
Trojans Vundo, Virtumundo, Generaldownloader.k, Pwcrack Passview And Others


  • This topic is locked
18 replies to this topic

#1 AriesNine


  • Members
  • 12 posts

Posted 18 November 2007 - 11:23 AM

Hi,
I have been having problems with several trojans and backdoors. These include Vundo, Winfixer, Tfactory, Zeno, Virtumundo, Pwcrack Passview and I'm sure some others.

I have used TrendMicro Housecall, McAfee Security, Adaware Personal SE, Spybot S and D, Vundofix, FixVundo, Norton Security Scan, Stinger for McAfee.

Different files come up in each scan and are claimed to be removed. With Spybot I keep getting the same Virtumundo files that come up but are not removed. McAfee keeps alerting me and also claims to be removing files but these files keep showing up. I have run regedit to verify bad keys but have not deleted them because I am not comfortable with that.

I have used HijackThis and ComboFix. Here are the logs from those scans.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:53 AM, on 11/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [bc79ea8d] rundll32.exe "C:\WINDOWS\system32\vaahoheu.dll",b
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Documents and Settings\Admin\Desktop\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: bw+0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: offline-8876480 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: McAfee Application Installer Cleanup (0165211194615764) (0165211194615764mcinstcleanup) - Unknown owner - C:\DOCUME~1\Admin\LOCALS~1\Temp\016521~1.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 22199 bytes


And my ComboFix log:


ComboFix 07-11-08.3 - Admin 2007-11-18 9:33:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.331 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\pstwa.ini
C:\WINDOWS\system32\pstwa.ini2

.
((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.

2007-11-18 09:48 36,864 --a------ C:\svchost.exe
2007-11-18 09:44 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-11-18 09:44 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-11-18 08:50 36,352 --a------ C:\WINDOWS\system32\tuvtrop.dll
2007-11-18 08:20 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-18 07:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-17 14:17 <DIR> d-------- C:\GameRival
2007-11-17 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-17 09:58 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\SiteAdvisor
2007-11-17 09:26 36,352 --a------ C:\WINDOWS\system32\yayaxxv.dll
2007-11-15 16:19 85,056 --a------ C:\WINDOWS\system32\vaahoheu.dll
2007-11-15 14:42 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Twilight Games
2007-11-15 12:36 36,352 --a------ C:\WINDOWS\system32\qomjkjj.dll
2007-11-15 12:02 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Uniblue
2007-11-15 07:14 <DIR> d-------- C:\Program Files\Ballhalla
2007-11-15 07:14 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Land Of Runes
2007-11-15 07:12 <DIR> d-------- C:\Program Files\Gallop for Gold
2007-11-15 07:11 <DIR> d-------- C:\Program Files\Land of Runes
2007-11-15 07:10 <DIR> d-------- C:\Program Files\Mythic Pearls - The Legend of Tirnanog
2007-11-15 06:58 <DIR> d-------- C:\Program Files\Lucky Clover
2007-11-14 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2007-11-14 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2007-11-14 20:43 <DIR> d-------- C:\Program Files\Common Files\logishrd
2007-11-14 08:13 <DIR> d-------- C:\VundoFix Backups
2007-11-14 07:44 85,056 --a------ C:\WINDOWS\system32\eynaponj.dll
2007-11-14 07:19 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\McAfee
2007-11-14 06:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-14 06:11 37,376 --a------ C:\WINDOWS\system32\mljjklj.dll
2007-11-14 04:21 215,552 --------- C:\WINDOWS\system32\dllcache\osk.exe
2007-11-14 04:21 72,704 --------- C:\WINDOWS\system32\dllcache\magnify.exe
2007-11-14 04:21 53,760 --------- C:\WINDOWS\system32\dllcache\narrator.exe
2007-11-14 04:21 50,176 --------- C:\WINDOWS\system32\dllcache\utilman.exe
2007-11-14 04:21 35,840 --------- C:\WINDOWS\system32\dllcache\umandlg.dll
2007-11-13 09:20 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-11-13 09:16 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-11-13 09:08 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-11-13 07:55 <DIR> d-------- C:\Program Files\CONEXANT
2007-11-12 20:42 <DIR> d-------- C:\Documents and Settings\Admin\.housecall6.6
2007-11-12 17:28 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-12 16:57 <DIR> d-------- C:\WINDOWS\B3673A4EBAA249608563002F00B68E53.TMP
2007-11-12 16:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-12 15:58 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-11-10 18:03 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-10 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fugazo
2007-11-10 07:23 <DIR> d-------- C:\Program Files\Diner Dash Hometown Hero
2007-11-05 06:14 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Eyeblaster
2007-11-02 06:19 <DIR> d-------- C:\Program Files\Val`Gor
2007-11-02 06:17 <DIR> d-------- C:\Program Files\Heroes of Hellas
2007-10-30 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NeptunesAdve
2007-10-27 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SugarGames
2007-10-26 09:31 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Abra Academy2
2007-10-25 07:23 <DIR> d-------- C:\Program Files\Mysteryville 2
2007-10-25 07:19 <DIR> d-------- C:\Program Files\Peggle Deluxe
2007-10-24 22:14 <DIR> d-------- C:\Program Files\Mortimer Beckett And The Secrets Of Spooky Manor
2007-10-24 06:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eGames
2007-10-24 06:42 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\eGames
2007-10-21 18:51 323,624 --a------ C:\WINDOWS\system32\wiaaut.dll
2007-10-20 07:13 <DIR> d-------- C:\Program Files\Burger Shop
2007-10-19 13:16 2,109,976 --a------ C:\WINDOWS\system32\drivers\Lvckap.sys
2007-10-19 07:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FireGlow
2007-10-19 06:08 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Super-Cow

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-18 15:52 260 ----a-w C:\1654.bat
2007-11-18 15:52 172,032 ----a-w C:\d.exe
2007-11-18 15:51 9,808 ----a-w C:\b.exe
2007-11-18 15:51 12,288 ----a-w C:\a.exe
2007-11-18 15:51 --------- d-----w C:\Documents and Settings\Admin\Application Data\LimeWire
2007-11-18 14:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-17 15:27 278,538 ----a-w C:\WINDOWS\Fonts\Setup.exe
2007-11-17 14:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-17 14:40 --------- d-----w C:\Documents and Settings\Admin\Application Data\iWin
2007-11-16 20:19 --------- d-----w C:\Program Files\iWin.com
2007-11-15 02:51 --------- d-----w C:\Program Files\Logitech
2007-11-15 01:05 --------- d-----w C:\Program Files\Games
2007-11-14 13:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-14 11:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-13 15:36 --------- d-----w C:\Program Files\MSBuild
2007-11-12 23:20 --------- d-----w C:\Program Files\McAfee
2007-11-10 23:58 278,537 --sh--w C:\WINDOWS\Fonts\svchost.exe
2007-11-06 20:15 --------- d-----w C:\Program Files\iTunes
2007-11-06 20:15 --------- d-----w C:\Program Files\iPod
2007-11-06 20:09 --------- d-----w C:\Program Files\QuickTime
2007-11-02 12:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-10-28 18:59 --------- d-----w C:\Documents and Settings\Admin\Application Data\funkitron
2007-10-15 15:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-10-15 15:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\PlayFirst
2007-10-15 14:41 --------- d-----w C:\Documents and Settings\Admin\Application Data\ViquaSoft
2007-10-12 08:00 41,752 ----a-w C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-10-12 07:56 13,848 ----a-w C:\WINDOWS\system32\drivers\lv302af.sys
2007-10-12 07:56 1,279,000 ----a-w C:\WINDOWS\system32\drivers\LV302V32.SYS
2007-10-12 00:59 25,624 ----a-w C:\WINDOWS\system32\drivers\LVPr2Mon.sys
2007-10-12 00:59 2,142,488 ----a-w C:\WINDOWS\system32\drivers\LVMVdrv.sys
2007-10-12 00:15 85,302 ----a-w C:\WINDOWS\system32\drivers\LVFeL002.cfg
2007-10-12 00:15 69,592 ----a-w C:\WINDOWS\system32\drivers\LVFaL000.cfg
2007-10-12 00:15 227,172 ----a-w C:\WINDOWS\system32\drivers\LVFeL000.cfg
2007-10-12 00:15 146,680 ----a-w C:\WINDOWS\system32\drivers\LVFeL001.cfg
2007-10-11 06:01 --------- d-----w C:\Documents and Settings\Admin\Application Data\Legends of pirates
2007-10-10 17:18 --------- d-----w C:\Program Files\Java
2007-10-09 14:00 --------- d-----w C:\Program Files\Cyberlink
2007-10-09 13:53 --------- d-----w C:\Program Files\VLC Video player
2007-10-09 13:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\dvdcss
2007-10-09 13:33 --------- d-----w C:\Program Files\InterActual
2007-10-04 14:50 --------- d-----w C:\Documents and Settings\Admin\Application Data\ForgottenRiddles
2007-09-30 22:39 --------- d-----w C:\Documents and Settings\Admin\Application Data\Apple Computer
2007-09-30 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2007-09-26 21:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-09-26 19:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGames
2007-09-26 18:06 --------- d-----w C:\Program Files\Mystery of Shark Island
2007-09-25 18:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Legacy Interactive
2007-09-25 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\7Wonders2
2007-09-25 02:54 --------- d-----w C:\Documents and Settings\Admin\Application Data\BitTorrent
2007-09-25 00:49 --------- d-----w C:\Documents and Settings\Admin\Application Data\DivX
2007-09-24 23:48 873,608 ----a-w C:\Program Files\BitTorrent-6.0.exe
2007-09-24 23:42 59,575 ----a-w C:\Program Files\Zeitgeist.DVDRip.XviD.torrent
2007-09-24 21:14 --------- d-----w C:\Program Files\DivX
2007-09-22 21:19 --------- d-----w C:\Program Files\Microsoft Money
2007-09-21 04:07 --------- d-----w C:\Program Files\Apple Software Update
2007-09-20 04:46 --------- d-----w C:\Documents and Settings\Admin\Application Data\Jane s Hotel
2007-08-06 20:37 8,717,752 ----a-w C:\Program Files\pal_install_qt_a105_r42004_p115.exe
2007-07-24 02:04 308,888 -c--a-w C:\Program Files\Install_AIM.exe
2007-07-15 23:07 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2007-07-15 23:05 482,512 -c--a-w C:\Program Files\realarcade_ambient_stub.exe
2007-07-11 06:23 15,732,984 -c--a-w C:\Program Files\GoogleEarthWin.exe
2007-06-23 17:13 177,152 -c--a-w C:\Program Files\utorrent.exe
2007-05-17 05:00 3,676,952 -c--a-w C:\Program Files\DivXWebPlayerInstaller.exe
2007-05-03 20:06 728,624 -c--a-w C:\Program Files\aolsetup.exe
2007-05-03 20:06 4,424 -c--a-w C:\Program Files\aolsetup.bin
2007-05-03 20:06 1,544 -c--a-w C:\Program Files\main.ini
.

((((((((((((((((((((((((((((( snapshot@2007-11-18_ 8.51.24.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-18 11:26:40 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-18 15:41:31 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-18 11:26:40 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-18 15:41:31 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-18 11:26:40 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-18 15:41:31 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-18 15:51:56 36,352 ----a-w C:\WINDOWS\system32\ddcdaxv.dll
+ 2007-11-18 15:50:51 320,608 ----a-w C:\WINDOWS\system32\jkklk.dll
- 2007-11-18 14:50:26 16,384 --sha-w C:\WINDOWS\Temp\Cookies\index.dat
+ 2007-11-18 15:52:17 16,384 --sha-w C:\WINDOWS\Temp\Cookies\index.dat
- 2007-11-18 14:50:26 16,384 --sha-w C:\WINDOWS\Temp\History\History.IE5\index.dat
+ 2007-11-18 15:52:17 16,384 --sha-w C:\WINDOWS\Temp\History\History.IE5\index.dat
+ 2007-11-18 15:53:21 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1060.dat
- 2007-11-18 14:50:26 32,768 --sha-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-18 15:52:17 32,768 --sha-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16BD21BF-8857-48D5-BC03-02146BB711D4}]
2007-11-18 09:50 320608 --a------ C:\WINDOWS\system32\jkklk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}]
2007-01-31 03:58 78848 --a------ C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
2007-11-15 12:36 36352 --a------ C:\WINDOWS\system32\qomjkjj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-02 22:12 C:\WINDOWS\SOUNDMAN.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 09:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 09:44]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 13:46 C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"EPSON Stylus CX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [2005-02-07 21:00]
"LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 09:00]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [2007-11-10 17:58]
"bc79ea8d"="C:\WINDOWS\system32\vaahoheu.dll" [2007-11-15 16:19]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-12-07 21:28]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:00]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-04-30 12:44]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 16:34]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:21]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 16:43]
"Uniblue RegistryBooster 2"="C:\Documents and Settings\Admin\Desktop\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide_3"=rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-04-30 12:44:13]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-04-30 12:42:09]
PalStart.lnk - C:\Program Files\Paltalk Messenger\palstart.exe [2007-05-25 11:55:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"NoResolveSearch"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoSMHelp"=1 (0x1)
"ForceStartMenuLogoff"=0 (0x0)
"NoStartMenuPinnedList"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoUserNameInStartMenu"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"NoResolveSearch"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoSMHelp"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"ForceStartMenuLogoff"=0 (0x0)
"NoStartMenuPinnedList"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoUserNameInStartMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\qomjkjj.dll [2007-11-15 12:36 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomjkjj]
qomjkjj.dll 2007-11-15 12:36 36352 C:\WINDOWS\system32\qomjkjj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\Windowblinds\wbsrv.dll 2005-12-06 22:16 176128 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkklk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

S2 0165211194615764mcinstcleanup;McAfee Application Installer Cleanup (0165211194615764);C:\DOCUME~1\Admin\LOCALS~1\Temp\016521~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
S3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Windows Sidebar]
C:\WINDOWS\system32\hidec /W C:\VAIO\Tools\REGTLIB.EXE "C:\Program Files\Windows Sidebar\sidebar.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"C:\Program Files\Windows Sidebar\.\regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"C:\Program Files\Windows Sidebar\.\regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BADA65A0-86B7-462B-B720-CE66655C73F5}]
regsvr32 /s C:\VAIO\.\vshellext.dll
.
Contents of the 'Scheduled Tasks' folder
"2007-11-13 19:49:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-15 08:18:58 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-11-01 06:01:03 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-11-16 21:52:07 C:\WINDOWS\Tasks\Norton Security Scan.job"
"2007-11-18 03:35:27 C:\WINDOWS\Tasks\User_Feed_Synchronization-{9BCAFF5A-2C0A-4711-BCDD-7C1115F94A22}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 09:46:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\klkkj.ini 317 bytes
C:\WINDOWS\system32\klkkj.ini2 317 bytes
C:\WINDOWS\system32\jkklk.dll 320608 bytes executable
C:\WINDOWS\system32\ddcdaxv.dll 36352 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************
.
Completion time: 2007-11-18 9:55:58 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-18 08:54
.
--- E O F ---

Any assistance is very much appreciated. I have been dealing with this for some time now.

Thank you!
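A small triage script, added here as an example (it is not part of the thread, nor code from HijackThis or ComboFix), that codifies three checks a malware-removal helper makes by eye on logs like the ones above: a core Windows binary name launched from outside the system directory, an unnamed BHO whose DLL sits in system32, and an extra LSA "Authentication Packages" entry beyond the stock msv1_0. The rule names and the list of core binaries are my own choices; the sample lines are copied from the posted logs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories where a genuine copy of a core Windows binary lives on XP
# (lower-cased for comparison). The same file name anywhere else is suspect.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
CORE_BINARIES = {"svchost.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "csrss.exe", "smss.exe"}
# The only LSA authentication package a stock Windows XP registers.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# Line shapes taken from the logs above: HijackThis O4 (Run/RunOnce keys),
# HijackThis O2 (browser helper objects) and the ComboFix LSA entry.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
LSA_RE = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.*)$')


@dataclass(frozen=True)
class Finding:
    check: str   # which rule fired (rule names are my own labels)
    detail: str  # the path or value that triggered it


def executable_path(cmd: str) -> str:
    """Program path from a Run-key command line: a quoted path ends at its
    closing quote; an unquoted one is cut at the first ' /' or ' -' switch,
    because these paths contain spaces (e.g. Program Files)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return re.split(r" (?=[/-])", cmd, maxsplit=1)[0]


def split_path(path: str) -> Tuple[str, str]:
    """(directory, filename), lower-cased; directory is '' when absent."""
    path = path.strip().lower()
    head, sep, tail = path.rpartition("\\")
    return (head if sep else ""), tail


def check_run_entry(line: str) -> Optional[Finding]:
    """Rule 1: a core system binary's name launched from outside system32."""
    m = O4_RE.match(line)
    if not m:
        return None
    exe = executable_path(m["cmd"])
    directory, name = split_path(exe)
    if name in CORE_BINARIES and directory not in SYSTEM_DIRS:
        return Finding("core-binary-outside-system-dir", exe)
    return None


def check_bho_entry(line: str) -> Optional[Finding]:
    """Rule 2: an unnamed BHO whose DLL sits directly in system32."""
    m = O2_RE.match(line)
    if not m or m["name"].strip().lower() != "(no name)":
        return None
    path = m["path"].replace("(file missing)", "").strip()
    directory, _ = split_path(path)
    if directory in SYSTEM_DIRS:
        return Finding("unnamed-bho-in-system32", path)
    return None


def check_lsa_packages(line: str) -> List[Finding]:
    """Rule 3: anything besides msv1_0 registered as an LSA auth package."""
    m = LSA_RE.match(line)
    if not m:
        return []
    return [Finding("extra-lsa-authentication-package", pkg)
            for pkg in m["pkgs"].split()
            if pkg.lower() not in DEFAULT_AUTH_PACKAGES]


def triage(log_text: str) -> List[Finding]:
    """Run all three rules over every line and collect what fires."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for single in (check_run_entry(line), check_bho_entry(line)):
            if single is not None:
                findings.append(single)
        findings.extend(check_lsa_packages(line))
    return findings


# Constructed sample: lines copied from the logs posted above, mixing
# benign entries with the ones a helper would flag.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE} - C:\WINDOWS\system32\vtustuv.dll
O2 - BHO: (no name) - {8544C14D-01A4-42BB-A7D7-BE8F216BD07F} - C:\WINDOWS\system32\jkklk.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkklk.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.check:36} {f.detail}")
```

Run against the sample it reports the two unnamed system32 BHOs, the svchost.exe copy in the Fonts folder and the jkklk.dll authentication package, and stays silent on the McAfee, Adobe and ctfmon entries.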

#2 SifuMike

SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 November 2007 - 02:08 AM

Hello AriesNine,


You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Since you have used Combofix before, please delete the version you have and redownload it, because Combofix is being updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files, which may cause unpredictable results.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop.

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh HijackThis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
Do NOT run ComboFix more than once.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 AriesNine

AriesNine
  • Topic Starter
  • Members
  • 12 posts

Posted 27 November 2007 - 10:23 AM

Greetings SifuMike,

Thank you for your assistance.
Thank you also for the heads-up about Combofix. This is my first trojan, so I'm a little on the green side. I will remember not to run it unless instructed. I did not see anything in the log that was labeled 'quarantine'.

Here are my logs....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:25 AM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Paltalk Messenger\palstart.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee\MSC\mcshell.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE} - C:\WINDOWS\system32\vtustuv.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8544C14D-01A4-42BB-A7D7-BE8F216BD07F} - C:\WINDOWS\system32\jkklk.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [WinPatrol] C:\Documents and Settings\Admin\Desktop\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: bw+0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: offline-8876480 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: vtustuv - C:\WINDOWS\SYSTEM32\vtustuv.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 22194 bytes


ComboFix 07-11-19.4 - Admin 2007-11-27 8:59:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.298 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\WINDOWS\cookies.ini

.
((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-27 00:21 36,864 --a------ C:\WINDOWS\system32\jkkjhfe.dll
2007-11-26 19:51 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2007-11-26 19:49 7,106,392 --a------ C:\Program Files\ITP32Eng.exe
2007-11-26 15:59 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-11-26 15:42 36,864 --a------ C:\WINDOWS\system32\vtustuv.dll
2007-11-26 15:23 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-11-26 15:23 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2007-11-26 15:23 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-11-26 15:23 14,848 --a------ C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-11-24 08:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BigFish
2007-11-24 07:57 <DIR> d-------- C:\Program Files\Amazing Adventures - The Lost Tomb
2007-11-20 10:24 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-20 10:12 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\HouseCall 6.6
2007-11-20 10:11 702,489 ---hs---- C:\WINDOWS\system32\ebaymcrh.ini
2007-11-20 10:11 85,056 --a------ C:\WINDOWS\system32\hrcmyabe.dll
2007-11-20 07:16 37,376 --a------ C:\WINDOWS\system32\tuvuspq.dll
2007-11-19 11:15 1,771,241 ---hs---- C:\WINDOWS\system32\wqpjmhgd.ini
2007-11-19 11:15 85,056 --a------ C:\WINDOWS\system32\dghmjpqw.dll
2007-11-18 19:51 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\WinPatrol
2007-11-18 09:51 481,452 --ahs---- C:\WINDOWS\system32\klkkj.ini2
2007-11-18 09:50 481,452 --ahs---- C:\WINDOWS\system32\klkkj.ini
2007-11-18 09:44 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-11-18 09:44 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-11-18 07:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-17 14:17 <DIR> d-------- C:\GameRival
2007-11-17 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-17 09:58 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\SiteAdvisor
2007-11-15 16:19 1,844,897 ---hs---- C:\WINDOWS\system32\uehohaav.ini
2007-11-15 14:42 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Twilight Games
2007-11-15 12:02 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Uniblue
2007-11-15 07:14 <DIR> d-------- C:\Program Files\Ballhalla
2007-11-15 07:14 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Land Of Runes
2007-11-15 07:12 <DIR> d-------- C:\Program Files\Gallop for Gold
2007-11-15 07:11 <DIR> d-------- C:\Program Files\Land of Runes
2007-11-15 07:10 <DIR> d-------- C:\Program Files\Mythic Pearls - The Legend of Tirnanog
2007-11-15 06:58 <DIR> d-------- C:\Program Files\Lucky Clover
2007-11-14 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2007-11-14 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2007-11-14 20:43 <DIR> d-------- C:\Program Files\Common Files\logishrd
2007-11-14 07:44 85,056 --a------ C:\WINDOWS\system32\eynaponj.dll
2007-11-14 07:19 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\McAfee
2007-11-14 06:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-14 04:21 215,552 --------- C:\WINDOWS\system32\dllcache\osk.exe
2007-11-14 04:21 72,704 --------- C:\WINDOWS\system32\dllcache\magnify.exe
2007-11-14 04:21 53,760 --------- C:\WINDOWS\system32\dllcache\narrator.exe
2007-11-14 04:21 50,176 --------- C:\WINDOWS\system32\dllcache\utilman.exe
2007-11-14 04:21 35,840 --------- C:\WINDOWS\system32\dllcache\umandlg.dll
2007-11-13 09:20 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-11-13 09:16 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-11-13 09:08 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-11-13 07:55 <DIR> d-------- C:\Program Files\CONEXANT
2007-11-12 20:42 <DIR> d-------- C:\Documents and Settings\Admin\.housecall6.6
2007-11-12 17:28 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-12 16:57 <DIR> d-------- C:\WINDOWS\B3673A4EBAA249608563002F00B68E53.TMP
2007-11-12 16:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-12 15:58 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-11-10 18:03 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-10 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fugazo
2007-11-10 07:23 <DIR> d-------- C:\Program Files\Diner Dash Hometown Hero
2007-11-05 06:14 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Eyeblaster
2007-11-02 06:19 <DIR> d-------- C:\Program Files\Val`Gor
2007-11-02 06:17 <DIR> d-------- C:\Program Files\Heroes of Hellas
2007-10-30 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NeptunesAdve
2007-10-27 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SugarGames

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 14:24 --------- d-----w C:\Documents and Settings\Admin\Application Data\LimeWire
2007-11-26 23:35 --------- d-----w C:\Program Files\iTunes
2007-11-26 22:31 --------- d-----w C:\Program Files\McAfee
2007-11-26 03:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-11-26 01:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-25 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-11-24 13:49 --------- d-----w C:\Program Files\iWin.com
2007-11-21 16:09 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-18 14:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-17 14:40 --------- d-----w C:\Documents and Settings\Admin\Application Data\iWin
2007-11-15 02:51 --------- d-----w C:\Program Files\Logitech
2007-11-15 01:08 --------- d-----w C:\Program Files\Peggle Deluxe
2007-11-15 01:07 --------- d-----w C:\Program Files\Mysteryville 2
2007-11-15 01:07 --------- d-----w C:\Program Files\Mortimer Beckett And The Secrets Of Spooky Manor
2007-11-15 01:05 --------- d-----w C:\Program Files\Games
2007-11-14 13:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-14 11:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-13 15:36 --------- d-----w C:\Program Files\MSBuild
2007-11-10 23:58 278,537 --sh--w C:\WINDOWS\Fonts\svchost.exe
2007-11-06 20:15 --------- d-----w C:\Program Files\iPod
2007-11-06 20:09 --------- d-----w C:\Program Files\QuickTime
2007-11-02 12:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-10-28 18:59 --------- d-----w C:\Documents and Settings\Admin\Application Data\funkitron
2007-10-26 15:32 --------- d-----w C:\Documents and Settings\Admin\Application Data\Abra Academy2
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-24 12:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\eGames
2007-10-24 12:42 --------- d-----w C:\Documents and Settings\Admin\Application Data\eGames
2007-10-22 05:44 --------- d-----w C:\Program Files\Burger Shop
2007-10-22 00:51 323,624 ----a-w C:\WINDOWS\system32\wiaaut.dll
2007-10-19 19:16 2,109,976 ----a-w C:\WINDOWS\system32\drivers\Lvckap.sys
2007-10-19 13:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\FireGlow
2007-10-19 12:13 --------- d-----w C:\Documents and Settings\Admin\Application Data\Super-Cow
2007-10-15 15:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-10-15 15:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\PlayFirst
2007-10-15 14:41 --------- d-----w C:\Documents and Settings\Admin\Application Data\ViquaSoft
2007-10-12 08:00 490,008 ----a-w C:\WINDOWS\system32\LVUI2.dll
2007-10-12 08:00 465,432 ----a-w C:\WINDOWS\system32\LVUI2RC.dll
2007-10-12 08:00 41,752 ----a-w C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-10-12 07:57 416,280 ----a-w C:\WINDOWS\system32\lvcodec2.dll
2007-10-12 07:57 195,096 ----a-w C:\WINDOWS\system32\lvci1150.dll
2007-10-12 07:56 13,848 ----a-w C:\WINDOWS\system32\drivers\lv302af.sys
2007-10-12 07:56 1,279,000 ----a-w C:\WINDOWS\system32\drivers\LV302V32.SYS
2007-10-12 07:18 21,138 ----a-w C:\WINDOWS\system32\Repository.reg
2007-10-12 00:59 25,624 ----a-w C:\WINDOWS\system32\drivers\LVPr2Mon.sys
2007-10-12 00:59 2,142,488 ----a-w C:\WINDOWS\system32\drivers\LVMVdrv.sys
2007-10-12 00:15 85,302 ----a-w C:\WINDOWS\system32\drivers\LVFeL002.cfg
2007-10-12 00:15 69,592 ----a-w C:\WINDOWS\system32\drivers\LVFaL000.cfg
2007-10-12 00:15 227,172 ----a-w C:\WINDOWS\system32\drivers\LVFeL000.cfg
2007-10-12 00:15 146,680 ----a-w C:\WINDOWS\system32\drivers\LVFeL001.cfg
2007-10-11 06:01 --------- d-----w C:\Documents and Settings\Admin\Application Data\Legends of pirates
2007-10-10 17:18 --------- d-----w C:\Program Files\Java
2007-10-09 14:00 --------- d-----w C:\Program Files\Cyberlink
2007-10-09 13:53 --------- d-----w C:\Program Files\VLC Video player
2007-10-09 13:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\dvdcss
2007-10-09 13:33 --------- d-----w C:\Program Files\InterActual
2007-10-04 14:50 --------- d-----w C:\Documents and Settings\Admin\Application Data\ForgottenRiddles
2007-09-30 22:39 --------- d-----w C:\Documents and Settings\Admin\Application Data\Apple Computer
2007-09-30 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2007-09-24 23:48 873,608 ----a-w C:\Program Files\BitTorrent-6.0.exe
2007-09-24 23:42 59,575 ----a-w C:\Program Files\Zeitgeist.DVDRip.XviD.torrent
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-08-06 20:37 8,717,752 ----a-w C:\Program Files\pal_install_qt_a105_r42004_p115.exe
2007-07-24 02:04 308,888 -c--a-w C:\Program Files\Install_AIM.exe
2007-07-15 23:07 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2007-07-15 23:05 482,512 -c--a-w C:\Program Files\realarcade_ambient_stub.exe
2007-07-11 06:23 15,732,984 -c--a-w C:\Program Files\GoogleEarthWin.exe
2007-06-23 17:13 177,152 -c--a-w C:\Program Files\utorrent.exe
2007-05-17 05:00 3,676,952 -c--a-w C:\Program Files\DivXWebPlayerInstaller.exe
2007-05-03 20:06 728,624 -c--a-w C:\Program Files\aolsetup.exe
2007-05-03 20:06 4,424 -c--a-w C:\Program Files\aolsetup.bin
2007-05-03 20:06 1,544 -c--a-w C:\Program Files\main.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}]
2007-11-26 15:42 36864 --a------ C:\WINDOWS\system32\vtustuv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8544C14D-01A4-42BB-A7D7-BE8F216BD07F}]
C:\WINDOWS\system32\jkklk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-12-07 21:28]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:00]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-04-30 12:44]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:21]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 16:43]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 16:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-02 22:12 C:\WINDOWS\SOUNDMAN.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 09:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 09:44]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 13:46 C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 09:00]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [2007-11-10 17:58]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37]
"WinPatrol"="C:\Documents and Settings\Admin\Desktop\WinPatrol\winpatrol.exe" [2007-10-26 10:06]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-12-07 21:28]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-08-20 04:04 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-04-30 12:44:13]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-04-30 12:42:09]
PalStart.lnk - C:\Program Files\Paltalk Messenger\palstart.exe [2007-05-25 11:55:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoRecentDocsMenu"= 1 (0x1)
"NoRecentDocsHistory"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoRecentDocsMenu"= 1 (0x1)
"NoRecentDocsHistory"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}"= C:\WINDOWS\system32\vtustuv.dll [2007-11-26 15:42 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtustuv]
vtustuv.dll 2007-11-26 15:42 36864 C:\WINDOWS\system32\vtustuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\Windowblinds\wbsrv.dll 2005-12-06 22:16 176128 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

S3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Windows Sidebar]
C:\WINDOWS\system32\hidec /W C:\VAIO\Tools\REGTLIB.EXE "C:\Program Files\Windows Sidebar\sidebar.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"C:\Program Files\Windows Sidebar\.\regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"C:\Program Files\Windows Sidebar\.\regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BADA65A0-86B7-462B-B720-CE66655C73F5}]
regsvr32 /s C:\VAIO\.\vshellext.dll
.
Contents of the 'Scheduled Tasks' folder
"2007-11-20 19:49:29 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-15 08:18:58 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-11-01 06:01:03 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-11-27 01:53:27 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IType_exe.job"
- c:\Program Files\Microsoft IntelliType Pro\itype.exe
"2007-11-23 21:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2007-11-27 15:10:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{9BCAFF5A-2C0A-4711-BCDD-7C1115F94A22}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 09:08:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 9:11:30
C:\ComboFix2.txt ... 2007-11-18 09:55
C:\ComboFix3.txt ... 2007-11-18 08:54
.
--- E O F ---


Thank You!!

#4 SifuMike
malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 November 2007 - 01:49 PM

Hi AriesNine,


Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O2 - BHO: (no name) - {1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE} - C:\WINDOWS\system32\vtustuv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8544C14D-01A4-42BB-A7D7-BE8F216BD07F} - C:\WINDOWS\system32\jkklk.dll (file missing)


I don't believe Logitech Desktop Messenger is something you will ever miss, but instead of uninstalling it, just follow my instructions below, which will stop it running but will still leave it available for you to run manually, should you so desire.

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe


Fix all of the O18 - Protocol entries.
O18 - Protocol: bw+0 - {41C5A3A9-435F-47C2-9A15-18A4A99502FF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************



Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\tuvtrop.dll
C:\WINDOWS\system32\yayaxxv.dll
C:\WINDOWS\system32\vaahoheu.dll
C:\WINDOWS\system32\qomjkjj.dll
C:\WINDOWS\system32\eynaponj.dll
C:\WINDOWS\system32\mljjklj.dll
C:\WINDOWS\system32\vaahoheu.dll
C:\WINDOWS\system32\qomjkjj.dll
C:\WINDOWS\system32\klkkj.ini 
C:\WINDOWS\system32\klkkj.ini2 
C:\WINDOWS\system32\jkklk.dll 
C:\WINDOWS\system32\ddcdaxv.dll 
C:\1654.bat
C:\d.exe
C:\b.exe
C:\a.exe

Folder:: 
C:\VundoFix Backups

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16BD21BF-8857-48D5-BC03-02146BB711D4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bc79ea8d"=-  
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"=-  
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomjkjj] 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] 
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
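Two checks a helper working through logs like the ones above would want scripted, as an added example written for this page (it is not ComboFix, HijackThis or BleepingComputer code): pairing the hidden .ini files in the "Files Created" section with the DLL whose name is the .ini name spelled backwards (ebaymcrh.ini and hrcmyabe.dll, wqpjmhgd.ini and dghmjpqw.dll, klkkj.ini and jkklk.dll in the log above), and reconciling a CFScript's File:: list against the "Other Deletions" section of the ComboFix run it produced. The sample strings are abridged copies of lines from this thread; the column layout of the "Files Created" lines and the CFScript section syntax are assumed to be exactly what is posted here.

```python
"""Triage helpers for ComboFix logs and CFScript runs.
Added example for this thread, not ComboFix, HijackThis or BleepingComputer
code; the sample inputs are abridged copies of lines posted in this thread.
"""
import re

# ComboFix "Files Created" lines: date time size-or-<DIR> attributes path
FILES_CREATED = r"""
2007-11-27 00:21 36,864 --a------ C:\WINDOWS\system32\jkkjhfe.dll
2007-11-20 10:11 702,489 ---hs---- C:\WINDOWS\system32\ebaymcrh.ini
2007-11-20 10:11 85,056 --a------ C:\WINDOWS\system32\hrcmyabe.dll
2007-11-19 11:15 1,771,241 ---hs---- C:\WINDOWS\system32\wqpjmhgd.ini
2007-11-19 11:15 85,056 --a------ C:\WINDOWS\system32\dghmjpqw.dll
2007-11-18 09:50 481,452 --ahs---- C:\WINDOWS\system32\klkkj.ini
2007-11-26 15:23 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{9})\s+(.+?)\s*$")

def parse_files_created(text):
    """One dict per matching line; headers, dots and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            when, size, attrs, path = m.groups()
            entries.append({"when": when, "attrs": attrs, "path": path,
                            "size": None if size == "<DIR>" else int(size.replace(",", "")),
                            "name": path.rsplit("\\", 1)[-1].lower()})
    return entries

def reversed_name_pairs(entries):
    """Pair each .ini/.ini2 with a DLL whose base name is the .ini name reversed
    (ebaymcrh.ini <-> hrcmyabe.dll), the drop pattern visible in the logs above.
    A hidden+system .ini with no such DLL in the window is returned with None."""
    dll_by_stem = {e["name"][:-4]: e["path"] for e in entries if e["name"].endswith(".dll")}
    pairs = []
    for e in entries:
        stem, _, ext = e["name"].rpartition(".")
        if not ext.startswith("ini"):
            continue
        mate = dll_by_stem.get(stem[::-1])
        if mate or ("h" in e["attrs"] and "s" in e["attrs"]):
            pairs.append((e["path"], mate))
    return pairs

# CFScript syntax as ComboFix reads it: a "Section::" header, one item per line
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\eynaponj.dll
C:\WINDOWS\system32\klkkj.ini
C:\WINDOWS\system32\klkkj.ini2
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\vaahoheu.dll
C:\WINDOWS\system32\vaahoheu.dll
C:\a.exe

Folder::
C:\VundoFix Backups
"""

COMBOFIX_AFTER = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\eynaponj.dll
C:\WINDOWS\system32\klkkj.ini
C:\WINDOWS\system32\klkkj.ini2

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
2007-11-27 21:22 <DIR> d-------- C:\Program Files\CCleaner
"""

def cfscript_file_targets(script):
    """Unique File:: entries in script order (the script above lists two twice)."""
    section, targets = None, []
    for raw in script.splitlines():
        line = raw.strip()
        if line.endswith("::"):
            section = line[:-2].lower()
        elif section == "file" and line and line.lower() not in [t.lower() for t in targets]:
            targets.append(line)
    return targets

def cfscript_outcome(script, log):
    """Split File:: targets into those the log's 'Other Deletions' section reports
    removed and those it never mentions (typically not on disk when ComboFix ran)."""
    deleted, inside = set(), False
    for line in log.splitlines():
        if "Other Deletions" in line:
            inside = True
        elif inside and line.startswith("((((("):
            break
        elif inside and line.strip() not in ("", "."):
            deleted.add(line.strip().lower())
    targets = cfscript_file_targets(script)
    return {"removed": [t for t in targets if t.lower() in deleted],
            "not_listed": [t for t in targets if t.lower() not in deleted]}

if __name__ == "__main__":
    print(reversed_name_pairs(parse_files_created(FILES_CREATED)))
    print(cfscript_outcome(CFSCRIPT, COMBOFIX_AFTER))
```

Running it prints the three .ini/DLL pairs and shows that, of six script targets, only the three ComboFix listed under Other Deletions were removed. The names it reports as not listed are worth a fresh HijackThis look rather than a second identical script, since the random DLL names in these logs differ from scan to scan.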

#5 AriesNine
  • Topic Starter
  • Members
  • 12 posts

Posted 27 November 2007 - 05:21 PM

Hi
Thank you for the instructions. I have been busy today! I have to go to work now but I will be on top of this when I get home and will reply in length later.

#6 SifuMike
malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 November 2007 - 06:16 PM

That is OK. I will be here. :thumbsup:

#7 AriesNine
  • Topic Starter
  • Members
  • 12 posts

Posted 27 November 2007 - 11:01 PM

:thumbsup:


I screwed up the combofix scan after putting in the txt file. I forgot to disconnect from the net and disable my firewall.

How would you like me to proceed? Do you want the logs for that and hijack this anyway?

And yes, the trojan is still here, as I'm getting prompts from WinPatrol that an add-on is trying to install itself into IE.

So sorry for the screw up! I know you do this on your own time.

Edited by AriesNine, 27 November 2007 - 11:03 PM.


#8 SifuMike
malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 November 2007 - 11:08 PM

How would you like me to proceed? Do you want the logs for that and hijack this anyway?



Lets see the log for ComboFix to see if it worked.

We may have to start over. :thumbsup:

Edited by SifuMike, 27 November 2007 - 11:09 PM.


#9 AriesNine
  • Topic Starter
  • Members
  • 12 posts

Posted 27 November 2007 - 11:32 PM

Thank you for replying so soon! I really appreciate your help!
Hopefully this is good news!


ComboFix 07-11-19.4 - Admin 2007-11-27 21:33:39.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.342 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\1654.bat
C:\a.exe
C:\b.exe
C:\d.exe
C:\WINDOWS\system32\ddcdaxv.dll
C:\WINDOWS\system32\eynaponj.dll
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\klkkj.ini
C:\WINDOWS\system32\klkkj.ini2
C:\WINDOWS\system32\mljjklj.dll
C:\WINDOWS\system32\qomjkjj.dll
C:\WINDOWS\system32\tuvtrop.dll
C:\WINDOWS\system32\vaahoheu.dll
C:\WINDOWS\system32\yayaxxv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\eynaponj.dll
C:\WINDOWS\system32\klkkj.ini
C:\WINDOWS\system32\klkkj.ini2

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-27 21:22 <DIR> d-------- C:\Program Files\CCleaner
2007-11-27 00:21 36,864 --a------ C:\WINDOWS\system32\jkkjhfe.dll
2007-11-26 19:51 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2007-11-26 19:49 7,106,392 --a------ C:\Program Files\ITP32Eng.exe
2007-11-26 15:59 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-11-26 15:42 36,864 --a------ C:\WINDOWS\system32\vtustuv.dll
2007-11-26 15:23 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-11-26 15:23 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2007-11-26 15:23 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-11-26 15:23 14,848 --a------ C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-11-24 08:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BigFish
2007-11-24 07:57 <DIR> d-------- C:\Program Files\Amazing Adventures - The Lost Tomb
2007-11-20 10:24 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-20 10:12 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\HouseCall 6.6
2007-11-20 10:11 702,489 ---hs---- C:\WINDOWS\system32\ebaymcrh.ini
2007-11-20 10:11 85,056 --a------ C:\WINDOWS\system32\hrcmyabe.dll
2007-11-20 07:16 37,376 --a------ C:\WINDOWS\system32\tuvuspq.dll
2007-11-19 11:15 1,771,241 ---hs---- C:\WINDOWS\system32\wqpjmhgd.ini
2007-11-19 11:15 85,056 --a------ C:\WINDOWS\system32\dghmjpqw.dll
2007-11-18 19:51 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\WinPatrol
2007-11-18 09:44 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-11-18 09:44 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-11-18 07:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-17 14:17 <DIR> d-------- C:\GameRival
2007-11-17 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-17 09:58 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\SiteAdvisor
2007-11-15 16:19 1,844,897 ---hs---- C:\WINDOWS\system32\uehohaav.ini
2007-11-15 14:42 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Twilight Games
2007-11-15 12:02 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Uniblue
2007-11-15 07:14 <DIR> d-------- C:\Program Files\Ballhalla
2007-11-15 07:14 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Land Of Runes
2007-11-15 07:12 <DIR> d-------- C:\Program Files\Gallop for Gold
2007-11-15 07:11 <DIR> d-------- C:\Program Files\Land of Runes
2007-11-15 07:10 <DIR> d-------- C:\Program Files\Mythic Pearls - The Legend of Tirnanog
2007-11-15 06:58 <DIR> d-------- C:\Program Files\Lucky Clover
2007-11-14 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2007-11-14 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2007-11-14 20:43 <DIR> d-------- C:\Program Files\Common Files\logishrd
2007-11-14 07:19 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\McAfee
2007-11-14 06:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-14 04:21 215,552 --------- C:\WINDOWS\system32\dllcache\osk.exe
2007-11-14 04:21 72,704 --------- C:\WINDOWS\system32\dllcache\magnify.exe
2007-11-14 04:21 53,760 --------- C:\WINDOWS\system32\dllcache\narrator.exe
2007-11-14 04:21 50,176 --------- C:\WINDOWS\system32\dllcache\utilman.exe
2007-11-14 04:21 35,840 --------- C:\WINDOWS\system32\dllcache\umandlg.dll
2007-11-13 09:20 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-11-13 09:16 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-11-13 09:08 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-11-13 07:55 <DIR> d-------- C:\Program Files\CONEXANT
2007-11-12 20:42 <DIR> d-------- C:\Documents and Settings\Admin\.housecall6.6
2007-11-12 17:28 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-12 16:57 <DIR> d-------- C:\WINDOWS\B3673A4EBAA249608563002F00B68E53.TMP
2007-11-12 16:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-12 15:58 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-11-10 18:03 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-10 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fugazo
2007-11-10 07:23 <DIR> d-------- C:\Program Files\Diner Dash Hometown Hero
2007-11-05 06:14 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Eyeblaster
2007-11-02 06:19 <DIR> d-------- C:\Program Files\Val`Gor
2007-11-02 06:17 <DIR> d-------- C:\Program Files\Heroes of Hellas
2007-10-30 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NeptunesAdve

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 03:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-27 14:24 --------- d-----w C:\Documents and Settings\Admin\Application Data\LimeWire
2007-11-26 23:35 --------- d-----w C:\Program Files\iTunes
2007-11-26 22:31 --------- d-----w C:\Program Files\McAfee
2007-11-26 03:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-11-26 01:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-25 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-11-24 13:49 --------- d-----w C:\Program Files\iWin.com
2007-11-21 16:09 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-17 14:40 --------- d-----w C:\Documents and Settings\Admin\Application Data\iWin
2007-11-15 02:51 --------- d-----w C:\Program Files\Logitech
2007-11-15 01:08 --------- d-----w C:\Program Files\Peggle Deluxe
2007-11-15 01:07 --------- d-----w C:\Program Files\Mysteryville 2
2007-11-15 01:07 --------- d-----w C:\Program Files\Mortimer Beckett And The Secrets Of Spooky Manor
2007-11-15 01:05 --------- d-----w C:\Program Files\Games
2007-11-14 13:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-14 11:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-13 15:36 --------- d-----w C:\Program Files\MSBuild
2007-11-10 23:58 278,537 --sh--w C:\WINDOWS\Fonts\svchost.exe
2007-11-06 20:15 --------- d-----w C:\Program Files\iPod
2007-11-06 20:09 --------- d-----w C:\Program Files\QuickTime
2007-11-02 12:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-10-28 18:59 --------- d-----w C:\Documents and Settings\Admin\Application Data\funkitron
2007-10-27 16:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\SugarGames
2007-10-26 15:32 --------- d-----w C:\Documents and Settings\Admin\Application Data\Abra Academy2
2007-10-24 12:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\eGames
2007-10-24 12:42 --------- d-----w C:\Documents and Settings\Admin\Application Data\eGames
2007-10-22 05:44 --------- d-----w C:\Program Files\Burger Shop
2007-10-19 19:16 2,109,976 ----a-w C:\WINDOWS\system32\drivers\Lvckap.sys
2007-10-19 13:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\FireGlow
2007-10-19 12:13 --------- d-----w C:\Documents and Settings\Admin\Application Data\Super-Cow
2007-10-15 15:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-10-15 15:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\PlayFirst
2007-10-15 14:41 --------- d-----w C:\Documents and Settings\Admin\Application Data\ViquaSoft
2007-10-12 08:00 41,752 ----a-w C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-10-12 07:56 13,848 ----a-w C:\WINDOWS\system32\drivers\lv302af.sys
2007-10-12 07:56 1,279,000 ----a-w C:\WINDOWS\system32\drivers\LV302V32.SYS
2007-10-12 00:59 25,624 ----a-w C:\WINDOWS\system32\drivers\LVPr2Mon.sys
2007-10-12 00:59 2,142,488 ----a-w C:\WINDOWS\system32\drivers\LVMVdrv.sys
2007-10-12 00:15 85,302 ----a-w C:\WINDOWS\system32\drivers\LVFeL002.cfg
2007-10-12 00:15 69,592 ----a-w C:\WINDOWS\system32\drivers\LVFaL000.cfg
2007-10-12 00:15 227,172 ----a-w C:\WINDOWS\system32\drivers\LVFeL000.cfg
2007-10-12 00:15 146,680 ----a-w C:\WINDOWS\system32\drivers\LVFeL001.cfg
2007-10-11 06:01 --------- d-----w C:\Documents and Settings\Admin\Application Data\Legends of pirates
2007-10-10 17:18 --------- d-----w C:\Program Files\Java
2007-10-09 14:00 --------- d-----w C:\Program Files\Cyberlink
2007-10-09 13:53 --------- d-----w C:\Program Files\VLC Video player
2007-10-09 13:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\dvdcss
2007-10-09 13:33 --------- d-----w C:\Program Files\InterActual
2007-10-04 14:50 --------- d-----w C:\Documents and Settings\Admin\Application Data\ForgottenRiddles
2007-09-30 22:39 --------- d-----w C:\Documents and Settings\Admin\Application Data\Apple Computer
2007-09-30 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2007-09-24 23:48 873,608 ----a-w C:\Program Files\BitTorrent-6.0.exe
2007-09-24 23:42 59,575 ----a-w C:\Program Files\Zeitgeist.DVDRip.XviD.torrent
2007-08-06 20:37 8,717,752 ----a-w C:\Program Files\pal_install_qt_a105_r42004_p115.exe
2007-07-24 02:04 308,888 -c--a-w C:\Program Files\Install_AIM.exe
2007-07-15 23:07 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2007-07-15 23:05 482,512 -c--a-w C:\Program Files\realarcade_ambient_stub.exe
2007-07-11 06:23 15,732,984 -c--a-w C:\Program Files\GoogleEarthWin.exe
2007-06-23 17:13 177,152 -c--a-w C:\Program Files\utorrent.exe
2007-05-17 05:00 3,676,952 -c--a-w C:\Program Files\DivXWebPlayerInstaller.exe
2007-05-03 20:06 728,624 -c--a-w C:\Program Files\aolsetup.exe
2007-05-03 20:06 4,424 -c--a-w C:\Program Files\aolsetup.bin
2007-05-03 20:06 1,544 -c--a-w C:\Program Files\main.ini
.

((((((((((((((((((((((((((((( snapshot@2007-11-27_ 9.09.08.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 14:11:35 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-28 03:41:03 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-27 14:11:35 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-28 03:41:03 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-27 14:11:35 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-28 03:41:03 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}]
2007-11-26 15:42 36864 --a------ C:\WINDOWS\system32\vtustuv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-12-07 21:28]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:21]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 16:43]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 16:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-02 22:12 C:\WINDOWS\SOUNDMAN.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 09:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 09:44]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 13:46 C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 09:00]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [2007-11-10 17:58]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37]
"WinPatrol"="C:\Documents and Settings\Admin\Desktop\WinPatrol\winpatrol.exe" [2007-10-26 10:06]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-12-07 21:28]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-08-20 04:04 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-04-30 12:42:09]
PalStart.lnk - C:\Program Files\Paltalk Messenger\palstart.exe [2007-05-25 11:55:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoRecentDocsMenu"= 1 (0x1)
"NoRecentDocsHistory"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoRecentDocsMenu"= 1 (0x1)
"NoRecentDocsHistory"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}"= C:\WINDOWS\system32\vtustuv.dll [2007-11-26 15:42 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtustuv]
vtustuv.dll 2007-11-26 15:42 36864 C:\WINDOWS\system32\vtustuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\Windowblinds\wbsrv.dll 2005-12-06 22:16 176128 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

S3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Windows Sidebar]
C:\WINDOWS\system32\hidec /W C:\VAIO\Tools\REGTLIB.EXE "C:\Program Files\Windows Sidebar\sidebar.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"C:\Program Files\Windows Sidebar\.\regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"C:\Program Files\Windows Sidebar\.\regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BADA65A0-86B7-462B-B720-CE66655C73F5}]
regsvr32 /s C:\VAIO\.\vshellext.dll
.
Contents of the 'Scheduled Tasks' folder
"2007-11-27 19:49:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-15 08:18:58 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-11-01 06:01:03 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-11-27 01:53:27 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IType_exe.job"
- c:\Program Files\Microsoft IntelliType Pro\itype.exe
"2007-11-23 21:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
"2007-11-28 03:50:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{9BCAFF5A-2C0A-4711-BCDD-7C1115F94A22}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 21:46:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 21:52:58 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-27 09:11
C:\ComboFix3.txt ... 2007-11-18 09:55
.
--- E O F ---

#10 SifuMike
malware expert, Staff Emeritus

Posted 28 November 2007 - 12:01 AM

Hi AriesNine,

Make sure you have your registry protectors (WinPatrol, Teatimer) disabled, as well as your antivirus program.


Click Start, then Run, type Notepad and click OK.
Open Notepad - don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the code box below into Notepad:

File:: 
C:\WINDOWS\system32\jkkjhfe.dll
C:\WINDOWS\system32\vtustuv.dll
C:\WINDOWS\system32\ebaymcrh.ini
C:\WINDOWS\system32\hrcmyabe.dll
C:\WINDOWS\system32\tuvuspq.dll
C:\WINDOWS\system32\wqpjmhgd.ini
C:\WINDOWS\system32\dghmjpqw.dll
C:\WINDOWS\system32\uehohaav.ini
C:\WINDOWS\Fonts\svchost.exe

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}]
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}"=- 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtustuv]


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again.

After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
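
The files and registry entries SifuMike's CFScript targets follow a pattern that is visible in the ComboFix log itself: short random-looking DLLs in system32 paired with hidden/system .ini files whose names are the DLL name spelled backwards (hrcmyabe.dll / ebaymcrh.ini, dghmjpqw.dll / wqpjmhgd.ini, and earlier jkklk.dll / klkkj.ini), one DLL (vtustuv.dll) wired into three load points under the same CLSID (Browser Helper Objects, ShellExecuteHooks, Winlogon Notify), and a copy of svchost.exe sitting in C:\WINDOWS\Fonts with hidden and system attributes, started from HKLM\...\Run as "Host Process". The Python below is an added example, not ComboFix's code and not from anyone in this thread: it parses an excerpt of the log above (embedded as constructed input), flags those three patterns, and drafts a CFScript in the same File:: / Registry:: syntax the post uses. The regexes, the SYSTEM_BINARIES list and the "two or more load points" threshold are my assumptions about the log format, and anything it flags still needs a human to check before it goes anywhere near ComboFix.

```python
"""Triage a ComboFix log for the Vundo/Virtumundo-style indicators visible in this thread and
draft a CFScript in the File:: / Registry:: syntax of the post above.  Added example, not
ComboFix's own code; the regexes, SYSTEM_BINARIES and the load-point threshold are assumptions."""
import re
from collections import defaultdict

# Constructed input: lines excerpted verbatim from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
2007-11-26 15:42 36,864 --a------ C:\WINDOWS\system32\vtustuv.dll
2007-11-26 15:23 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-11-20 10:11 702,489 ---hs---- C:\WINDOWS\system32\ebaymcrh.ini
2007-11-20 10:11 85,056 --a------ C:\WINDOWS\system32\hrcmyabe.dll
2007-11-19 11:15 1,771,241 ---hs---- C:\WINDOWS\system32\wqpjmhgd.ini
2007-11-19 11:15 85,056 --a------ C:\WINDOWS\system32\dghmjpqw.dll
2007-11-10 23:58 278,537 --sh--w C:\WINDOWS\Fonts\svchost.exe
2007-10-19 19:16 2,109,976 ----a-w C:\WINDOWS\system32\drivers\Lvckap.sys
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}]
2007-11-26 15:42 36864 --a------ C:\WINDOWS\system32\vtustuv.dll
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}"= C:\WINDOWS\system32\vtustuv.dll [2007-11-26 15:42 36864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtustuv]
vtustuv.dll 2007-11-26 15:42 36864 C:\WINDOWS\system32\vtustuv.dll
"""

# Dated file lines look like "<date> <time> <size|<DIR>> <attrs> <path>"; registry keys are "[...]" lines.
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(<DIR>|[\d,]+|-+)\s+\S+\s+(.+?)\s*$", re.M)
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\[\]\"]+")
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}  # assumed list

def parse_files(text):
    """Unique file paths from dated lines; directories skipped, later duplicates ignored."""
    seen, out = set(), []
    for size, path in FILE_RE.findall(text):
        if size != "<DIR>" and path.lower() not in seen:
            seen.add(path.lower())
            out.append(path)
    return out

def find_reversed_ini_pairs(paths):
    """Pair foo.dll with a same-directory .ini named 'foo' spelled backwards, the pattern this
    log shows (hrcmyabe.dll / ebaymcrh.ini, dghmjpqw.dll / wqpjmhgd.ini)."""
    by_dir = defaultdict(dict)
    for p in paths:
        d, _, name = p.rpartition("\\")
        by_dir[d.lower()][name.lower()] = p
    pairs = []
    for names in by_dir.values():
        for name, p in names.items():
            twin = name[:-4][::-1] + ".ini"
            if name.endswith(".dll") and twin in names:
                pairs.append((p, names[twin]))
    return sorted(pairs)

def find_misplaced_system_binaries(paths):
    """Core Windows binary names outside system32 or its dllcache (here: svchost.exe under Fonts)."""
    legit = ("\\windows\\system32", "\\windows\\system32\\dllcache")
    return [p for p in paths
            if p.lower().rpartition("\\")[2] in SYSTEM_BINARIES
            and not p.lower().rpartition("\\")[0].endswith(legit)]

def parse_load_points(text):
    """Map each DLL referenced under a registry load point to its (key, value_name) references;
    value_name is the GUID when the DLL is registered as a value (ShellExecuteHooks), else None."""
    refs, key = defaultdict(list), None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
        elif key is not None:
            for path in PATH_RE.findall(line):
                guid = GUID_RE.search(line)
                refs[path].append((key, guid.group(0) if guid else None))
    return refs

def triage(text):
    """Run the three checks; multi_hook = DLLs wired into two or more distinct load points."""
    paths, hooks = parse_files(text), parse_load_points(text)
    return {"reversed_pairs": find_reversed_ini_pairs(paths),
            "misplaced": find_misplaced_system_binaries(paths),
            "hooks": hooks,
            "multi_hook": sorted(p for p, r in hooks.items() if len({k for k, _ in r}) >= 2)}

def draft_cfscript(report):
    """CFScript text: File:: paths, then '[-key]' to delete a key and '"name"=-' to delete a value."""
    files = {p for pair in report["reversed_pairs"] for p in pair}
    files |= set(report["misplaced"]) | set(report["multi_hook"])
    reg = []
    for path in report["multi_hook"]:
        for key, value in report["hooks"][path]:
            reg += [f"[{key}]", f'"{value}"=-'] if value else [f"[-{key}]"]
    return "\n".join(["File::", *sorted(files), "", "Registry::", *reg]) + "\n"

if __name__ == "__main__":
    print(draft_cfscript(triage(SAMPLE_LOG)))
```

Run as-is it prints a CFScript with the same six files and three registry edits as the one in the post above. The value is in the checks rather than the script: the DLL and .ini names are random and differ on every infected machine, so a tool that pairs reversed names and counts load points per DLL finds the next variant too, while a fixed list of names does not.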

#11 AriesNine
Topic Starter

Posted 28 November 2007 - 01:06 AM

Greetings... back from the scans... here we go.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:27 AM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [WinPatrol] C:\Documents and Settings\Admin\Desktop\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: vtustuv - vtustuv.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 9540 bytes


ComboFix 07-11-19.4 - Admin 2007-11-27 23:43:12.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.380 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\dghmjpqw.dll
C:\WINDOWS\system32\ebaymcrh.ini
C:\WINDOWS\system32\hrcmyabe.dll
C:\WINDOWS\system32\jkkjhfe.dll
C:\WINDOWS\system32\tuvuspq.dll
C:\WINDOWS\system32\uehohaav.ini
C:\WINDOWS\system32\vtustuv.dll
C:\WINDOWS\system32\wqpjmhgd.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\dghmjpqw.dll
C:\WINDOWS\system32\ebaymcrh.ini
C:\WINDOWS\system32\hrcmyabe.dll
C:\WINDOWS\system32\jkkjhfe.dll
C:\WINDOWS\system32\tuvuspq.dll
C:\WINDOWS\system32\uehohaav.ini
C:\WINDOWS\system32\vtustuv.dll
C:\WINDOWS\system32\wqpjmhgd.ini

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-27 21:22 <DIR> d-------- C:\Program Files\CCleaner
2007-11-26 19:51 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2007-11-26 19:49 7,106,392 --a------ C:\Program Files\ITP32Eng.exe
2007-11-26 15:23 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-11-24 08:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BigFish
2007-11-24 07:57 <DIR> d-------- C:\Program Files\Amazing Adventures - The Lost Tomb
2007-11-20 10:24 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-20 10:12 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\HouseCall 6.6
2007-11-18 19:51 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\WinPatrol
2007-11-18 09:44 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-11-18 07:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-17 14:17 <DIR> d-------- C:\GameRival
2007-11-17 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-17 09:58 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\SiteAdvisor
2007-11-15 14:42 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Twilight Games
2007-11-15 12:02 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Uniblue
2007-11-15 07:14 <DIR> d-------- C:\Program Files\Ballhalla
2007-11-15 07:14 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Land Of Runes
2007-11-15 07:12 <DIR> d-------- C:\Program Files\Gallop for Gold
2007-11-15 07:11 <DIR> d-------- C:\Program Files\Land of Runes
2007-11-15 07:10 <DIR> d-------- C:\Program Files\Mythic Pearls - The Legend of Tirnanog
2007-11-15 06:58 <DIR> d-------- C:\Program Files\Lucky Clover
2007-11-14 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2007-11-14 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2007-11-14 20:43 <DIR> d-------- C:\Program Files\Common Files\logishrd
2007-11-14 07:19 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\McAfee
2007-11-14 06:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-14 04:21 215,552 --a------ C:\WINDOWS\system32\dllcache\osk.exe
2007-11-14 04:21 72,704 --a------ C:\WINDOWS\system32\dllcache\magnify.exe
2007-11-14 04:21 53,760 --a------ C:\WINDOWS\system32\dllcache\narrator.exe
2007-11-14 04:21 50,176 --a------ C:\WINDOWS\system32\dllcache\utilman.exe
2007-11-14 04:21 35,840 --a------ C:\WINDOWS\system32\dllcache\umandlg.dll
2007-11-13 09:16 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-11-13 07:55 <DIR> d-------- C:\Program Files\CONEXANT
2007-11-12 20:42 <DIR> d-------- C:\Documents and Settings\Admin\.housecall6.6
2007-11-12 17:28 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-12 16:57 <DIR> d-------- C:\WINDOWS\B3673A4EBAA249608563002F00B68E53.TMP
2007-11-12 16:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-12 15:58 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-11-10 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fugazo
2007-11-10 07:23 <DIR> d-------- C:\Program Files\Diner Dash Hometown Hero
2007-11-05 06:14 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Eyeblaster
2007-11-02 06:19 <DIR> d-------- C:\Program Files\Val`Gor
2007-11-02 06:17 <DIR> d-------- C:\Program Files\Heroes of Hellas
2007-10-30 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NeptunesAdve

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 05:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-28 03:49 --------- d-----w C:\Documents and Settings\Admin\Application Data\LimeWire
2007-11-26 23:35 --------- d-----w C:\Program Files\iTunes
2007-11-26 22:31 --------- d-----w C:\Program Files\McAfee
2007-11-26 03:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-11-26 01:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-25 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-11-24 13:49 --------- d-----w C:\Program Files\iWin.com
2007-11-21 16:09 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-17 14:40 --------- d-----w C:\Documents and Settings\Admin\Application Data\iWin
2007-11-15 02:51 --------- d-----w C:\Program Files\Logitech
2007-11-15 01:08 --------- d-----w C:\Program Files\Peggle Deluxe
2007-11-15 01:07 --------- d-----w C:\Program Files\Mysteryville 2
2007-11-15 01:07 --------- d-----w C:\Program Files\Mortimer Beckett And The Secrets Of Spooky Manor
2007-11-15 01:05 --------- d-----w C:\Program Files\Games
2007-11-14 13:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-14 11:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-13 15:36 --------- d-----w C:\Program Files\MSBuild
2007-11-06 20:15 --------- d-----w C:\Program Files\iPod
2007-11-06 20:09 --------- d-----w C:\Program Files\QuickTime
2007-11-02 12:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-10-28 18:59 --------- d-----w C:\Documents and Settings\Admin\Application Data\funkitron
2007-10-27 16:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\SugarGames
2007-10-26 15:32 --------- d-----w C:\Documents and Settings\Admin\Application Data\Abra Academy2
2007-10-24 12:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\eGames
2007-10-24 12:42 --------- d-----w C:\Documents and Settings\Admin\Application Data\eGames
2007-10-22 05:44 --------- d-----w C:\Program Files\Burger Shop
2007-10-19 19:16 2,109,976 ----a-w C:\WINDOWS\system32\drivers\Lvckap.sys
2007-10-19 13:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\FireGlow
2007-10-19 12:13 --------- d-----w C:\Documents and Settings\Admin\Application Data\Super-Cow
2007-10-15 15:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-10-15 15:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\PlayFirst
2007-10-15 14:41 --------- d-----w C:\Documents and Settings\Admin\Application Data\ViquaSoft
2007-10-12 08:00 41,752 ----a-w C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-10-12 07:56 13,848 ----a-w C:\WINDOWS\system32\drivers\lv302af.sys
2007-10-12 07:56 1,279,000 ----a-w C:\WINDOWS\system32\drivers\LV302V32.SYS
2007-10-12 00:59 25,624 ----a-w C:\WINDOWS\system32\drivers\LVPr2Mon.sys
2007-10-12 00:59 2,142,488 ----a-w C:\WINDOWS\system32\drivers\LVMVdrv.sys
2007-10-12 00:15 85,302 ----a-w C:\WINDOWS\system32\drivers\LVFeL002.cfg
2007-10-12 00:15 69,592 ----a-w C:\WINDOWS\system32\drivers\LVFaL000.cfg
2007-10-12 00:15 227,172 ----a-w C:\WINDOWS\system32\drivers\LVFeL000.cfg
2007-10-12 00:15 146,680 ----a-w C:\WINDOWS\system32\drivers\LVFeL001.cfg
2007-10-11 06:01 --------- d-----w C:\Documents and Settings\Admin\Application Data\Legends of pirates
2007-10-10 17:18 --------- d-----w C:\Program Files\Java
2007-10-09 14:00 --------- d-----w C:\Program Files\Cyberlink
2007-10-09 13:53 --------- d-----w C:\Program Files\VLC Video player
2007-10-09 13:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\dvdcss
2007-10-09 13:33 --------- d-----w C:\Program Files\InterActual
2007-10-04 14:50 --------- d-----w C:\Documents and Settings\Admin\Application Data\ForgottenRiddles
2007-09-30 22:39 --------- d-----w C:\Documents and Settings\Admin\Application Data\Apple Computer
2007-09-30 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2007-09-24 23:48 873,608 ----a-w C:\Program Files\BitTorrent-6.0.exe
2007-09-24 23:42 59,575 ----a-w C:\Program Files\Zeitgeist.DVDRip.XviD.torrent
2007-08-06 20:37 8,717,752 ----a-w C:\Program Files\pal_install_qt_a105_r42004_p115.exe
2007-07-24 02:04 308,888 -c--a-w C:\Program Files\Install_AIM.exe
2007-07-15 23:07 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2007-07-15 23:05 482,512 -c--a-w C:\Program Files\realarcade_ambient_stub.exe
2007-07-11 06:23 15,732,984 -c--a-w C:\Program Files\GoogleEarthWin.exe
2007-06-23 17:13 177,152 -c--a-w C:\Program Files\utorrent.exe
2007-05-17 05:00 3,676,952 -c--a-w C:\Program Files\DivXWebPlayerInstaller.exe
2007-05-03 20:06 728,624 -c--a-w C:\Program Files\aolsetup.exe
2007-05-03 20:06 4,424 -c--a-w C:\Program Files\aolsetup.bin
2007-05-03 20:06 1,544 -c--a-w C:\Program Files\main.ini
.

((((((((((((((((((((((((((((( snapshot@2007-11-27_ 9.09.08.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 14:11:35 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-28 03:41:03 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-27 14:11:35 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-28 03:41:03 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-12-07 21:28]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:21]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 16:43]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 16:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-02 22:12 C:\WINDOWS\SOUNDMAN.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 09:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 09:44]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 13:46 C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 09:00]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" []
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37]
"WinPatrol"="C:\Documents and Settings\Admin\Desktop\WinPatrol\winpatrol.exe" [2007-10-26 10:06]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-12-07 21:28]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-08-20 04:04 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-04-30 12:42:09]
PalStart.lnk - C:\Program Files\Paltalk Messenger\palstart.exe [2007-05-25 11:55:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoRecentDocsMenu"= 1 (0x1)
"NoRecentDocsHistory"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoRecentDocsMenu"= 1 (0x1)
"NoRecentDocsHistory"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtustuv]
vtustuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\Windowblinds\wbsrv.dll 2005-12-06 22:16 176128 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

S3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Windows Sidebar]
C:\WINDOWS\system32\hidec /W C:\VAIO\Tools\REGTLIB.EXE "C:\Program Files\Windows Sidebar\sidebar.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"C:\Program Files\Windows Sidebar\.\regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"C:\Program Files\Windows Sidebar\.\regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BADA65A0-86B7-462B-B720-CE66655C73F5}]
regsvr32 /s C:\VAIO\.\vshellext.dll
.
Contents of the 'Scheduled Tasks' folder
"2007-11-27 19:49:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-15 08:18:58 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-11-01 06:01:03 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-11-23 21:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2007-11-28 05:55:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{9BCAFF5A-2C0A-4711-BCDD-7C1115F94A22}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 23:54:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 23:58:28 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-27 21:53
C:\ComboFix3.txt ... 2007-11-27 09:11
.
--- E O F ---

Gimme some good news!! :thumbsup:

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 28 November 2007 - 01:25 AM

Hi AriesNine,

Sorry, not clean yet. But we are almost clean.

Make sure you have your registry protectors (WinPatrol, Teatimer) disabled, as well as disabling your antivirus program.

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O20 - Winlogon Notify: vtustuv - vtustuv.dll (file missing)

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File::
C:\WINDOWS\Fonts\svchost.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Host Process"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtustuv]


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by SifuMike, 28 November 2007 - 01:27 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 AriesNine

AriesNine
  • Topic Starter

  • Members
  • 12 posts

Posted 28 November 2007 - 02:24 AM

At least we are getting there!!

You are mentioning my registry protectors again....I'm hoping that they didn't show up or interfere and that you are only reminding me. McAfee is kind of a bleep about being shut down...so I'm hoping that hasn't been a problem.

I will be back tomorrow to do the next scan. It takes so much time to shut it all down to get it ready and it's very late here.

Thank you again...talk to you soon.

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 28 November 2007 - 08:41 AM

You are mentioning my registry protectors again....I'm hoping that they didn't show up or interfere and that you are only reminding me. McAfee is kind of a bleep about being shut down...so I'm hoping that hasn't been a problem.

Yes, I am reminding you. :thumbsup:

To disable MCAFEE ANTIVIRUS
Please navigate to the system tray on the bottom right-hand corner and look for a sign.
Right-click it -> choose "Exit."
A popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You have successfully disabled the McAfee Guard.

#15 AriesNine

AriesNine
  • Topic Starter

  • Members
  • 12 posts

Posted 28 November 2007 - 10:49 AM

Thanks! ;)

My McAfee right click menu does not have an 'exit' option. All the programs have to be disabled manually. At least so far in surfing through the program that is what I'm finding. I'm running Security Center version 8.0. Thank you for the instructions though. :thumbsup:

Anyway....new logs.....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:55 AM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [WinPatrol] C:\Documents and Settings\Admin\Desktop\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 9091 bytes


ComboFix 07-11-19.4 - Admin 2007-11-28 9:36:35.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.388 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\Fonts\svchost.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-27 21:22 <DIR> d-------- C:\Program Files\CCleaner
2007-11-26 19:51 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2007-11-26 19:49 7,106,392 --a------ C:\Program Files\ITP32Eng.exe
2007-11-26 15:23 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-11-24 08:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BigFish
2007-11-24 07:57 <DIR> d-------- C:\Program Files\Amazing Adventures - The Lost Tomb
2007-11-20 10:24 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-20 10:12 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\HouseCall 6.6
2007-11-18 19:51 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\WinPatrol
2007-11-18 09:44 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-11-18 07:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-17 14:17 <DIR> d-------- C:\GameRival
2007-11-17 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-17 09:58 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\SiteAdvisor
2007-11-15 14:42 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Twilight Games
2007-11-15 12:02 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Uniblue
2007-11-15 07:14 <DIR> d-------- C:\Program Files\Ballhalla
2007-11-15 07:14 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Land Of Runes
2007-11-15 07:12 <DIR> d-------- C:\Program Files\Gallop for Gold
2007-11-15 07:11 <DIR> d-------- C:\Program Files\Land of Runes
2007-11-15 07:10 <DIR> d-------- C:\Program Files\Mythic Pearls - The Legend of Tirnanog
2007-11-15 06:58 <DIR> d-------- C:\Program Files\Lucky Clover
2007-11-14 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2007-11-14 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2007-11-14 20:43 <DIR> d-------- C:\Program Files\Common Files\logishrd
2007-11-14 07:19 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\McAfee
2007-11-14 06:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-14 04:21 215,552 --a------ C:\WINDOWS\system32\dllcache\osk.exe
2007-11-14 04:21 72,704 --a------ C:\WINDOWS\system32\dllcache\magnify.exe
2007-11-14 04:21 53,760 --a------ C:\WINDOWS\system32\dllcache\narrator.exe
2007-11-14 04:21 50,176 --a------ C:\WINDOWS\system32\dllcache\utilman.exe
2007-11-14 04:21 35,840 --a------ C:\WINDOWS\system32\dllcache\umandlg.dll
2007-11-13 09:16 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-11-13 07:55 <DIR> d-------- C:\Program Files\CONEXANT
2007-11-12 20:42 <DIR> d-------- C:\Documents and Settings\Admin\.housecall6.6
2007-11-12 17:28 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-12 16:57 <DIR> d-------- C:\WINDOWS\B3673A4EBAA249608563002F00B68E53.TMP
2007-11-12 16:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-12 15:58 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-11-10 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fugazo
2007-11-10 07:23 <DIR> d-------- C:\Program Files\Diner Dash Hometown Hero
2007-11-05 06:14 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Eyeblaster
2007-11-02 06:19 <DIR> d-------- C:\Program Files\Val`Gor
2007-11-02 06:17 <DIR> d-------- C:\Program Files\Heroes of Hellas
2007-10-30 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NeptunesAdve

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 05:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-28 03:49 --------- d-----w C:\Documents and Settings\Admin\Application Data\LimeWire
2007-11-26 23:35 --------- d-----w C:\Program Files\iTunes
2007-11-26 22:31 --------- d-----w C:\Program Files\McAfee
2007-11-26 03:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-11-26 01:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-25 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-11-24 13:49 --------- d-----w C:\Program Files\iWin.com
2007-11-21 16:09 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-17 14:40 --------- d-----w C:\Documents and Settings\Admin\Application Data\iWin
2007-11-15 02:51 --------- d-----w C:\Program Files\Logitech
2007-11-15 01:08 --------- d-----w C:\Program Files\Peggle Deluxe
2007-11-15 01:07 --------- d-----w C:\Program Files\Mysteryville 2
2007-11-15 01:07 --------- d-----w C:\Program Files\Mortimer Beckett And The Secrets Of Spooky Manor
2007-11-15 01:05 --------- d-----w C:\Program Files\Games
2007-11-14 13:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-14 11:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-13 15:36 --------- d-----w C:\Program Files\MSBuild
2007-11-11 00:03 147,456 ----a-w C:\WINDOWS\system32\vbzip10.dll
2007-11-06 20:15 --------- d-----w C:\Program Files\iPod
2007-11-06 20:09 --------- d-----w C:\Program Files\QuickTime
2007-11-02 12:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-10-28 18:59 --------- d-----w C:\Documents and Settings\Admin\Application Data\funkitron
2007-10-27 16:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\SugarGames
2007-10-26 15:32 --------- d-----w C:\Documents and Settings\Admin\Application Data\Abra Academy2
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-24 12:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\eGames
2007-10-24 12:42 --------- d-----w C:\Documents and Settings\Admin\Application Data\eGames
2007-10-22 05:44 --------- d-----w C:\Program Files\Burger Shop
2007-10-22 00:51 323,624 ----a-w C:\WINDOWS\system32\wiaaut.dll
2007-10-19 19:16 2,109,976 ----a-w C:\WINDOWS\system32\drivers\Lvckap.sys
2007-10-19 13:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\FireGlow
2007-10-19 12:13 --------- d-----w C:\Documents and Settings\Admin\Application Data\Super-Cow
2007-10-15 15:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-10-15 15:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\PlayFirst
2007-10-15 14:41 --------- d-----w C:\Documents and Settings\Admin\Application Data\ViquaSoft
2007-10-12 08:00 490,008 ----a-w C:\WINDOWS\system32\LVUI2.dll
2007-10-12 08:00 465,432 ----a-w C:\WINDOWS\system32\LVUI2RC.dll
2007-10-12 08:00 41,752 ----a-w C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-10-12 07:57 416,280 ----a-w C:\WINDOWS\system32\lvcodec2.dll
2007-10-12 07:57 195,096 ----a-w C:\WINDOWS\system32\lvci1150.dll
2007-10-12 07:56 13,848 ----a-w C:\WINDOWS\system32\drivers\lv302af.sys
2007-10-12 07:56 1,279,000 ----a-w C:\WINDOWS\system32\drivers\LV302V32.SYS
2007-10-12 07:18 21,138 ----a-w C:\WINDOWS\system32\Repository.reg
2007-10-12 00:59 25,624 ----a-w C:\WINDOWS\system32\drivers\LVPr2Mon.sys
2007-10-12 00:59 2,142,488 ----a-w C:\WINDOWS\system32\drivers\LVMVdrv.sys
2007-10-12 00:15 85,302 ----a-w C:\WINDOWS\system32\drivers\LVFeL002.cfg
2007-10-12 00:15 69,592 ----a-w C:\WINDOWS\system32\drivers\LVFaL000.cfg
2007-10-12 00:15 227,172 ----a-w C:\WINDOWS\system32\drivers\LVFeL000.cfg
2007-10-12 00:15 146,680 ----a-w C:\WINDOWS\system32\drivers\LVFeL001.cfg
2007-10-11 06:01 --------- d-----w C:\Documents and Settings\Admin\Application Data\Legends of pirates
2007-10-10 17:18 --------- d-----w C:\Program Files\Java
2007-10-09 14:00 --------- d-----w C:\Program Files\Cyberlink
2007-10-09 13:53 --------- d-----w C:\Program Files\VLC Video player
2007-10-09 13:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\dvdcss
2007-10-09 13:33 --------- d-----w C:\Program Files\InterActual
2007-10-04 14:50 --------- d-----w C:\Documents and Settings\Admin\Application Data\ForgottenRiddles
2007-09-30 22:39 --------- d-----w C:\Documents and Settings\Admin\Application Data\Apple Computer
2007-09-30 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2007-09-24 23:48 873,608 ----a-w C:\Program Files\BitTorrent-6.0.exe
2007-09-24 23:42 59,575 ----a-w C:\Program Files\Zeitgeist.DVDRip.XviD.torrent
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-08-06 20:37 8,717,752 ----a-w C:\Program Files\pal_install_qt_a105_r42004_p115.exe
2007-07-24 02:04 308,888 -c--a-w C:\Program Files\Install_AIM.exe
2007-07-15 23:07 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2007-07-15 23:05 482,512 -c--a-w C:\Program Files\realarcade_ambient_stub.exe
2007-07-11 06:23 15,732,984 -c--a-w C:\Program Files\GoogleEarthWin.exe
2007-06-23 17:13 177,152 -c--a-w C:\Program Files\utorrent.exe
2007-05-17 05:00 3,676,952 -c--a-w C:\Program Files\DivXWebPlayerInstaller.exe
2007-05-03 20:06 728,624 -c--a-w C:\Program Files\aolsetup.exe
2007-05-03 20:06 4,424 -c--a-w C:\Program Files\aolsetup.bin
2007-05-03 20:06 1,544 -c--a-w C:\Program Files\main.ini
.

((((((((((((((((((((((((((((( snapshot@2007-11-27_ 9.09.08.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 14:11:35 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-28 12:39:45 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-27 14:11:35 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-28 12:39:45 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-27 14:11:35 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-28 12:39:45 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-12-07 21:28]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:21]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 16:43]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 16:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-02 22:12 C:\WINDOWS\SOUNDMAN.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 09:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 09:44]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 13:46 C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33]
"MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 09:00]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37]
"WinPatrol"="C:\Documents and Settings\Admin\Desktop\WinPatrol\winpatrol.exe" [2007-10-26 10:06]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-12-07 21:28]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-08-20 04:04 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-04-30 12:42:09]
PalStart.lnk - C:\Program Files\Paltalk Messenger\palstart.exe [2007-05-25 11:55:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoRecentDocsMenu"= 1 (0x1)
"NoRecentDocsHistory"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoRecentDocsMenu"= 1 (0x1)
"NoRecentDocsHistory"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\Windowblinds\wbsrv.dll 2005-12-06 22:16 176128 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

S3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Windows Sidebar]
C:\WINDOWS\system32\hidec /W C:\VAIO\Tools\REGTLIB.EXE "C:\Program Files\Windows Sidebar\sidebar.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"C:\Program Files\Windows Sidebar\.\regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"C:\Program Files\Windows Sidebar\.\regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BADA65A0-86B7-462B-B720-CE66655C73F5}]
regsvr32 /s C:\VAIO\.\vshellext.dll
.
Contents of the 'Scheduled Tasks' folder
"2007-11-27 19:49:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-15 08:18:58 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-11-01 06:01:03 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-11-23 21:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2007-11-28 15:40:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{9BCAFF5A-2C0A-4711-BCDD-7C1115F94A22}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 09:41:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-28 9:43:20
C:\ComboFix2.txt ... 2007-11-27 23:58
C:\ComboFix3.txt ... 2007-11-27 21:53
.
--- E O F ---


Now I'm really ready for the good news!
