Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32.agent.pz Help Please!


  • Please log in to reply
17 replies to this topic

#1 VforSteve

VforSteve

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 03 December 2007 - 02:21 AM

I don't know what to do to fix this :thumbsup:

Any help would be greatly appreaciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:36 AM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\ATITool\ATITool.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\wsnpoem.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {245A6CD4-5EA9-B9EB-791A-06F67243094D} - C:\Program Files\Ljatfotb\qqnpcckw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50} - C:\WINDOWS\system32\ljjgdcc.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [xetubury] rundll32.exe "C:\Program Files\xetubury\nmnmjgjg.dll",Init
O4 - HKLM\..\Run: [hgjulyzk] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hgjulyzk.dll"
O4 - HKLM\..\Run: [evqnotkl] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\evqnotkl.dll"
O4 - HKLM\..\Run: [xwtyxyxu] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xwtyxyxu.dll"
O4 - HKLM\..\Run: [gpefctyv] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\gpefctyv.dll"
O4 - HKLM\..\Run: [afcdixir] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\afcdixir.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O4 - Global Startup: FirePod Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1151790425328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156274996203
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\detoured.dll
O20 - Winlogon Notify: ljjgdcc - C:\WINDOWS\SYSTEM32\ljjgdcc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11135 bytes

BC AdBot (Login to Remove)

 


#2 VforSteve

VforSteve
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 03 December 2007 - 01:26 PM

Sorry for the double post...just bumping my thread because I really need help.

Sorry again!!

Thanks all

#3 VforSteve

VforSteve
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 03 December 2007 - 10:24 PM

I'm desperate :thumbsup::blink:

#4 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:05:32 PM

Posted 04 December 2007 - 01:00 PM

Hi, Wellcome to Bleeping Computer Forums!

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patience.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

:thumbsup:
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#5 VforSteve

VforSteve
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 04 December 2007 - 04:10 PM

Thank you so much! Should I post a new Hijack This report because I have run several spybot and avg sweeps since I posted this.

I guess I will post it, just incase you need it...sorry if you didn't!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:09:53 PM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\ATITool\ATITool.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\wsnpoem.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {245A6CD4-5EA9-B9EB-791A-06F67243094D} - C:\Program Files\Ljatfotb\qqnpcckw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50} - C:\WINDOWS\system32\ljjgdcc.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [xetubury] rundll32.exe "C:\Program Files\xetubury\nmnmjgjg.dll",Init
O4 - HKLM\..\Run: [hgjulyzk] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hgjulyzk.dll"
O4 - HKLM\..\Run: [evqnotkl] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\evqnotkl.dll"
O4 - HKLM\..\Run: [xwtyxyxu] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xwtyxyxu.dll"
O4 - HKLM\..\Run: [gpefctyv] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\gpefctyv.dll"
O4 - HKLM\..\Run: [afcdixir] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\afcdixir.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [SpybotDeletingA2605] command /c del "C:\WINDOWS\system32\wsnpoem\video.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6422] cmd /c del "C:\WINDOWS\system32\wsnpoem\video.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6738] command /c del "C:\WINDOWS\system32\wsnpoem\audio.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2898] cmd /c del "C:\WINDOWS\system32\wsnpoem\audio.dll_tobedeleted"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\RunOnce: [SpybotDeletingB5583] command /c del "C:\WINDOWS\system32\wsnpoem\video.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4692] cmd /c del "C:\WINDOWS\system32\wsnpoem\video.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB95] command /c del "C:\WINDOWS\system32\wsnpoem\audio.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4967] cmd /c del "C:\WINDOWS\system32\wsnpoem\audio.dll_tobedeleted"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O4 - Global Startup: FirePod Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1151790425328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156274996203
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\detoured.dll
O20 - Winlogon Notify: ljjgdcc - C:\WINDOWS\SYSTEM32\ljjgdcc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12388 bytes

#6 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:05:32 PM

Posted 04 December 2007 - 05:43 PM

Hi,

Download ComboFix from Here or Here to your Desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#7 VforSteve

VforSteve
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 04 December 2007 - 07:22 PM

Combofix keeps closing when it scans it's own folder...it doesn't create a log either. It does create a zip file though. What should I do?

Nevermind...I am dumb.

ComboFix 07-12-02.6 - Steven 2007-12-04 19:27:24.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.622 [GMT -5:00]
Running from: C:\Documents and Settings\Steven\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\wsnpoem.sys
C:\WINDOWS\system32\wsnpoem.exe
C:\WINDOWS\system32\xpdx.sys
.
---- Previous Run -------
.
C:\d.exe
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\SecCenter\scprot4.exe.bak
C:\WINDOWS\system32\bwbkcnad
C:\WINDOWS\system32\bwbkcnad\bg1.gif
C:\WINDOWS\system32\bwbkcnad\bgtop.gif
C:\WINDOWS\system32\bwbkcnad\bottom1.gif
C:\WINDOWS\system32\bwbkcnad\bwbkcnad1.exe
C:\WINDOWS\system32\bwbkcnad\bwbkcnad2.exe
C:\WINDOWS\system32\bwbkcnad\bwbkcnad3.exe
C:\WINDOWS\system32\bwbkcnad\essentials.gif
C:\WINDOWS\system32\bwbkcnad\icon1.ico
C:\WINDOWS\system32\bwbkcnad\install1.gif
C:\WINDOWS\system32\bwbkcnad\left1.gif
C:\WINDOWS\system32\bwbkcnad\li.gif
C:\WINDOWS\system32\bwbkcnad\logo.gif
C:\WINDOWS\system32\bwbkcnad\main.htm
C:\WINDOWS\system32\bwbkcnad\mainframe.htm
C:\WINDOWS\system32\bwbkcnad\reinstall1.gif
C:\WINDOWS\system32\bwbkcnad\right1.gif
C:\WINDOWS\system32\bwbkcnad\s1.htm
C:\WINDOWS\system32\bwbkcnad\s2.htm
C:\WINDOWS\system32\bwbkcnad\s3.htm
C:\WINDOWS\system32\bwbkcnad\SMTop1.gif
C:\WINDOWS\system32\bwbkcnad\SMTop2.gif
C:\WINDOWS\system32\bwbkcnad\SMTop3.gif
C:\WINDOWS\system32\bwbkcnad\SMTop4.gif
C:\WINDOWS\system32\bwbkcnad\soft1_off.gif
C:\WINDOWS\system32\bwbkcnad\soft1_off_ext.gif
C:\WINDOWS\system32\bwbkcnad\soft1_on.gif
C:\WINDOWS\system32\bwbkcnad\soft1_on_ext.gif
C:\WINDOWS\system32\bwbkcnad\soft2_off.gif
C:\WINDOWS\system32\bwbkcnad\soft2_off_ext.gif
C:\WINDOWS\system32\bwbkcnad\soft2_on.gif
C:\WINDOWS\system32\bwbkcnad\soft2_on_ext.gif
C:\WINDOWS\system32\bwbkcnad\soft3_off.gif
C:\WINDOWS\system32\bwbkcnad\soft3_off_ext.gif
C:\WINDOWS\system32\bwbkcnad\soft3_on.gif
C:\WINDOWS\system32\bwbkcnad\soft3_on_ext.gif
C:\WINDOWS\system32\bwbkcnad\softbottom_off.gif
C:\WINDOWS\system32\bwbkcnad\softbottom_on.gif
C:\WINDOWS\system32\bwbkcnad\softleft_off.gif
C:\WINDOWS\system32\bwbkcnad\softleft_on.gif
C:\WINDOWS\system32\bwbkcnad\top1.gif
C:\WINDOWS\system32\bwbkcnad\top2.gif
C:\WINDOWS\system32\bwbkcnad\turnoff1.gif
C:\WINDOWS\system32\bwbkcnad\turnon1.gif
C:\WINDOWS\system32\drvfutr.dll
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\xpdx.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_WSNPOEM.SYS
-------\wsnpoem.sys
-------\xpdx


-------\LEGACY_XPDX


-------\LEGACY_XPDX


-------\LEGACY_XPDX


-------\LEGACY_XPDX


-------\LEGACY_XPDX


-------\LEGACY_XPDX


((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.

2007-12-03 20:01 . 2007-12-03 20:01 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\Grisoft
2007-12-03 20:01 . 2007-12-03 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-03 20:01 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-02 17:22 . 2007-12-02 17:22 <DIR> d-------- C:\Program Files\Ljatfotb
2007-12-02 09:14 . 2007-12-02 09:14 <DIR> d-------- C:\Program Files\Sobwjscd
2007-12-01 20:11 . 2007-12-01 20:11 <DIR> d-------- C:\Program Files\Vwrhzqzh
2007-12-01 19:39 . 2007-12-01 19:39 <DIR> d-------- C:\Program Files\Fndkxixc
2007-12-01 18:09 . 2007-12-01 18:09 57,856 --a------ C:\oaif.exe
2007-12-01 18:09 . 2007-12-01 18:09 46,292 --a------ C:\rtfjiqam.exe
2007-12-01 18:09 . 2007-12-01 18:09 2 --a------ C:\-2073916336
2007-12-01 18:06 . 2007-12-01 18:06 <DIR> d-------- C:\Program Files\xetubury
2007-12-01 18:06 . 2007-12-01 18:06 <DIR> d-------- C:\Program Files\Akaqohjr
2007-12-01 18:06 . 2007-12-01 18:06 1,148,902 --a------ C:\Install
2007-12-01 18:06 . 2007-12-01 18:06 102,912 --a------ C:\WINDOWS\system32\drvfut.dll
2007-12-01 18:06 . 2007-12-01 18:06 35,840 --a------ C:\WINDOWS\system32\ljjgdcc.dll
2007-12-01 18:06 . 2007-12-01 18:06 34,304 --a------ C:\WINDOWS\system32\iifddda.dll
2007-11-14 06:57 . 2007-11-14 06:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sophos

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 18:16 --------- d-----w C:\Program Files\Warcraft III
2007-11-19 22:04 --------- d-----w C:\Program Files\Hi-Net Software
2007-11-19 22:00 --------- d-----w C:\Program Files\WinPcap
2007-11-19 05:36 --------- d-----w C:\Program Files\Sophos
2007-10-28 16:16 --------- d-----w C:\Program Files\AIM6
2007-10-28 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-28 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-27 23:13 --------- d-----w C:\Documents and Settings\Steven\Application Data\Azureus
2007-10-24 23:01 --------- d-----w C:\Program Files\Full Tilt Poker
2007-10-20 16:36 --------- d-----w C:\Program Files\Java
2007-10-19 19:10 --------- d-----w C:\Program Files\QuickSFV
2007-10-16 21:39 12,788,931 ----a-w C:\Program Files\FullTiltSetup.exe
2007-10-16 21:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-15 20:27 --------- d-----w C:\Program Files\Azureus
2007-10-12 17:50 --------- d-----w C:\Program Files\World of Warcraft
2007-10-11 21:39 --------- d-----w C:\Program Files\DivX
2007-10-08 03:51 --------- d-----w C:\Documents and Settings\Steven\Application Data\Apple Computer
2007-10-08 03:42 --------- d-----w C:\Program Files\IK Multimedia
2007-10-08 03:39 --------- d-----w C:\Program Files\Common Files\Digidesign
2007-10-08 03:39 --------- d-----w C:\Program Files\Antares Audio Technologies
2007-10-08 03:32 --------- d-----w C:\Program Files\ASIO4ALL v2
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-09-28 16:07 120,056 ------w C:\WINDOWS\system32\PxCpyI64.exe
2007-09-28 16:07 118,520 ------w C:\WINDOWS\system32\PxInsI64.exe
2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-25 21:00 2,766,648 ----a-w C:\Program Files\isobuster_all_lang.exe
2007-09-23 18:54 2,495,288 ----a-w C:\Program Files\bootdreams_061.exe
2007-09-19 23:25 11,445,497 ----a-w C:\Program Files\mameppk_bin_gcc-0.119-20070914.zip
2007-08-21 18:38 3,097,334 ----a-w C:\Program Files\DotArank_v23beta_setup.exe
2007-07-25 19:13 49,943,864 ----a-w C:\Program Files\iTunesSetup.exe
2007-06-13 05:02 5,380,096 ----a-w C:\Program Files\Azureus_3.0.1.4_windows.exe
2007-03-04 19:35 2,394,383 ----a-w C:\Program Files\WC3Banlist_3.0.exe
2007-02-22 23:28 698,176 ----a-w C:\Program Files\LOTRO_Beta2_Downloader.exe
2007-02-12 18:57 359,112 ----a-w C:\Program Files\LimeWireWin.exe
2007-01-10 22:02 6,440,983 ----a-w C:\Program Files\VideoraiPodConverter_Install.exe
2006-12-09 01:25 9,817,673 ----a-w C:\Program Files\bitpim-0.9.09-setup.exe
2006-12-08 04:35 24,192 ----a-w C:\Documents and Settings\Steven\usbsermptxp.sys
2006-12-08 04:35 22,768 ----a-w C:\Documents and Settings\Steven\usbsermpt.sys
2006-12-08 04:00 92,064 ----a-w C:\Documents and Settings\Steven\mqdmmdm.sys
2006-12-08 04:00 9,232 ----a-w C:\Documents and Settings\Steven\mqdmmdfl.sys
2006-12-08 04:00 79,328 ----a-w C:\Documents and Settings\Steven\mqdmserd.sys
2006-12-08 04:00 66,656 ----a-w C:\Documents and Settings\Steven\mqdmbus.sys
2006-12-08 04:00 6,208 ----a-w C:\Documents and Settings\Steven\mqdmcmnt.sys
2006-12-08 04:00 5,936 ----a-w C:\Documents and Settings\Steven\mqdmwhnt.sys
2006-12-08 04:00 4,048 ----a-w C:\Documents and Settings\Steven\mqdmcr.sys
2006-10-05 01:59 94,124,474 ----a-w C:\Program Files\StudioPatch10_6_0.exe
2006-09-25 21:09 5,917,258 ----a-w C:\Program Files\powertab.zip
2006-09-12 02:14 420,350,502 ----a-w C:\Program Files\MSSetup.exe
2006-07-25 02:55 59,310,760 ----a-w C:\Program Files\iPodSetup.exe
2006-07-01 23:26 376 ----a-w C:\Program Files\Shortcut to setup.lnk
2006-06-04 06:09 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2006-06-01 04:00 1,059,159 ----a-w C:\Program Files\ATITool_0.24.exe
2006-05-17 05:52 3,932,910 ----a-w C:\Program Files\TM20.exe
2005-08-21 20:57 6,147,272 ----a-w C:\Program Files\cuteftppro.exe
2005-07-29 16:47 1,014,067 ----a-w C:\Program Files\wrar35b7.exe
2005-04-29 00:50 4,466,776 ----a-w C:\Program Files\Install_AIM.exe
2004-07-26 07:16 1,117,491 ----a-w C:\Program Files\dvdshrink32setup.exe
2003-08-20 10:06 2,512,896 ----a-w C:\Program Files\PTEditor17.msi
2003-08-20 10:05 41 ----a-w C:\Program Files\Setup.Ini
2002-07-26 22:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2002-01-05 11:46 65,536 ----a-w C:\Program Files\Setup.Exe
2001-09-25 19:05 1,707,856 ----a-w C:\Program Files\InstMsiA.Exe
2001-09-11 22:04 1,821,008 ----a-w C:\Program Files\InstMsiW.Exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{245A6CD4-5EA9-B9EB-791A-06F67243094D}]
2007-12-02 17:22 102400 --a------ C:\Program Files\Ljatfotb\qqnpcckw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50}]
2007-12-01 18:06 35840 --a------ C:\WINDOWS\system32\ljjgdcc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 20:05]
"D-Link Air Utility"="C:\Program Files\D-Link\Air Utility\AirCFG.exe" [2003-09-23 17:04]
"ANIWZCSService"="C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 15:12]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 09:43]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 00:00]
"CTHelper"="CTHELPER.EXE" [2004-03-10 20:50 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 00:05]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 14:36]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 16:41]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 09:57]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-22 23:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"PCLEUSBTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 15:42]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"USB2Check"="RUNDLL32.exe" [2004-08-12 08:27 C:\WINDOWS\system32\rundll32.exe]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-01-23 15:42]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2003-11-10 15:06]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44]
"razer"="C:\Program Files\Razer\Copperhead\razerhid.exe" [2005-10-08 15:27]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

C:\Documents and Settings\Steven\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-03-04 01:09:01]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
ATITool.lnk - C:\Program Files\ATITool\ATITool.exe [2005-05-30 17:58:48]
FirePod Control Panel.lnk - C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe [2006-07-01 17:36:30]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-06-30 10:20:43]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50}"= C:\WINDOWS\system32\ljjgdcc.dll [2007-12-01 18:06 35840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjgdcc]
ljjgdcc.dll 2007-12-01 18:06 35840 C:\WINDOWS\system32\ljjgdcc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Sophos\SOPHOS~1\detoured.dll

R1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys
R3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 pae_1394;pae_1394;C:\WINDOWS\system32\Drivers\pae_1394.sys
S3 pae_avs;pae_avs;C:\WINDOWS\system32\Drivers\pae_avs.sys
S3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;C:\WINDOWS\system32\DRIVERS\PRISMNDS.sys
S3 ps_1394;ps_1394;C:\WINDOWS\system32\Drivers\ps_1394.sys
S3 ps_avs;ps_avs;C:\WINDOWS\system32\Drivers\ps_avs.sys
S3 UsbFltr;%SvcDisplayName%;C:\WINDOWS\system32\drivers\copperhd.sys
S4 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 19:39:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\WindowsShell.Manifest 749 bytes
C:\WINDOWS\WindowsUpdate.log 1995771 bytes
C:\WINDOWS\winhelp.exe 256192 bytes
C:\WINDOWS\winhlp32.exe 283648 bytes executable
C:\WINDOWS\wininit.ini 2749 bytes
C:\WINDOWS\wmprfnld.prx 32964 bytes
C:\WINDOWS\winnt.bmp 48680 bytes
C:\WINDOWS\winnt256.bmp 48680 bytes
C:\WINDOWS\WinSxS
C:\WINDOWS\WMFDist11.log 33623 bytes
C:\WINDOWS\wmp11.log 21446 bytes
C:\WINDOWS\WMPrfAra.prx 33336 bytes
C:\WINDOWS\WMPrfCHS.prx 136 bytes
C:\WINDOWS\WMPrfCHT.prx 132 bytes
C:\WINDOWS\wmprfcsy.prx 35474 bytes
C:\WINDOWS\wmprfdan.prx 31712 bytes
C:\WINDOWS\WMPrfDeu.prx 33820 bytes
C:\WINDOWS\wmprfell.prx 36594 bytes
C:\WINDOWS\wmprfesp.prx 35590 bytes
C:\WINDOWS\wmprffin.prx 31764 bytes
C:\WINDOWS\wmprffra.prx 37916 bytes
C:\WINDOWS\wmprfheb.prx 28718 bytes
C:\WINDOWS\wmprfhun.prx 37014 bytes
C:\WINDOWS\wmprfita.prx 35680 bytes
C:\WINDOWS\WMPrfJpn.prx 23304 bytes
C:\WINDOWS\WMPrfKor.prx 22338 bytes
C:\WINDOWS\wmprfnor.prx 32852 bytes
C:\WINDOWS\wmprfplk.prx 35822 bytes
C:\WINDOWS\wmprfptb.prx 33694 bytes
C:\WINDOWS\wmprfptg.prx 35916 bytes
C:\WINDOWS\wmprfrus.prx 804 bytes
C:\WINDOWS\wmprfsky.prx 38232 bytes
C:\WINDOWS\wmprfslv.prx 33580 bytes
C:\WINDOWS\wmprfsve.prx 33314 bytes
C:\WINDOWS\wmprftrk.prx 32022 bytes
C:\WINDOWS\wmsetup.log 123352 bytes
C:\WINDOWS\wmsetup10.log 3731 bytes
C:\WINDOWS\WMSysPr9.prx 316640 bytes
C:\WINDOWS\Wudf01000Inst.log 14461 bytes
C:\WINDOWS\xpsp1hfm.log 390 bytes
C:\WINDOWS\Zapotec.bmp 9522 bytes
C:\WINDOWS\_default.pif 707 bytes
C:\WINDOWS\{00000004-00000000-00000002-00001102-00000004-20061102}.BAK 4933091 bytes
C:\WINDOWS\{00000004-00000000-00000002-00001102-00000004-20061102}.CDF 4933091 bytes
C:\WINDOWS\È 99 bytes

scan completed successfully
hidden files: 45

**************************************************************************
.
Completion time: 2007-12-04 19:39:42 - machine was rebooted
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:05 PM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ATITool\ATITool.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {245A6CD4-5EA9-B9EB-791A-06F67243094D} - C:\Program Files\Ljatfotb\qqnpcckw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50} - C:\WINDOWS\system32\ljjgdcc.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O4 - Global Startup: FirePod Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1151790425328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156274996203
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\detoured.dll
O20 - Winlogon Notify: ljjgdcc - C:\WINDOWS\SYSTEM32\ljjgdcc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10661 bytes

Edited by VforSteve, 04 December 2007 - 07:41 PM.


#8 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:05:32 PM

Posted 05 December 2007 - 06:19 PM

Hello,
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:

Folder::
C:\Program Files\Ljatfotb
C:\Program Files\Sobwjscd
C:\Program Files\Vwrhzqzh
C:\Program Files\Fndkxixc
C:\Program Files\xetubury
C:\Program Files\Akaqohjr
C:\-2073916336
C:\Install

File::
C:\oaif.exe
C:\rtfjiqam.exe
C:\WINDOWS\system32\drvfut.dll
C:\WINDOWS\system32\ljjgdcc.dll
C:\WINDOWS\system32\iifddda.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{245A6CD4-5EA9-B9EB-791A-06F67243094D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{79B3844B-6DAC-4B78-B0B8-C99D8BBDCD50}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjgdcc]

  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Refering to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Please go here to run an online scannner from ESET:
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems
In your next reply, please post:
  • The results from ComboFix.
  • The results from Eset online scanner.
  • A new HijackThis log.
  • Also let me know about of any remaining problems.
Regards
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#9 VforSteve

VforSteve
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 06 December 2007 - 02:12 AM

ComboFix 07-12-02.6 - Steven 2007-12-06 1:05:39.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.580 [GMT -5:00]
Running from: C:\Documents and Settings\Steven\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steven\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\oaif.exe
C:\rtfjiqam.exe
C:\WINDOWS\system32\drvfut.dll
C:\WINDOWS\system32\iifddda.dll
C:\WINDOWS\system32\ljjgdcc.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-2073916336\
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Steven\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Steven\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Steven\Favorites\Online Security Guide.lnk
C:\Install\
C:\WINDOWS\system32\pyhecwkr.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.

2007-12-05 22:15 . 2007-12-06 01:11 6,834 --ahs---- C:\WINDOWS\system32\npqss.ini2
2007-12-05 22:15 . 2007-12-06 01:12 6,834 --ahs---- C:\WINDOWS\system32\npqss.ini
2007-12-05 21:23 . 2007-12-05 21:23 145,984 --a------ C:\WINDOWS\system32\pyhecwkr.dll
2007-12-05 21:22 . 2007-12-05 21:22 145,984 --a------ C:\WINDOWS\system32\iqqktben.dll
2007-12-04 21:22 . 2007-12-04 21:22 331,872 --a------ C:\WINDOWS\system32\ssqpn.dll
2007-12-03 20:01 . 2007-12-03 20:01 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\Grisoft
2007-12-03 20:01 . 2007-12-03 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-03 20:01 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-01 18:09 . 2007-12-01 18:09 2 --a------ C:\-2073916336
2007-12-01 18:06 . 2007-12-01 18:06 1,148,902 --a------ C:\Install
2007-11-14 06:57 . 2007-11-14 06:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sophos

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 18:16 --------- d-----w C:\Program Files\Warcraft III
2007-11-19 22:04 --------- d-----w C:\Program Files\Hi-Net Software
2007-11-19 22:00 --------- d-----w C:\Program Files\WinPcap
2007-11-19 05:36 --------- d-----w C:\Program Files\Sophos
2007-10-28 16:16 --------- d-----w C:\Program Files\AIM6
2007-10-28 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-28 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-27 23:13 --------- d-----w C:\Documents and Settings\Steven\Application Data\Azureus
2007-10-24 23:01 --------- d-----w C:\Program Files\Full Tilt Poker
2007-10-20 16:36 --------- d-----w C:\Program Files\Java
2007-10-19 19:10 --------- d-----w C:\Program Files\QuickSFV
2007-10-16 21:39 12,788,931 ----a-w C:\Program Files\FullTiltSetup.exe
2007-10-16 21:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-15 20:27 --------- d-----w C:\Program Files\Azureus
2007-10-12 17:50 --------- d-----w C:\Program Files\World of Warcraft
2007-10-11 21:39 --------- d-----w C:\Program Files\DivX
2007-10-08 03:51 --------- d-----w C:\Documents and Settings\Steven\Application Data\Apple Computer
2007-10-08 03:42 --------- d-----w C:\Program Files\IK Multimedia
2007-10-08 03:39 --------- d-----w C:\Program Files\Common Files\Digidesign
2007-10-08 03:39 --------- d-----w C:\Program Files\Antares Audio Technologies
2007-10-08 03:32 --------- d-----w C:\Program Files\ASIO4ALL v2
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-09-28 16:07 120,056 ----a-w C:\WINDOWS\system32\PxCpyI64.exe
2007-09-28 16:07 118,520 ----a-w C:\WINDOWS\system32\PxInsI64.exe
2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-25 21:00 2,766,648 ----a-w C:\Program Files\isobuster_all_lang.exe
2007-09-23 18:54 2,495,288 ----a-w C:\Program Files\bootdreams_061.exe
2007-09-19 23:25 11,445,497 ----a-w C:\Program Files\mameppk_bin_gcc-0.119-20070914.zip
2007-08-21 18:38 3,097,334 ----a-w C:\Program Files\DotArank_v23beta_setup.exe
2007-07-25 19:13 49,943,864 ----a-w C:\Program Files\iTunesSetup.exe
2007-06-13 05:02 5,380,096 ----a-w C:\Program Files\Azureus_3.0.1.4_windows.exe
2007-03-04 19:35 2,394,383 ----a-w C:\Program Files\WC3Banlist_3.0.exe
2007-02-22 23:28 698,176 ----a-w C:\Program Files\LOTRO_Beta2_Downloader.exe
2007-02-12 18:57 359,112 ----a-w C:\Program Files\LimeWireWin.exe
2007-01-10 22:02 6,440,983 ----a-w C:\Program Files\VideoraiPodConverter_Install.exe
2006-12-09 01:25 9,817,673 ----a-w C:\Program Files\bitpim-0.9.09-setup.exe
2006-12-08 04:35 24,192 ----a-w C:\Documents and Settings\Steven\usbsermptxp.sys
2006-12-08 04:35 22,768 ----a-w C:\Documents and Settings\Steven\usbsermpt.sys
2006-12-08 04:00 92,064 ----a-w C:\Documents and Settings\Steven\mqdmmdm.sys
2006-12-08 04:00 9,232 ----a-w C:\Documents and Settings\Steven\mqdmmdfl.sys
2006-12-08 04:00 79,328 ----a-w C:\Documents and Settings\Steven\mqdmserd.sys
2006-12-08 04:00 66,656 ----a-w C:\Documents and Settings\Steven\mqdmbus.sys
2006-12-08 04:00 6,208 ----a-w C:\Documents and Settings\Steven\mqdmcmnt.sys
2006-12-08 04:00 5,936 ----a-w C:\Documents and Settings\Steven\mqdmwhnt.sys
2006-12-08 04:00 4,048 ----a-w C:\Documents and Settings\Steven\mqdmcr.sys
2006-10-05 01:59 94,124,474 ----a-w C:\Program Files\StudioPatch10_6_0.exe
2006-09-25 21:09 5,917,258 ----a-w C:\Program Files\powertab.zip
2006-09-12 02:14 420,350,502 ----a-w C:\Program Files\MSSetup.exe
2006-07-25 02:55 59,310,760 ----a-w C:\Program Files\iPodSetup.exe
2006-07-01 23:26 376 ----a-w C:\Program Files\Shortcut to setup.lnk
2006-06-04 06:09 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2006-06-01 04:00 1,059,159 ----a-w C:\Program Files\ATITool_0.24.exe
2006-05-17 05:52 3,932,910 ----a-w C:\Program Files\TM20.exe
2005-08-21 20:57 6,147,272 ----a-w C:\Program Files\cuteftppro.exe
2005-07-29 16:47 1,014,067 ----a-w C:\Program Files\wrar35b7.exe
2005-04-29 00:50 4,466,776 ----a-w C:\Program Files\Install_AIM.exe
2004-07-26 07:16 1,117,491 ----a-w C:\Program Files\dvdshrink32setup.exe
2003-08-20 10:06 2,512,896 ----a-w C:\Program Files\PTEditor17.msi
2003-08-20 10:05 41 ----a-w C:\Program Files\Setup.Ini
2002-07-26 22:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2002-01-05 11:46 65,536 ----a-w C:\Program Files\Setup.Exe
2001-09-25 19:05 1,707,856 ----a-w C:\Program Files\InstMsiA.Exe
2001-09-11 22:04 1,821,008 ----a-w C:\Program Files\InstMsiW.Exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4282E6ED-D22E-4F0C-8300-16F50EF29338}]
2007-12-04 21:22 331872 --a------ C:\WINDOWS\system32\ssqpn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-12-05 21:23 145984 --a------ C:\WINDOWS\system32\pyhecwkr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\pyhecwkr.dll [2007-12-05 21:23 145984]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 20:05]
"D-Link Air Utility"="C:\Program Files\D-Link\Air Utility\AirCFG.exe" [2003-09-23 17:04]
"ANIWZCSService"="C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 15:12]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 09:43]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 00:00]
"CTHelper"="CTHELPER.EXE" [2004-03-10 20:50 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 00:05]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 14:36]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 16:41]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 09:57]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-22 23:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"PCLEUSBTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 15:42]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"USB2Check"="RUNDLL32.exe" [2004-08-12 08:27 C:\WINDOWS\system32\rundll32.exe]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-01-23 15:42]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2003-11-10 15:06]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44]
"razer"="C:\Program Files\Razer\Copperhead\razerhid.exe" [2005-10-08 15:27]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

C:\Documents and Settings\Steven\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-03-04 01:09:01]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
ATITool.lnk - C:\Program Files\ATITool\ATITool.exe [2005-05-30 17:58:48]
FirePod Control Panel.lnk - C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe [2006-07-01 17:36:30]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-06-30 10:20:43]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pyhecwkr]
pyhecwkr.dll 2007-12-05 21:23 145984 C:\WINDOWS\system32\pyhecwkr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Sophos\SOPHOS~1\detoured.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ssqpn.dll

R1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys
R3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 pae_1394;pae_1394;C:\WINDOWS\system32\Drivers\pae_1394.sys
S3 pae_avs;pae_avs;C:\WINDOWS\system32\Drivers\pae_avs.sys
S3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;C:\WINDOWS\system32\DRIVERS\PRISMNDS.sys
S3 ps_1394;ps_1394;C:\WINDOWS\system32\Drivers\ps_1394.sys
S3 ps_avs;ps_avs;C:\WINDOWS\system32\Drivers\ps_avs.sys
S3 UsbFltr;%SvcDisplayName%;C:\WINDOWS\system32\drivers\copperhd.sys
S4 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 01:11:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\WindowsShell.Manifest 749 bytes
C:\WINDOWS\WindowsUpdate.log 2049106 bytes
C:\WINDOWS\winhelp.exe 256192 bytes
C:\WINDOWS\winhlp32.exe 283648 bytes executable
C:\WINDOWS\wininit.ini 2864 bytes
C:\WINDOWS\wmprfnld.prx 32964 bytes
C:\WINDOWS\winnt.bmp 48680 bytes
C:\WINDOWS\winnt256.bmp 48680 bytes
C:\WINDOWS\WinSxS
C:\WINDOWS\WMFDist11.log 33623 bytes
C:\WINDOWS\wmp11.log 21446 bytes
C:\WINDOWS\WMPrfAra.prx 33336 bytes
C:\WINDOWS\WMPrfCHS.prx 136 bytes
C:\WINDOWS\WMPrfCHT.prx 132 bytes
C:\WINDOWS\wmprfcsy.prx 35474 bytes
C:\WINDOWS\wmprfdan.prx 31712 bytes
C:\WINDOWS\WMPrfDeu.prx 33820 bytes
C:\WINDOWS\wmprfell.prx 36594 bytes
C:\WINDOWS\wmprfesp.prx 35590 bytes
C:\WINDOWS\wmprffin.prx 31764 bytes
C:\WINDOWS\wmprffra.prx 37916 bytes
C:\WINDOWS\wmprfheb.prx 28718 bytes
C:\WINDOWS\wmprfhun.prx 37014 bytes
C:\WINDOWS\wmprfita.prx 35680 bytes
C:\WINDOWS\WMPrfJpn.prx 23304 bytes
C:\WINDOWS\WMPrfKor.prx 22338 bytes
C:\WINDOWS\wmprfnor.prx 32852 bytes
C:\WINDOWS\wmprfplk.prx 35822 bytes
C:\WINDOWS\wmprfptb.prx 33694 bytes
C:\WINDOWS\wmprfptg.prx 35916 bytes
C:\WINDOWS\wmprfrus.prx 804 bytes
C:\WINDOWS\wmprfsky.prx 38232 bytes
C:\WINDOWS\wmprfslv.prx 33580 bytes
C:\WINDOWS\wmprfsve.prx 33314 bytes
C:\WINDOWS\wmprftrk.prx 32022 bytes
C:\WINDOWS\wmsetup.log 123352 bytes
C:\WINDOWS\wmsetup10.log 3731 bytes
C:\WINDOWS\WMSysPr9.prx 316640 bytes
C:\WINDOWS\Wudf01000Inst.log 14461 bytes
C:\WINDOWS\xpsp1hfm.log 390 bytes
C:\WINDOWS\Zapotec.bmp 9522 bytes
C:\WINDOWS\_default.pif 707 bytes
C:\WINDOWS\{00000004-00000000-00000002-00001102-00000004-20061102}.BAK 4933091 bytes
C:\WINDOWS\{00000004-00000000-00000002-00001102-00000004-20061102}.CDF 4933091 bytes
C:\WINDOWS\È 99 bytes

scan completed successfully
hidden files: 45

**************************************************************************
.
Completion time: 2007-12-06 1:13:13 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-04 19:39
.
--- E O F ---

I can't copy and paste the Eset results...it found 18 harmful products and was unable to clean many of them.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:36 AM, on 12/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ATITool\ATITool.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pyhecwkr.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O4 - Global Startup: FirePod Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1151790425328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156274996203
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\detoured.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9978 bytes

#10 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:05:32 PM

Posted 06 December 2007 - 11:54 AM

Hi,

1. Please update your AVG Anti-Spyware.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
  • Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
2. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


3. Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\npqss.ini2
C:\WINDOWS\system32\npqss.ini
C:\WINDOWS\system32\pyhecwkr.dll
C:\WINDOWS\system32\iqqktben.dll
C:\WINDOWS\system32\ssqpn.dll


Folder::
C:\-2073916336
C:\Install

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4282E6ED-D22E-4F0C-8300-16F50EF29338}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
[-HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pyhecwkr]

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Refering to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



4. Reboot your computer in SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

5. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
  • Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
6. Please go HERE to run Panda's TotalScan
  • Select the bubble for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report
7. In your next reply please post:
  • A new HijackThis log.
  • ComboFix results.
  • AVG Anti-Spyware results.
  • Panda's TotalScan results.
Regards
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#11 VforSteve

VforSteve
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 07 December 2007 - 12:21 PM

Hey, I am away from my computer until Sunday, I was not able to finish up those scans before I left, but I will post all the results on Sunday, when I am back. Thanks so much for your continued help, I really appreaciate it.

#12 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:05:32 PM

Posted 08 December 2007 - 01:42 PM

OK VforSteve,

No problem i wait! :thumbsup:
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#13 VforSteve

VforSteve
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 10 December 2007 - 11:19 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:34 AM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\ATITool\ATITool.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O4 - Global Startup: FirePod Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1151790425328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156274996203
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\detoured.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10428 bytes

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:40:32 PM 12/5/2007

+ Scan result:



C:\Documents and Settings\Steven\Cookies\steven@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Steven\Cookies\steven@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Steven\Cookies\steven@media.adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Steven\Cookies\steven@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Steven\Cookies\steven@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Steven\Cookies\steven@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Steven\Cookies\steven@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Steven\Cookies\steven@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Steven\Cookies\steven@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Steven\Cookies\steven@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Steven\Cookies\steven@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Steven\Cookies\steven@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.


::Report end

;***********************************************************************************************************************************************************************************
ANALYSIS: 2007-12-10 09:35:51
PROTECTIONS: 0
MALWARE: 35
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@doubleclick[1].txt
00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@ccbill[1].txt
00162900 Cookie/MediaTickets TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@kinghost[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@com[2].txt
00167672 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@landing.domainsponsor[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@xiti[1].txt
00167744 Cookie/GoStats TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@gostats[2].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@azjmp[1].txt
00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@toplist[2].txt
00167795 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@club.cdfreaks[1].txt
00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@cdfreaks[2].txt
00171633 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@www5.addfreestats[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@questionmarket[2].txt
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@bravenet[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@go[2].txt
00216065 Cookie/Screensavers TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@i.screensavers[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@atwola[2].txt
00286732 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@www3.addfreestats[1].txt
00286734 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@adserver.filefront[2].txt
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\NirCmd.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Steven\Desktop\ComboFix.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Steven\Desktop\ComboFix.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP627\A0152385.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP626\A0152324.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP625\A0152237.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP624\A0150203.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP623\A0149145.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP622\A0148079.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP621\A0148014.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP621\A0147985.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP621\A0147985.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP621\A0147973.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP621\A0147845.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP621\A0147929.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP621\A0147887.exe
01559636 Adware/WinAntiSpyware Adware No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP621\A0147801.dll
01559636 Adware/WinAntiSpyware Adware No 0 Yes No C:\qoobox\Quarantine\C\WINDOWS\system32\drvfutr.dll.vir
01559760 Application/MagicAntiSpy HackTools No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP618\A0145620.exe
01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Steven\Cookies\steven@adserver.easyad[2].txt
02684838 W32/Virutas.Z Virus No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP618\A0146615.exe
02688348 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP628\A0152406.dll
02688348 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP628\A0152398.dll
02688348 Spyware/Virtumonde Spyware No 1 Yes No C:\qoobox\Quarantine\C\WINDOWS\system32\pyhecwkr.dll.vir
02688348 Spyware/Virtumonde Spyware No 1 Yes No C:\qoobox\Quarantine\catchme2007-12-06_161549.01.zip[pyhecwkr.dll]
02688348 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP627\A0152379.dll
02733269 Application/UltimateCleaner HackTools No 0 Yes No C:\qoobox\Quarantine\C\WINDOWS\system32\bwbkcnad\bwbkcnad3.exe.vir
02733269 Application/UltimateCleaner HackTools No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP621\A0147800.exe
02865988 Adware/MalwareAlarm Adware No 1 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP618\A0145614.exe
02874271 Adware/UltimateFixer Adware No 0 Yes No C:\qoobox\Quarantine\C\WINDOWS\system32\bwbkcnad\bwbkcnad1.exe.vir
02874271 Adware/UltimateFixer Adware No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP621\A0147798.exe
02874272 Adware/UltimateFixer Adware No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP621\A0147799.exe
02874272 Adware/UltimateFixer Adware No 0 Yes No C:\qoobox\Quarantine\C\WINDOWS\system32\bwbkcnad\bwbkcnad2.exe.vir
02874327 Spyware/Virtumonde Spyware No 1 Yes No C:\qoobox\Quarantine\C\WINDOWS\system32\iifddda.dll.vir
02874327 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP623\A0148101.dll
02883023 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP623\A0148105.dll
02883023 Spyware/Virtumonde Spyware No 1 Yes No C:\qoobox\Quarantine\catchme2007-12-05_221048.32.zip[ljjgdcc.dll]
02883429 W32/Rizalof.AHW.worm Virus/Worm No 1 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP623\A0148098.exe
02883429 W32/Rizalof.AHW.worm Virus/Worm No 1 Yes No C:\qoobox\Quarantine\C\oaif.exe.vir
02883479 Spyware/Virtumonde Spyware No 1 Yes No C:\qoobox\Quarantine\C\Program Files\xetubury\nmnmjgjg.dll.vir
02883479 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP623\A0148097.dll
02883738 Dialer.KVW Dialers No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP623\A0148100.dll
02883738 Dialer.KVW Dialers No 0 Yes No C:\qoobox\Quarantine\C\WINDOWS\system32\drvfut.dll.vir
02883803 Spyware/Vundo Spyware No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP623\A0148093.dll
02883803 Spyware/Vundo Spyware No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP623\A0148094.dll
02883803 Spyware/Vundo Spyware No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP623\A0148096.dll
02883803 Spyware/Vundo Spyware No 0 Yes No C:\qoobox\Quarantine\C\Program Files\Ljatfotb\qqnpcckw.dll.vir
02883803 Spyware/Vundo Spyware No 0 Yes No C:\qoobox\Quarantine\C\Program Files\Sobwjscd\abkkrbct.dll.vir
02883803 Spyware/Vundo Spyware No 0 Yes No C:\qoobox\Quarantine\C\Program Files\Fndkxixc\faxfiznp.dll.vir
02883803 Spyware/Vundo Spyware No 0 Yes No C:\qoobox\Quarantine\C\Program Files\Akaqohjr\fabfymae.dll.vir
02883803 Spyware/Vundo Spyware No 0 Yes No C:\qoobox\Quarantine\C\Program Files\Vwrhzqzh\lzoofyao.dll.vir
02883803 Spyware/Vundo Spyware No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP620\A0147792.dll
02883803 Spyware/Vundo Spyware No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP618\A0147649.dll
02883803 Spyware/Vundo Spyware No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP623\A0148095.dll
02883803 Spyware/Vundo Spyware No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP618\A0146628.dll
02883803 Spyware/Vundo Spyware No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP618\A0145627.dll
02883803 Spyware/Vundo Spyware No 0 Yes No C:\System Volume Information\_restore{A955FAF2-AC2E-47B5-B650-A8008F096237}\RP623\A0148092.dll
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================


I can't find my ComboFix log...I had run it Friday before I left. I found a few of the logs but I think they are old...I will post the newest of them anyway. It may be the right one anyway...

ComboFix 07-12-02.6 - Steven 2007-12-06 16:07:51.13 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.533 [GMT -5:00]
Running from: C:\Documents and Settings\Steven\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steven\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\iqqktben.dll
C:\WINDOWS\system32\npqss.ini
C:\WINDOWS\system32\npqss.ini2
C:\WINDOWS\system32\pyhecwkr.dll
C:\WINDOWS\system32\ssqpn.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-2073916336\
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Steven\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Steven\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Steven\Favorites\Online Security Guide.lnk
C:\Install\
C:\WINDOWS\system32\npqss.ini
C:\WINDOWS\system32\npqss.ini2
C:\WINDOWS\system32\pyhecwkr.dll
C:\WINDOWS\system32\pyhecwkr.dllbox
C:\WINDOWS\system32\ssqpn.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.

2007-12-06 01:15 . 2007-12-06 02:08 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-12-03 20:01 . 2007-12-03 20:01 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\Grisoft
2007-12-03 20:01 . 2007-12-03 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-03 20:01 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-01 18:09 . 2007-12-01 18:09 2 --a------ C:\-2073916336
2007-12-01 18:06 . 2007-12-01 18:06 1,148,902 --a------ C:\Install
2007-11-14 06:57 . 2007-11-14 06:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sophos

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 18:16 --------- d-----w C:\Program Files\Warcraft III
2007-11-19 22:04 --------- d-----w C:\Program Files\Hi-Net Software
2007-11-19 22:00 --------- d-----w C:\Program Files\WinPcap
2007-11-19 05:36 --------- d-----w C:\Program Files\Sophos
2007-10-28 16:16 --------- d-----w C:\Program Files\AIM6
2007-10-28 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-28 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-27 23:13 --------- d-----w C:\Documents and Settings\Steven\Application Data\Azureus
2007-10-24 23:01 --------- d-----w C:\Program Files\Full Tilt Poker
2007-10-20 16:36 --------- d-----w C:\Program Files\Java
2007-10-19 19:10 --------- d-----w C:\Program Files\QuickSFV
2007-10-16 21:39 12,788,931 ----a-w C:\Program Files\FullTiltSetup.exe
2007-10-16 21:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-15 20:27 --------- d-----w C:\Program Files\Azureus
2007-10-12 17:50 --------- d-----w C:\Program Files\World of Warcraft
2007-10-11 21:39 --------- d-----w C:\Program Files\DivX
2007-10-08 03:51 --------- d-----w C:\Documents and Settings\Steven\Application Data\Apple Computer
2007-10-08 03:42 --------- d-----w C:\Program Files\IK Multimedia
2007-10-08 03:39 --------- d-----w C:\Program Files\Common Files\Digidesign
2007-10-08 03:39 --------- d-----w C:\Program Files\Antares Audio Technologies
2007-10-08 03:32 --------- d-----w C:\Program Files\ASIO4ALL v2
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-09-28 16:07 120,056 ----a-w C:\WINDOWS\system32\PxCpyI64.exe
2007-09-28 16:07 118,520 ----a-w C:\WINDOWS\system32\PxInsI64.exe
2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-25 21:00 2,766,648 ----a-w C:\Program Files\isobuster_all_lang.exe
2007-09-23 18:54 2,495,288 ----a-w C:\Program Files\bootdreams_061.exe
2007-09-19 23:25 11,445,497 ----a-w C:\Program Files\mameppk_bin_gcc-0.119-20070914.zip
2007-08-21 18:38 3,097,334 ----a-w C:\Program Files\DotArank_v23beta_setup.exe
2007-07-25 19:13 49,943,864 ----a-w C:\Program Files\iTunesSetup.exe
2007-06-13 05:02 5,380,096 ----a-w C:\Program Files\Azureus_3.0.1.4_windows.exe
2007-03-04 19:35 2,394,383 ----a-w C:\Program Files\WC3Banlist_3.0.exe
2007-02-22 23:28 698,176 ----a-w C:\Program Files\LOTRO_Beta2_Downloader.exe
2007-02-12 18:57 359,112 ----a-w C:\Program Files\LimeWireWin.exe
2007-01-10 22:02 6,440,983 ----a-w C:\Program Files\VideoraiPodConverter_Install.exe
2006-12-09 01:25 9,817,673 ----a-w C:\Program Files\bitpim-0.9.09-setup.exe
2006-12-08 04:35 24,192 ----a-w C:\Documents and Settings\Steven\usbsermptxp.sys
2006-12-08 04:35 22,768 ----a-w C:\Documents and Settings\Steven\usbsermpt.sys
2006-12-08 04:00 92,064 ----a-w C:\Documents and Settings\Steven\mqdmmdm.sys
2006-12-08 04:00 9,232 ----a-w C:\Documents and Settings\Steven\mqdmmdfl.sys
2006-12-08 04:00 79,328 ----a-w C:\Documents and Settings\Steven\mqdmserd.sys
2006-12-08 04:00 66,656 ----a-w C:\Documents and Settings\Steven\mqdmbus.sys
2006-12-08 04:00 6,208 ----a-w C:\Documents and Settings\Steven\mqdmcmnt.sys
2006-12-08 04:00 5,936 ----a-w C:\Documents and Settings\Steven\mqdmwhnt.sys
2006-12-08 04:00 4,048 ----a-w C:\Documents and Settings\Steven\mqdmcr.sys
2006-10-05 01:59 94,124,474 ----a-w C:\Program Files\StudioPatch10_6_0.exe
2006-09-25 21:09 5,917,258 ----a-w C:\Program Files\powertab.zip
2006-09-12 02:14 420,350,502 ----a-w C:\Program Files\MSSetup.exe
2006-07-25 02:55 59,310,760 ----a-w C:\Program Files\iPodSetup.exe
2006-07-01 23:26 376 ----a-w C:\Program Files\Shortcut to setup.lnk
2006-06-04 06:09 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2006-06-01 04:00 1,059,159 ----a-w C:\Program Files\ATITool_0.24.exe
2006-05-17 05:52 3,932,910 ----a-w C:\Program Files\TM20.exe
2005-08-21 20:57 6,147,272 ----a-w C:\Program Files\cuteftppro.exe
2005-07-29 16:47 1,014,067 ----a-w C:\Program Files\wrar35b7.exe
2004-07-26 07:16 1,117,491 ----a-w C:\Program Files\dvdshrink32setup.exe
2003-08-20 10:06 2,512,896 ----a-w C:\Program Files\PTEditor17.msi
2003-08-20 10:05 41 ----a-w C:\Program Files\Setup.Ini
2002-07-26 22:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2002-01-05 11:46 65,536 ----a-w C:\Program Files\Setup.Exe
2001-09-25 19:05 1,707,856 ----a-w C:\Program Files\InstMsiA.Exe
2001-09-11 22:04 1,821,008 ----a-w C:\Program Files\InstMsiW.Exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-04_19.39.15.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2007-08-02 23:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-02 23:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-08 21:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-13 16:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 20:05]
"D-Link Air Utility"="C:\Program Files\D-Link\Air Utility\AirCFG.exe" [2003-09-23 17:04]
"ANIWZCSService"="C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 15:12]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 09:43]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 00:00]
"CTHelper"="CTHELPER.EXE" [2004-03-10 20:50 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 00:05]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 14:36]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 16:41]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 09:57]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-22 23:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"PCLEUSBTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 15:42]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"USB2Check"="RUNDLL32.exe" [2004-08-12 08:27 C:\WINDOWS\system32\rundll32.exe]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-01-23 15:42]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2003-11-10 15:06]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44]
"razer"="C:\Program Files\Razer\Copperhead\razerhid.exe" [2005-10-08 15:27]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

C:\Documents and Settings\Steven\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-03-04 01:09:01]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
ATITool.lnk - C:\Program Files\ATITool\ATITool.exe [2005-05-30 17:58:48]
FirePod Control Panel.lnk - C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe [2006-07-01 17:36:30]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-06-30 10:20:43]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Sophos\SOPHOS~1\detoured.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ssqpn.dll

R1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys
R3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 pae_1394;pae_1394;C:\WINDOWS\system32\Drivers\pae_1394.sys
S3 pae_avs;pae_avs;C:\WINDOWS\system32\Drivers\pae_avs.sys
S3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;C:\WINDOWS\system32\DRIVERS\PRISMNDS.sys
S3 ps_1394;ps_1394;C:\WINDOWS\system32\Drivers\ps_1394.sys
S3 ps_avs;ps_avs;C:\WINDOWS\system32\Drivers\ps_avs.sys
S3 UsbFltr;%SvcDisplayName%;C:\WINDOWS\system32\drivers\copperhd.sys
S4 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 16:15:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\WindowsShell.Manifest 749 bytes
C:\WINDOWS\WindowsUpdate.log 2052944 bytes
C:\WINDOWS\winhelp.exe 256192 bytes
C:\WINDOWS\winhlp32.exe 283648 bytes executable
C:\WINDOWS\wininit.ini 2864 bytes
C:\WINDOWS\wmprfnld.prx 32964 bytes
C:\WINDOWS\winnt.bmp 48680 bytes
C:\WINDOWS\winnt256.bmp 48680 bytes
C:\WINDOWS\WinSxS
C:\WINDOWS\WMFDist11.log 33623 bytes
C:\WINDOWS\wmp11.log 21446 bytes
C:\WINDOWS\WMPrfAra.prx 33336 bytes
C:\WINDOWS\WMPrfCHS.prx 136 bytes
C:\WINDOWS\WMPrfCHT.prx 132 bytes
C:\WINDOWS\wmprfcsy.prx 35474 bytes
C:\WINDOWS\wmprfdan.prx 31712 bytes
C:\WINDOWS\WMPrfDeu.prx 33820 bytes
C:\WINDOWS\wmprfell.prx 36594 bytes
C:\WINDOWS\wmprfesp.prx 35590 bytes
C:\WINDOWS\wmprffin.prx 31764 bytes
C:\WINDOWS\wmprffra.prx 37916 bytes
C:\WINDOWS\wmprfheb.prx 28718 bytes
C:\WINDOWS\wmprfhun.prx 37014 bytes
C:\WINDOWS\wmprfita.prx 35680 bytes
C:\WINDOWS\WMPrfJpn.prx 23304 bytes
C:\WINDOWS\WMPrfKor.prx 22338 bytes
C:\WINDOWS\wmprfnor.prx 32852 bytes
C:\WINDOWS\wmprfplk.prx 35822 bytes
C:\WINDOWS\wmprfptb.prx 33694 bytes
C:\WINDOWS\wmprfptg.prx 35916 bytes
C:\WINDOWS\wmprfrus.prx 804 bytes
C:\WINDOWS\wmprfsky.prx 38232 bytes
C:\WINDOWS\wmprfslv.prx 33580 bytes
C:\WINDOWS\wmprfsve.prx 33314 bytes
C:\WINDOWS\wmprftrk.prx 32022 bytes
C:\WINDOWS\wmsetup.log 123352 bytes
C:\WINDOWS\wmsetup10.log 3731 bytes
C:\WINDOWS\WMSysPr9.prx 316640 bytes
C:\WINDOWS\Wudf01000Inst.log 14461 bytes
C:\WINDOWS\xpsp1hfm.log 390 bytes
C:\WINDOWS\Zapotec.bmp 9522 bytes
C:\WINDOWS\_default.pif 707 bytes
C:\WINDOWS\{00000004-00000000-00000002-00001102-00000004-20061102}.BAK 4933091 bytes
C:\WINDOWS\{00000004-00000000-00000002-00001102-00000004-20061102}.CDF
C:\WINDOWS\È 99 bytes

scan completed successfully
hidden files: 45

**************************************************************************
.
Completion time: 2007-12-06 16:17:32 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-06 01:13
C:\ComboFix3.txt ... 2007-12-04 19:39
.
--- E O F ---

#14 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:05:32 PM

Posted 12 December 2007 - 09:45 AM

Hello VforSteve,

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad".
This may change, read Viewpoint to Plunge Into Adware.

I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player).

If you choose to remove Viewpoint, please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove:

Viewpoint
Viewpoint Manager
Viewpoint Media Player
Viewpoit Toolbar


Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files and Folders, "if present":

C:\Program Files\Viewpoint <- this folder


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:

Folder::
C:\-2073916336
C:\Install

File::
C:\WINDOWS\system32\ssqpn.dll

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Refering to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt", Please post that in your next reply, along with a new HijackThis log.
Note:Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Regards
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#15 VforSteve

VforSteve
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:32 PM

Posted 12 December 2007 - 11:10 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:20 PM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\ATITool\ATITool.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\WC3Banlist\WC3Banlist.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O4 - Global Startup: FirePod Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1151790425328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156274996203
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\detoured.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10304 bytes

ComboFix 07-12-02.6 - Steven 2007-12-12 13:02:53.14 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.581 [GMT -5:00]
Running from: C:\Documents and Settings\Steven\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steven\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\ssqpn.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-2073916336\
C:\Install\

.
((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
.

2007-12-09 22:47 . 2007-12-09 22:48 <DIR> d-------- C:\Program Files\Panda Security
2007-12-06 01:15 . 2007-12-06 02:08 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-12-03 20:01 . 2007-12-03 20:01 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\Grisoft
2007-12-03 20:01 . 2007-12-03 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-03 20:01 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-01 18:09 . 2007-12-01 18:09 2 --a------ C:\-2073916336
2007-12-01 18:06 . 2007-12-01 18:06 1,148,902 --a------ C:\Install
2007-11-14 06:57 . 2007-11-14 06:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sophos

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 18:00 --------- d-----w C:\Documents and Settings\Steven\Application Data\Viewpoint
2007-12-12 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-12 01:26 --------- d-----w C:\Program Files\Warcraft III
2007-12-10 20:06 --------- d-----w C:\Program Files\Last.fm
2007-11-19 22:04 --------- d-----w C:\Program Files\Hi-Net Software
2007-11-19 22:00 --------- d-----w C:\Program Files\WinPcap
2007-11-19 05:36 --------- d-----w C:\Program Files\Sophos
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-28 16:16 --------- d-----w C:\Program Files\AIM6
2007-10-28 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-27 23:13 --------- d-----w C:\Documents and Settings\Steven\Application Data\Azureus
2007-10-24 23:01 --------- d-----w C:\Program Files\Full Tilt Poker
2007-10-20 16:36 --------- d-----w C:\Program Files\Java
2007-10-19 19:10 --------- d-----w C:\Program Files\QuickSFV
2007-10-16 21:39 12,788,931 ----a-w C:\Program Files\FullTiltSetup.exe
2007-10-16 21:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-15 20:27 --------- d-----w C:\Program Files\Azureus
2007-10-12 17:50 --------- d-----w C:\Program Files\World of Warcraft
2007-09-25 21:00 2,766,648 ----a-w C:\Program Files\isobuster_all_lang.exe
2007-09-23 18:54 2,495,288 ----a-w C:\Program Files\bootdreams_061.exe
2007-09-19 23:25 11,445,497 ----a-w C:\Program Files\mameppk_bin_gcc-0.119-20070914.zip
2007-08-21 18:38 3,097,334 ----a-w C:\Program Files\DotArank_v23beta_setup.exe
2007-07-25 19:13 49,943,864 ----a-w C:\Program Files\iTunesSetup.exe
2007-06-13 05:02 5,380,096 ----a-w C:\Program Files\Azureus_3.0.1.4_windows.exe
2007-03-04 19:35 2,394,383 ----a-w C:\Program Files\WC3Banlist_3.0.exe
2007-02-22 23:28 698,176 ----a-w C:\Program Files\LOTRO_Beta2_Downloader.exe
2007-02-12 18:57 359,112 ----a-w C:\Program Files\LimeWireWin.exe
2007-01-10 22:02 6,440,983 ----a-w C:\Program Files\VideoraiPodConverter_Install.exe
2006-12-09 01:25 9,817,673 ----a-w C:\Program Files\bitpim-0.9.09-setup.exe
2006-12-08 04:35 24,192 ----a-w C:\Documents and Settings\Steven\usbsermptxp.sys
2006-12-08 04:35 22,768 ----a-w C:\Documents and Settings\Steven\usbsermpt.sys
2006-12-08 04:00 92,064 ----a-w C:\Documents and Settings\Steven\mqdmmdm.sys
2006-12-08 04:00 9,232 ----a-w C:\Documents and Settings\Steven\mqdmmdfl.sys
2006-12-08 04:00 79,328 ----a-w C:\Documents and Settings\Steven\mqdmserd.sys
2006-12-08 04:00 66,656 ----a-w C:\Documents and Settings\Steven\mqdmbus.sys
2006-12-08 04:00 6,208 ----a-w C:\Documents and Settings\Steven\mqdmcmnt.sys
2006-12-08 04:00 5,936 ----a-w C:\Documents and Settings\Steven\mqdmwhnt.sys
2006-12-08 04:00 4,048 ----a-w C:\Documents and Settings\Steven\mqdmcr.sys
2006-10-05 01:59 94,124,474 ----a-w C:\Program Files\StudioPatch10_6_0.exe
2006-09-25 21:09 5,917,258 ----a-w C:\Program Files\powertab.zip
2006-09-12 02:14 420,350,502 ----a-w C:\Program Files\MSSetup.exe
2006-07-25 02:55 59,310,760 ----a-w C:\Program Files\iPodSetup.exe
2006-07-01 23:26 376 ----a-w C:\Program Files\Shortcut to setup.lnk
2006-06-04 06:09 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2006-06-01 04:00 1,059,159 ----a-w C:\Program Files\ATITool_0.24.exe
2006-05-17 05:52 3,932,910 ----a-w C:\Program Files\TM20.exe
2005-08-21 20:57 6,147,272 ----a-w C:\Program Files\cuteftppro.exe
2005-07-29 16:47 1,014,067 ----a-w C:\Program Files\wrar35b7.exe
2004-07-26 07:16 1,117,491 ----a-w C:\Program Files\dvdshrink32setup.exe
2003-08-20 10:06 2,512,896 ----a-w C:\Program Files\PTEditor17.msi
2003-08-20 10:05 41 ----a-w C:\Program Files\Setup.Ini
2002-07-26 22:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2002-01-05 11:46 65,536 ----a-w C:\Program Files\Setup.Exe
2001-09-25 19:05 1,707,856 ----a-w C:\Program Files\InstMsiA.Exe
2001-09-11 22:04 1,821,008 ----a-w C:\Program Files\InstMsiW.Exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-04_19.39.15.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-21 19:37:26 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\ascstubie.dll
+ 2007-07-18 19:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2007-08-20 10:04:34 124,928 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\advpack.dll
+ 2007-08-20 10:04:34 214,528 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\dxtrans.dll
+ 2007-08-20 10:04:34 132,608 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\extmgr.dll
+ 2007-08-20 10:04:34 63,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\icardie.dll
+ 2007-08-17 10:20:54 63,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ie4uinit.exe
+ 2007-08-20 10:04:34 153,088 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakeng.dll
+ 2007-08-20 10:04:35 230,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieaksie.dll
+ 2007-08-17 07:34:25 161,792 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakui.dll
+ 2007-08-20 10:04:35 383,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieapfltr.dll
+ 2007-08-20 10:04:35 384,512 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iedkcs32.dll
+ 2007-08-20 10:04:37 6,058,496 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieframe.dll
+ 2007-08-20 10:04:38 44,544 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iernonce.dll
+ 2007-08-20 10:04:38 267,776 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iertutil.dll
+ 2007-08-17 10:20:54 13,824 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieudinit.exe
+ 2007-08-17 10:21:21 625,152 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iexplore.exe
+ 2007-08-20 10:04:39 27,648 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\jsproxy.dll
+ 2007-08-20 10:04:39 459,264 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeeds.dll
+ 2007-08-20 10:04:39 52,224 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeedsbs.dll
+ 2007-08-20 10:04:41 3,584,512 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtml.dll
+ 2007-08-20 10:04:41 477,696 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtmled.dll
+ 2007-08-20 10:04:41 193,024 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msrating.dll
+ 2007-08-20 10:04:42 671,232 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mstime.dll
+ 2007-08-20 10:04:42 102,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\occache.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\updspapi.dll
+ 2007-08-20 10:04:42 105,984 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\url.dll
+ 2007-08-20 10:04:42 1,152,000 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\urlmon.dll
+ 2007-08-20 10:04:42 232,960 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\webcheck.dll
+ 2007-08-20 10:04:43 824,832 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
+ 2007-12-12 15:30:52 4,978 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{9CD9C224-CA26-460C-8052-5AA3CE827663}.bin
- 2007-08-20 10:04:34 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-10-10 23:55:51 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-08-20 10:04:34 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2007-10-10 23:55:51 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2007-08-20 10:04:34 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-10-10 23:55:51 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-08-20 10:04:34 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-10-10 23:55:51 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-08-20 10:04:34 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2007-10-10 23:55:51 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
- 2007-08-17 10:20:54 63,488 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2007-10-10 10:59:40 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-08-20 10:04:34 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2007-10-10 23:55:51 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-08-20 10:04:35 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2007-10-10 23:55:51 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-08-17 07:34:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2007-10-10 05:46:55 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-08-20 10:04:35 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2007-10-10 23:55:52 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2007-08-20 10:04:35 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2007-10-10 23:55:52 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-08-20 10:04:37 6,058,496 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2007-10-10 23:55:54 6,065,664 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2007-08-20 10:04:38 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2007-10-10 23:55:55 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-08-20 10:04:38 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2007-10-10 23:55:55 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2007-08-17 10:20:54 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2007-10-10 10:59:40 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2007-08-17 10:21:21 625,152 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2007-10-10 10:59:52 625,152 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-08-20 10:04:39 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-10-10 23:55:56 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2004-08-12 13:22:26 72,960 -c--a-w C:\WINDOWS\system32\dllcache\mqac.sys
+ 2007-07-06 10:05:47 72,960 -c--a-w C:\WINDOWS\system32\dllcache\mqac.sys
- 2004-08-12 13:22:27 138,240 -c--a-w C:\WINDOWS\system32\dllcache\mqad.dll
+ 2007-07-06 12:46:59 138,240 -c--a-w C:\WINDOWS\system32\dllcache\mqad.dll
- 2004-08-12 13:22:27 47,104 -c--a-w C:\WINDOWS\system32\dllcache\mqdscli.dll
+ 2007-07-06 12:46:59 47,104 -c--a-w C:\WINDOWS\system32\dllcache\mqdscli.dll
- 2004-08-12 13:22:27 16,896 -c--a-w C:\WINDOWS\system32\dllcache\mqise.dll
+ 2007-07-06 12:46:59 16,896 -c--a-w C:\WINDOWS\system32\dllcache\mqise.dll
- 2004-08-12 13:22:29 660,992 -c--a-w C:\WINDOWS\system32\dllcache\mqqm.dll
+ 2007-07-06 12:46:59 660,992 -c--a-w C:\WINDOWS\system32\dllcache\mqqm.dll
- 2004-08-12 13:22:29 177,152 -c--a-w C:\WINDOWS\system32\dllcache\mqrt.dll
+ 2007-07-06 12:46:59 177,152 -c--a-w C:\WINDOWS\system32\dllcache\mqrt.dll
- 2004-08-12 13:22:30 95,744 -c--a-w C:\WINDOWS\system32\dllcache\mqsec.dll
+ 2007-07-06 12:46:59 95,744 -c--a-w C:\WINDOWS\system32\dllcache\mqsec.dll
- 2004-08-12 13:22:31 48,640 -c--a-w C:\WINDOWS\system32\dllcache\mqupgrd.dll
+ 2007-07-06 12:46:59 48,640 -c--a-w C:\WINDOWS\system32\dllcache\mqupgrd.dll
- 2004-08-12 13:22:31 471,552 -c--a-w C:\WINDOWS\system32\dllcache\mqutil.dll
+ 2007-07-06 12:46:59 471,552 -c--a-w C:\WINDOWS\system32\dllcache\mqutil.dll
- 2007-08-20 10:04:39 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2007-10-10 23:55:56 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2007-08-20 10:04:39 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2007-10-10 23:55:56 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2007-08-20 10:04:41 3,584,512 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-10-30 23:42:28 3,590,656 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-08-20 10:04:41 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-10-10 23:55:58 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-08-20 10:04:41 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-10-10 23:55:58 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-08-20 10:04:42 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-10-10 23:55:59 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-08-20 10:04:42 102,400 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-10-10 23:55:59 102,400 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
- 2005-08-30 03:54:26 1,287,168 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
+ 2007-10-29 22:43:03 1,287,680 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
- 2007-08-20 10:04:42 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
+ 2007-10-10 23:55:59 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
- 2007-08-20 10:04:42 1,152,000 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-10-10 23:56:00 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-08-20 10:04:42 232,960 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2007-10-10 23:56:00 232,960 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-08-20 10:04:43 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-10-10 23:56:00 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-10-19 02:47:18 222,208 -c--a-w C:\WINDOWS\system32\dllcache\WMASF.dll
+ 2007-10-27 22:40:30 222,720 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2004-08-12 13:22:26 72,960 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
+ 2007-07-06 10:05:47 72,960 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
- 2007-08-20 10:04:34 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-10-10 23:55:51 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-08-20 10:04:34 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-10-10 23:55:51 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2007-08-20 10:04:34 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2007-10-10 23:55:51 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-08-17 10:20:54 63,488 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2007-10-10 10:59:40 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-08-20 10:04:34 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2007-10-10 23:55:51 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-08-20 10:04:35 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2007-10-10 23:55:51 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-08-17 07:34:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2007-10-10 05:46:55 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-08-20 10:04:35 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2007-10-10 23:55:52 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-08-20 10:04:35 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2007-10-10 23:55:52 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-08-20 10:04:37 6,058,496 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2007-10-10 23:55:54 6,065,664 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-08-20 10:04:38 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2007-10-10 23:55:55 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-08-20 10:04:38 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2007-10-10 23:55:55 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-08-17 10:20:54 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2007-10-10 10:59:40 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-08-20 10:04:39 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-10-10 23:55:56 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
- 2004-08-12 13:22:27 138,240 ----a-w C:\WINDOWS\system32\mqad.dll
+ 2007-07-06 12:46:59 138,240 ----a-w C:\WINDOWS\system32\mqad.dll
- 2004-08-12 13:22:27 47,104 ----a-w C:\WINDOWS\system32\mqdscli.dll
+ 2007-07-06 12:46:59 47,104 ----a-w C:\WINDOWS\system32\mqdscli.dll
- 2004-08-12 13:22:27 16,896 ----a-w C:\WINDOWS\system32\mqise.dll
+ 2007-07-06 12:46:59 16,896 ----a-w C:\WINDOWS\system32\mqise.dll
- 2004-08-12 13:22:29 660,992 ----a-w C:\WINDOWS\system32\mqqm.dll
+ 2007-07-06 12:46:59 660,992 ----a-w C:\WINDOWS\system32\mqqm.dll
- 2004-08-12 13:22:29 177,152 ----a-w C:\WINDOWS\system32\mqrt.dll
+ 2007-07-06 12:46:59 177,152 ----a-w C:\WINDOWS\system32\mqrt.dll
- 2004-08-12 13:22:30 95,744 ----a-w C:\WINDOWS\system32\mqsec.dll
+ 2007-07-06 12:46:59 95,744 ----a-w C:\WINDOWS\system32\mqsec.dll
- 2004-08-12 13:22:31 48,640 ----a-w C:\WINDOWS\system32\mqupgrd.dll
+ 2007-07-06 12:46:59 48,640 ----a-w C:\WINDOWS\system32\mqupgrd.dll
- 2004-08-12 13:22:31 471,552 ----a-w C:\WINDOWS\system32\mqutil.dll
+ 2007-07-06 12:46:59 471,552 ----a-w C:\WINDOWS\system32\mqutil.dll
- 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-12-02 23:00:05 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-08-20 10:04:39 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2007-10-10 23:55:56 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-08-20 10:04:39 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2007-10-10 23:55:56 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-08-20 10:04:41 3,584,512 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-10-30 23:42:28 3,590,656 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-08-20 10:04:41 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-10-10 23:55:58 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-08-20 10:04:41 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-10-10 23:55:58 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-08-20 10:04:42 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-10-10 23:55:59 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-08-20 10:04:42 102,400 ----a-w C:\WINDOWS\system32\occache.dll
+ 2007-10-10 23:55:59 102,400 ----a-w C:\WINDOWS\system32\occache.dll
+ 2007-08-02 23:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-02 23:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-08 21:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-13 16:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
- 2005-08-30 03:54:26 1,287,168 ----a-w C:\WINDOWS\system32\quartz.dll
+ 2007-10-29 22:43:03 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
- 2007-07-18 12:42:22 60,416 ------w C:\WINDOWS\system32\tzchange.exe
+ 2007-11-13 11:31:11 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
- 2007-08-20 10:04:42 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2007-10-10 23:55:59 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-08-20 10:04:42 1,152,000 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-10-10 23:56:00 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-08-20 10:04:42 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2007-10-10 23:56:00 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-08-20 10:04:43 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-10-10 23:56:00 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
- 2006-10-19 02:47:18 222,208 ----a-w C:\WINDOWS\system32\WMASF.dll
+ 2007-10-27 22:40:30 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 20:05]
"D-Link Air Utility"="C:\Program Files\D-Link\Air Utility\AirCFG.exe" [2003-09-23 17:04]
"ANIWZCSService"="C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 15:12]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 09:43]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 00:00]
"CTHelper"="CTHELPER.EXE" [2004-03-10 20:50 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 00:05]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 14:36]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 16:41]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 09:57]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-22 23:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"PCLEUSBTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 15:42]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"USB2Check"="RUNDLL32.exe" [2004-08-12 08:27 C:\WINDOWS\system32\rundll32.exe]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-01-23 15:42]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2003-11-10 15:06]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44]
"razer"="C:\Program Files\Razer\Copperhead\razerhid.exe" [2005-10-08 15:27]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

C:\Documents and Settings\Steven\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-06-30 10:20:43]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-03-04 01:09:01]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
ATITool.lnk - C:\Program Files\ATITool\ATITool.exe [2005-05-30 17:58:48]
FirePod Control Panel.lnk - C:\Program Files\PreSonus\1394AudioDriver_FIREPOD\FIREPOD.exe [2006-07-01 17:36:30]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Sophos\SOPHOS~1\detoured.dll

R1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys
R3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 pae_1394;pae_1394;C:\WINDOWS\system32\Drivers\pae_1394.sys
S3 pae_avs;pae_avs;C:\WINDOWS\system32\Drivers\pae_avs.sys
S3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;C:\WINDOWS\system32\DRIVERS\PRISMNDS.sys
S3 ps_1394;ps_1394;C:\WINDOWS\system32\Drivers\ps_1394.sys
S3 ps_avs;ps_avs;C:\WINDOWS\system32\Drivers\ps_avs.sys
S3 UsbFltr;%SvcDisplayName%;C:\WINDOWS\system32\drivers\copperhd.sys
S4 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 13:19:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\WindowsShell.Manifest 749 bytes
C:\WINDOWS\WindowsUpdate.log 1138686 bytes
C:\WINDOWS\winhelp.exe 256192 bytes
C:\WINDOWS\winhlp32.exe 283648 bytes executable
C:\WINDOWS\wininit.ini 2864 bytes
C:\WINDOWS\wmprfnld.prx 32964 bytes
C:\WINDOWS\winnt.bmp 48680 bytes
C:\WINDOWS\winnt256.bmp 48680 bytes
C:\WINDOWS\WinSxS
C:\WINDOWS\WMFDist11.log 33623 bytes
C:\WINDOWS\wmp11.log 21446 bytes
C:\WINDOWS\WMPrfAra.prx 33336 bytes
C:\WINDOWS\WMPrfCHS.prx 136 bytes
C:\WINDOWS\WMPrfCHT.prx 132 bytes
C:\WINDOWS\wmprfcsy.prx 35474 bytes
C:\WINDOWS\wmprfdan.prx 31712 bytes
C:\WINDOWS\WMPrfDeu.prx 33820 bytes
C:\WINDOWS\wmprfell.prx 36594 bytes
C:\WINDOWS\wmprfesp.prx 35590 bytes
C:\WINDOWS\wmprffin.prx 31764 bytes
C:\WINDOWS\wmprffra.prx 37916 bytes
C:\WINDOWS\wmprfheb.prx 28718 bytes
C:\WINDOWS\wmprfhun.prx 37014 bytes
C:\WINDOWS\wmprfita.prx 35680 bytes
C:\WINDOWS\WMPrfJpn.prx 23304 bytes
C:\WINDOWS\WMPrfKor.prx 22338 bytes
C:\WINDOWS\wmprfnor.prx 32852 bytes
C:\WINDOWS\wmprfplk.prx 35822 bytes
C:\WINDOWS\wmprfptb.prx 33694 bytes
C:\WINDOWS\wmprfptg.prx 35916 bytes
C:\WINDOWS\wmprfrus.prx 804 bytes
C:\WINDOWS\wmprfsky.prx 38232 bytes
C:\WINDOWS\wmprfslv.prx 33580 bytes
C:\WINDOWS\wmprfsve.prx 33314 bytes
C:\WINDOWS\wmprftrk.prx 32022 bytes
C:\WINDOWS\wmsetup.log 123352 bytes
C:\WINDOWS\wmsetup10.log 3731 bytes
C:\WINDOWS\WMSysPr9.prx 316640 bytes
C:\WINDOWS\Wudf01000Inst.log 14461 bytes
C:\WINDOWS\xpsp1hfm.log 390 bytes
C:\WINDOWS\Zapotec.bmp 9522 bytes
C:\WINDOWS\_default.pif 707 bytes
C:\WINDOWS\{00000004-00000000-00000002-00001102-00000004-20061102}.BAK 4933091 bytes
C:\WINDOWS\{00000004-00000000-00000002-00001102-00000004-20061102}.CDF
C:\WINDOWS\È 99 bytes

scan completed successfully
hidden files: 45

**************************************************************************
.
Completion time: 2007-12-12 13:21:09 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-06 16:17
C:\ComboFix3.txt ... 2007-12-06 01:13
.
--- E O F ---




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users