 08:02:53 835,584 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_25f371f4\System.Drawing.dll
+ 2007-11-07 08:03:47 2,244,608 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_f5948c75\System.Drawing.dll
+ 2007-11-07 08:02:40 3,018,752 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_78fd3fbe\System.Windows.Forms.dll
+ 2007-11-07 08:03:39 7,884,800 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_e7d91f02\System.Windows.Forms.dll
+ 2007-11-07 08:02:45 2,088,960 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_6c901e56\System.Xml.dll
+ 2007-11-07 08:03:43 5,513,216 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_7103785f\System.Xml.dll
+ 2007-11-07 08:02:28 1,966,080 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_6ed26995\System.dll
+ 2007-11-07 08:03:31 4,788,224 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_f3c6c3f5\System.dll
+ 2007-11-07 08:04:14 18,432 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\vjscor\1.0.5000.0__b03f5f7f11d50a3a_1e8b0936\vjscor.dll
+ 2007-11-07 08:03:28 20,480 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\vjscor\1.0.5000.0__b03f5f7f11d50a3a_b3ddbb2d\vjscor.dll
+ 2007-11-07 08:04:01 155,648 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\VJSharpCodeProvider\7.0.5000.0__b03f5f7f11d50a3a_6f4f846f\VJSharpCodeProvider.dll
+ 2007-11-07 08:03:12 69,632 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\VJSharpCodeProvider\7.0.5000.0__b03f5f7f11d50a3a_9dd9b678\VJSharpCodeProvider.dll
+ 2007-11-07 08:03:27 4,468,736 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\vjslib\1.0.5000.0__b03f5f7f11d50a3a_1397ca84\vjslib.dll
+ 2007-11-07 08:04:11 12,165,120 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\vjslib\1.0.5000.0__b03f5f7f11d50a3a_e5ea65a6\vjslib.dll
+ 2007-11-07 08:03:17 32,768 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\vjslibcw\1.0.5000.0__b03f5f7f11d50a3a_dfabf205\vjslibcw.dll
+ 2007-11-07 08:04:02 16,896 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\VJSWfcBrowserStubLib\1.0.5000.0__b03f5f7f11d50a3a_2eed5b1e\VJSWfcBrowserStubLib.dll
+ 2007-11-07 08:03:14 10,240 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\VJSWfcBrowserStubLib\1.0.5000.0__b03f5f7f11d50a3a_f277109e\VJSWfcBrowserStubLib.dll
+ 2006-05-31 03:13:18 1,953,792 ------w C:\WINDOWS\assembly\temp\4AGLQW17CH\System.dll
+ 2006-05-31 03:12:55 1,224,704 ------w C:\WINDOWS\assembly\temp\BINSX28EKQ\System.dll
+ 2006-05-31 03:14:03 3,379,200 ------w C:\WINDOWS\assembly\temp\CINSX39EJP\mscorlib.dll
+ 2006-05-31 03:13:58 835,584 ------w C:\WINDOWS\assembly\temp\EKQV17DJPU\System.Drawing.dll
+ 2006-05-31 03:13:48 2,088,960 ------w C:\WINDOWS\assembly\temp\JPUZ4AGMSX\System.Xml.dll
+ 2006-05-31 03:13:40 3,014,656 ------w C:\WINDOWS\assembly\temp\KQV06CHMSY\System.Windows.Forms.dll
- 2004-07-15 05:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2007-04-14 02:30:52 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2004-07-15 05:49:22 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2007-04-14 02:30:52 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2004-07-15 04:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2007-04-14 01:57:52 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2003-02-21 01:09:14 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2007-04-14 01:57:58 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2004-07-15 04:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2007-04-14 01:56:30 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2004-07-15 04:33:04 102,400 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2007-04-14 01:58:00 102,400 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2004-07-15 18:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2007-04-14 01:50:46 2,142,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2003-02-21 01:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2007-04-14 01:58:02 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2004-07-15 04:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2007-04-14 01:57:00 2,523,136 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2004-07-15 04:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2007-04-14 01:57:28 2,514,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2004-08-10 20:20:00 106,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
+ 2007-01-15 21:11:26 73,728 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
+ 2004-07-15 05:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3724\_aspnet_isapi.dll
+ 2004-07-15 04:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3724\_CORPerfMonExt.dll
+ 2004-07-15 04:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3724\_fusion.dll
+ 2004-07-15 04:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3724\_mscorjit.dll
+ 2004-07-15 18:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3724\_mscorlib.dll
+ 2003-02-21 01:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3724\_mscorsn.dll
+ 2004-07-15 04:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3724\_mscorsvr.dll
+ 2004-07-15 04:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3724\_mscorwks.dll
+ 2003-02-21 10:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3724\_msvcr71.dll
+ 2004-07-15 04:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3724\_PerfCounter.dll
- 2004-07-15 18:31:16 1,224,704 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2007-04-14 02:35:38 1,232,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2004-10-08 10:20:12 1,257,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2007-04-14 02:35:46 1,265,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2004-07-15 04:24:50 155,648 ----a-w C:\WINDOWS\SYSTEM32\mscoree.dll
+ 2006-12-22 17:28:14 271,360 ----a-w C:\WINDOWS\SYSTEM32\mscoree.dll
+ 2006-12-22 18:02:36 6,144 ----a-w C:\WINDOWS\SYSTEM32\MUI\0409\mscorees.dll
- 2007-11-06 16:56:56 4,212 ---ha-w C:\WINDOWS\SYSTEM32\zllictbl.dat
+ 2007-11-07 15:54:21 4,212 ---h--w C:\WINDOWS\SYSTEM32\zllictbl.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 313,472 2006-03-30 20:45:08 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

----a-w 69,632 2005-10-14 03:26:04 C:\Program Files\Common Files\Dell\EUSW\bak\Support.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Common Files\Dell\EUSW\Support.exe

----a-w 218,032 2006-09-11 08:40:32 C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

----a-w 151,597 2004-02-20 19:34:11 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 155,648 2003-02-13 07:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

----a-w 70,816 2003-11-10 18:30:02 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 258,048 2005-03-29 06:13:31 C:\Program Files\Creative\Shared Files\bak\CamTray.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Creative\Shared Files\CamTray.exe

----a-w 204,800 2003-08-27 01:47:34 C:\Program Files\Dell\Media Experience\bak\PCMService.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Dell\Media Experience\PCMService.exe

----a-w 460,784 2007-03-15 15:09:36 C:\Program Files\DellSupport\bak\DSAgnt.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\DellSupport\DSAgnt.exe

----a-w 69,632 2002-04-17 15:42:56 C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

----a-w 49,152 2005-12-15 15:18:50 C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

----a-w 98,304 1999-08-30 12:19:14 C:\Program Files\Intuit\QAgent\bak\QAGENT.EXE
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Intuit\QAgent\QAGENT.EXE

----a-w 200,704 2003-06-18 18:00:00 C:\Program Files\Microsoft Money\System\bak\mnyexpr.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Microsoft Money\System\mnyexpr.exe

----a-w 53,248 2003-10-06 16:05:40 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

----a-w 118,784 2003-10-06 16:05:40 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

----a-w 70,800 2003-12-12 00:35:18 C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Norton Internet Security\UrlLstCk.exe

----a-w 77,824 2004-02-20 19:33:45 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\QuickTime\qttask.exe

----a-w 180,224 2003-12-03 13:42:49 C:\Program Files\Simple Star\PhotoShow Deluxe\data\Xtras\bak\mssysmgr.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Simple Star\PhotoShow Deluxe\data\Xtras\mssysmgr.exe

----a-w 87,184 2004-05-21 18:59:46 C:\Program Files\Symantec\LiveUpdate\bak\SNDMon.EXE
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Symantec\LiveUpdate\SNDMon.EXE

----a-w 114,688 2003-04-07 06:07:38 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe
----a-w 28,176 2007-10-02 21:43:30 C:\WINDOWS\SYSTEM32\hkcmd.exe

----a-w 155,648 2003-04-07 06:19:52 C:\WINDOWS\SYSTEM32\bak\igfxtray.exe
----a-w 28,176 2007-10-02 21:43:30 C:\WINDOWS\SYSTEM32\igfxtray.exe

----a-w 155,648 2001-07-09 19:50:42 C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe
----a-w 28,176 2007-10-02 21:43:30 C:\WINDOWS\SYSTEM32\NeroCheck.exe

----a-w 114,741 2003-08-06 07:04:00 C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe
----a-w 28,176 2007-10-02 21:43:30 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10C6BE6F-69C4-427B-B3B1-FD61FEE208ED}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25499400-83B4-4040-87BE-C8BD09F6B1F7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89AD4D75-2429-462e-BD4E-443F233F6033}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2007-10-02 16:43]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2007-10-02 16:43]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2007-10-02 16:43]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2007-10-02 16:43]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2007-10-02 16:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-02 16:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-02 16:43]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2007-10-02 16:43]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2007-10-02 16:43]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-02 16:43]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2007-10-02 16:43]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2007-10-02 16:43]
"QAGENT"="C:\Program Files\Intuit\QAgent\QAGENT.EXE" [2007-10-02 16:43]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2007-10-02 16:43]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2007-10-02 16:43]
"PD0630 STISvc"="P0630Pin.dll" [2005-06-05 12:01 C:\WINDOWS\SYSTEM32\P0630Pin.dll]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-10-02 16:43]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"f8d5d763"="C:\WINDOWS\system32\llydqisc.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE" [2007-10-02 16:43]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe" [2007-10-02 16:43]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [2007-10-02 16:43]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2007-10-02 16:43]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-10-02 16:43]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2007-10-02 16:43]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-10-02 16:43]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe [2005-08-18 16:09:58]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-02-20 14:31:07]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-12-15 10:40:44]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2005-12-15 12:00:54]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 01:22:40]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 13:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2004-03-16 20:45:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kclabdpl]
kclabdpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqnopn]

R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys
R3 BLKWGD;Belkin Wireless G Desktop Card Service;C:\WINDOWS\system32\DRIVERS\BLKWGD.sys
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
R3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys
S3 wlanndi5;wlanndi5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\wlanndi5.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81046ebe-8612-11db-bd81-00038a000015}]
\Shell\AutoRun\command - G:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 16:02:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 10:56:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-07 11:05:50 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-06 21:44
.
--- E O F ---
-----------------------

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Wed 11/07/2007
The current time is: 11:11:22.25


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DELLSU~1\BAK

03/15/2007 10:09 AM 460,784 DSAgnt.exe
1 File(s) 460,784 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NORTON~1\BAK

12/11/2003 07:35 PM 70,800 UrlLstCk.exe
1 File(s) 70,800 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

02/20/2004 02:33 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

04/07/2003 01:07 AM 114,688 hkcmd.exe
04/07/2003 01:19 AM 155,648 igfxtray.exe
07/09/2001 02:50 PM 155,648 NeroCheck.exe
3 File(s) 425,984 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

11/10/2003 01:30 PM 70,816 ccApp.exe
1 File(s) 70,816 bytes

Directory of C:\PROGRA~1\CREATIVE\SHARED~1\BAK

03/29/2005 01:13 AM 258,048 CamTray.exe
1 File(s) 258,048 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

08/26/2003 08:47 PM 204,800 PCMService.exe
1 File(s) 204,800 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

04/17/2002 10:42 AM 69,632 hpgs2wnd.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

12/15/2005 10:18 AM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\INTUIT\QAGENT\BAK

08/30/1999 07:19 AM 98,304 QAGENT.EXE
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\MICROS~3\SYSTEM\BAK

06/18/2003 01:00 PM 200,704 mnyexpr.exe
1 File(s) 200,704 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~2\BAK

10/06/2003 11:05 AM 118,784 mm_tray.exe
10/06/2003 11:05 AM 53,248 mmtask.exe
2 File(s) 172,032 bytes

Directory of C:\PROGRA~1\SYMANTEC\LIVEUP~1\BAK

05/21/2004 01:59 PM 87,184 SNDMon.EXE
1 File(s) 87,184 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

08/06/2003 02:04 AM 114,741 tfswctrl.exe
1 File(s) 114,741 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~3.0\READER\BAK

03/30/2006 03:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes

Directory of C:\PROGRA~1\COMMON~1\DELL\EUSW\BAK

10/13/2005 10:26 PM 69,632 Support.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

09/11/2006 03:40 AM 218,032 ISUSPM.exe
1 File(s) 218,032 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

02/20/2004 02:34 PM 151,597 realsched.exe
1 File(s) 151,597 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

02/13/2003 02:01 AM 155,648 sgtray.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\SIMPLE~1\PHOTOS~1\DATA\XTRAS\BAK

12/03/2003 08:42 AM 180,224 mssysmgr.exe
1 File(s) 180,224 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

28176 Oct 2 2007 "C:\Program Files\DellSupport\DSAgnt.exe"
460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
28176 Oct 2 2007 "C:\Program Files\Norton Internet Security\UrlLstCk.exe"
70800 Dec 11 2003 "C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe"
28176 Oct 2 2007 "C:\Program Files\QuickTime\qttask.exe"
77824 Feb 20 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
114688 Apr 7 2003 "C:\DRIVERS\VIDEO\HKCMD.EXE"
114688 Apr 7 2003 "C:\WINDOWS\SYSTEM32\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\hkcmd.exe"
155648 Apr 7 2003 "C:\DRIVERS\VIDEO\IGFXTRAY.EXE"
155648 Apr 7 2003 "C:\WINDOWS\SYSTEM32\igfxtray.exe"
155648 Apr 7 2003 "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe"
155648 Apr 7 2003 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\igfxtray.exe"
155648 Jul 9 2001 "C:\WINDOWS\SYSTEM32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe"
28176 Oct 2 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
70816 Nov 10 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
28176 Oct 2 2007 "C:\Program Files\Creative\Shared Files\CamTray.exe"
258048 Mar 29 2005 "C:\Program Files\Creative\Shared Files\bak\CamTray.exe"
28176 Oct 2 2007 "C:\Program Files\Dell\Media Experience\PCMService.exe"
204800 Aug 26 2003 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
28176 Oct 2 2007 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
28176 Oct 2 2007 "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
49152 Dec 15 2005 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
28176 Oct 2 2007 "C:\Program Files\Intuit\QAgent\QAGENT.EXE"
98304 Aug 30 1999 "C:\Program Files\Intuit\QAgent\bak\QAGENT.EXE"
28176 Oct 2 2007 "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
200704 Jun 18 2003 "C:\Program Files\Microsoft Money\System\bak\mnyexpr.exe"
28176 Oct 2 2007 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
53248 Jun 3 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
53248 Oct 6 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
28176 Oct 2 2007 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
135168 Jun 3 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
118784 Oct 6 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
28176 Oct 2 2007 "C:\Program Files\Symantec\LiveUpdate\SNDMon.EXE"
87184 May 21 2004 "C:\Program Files\Symantec\LiveUpdate\bak\SNDMon.EXE"
114741 Aug 6 2003 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
114741 Aug 6 2003 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
114741 Aug 6 2003 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
28176 Oct 2 2007 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
28176 Oct 2 2007 "C:\Program Files\Common Files\Dell\EUSW\Support.exe"
77824 May 27 2004 "C:\Program Files\Dell\Support\bin\Support.exe"
69632 Oct 13 2005 "C:\Program Files\Common Files\Dell\EUSW\bak\Support.exe"
323584 May 27 2004 "C:\Documents and Settings\All Users\Application Data\Dell\Alert\491\Support.exe"
69632 Oct 13 2005 "C:\Documents and Settings\All Users\Application Data\Dell\Alert\588\Support.exe"
28176 Oct 2 2007 "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
218032 Sep 11 2006 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
28176 Oct 2 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
151597 Feb 20 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
28176 Oct 2 2007 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
155648 Feb 13 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
28176 Oct 2 2007 "C:\Program Files\Simple Star\PhotoShow Deluxe\data\Xtras\mssysmgr.exe"
180224 Dec 3 2003 "C:\Program Files\Simple Star\PhotoShow Deluxe\data\Xtras\bak\mssysmgr.exe"


end of report

-------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:48 AM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rcn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10C6BE6F-69C4-427B-B3B1-FD61FEE208ED} - (no file)
O2 - BHO: (no name) - {25499400-83B4-4040-87BE-C8BD09F6B1F7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [f8d5d763] rundll32.exe "C:\WINDOWS\system32\llydqisc.dll",b
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sslvpn.lutron.com/dana-cached/setup...perSetupSP1.cab
O20 - Winlogon Notify: kclabdpl - kclabdpl.dll (file missing)
O20 - Winlogon Notify: urqnopn - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 11336 bytes

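The FindAWF report above lists each replaced startup program next to its `bak` copy: every live file is the same 28,176-byte binary dated Oct 2 2007, while the `bak` copies keep their original sizes and dates. As an added example (not a tool from this thread or from FindAWF), this Python script pairs such report lines and flags the swapped executables; the sample report is constructed from the format above, and the `Example Vendor\tool.exe` pair is a made-up benign backup that must not be flagged.

```python
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Constructed sample in the FindAWF report format shown above
# (size, modification date, quoted path). The sgtray.exe / mssysmgr.exe
# pairs mirror the report; "Example Vendor\tool.exe" is a made-up benign
# backup whose live copy still matches its bak copy.
SAMPLE_REPORT = r"""
28176 Oct 2 2007 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
155648 Feb 13 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
28176 Oct 2 2007 "C:\Program Files\Simple Star\PhotoShow Deluxe\data\Xtras\mssysmgr.exe"
180224 Dec 3 2003 "C:\Program Files\Simple Star\PhotoShow Deluxe\data\Xtras\bak\mssysmgr.exe"
70816 Nov 10 2003 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
65536 Jan 5 2004 "C:\Program Files\Example Vendor\tool.exe"
65536 Jan 5 2004 "C:\Program Files\Example Vendor\bak\tool.exe"
"""

LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


@dataclass
class Entry:
    size: int
    date: str
    path: PureWindowsPath


@dataclass
class Pair:
    live: Entry
    bak: Entry

    @property
    def replaced(self) -> bool:
        """True when the live file no longer matches its bak copy."""
        return self.live.size != self.bak.size or self.live.date != self.bak.date


def parse_report(text: str) -> List[Entry]:
    """Parse 'size date "path"' lines; headers and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(int(m.group(1)), m.group(2), PureWindowsPath(m.group(3))))
    return entries


def pair_bak_files(entries: List[Entry]) -> List[Pair]:
    r"""Match every '<dir>\bak\<name>' entry with the live '<dir>\<name>' entry."""
    live: Dict[str, Entry] = {}
    bak: Dict[str, Entry] = {}
    for e in entries:
        if e.path.parent.name.lower() == "bak":
            original = e.path.parent.parent / e.path.name
            bak[str(original).lower()] = e
        else:
            live[str(e.path).lower()] = e
    return [Pair(live[k], bak[k]) for k in live if k in bak]


def find_swapped(entries: List[Entry]) -> List[Pair]:
    """Return pairs whose live file differs from its bak copy AND whose exact
    size is shared with another such live file. One dropper copied over many
    unrelated programs gives exactly this cluster (28,176 bytes above); a
    legitimate installer backup differs from its own bak copy alone."""
    pairs = pair_bak_files(entries)
    changed = [p for p in pairs if p.replaced]
    size_counts = Counter(p.live.size for p in changed)
    return [p for p in changed if size_counts[p.live.size] >= 2]


def report(text: str) -> List[Tuple[str, int, int]]:
    """(live path, live size, bak size) for each flagged pair, in report order."""
    return [(str(p.live.path), p.live.size, p.bak.size)
            for p in find_swapped(parse_report(text))]


if __name__ == "__main__":
    for path, live_size, bak_size in report(SAMPLE_REPORT):
        print(f"swapped: {path}  live={live_size}  bak={bak_size}")
```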
#6 amateur


    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 07 November 2007 - 04:11 PM

Hi,

Disable the Norton Script Blocking Service:

Click Start>Run, type in services.msc and hit enter.

From the list find ScriptBlocking Service and right click on it... choose properties. Stop the service and change the Startup to Disabled for now and exit the services console.

===============================

Disable Teatimer
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, for either version:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go to the bottom of the vertical panel on the left, click Tools
  • Then, also in the left panel, click Resident (it shows a red/white shield)
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
=============================

I see you have Adaware 2007. If you are running the Adwatch function of Adaware, you'll need to disable that too, or better yet uninstall/remove Adaware temporarily until the machine is clean. You can reinstall it afterwards.

=============================

Open notepad (it must be notepad, not wordpad, or it won't work) and copy/paste the text inside the code box below into it (starting from File::.....):

File::
Program Files\TTC.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10C6BE6F-69C4-427B-B3B1-FD61FEE208ED}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25499400-83B4-4040-87BE-C8BD09F6B1F7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89AD4D75-2429-462e-BD4E-443F233F6033}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f8d5d763"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kclabdpl]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqnopn]

Save this as CFScript.txt

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

=========================================

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\DellSupport\bak
C:\Program Files\Norton Internet Security\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\SYSTEM32\bak
C:\WINDOWS\SYSTEM32\bak
C:\WINDOWS\SYSTEM32\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Creative\Shared Files\bak
C:\Program Files\Dell\Media Experience\bak
C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak
C:\Program Files\Hewlett-Packard\HP Software Update\bak
C:\Program Files\Intuit\QAgent\bak\
C:\Program Files\Microsoft Money\System\bak
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak
C:\Program Files\Symantec\LiveUpdate\bak\
C:\WINDOWS\SYSTEM32\dla\bak
C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\
C:\Program Files\Common Files\Dell\EUSW\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Sonic\Update Manager\bak
C:\Program Files\Simple Star\PhotoShow Deluxe\data\Xtras\bak


Next, close and click Yes to save the changes.

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Select 4 then Enter to reset domain zones

When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

==========================================

Restart your computer

==========================================

Scan with HijackThis and post the fresh log along with the Combofix.txt and the FindAWF log.

Edited by amateur, 07 November 2007 - 04:15 PM.


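amateur's CFScript above was written by hand from the HijackThis log: the O2 BHO entries with "(no file)", the 8-hex-digit O4 Run value that loads a DLL through rundll32, and the O20 Winlogon Notify packages whose DLL is not on disk. As an added example, not part of this thread, of HijackThis or of ComboFix, this Python script applies the same triage to HijackThis lines and drafts the matching CFScript File::/Registry:: lines for a helper to review; the sample log is a constructed excerpt using values from the log above, and the "8 lowercase hex digits" name heuristic is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt in HijackThis v2 log format: the suspicious values are the
# ones from the log posted above, plus two benign lines the filter must skip.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10C6BE6F-69C4-427B-B3B1-FD61FEE208ED} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [f8d5d763] rundll32.exe "C:\WINDOWS\system32\llydqisc.dll",b
O20 - Winlogon Notify: kclabdpl - kclabdpl.dll (file missing)
O20 - Winlogon Notify: urqnopn - C:\WINDOWS\
"""

BHO_RE = re.compile(r'^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$')
RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
NOTIFY_RE = re.compile(r'^O20 - Winlogon Notify: (\S+) - (.*)$')
# Assumed heuristic: a Run value named with 8 lowercase hex digits that loads a
# DLL via rundll32, as in the log above. A helper still inspects the DLL itself.
RANDOM_NAME_RE = re.compile(r'^[0-9a-f]{8}$')
RUNDLL_RE = re.compile(r'^rundll32(\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


@dataclass
class Finding:
    line: str             # the HijackThis line that triggered it
    reason: str
    registry: List[str]   # lines for the CFScript Registry:: section
    files: List[str]      # lines for the CFScript File:: section


def triage(lines) -> List[Finding]:
    """Flag orphaned BHOs, random-named rundll32 Run values and Winlogon Notify
    packages whose DLL is missing, and draft the matching CFScript lines."""
    findings = []
    for line in lines:
        line = line.strip()
        m = BHO_RE.match(line)
        if m and m.group(3).strip() == "(no file)":
            clsid = m.group(2)
            findings.append(Finding(line, "BHO registered but DLL absent",
                [rf"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{clsid}]"], []))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            dll = RUNDLL_RE.match(cmd)
            if RANDOM_NAME_RE.match(name) and dll:
                key = rf"[{HIVES[hive]}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"
                findings.append(Finding(line, "random-named Run value loading a DLL via rundll32",
                    [key, f'"{name}"=-'], [dll.group(2)]))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            name, target = m.groups()
            # "(file missing)" or a bare directory such as C:\WINDOWS\ means no DLL
            if target.endswith("(file missing)") or target.endswith("\\"):
                key = rf"[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\{name}]"
                findings.append(Finding(line, "Winlogon Notify package with no DLL on disk",
                    [key], []))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Assemble a CFScript.txt body in the File:: / Registry:: layout used above."""
    files = [f for fd in findings for f in fd.files]
    out = []
    if files:
        out += ["File::"] + files + [""]
    out.append("Registry::")
    for fd in findings:
        out += fd.registry
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for fd in found:
        print(f"{fd.reason}: {fd.line}")
    print(build_cfscript(found))
```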
#7 j and j

  • Topic Starter

  • Members
  • 46 posts

Posted 07 November 2007 - 07:08 PM

Did the disabling and uninstalled adaware
Executed CFScript
Executed FindAWF
Restarted
Ran HJT

Logfiles are below (where the heck did whataboutadog come from?)

THANKS!

---------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:00:32 PM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rcn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sslvpn.lutron.com/dana-cached/setup...perSetupSP1.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 10428 bytes

-----------


ComboFix 07-11-07.3 - John 2007-11-07 18:37:18.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.798 [GMT -5:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-07 11:11 155,648 --a------ C:\WINDOWS\SYSTEM32\NeroCheck.exe
2007-11-06 20:38 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 11:52 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 11:34 837,664 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2007-11-06 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-06 11:30 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-11-06 11:30 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2007-11-06 10:58 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-11-04 19:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-11-04 11:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-11-04 11:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-04 11:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-11-04 11:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Juniper Networks
2007-11-04 11:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-10-31 21:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-31 18:34 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Juniper Networks
2007-10-31 17:20 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-31 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 16:20 10,436 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-06 17:18 --------- d-----w C:\Program Files\NetZero
2007-11-05 00:40 --------- d-----w C:\Program Files\Norton Internet Security
2007-11-05 00:40 --------- d-----w C:\Program Files\MSN Messenger
2007-11-05 00:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-05 00:39 --------- d-----w C:\Program Files\Digital Line Detect
2007-10-18 01:09 --------- d-----w C:\Documents and Settings\John\Application Data\U3
2007-10-03 23:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-02 21:49 --------- d-----w C:\Program Files\QuickTime
2007-10-02 21:49 --------- d-----w C:\Program Files\DellSupport
2007-09-25 20:59 --------- d-----w C:\Documents and Settings\Alex and Lauren\Application Data\Creative
2007-09-06 21:14 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-08-22 13:12 96,256 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
2007-08-22 13:12 658,944 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-22 13:12 615,424 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-22 13:12 55,808 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-22 13:12 532,480 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-22 13:12 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2007-08-22 13:12 449,024 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-22 13:12 39,424 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2007-08-22 13:12 357,888 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
2007-08-22 13:12 3,058,176 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-22 13:12 251,392 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
2007-08-22 13:12 205,312 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-22 13:12 16,384 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-22 13:12 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
2007-08-22 13:12 146,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-22 13:12 1,494,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2007-08-22 13:12 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
2007-08-22 13:12 1,022,976 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
2007-08-21 10:30 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-02 13:43 282,624 ----a-w C:\Program Files\TTC.dll
2005-12-15 16:03 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((( snapshot_2007-11-07_11.00.18.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-02 21:43:30 28,176 ----a-w C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
+ 2003-08-06 07:04:00 114,741 ----a-w C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
- 2007-10-02 21:43:30 28,176 ----a-w C:\WINDOWS\SYSTEM32\hkcmd.exe
+ 2003-04-07 06:07:38 114,688 ----a-w C:\WINDOWS\SYSTEM32\hkcmd.exe
- 2007-10-02 21:43:30 28,176 ----a-w C:\WINDOWS\SYSTEM32\igfxtray.exe
+ 2003-04-07 06:19:52 155,648 ----a-w C:\WINDOWS\SYSTEM32\igfxtray.exe
- 2007-11-07 15:54:21 4,212 ---h--w C:\WINDOWS\SYSTEM32\zllictbl.dat
+ 2007-11-07 16:22:21 4,212 ---h--w C:\WINDOWS\SYSTEM32\zllictbl.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 313,472 2006-03-30 20:45:08 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

----a-w 69,632 2005-10-14 03:26:04 C:\Program Files\Common Files\Dell\EUSW\bak\Support.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Common Files\Dell\EUSW\Support.exe

----a-w 218,032 2006-09-11 08:40:32 C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

----a-w 151,597 2004-02-20 19:34:11 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 155,648 2003-02-13 07:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

----a-w 70,816 2003-11-10 18:30:02 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 258,048 2005-03-29 06:13:31 C:\Program Files\Creative\Shared Files\bak\CamTray.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Creative\Shared Files\CamTray.exe

----a-w 204,800 2003-08-27 01:47:34 C:\Program Files\Dell\Media Experience\bak\PCMService.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Dell\Media Experience\PCMService.exe

----a-w 460,784 2007-03-15 15:09:36 C:\Program Files\DellSupport\bak\DSAgnt.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\DellSupport\DSAgnt.exe

----a-w 69,632 2002-04-17 15:42:56 C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

----a-w 49,152 2005-12-15 15:18:50 C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

----a-w 98,304 1999-08-30 12:19:14 C:\Program Files\Intuit\QAgent\bak\QAGENT.EXE
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Intuit\QAgent\QAGENT.EXE

----a-w 200,704 2003-06-18 18:00:00 C:\Program Files\Microsoft Money\System\bak\mnyexpr.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Microsoft Money\System\mnyexpr.exe

----a-w 53,248 2003-10-06 16:05:40 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

----a-w 118,784 2003-10-06 16:05:40 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

----a-w 70,800 2003-12-12 00:35:18 C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Norton Internet Security\UrlLstCk.exe

----a-w 77,824 2004-02-20 19:33:45 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\QuickTime\qttask.exe

----a-w 180,224 2003-12-03 13:42:49 C:\Program Files\Simple Star\PhotoShow Deluxe\data\Xtras\bak\mssysmgr.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Simple Star\PhotoShow Deluxe\data\Xtras\mssysmgr.exe

----a-w 87,184 2004-05-21 18:59:46 C:\Program Files\Symantec\LiveUpdate\bak\SNDMon.EXE
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Symantec\LiveUpdate\SNDMon.EXE

----a-w 114,688 2003-04-07 06:07:38 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe
----a-w 114,688 2003-04-07 06:07:38 C:\WINDOWS\SYSTEM32\hkcmd.exe

----a-w 155,648 2003-04-07 06:19:52 C:\WINDOWS\SYSTEM32\bak\igfxtray.exe
----a-w 155,648 2003-04-07 06:19:52 C:\WINDOWS\SYSTEM32\igfxtray.exe

----a-w 155,648 2001-07-09 19:50:42 C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe
----a-w 155,648 2001-07-09 19:50:42 C:\WINDOWS\SYSTEM32\NeroCheck.exe

----a-w 114,741 2003-08-06 07:04:00 C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe
----a-w 114,741 2003-08-06 07:04:00 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 01:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 01:07]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2007-10-02 16:43]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2007-10-02 16:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-02 16:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-02 16:43]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2007-10-02 16:43]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2007-10-02 16:43]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-02 16:43]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2007-10-02 16:43]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2007-10-02 16:43]
"QAGENT"="C:\Program Files\Intuit\QAgent\QAGENT.EXE" [2007-10-02 16:43]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2007-10-02 16:43]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 14:50]
"PD0630 STISvc"="P0630Pin.dll" [2005-06-05 12:01 C:\WINDOWS\SYSTEM32\P0630Pin.dll]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-10-02 16:43]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE" [2007-10-02 16:43]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe" [2007-10-02 16:43]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [2007-10-02 16:43]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2007-10-02 16:43]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-10-02 16:43]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2007-10-02 16:43]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-10-02 16:43]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe [2005-08-18 16:09:58]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-02-20 14:31:07]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-12-15 10:40:44]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2005-12-15 12:00:54]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 01:22:40]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 13:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2004-03-16 20:45:25]

R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
R3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys
S3 BLKWGD;Belkin Wireless G Desktop Card Service;C:\WINDOWS\system32\DRIVERS\BLKWGD.sys
S3 wlanndi5;wlanndi5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\wlanndi5.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81046ebe-8612-11db-bd81-00038a000015}]
\Shell\AutoRun\command - G:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-07 23:42:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 18:44:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-07 18:45:43
C:\ComboFix2.txt ... 2007-11-07 11:05
C:\ComboFix3.txt ... 2007-11-06 21:44
.
--- E O F ---


----------



Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Wed 11/07/2007
The current time is: 18:48:55.04


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\INTUIT\QAGENT\BAK

08/30/1999 07:19 AM 98,304 QAGENT.EXE
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\SYMANTEC\LIVEUP~1\BAK

05/21/2004 01:59 PM 87,184 SNDMon.EXE
1 File(s) 87,184 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~3.0\READER\BAK

03/30/2006 03:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

28176 Oct 2 2007 "C:\Program Files\Intuit\QAgent\QAGENT.EXE"
98304 Aug 30 1999 "C:\Program Files\Intuit\QAgent\bak\QAGENT.EXE"
28176 Oct 2 2007 "C:\Program Files\Symantec\LiveUpdate\SNDMon.EXE"
87184 May 21 2004 "C:\Program Files\Symantec\LiveUpdate\bak\SNDMon.EXE"
28176 Oct 2 2007 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"


end of report
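As an added example, not code from this thread or from the FindAWF or ComboFix tools, the script below parses the AWF section of the ComboFix log posted above and flags the pattern FindAWF is built to repair: every autorun executable swapped for one identical 28,176-byte file dated 2007-10-02 21:43:30, with the originals parked in `bak` folders. The sample lines are copied from that log; a pair whose size and timestamp already agree (hkcmd.exe) is reported as restored rather than replaced.

```python
"""Flag mass-replaced autorun executables in a ComboFix 'AWF' section.

Each AWF pair lists the backed-up original (under a 'bak' folder) and the
file that now sits at the original path.  Two signals together identify
the swap: the live copy differs in size and timestamp from its 'bak'
sibling, and many live copies in unrelated directories share one exact
size and timestamp (a single dropper written everywhere at once).
"""
import re
from collections import defaultdict

# One AWF line: 7-char attribute field, size with thousands separators,
# date, time, then the full path.
_LINE = re.compile(
    r"^(?P<attr>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+)$"
)

# Sample input: pairs copied from the ComboFix log posted in this thread.
AWF_SAMPLE = r"""
----a-r 313,472 2006-03-30 20:45:08 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

----a-w 69,632 2005-10-14 03:26:04 C:\Program Files\Common Files\Dell\EUSW\bak\Support.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\Common Files\Dell\EUSW\Support.exe

----a-w 77,824 2004-02-20 19:33:45 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 28,176 2007-10-02 21:43:30 C:\Program Files\QuickTime\qttask.exe

----a-w 114,688 2003-04-07 06:07:38 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe
----a-w 114,688 2003-04-07 06:07:38 C:\WINDOWS\SYSTEM32\hkcmd.exe
"""


def parse_awf(text):
    """Return (size_in_bytes, timestamp, path) for every AWF line in text."""
    entries = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            size = int(m.group("size").replace(",", ""))
            entries.append((size, m.group("stamp"), m.group("path")))
    return entries


def is_backup(path):
    """True when the path points into a 'bak' folder."""
    return "\\bak\\" in path.lower()


def classify(text):
    """Split live files into (replaced, restored) by comparing each with its 'bak' sibling."""
    entries = parse_awf(text)
    by_path = {p.lower(): (s, t, p) for s, t, p in entries}
    replaced, restored = [], []
    for size, stamp, path in entries:
        if not is_backup(path):
            continue
        # X\bak\name.exe -> X\name.exe, looked up case-insensitively.
        live_key = re.sub(r"\\bak\\", r"\\", path, flags=re.IGNORECASE).lower()
        live = by_path.get(live_key)
        if live is None:
            continue
        live_size, live_stamp, live_path = live
        if (live_size, live_stamp) == (size, stamp):
            restored.append(live_path)   # original already back in place
        else:
            replaced.append(live_path)   # live copy is not the backed-up original
    return replaced, restored


def shared_fingerprint(text):
    """Return the (size, timestamp) shared by the most live files, and those files.

    Legitimate programs from different vendors never share one byte size and
    one second-exact timestamp; a large group here is the dropper's footprint.
    """
    groups = defaultdict(list)
    for size, stamp, path in parse_awf(text):
        if not is_backup(path):
            groups[(size, stamp)].append(path)
    if not groups:
        return None, []
    key, paths = max(groups.items(), key=lambda kv: len(kv[1]))
    return key, paths


if __name__ == "__main__":
    replaced, restored = classify(AWF_SAMPLE)
    (size, stamp), paths = shared_fingerprint(AWF_SAMPLE)
    print(f"dropper fingerprint: {size} bytes, {stamp}, seen at {len(paths)} paths")
    for p in replaced:
        print("REPLACED:", p)
    for p in restored:
        print("restored:", p)
```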

#8 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:02:55 PM

Posted 07 November 2007 - 08:19 PM

Hi,

Please run Notepad and copy/paste the following text in blue into a new file. It's important that you use Notepad, not WordPad.

attrib -r -h -s C:\Program Files\TTC.dll
del C:\Program Files\TTC.dll


Save the file to the desktop as remove.bat and make sure the "Save as Type" field says "All Files".

Then please go to the desktop and double-click on remove.bat.

============================

Double-click FindAWF.exe to start the tool.
  • Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
  • A text file will open up. Please copy/paste the following bolded text into the text file: ( be sure to include the quote marks around those file paths)
"C:\Program Files\Intuit\QAgent\bak\QAGENT.EXE"
"C:\Program Files\Symantec\LiveUpdate\bak\SNDMon.EXE"
"C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"

  • Close the .txt file and click 'Yes' to save the changes.
  • When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply.


#9 j and j

j and j
  • Topic Starter

  • Members
  • 46 posts
  • Local time:01:55 PM

Posted 07 November 2007 - 08:50 PM

Ran the batch file.
Ran AWF (did I screw things up by not using quotes before?)

Here's the log. Thanks!


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Wed 11/07/2007
The current time is: 20:43:28.92


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\INTUIT\QAGENT\BAK

08/30/1999 07:19 AM 98,304 QAGENT.EXE
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\SYMANTEC\LIVEUP~1\BAK

05/21/2004 01:59 PM 87,184 SNDMon.EXE
1 File(s) 87,184 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~3.0\READER\BAK

03/30/2006 03:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

98304 Aug 30 1999 "C:\Program Files\Intuit\QAgent\QAGENT.EXE"
98304 Aug 30 1999 "C:\Program Files\Intuit\QAgent\bak\QAGENT.EXE"
87184 May 21 2004 "C:\Program Files\Symantec\LiveUpdate\SNDMon.EXE"
87184 May 21 2004 "C:\Program Files\Symantec\LiveUpdate\bak\SNDMon.EXE"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"


end of report

#10 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:02:55 PM

Posted 07 November 2007 - 09:09 PM

Hi,

Ran AWF (did I screw things up by not using quotes before?)

No, you didn't. I did. :thumbsup:

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed. (No quotation marks this time):

C:\PROGRAM FILES\MSNMESSENGER\BAK
C:\Program Files\Intuit\QAgent\bak
C:\Program Files\Symantec\LiveUpdate\bak
C:\Program Files\Adobe\Acrobat 7.0\Reader\bak


Next, close and click Yes to save the changes.

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Option 4:
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones

When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

====================================

Restart the computer

====================================

Perform an online scan using Internet Explorer with Panda ActiveScan
  • Click on Posted Image located at the bottom of the page.
  • A "pop up" window will appear. Please ensure that your pop up blocker doesn't block it
  • Enter your e-mail address, country, and state & click "Free Online Scan" The download of the 8 MB Panda's ActiveX control will take place
  • Begin the scan by selecting Posted Image
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on Posted Image then click Posted Image and post back the contents please.
====================================

Please post back:

awf text
Panda Online scan results.
a fresh HijackThis log


#11 j and j

j and j
  • Topic Starter

  • Members
  • 46 posts
  • Local time:01:55 PM

Posted 08 November 2007 - 07:41 AM

Ran AWF
Ran PandaScan (took much longer than the very first time) - no word wrap on the file, but the long lines wrap on my piddly monitor and resolution, sorry about that!
Ran HJT

Logs follow....

Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:56 AM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\acs.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Intuit\QAgent\QAGENT.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rcn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sslvpn.lutron.com/dana-cached/setup...perSetupSP1.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 10530 bytes
------------------



Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Wed 11/07/2007
The current time is: 21:27:57.54


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~3.0\READER\BAK

03/30/2006 03:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"


end of report
------------------



Incident Status Location

Dialer:dialer.su Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@247realmedia[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@adrevolver[3].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@ads.pointroll[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@atwola[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@bs.serving-sys[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@casalemedia[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@doubleclick[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@errorsafe[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@go[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@perf.overture[1].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@stat.onestat[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@statse.webtrendslive[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@target[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@trafficmp[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@www.burstbeacon[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@www.errorsafe[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Alex and Lauren\Cookies\alex and lauren@zedo[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\John\Cookies\john@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\John\Cookies\john@ad.yieldmanager[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\John\Cookies\john@ads.addynamix[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\John\Cookies\john@ads.addynamix[3].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\John\Cookies\john@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\John\Cookies\john@atdmt[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\John\Cookies\john@atdmt[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\John\Cookies\john@atdmt[3].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\John\Cookies\john@azjmp[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\John\Cookies\john@azjmp[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\John\Cookies\john@bs.serving-sys[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\John\Cookies\john@casalemedia[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\John\Cookies\john@casalemedia[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\John\Cookies\john@com[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\John\Cookies\john@did-it[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\John\Cookies\john@doubleclick[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\John\Cookies\john@enhance[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\John\Cookies\john@fastclick[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\John\Cookies\john@fastclick[3].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\John\Cookies\john@goclick[1].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\John\Cookies\john@goclick[2].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\John\Cookies\john@goclick[4].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\John\Cookies\john@go[2].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\John\Cookies\john@linksynergy[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\John\Cookies\john@maxserving[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\John\Cookies\john@mediaplex[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\John\Cookies\john@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\John\Cookies\john@perf.overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\John\Cookies\john@perf.overture[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\John\Cookies\john@realmedia[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\John\Cookies\john@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\John\Cookies\john@serving-sys[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\John\Cookies\john@target[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\John\Cookies\john@toplist[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\John\Cookies\john@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\John\Cookies\john@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\John\Cookies\john@www.burstbeacon[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\John\Cookies\john@zedo[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\John\Cookies\john@zedo[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\John\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\John\Desktop\ComboFix.exe[nircmd.cfexe]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\John\Desktop\[4]-Submit_2007-11-07@10.43.zip[kclabdpl.dll]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\John\Desktop\[4]-Submit_2007-11-07@10.43.zip[qinsuhyf.dll]
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20071107-103525-294.dll
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20071107-103525-754-PowerReg Scheduler V3.exe
Adware:Adware/TTC Not disinfected C:\Program Files\TTC.dll
Virus:Trj/Downloader.MDW Disinfected C:\qoobox\Quarantine\C\WINDOWS\b122.exe.vir
Adware:Adware/Yazzle Not disinfected C:\qoobox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir
Adware:Adware/Yazzle Not disinfected C:\qoobox\Quarantine\C\WINDOWS\mrofinu572.exe.vir
Adware:Adware/CommAd Not disinfected C:\qoobox\Quarantine\C\WINDOWS\Sm9obg\mA6Cv0.vbs.vir
Adware:Adware/TTC Not disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\e2\caws83122.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\kclabdpl.dll.vir
Virus:Trj/Downloader.OZB Disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\tijsumlo.exe.vir
Adware:Adware/Yazzle Not disinfected C:\WINDOWS\mrofinu572.exe.tmp
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Virus:Generic Malware Disinfected C:\WINDOWS\SYSTEM32\Macromed\Shockwave 8\Xtras\download\TheGrooveAlliance\3DGrooveXtrav181\Groove.x32
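
A scan log like the one above mixes live files with copies that are already neutralised (ComboFix's qoobox quarantine, HijackThis backups, the submission zip, tracking cookies). What a responder actually needs from it is the short list of paths that are still on disk and untouched. The following is an added example, not code from this thread or from any of the tools mentioned in it; the sample lines are a constructed subset modelled on the posted log format (Category:Name  Status  Path), and the classification rules (quarantine folders, backup folders, container suffixes, the "tool" bucket for bundled utilities such as NirCmd) are this example's own heuristics, not the scanner's.

```python
"""Triage a scanner log: which detections still point at a live, untouched file?

Added example, not part of the original thread. SAMPLE_LOG is a constructed
subset modelled on the posted format; the bucket rules are assumptions.
"""
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the posted log (not the full log).
SAMPLE_LOG = r"""
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\John\Cookies\john@zedo[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\John\Desktop\ComboFix.exe[nircmd.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\John\Desktop\[4]-Submit_2007-11-07@10.43.zip[kclabdpl.dll]
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20071107-103525-294.dll
Adware:Adware/TTC Not disinfected C:\Program Files\TTC.dll
Virus:Trj/Downloader.MDW Disinfected C:\qoobox\Quarantine\C\WINDOWS\b122.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\kclabdpl.dll.vir
Adware:Adware/Yazzle Not disinfected C:\WINDOWS\mrofinu572.exe.tmp
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Virus:Generic Malware Disinfected C:\WINDOWS\SYSTEM32\Macromed\Shockwave 8\Xtras\download\TheGrooveAlliance\3DGrooveXtrav181\Groove.x32
"""

# Category may contain spaces ("Potentially unwanted tool"); the name is taken
# non-greedily up to the status word; the path starts at a drive letter.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?)\s+"
    r"(?P<status>Not disinfected|Disinfected)\s+"
    r"(?P<path>[A-Za-z]:\\.+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into category/name/status/path, or None if it is not a detection line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path: str, category: str) -> str:
    """Bucket a detection by where the file sits (heuristic rules, an assumption of this example)."""
    p = path.lower()
    if "\\cookies\\" in p:
        return "cookie"                      # tracking cookie, not executable code
    if "\\qoobox\\quarantine\\" in p or p.endswith(".vir"):
        return "quarantined"                 # already moved aside by ComboFix
    if "\\hijackthis\\backups\\" in p:
        return "backup"                      # HijackThis keeps a copy of what it fixed
    if re.search(r"\[[^\]\\]+\]$", p):      # archive.zip[inner.dll] / tool.exe[inner.exe]
        return "contained"                   # inside a container, not loadable as-is
    if category.lower().startswith("potentially unwanted tool"):
        return "tool"                        # utility flagged as PUP; review, do not blindly delete
    return "live"


def triage(log_text: str) -> Dict[str, List[Dict[str, str]]]:
    """Group every parsable detection line by bucket."""
    buckets: Dict[str, List[Dict[str, str]]] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec["class"] = classify(rec["path"], rec["category"])
        buckets.setdefault(rec["class"], []).append(rec)
    return buckets


def live_items(log_text: str) -> List[str]:
    """Paths that are live on disk and were NOT disinfected: the actual to-do list."""
    return [r["path"] for r in triage(log_text).get("live", [])
            if r["status"] == "Not disinfected"]


if __name__ == "__main__":
    for cls, recs in triage(SAMPLE_LOG).items():
        print(f"{cls:>11}: {len(recs)}")
    for p in live_items(SAMPLE_LOG):
        print("ACTION:", p)
```

Run against the constructed sample, the only two actionable paths that come out are C:\Program Files\TTC.dll and C:\WINDOWS\mrofinu572.exe.tmp, which is the same pair the responder singles out for "Delete a File On Reboot" in the next post; the Virtumonde DLL copies all land in the quarantined, backup or contained buckets, and the NirCmd hits land in "tool" because NirCmd ships inside ComboFix.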

#12 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:02:55 PM

Posted 08 November 2007 - 12:05 PM

Hi,

You can go ahead and delete Submit_2007-11-07@10.43.zip from your desktop

================================

Download: ResetProtocolDefaults.reg
http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg

==================================

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Look in here for more information.

==================================

Now, run HijackThis. Close all windows and browsers except HijackThis.
Click on Open Misc Tools
Click on Delete a File On Reboot
Click once on the file below to select it:

C:\Program Files\TTC.dll

do the same for this one if listed

C:\WINDOWS\mrofinu572.exe.tmp

Click on the Back button to exit Process Manager

Now, back at the main screen of HijackThis, click on Scan and put a check in front of the following

O15 - Trusted Zone: *.whataboutadog.com

Close all other windows/browsers/applications, except HijackThis and click on Fix checked.

=================================

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\Adobe\Acrobat 7.0\Reader\bak
C:\PROGRAM FILES\ADOBE\ACROBAT 3.0\READER\BAK


Next, close and click Yes to save the changes.

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

=================================

Locate "ResetProtocolDefaults.reg"
Right-click and select: Merge (Ok the prompt)

=================================

Reboot in Normal Mode

=================================

Please download CCleaner and save it to your desktop.
Tutorial for CCleaner

Set Options in CCleaner and run Cleaning Scan. Open the CCleaner program.

( Do not use the Registry block to clean anything with this program. It is for experts only and it is risky).
  • Select Cleaner block and Windows tab

    Check all items under Internet Explorer, except Auto Complete Form History; everything under Windows Explorer; and everything under System except Memory Dump and Windows Log Files. In the Advanced section, have a check only on Old PreFetch Data.
  • Click on the Options block on the left. Select Advanced.
    Uncheck "Only delete files in Windows Temp folders older than 48 hours".
  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
    Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
  • Reset Temp File Removal for Regular Use.
    Click on the Options block on the left. Select the Advanced button. Check "Only delete files in Windows Temp folders older than 48 hours".
Please run CCleaner with the above settings for each user account.

=================================

Please post the AWF text and a fresh HijackThis log.

P.S. Is Netzero your ISP?
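
The O15 line that the post above has the user fix ("O15 - Trusted Zone: *.whataboutadog.com") comes from Internet Explorer's ZoneMap: a subkey under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ whose DWORD values map a scheme ("*" for all schemes, or "http"/"https") to a zone number (1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites). Putting an adware domain into the Trusted zone (2) relaxes IE's security settings for it, which is why the entry matters. Before fixing such entries it is worth exporting the key with regedit, and the following added example (not code from the thread or from HijackThis) shows how to read that export and list every site pattern with its zone so the suspicious ones can be picked out. The .reg text is constructed for this example; the way each entry is rendered as "*.host" or "scheme://host" is modelled on HijackThis's O15 output and is an assumption, as is the choice to treat every Trusted-zone (2) entry as worth review.

```python
"""List ZoneMap\Domains entries from a .reg export and flag Trusted-zone sites.

Added example, not from the original thread. SAMPLE_REG is constructed; the
rendering of patterns mimics HijackThis O15 lines and is an assumption.
"""
import re
from typing import Dict, List, Tuple

ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed .reg export (regedit "Export" format), not taken from the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\whataboutadog.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\update]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net]
"*"=dword:00000004
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
# Only the per-user/per-machine Domains key; EscDomains (Enhanced Security
# Configuration) is deliberately not matched here.
DOMAINS_MARK = "\\internet settings\\zonemap\\domains\\"


def parse_reg(text: str) -> Dict[str, Dict[str, int]]:
    """Return {key_path: {value_name: dword}} for the DWORD values in a .reg export."""
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, {})
            continue
        vm = DWORD_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name")] = int(vm.group("hex"), 16)
    return keys


def zone_entries(text: str) -> List[Tuple[str, str, int]]:
    """(hive, site_pattern, zone) for every ZoneMap\\Domains entry in the export.

    Key layout: Domains\<domain> holds the whole domain, Domains\<domain>\<host>
    holds one host; each value name is a scheme ("*" = any) and its data the zone.
    """
    out: List[Tuple[str, str, int]] = []
    for key, values in parse_reg(text).items():
        idx = key.lower().find(DOMAINS_MARK)
        if idx < 0:
            continue
        hive = key.split("\\", 1)[0]
        parts = key[idx + len(DOMAINS_MARK):].split("\\")
        domain, prefix = parts[0], parts[1:]
        host = ".".join(prefix + [domain]) if prefix else domain
        for scheme, zone in values.items():
            pattern = f"*.{host}" if scheme == "*" else f"{scheme}://{host}"
            out.append((hive, pattern, zone))
    return out


def trusted_entries(text: str) -> List[Tuple[str, str, int]]:
    """Everything in the Trusted sites zone (2): the entries a responder should review."""
    return [e for e in zone_entries(text) if e[2] == 2]


if __name__ == "__main__":
    for hive, pattern, zone in zone_entries(SAMPLE_REG):
        print(f"{hive}: {pattern:35} -> {zone} ({ZONE_NAMES.get(zone, 'unknown')})")
    print("review:", [p for _, p, _ in trusted_entries(SAMPLE_REG)])
```

On the constructed export this lists *.whataboutadog.com and http://update.microsoft.com as Trusted-zone entries and *.example.net as Restricted, which is the judgement call the responder is making when she asks for only the whataboutadog.com line to be fixed: a Trusted-zone entry is not malicious by itself, but one for an unknown domain that the user never added is. Fixing the O15 line in HijackThis deletes the corresponding Domains\whataboutadog.com subkey; doing it by hand on XP is `reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\whataboutadog.com" /f`, and the HKLM hive should be checked the same way, since HijackThis reports both.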

#13 j and j

j and j
  • Topic Starter

  • Members
  • 46 posts
  • Local time:01:55 PM

Posted 08 November 2007 - 08:29 PM

It never dawned on me that I would be cleaning up two accounts!! After doing ccleaner on the other user account, I also did a HJT and got a file with very different entries. Including some things already cleaned from my (admin) account. The other account is a non-admin user. I'm doing this interim post, because after wrapping up the ccleaner, something has happened on the problem pc (I'm on another) that I cannot Restart or Turn Off. I was wanting to do a reboot because my network connection was not working after multiple repairs. After a few prompts to end programs (one being CRTController), it's now hung with no toolbar, but only wallpaper.

I'm hesitant to cycle power until I hear back from you.

Thanks.

PS A long time ago I used Netzero ( I noticed the ie settings and figured I'd clean them later). I now have a cable modem. The problem PC is wireless.

#14 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:02:55 PM

Posted 08 November 2007 - 08:44 PM

Can you get a HijackThis log from the other account and post it here?

#15 j and j

j and j
  • Topic Starter

  • Members
  • 46 posts
  • Local time:01:55 PM

Posted 08 November 2007 - 08:47 PM

ok, while I was cleaning up in another room, it got through the hang and is now starting up. Stand by for the files.....



