Scprot4.exe, Ultimate Defender


16 replies to this topic

#1 I Chimera

Posted 18 November 2007 - 12:31 PM

Hi,
My PC has become infected with scprot4.exe and Ultimate Defender. Norton cannot find or delete these items; however, I keep receiving warnings about Trojan.Vundo and downloaders, which are blocked but not removed from the system. My system is seriously unwell. I would welcome your expert advice.
Thanks in advance.
Here is the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:07:35, on 18/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [jpzdngjfykp] C:\WINDOWS\system32\ftecip.exe
O4 - HKLM\..\Run: [ScheduIe] C:\WINDOWS\nrchk.exe /i
O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\svchst.exe /i
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [34c768c7] rundll32.exe "C:\WINDOWS\system32\cubkcdyg.dll",b
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2EF3FB47-7B1E-4536-BA4D-51427BD45DFA} (Snapfish Drag and Drop upload plugin) - http://ie.pixaco.com/static/download/pixacodndupload.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/27464415e9f0e5...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://www.pussyharem.com/stream/mmp.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0039ACE.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 13059 bytes
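The O4 entries in the log above are what the helpers on this forum eyeball for lookalike and typosquat names: a Run value called "ScheduIe" (capital I standing in for l), "svchst.exe" one letter short of svchost.exe, and random-looking binaries launched from the Windows root. As an added example (not part of the original thread), the Python script below applies those same checks to the O4 lines copied from the log; the component-name list, the vowel-ratio threshold and the other cut-offs are this example's own assumptions, not anything the helpers stated.

```python
"""Heuristic triage of HijackThis O4 (autorun) entries.

Added example, not part of the original thread. Encodes what the helpers look
for by eye: Run-key names imitating Windows components through lookalike letters
(capital I for l in "ScheduIe"), binaries one edit from a system process name
("svchst" vs "svchost"), vowel-starved random names, executables launched from
the %WINDIR% root, rundll32 loading a DLL by a one-letter export, and 8-digit hex
value names. The name list and thresholds are this example's own assumptions.
"""
import ntpath
import re

# O4 lines copied from the HijackThis log posted above.
HJT_O4_LINES = r"""
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [jpzdngjfykp] C:\WINDOWS\system32\ftecip.exe
O4 - HKLM\..\Run: [ScheduIe] C:\WINDOWS\nrchk.exe /i
O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\svchst.exe /i
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [34c768c7] rundll32.exe "C:\WINDOWS\system32\cubkcdyg.dll",b
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
"""

# Windows component names that malware likes to imitate (example's own list).
SYSTEM_NAMES = {"schedule", "scheduler", "svchost", "ctfmon", "lsass", "winlogon",
                "services", "explorer", "spoolsv", "smss", "csrss"}
LOOKALIKES = str.maketrans({"I": "l", "1": "l", "0": "o"})  # common substitutions
WINDIR_ROOTS = {r"c:\windows", "%systemroot%", "%windir%"}
WINDIR_ROOT_OK = {"explorer.exe"}  # the one autorun binary expected to live there

O4_RE = re.compile(r"^O4 - \S+\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
RUNDLL_RE = re.compile(r'^"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)')


def strip_ext(token):
    return re.sub(r"\.(exe|dll)$", "", token, flags=re.I)


def edit_distance(a, b):
    """Levenshtein distance; names are short, so the quadratic table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitates_system_name(token):
    """Reason string if token mimics a Windows component name, else None."""
    plain = strip_ext(token).lower()
    src = token.lower() if token.isupper() else token  # all-caps carries no lookalike-I signal
    normalized = strip_ext(src.translate(LOOKALIKES)).lower()
    if normalized in SYSTEM_NAMES:
        # Only a problem when the lookalike substitution was needed to get there.
        return None if plain == normalized else f"has lookalike letters imitating '{normalized}'"
    for legit in sorted(SYSTEM_NAMES):
        if edit_distance(normalized, legit) == 1:
            return f"is one edit away from '{legit}'"
    return None


def looks_random(token):
    """Vowel-starved names such as nrchk, jpzdngjfykp, cubkcdyg (a rough heuristic)."""
    letters = [c for c in strip_ext(token).lower() if c.isalpha()]
    if len(letters) < 5 or "".join(letters) in SYSTEM_NAMES:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def parse_command(cmd):
    """Split an O4 command into (program, arguments); unquoted paths end at the first space."""
    if cmd.startswith('"'):
        exe, _, rest = cmd[1:].partition('"')
    else:
        exe, _, rest = cmd.partition(" ")
    return exe, rest.strip()


def assess_entry(name, cmd):
    """Return the list of reasons this autorun entry deserves a closer look."""
    reasons = []
    if re.fullmatch(r"[0-9a-f]{8}", name.lower()):
        reasons.append(f"value name '{name}' is an 8-digit hex string")
    exe, rest = parse_command(cmd)
    exe_base = ntpath.basename(exe)
    checks = [("value name", name)]
    if exe_base.lower() == "rundll32.exe":
        m = RUNDLL_RE.match(rest)
        if m:  # judge the loaded DLL, not rundll32 itself
            dll_base = ntpath.basename(m.group("dll"))
            checks.append(("DLL", dll_base))
            if len(m.group("export")) <= 2:
                reasons.append(f"rundll32 calls the {len(m.group('export'))}-char export "
                               f"'{m.group('export')}' in {dll_base}")
    else:
        checks.append(("executable", exe_base))
        if ntpath.dirname(exe).lower() in WINDIR_ROOTS and exe_base.lower() not in WINDIR_ROOT_OK:
            reasons.append(f"executable '{exe_base}' runs from the Windows directory root")
    for label, token in checks:
        hit = imitates_system_name(token)
        if hit:
            reasons.append(f"{label} '{token}' {hit}")
        if looks_random(token):
            reasons.append(f"{label} '{token}' looks randomly generated")
    return reasons


def triage(log_text):
    """Map each O4 Run value name to its reasons; an empty list means nothing stood out."""
    results = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            results[m.group("name")] = assess_entry(m.group("name"), m.group("cmd"))
    return results


if __name__ == "__main__":
    for name, reasons in triage(HJT_O4_LINES).items():
        print(f"[{name}]", "; ".join(reasons) if reasons else "nothing stood out")
```

The legitimate entries in the sample (Acrobat Assistant, ccApp, KernelFaultCheck, ctfmon) come back clean while the four Vundo-style entries and the rundll32 line each get at least one reason; ftecip.exe itself slips past the name heuristics and is caught only through its random value name, which is why such output is a triage aid rather than a verdict.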

#2 Aaflac
  • Malware Response Team

Posted 23 November 2007 - 07:03 PM

Apologies for the delay in responding.

The workload on this forum is intense, and sometimes it is not possible to respond to every inquiry.

Please disable Spybot Search and Destroy TeaTimer, as it may interfere with what we are trying to accomplish:
  • Open Spybot Search & Destroy
  • In the Mode menu, click Advanced Mode, if not already selected.
  • Select: Yes at the Warning prompt.
  • Expand the Tools menu.
  • Click: Resident
  • Uncheck the Resident TeaTimer (Protection of overall system settings) active.
  • In the File menu, click Exit.
Restart the computer!!

~~~~
Next, download ComboFix.
Save it to the Desktop <<< Important!!

Now, go to Start > Run, and copy/paste the following command in the Open box:

"%userprofile%\desktop\combofix.exe" /killall

Example: [screenshot not reproduced]

Click: OK

Follow the prompts to install ComboFix.
Then, type 1 and press Enter to begin the scan.

Do not mouse-click the ComboFix window while it runs. It may cause it to stall.

When finished, a log, ComboFix.txt, is produced.

~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please post the ComboFix.txt and a new HijackThis log in your reply.

Old duck...


#3 I Chimera
  • Topic Starter

Posted 25 November 2007 - 01:41 AM

Hi,
Thanks for the reply. It took a while, but I knew you'd come good. :blink:
I encountered a problem running ComboFix. Something about not being able to locate an SED file? On the restart it took up 100% CPU. I just ended the process 'sed.cfexe', but it didn't seem to affect the ability to generate a log, thankfully. Also, I discovered I'm a Google whack on the process ftecip.exe. At least I got something out of it. :thumbsup:


ComboFix 07-11-19.3 - James 2007-11-25 5:22:25.1 - NTFSx86
Running from: C:\Documents and Settings\James\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\James\Application Data\EHMD5.dll
C:\Documents and Settings\James\Application Data\MBSIconPlugin1635.dll
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\Ultimate Defender
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ddaby.dll
C:\WINDOWS\system32\fibagbia
C:\WINDOWS\system32\fibagbia\bg1.gif
C:\WINDOWS\system32\fibagbia\bgtop.gif
C:\WINDOWS\system32\fibagbia\bottom1.gif
C:\WINDOWS\system32\fibagbia\essentials.gif
C:\WINDOWS\system32\fibagbia\fibagbia1.exe
C:\WINDOWS\system32\fibagbia\fibagbia2.exe
C:\WINDOWS\system32\fibagbia\fibagbia3.exe
C:\WINDOWS\system32\fibagbia\icon1.ico
C:\WINDOWS\system32\fibagbia\install1.gif
C:\WINDOWS\system32\fibagbia\left1.gif
C:\WINDOWS\system32\fibagbia\li.gif
C:\WINDOWS\system32\fibagbia\logo.gif
C:\WINDOWS\system32\fibagbia\main.htm
C:\WINDOWS\system32\fibagbia\mainframe.htm
C:\WINDOWS\system32\fibagbia\reinstall1.gif
C:\WINDOWS\system32\fibagbia\right1.gif
C:\WINDOWS\system32\fibagbia\s1.htm
C:\WINDOWS\system32\fibagbia\s2.htm
C:\WINDOWS\system32\fibagbia\s3.htm
C:\WINDOWS\system32\fibagbia\SMTop1.gif
C:\WINDOWS\system32\fibagbia\SMTop2.gif
C:\WINDOWS\system32\fibagbia\SMTop3.gif
C:\WINDOWS\system32\fibagbia\SMTop4.gif
C:\WINDOWS\system32\fibagbia\soft1_off.gif
C:\WINDOWS\system32\fibagbia\soft1_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft1_on.gif
C:\WINDOWS\system32\fibagbia\soft1_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_off.gif
C:\WINDOWS\system32\fibagbia\soft2_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_on.gif
C:\WINDOWS\system32\fibagbia\soft2_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_off.gif
C:\WINDOWS\system32\fibagbia\soft3_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_on.gif
C:\WINDOWS\system32\fibagbia\soft3_on_ext.gif
C:\WINDOWS\system32\fibagbia\softbottom_off.gif
C:\WINDOWS\system32\fibagbia\softbottom_on.gif
C:\WINDOWS\system32\fibagbia\softleft_off.gif
C:\WINDOWS\system32\fibagbia\softleft_on.gif
C:\WINDOWS\system32\fibagbia\top1.gif
C:\WINDOWS\system32\fibagbia\top2.gif
C:\WINDOWS\system32\fibagbia\turnoff1.gif
C:\WINDOWS\system32\fibagbia\turnon1.gif
C:\WINDOWS\system32\fkmdvbtn
C:\WINDOWS\system32\fkmdvbtn\bg1.gif
C:\WINDOWS\system32\fkmdvbtn\bgtop.gif
C:\WINDOWS\system32\fkmdvbtn\bottom1.gif
C:\WINDOWS\system32\fkmdvbtn\essentials.gif
C:\WINDOWS\system32\fkmdvbtn\fkmdvbtn1.exe
C:\WINDOWS\system32\fkmdvbtn\fkmdvbtn2.exe
C:\WINDOWS\system32\fkmdvbtn\fkmdvbtn3.exe
C:\WINDOWS\system32\fkmdvbtn\icon1.ico
C:\WINDOWS\system32\fkmdvbtn\install1.gif
C:\WINDOWS\system32\fkmdvbtn\left1.gif
C:\WINDOWS\system32\fkmdvbtn\li.gif
C:\WINDOWS\system32\fkmdvbtn\logo.gif
C:\WINDOWS\system32\fkmdvbtn\main.htm
C:\WINDOWS\system32\fkmdvbtn\mainframe.htm
C:\WINDOWS\system32\fkmdvbtn\reinstall1.gif
C:\WINDOWS\system32\fkmdvbtn\right1.gif
C:\WINDOWS\system32\fkmdvbtn\s1.htm
C:\WINDOWS\system32\fkmdvbtn\s2.htm
C:\WINDOWS\system32\fkmdvbtn\s3.htm
C:\WINDOWS\system32\fkmdvbtn\SMTop1.gif
C:\WINDOWS\system32\fkmdvbtn\SMTop2.gif
C:\WINDOWS\system32\fkmdvbtn\SMTop3.gif
C:\WINDOWS\system32\fkmdvbtn\SMTop4.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_off.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_off_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_on.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_on_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_off.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_off_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_on.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_on_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_off.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_off_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_on.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_on_ext.gif
C:\WINDOWS\system32\fkmdvbtn\softbottom_off.gif
C:\WINDOWS\system32\fkmdvbtn\softbottom_on.gif
C:\WINDOWS\system32\fkmdvbtn\softleft_off.gif
C:\WINDOWS\system32\fkmdvbtn\softleft_on.gif
C:\WINDOWS\system32\fkmdvbtn\top1.gif
C:\WINDOWS\system32\fkmdvbtn\top2.gif
C:\WINDOWS\system32\fkmdvbtn\turnoff1.gif
C:\WINDOWS\system32\fkmdvbtn\turnon1.gif
C:\WINDOWS\SYSTEM32\hgjlm.ini
C:\WINDOWS\SYSTEM32\hgjlm.ini2
C:\WINDOWS\SYSTEM32\kjkmp.bak1
C:\WINDOWS\SYSTEM32\kjkmp.bak2
C:\WINDOWS\SYSTEM32\kjkmp.ini
C:\WINDOWS\SYSTEM32\kjkmp.ini2
C:\WINDOWS\SYSTEM32\kjkmp.tmp
C:\WINDOWS\SYSTEM32\ybadd.ini
C:\WINDOWS\SYSTEM32\ybadd.ini2

.
((((((((((((((((((((((((( Files Created from 2007-10-25 to 2007-11-25 )))))))))))))))))))))))))))))))
.

2007-11-18 16:43 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-16 10:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 03:18 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-16 03:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-16 03:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 19:15 <DIR> d-------- C:\Documents and Settings\James\Application Data\AVG7
2007-11-15 19:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-13 23:32 <DIR> d-------- C:\Program Files\mrypwdyl
2007-11-02 19:50 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-11-02 19:48 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-11-01 22:39 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-01 22:38 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-11-01 22:38 <DIR> d-------- C:\Documents and Settings\James\Application Data\PC Tools
2007-11-01 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-01 16:11 <DIR> d-------- C:\Program Files\Security Task Manager
2007-10-31 22:58 <DIR> d-------- C:\Program Files\Kxtlvkqt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-25 05:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-25 04:55 84,345 ----a-w C:\WINDOWS\SYSTEM32\mqjknroy.dll
2007-11-25 04:55 81,472 ----a-w C:\WINDOWS\SYSTEM32\tcpvhduo.dll
2007-11-25 04:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-23 19:42 84,345 ----a-w C:\WINDOWS\SYSTEM32\eamgpgjc.dll
2007-11-23 19:39 83,520 ----a-w C:\WINDOWS\SYSTEM32\xvduqgvl.dll
2007-11-23 11:17 --------- d-----w C:\Documents and Settings\James\Application Data\Skype
2007-11-20 14:41 84,544 ----a-w C:\WINDOWS\SYSTEM32\rsgefjln.dll
2007-11-20 14:41 84,345 ----a-w C:\WINDOWS\SYSTEM32\jtnrpoaw.dll
2007-11-19 09:21 84,345 ----a-w C:\WINDOWS\SYSTEM32\dgptswdy.dll
2007-11-18 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-16 12:36 --------- d-----w C:\Program Files\MyWay
2007-11-15 03:41 --------- d-----w C:\Program Files\AutoCAD 2005
2007-11-14 11:54 4,000 ----a-w C:\WINDOWS\SYSTEM32\rngbvfbp.dll
2007-11-05 21:40 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-05 21:40 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-11-05 21:40 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-05 21:40 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-05 21:40 --------- d-----w C:\Program Files\Symantec
2007-11-02 19:36 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-02 19:01 --------- d-----w C:\Program Files\Norton Password Manager
2007-11-01 22:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-01 22:13 --------- d-----w C:\Program Files\Macromedia
2007-11-01 22:06 5,408 ----a-w C:\WINDOWS\SYSTEM32\dlkocnjm.dll
2007-11-01 21:54 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-11-01 21:50 --------- d-----w C:\Program Files\LimeWire
2007-11-01 21:50 --------- d-----w C:\Program Files\Canasta
2007-10-31 21:50 --------- d-----w C:\Documents and Settings\James\Application Data\Symantec
2007-10-31 21:33 --------- d-----w C:\Documents and Settings\Margaret\Application Data\Symantec
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-25 10:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-23 16:35 --------- d-----w C:\Program Files\Program Files
2007-10-23 00:40 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-18 10:15 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-16 01:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-15 19:47 --------- d-----w C:\Documents and Settings\James\Application Data\Download Manager
2007-10-04 20:12 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-04 20:09 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-04 17:11 29,000 ----a-w C:\WINDOWS\system32\drivers\kcom.sys
2007-10-04 17:10 79,688 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-04 17:10 62,280 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-04 17:10 41,288 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-29 14:18 577,928 ----a-w C:\WINDOWS\SYSTEM32\SymNeti.dll
2006-02-28 02:33 18,432 ---ha-w C:\Documents and Settings\James\Application Data\EHEncrypt.dll
1997-07-14 12:45 1,031,793 ----a-w C:\Documents and Settings\James\disk.exe
2005-05-05 15:34 56 --sh--r C:\WINDOWS\SYSTEM32\CF303D40FA.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29609901-621B-4D71-99AA-5D6C632E2B69}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A8C2C57-93A7-0675-5A40-098909C6F6CC}]
C:\Program Files\Kxtlvkqt\rztxkuim.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A6D65A2-EB8A-4ECB-9334-BF24B4B608B2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-25 03:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60E2746A-9C2E-45A2-85CE-7E1A8A890961}]
C:\WINDOWS\system32\gebcyaa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-11-02 19:49 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9FB5B4F9-A1FD-4BF7-AB33-DFD869CF3689}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACBDB067-71BF-42BE-BFEB-029F17FC4889}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B79F1537-C852-411F-947A-A1EAB2A56F24}]
C:\WINDOWS\system32\mljgh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 03:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 03:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"satmat"="C:\WINDOWS\satmat.exe" []
"jpzdngjfykp"="C:\WINDOWS\system32\ftecip.exe" []
"ScheduIe"="C:\WINDOWS\nrchk.exe" []
"SheduIer"="C:\WINDOWS\svchst.exe" []
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 07:56]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-02 19:38]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-23 16:18]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 04:53]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56]

C:\Documents and Settings\Margaret\Start Menu\Programs\Startup
PowerReg Scheduler V3.exe [2006-04-21 10:41:11]

C:\Documents and Settings\James\Start Menu\Programs\Startup
PowerReg Scheduler V3.exe [2006-02-25 04:01:13]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-03-04 01:27:54]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 06:05:26]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 01:35:22]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-08-22 18:10:55]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{60E2746A-9C2E-45A2-85CE-7E1A8A890961}"= C:\WINDOWS\system32\gebcyaa.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcyaa]
gebcyaa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\req]
C:\WINDOWS\system32\req.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrzf32]
winrzf32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddaby.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PageKeeper Jobs.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PageKeeper Jobs.lnk
backup=C:\WINDOWS\pss\PageKeeper Jobs.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^James^Start Menu^Programs^Startup^OCRAWARE.lnk]
path=C:\Documents and Settings\James\Start Menu\Programs\Startup\OCRAWARE.lnk
backup=C:\WINDOWS\pss\OCRAWARE.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\34c768c7]
rundll32.exe C:\WINDOWS\system32\cubkcdyg.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
c:\program files\altnet\points manager\points manager.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-10-23 16:18 51048 --a------ C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\city axis software mapi]
C:\Documents and Settings\All Users\Application Data\Cool trust city axis\borestupid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
C:\Program Files\Common Files\CMEII\CMESys.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
rundll32.exe C:\WINDOWS\system32\drvxoh.dll,startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2003-08-06 01:04 114741 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 10:27 28672 --a------ C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\etbrun]
C:\windows\system32\elitecog32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\farmmext]
C:\WINDOWS\farmmext.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
C:\WINDOWS\NeroCheck.exe /i

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hyfcxodo]
rundll32.exe C:\Program Files\jwrqtirk\talslapi.dll,Init

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-09-12 00:58 229952 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoreResults]
C:\Program Files\MoreResults\MoreResults.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 14:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-26 19:47 204800 --------- C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Protection]
C:\WINDOWS\runtask.exe C:\WINDOWS\protection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Quicktime]
C:\WINDOWS\qttasks.exe /i

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:Program FilesQuickTimeqttask.exe -atboottime

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregramexp]
C:WINDOWSramex.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregRealPlayer]
C:Program FilesRealRealPlayerrealplay.exe /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregREGSHAVE]
C:Program FilesREGSHAVEREGSHAVE.EXE /AUTORUN

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregrwlyvkve]
rundll32.exe C:Program Filesmrypwdylofavkbon.dll,Init

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSAHAgent]
C:WINDOWSSystem32SahAgent.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSC2]
C:Program FilesSecCenterscprot4.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSkype]
C:Program FilesSkypePhoneSkype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSonic RecordNow!]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregSony Ericsson PC Suite]
C:Program FilesSony EricssonMobile2Application LauncherApplication Launcher.exe /startoptions

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregTkBellExe]
C:Program FilesCommon FilesRealUpdate_OBrealsched.exe -osboot

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregupdmgr]
C:Program FilesCommon filesupdmgrupdmgr.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregViewpointPhotosDeviceConnect]
2005-11-21 22:57 140880 --a------ C:Program FilesViewpointViewpoint Toolbar V35FotomatDeviceConnect.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregwarez]
C:Program FilesWarezWarez.exe /minimized

R2 LiveUpdate Notice;LiveUpdate Notice;"C:Program FilesCommon FilesSymantec SharedccSvcHst.exe" /h ccCommon
R2 ScanDrv;ScanDrv;C:WINDOWSsystem32driversScanDrv.sys
R3 SymIMMP;SymIMMP;C:WINDOWSsystem32DRIVERSSymIM.sys
S3 COH_Mon;COH_Mon;??C:WINDOWSsystem32DriversCOH_Mon.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:WINDOWSsystem32DRIVERSSymIM.sys

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-19 23:59:47 C:WINDOWSTasksNorton Internet Security - Run Full System Scan - James.job"
- C:Program FilesNorton Internet SecurityNorton AntiVirusNavw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 05:49:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-25 6:17:00 - machine was rebooted
.
--- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:23:08, on 25/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesCommon FilesSymantec SharedccSvcHst.exe
C:Program FilesCommon FilesSymantec SharedCCPD-LCsymlcsvc.exe
C:Program FilesLavasoftAd-Aware 2007aawservice.exe
C:WINDOWSsystem32LEXBCES.EXE
C:WINDOWSsystem32LEXPPS.EXE
C:WINDOWSsystem32spoolsv.exe
C:Program FilesSymantecLiveUpdateAluSchedulerSvc.exe
C:WINDOWSSystem32nvsvc32.exe
C:WINDOWSExplorer.EXE
C:Program FilesAdobeAcrobat 8.0AcrobatAcrotray.exe
C:Program FilesCommon FilesRealUpdate_OBrealsched.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesCommon FilesSymantec SharedccSvcHst.exe
C:Program FilesCommon FilesMacrovision SharedFLEXnet PublisherFNPLicensingService.exe
C:WINDOWSsystem32taskmgr.exe
C:WINDOWSsystem32notepad.exe
C:Program FilesOutlook Expressmsimn.exe
C:Program FilesMessengermsmsgs.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet Explorer,(Default) = www.google.com
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerSearch,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKCUSoftwareMicrosoftInternet ExplorerSearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:Program FilesSkypeToolbarsInternet ExplorerSkypeIEPlugin.dll
O2 - BHO: (no name) - {29609901-621B-4D71-99AA-5D6C632E2B69} - (no file)
O2 - BHO: (no name) - {2A8C2C57-93A7-0675-5A40-098909C6F6CC} - C:Program FilesKxtlvkqtrztxkuim.dll (file missing)
O2 - BHO: (no name) - {3A6D65A2-EB8A-4ECB-9334-BF24B4B608B2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:PROGRA~1SPYBOT~1SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:Program FilesCommon FilesSymantec SharedcoSharedBrowser2.0coIEPlg.dll
O2 - BHO: (no name) - {60E2746A-9C2E-45A2-85CE-7E1A8A890961} - C:WINDOWSsystem32gebcyaa.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:PROGRA~1COMMON~1SYMANT~1IDSIPSBHO.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:Program FilesCommon FilesMicrosoft SharedWindows LiveWindowsLiveLogin.dll
O2 - BHO: (no name) - {9FB5B4F9-A1FD-4BF7-AB33-DFD869CF3689} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:Program FilesViewpointViewpoint Toolbar V35ViewBarBHO.dll
O2 - BHO: (no name) - {ACBDB067-71BF-42BE-BFEB-029F17FC4889} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll
O2 - BHO: (no name) - {B79F1537-C852-411F-947A-A1EAB2A56F24} - C:WINDOWSsystem32mljgh.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:Program FilesWindows Live Toolbarmsntb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:Program FilesViewpointViewpoint Toolbar V35ViewBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:Program FilesWindows Live Toolbarmsntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:Program FilesCommon FilesSymantec SharedcoSharedBrowser2.0CoIEPlg.dll
O4 - HKLM..Run: [satmat] C:WINDOWSsatmat.exe
O4 - HKLM..Run: [jpzdngjfykp] C:WINDOWSsystem32ftecip.exe
O4 - HKLM..Run: [ScheduIe] C:WINDOWSnrchk.exe /i
O4 - HKLM..Run: [SheduIer] C:WINDOWSsvchst.exe /i
O4 - HKLM..Run: [Acrobat Assistant 8.0] "C:Program FilesAdobeAcrobat 8.0AcrobatAcrotray.exe"
O4 - HKLM..Run: [MSConfig] C:WINDOWSPCHealthHelpCtrBinariesMSConfig.exe /auto
O4 - HKLM..Run: [TkBellExe] "C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot
O4 - HKLM..Run: [ccApp] "C:Program FilesCommon FilesSymantec SharedccApp.exe"
O4 - HKLM..Run: [osCheck] "C:Program FilesNorton Internet SecurityosCheck.exe"
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKUSS-1-5-18..Run: [CTFMON.EXE] C:WINDOWSSystem32CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSSystem32CTFMON.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:Program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:Program FilesAdobeAcrobat 7.0Readerreader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:Program FilesCommon FilesAutodesk Sharedacstart16.exe
O4 - Global Startup: dlbcserv.lnk = C:Program FilesDell Photo Printer 720dlbcserv.exe
O8 - Extra context menu item: &Google Search - res://c:program filesgoogleGoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:Program FilesViewpointViewpoint Toolbar V35ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:Program FilesWindows Live Toolbarmsntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://c:program filesgoogleGoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:program filesgoogleGoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~3OFFICE11EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:program filesgoogleGoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:program filesgoogleGoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:WINDOWSSystem32msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:WINDOWSSystem32msjava.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:Program FilesSkypeToolbarsInternet ExplorerSkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:WINDOWSbdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:WINDOWSbdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~3OFFICE11REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:PROGRA~1SPYBOT~1SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:PROGRA~1SPYBOT~1SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2EF3FB47-7B1E-4536-BA4D-51427BD45DFA} (Snapfish Drag and Drop upload plugin) - http://ie.pixaco.com/static/download/pixacodndupload.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/27464415e9f0e5...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:Program FilesAutoCAD 2002AcDcToday.ocx
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://www.pussyharem.com/stream/mmp.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:Program FilesAutoCAD 2002InstBanr.ocx
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:Program FilesAutoCAD 2002InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:Program FilesAutoCAD 2002AcPreview.ocx
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:PROGRA~1COMMON~1SkypeSKYPE4~1.DLL
O20 - Winlogon Notify: gebcyaa - gebcyaa.dll (file missing)
O20 - Winlogon Notify: req - C:WINDOWSsystem32req.dll (file missing)
O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:Program FilesLavasoftAd-Aware 2007aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:Program FilesCommon FilesAutodesk SharedServiceAdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:Program FilesSymantecLiveUpdateAluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedVAScannercomHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:Program FilesCommon FilesMacrovision SharedFLEXnet PublisherFNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:Program FilesiPodbiniPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:WINDOWSsystem32LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:Program FilesSymantecLiveUpdateLuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:Program FilesCommon FilesSymantec SharedccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:Program FilesIntelNCSSyncNetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:WINDOWSSystem32nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:Program FilesSpyware Doctorsvcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:Program FilesSpyware Doctorswdsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:Program FilesCommon FilesSymantec SharedCCPD-LCsymlcsvc.exe

--
End of file - 14832 bytes

#4 Aaflac
Malware Response Team, 2,307 posts, Location: USA

Posted 25 November 2007 - 11:28 PM

It is rather unusual that there are no back-slashes appearing in the paths of the entries contained in your logs.

As an example, a file path should read as follows:
C:\WINDOWS\SYSTEM32\mqjknroy.dll

...instead of:

C:WINDOWSSYSTEM32mqjknroy.dll


Were your logs copied from an email, or what was used to copy the logs?

Old duck...
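The two things worth checking in the log posted above are (a) whether the paste is even trustworthy, which is the back-slash problem Aaflac raises, and (b) which entries deserve a second look: load points whose target file is gone, names that imitate Windows binaries (svchst.exe for svchost.exe, a capital I standing in for l in ScheduIe and SheduIer), random-looking names like jpzdngjfykp, and executables launched straight from C:\WINDOWS. The script below is an added example, not part of this thread and not a HijackThis or BleepingComputer tool. Its sample input is a constructed subset of the HijackThis lines above with the back-slashes restored; the heuristics, thresholds and the list of imitated binaries are assumptions made for the example, not HijackThis rules.

```python
import re
from dataclasses import dataclass

# Constructed subset of the HijackThis log posted above, back-slashes restored. Sample input only.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {60E2746A-9C2E-45A2-85CE-7E1A8A890961} - C:\WINDOWS\system32\gebcyaa.dll (file missing)
O2 - BHO: (no name) - {29609901-621B-4D71-99AA-5D6C632E2B69} - (no file)
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [jpzdngjfykp] C:\WINDOWS\system32\ftecip.exe
O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\svchst.exe /i
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: gebcyaa - gebcyaa.dll (file missing)
O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
""".strip()

# Binaries that malware commonly imitates by name; an assumed list for this example.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                 "services.exe", "explorer.exe", "rundll32.exe", "spoolsv.exe", "ctfmon.exe"}

ENTRY = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.*)$")
LABEL = re.compile(r"\[(?P<label>[^\]]+)\]")                        # O4 Run value name
FULL_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|ocx)\b', re.I)
BARE_FILE = re.compile(r"[\w.-]+\.(?:exe|dll|sys|ocx)\b", re.I)     # O20 shows only a file name
WINDOWS_ROOT = re.compile(r"[A-Za-z]:\\windows\\[^\\]+", re.I)       # file directly in C:\WINDOWS
HOMOGLYPH = re.compile(r"[a-z]I[a-z]")                              # capital I posing as l
FLAT_PATH = re.compile(r"\b[A-Za-z]:(?=[A-Za-z])")                  # "C:WINDOWS": separator lost
GOOD_PATH = re.compile(r"\b[A-Za-z]:\\")


@dataclass
class Finding:
    line_no: int
    kind: str
    severity: str
    reason: str
    text: str


def paths_flattened(log_text: str) -> bool:
    """True when drive paths read C:WINDOWS... and no back-slash survives anywhere:
    the paste lost its separators and the log should be re-posted before acting on it."""
    return bool(FLAT_PATH.search(log_text)) and GOOD_PATH.search(log_text) is None


def within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    a, b = a.lower(), b.lower()
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(a) < len(b):
            j += 1
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) == 1


def looks_random(name: str) -> bool:
    """Crude randomness test: six or more letters with no vowel at all, or a run of
    five or more consonants. Thresholds are assumptions tuned not to fire on svchost/ctfmon."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 6:
        return False
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return not any(c in "aeiou" for c in letters) or longest_run >= 5


def analyze(log_text: str) -> list[Finding]:
    """Walk HijackThis-style lines and return the entries that deserve a second look."""
    findings: list[Finding] = []
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")

        def flag(severity: str, reason: str) -> None:
            findings.append(Finding(no, kind, severity, reason, line))

        if "(file missing)" in body or "(no file)" in body:
            # A Winlogon Notify DLL is loaded by winlogon.exe at every logon, so a dangling
            # O20 is both a leftover of the infection and a slot that can be refilled.
            flag("high" if kind == "O20" else "medium",
                 "load point whose target file is missing; remove the orphaned entry")

        path_m = FULL_PATH.search(body)
        file_m = BARE_FILE.search(body)
        basename = (path_m.group(0).rsplit("\\", 1)[-1] if path_m
                    else file_m.group(0) if file_m else None)
        if basename:
            stem = basename.rsplit(".", 1)[0]
            for core in CORE_BINARIES:
                if within_one_edit(basename, core):
                    flag("high", f"{basename} is one character away from {core}")
            if HOMOGLYPH.search(stem):
                flag("high", f"{basename} uses a capital I where an l would be expected")
            if looks_random(stem):
                flag("medium", f"{basename} has a random-looking name")
        if path_m and WINDOWS_ROOT.fullmatch(path_m.group(0)):
            flag("low", f"{basename} runs from the Windows directory itself, not a program folder")

        if kind == "O4" and (lm := LABEL.search(body)):
            label = lm.group("label")
            if HOMOGLYPH.search(label):
                flag("high", f"Run value '{label}' uses a capital I where an l would be expected")
            if looks_random(label):
                flag("medium", f"Run value '{label}' has a random-looking name")
    return findings


if __name__ == "__main__":
    if paths_flattened(SAMPLE_LOG):
        print("paths have lost their back-slashes; re-post the log before acting on it")
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no:>3} {f.kind:<4} {f.severity:<6} {f.reason}")
```

Run against the sample it flags every line except the Adobe BHO, ccApp and the NVIDIA service; the svchst.exe line alone collects four findings (lookalike name, no vowels, launched from C:\WINDOWS, and the I-for-l Run value). Feed it the log as pasted in the thread instead and paths_flattened() returns True, which is the cue to ask for a clean re-post, as Aaflac did, rather than guess at the paths.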


#5 I Chimera
Topic Starter, Members, 9 posts

Posted 26 November 2007 - 08:43 AM

Yeah, that is unusual. I didn't notice. I can't explain it. I copied directly from the text file and just pasted into the reply. Should I re-post the logs? The back-slash appears fine in the logs. No problem.

#6 Aaflac
Malware Response Team, 2,307 posts, Location: USA

Posted 26 November 2007 - 11:16 AM

Should I re-post the logs? The back-slash appears fine in the logs.

Please do.

Try copying the reports to Notepad, and then posting them here.

Old duck...


#7 I Chimera
Topic Starter, Members, 9 posts

Posted 26 November 2007 - 11:21 AM

ComboFix 07-11-19.3 - James 2007-11-25 5:22:25.1 - NTFSx86
Running from: C:\Documents and Settings\James\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\James\Application Data\EHMD5.dll
C:\Documents and Settings\James\Application Data\MBSIconPlugin1635.dll
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\Ultimate Defender
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ddaby.dll
C:\WINDOWS\system32\fibagbia
C:\WINDOWS\system32\fibagbia\bg1.gif
C:\WINDOWS\system32\fibagbia\bgtop.gif
C:\WINDOWS\system32\fibagbia\bottom1.gif
C:\WINDOWS\system32\fibagbia\essentials.gif
C:\WINDOWS\system32\fibagbia\fibagbia1.exe
C:\WINDOWS\system32\fibagbia\fibagbia2.exe
C:\WINDOWS\system32\fibagbia\fibagbia3.exe
C:\WINDOWS\system32\fibagbia\icon1.ico
C:\WINDOWS\system32\fibagbia\install1.gif
C:\WINDOWS\system32\fibagbia\left1.gif
C:\WINDOWS\system32\fibagbia\li.gif
C:\WINDOWS\system32\fibagbia\logo.gif
C:\WINDOWS\system32\fibagbia\main.htm
C:\WINDOWS\system32\fibagbia\mainframe.htm
C:\WINDOWS\system32\fibagbia\reinstall1.gif
C:\WINDOWS\system32\fibagbia\right1.gif
C:\WINDOWS\system32\fibagbia\s1.htm
C:\WINDOWS\system32\fibagbia\s2.htm
C:\WINDOWS\system32\fibagbia\s3.htm
C:\WINDOWS\system32\fibagbia\SMTop1.gif
C:\WINDOWS\system32\fibagbia\SMTop2.gif
C:\WINDOWS\system32\fibagbia\SMTop3.gif
C:\WINDOWS\system32\fibagbia\SMTop4.gif
C:\WINDOWS\system32\fibagbia\soft1_off.gif
C:\WINDOWS\system32\fibagbia\soft1_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft1_on.gif
C:\WINDOWS\system32\fibagbia\soft1_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_off.gif
C:\WINDOWS\system32\fibagbia\soft2_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_on.gif
C:\WINDOWS\system32\fibagbia\soft2_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_off.gif
C:\WINDOWS\system32\fibagbia\soft3_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_on.gif
C:\WINDOWS\system32\fibagbia\soft3_on_ext.gif
C:\WINDOWS\system32\fibagbia\softbottom_off.gif
C:\WINDOWS\system32\fibagbia\softbottom_on.gif
C:\WINDOWS\system32\fibagbia\softleft_off.gif
C:\WINDOWS\system32\fibagbia\softleft_on.gif
C:\WINDOWS\system32\fibagbia\top1.gif
C:\WINDOWS\system32\fibagbia\top2.gif
C:\WINDOWS\system32\fibagbia\turnoff1.gif
C:\WINDOWS\system32\fibagbia\turnon1.gif
C:\WINDOWS\system32\fkmdvbtn
C:\WINDOWS\system32\fkmdvbtn\bg1.gif
C:\WINDOWS\system32\fkmdvbtn\bgtop.gif
C:\WINDOWS\system32\fkmdvbtn\bottom1.gif
C:\WINDOWS\system32\fkmdvbtn\essentials.gif
C:\WINDOWS\system32\fkmdvbtn\fkmdvbtn1.exe
C:\WINDOWS\system32\fkmdvbtn\fkmdvbtn2.exe
C:\WINDOWS\system32\fkmdvbtn\fkmdvbtn3.exe
C:\WINDOWS\system32\fkmdvbtn\icon1.ico
C:\WINDOWS\system32\fkmdvbtn\install1.gif
C:\WINDOWS\system32\fkmdvbtn\left1.gif
C:\WINDOWS\system32\fkmdvbtn\li.gif
C:\WINDOWS\system32\fkmdvbtn\logo.gif
C:\WINDOWS\system32\fkmdvbtn\main.htm
C:\WINDOWS\system32\fkmdvbtn\mainframe.htm
C:\WINDOWS\system32\fkmdvbtn\reinstall1.gif
C:\WINDOWS\system32\fkmdvbtn\right1.gif
C:\WINDOWS\system32\fkmdvbtn\s1.htm
C:\WINDOWS\system32\fkmdvbtn\s2.htm
C:\WINDOWS\system32\fkmdvbtn\s3.htm
C:\WINDOWS\system32\fkmdvbtn\SMTop1.gif
C:\WINDOWS\system32\fkmdvbtn\SMTop2.gif
C:\WINDOWS\system32\fkmdvbtn\SMTop3.gif
C:\WINDOWS\system32\fkmdvbtn\SMTop4.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_off.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_off_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_on.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_on_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_off.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_off_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_on.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_on_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_off.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_off_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_on.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_on_ext.gif
C:\WINDOWS\system32\fkmdvbtn\softbottom_off.gif
C:\WINDOWS\system32\fkmdvbtn\softbottom_on.gif
C:\WINDOWS\system32\fkmdvbtn\softleft_off.gif
C:\WINDOWS\system32\fkmdvbtn\softleft_on.gif
C:\WINDOWS\system32\fkmdvbtn\top1.gif
C:\WINDOWS\system32\fkmdvbtn\top2.gif
C:\WINDOWS\system32\fkmdvbtn\turnoff1.gif
C:\WINDOWS\system32\fkmdvbtn\turnon1.gif
C:\WINDOWS\SYSTEM32\hgjlm.ini
C:\WINDOWS\SYSTEM32\hgjlm.ini2
C:\WINDOWS\SYSTEM32\kjkmp.bak1
C:\WINDOWS\SYSTEM32\kjkmp.bak2
C:\WINDOWS\SYSTEM32\kjkmp.ini
C:\WINDOWS\SYSTEM32\kjkmp.ini2
C:\WINDOWS\SYSTEM32\kjkmp.tmp
C:\WINDOWS\SYSTEM32\ybadd.ini
C:\WINDOWS\SYSTEM32\ybadd.ini2

.
((((((((((((((((((((((((( Files Created from 2007-10-25 to 2007-11-25 )))))))))))))))))))))))))))))))
.

2007-11-18 16:43 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-16 10:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 03:18 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-16 03:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-16 03:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 19:15 <DIR> d-------- C:\Documents and Settings\James\Application Data\AVG7
2007-11-15 19:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-13 23:32 <DIR> d-------- C:\Program Files\mrypwdyl
2007-11-02 19:50 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-11-02 19:48 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-11-01 22:39 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-01 22:38 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-11-01 22:38 <DIR> d-------- C:\Documents and Settings\James\Application Data\PC Tools
2007-11-01 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-01 16:11 <DIR> d-------- C:\Program Files\Security Task Manager
2007-10-31 22:58 <DIR> d-------- C:\Program Files\Kxtlvkqt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-25 05:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-25 04:55 84,345 ----a-w C:\WINDOWS\SYSTEM32\mqjknroy.dll
2007-11-25 04:55 81,472 ----a-w C:\WINDOWS\SYSTEM32\tcpvhduo.dll
2007-11-25 04:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-23 19:42 84,345 ----a-w C:\WINDOWS\SYSTEM32\eamgpgjc.dll
2007-11-23 19:39 83,520 ----a-w C:\WINDOWS\SYSTEM32\xvduqgvl.dll
2007-11-23 11:17 --------- d-----w C:\Documents and Settings\James\Application Data\Skype
2007-11-20 14:41 84,544 ----a-w C:\WINDOWS\SYSTEM32\rsgefjln.dll
2007-11-20 14:41 84,345 ----a-w C:\WINDOWS\SYSTEM32\jtnrpoaw.dll
2007-11-19 09:21 84,345 ----a-w C:\WINDOWS\SYSTEM32\dgptswdy.dll
2007-11-18 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-16 12:36 --------- d-----w C:\Program Files\MyWay
2007-11-15 03:41 --------- d-----w C:\Program Files\AutoCAD 2005
2007-11-14 11:54 4,000 ----a-w C:\WINDOWS\SYSTEM32\rngbvfbp.dll
2007-11-05 21:40 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-05 21:40 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-11-05 21:40 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-05 21:40 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-05 21:40 --------- d-----w C:\Program Files\Symantec
2007-11-02 19:36 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-02 19:01 --------- d-----w C:\Program Files\Norton Password Manager
2007-11-01 22:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-01 22:13 --------- d-----w C:\Program Files\Macromedia
2007-11-01 22:06 5,408 ----a-w C:\WINDOWS\SYSTEM32\dlkocnjm.dll
2007-11-01 21:54 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-11-01 21:50 --------- d-----w C:\Program Files\LimeWire
2007-11-01 21:50 --------- d-----w C:\Program Files\Canasta
2007-10-31 21:50 --------- d-----w C:\Documents and Settings\James\Application Data\Symantec
2007-10-31 21:33 --------- d-----w C:\Documents and Settings\Margaret\Application Data\Symantec
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-25 10:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-23 16:35 --------- d-----w C:\Program Files\Program Files
2007-10-23 00:40 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-18 10:15 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-16 01:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-15 19:47 --------- d-----w C:\Documents and Settings\James\Application Data\Download Manager
2007-10-04 20:12 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-04 20:09 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-04 17:11 29,000 ----a-w C:\WINDOWS\system32\drivers\kcom.sys
2007-10-04 17:10 79,688 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-04 17:10 62,280 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-04 17:10 41,288 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-29 14:18 577,928 ----a-w C:\WINDOWS\SYSTEM32\SymNeti.dll
2006-02-28 02:33 18,432 ---ha-w C:\Documents and Settings\James\Application Data\EHEncrypt.dll
1997-07-14 12:45 1,031,793 ----a-w C:\Documents and Settings\James\disk.exe
2005-05-05 15:34 56 --sh--r C:\WINDOWS\SYSTEM32\CF303D40FA.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29609901-621B-4D71-99AA-5D6C632E2B69}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A8C2C57-93A7-0675-5A40-098909C6F6CC}]
C:\Program Files\Kxtlvkqt\rztxkuim.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A6D65A2-EB8A-4ECB-9334-BF24B4B608B2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-25 03:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60E2746A-9C2E-45A2-85CE-7E1A8A890961}]
C:\WINDOWS\system32\gebcyaa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-11-02 19:49 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9FB5B4F9-A1FD-4BF7-AB33-DFD869CF3689}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACBDB067-71BF-42BE-BFEB-029F17FC4889}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B79F1537-C852-411F-947A-A1EAB2A56F24}]
C:\WINDOWS\system32\mljgh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 03:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 03:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"satmat"="C:\WINDOWS\satmat.exe" []
"jpzdngjfykp"="C:\WINDOWS\system32\ftecip.exe" []
"ScheduIe"="C:\WINDOWS\nrchk.exe" []
"SheduIer"="C:\WINDOWS\svchst.exe" []
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 07:56]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-02 19:38]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-23 16:18]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 04:53]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56]

C:\Documents and Settings\Margaret\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-04-21 10:41:11]

C:\Documents and Settings\James\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-02-25 04:01:13]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-03-04 01:27:54]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 06:05:26]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 01:35:22]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-08-22 18:10:55]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{60E2746A-9C2E-45A2-85CE-7E1A8A890961}"= C:\WINDOWS\system32\gebcyaa.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcyaa]
gebcyaa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\req]
C:\WINDOWS\system32\req.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrzf32]
winrzf32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddaby.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PageKeeper Jobs.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PageKeeper Jobs.lnk
backup=C:\WINDOWS\pss\PageKeeper Jobs.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^James^Start Menu^Programs^Startup^OCRAWARE.lnk]
path=C:\Documents and Settings\James\Start Menu\Programs\Startup\OCRAWARE.lnk
backup=C:\WINDOWS\pss\OCRAWARE.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\34c768c7]
rundll32.exe C:\WINDOWS\system32\cubkcdyg.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
c:\program files\altnet\points manager\points manager.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-10-23 16:18 51048 --a------ C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\city axis software mapi]
C:\Documents and Settings\All Users\Application Data\Cool trust city axis\borestupid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
C:\Program Files\Common Files\CMEII\CMESys.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
rundll32.exe C:\WINDOWS\system32\drvxoh.dll,startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2003-08-06 01:04 114741 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 10:27 28672 --a------ C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\etbrun]
C:\windows\system32\elitecog32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\farmmext]
C:\WINDOWS\farmmext.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
C:\WINDOWS\NeroCheck.exe /i

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hyfcxodo]
rundll32.exe C:\Program Files\jwrqtirk\talslapi.dll,Init

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-09-12 00:58 229952 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoreResults]
C:\Program Files\MoreResults\MoreResults.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 14:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-26 19:47 204800 --------- C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Protection]
C:\WINDOWS\runtask.exe C:\WINDOWS\protection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Quicktime]
C:\WINDOWS\qttasks.exe /i

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ramexp]
C:\WINDOWS\ramex.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
C:\Program Files\Real\RealPlayer\realplay.exe /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rwlyvkve]
rundll32.exe C:\Program Files\mrypwdyl\ofavkbon.dll,Init

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]
C:\WINDOWS\System32\SahAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
C:\Program Files\SecCenter\scprot4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updmgr]
C:\Program Files\Common files\updmgr\updmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewpointPhotosDeviceConnect]
2005-11-21 22:57 140880 --a------ C:\Program Files\Viewpoint\Viewpoint Toolbar V35\FotomatDeviceConnect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\warez]
C:\Program Files\Warez\Warez.exe /minimized

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R2 ScanDrv;ScanDrv;C:\WINDOWS\system32\drivers\ScanDrv.sys
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-19 23:59:47 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - James.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 05:49:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-25 6:17:00 - machine was rebooted
.
--- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:23:08, on 25/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {29609901-621B-4D71-99AA-5D6C632E2B69} - (no file)
O2 - BHO: (no name) - {2A8C2C57-93A7-0675-5A40-098909C6F6CC} - C:\Program Files\Kxtlvkqt\rztxkuim.dll (file missing)
O2 - BHO: (no name) - {3A6D65A2-EB8A-4ECB-9334-BF24B4B608B2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: (no name) - {60E2746A-9C2E-45A2-85CE-7E1A8A890961} - C:\WINDOWS\system32\gebcyaa.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9FB5B4F9-A1FD-4BF7-AB33-DFD869CF3689} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll
O2 - BHO: (no name) - {ACBDB067-71BF-42BE-BFEB-029F17FC4889} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B79F1537-C852-411F-947A-A1EAB2A56F24} - C:\WINDOWS\system32\mljgh.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [jpzdngjfykp] C:\WINDOWS\system32\ftecip.exe
O4 - HKLM\..\Run: [ScheduIe] C:\WINDOWS\nrchk.exe /i
O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\svchst.exe /i
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2EF3FB47-7B1E-4536-BA4D-51427BD45DFA} (Snapfish Drag and Drop upload plugin) - http://ie.pixaco.com/static/download/pixacodndupload.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/27464415e9f0e5...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://www.pussyharem.com/stream/mmp.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: gebcyaa - gebcyaa.dll (file missing)
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll (file missing)
O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 14832 bytes

#8 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:02:03 PM

Posted 26 November 2007 - 11:37 AM

Good!! Thanks!!
That makes it workable.

Have an appointment to go to...will check things out later today and post further instructions.

Old duck...


#9 I Chimera

I Chimera
  • Topic Starter

  • Members
  • 9 posts
  • Local time:08:03 PM

Posted 26 November 2007 - 11:42 AM

Yeah that was a strange one. No probs.
Thanks for your help :thumbsup:

#10 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:02:03 PM

Posted 26 November 2007 - 06:10 PM

Please go to: Start > Run, type: control
Press OK

Double-click on: Add/Remove Programs
Check the list of Currently Installed Programs for any of the following:
Viewpoint
Viewpoint Manager
Viewpoint Media Player


Select each item and then: Remove

~~~~
Next, run HijackThis, Scan
Check box for:

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/

O2 - BHO: (no name) - {29609901-621B-4D71-99AA-5D6C632E2B69} - (no file)
O2 - BHO: (no name) - {2A8C2C57-93A7-0675-5A40-098909C6F6CC} - C:\Program Files\Kxtlvkqt\rztxkuim.dll (file missing)
O2 - BHO: (no name) - {3A6D65A2-EB8A-4ECB-9334-BF24B4B608B2} - (no file)
O2 - BHO: (no name) - {60E2746A-9C2E-45A2-85CE-7E1A8A890961} - C:\WINDOWS\system32\gebcyaa.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9FB5B4F9-A1FD-4BF7-AB33-DFD869CF3689} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll
O2 - BHO: (no name) - {ACBDB067-71BF-42BE-BFEB-029F17FC4889} - (no file)
O2 - BHO: (no name) - {B79F1537-C852-411F-947A-A1EAB2A56F24} - C:\WINDOWS\system32\mljgh.dll (file missing)

O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [jpzdngjfykp] C:\WINDOWS\system32\ftecip.exe
O4 - HKLM\..\Run: [ScheduIe] C:\WINDOWS\nrchk.exe /i
O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\svchst.exe /i
O4 - Startup: PowerReg Scheduler V3.exe

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML

O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://www.pussyharem.com/stream/mmp.cab

O20 - Winlogon Notify: gebcyaa - gebcyaa.dll (file missing)
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll (file missing)
O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)

Select: Fix checked

~~~~
Open Notepad (Start > Run > in the Open field type: notepad)
Click: OK

Copy/paste the blue text below into Notepad:

File::
C:\WINDOWS\SYSTEM32\mqjknroy.dll
C:\WINDOWS\SYSTEM32\tcpvhduo.dll
C:\WINDOWS\SYSTEM32\eamgpgjc.dll
C:\WINDOWS\SYSTEM32\xvduqgvl.dll
C:\WINDOWS\SYSTEM32\rsgefjln.dll
C:\WINDOWS\SYSTEM32\jtnrpoaw.dll
C:\WINDOWS\SYSTEM32\dgptswdy.dll
C:\WINDOWS\SYSTEM32\rngbvfbp.dll
C:\WINDOWS\SYSTEM32\dlkocnjm.dll
C:\WINDOWS\system32\cubkcdyg.dll
C:\WINDOWS\system32\drvxoh.dll
C:\WINDOWS\System32\SahAgent.exe

Folder::
C:\Program Files\mrypwdyl
C:\Program Files\Kxtlvkqt
C:\Program Files\MyWay
C:\Documents and Settings\Margaret\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe
C:\Program Files\Altnet
C:\Documents and Settings\All Users\Application Data\Cool trust city axis
C:\Program Files\Common Files\CMEII
C:\Program Files\Kazaa
C:\WINDOWS\System32\P2P Networking
C:\Program Files\SecCenter
C:\Program Files\Warez
C:\Program Files\jwrqtirk

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29609901-621B-4D71-99AA-5D6C632E2B69}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A8C2C57-93A7-0675-5A40-098909C6F6CC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A6D65A2-EB8A-4ECB-9334-BF24B4B608B2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60E2746A-9C2E-45A2-85CE-7E1A8A890961}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9FB5B4F9-A1FD-4BF7-AB33-DFD869CF3689}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACBDB067-71BF-42BE-BFEB-029F17FC4889}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B79F1537-C852-411F-947A-A1EAB2A56F24}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"satmat"=-
"jpzdngjfykp"=-
"ScheduIe"=-
"SheduIer"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{60E2746A-9C2E-45A2-85CE-7E1A8A890961}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcyaa]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\req]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrzf32]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\34c768c7]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\city axis software mapi]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hyfcxodo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rwlyvkve]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\warez]



Save as CFScript.txt <<< Important!!
Change the Save as type to: All Files
Save it to the Desktop.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

Referring to the screenshot above, drag CFScript.txt >>> into >>> ComboFix.exe
ComboFix runs a scan on your system, and may reboot when it finishes. This is normal.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced: ComboFix.txt

~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please provide the contents of the new ComboFix log , and the new HijackThis log in your reply.

Old duck...

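As an added example (not code from HijackThis, ComboFix or the post above), the Python below triages the kinds of entries the instructions target: it parses the O2/O4/O20 lines, lists hooks whose DLL is already gone but whose load point remains, spots Run-key names that use a capital I to pass as an l (ScheduIe, SheduIer), and decodes the hex(7) Authentication Packages value from the CFScript to confirm it restores only msv1_0. The sample lines are copied from the logs in this thread; every function name is my own.

```python
"""Triage helpers for the HijackThis / ComboFix output quoted in this thread.
Added example, not code from HijackThis, ComboFix or the post.  Sample lines
below are copied from the logs above; everything else is a constructed helper.
"""
import re

# One pattern per HijackThis section used here; other lines are skipped.
PATTERNS = {
    # O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<target>.*)$"),
    # O20 - Winlogon Notify: <subkey> - <dll>
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<target>.*)$"),
    # O4 - <hive>\..\Run: [<value name>] <command line>
    "O4": re.compile(r"^O4 - .*?: \[(?P<name>[^\]]+)\] (?P<target>.*)$"),
}

# A capital I wedged between lowercase letters renders like an l in most fonts.
LOOKALIKE_I = re.compile(r"[a-z]I[a-z]")


def parse_hjt(text):
    """Return [{'section', 'name', 'target'}, ...] for the O2/O4/O20 lines in text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for section, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                entries.append({"section": section, "name": match["name"],
                                "target": match["target"]})
                break
    return entries


def orphaned_entries(entries):
    """Hooks whose DLL is already gone.  HijackThis tags these '(no file)' or
    '(file missing)': a scanner removed the payload but left the load point,
    so the key is re-armed the moment a dropper puts the file back."""
    return [e for e in entries
            if e["target"] == "(no file)" or e["target"].endswith("(file missing)")]


def is_lookalike(name):
    """Heuristic: 'ScheduIe' and 'SheduIer' in the log are dressed up as
    Schedule/Scheduler.  Review hits by hand; camel-case names can false-positive."""
    return bool(LOOKALIKE_I.search(name))


def suspicious_run_names(entries):
    """Run-key value names that use the capital-I-for-l trick."""
    return [e["name"] for e in entries
            if e["section"] == "O4" and is_lookalike(e["name"])]


def decode_reg_multi_sz(value):
    """Decode a .reg/CFScript 'hex(7):..' REG_MULTI_SZ into its list of strings."""
    if not value.startswith("hex(7):"):
        raise ValueError("not a hex(7) REG_MULTI_SZ value")
    raw = bytes(int(b, 16) for b in value[len("hex(7):"):].split(","))
    # Unicode .reg files store UTF-16LE (every second byte zero); the CFScript
    # in the post spells the value one byte per character.
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def rogue_auth_packages(packages, expected=("msv1_0",)):
    """Anything beyond the stock LSA list is loaded into lsass.exe at boot.
    The ComboFix log showed 'msv1_0 C:\\WINDOWS\\system32\\ddaby.dll'."""
    return [p for p in packages if p not in expected]


# Constructed sample: lines copied from the HijackThis log in this thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29609901-621B-4D71-99AA-5D6C632E2B69} - (no file)
O2 - BHO: (no name) - {2A8C2C57-93A7-0675-5A40-098909C6F6CC} - C:\Program Files\Kxtlvkqt\rztxkuim.dll (file missing)
O4 - HKLM\..\Run: [ScheduIe] C:\WINDOWS\nrchk.exe /i
O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\svchst.exe /i
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: gebcyaa - gebcyaa.dll (file missing)
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll (file missing)
"""

# The reset value from the CFScript's Registry:: section.
CFSCRIPT_AUTH_PACKAGES = "hex(7):6d,73,76,31,5f,30,00,00"

if __name__ == "__main__":
    found = parse_hjt(SAMPLE_HJT)
    for e in orphaned_entries(found):
        print(f"orphaned {e['section']}: {e['name']} -> {e['target']}")
    print("lookalike run names:", suspicious_run_names(found))
    print("auth packages after fix:", decode_reg_multi_sz(CFSCRIPT_AUTH_PACKAGES))
```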

#11 I Chimera

I Chimera
  • Topic Starter

  • Members
  • 9 posts
  • Local time:08:03 PM

Posted 26 November 2007 - 07:58 PM

OK,
here are the new logfiles.
Although I have a query. I ran msconfig and in the startup there are a lot of exes which would have been disabled over the course of time. Should I enable them and run a HijackThis scan?
Thanks again.



ComboFix 07-11-19.3 - James 2007-11-27 0:14:57.2 - NTFSx86
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\cubkcdyg.dll
C:\WINDOWS\SYSTEM32\dgptswdy.dll
C:\WINDOWS\SYSTEM32\dlkocnjm.dll
C:\WINDOWS\system32\drvxoh.dll
C:\WINDOWS\SYSTEM32\eamgpgjc.dll
C:\WINDOWS\SYSTEM32\jtnrpoaw.dll
C:\WINDOWS\SYSTEM32\mqjknroy.dll
C:\WINDOWS\SYSTEM32\rngbvfbp.dll
C:\WINDOWS\SYSTEM32\rsgefjln.dll
C:\WINDOWS\System32\SahAgent.exe
C:\WINDOWS\SYSTEM32\tcpvhduo.dll
C:\WINDOWS\SYSTEM32\xvduqgvl.dll
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Cool trust city axis
C:\Documents and Settings\All Users\Application Data\Cool trust city axis\BASHMAILFILM
C:\Documents and Settings\All Users\Application Data\Cool trust city axis\BLAHBAITFIND
C:\Documents and Settings\All Users\Application Data\Cool trust city axis\list tons anti
C:\Documents and Settings\Margaret\Start Menu\Programs\Startup\
C:\Documents and Settings\Margaret\Start Menu\Programs\Startup\\DESKTOP.INI
C:\Documents and Settings\Margaret\Start Menu\Programs\Startup\\PowerReg Scheduler V3.exe
C:\Program Files\Kazaa
C:\Program Files\Kazaa\BGP2P\bdupd.dll
C:\Program Files\Kazaa\BGP2P\plugins.htm
C:\Program Files\Kazaa\BGP2P\plugins\ace.xmd
C:\Program Files\Kazaa\BGP2P\plugins\adsntfs.xmd
C:\Program Files\Kazaa\BGP2P\plugins\alz.xmd
C:\Program Files\Kazaa\BGP2P\plugins\arc.xmd
C:\Program Files\Kazaa\BGP2P\plugins\arj.xmd
C:\Program Files\Kazaa\BGP2P\plugins\bach.xmd
C:\Program Files\Kazaa\BGP2P\plugins\bzip2.xmd
C:\Program Files\Kazaa\BGP2P\plugins\cab.xmd
C:\Program Files\Kazaa\BGP2P\plugins\ceva_dll.cvd
C:\Program Files\Kazaa\BGP2P\plugins\ceva_emu.cvd
C:\Program Files\Kazaa\BGP2P\plugins\ceva_vfs.cvd
C:\Program Files\Kazaa\BGP2P\plugins\cevakrnl.cvd
C:\Program Files\Kazaa\BGP2P\plugins\cevakrnl.ivd
C:\Program Files\Kazaa\BGP2P\plugins\cevakrnl.rvd
C:\Program Files\Kazaa\BGP2P\plugins\cevakrnl.xmd
C:\Program Files\Kazaa\BGP2P\plugins\chm.xmd
C:\Program Files\Kazaa\BGP2P\plugins\cpio.xmd
C:\Program Files\Kazaa\BGP2P\plugins\cran.cvd
C:\Program Files\Kazaa\BGP2P\plugins\cran.ivd
C:\Program Files\Kazaa\BGP2P\plugins\cran.xmd
C:\Program Files\Kazaa\BGP2P\plugins\dbx.xmd
C:\Program Files\Kazaa\BGP2P\plugins\docfile.xmd
C:\Program Files\Kazaa\BGP2P\plugins\emalware.cvd
C:\Program Files\Kazaa\BGP2P\plugins\emalware.ivd
C:\Program Files\Kazaa\BGP2P\plugins\emalware.xmd
C:\Program Files\Kazaa\BGP2P\plugins\epoc.xmd
C:\Program Files\Kazaa\BGP2P\plugins\gzip.xmd
C:\Program Files\Kazaa\BGP2P\plugins\ha.xmd
C:\Program Files\Kazaa\BGP2P\plugins\hlp.xmd
C:\Program Files\Kazaa\BGP2P\plugins\hpe.cvd
C:\Program Files\Kazaa\BGP2P\plugins\hpe.xmd
C:\Program Files\Kazaa\BGP2P\plugins\hqx.xmd
C:\Program Files\Kazaa\BGP2P\plugins\html.xmd
C:\Program Files\Kazaa\BGP2P\plugins\imp.xmd
C:\Program Files\Kazaa\BGP2P\plugins\inno.xmd
C:\Program Files\Kazaa\BGP2P\plugins\instyler.xmd
C:\Program Files\Kazaa\BGP2P\plugins\iso.xmd
C:\Program Files\Kazaa\BGP2P\plugins\java.cvd
C:\Program Files\Kazaa\BGP2P\plugins\java.xmd
C:\Program Files\Kazaa\BGP2P\plugins\jpeg.xmd
C:\Program Files\Kazaa\BGP2P\plugins\lha.xmd
C:\Program Files\Kazaa\BGP2P\plugins\lnk.xmd
C:\Program Files\Kazaa\BGP2P\plugins\mbox.xmd
C:\Program Files\Kazaa\BGP2P\plugins\mbx.xmd
C:\Program Files\Kazaa\BGP2P\plugins\mdx.xmd
C:\Program Files\Kazaa\BGP2P\plugins\mdx_97.cvd
C:\Program Files\Kazaa\BGP2P\plugins\mdx_97.ivd
C:\Program Files\Kazaa\BGP2P\plugins\mdx_w95.cvd
C:\Program Files\Kazaa\BGP2P\plugins\mdx_x95.cvd
C:\Program Files\Kazaa\BGP2P\plugins\mdx_xf.cvd
C:\Program Files\Kazaa\BGP2P\plugins\mime.xmd
C:\Program Files\Kazaa\BGP2P\plugins\mso.xmd
C:\Program Files\Kazaa\BGP2P\plugins\na.cvd
C:\Program Files\Kazaa\BGP2P\plugins\na.xmd
C:\Program Files\Kazaa\BGP2P\plugins\nelf.cvd
C:\Program Files\Kazaa\BGP2P\plugins\nelf.xmd
C:\Program Files\Kazaa\BGP2P\plugins\nsis.xmd
C:\Program Files\Kazaa\BGP2P\plugins\objd.xmd
C:\Program Files\Kazaa\BGP2P\plugins\pdf.xmd
C:\Program Files\Kazaa\BGP2P\plugins\pst.xmd
C:\Program Files\Kazaa\BGP2P\plugins\rar.xmd
C:\Program Files\Kazaa\BGP2P\plugins\rpm.xmd
C:\Program Files\Kazaa\BGP2P\plugins\rtf.xmd
C:\Program Files\Kazaa\BGP2P\plugins\rup.cvd
C:\Program Files\Kazaa\BGP2P\plugins\rup.xmd
C:\Program Files\Kazaa\BGP2P\plugins\sdx.cvd
C:\Program Files\Kazaa\BGP2P\plugins\sdx.ivd
C:\Program Files\Kazaa\BGP2P\plugins\sdx.xmd
C:\Program Files\Kazaa\BGP2P\plugins\sfx.xmd
C:\Program Files\Kazaa\BGP2P\plugins\swf.xmd
C:\Program Files\Kazaa\BGP2P\plugins\tar.xmd
C:\Program Files\Kazaa\BGP2P\plugins\td0.xmd
C:\Program Files\Kazaa\BGP2P\plugins\thebat.xmd
C:\Program Files\Kazaa\BGP2P\plugins\tnef.xmd
C:\Program Files\Kazaa\BGP2P\plugins\unpack.cvd
C:\Program Files\Kazaa\BGP2P\plugins\unpack.ivd
C:\Program Files\Kazaa\BGP2P\plugins\unpack.xmd
C:\Program Files\Kazaa\BGP2P\plugins\update.txt
C:\Program Files\Kazaa\BGP2P\plugins\uudecode.xmd
C:\Program Files\Kazaa\BGP2P\plugins\ve.cvd
C:\Program Files\Kazaa\BGP2P\plugins\ve.ivd
C:\Program Files\Kazaa\BGP2P\plugins\ve.xmd
C:\Program Files\Kazaa\BGP2P\plugins\vedata.cvd
C:\Program Files\Kazaa\BGP2P\plugins\viza.xmd
C:\Program Files\Kazaa\BGP2P\plugins\wise.xmd
C:\Program Files\Kazaa\BGP2P\plugins\xishield.xmd
C:\Program Files\Kazaa\BGP2P\plugins\z.xmd
C:\Program Files\Kazaa\BGP2P\plugins\zip.xmd
C:\Program Files\Kazaa\BGP2P\plugins\zoo.xmd
C:\Program Files\Kazaa\BGP2P\versions.dat
C:\Program Files\Kazaa\Db\ctx4-050420.cab
C:\Program Files\Kazaa\Db\data1024.dbb
C:\Program Files\Kazaa\Db\data256.dbb
C:\Program Files\Kazaa\Db\k7tqkgkk_tssv125.dat
C:\Program Files\Kazaa\Db\np.tmp
C:\Program Files\Kazaa\Db\ova4-050420.cab
C:\Program Files\Kazaa\Db\tsi4-050417a.cab
C:\Program Files\Kazaa\Db\tss4.cab
C:\Program Files\Kazaa\My Shared Folder\.kpl
C:\Program Files\Kazaa\My Shared Folder\AlbumArt_{00000000-0000-0000-0000-000000000000}_Large.jpg
C:\Program Files\Kazaa\My Shared Folder\bikes\Thumbs.db
C:\Program Files\Kazaa\My Shared Folder\desktop.ini
C:\Program Files\Kazaa\My Shared Folder\Folder.jpg
C:\Program Files\Kazaa\My Shared Folder\nick drake\06 Things Behind the Sun.mp3
C:\Program Files\Kazaa\plugins.htm
C:\Program Files\Kazaa\Skins\Orbital Shadows\Thumbs.db
C:\Program Files\Kazaa\versions.dat
C:\Program Files\Kxtlvkqt
C:\Program Files\mrypwdyl
C:\Program Files\MyWay
C:\WINDOWS\SYSTEM32\dgptswdy.dll
C:\WINDOWS\SYSTEM32\dlkocnjm.dll
C:\WINDOWS\SYSTEM32\eamgpgjc.dll
C:\WINDOWS\SYSTEM32\jtnrpoaw.dll
C:\WINDOWS\SYSTEM32\mqjknroy.dll
C:\WINDOWS\SYSTEM32\rngbvfbp.dll
C:\WINDOWS\SYSTEM32\rsgefjln.dll
C:\WINDOWS\SYSTEM32\tcpvhduo.dll
C:\WINDOWS\SYSTEM32\xvduqgvl.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-18 16:43 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-16 10:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 03:18 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-16 03:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-16 03:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 19:15 <DIR> d-------- C:\Documents and Settings\James\Application Data\AVG7
2007-11-15 19:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-02 19:50 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-11-02 19:48 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-11-01 22:39 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-01 22:38 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-11-01 22:38 <DIR> d-------- C:\Documents and Settings\James\Application Data\PC Tools
2007-11-01 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-01 16:11 <DIR> d-------- C:\Program Files\Security Task Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 00:28 --------- d-----w C:\Program Files\Viewpoint
2007-11-27 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-26 23:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-26 22:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-26 22:08 532,480 ----a-w C:\WINDOWS\SYSTEM32\Audi R8 Screensaver.scr
2007-11-25 20:16 --------- d-----w C:\Documents and Settings\James\Application Data\Skype
2007-11-18 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-15 03:41 --------- d-----w C:\Program Files\AutoCAD 2005
2007-11-05 21:40 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-05 21:40 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-11-05 21:40 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-05 21:40 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-05 21:40 --------- d-----w C:\Program Files\Symantec
2007-11-02 19:36 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-02 19:01 --------- d-----w C:\Program Files\Norton Password Manager
2007-11-01 22:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-01 22:13 --------- d-----w C:\Program Files\Macromedia
2007-11-01 21:54 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-11-01 21:50 --------- d-----w C:\Program Files\LimeWire
2007-11-01 21:50 --------- d-----w C:\Program Files\Canasta
2007-10-31 21:50 --------- d-----w C:\Documents and Settings\James\Application Data\Symantec
2007-10-31 21:33 --------- d-----w C:\Documents and Settings\Margaret\Application Data\Symantec
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-25 10:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-23 16:35 --------- d-----w C:\Program Files\Program Files
2007-10-23 00:40 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-18 10:15 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-16 01:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-15 19:47 --------- d-----w C:\Documents and Settings\James\Application Data\Download Manager
2007-10-04 20:12 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-04 20:09 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-04 17:11 29,000 ----a-w C:\WINDOWS\system32\drivers\kcom.sys
2007-10-04 17:10 79,688 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-04 17:10 62,280 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-04 17:10 41,288 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-29 14:18 577,928 ----a-w C:\WINDOWS\SYSTEM32\SymNeti.dll
2006-02-28 02:33 18,432 ---ha-w C:\Documents and Settings\James\Application Data\EHEncrypt.dll
1997-07-14 12:45 1,031,793 ----a-w C:\Documents and Settings\James\disk.exe
2005-05-05 15:34 56 --sh--r C:\WINDOWS\SYSTEM32\CF303D40FA.sys
.

((((((((((((((((((((((((((((( snapshot@2007-11-25_ 6.16.22.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-26 22:08:29 34,304 ----a-w C:\WINDOWS\SYSTEM32\Audi R8 Screensaver dir\saver1.dll
+ 2007-11-26 22:08:29 18,192 ----a-w C:\WINDOWS\SYSTEM32\Audi R8 Screensaver dir\saver2.dll
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-25 03:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-11-02 19:49 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 03:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 03:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 07:56]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-02 19:38]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-23 16:18]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 04:53]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 00:58]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-03-04 01:27:54]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 06:05:26]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 01:35:22]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-08-22 18:10:55]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PageKeeper Jobs.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PageKeeper Jobs.lnk
backup=C:\WINDOWS\pss\PageKeeper Jobs.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^James^Start Menu^Programs^Startup^OCRAWARE.lnk]
path=C:\Documents and Settings\James\Start Menu\Programs\Startup\OCRAWARE.lnk
backup=C:\WINDOWS\pss\OCRAWARE.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-10-23 16:18 51048 --a------ C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2003-08-06 01:04 114741 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 10:27 28672 --a------ C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\etbrun]
C:\windows\system32\elitecog32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\farmmext]
C:\WINDOWS\farmmext.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
C:\WINDOWS\NeroCheck.exe /i

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-09-12 00:58 229952 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoreResults]
C:\Program Files\MoreResults\MoreResults.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 14:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-26 19:47 204800 --------- C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Protection]
C:\WINDOWS\runtask.exe C:\WINDOWS\protection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Quicktime]
C:\WINDOWS\qttasks.exe /i

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ramexp]
C:\WINDOWS\ramex.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
C:\Program Files\Real\RealPlayer\realplay.exe /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updmgr]
C:\Program Files\Common files\updmgr\updmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewpointPhotosDeviceConnect]
C:\Program Files\Viewpoint\Viewpoint Toolbar V35\FotomatDeviceConnect.exe

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R2 ScanDrv;ScanDrv;C:\WINDOWS\system32\drivers\ScanDrv.sys
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-27 00:12:18 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - James.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 00:30:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-27 0:37:59 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-25 06:17
.
--- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:41:28, on 27/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2EF3FB47-7B1E-4536-BA4D-51427BD45DFA} (Snapfish Drag and Drop upload plugin) - http://ie.pixaco.com/static/download/pixacodndupload.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/27464415e9f0e5...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 13428 bytes

#12 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:02:03 PM

Posted 26 November 2007 - 11:44 PM

On your question regarding MSConfig, let me take a good look to see what is in there before you enable anything. If any malware related entries are still in MSConfig, and the related file is still present, they will load up after the next startup. We do not want to do that.

Also, let's get a different 'picture' of the system. You may be able to get rid of a few entries by uninstalling them.

Please download Deckard's System Scanner (DSS)
Save it to the Desktop
Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your firewall offers a warning, allow the program to run
  • When finished, DSS opens two Notepad files: main.txt <- this one is maximized and extra.txt <- this one is minimized
Please post the contents of main.txt in your reply.
(A copy of the file is also found in C:\Deckard\System Scanner)

Also, attach the extra.txt to your post.
Do the following:
  • Below the reply to thread box, it says: Attachments
  • To the right of Attachments, select Browse, and go to C:\Deckard\System Scanner\extra.txt
  • Then, click Upload

Old duck...
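The point made above about MSConfig (a disabled entry comes straight back if it is re-enabled while its file is still on disk) can be checked mechanically from the "startupreg" blocks that DSS prints in its registry dump. This is an added example for the thread, not code from DSS, HijackThis or the helper; the sample dump and the set of "files present" are constructed for the demo, and on a live system you would pass os.path.exists instead of demo_exists.

```python
"""Triage the MSConfig 'startupreg' section of a Deckard's System Scanner
registry dump: which disabled startup entries would actually run again if
someone re-enabled them, i.e. whose launch target is still on disk."""
import ntpath
import os
import re
from typing import Callable, Dict, List, Optional, Tuple

# Key prefix exactly as DSS prints it (one block per disabled MSConfig entry).
STARTUPREG_PREFIX = ("[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools"
                     "\\msconfig\\startupreg\\")

# Constructed sample in the DSS dump format; entry names mirror the thread's log.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\etbrun]
C:\windows\system32\elitecog32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Protection]
C:\WINDOWS\runtask.exe C:\WINDOWS\protection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Quicktime]
C:\WINDOWS\qttasks.exe /i
"""

# Constructed stand-in for the file system: paths a live os.path.exists would find.
PRESENT_ON_DISK = {
    r"c:\program files\common files\symantec shared\ccapp.exe",
    r"c:\windows\system32\nvcpl.dll",
    r"c:\windows\runtask.exe",
}


def demo_exists(path: str) -> bool:
    """Case-insensitive lookup against the constructed file list (Windows paths)."""
    return path.lower() in PRESENT_ON_DISK


def split_command(command: str) -> Tuple[str, str]:
    """Return (program, arguments) for a Run-style command line.
    A quoted program keeps its spaces; an unquoted one ends at the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            return command.strip('"'), ""
        return command[1:end], command[end + 1:].strip()
    parts = command.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def launch_target(command: str) -> str:
    """The file that does the work: for a rundll32 host command that is the DLL
    named in the first argument, otherwise the program itself."""
    program, args = split_command(command)
    if ntpath.basename(program).lower() == "rundll32.exe" and args:
        return args.split(",", 1)[0].strip()
    return program


def parse_startupreg(dump: str) -> Dict[str, str]:
    """Map each disabled MSConfig entry name to the command line DSS printed
    on the next non-empty line after its key."""
    entries: Dict[str, str] = {}
    lines = dump.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith(STARTUPREG_PREFIX) and line.endswith("]"):
            name = line[len(STARTUPREG_PREFIX):-1]
            for cmd in lines[i + 1:]:
                if cmd.strip():
                    entries[name] = cmd.strip()
                    break
    return entries


def would_reload(dump: str,
                 exists: Callable[[str], bool] = os.path.exists) -> List[dict]:
    """One record per disabled entry. 'present' is True/False for an absolute
    target, None for a bare name Windows would resolve through the PATH, which
    the log alone cannot settle."""
    report = []
    for name, command in parse_startupreg(dump).items():
        target = launch_target(command)
        present: Optional[bool] = (exists(target)
                                   if re.match(r"^[A-Za-z]:\\", target) else None)
        report.append({"name": name, "command": command,
                       "target": target, "present": present})
    return report


if __name__ == "__main__":
    verdict = {True: "still on disk: would run if re-enabled",
               False: "file gone: stale entry, safe to remove",
               None: "bare name: resolved via PATH, check by hand"}
    for entry in would_reload(SAMPLE_DUMP, demo_exists):
        print(f"{entry['name']:<12} {entry['target']}  -> {verdict[entry['present']]}")
```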


#13 I Chimera

I Chimera
  • Topic Starter

  • Members
  • 9 posts
  • Local time:08:03 PM

Posted 27 November 2007 - 01:07 AM

OK,

More logfiles. I think we're getting there?! Thanks again. Couldn't do it on my own.


Deckard's System Scanner v20071014.68
Run by James on 2007-11-27 05:35:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2007-11-27 05:35:50 UTC - RP6 - Deckard's System Scanner Restore Point
4: 2007-11-27 00:13:37 UTC - RP5 - ComboFix created restore point
3: 2007-11-26 06:02:35 UTC - RP4 - System Checkpoint
2: 2007-11-25 05:19:52 UTC - RP3 - ComboFix created restore point
1: 2007-11-25 05:19:31 UTC - RP2 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as James.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:38:29, on 27/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Documents and Settings\James\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\James.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2EF3FB47-7B1E-4536-BA4D-51427BD45DFA} (Snapfish Drag and Drop upload plugin) - http://ie.pixaco.com/static/download/pixacodndupload.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/27464415e9f0e5...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 13172 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071127-000235-117 O2 - BHO: (no name) - {60E2746A-9C2E-45A2-85CE-7E1A8A890961} - C:\WINDOWS\system32\gebcyaa.dll (file missing)
backup-20071127-000235-160 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20071127-000235-249 O2 - BHO: (no name) - {ACBDB067-71BF-42BE-BFEB-029F17FC4889} - (no file)
backup-20071127-000235-363 O2 - BHO: (no name) - {29609901-621B-4D71-99AA-5D6C632E2B69} - (no file)
backup-20071127-000235-418 O2 - BHO: (no name) - {B79F1537-C852-411F-947A-A1EAB2A56F24} - C:\WINDOWS\system32\mljgh.dll (file missing)
backup-20071127-000235-524 O4 - HKLM\..\Run: [ScheduIe] C:\WINDOWS\nrchk.exe /i
backup-20071127-000235-571 O4 - HKLM\..\Run: [jpzdngjfykp] C:\WINDOWS\system32\ftecip.exe
backup-20071127-000235-685 O4 - Startup: PowerReg Scheduler V3.exe
backup-20071127-000235-722 O2 - BHO: (no name) - {3A6D65A2-EB8A-4ECB-9334-BF24B4B608B2} - (no file)
backup-20071127-000235-766 O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\svchst.exe /i
backup-20071127-000235-834 O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
backup-20071127-000235-942 O2 - BHO: (no name) - {2A8C2C57-93A7-0675-5A40-098909C6F6CC} - C:\Program Files\Kxtlvkqt\rztxkuim.dll (file missing)
backup-20071127-000235-982 O2 - BHO: (no name) - {9FB5B4F9-A1FD-4BF7-AB33-DFD869CF3689} - (no file)
backup-20071127-000236-459 O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://www.pussyharem.com/stream/mmp.cab
backup-20071127-000237-376 O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll (file missing)
backup-20071127-000237-419 O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)
backup-20071127-000237-827 O20 - Winlogon Notify: gebcyaa - gebcyaa.dll (file missing)

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - unable to read value
.js - JSFile - shell\open\command - unable to read value
.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
R2 ScanDrv - c:\windows\system32\drivers\scandrv.sys <Not Verified; Agfa-Gevaert N.V.; >
R2 Sentinel - c:\windows\system32\drivers\sentinel.sys
R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
R3 catchme - c:\docume~1\james\locals~1\temp\catchme.sys (file missing)
R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>

S3 EL90XBC (3Com EtherLink XL 90XB/C Adapter Driver) - c:\windows\system32\drivers\el90xbc5.sys <Not Verified; 3Com Corporation; 3Com EtherLink PCI>
S3 i81x - c:\windows\system32\drivers\i81xnt5.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimFP0 - c:\windows\system32\drivers\wadv01nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimFP1 - c:\windows\system32\drivers\wadv02nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimFP2 - c:\windows\system32\drivers\wadv05nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimFP3 - c:\windows\system32\drivers\wsiintxx.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimFP4 - c:\windows\system32\drivers\wvchntxx.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimTV0 - c:\windows\system32\drivers\watv01nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimTV1 - c:\windows\system32\drivers\watv02nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 iAimTV3 - c:\windows\system32\drivers\watv04nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimTV4 - c:\windows\system32\drivers\wch7xxnt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 MODEMCSA (Unimodem Streaming Filter Device) - c:\windows\system32\drivers\modemcsa.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 SE27obex (Sony Ericsson Device 039 USB WMC OBEX Interface) - c:\windows\system32\drivers\se27obex.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC OBEX Interface>
S4 cbidf - c:\windows\system32\drivers\cbidf2k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S4 dac2w2k - c:\windows\system32\drivers\dac2w2k.sys <Not Verified; Mylex Corporation; Mylex Disk Array Controller Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-11-27 00:12:18 622 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - James.job


-- Files created between 2007-10-27 and 2007-11-27 -----------------------------

2007-11-26 22:08:28 532480 --a------ C:\WINDOWS\system32\Audi R8 Screensaver.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2007-11-26 22:08:28 0 d-------- C:\WINDOWS\system32\Audi R8 Screensaver dir
2007-11-26 20:22:10 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2007-11-18 16:43:01 0 d-------- C:\Program Files\Trend Micro
2007-11-18 02:49:20 0 d-------- C:\WINDOWS\BDOSCAN8
2007-11-16 10:38:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 03:18:40 0 d-------- C:\Program Files\Lavasoft
2007-11-16 03:18:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-16 03:16:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 19:15:23 0 d-------- C:\Documents and Settings\James\Application Data\AVG7
2007-11-15 19:10:44 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-02 19:50:10 0 d-------- C:\Program Files\Windows Sidebar
2007-11-02 19:48:13 0 d-------- C:\Program Files\Norton Internet Security
2007-11-01 22:39:07 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-01 22:38:37 0 d-------- C:\Program Files\Spyware Doctor
2007-11-01 22:38:37 0 d-------- C:\Documents and Settings\James\Application Data\PC Tools
2007-11-01 16:12:09 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-01 16:11:57 0 d-------- C:\Program Files\Security Task Manager
2007-10-31 22:41:15 0 dr------- C:\Documents and Settings\LocalService\Favorites


-- Find3M Report ---------------------------------------------------------------

2007-11-27 05:38:17 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-27 00:28:53 0 d-------- C:\Program Files\Viewpoint
2007-11-25 20:16:26 0 d-------- C:\Documents and Settings\James\Application Data\Skype
2007-11-20 21:53:33 0 d-------- C:\Documents and Settings\James\Application Data\Adobe
2007-11-16 03:16:44 0 d-------- C:\Program Files\Common Files
2007-11-15 03:41:43 0 d-------- C:\Program Files\AutoCAD 2005
2007-11-05 21:40:24 0 d-------- C:\Program Files\Symantec
2007-11-02 19:36:34 0 d-------- C:\Program Files\Norton AntiVirus
2007-11-02 19:01:39 0 d-------- C:\Program Files\Norton Password Manager
2007-11-01 22:13:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-01 22:13:33 0 d-------- C:\Program Files\Macromedia
2007-11-01 22:12:51 0 d-------- C:\Documents and Settings\James\Application Data\Macromedia
2007-11-01 21:54:26 0 d-------- C:\Program Files\Common Files\Macromedia
2007-11-01 21:50:49 0 d-------- C:\Program Files\LimeWire
2007-11-01 21:50:10 0 d-------- C:\Program Files\Canasta
2007-10-31 21:50:24 0 d-------- C:\Documents and Settings\James\Application Data\Symantec
2007-10-25 10:26:48 53248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-23 16:35:48 0 d-------- C:\Program Files\Program Files
2007-10-23 00:40:26 0 d-------- C:\Program Files\Common Files\Adobe
2007-10-18 10:15:29 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-15 19:47:22 0 d-------- C:\Documents and Settings\James\Application Data\Download Manager
2007-10-04 20:12:23 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-10-04 20:09:38 0 d-------- C:\Program Files\Microsoft.NET


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
25/08/2007 03:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
02/11/2007 19:49 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [25/08/2007 03:51 316784]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [10/05/2007 21:46]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [04/08/2004 07:56]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/11/2006 19:38]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [23/10/2007 16:18]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [25/08/2007 04:53]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/09/2006 00:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 07:56]

C:\Documents and Settings\James\Start Menu\Programs\Startup\
DESKTOP.INI [03/09/2002 09:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [04/03/2004 01:27:54]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [24/09/2005 06:05:26]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [25/02/2004 01:35:22]
DESKTOP.INI [03/09/2002 09:00:00]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [22/08/2005 18:10:55]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PageKeeper Jobs.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PageKeeper Jobs.lnk
backup=C:\WINDOWS\pss\PageKeeper Jobs.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^James^Start Menu^Programs^Startup^OCRAWARE.lnk]
path=C:\Documents and Settings\James\Start Menu\Programs\Startup\OCRAWARE.lnk
backup=C:\WINDOWS\pss\OCRAWARE.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\etbrun]
C:\windows\system32\elitecog32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\farmmext]
C:\WINDOWS\farmmext.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
C:\WINDOWS\NeroCheck.exe /i

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoreResults]
C:\Program Files\MoreResults\MoreResults.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Protection]
C:\WINDOWS\runtask.exe C:\WINDOWS\protection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Quicktime]
C:\WINDOWS\qttasks.exe /i

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ramexp]
C:\WINDOWS\ramex.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updmgr]
C:\Program Files\Common files\updmgr\updmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewpointPhotosDeviceConnect]
C:\Program Files\Viewpoint\Viewpoint Toolbar V35\FotomatDeviceConnect.exe

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2007-11-27 05:39:30 ------------




#14 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:02:03 PM

Posted 27 November 2007 - 06:50 PM

Please go to: Start > Run, type: control
Press OK
Double-click on: Add/Remove Programs

On the list of Currently Installed Programs, look for and, if found, uninstall the following by selecting the entry and clicking on Remove:
Startnow Navigation Helper (v1.0.1.1)

~~~~
Next, run HijackThis, Scan
Check box for the following (if present):

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/

O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab

Select: Fix checked

~~~~
Once again, open Notepad
Copy/paste the blue text below to Notepad:

File::
C:\windows\system32\elitecog32.exe
C:\WINDOWS\farmmext.exe
C:\WINDOWS\runtask.exe
C:\WINDOWS\protection.exe
C:\WINDOWS\ramex.exe

Folder::
C:\Program Files\MoreResults\MoreResults.exe
C:\Program Files\Viewpoint
C:\Program Files\Common files\updmgr

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\etbrun]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\farmmext]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoreResults]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Protection]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ramexp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updmgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewpointPhotosDeviceConnect]



Save as CFScript.txt <-Important!!
Change the Save as type to: All Files
Save it to the Desktop.

Posted Image

Referring to the screenshot above, drag CFScript.txt >>> into >>> ComboFix.exe
ComboFix runs a scan on your system, and may reboot when it finishes. This is normal.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced: ComboFix.txt

~~~~
Please provide the contents of the new ComboFix log in your reply.

Old duck...
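The CFScript above is built by hand from the msconfig\startupreg entries in the scanner log: each file to delete goes under File:: and each startup key that launches it goes under Registry:: as a [-key] line. The following script is an added example, not part of this thread or of ComboFix, that shows that mapping mechanically: it parses startupreg blocks from a log in the format shown above (a few constructed lines copied in shape from the Deckard's System Scanner output earlier in the thread), matches their command lines against a list of files already identified as unwanted, and emits the corresponding CFScript text. The function names, the sample log and the file list are assumptions made for this example; the CFScript section names (File::, Folder::, Registry::) and the [-key] deletion syntax are those shown in the post above.

```python
import re

# Constructed sample: four startupreg blocks copied in shape from the
# Deckard's System Scanner output earlier in this thread. The last block
# has no value line, which the real log also shows ("Sonic RecordNow!").
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\etbrun]
C:\windows\system32\elitecog32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Protection]
C:\WINDOWS\runtask.exe C:\WINDOWS\protection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
"""

# Files already identified as unwanted by the analyst (assumed input;
# these are the paths the post above lists under File::).
BAD_FILES = [
    r"C:\windows\system32\elitecog32.exe",
    r"C:\WINDOWS\runtask.exe",
    r"C:\WINDOWS\protection.exe",
]

# A registry block header such as [HKEY_LOCAL_MACHINE\...\startupreg\etbrun]
HEADER_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")


def parse_startupreg(log_text):
    """Return [(key, command)] for every msconfig\\startupreg key in the log.

    In this log format a key header is followed by at most one value line
    (the startup command); a key with no value yields command == ''.
    """
    entries = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            if "\\msconfig\\startupreg\\" in current.lower():
                entries.append([current, ""])
            else:
                current = None  # some other key; ignore its value line
            continue
        if current is not None and line:
            entries[-1][1] = line
            current = None  # one value line per key in this format
    return [tuple(e) for e in entries]


def build_cfscript(entries, bad_files):
    """Build CFScript text (File:: and Registry:: sections, as in the post
    above) that deletes each file in bad_files and removes every startupreg
    key whose command line references one of them. Matching is
    case-insensitive because the log mixes C:\\WINDOWS and C:\\windows.
    """
    bad = [p.lower() for p in bad_files]
    keys = [key for key, cmd in entries
            if any(p in cmd.lower() for p in bad)]
    lines = ["File::"] + list(bad_files) + ["", "Registry::"]
    lines += ["[-%s]" % key for key in keys]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Prints a CFScript with the three files and the etbrun and
    # Protection keys; ccApp (Symantec) and the empty key are left alone.
    print(build_cfscript(parse_startupreg(SAMPLE_LOG), BAD_FILES))
```

The point of matching on the command line rather than on the key name is visible in the Protection entry: the key launches runtask.exe, which in turn launches protection.exe, so both paths have to be in the file list for the key to be caught by either one. Anything the script emits still has to be reviewed against the full log before it is fed to ComboFix, exactly as the analyst did above.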


#15 I Chimera

I Chimera
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:03 PM

Posted 28 November 2007 - 12:33 AM

Once again,


ComboFix 07-11-19.3 - James 2007-11-28 5:13:00.3 - NTFSx86
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\farmmext.exe
C:\WINDOWS\protection.exe
C:\WINDOWS\ramex.exe
C:\WINDOWS\runtask.exe
C:\windows\system32\elitecog32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\newdotnet
C:\Program Files\newdotnet\readme.txt
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr_03000F11.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AtmoHWConfig.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\atmosphere.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AvatarsDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\BlueStreak.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\BookmarksDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\DefaultAvatarIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\DefaultWorldIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\ExtremeShot.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\InternetChatHelp.url
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\LensFlares.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts2Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\ObjectMovie.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\ServiceComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VectorView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VETsdk.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\ZoomView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\AtmoHWConfig.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\AvatarsDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\BookmarksDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\DefaultAvatarIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\DefaultWorldIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\InternetChatHelp.url
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\AtmoHWConfig.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\AvatarsDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\BookmarksDefault.prf
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\DefaultAvatarIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\DefaultWorldIcon.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\InternetChatHelp.url
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt
C:\WINDOWS\protection.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-28 04:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hyperbar
2007-11-18 16:43 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-16 10:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 03:18 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-16 03:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-16 03:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 19:15 <DIR> d-------- C:\Documents and Settings\James\Application Data\AVG7
2007-11-15 19:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-02 19:50 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-11-02 19:48 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-11-01 22:39 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-01 22:38 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-11-01 22:38 <DIR> d-------- C:\Documents and Settings\James\Application Data\PC Tools
2007-11-01 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-01 16:11 <DIR> d-------- C:\Program Files\Security Task Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 05:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-28 04:50 --------- d-----w C:\Program Files\Warez P2P Client
2007-11-28 04:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-27 19:31 --------- d-----w C:\Documents and Settings\James\Application Data\Skype
2007-11-26 23:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-18 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-15 03:41 --------- d-----w C:\Program Files\AutoCAD 2005
2007-11-05 21:40 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-05 21:40 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-05 21:40 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-05 21:40 --------- d-----w C:\Program Files\Symantec
2007-11-02 19:36 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-02 19:01 --------- d-----w C:\Program Files\Norton Password Manager
2007-11-01 22:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-01 22:13 --------- d-----w C:\Program Files\Macromedia
2007-11-01 21:54 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-11-01 21:50 --------- d-----w C:\Program Files\LimeWire
2007-11-01 21:50 --------- d-----w C:\Program Files\Canasta
2007-10-31 21:50 --------- d-----w C:\Documents and Settings\James\Application Data\Symantec
2007-10-31 21:33 --------- d-----w C:\Documents and Settings\Margaret\Application Data\Symantec
2007-10-25 10:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-23 16:35 --------- d-----w C:\Program Files\Program Files
2007-10-23 00:40 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-18 10:15 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-16 01:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-15 19:47 --------- d-----w C:\Documents and Settings\James\Application Data\Download Manager
2007-10-04 20:12 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-04 20:09 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-04 17:11 29,000 ----a-w C:\WINDOWS\system32\drivers\kcom.sys
2007-10-04 17:10 79,688 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-04 17:10 62,280 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-04 17:10 41,288 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2006-02-28 02:33 18,432 ---ha-w C:\Documents and Settings\James\Application Data\EHEncrypt.dll
1997-07-14 12:45 1,031,793 ----a-w C:\Documents and Settings\James\disk.exe
2005-05-05 15:34 56 --sh--r C:\WINDOWS\SYSTEM32\CF303D40FA.sys
.

((((((((((((((((((((((((((((( snapshot@2007-11-25_ 6.16.22.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-26 22:08:29 34,304 ----a-w C:\WINDOWS\SYSTEM32\Audi R8 Screensaver dir\saver1.dll
+ 2007-11-26 22:08:29 18,192 ----a-w C:\WINDOWS\SYSTEM32\Audi R8 Screensaver dir\saver2.dll
+ 2007-11-26 22:08:28 532,480 ----a-w C:\WINDOWS\SYSTEM32\Audi R8 Screensaver.scr
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-25 03:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-11-02 19:49 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 03:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 03:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 07:56]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-02 19:38]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-23 16:18]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 04:53]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 00:58]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-03-04 01:27:54]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 06:05:26]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 01:35:22]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-08-22 18:10:55]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PageKeeper Jobs.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PageKeeper Jobs.lnk
backup=C:\WINDOWS\pss\PageKeeper Jobs.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^James^Start Menu^Programs^Startup^OCRAWARE.lnk]
path=C:\Documents and Settings\James\Start Menu\Programs\Startup\OCRAWARE.lnk
backup=C:\WINDOWS\pss\OCRAWARE.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-10-23 16:18 51048 --a------ C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2003-08-06 01:04 114741 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 10:27 28672 --a------ C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
C:\WINDOWS\NeroCheck.exe /i

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-09-12 00:58 229952 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 14:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-26 19:47 204800 --------- C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Quicktime]
C:\WINDOWS\qttasks.exe /i

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
C:\Program Files\Real\RealPlayer\realplay.exe /RunUPGToolCommandReBoot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R2 ScanDrv;ScanDrv;C:\WINDOWS\system32\drivers\ScanDrv.sys
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-27 00:12:18 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - James.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 05:25:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-28 5:28:48 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-27 00:38
C:\ComboFix3.txt ... 2007-11-25 06:17
.
--- E O F ---



