Infected With Win32.virtumonde


16 replies to this topic

#1 KC750

Posted 18 December 2007 - 11:12 PM

I've gone through the preparation steps, and have not been able to remove the Win32.Virtumonde virus. Any help you can provide with the HJT logs would be appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:44 PM, on 18-Dec-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\PGPsdkServ.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CoolMon\CoolMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: CoolMon.lnk = C:\Program Files\CoolMon\CoolMon.exe
O4 - Startup: SyncBackSE.lnk = C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwnb.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173148968882
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://activation.sympatico.ca/wizlet/Symp...nadaActiveX.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...177/mcfscan.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\system32\PGPsdkServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6227 bytes

#2 SifuMike

malware expert

Posted 20 December 2007 - 01:14 AM

Hello KC750,

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 KC750

Topic Starter

Posted 20 December 2007 - 10:39 PM

Vundofix took a long time to scan, and produced an error message (Error: 75 Path/File Access Error) during the removal.

Here's the new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:39 PM, on 20-Dec-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\PGPsdkServ.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CoolMon\CoolMon.exe
C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C339FD2-D30E-4804-BCF4-A01E3B994D1E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E653B97-B8CA-48F9-BD44-97541137F72F} - (no file)
O2 - BHO: {c7e1588c-cc82-4d2b-7914-89c3c3b3b09a} - {a90b3b3c-3c98-4197-b2d4-28ccc8851e7c} - C:\WINDOWS\system32\tkpebbiv.dll
O2 - BHO: (no name) - {AB783D5D-1BB1-4566-A958-A14D3E1C6B45} - (no file)
O2 - BHO: (no name) - {BF862BC8-AE50-4444-AF27-E3B9FDA7D8AD} - C:\WINDOWS\system32\rqrop.dll (file missing)
O2 - BHO: (no name) - {F4996738-911C-4734-AFDE-C41868616D45} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: CoolMon.lnk = C:\Program Files\CoolMon\CoolMon.exe
O4 - Startup: SyncBackSE.lnk = C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwnb.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173148968882
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://activation.sympatico.ca/wizlet/Symp...nadaActiveX.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...177/mcfscan.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\system32\PGPsdkServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6946 bytes

#4 SifuMike

malware expert

Posted 20 December 2007 - 11:33 PM

Hi KC750,

Looks like VundoFix removed most of the malware. :thumbsup:

Old versions of java are exploitable and need to be uninstalled.

Click on start, then control panel, and then double-click on add/remove programs.
From within add/remove program uninstall the following by double-clicking on the following entry:
J2SE Runtime Environment 5.0 Update 6


Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O2 - BHO: (no name) - {3C339FD2-D30E-4804-BCF4-A01E3B994D1E} - (no file)
O2 - BHO: (no name) - {7E653B97-B8CA-48F9-BD44-97541137F72F} - (no file)
O2 - BHO: {c7e1588c-cc82-4d2b-7914-89c3c3b3b09a} - {a90b3b3c-3c98-4197-b2d4-28ccc8851e7c} - C:\WINDOWS\system32\tkpebbiv.dll
O2 - BHO: (no name) - {AB783D5D-1BB1-4566-A958-A14D3E1C6B45} - (no file)
O2 - BHO: (no name) - {BF862BC8-AE50-4444-AF27-E3B9FDA7D8AD} - C:\WINDOWS\system32\rqrop.dll (file missing)
O2 - BHO: (no name) - {F4996738-911C-4734-AFDE-C41868616D45} - (no file)


*******************************************


*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer

Let's run ComboFix.

Disable your Avast antivirus while we run ComboFix, as it will prevent it from working.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


If you have used Combofix before, please delete the version you have and redownload it again, because Combofix is being updated everyday.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
Do NOT run ComboFix more than once.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.
Do not run Combofix more than once.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
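
To show how the O2 entries SifuMike singles out in the post above can be checked mechanically, here is an added Python example (not code from the thread, from HijackThis or from Trend Micro): it parses O2 lines, flags orphaned entries, GUID-named entries and, as a labelled heuristic, bare lowercase DLL names sitting directly in system32, and diffs two logs to confirm which CLSIDs a "fix checked" run removed. The sample lines are copied from the thread's second and third logs.

```python
"""Triage of HijackThis O2 (BHO) entries.

Added example for this thread; not code from the thread, from HijackThis or
from Trend Micro. Sample lines are copied from the thread's second and third
logs; the system32 naming check is a heuristic, not a detection signature.
"""
import re
from dataclasses import dataclass

# One O2 line: "O2 - BHO: <name> - {CLSID} - <dll path | (no file) | path (file missing)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


def _random_sys32_name(path: str) -> bool:
    """Heuristic: a 5-8 letter all-lowercase DLL name sitting directly in system32,
    the pattern of the Vundo/Virtumonde BHOs in the thread (tkpebbiv.dll, rqrop.dll)."""
    head, _, base = path.rpartition("\\")
    return (head.lower().endswith("\\windows\\system32")
            and re.fullmatch(r"[a-z]{5,8}\.dll", base) is not None)


@dataclass
class Bho:
    name: str
    clsid: str
    target: str
    raw: str

    def reasons(self) -> list[str]:
        """Why this entry deserves review; an empty list means nothing stood out."""
        out = []
        if self.target == "(no file)" or self.target.endswith("(file missing)"):
            out.append("orphaned: the registered DLL is not on disk")
        if GUID_RE.match(self.name):
            out.append("unnamed: the BHO 'name' is itself a GUID")
        if _random_sys32_name(self.target.removesuffix(" (file missing)")):
            out.append("heuristic: bare lowercase DLL name directly in system32")
        return out


def parse_bhos(log_text: str) -> list[Bho]:
    """Extract every O2 line from a HijackThis log, in log order."""
    found = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            found.append(Bho(m["name"], m["clsid"].upper(), m["target"], line.strip()))
    return found


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each O2 line that needs review to the reasons it was flagged."""
    return {b.raw: b.reasons() for b in parse_bhos(log_text) if b.reasons()}


def removed_between(before: str, after: str) -> set[str]:
    """CLSIDs registered in the earlier log but absent from the later one,
    i.e. what a 'fix checked' run (or VundoFix) actually removed."""
    return {b.clsid for b in parse_bhos(before)} - {b.clsid for b in parse_bhos(after)}


# O2 section of the thread's second log (post #3) plus one non-O2 line to show it is skipped.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C339FD2-D30E-4804-BCF4-A01E3B994D1E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {c7e1588c-cc82-4d2b-7914-89c3c3b3b09a} - {a90b3b3c-3c98-4197-b2d4-28ccc8851e7c} - C:\WINDOWS\system32\tkpebbiv.dll
O2 - BHO: (no name) - {BF862BC8-AE50-4444-AF27-E3B9FDA7D8AD} - C:\WINDOWS\system32\rqrop.dll (file missing)
"""

# O2 section of the thread's third log (post #5), taken after the fix.
LOG_AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
"""

if __name__ == "__main__":
    for line, why in triage(LOG_BEFORE).items():
        print(line)
        for r in why:
            print("    ->", r)
    print("removed by the fix:", sorted(removed_between(LOG_BEFORE, LOG_AFTER)))
```

The three flagged lines are exactly the ones SifuMike marks for "fix checked" (plus the two other "(no file)" orphans if the full log is fed in), and the diff against the later log confirms they are gone.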

#5 KC750

Topic Starter

Posted 21 December 2007 - 11:48 PM

Thanks for all of your help. It's nice to be making progress with this finally :-)

The time change seems to be helping us resolve this rather quickly :-)

Here's the new HJT info with the Combofix log attached.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:14 PM, on 21-Dec-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\PGPsdkServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CoolMon\CoolMon.exe
C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: CoolMon.lnk = C:\Program Files\CoolMon\CoolMon.exe
O4 - Startup: SyncBackSE.lnk = C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwnb.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173148968882
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://activation.sympatico.ca/wizlet/Symp...nadaActiveX.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...177/mcfscan.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\system32\PGPsdkServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6306 bytes

#6 SifuMike

malware expert

Posted 22 December 2007 - 12:30 AM

Hi KC750,


Please, Do NOT attach any of the log files, as it is very hard to read that way.

Post the ComboFix.txt file

Edited by SifuMike, 22 December 2007 - 12:31 AM.


#7 KC750

Topic Starter

Posted 22 December 2007 - 09:05 AM

Sorry about that... Newbies!@#$ :-)

ComboFix 07-12-21.4 - Kirk 2007-12-21 19:56:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.221 [GMT -5:00]
Running from: C:\Documents and Settings\Kirk\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Kirk\Application Data\inst.exe
C:\WINDOWS\cookies.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.

2007-12-21 19:23 . 2007-12-21 20:03 3,162,278 --------- C:\WINDOWS\{00000000-00000000-0000000D-00001102-00000004-005A1102}.BAK
2007-12-21 18:25 . 2007-12-21 18:25 <DIR> d-------- C:\Program Files\CCleaner
2007-12-20 22:06 . 2007-12-20 22:06 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-19 00:20 . 2007-12-19 00:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-19 00:09 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-19 00:01 . 2007-12-19 00:05 <DIR> d-------- C:\Documents and Settings\Kirk\.SunDownloadManager
2007-12-18 22:46 . 2007-12-18 22:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-18 12:46 . 2007-12-18 19:51 <DIR> d-------- C:\Documents and Settings\Kirk\.housecall6.6
2007-12-18 10:27 . 2007-12-18 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-18 10:23 . 2007-12-18 10:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-15 09:29 . 2007-12-15 09:35 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-12-15 08:20 . 2007-12-15 08:20 <DIR> d-------- C:\Deckard
2007-12-14 23:16 . 2007-12-20 22:12 <DIR> d-------- C:\VundoFix Backups
2007-12-14 22:34 . 2007-12-14 22:34 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-14 22:20 . 2007-12-14 22:22 <DIR> d-------- C:\Fix
2007-12-14 20:29 . 2007-12-14 20:29 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-13 23:02 . 2007-12-13 23:02 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-10 00:10 . 2007-12-14 22:28 <DIR> d-------- C:\Program Files\a-squared Free
2007-12-09 14:09 . 1997-12-17 18:33 304,128 --a------ C:\WINDOWS\IsUninst.exe
2007-12-09 14:01 . 2007-12-09 14:02 <DIR> d-------- C:\temp\FPL75
2007-12-04 22:17 . 2007-12-04 22:17 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-04 17:50 . 2007-12-04 17:50 <DIR> d-------- C:\cygwin
2007-12-04 17:15 . 2007-12-04 17:15 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-12-04 16:09 . 2007-12-04 17:00 <DIR> d-------- C:\Vdefs
2007-12-04 13:41 . 2007-12-09 17:56 805,501 ---hs---- C:\WINDOWS\system32\ptuicfdy.ini
2007-12-04 11:18 . 2007-12-04 11:19 803,215 ---hs---- C:\WINDOWS\system32\lwqtogbt.ini
2007-12-03 17:17 . 2007-12-04 11:16 794,229 ---hs---- C:\WINDOWS\system32\jrupwjua.ini
2007-12-03 06:27 . 2007-12-04 12:52 69,632 --ahs---- C:\WINDOWS\system32\aaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
2007-12-02 21:39 . 2007-12-02 22:18 70,103 --ahs---- C:\WINDOWS\system32\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
2007-12-01 12:00 . 2007-12-02 12:00 793,664 ---hs---- C:\WINDOWS\system32\qbcxolbj.ini
2007-12-01 11:57 . 2007-12-21 20:08 503,840 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-01 11:57 . 2007-12-21 20:04 10,064 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-01 11:39 . 2007-12-01 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-05-19 19:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00]
"MpsOnn"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe" [2002-07-04 09:45]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 C:\WINDOWS\system32\bthprops.cpl]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

C:\Documents and Settings\Kirk\Start Menu\Programs\Startup\
CoolMon.lnk - C:\Program Files\CoolMon\CoolMon.exe [2007-02-23 22:07:57]
SyncBackSE.lnk - C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2005-11-02 22:55:27]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\WinFax\WfxSeh32.Dll [1998-07-27 03:54 38400]

R0 stwlfbus;stwlfbus;C:\WINDOWS\system32\DRIVERS\stwlfbus.sys [2003-04-27 11:39]
R2 cis1284;cis1284;C:\WINDOWS\system32\drivers\cis1284.sys [2000-09-05 10:10]
R2 PGPsdkDriver;PGPsdkDriver;C:\WINDOWS\system32\Drivers\PGPsdk.sys [2002-11-26 15:05]
R2 PGPsdkServ;PGPsdkService;C:\WINDOWS\system32\PGPsdkServ.exe [2002-11-26 15:05]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-09-22 16:44]
R3 Slnt7554;USB Soft Modem Driver;C:\WINDOWS\system32\DRIVERS\slnt7554.sys [2004-08-03 21:41]
R3 st3wolf;st3wolf;C:\WINDOWS\system32\DRIVERS\st3wolf.sys [2003-04-27 10:43]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys [2005-04-12 19:21]
R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys [2005-04-12 19:21]
R3 WmHidLo;Logitech Gaming USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys [2005-04-12 19:21]
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys [2005-04-12 19:21]
S0 mpegport;mpegport;C:\WINDOWS\system32\DRIVERS\mpegport.sys []
S2 713xTVCard;SAA7130 TV Card;C:\WINDOWS\system32\DRIVERS\SAA713x.sys [2005-03-15 12:00]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ALIEHCI.sys []
S2 Cap7134;TV Capture Card WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2004-11-19 07:57]
S2 rmdvd;RM DVD helper;C:\WINDOWS\system32\DRIVERS\rmdvd.sys []
S2 WDMTVTuner;Universal WDM TV Tuner;C:\WINDOWS\system32\drivers\WDMTuner.sys [2004-11-30 11:00]
S3 aliroothub;USB 2.0 Root Hub;C:\WINDOWS\system32\DRIVERS\AliRtHub.sys []
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]
S3 PhTVTune;TV Capture Card WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2004-11-19 07:57]
S3 rmquasar;Hollywood Plus MiniDriver;C:\WINDOWS\system32\DRIVERS\rmquasar.sys []
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 13:53]
S3 STV673;STV0673 Camera;C:\WINDOWS\system32\drivers\STV673.sys [2000-09-15 13:24]
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys [2005-04-12 19:21]
S4 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [2000-09-28 22:58]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-21 04:30:16 C:\WINDOWS\Tasks\shutdown.job"
- C:\WINDOWS\system32\shutdown.exe
"2007-12-21 14:00:11 C:\WINDOWS\Tasks\SyncBackSE Abit_C_backups.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe(-m
"2007-12-21 22:53:46 C:\WINDOWS\Tasks\SyncBackSE Abit_Documents and Settings backup.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe(-m
"2007-12-21 22:53:45 C:\WINDOWS\Tasks\SyncBackSE DeskPro_Documents and Settings Backup.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe+-m
"2007-12-21 07:00:36 C:\WINDOWS\Tasks\SyncBackSE Our Documents backup.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
"2007-12-21 08:30:10 C:\WINDOWS\Tasks\SyncBackSE Our Documents external backup.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe#-m
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 20:08:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-21 20:13:43 - machine was rebooted
.
2007-12-09 22:11:32 --- E O F ---

#8 SifuMike (malware expert)

Posted 22 December 2007 - 12:57 PM

Hi KC750,

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'. :thumbsup:

Find these two very long files and let me know what the file extension is and the exact file names.
It looks like ComboFix chopped off some of it.

C:\WINDOWS\system32\aaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb

C:\WINDOWS\system32\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

*************************

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\ptuicfdy.ini
C:\WINDOWS\system32\lwqtogbt.ini
C:\WINDOWS\system32\jrupwjua.ini
C:\WINDOWS\system32\qbcxolbj.ini

Folder::
C:\VundoFix Backups


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 KC750 (Topic Starter)

Posted 22 December 2007 - 03:14 PM

The file names do not have extensions and the properties show they are system files, created at the beginning of December. They are 68 KB and 69 KB in size.

I'm running the script now and will provide the HJT log file when it's done.

#10 KC750 (Topic Starter)

Posted 22 December 2007 - 05:42 PM

OK, ComboFix is finished with the script and here are the new logs.

Should I rename or delete the two aaaabbb... files without extensions?

Thanks again for being so prompt and sticking with this problem. It's appreciated.

KC

ComboFix 07-12-21.4 - Kirk 2007-12-22 16:06:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.212 [GMT -5:00]
Running from: C:\Documents and Settings\Kirk\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kirk\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\jrupwjua.ini
C:\WINDOWS\system32\lwqtogbt.ini
C:\WINDOWS\system32\ptuicfdy.ini
C:\WINDOWS\system32\qbcxolbj.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\enhmdrqe.dll.bad
C:\VundoFix Backups\porqr.bak1.bad
C:\VundoFix Backups\porqr.bak2.bad
C:\VundoFix Backups\porqr.ini.bad
C:\VundoFix Backups\rqrop.dll.bad
C:\WINDOWS\system32\jrupwjua.ini
C:\WINDOWS\system32\lwqtogbt.ini
C:\WINDOWS\system32\ptuicfdy.ini
C:\WINDOWS\system32\qbcxolbj.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.

2007-12-21 19:23 . 2007-12-21 23:51 3,162,278 --a------ C:\WINDOWS\{00000000-00000000-0000000D-00001102-00000004-005A1102}.BAK
2007-12-21 18:25 . 2007-12-21 18:25 <DIR> d-------- C:\Program Files\CCleaner
2007-12-20 22:06 . 2007-12-20 22:06 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-19 00:20 . 2007-12-19 00:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-19 00:09 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-19 00:01 . 2007-12-19 00:05 <DIR> d-------- C:\Documents and Settings\Kirk\.SunDownloadManager
2007-12-18 22:46 . 2007-12-18 22:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-18 12:46 . 2007-12-18 19:51 <DIR> d-------- C:\Documents and Settings\Kirk\.housecall6.6
2007-12-18 10:27 . 2007-12-18 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-18 10:23 . 2007-12-18 10:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-15 09:29 . 2007-12-15 09:35 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-12-15 08:20 . 2007-12-15 08:20 <DIR> d-------- C:\Deckard
2007-12-14 22:34 . 2007-12-14 22:34 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-14 22:20 . 2007-12-14 22:22 <DIR> d-------- C:\Fix
2007-12-14 20:29 . 2007-12-14 20:29 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-13 23:02 . 2007-12-13 23:02 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-10 00:10 . 2007-12-22 11:54 <DIR> d-------- C:\Program Files\a-squared Free
2007-12-09 14:09 . 1997-12-17 18:33 304,128 --a------ C:\WINDOWS\IsUninst.exe
2007-12-09 14:01 . 2007-12-09 14:02 <DIR> d-------- C:\temp\FPL75
2007-12-04 22:17 . 2007-12-04 22:17 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-04 17:50 . 2007-12-04 17:50 <DIR> d-------- C:\cygwin
2007-12-04 17:15 . 2007-12-04 17:15 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-12-04 16:09 . 2007-12-04 17:00 <DIR> d-------- C:\Vdefs
2007-12-03 06:27 . 2007-12-04 12:52 69,632 --ahs---- C:\WINDOWS\system32\aaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
2007-12-02 21:39 . 2007-12-02 22:18 70,103 --ahs---- C:\WINDOWS\system32\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
2007-12-01 11:57 . 2007-12-22 16:13 1,601,568 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-01 11:57 . 2007-12-21 23:51 10,328 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-01 11:39 . 2007-12-01 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-05-19 19:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00]
"MpsOnn"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe" [2002-07-04 09:45]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 C:\WINDOWS\system32\bthprops.cpl]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

C:\Documents and Settings\Kirk\Start Menu\Programs\Startup\
CoolMon.lnk - C:\Program Files\CoolMon\CoolMon.exe [2007-02-23 22:07:57]
SyncBackSE.lnk - C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2005-11-02 22:55:27]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\WinFax\WfxSeh32.Dll [1998-07-27 03:54 38400]

R0 stwlfbus;stwlfbus;C:\WINDOWS\system32\DRIVERS\stwlfbus.sys [2003-04-27 11:39]
R2 cis1284;cis1284;C:\WINDOWS\system32\drivers\cis1284.sys [2000-09-05 10:10]
R2 PGPsdkDriver;PGPsdkDriver;C:\WINDOWS\system32\Drivers\PGPsdk.sys [2002-11-26 15:05]
R2 PGPsdkServ;PGPsdkService;C:\WINDOWS\system32\PGPsdkServ.exe [2002-11-26 15:05]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-09-22 16:44]
R3 Slnt7554;USB Soft Modem Driver;C:\WINDOWS\system32\DRIVERS\slnt7554.sys [2004-08-03 21:41]
R3 st3wolf;st3wolf;C:\WINDOWS\system32\DRIVERS\st3wolf.sys [2003-04-27 10:43]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys [2005-04-12 19:21]
R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys [2005-04-12 19:21]
R3 WmHidLo;Logitech Gaming USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys [2005-04-12 19:21]
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys [2005-04-12 19:21]
S0 mpegport;mpegport;C:\WINDOWS\system32\DRIVERS\mpegport.sys []
S2 713xTVCard;SAA7130 TV Card;C:\WINDOWS\system32\DRIVERS\SAA713x.sys [2005-03-15 12:00]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ALIEHCI.sys []
S2 Cap7134;TV Capture Card WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2004-11-19 07:57]
S2 rmdvd;RM DVD helper;C:\WINDOWS\system32\DRIVERS\rmdvd.sys []
S2 WDMTVTuner;Universal WDM TV Tuner;C:\WINDOWS\system32\drivers\WDMTuner.sys [2004-11-30 11:00]
S3 aliroothub;USB 2.0 Root Hub;C:\WINDOWS\system32\DRIVERS\AliRtHub.sys []
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]
S3 PhTVTune;TV Capture Card WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2004-11-19 07:57]
S3 rmquasar;Hollywood Plus MiniDriver;C:\WINDOWS\system32\DRIVERS\rmquasar.sys []
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 13:53]
S3 STV673;STV0673 Camera;C:\WINDOWS\system32\drivers\STV673.sys [2000-09-15 13:24]
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys [2005-04-12 19:21]
S4 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [2000-09-28 22:58]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-22 04:30:09 C:\WINDOWS\Tasks\shutdown.job"
- C:\WINDOWS\system32\shutdown.exe
"2007-12-22 14:00:09 C:\WINDOWS\Tasks\SyncBackSE Abit_C_backups.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
"2007-12-22 08:02:08 C:\WINDOWS\Tasks\SyncBackSE Abit_Documents and Settings backup.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
"2007-12-22 07:37:41 C:\WINDOWS\Tasks\SyncBackSE DeskPro_Documents and Settings Backup.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
"2007-12-22 07:00:37 C:\WINDOWS\Tasks\SyncBackSE Our Documents backup.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
"2007-12-22 08:30:09 C:\WINDOWS\Tasks\SyncBackSE Our Documents external backup.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 16:13:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-22 16:16:17
C:\ComboFix2.txt ... 2007-12-21 20:13
.
2007-12-09 22:11:32 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:36:49 PM, on 22-Dec-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\PGPsdkServ.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CoolMon\CoolMon.exe
C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: CoolMon.lnk = C:\Program Files\CoolMon\CoolMon.exe
O4 - Startup: SyncBackSE.lnk = C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwnb.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173148968882
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://activation.sympatico.ca/wizlet/Symp...nadaActiveX.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...177/mcfscan.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\system32\PGPsdkServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6304 bytes

#11 SifuMike (malware expert)

Posted 22 December 2007 - 05:56 PM

Hi KC750,

We will kill those files with ComboFix. :thumbsup:

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\{00000000-00000000-0000000D-00001102-00000004-005A1102}.BAK
C:\WINDOWS\system32\aaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
C:\WINDOWS\system32\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by SifuMike, 22 December 2007 - 05:59 PM.

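The triage SifuMike is doing by eye in posts #8 and #11 (pick out hidden+system files under system32, the random 8-letter .ini companions, and the absurdly long names, then feed the exact paths to ComboFix in a CFScript) can be scripted over the log itself. The Python below is an added example for this thread, not ComboFix's code and not something either poster ran. Its line regex is inferred from the "Files Created" lines quoted above, the sample log lines are constructed (dates and sizes made up), the 64-character name threshold and the 8-letter .ini pattern are heuristics, and the reading of the attribute letters h/s as hidden/system is an assumption based on Windows attribute listings. It also checks a CFScript for wrapped lines: when a very long name is pasted from a web page that broke it across lines, the tool sees several short paths that do not exist instead of the one long one, and the file survives.

```python
import re
from typing import Dict, List, Tuple

# Regex for one line of ComboFix's "Files Created" section, inferred from the
# lines quoted in this thread (created . modified size attrs path). Assumption:
# the 9-character attribute field uses 'd', 'a', 'h', 's' for directory,
# archive, hidden and system, as in Windows attribute listings.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+?)\s*$"
)
SYSTEM32 = "c:\\windows\\system32\\"
RANDOM_INI = re.compile(r"^[a-z]{8}\.ini$")  # heuristic: Vundo-style companion .ini
MAX_SANE_NAME = 64                          # heuristic threshold (assumption)
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")

# Constructed sample lines in ComboFix's layout; dates and sizes are made up.
SAMPLE_LOG = "\n".join([
    "2007-12-19 00:09 . 2007-09-24 23:31 69,632 --a------ C:\\WINDOWS\\system32\\javacpl.cpl",
    "2007-12-04 13:41 . 2007-12-09 17:56 805,501 ---hs---- C:\\WINDOWS\\system32\\ptuicfdy.ini",
    "2007-12-03 06:27 . 2007-12-04 12:52 69,632 --ahs---- C:\\WINDOWS\\system32\\" + "a" * 8 + "b" * 120,
    "2007-12-01 11:57 . 2007-12-21 20:08 503,840 --ahs---- C:\\WINDOWS\\system32\\drivers\\fidbox.dat",
    "2007-12-21 18:25 . 2007-12-21 18:25 <DIR> d-------- C:\\Program Files\\CCleaner",
])


def parse_combofix_lines(text: str) -> List[Dict[str, object]]:
    """Parse the file-listing lines of a ComboFix log; other lines are skipped."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e: Dict[str, object] = dict(m.groupdict())
        e["is_dir"] = e["size"] == "<DIR>"
        e["size"] = None if e["is_dir"] else int(str(e["size"]).replace(",", ""))
        entries.append(e)
    return entries


def flag_entry(e: Dict[str, object]) -> List[str]:
    """Return the reasons an entry deserves a look; an empty list means none."""
    if e["is_dir"]:
        return []
    path, attrs = str(e["path"]), str(e["attrs"])
    name = path.rsplit("\\", 1)[-1]
    in_sys32 = path.lower().startswith(SYSTEM32)
    reasons: List[str] = []
    if in_sys32 and "h" in attrs and "s" in attrs:
        reasons.append("hidden+system attributes under system32")
    if in_sys32 and RANDOM_INI.match(name.lower()):
        reasons.append("8-letter random .ini name (Vundo-style companion file)")
    if len(name) > MAX_SANE_NAME:
        reasons.append("file name is %d characters long" % len(name))
    return reasons


def find_suspicious(text: str) -> List[Tuple[str, List[str]]]:
    """Every flagged path with its reasons, in log order. Triage by hand:
    legitimate hidden+system files (a security product's own database, say)
    will show up here too."""
    out: List[Tuple[str, List[str]]] = []
    for e in parse_combofix_lines(text):
        reasons = flag_entry(e)
        if reasons:
            out.append((str(e["path"]), reasons))
    return out


def build_cfscript(paths: List[str]) -> str:
    """Emit a File:: section with one full, unwrapped path per line."""
    return "File::\n" + "\n".join(paths) + "\n"


def check_cfscript(script: str) -> List[str]:
    """Lines inside File::/Folder:: sections that are not full paths.
    A name wrapped by a forum or mail client arrives as a continuation line
    with no drive letter, so the tool sees two short, nonexistent paths
    instead of one long one."""
    problems: List[str] = []
    in_paths = False
    for line in script.splitlines():
        s = line.strip()
        if not s:
            in_paths = False
        elif s.endswith("::"):
            in_paths = s[:-2] in ("File", "Folder")
        elif in_paths and not DRIVE_PATH.match(s):
            problems.append(s)
    return problems


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for path, reasons in hits:
        print(path[:60] + ("..." if len(path) > 60 else ""), "->", "; ".join(reasons))
    script = build_cfscript([p for p, _ in hits])
    print("wrapped lines in script:", check_cfscript(script))
```

Run it against a saved ComboFix.txt by reading the file into `find_suspicious`; write the generated script with Notepad-compatible line endings only after `check_cfscript` returns an empty list. The flagged list is a starting point for a human, not a deletion list: anything hidden+system under system32 is flagged, including files that belong there.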

#12 KC750 (Topic Starter)

Posted 22 December 2007 - 08:22 PM

ComboFix completed with the new script. I'm no expert, but it looks to me like the 2 files we're trying to get rid of returned. Maybe I got it wrong... I hope.

KC

ComboFix 07-12-21.4 - Kirk 2007-12-22 18:45:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.205 [GMT -5:00]
Running from: C:\Documents and Settings\Kirk\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kirk\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\{00000000-00000000-0000000D-00001102-00000004-005A1102}.BAK
C:\WINDOWS\system32\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
C:\WINDOWS\system32\aaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\{00000000-00000000-0000000D-00001102-00000004-005A1102}.BAK

.
((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.

2007-12-21 18:25 . 2007-12-21 18:25 <DIR> d-------- C:\Program Files\CCleaner
2007-12-20 22:06 . 2007-12-20 22:06 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-19 00:20 . 2007-12-19 00:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-19 00:09 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-19 00:01 . 2007-12-19 00:05 <DIR> d-------- C:\Documents and Settings\Kirk\.SunDownloadManager
2007-12-18 22:46 . 2007-12-18 22:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-18 12:46 . 2007-12-18 19:51 <DIR> d-------- C:\Documents and Settings\Kirk\.housecall6.6
2007-12-18 10:27 . 2007-12-18 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-18 10:23 . 2007-12-18 10:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-15 09:29 . 2007-12-15 09:35 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-12-15 08:20 . 2007-12-15 08:20 <DIR> d-------- C:\Deckard
2007-12-14 22:34 . 2007-12-14 22:34 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-14 22:20 . 2007-12-14 22:22 <DIR> d-------- C:\Fix
2007-12-14 20:29 . 2007-12-14 20:29 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-13 23:02 . 2007-12-13 23:02 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-10 00:10 . 2007-12-22 11:54 <DIR> d-------- C:\Program Files\a-squared Free
2007-12-09 14:09 . 1997-12-17 18:33 304,128 --a------ C:\WINDOWS\IsUninst.exe
2007-12-09 14:01 . 2007-12-09 14:02 <DIR> d-------- C:\temp\FPL75
2007-12-04 22:17 . 2007-12-04 22:17 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-04 17:50 . 2007-12-04 17:50 <DIR> d-------- C:\cygwin
2007-12-04 17:15 . 2007-12-04 17:15 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-12-04 16:09 . 2007-12-04 17:00 <DIR> d-------- C:\Vdefs
2007-12-03 06:27 . 2007-12-04 12:52 69,632 --ahs---- C:\WINDOWS\system32\aaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
2007-12-02 21:39 . 2007-12-02 22:18 70,103 --ahs---- C:\WINDOWS\system32\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
2007-12-01 11:57 . 2007-12-22 18:52 1,644,576 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-01 11:57 . 2007-12-22 16:35 23,072 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-01 11:39 . 2007-12-01 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-05-19 19:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00]
"MpsOnn"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe" [2002-07-04 09:45]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 C:\WINDOWS\system32\bthprops.cpl]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

C:\Documents and Settings\Kirk\Start Menu\Programs\Startup\
CoolMon.lnk - C:\Program Files\CoolMon\CoolMon.exe [2007-02-23 22:07:57]
SyncBackSE.lnk - C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2005-11-02 22:55:27]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\WinFax\WfxSeh32.Dll [1998-07-27 03:54 38400]

R0 stwlfbus;stwlfbus;C:\WINDOWS\system32\DRIVERS\stwlfbus.sys [2003-04-27 11:39]
R2 cis1284;cis1284;C:\WINDOWS\system32\drivers\cis1284.sys [2000-09-05 10:10]
R2 PGPsdkDriver;PGPsdkDriver;C:\WINDOWS\system32\Drivers\PGPsdk.sys [2002-11-26 15:05]
R2 PGPsdkServ;PGPsdkService;C:\WINDOWS\system32\PGPsdkServ.exe [2002-11-26 15:05]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-09-22 16:44]
R3 Slnt7554;USB Soft Modem Driver;C:\WINDOWS\system32\DRIVERS\slnt7554.sys [2004-08-03 21:41]
R3 st3wolf;st3wolf;C:\WINDOWS\system32\DRIVERS\st3wolf.sys [2003-04-27 10:43]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys [2005-04-12 19:21]
R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys [2005-04-12 19:21]
R3 WmHidLo;Logitech Gaming USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys [2005-04-12 19:21]
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys [2005-04-12 19:21]
S0 mpegport;mpegport;C:\WINDOWS\system32\DRIVERS\mpegport.sys []
S2 713xTVCard;SAA7130 TV Card;C:\WINDOWS\system32\DRIVERS\SAA713x.sys [2005-03-15 12:00]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ALIEHCI.sys []
S2 Cap7134;TV Capture Card WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2004-11-19 07:57]
S2 rmdvd;RM DVD helper;C:\WINDOWS\system32\DRIVERS\rmdvd.sys []
S2 WDMTVTuner;Universal WDM TV Tuner;C:\WINDOWS\system32\drivers\WDMTuner.sys [2004-11-30 11:00]
S3 aliroothub;USB 2.0 Root Hub;C:\WINDOWS\system32\DRIVERS\AliRtHub.sys []
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]
S3 PhTVTune;TV Capture Card WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2004-11-19 07:57]
S3 rmquasar;Hollywood Plus MiniDriver;C:\WINDOWS\system32\DRIVERS\rmquasar.sys []
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 13:53]
S3 STV673;STV0673 Camera;C:\WINDOWS\system32\drivers\STV673.sys [2000-09-15 13:24]
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys [2005-04-12 19:21]
S4 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [2000-09-28 22:58]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-22 04:30:09 C:\WINDOWS\Tasks\shutdown.job"
- C:\WINDOWS\system32\shutdown.exe
"2007-12-22 14:00:09 C:\WINDOWS\Tasks\SyncBackSE Abit_C_backups.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
"2007-12-22 08:02:08 C:\WINDOWS\Tasks\SyncBackSE Abit_Documents and Settings backup.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
"2007-12-22 07:37:41 C:\WINDOWS\Tasks\SyncBackSE DeskPro_Documents and Settings Backup.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
"2007-12-22 07:00:37 C:\WINDOWS\Tasks\SyncBackSE Our Documents backup.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
"2007-12-22 08:30:09 C:\WINDOWS\Tasks\SyncBackSE Our Documents external backup.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 18:52:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-22 18:55:13
C:\ComboFix2.txt ... 2007-12-22 16:16
C:\ComboFix3.txt ... 2007-12-21 20:13
.
2007-12-09 22:11:32 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:40 PM, on 22-Dec-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\PGPsdkServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CoolMon\CoolMon.exe
C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: CoolMon.lnk = C:\Program Files\CoolMon\CoolMon.exe
O4 - Startup: SyncBackSE.lnk = C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwnb.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173148968882
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://activation.sympatico.ca/wizlet/Symp...nadaActiveX.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...177/mcfscan.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\system32\PGPsdkServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6305 bytes

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 December 2007 - 10:19 PM

We will try manually deleting them.



Please boot into Safe Mode

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/


Using Windows Explorer, delete the following files/folders in bold


C:\WINDOWS\system32\aaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb


C:\WINDOWS\system32\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa


Reboot your computer and see if they are gone. :thumbsup:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 KC750

KC750
  • Topic Starter

  • Members
  • 9 posts

Posted 23 December 2007 - 09:08 AM

I was able to remove them manually and they did not reappear on restarting. Here are the new logs.

Thanks again :-)

KC

ComboFix 07-12-21.4 - Kirk 2007-12-23 7:59:58.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.205 [GMT -5:00]
Running from: C:\Documents and Settings\Kirk\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-23 to 2007-12-23 )))))))))))))))))))))))))))))))
.

2007-12-23 07:31 . 2007-12-23 07:31 3,162,278 --a------ C:\WINDOWS\{00000000-00000000-0000000D-00001102-00000004-005A1102}.BAK
2007-12-21 18:25 . 2007-12-21 18:25 <DIR> d-------- C:\Program Files\CCleaner
2007-12-20 22:06 . 2007-12-20 22:06 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-19 00:20 . 2007-12-19 00:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-19 00:09 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-19 00:01 . 2007-12-19 00:05 <DIR> d-------- C:\Documents and Settings\Kirk\.SunDownloadManager
2007-12-18 22:46 . 2007-12-18 22:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-18 12:46 . 2007-12-18 19:51 <DIR> d-------- C:\Documents and Settings\Kirk\.housecall6.6
2007-12-18 10:27 . 2007-12-18 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-18 10:23 . 2007-12-18 10:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-15 09:29 . 2007-12-15 09:35 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-12-15 08:20 . 2007-12-15 08:20 <DIR> d-------- C:\Deckard
2007-12-14 22:34 . 2007-12-14 22:34 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-14 22:20 . 2007-12-14 22:22 <DIR> d-------- C:\Fix
2007-12-14 20:29 . 2007-12-14 20:29 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-13 23:02 . 2007-12-13 23:02 1,158 --a------ C:\WINDOWS\mozver.dat
2007-12-10 00:10 . 2007-12-22 11:54 <DIR> d-------- C:\Program Files\a-squared Free
2007-12-09 14:09 . 1997-12-17 18:33 304,128 --a------ C:\WINDOWS\IsUninst.exe
2007-12-09 14:01 . 2007-12-09 14:02 <DIR> d-------- C:\temp\FPL75
2007-12-04 22:17 . 2007-12-04 22:17 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-04 17:50 . 2007-12-04 17:50 <DIR> d-------- C:\cygwin
2007-12-04 17:15 . 2007-12-04 17:15 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-12-04 16:09 . 2007-12-04 17:00 <DIR> d-------- C:\Vdefs
2007-12-01 11:57 . 2007-12-23 08:05 1,708,064 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-01 11:57 . 2007-12-23 07:32 24,032 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-01 11:39 . 2007-12-01 11:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 22:57 --------- d-----w C:\Program Files\Java
2007-12-20 04:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-18 15:27 --------- d-----w C:\Program Files\Lavasoft
2007-12-10 23:04 --------- d-----w C:\Program Files\ElcomSoft
2007-12-04 23:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-04 23:58 --------- d-----w C:\Program Files\Belkin Bulldog
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-21 04:16 --------- d-----w C:\Documents and Settings\Kirk\Application Data\uTorrent
2007-11-21 03:20 --------- d-----w C:\Program Files\MagicISO
2007-11-14 21:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-14 21:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-09-18 02:02 47,360 ----a-w C:\Documents and Settings\Kirk\Application Data\pcouffin.sys
2007-06-18 15:00 22,439,313 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-03-20 04:39 24,192 ----a-w C:\Documents and Settings\Kirk\usbsermptxp.sys
2007-03-20 04:39 22,768 ----a-w C:\Documents and Settings\Kirk\usbsermpt.sys
2007-02-17 01:11 103,787 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_16_06_41_56_small.dmp.zip
2006-11-10 04:16 92,064 ----a-w C:\Documents and Settings\Kirk\mqdmmdm.sys
2006-11-10 04:16 9,232 ----a-w C:\Documents and Settings\Kirk\mqdmmdfl.sys
2006-11-10 04:16 79,328 ----a-w C:\Documents and Settings\Kirk\mqdmserd.sys
2006-11-10 04:16 66,656 ----a-w C:\Documents and Settings\Kirk\mqdmbus.sys
2006-11-10 04:16 6,208 ----a-w C:\Documents and Settings\Kirk\mqdmcmnt.sys
2006-11-10 04:16 5,936 ----a-w C:\Documents and Settings\Kirk\mqdmwhnt.sys
2006-11-10 04:16 4,048 ----a-w C:\Documents and Settings\Kirk\mqdmcr.sys
2006-06-29 10:59 23,736,165 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_06_24_23_39_30_full.dmp.zip
2006-06-29 10:57 23,569,960 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_06_22_21_26_00_full.dmp.zip
2006-06-16 11:00 23,616,729 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_06_14_23_32_09_full.dmp.zip
2006-06-15 02:32 23,715,149 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_05_29_23_05_36_full.dmp.zip
2006-06-15 02:29 23,661,544 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_05_27_22_14_49_full.dmp.zip
2006-05-26 10:24 23,621,750 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_05_25_21_10_35_full.dmp.zip
2006-05-16 11:41 23,532,039 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_05_15_21_56_56_full.dmp.zip
2006-05-16 01:50 23,724,957 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_05_15_21_19_50_full.dmp.zip
2006-05-16 01:48 23,690,547 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_05_08_22_11_04_full.dmp.zip
.

((((((((((((((((((((((((((((( snapshot@2007-12-21_20.10.43.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 04:56:44 132,608 ----a-w C:\WINDOWS\system32\Setup\fxsocm.dll
+ 2004-08-04 04:56:44 505,344 ----a-w C:\WINDOWS\system32\Setup\iis.dll
+ 2001-08-23 12:00:00 115,712 ----a-w C:\WINDOWS\system32\Setup\imsinsnt.dll
+ 2004-08-04 04:56:44 16,896 ----a-w C:\WINDOWS\system32\Setup\medctroc.dll
+ 2001-08-23 12:00:00 82,432 ----a-w C:\WINDOWS\system32\Setup\msdtcstp.dll
+ 2004-08-04 04:56:44 15,360 ----a-w C:\WINDOWS\system32\Setup\msgrocm.dll
+ 2004-08-04 04:56:44 169,984 ----a-w C:\WINDOWS\system32\Setup\msmqocm.dll
+ 2002-08-28 22:57:36 126,976 ----a-w C:\WINDOWS\system32\Setup\netfxocm.dll
+ 2004-08-04 04:56:46 77,312 ----a-w C:\WINDOWS\system32\Setup\netoc.dll
+ 2004-08-04 04:56:46 62,976 ----a-w C:\WINDOWS\system32\Setup\ntoc.dll
+ 2004-08-04 04:56:46 15,872 ----a-w C:\WINDOWS\system32\Setup\ocgen.dll
+ 2004-08-04 04:56:46 17,408 ----a-w C:\WINDOWS\system32\Setup\ocmsn.dll
+ 2004-08-04 04:56:46 101,376 ----a-w C:\WINDOWS\system32\Setup\setupqry.dll
+ 2004-08-04 04:56:48 33,792 ----a-w C:\WINDOWS\system32\Setup\tabletoc.dll
+ 2004-08-04 04:56:48 121,856 ----a-w C:\WINDOWS\system32\Setup\tsoc.dll
+ 2001-08-23 12:00:00 8,261 ----a-w C:\WINDOWS\system32\Setup\zoneoc.dll
+ 2005-05-26 08:16:30 41,240 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\5.8.0.2469\wups.dll
+ 2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.374\wups.dll
+ 2007-07-30 23:18:40 33,624 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\wups.dll
+ 2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.374\wups2.dll
+ 2007-07-30 23:19:12 43,352 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.381\wups2.dll
+ 2006-07-14 20:36:33 176,128 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\2\J2GEKM42.dll
+ 2006-07-14 20:36:20 182,272 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\2\J2GEUM42.dll
+ 2001-03-15 09:22:48 454,336 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\2\PDFDD.DLL
+ 2001-03-15 09:20:30 156,704 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\2\PDFDDUI.DLL
+ 2001-03-15 09:19:16 15,296 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\2\PDFKD.DLL
+ 2000-09-29 03:47:58 105,792 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\2\WFXDNT40.DLL
+ 2000-09-29 03:48:18 22,240 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\2\WFXDNTHQ.DLL
+ 2000-09-29 03:58:38 26,624 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\2\wfxunt40.dll
+ 2001-03-15 09:26:36 9,734 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\AD2KREPI.DLL
+ 2001-03-15 09:23:56 77,824 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\AD2KUIPI.DLL
+ 2002-07-09 18:03:34 40,960 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CVIMG32.DLL
+ 2001-04-06 05:00:00 98,816 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_H13UIW.DLL
+ 2001-02-07 05:10:00 56,320 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S01C00.EXE
+ 2000-05-10 05:00:00 32,768 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S01CE0.DLL
+ 2001-01-19 07:00:00 68,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC2.EXE
+ 2001-02-22 07:00:00 98,816 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10MT2.EXE
+ 2001-01-19 07:00:00 68,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10RN2.EXE
+ 2001-04-12 07:00:00 261,120 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S190C2.DLL
+ 2001-03-15 07:00:00 161,280 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S1E0C2.DLL
+ 2001-02-23 07:00:00 3,145 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S1K0C2.DAT
+ 2001-02-22 07:00:00 93,696 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S1T0A2.EXE
+ 2001-02-22 07:00:00 65,024 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SECK32.DLL
+ 2001-01-29 07:00:00 52,736 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SPSU01.EXE
+ 2000-10-05 06:06:00 127,488 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
+ 2001-03-06 07:10:00 787,442 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\EB_SET06.EXE
+ 2001-08-18 03:34:26 136,192 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpcfont.dll
+ 2001-08-18 03:34:26 8,192 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpcstr.dll
+ 2001-08-18 02:36:16 435,200 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPF900AL.DLL
+ 2001-08-18 02:36:16 1,853,952 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFIMG50.DLL
+ 2004-08-04 04:56:44 87,552 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFUD50.DLL
+ 2001-08-18 02:36:16 32,768 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPFUI50.DLL
+ 2002-07-09 18:03:40 65,536 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\IMLIB32.DLL
+ 2002-07-09 18:04:46 45,056 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\MPASSMON.DLL
+ 2002-02-19 22:00:50 92,638 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\MPS1K.DLL
+ 2002-07-04 14:28:56 294,319 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\MPS1UIK.DLL
+ 2000-04-19 20:00:00 90,084 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\MPSHT.BIN
+ 2002-07-04 14:45:22 22,528 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\MPSONN.EXE
+ 2002-07-09 18:05:10 53,248 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\MPSPL32.DLL
+ 2000-12-20 14:21:02 47,616 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\MPSRENN.DLL
+ 2002-07-09 18:06:52 45,056 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mpsset32.dll
+ 2004-08-04 05:56:24 676,864 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\PCL5ERES.DLL
+ 2005-12-11 05:22:22 15,360 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\pdf995ui5.DLL
+ 2005-12-11 05:22:21 135,248 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\ps5ui.dll
+ 2005-12-11 05:22:20 470,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\pscript5.dll
+ 2002-07-09 18:03:28 32,768 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\PSFEMT32.DLL
+ 2004-08-04 05:56:48 264,704 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRV.DLL
+ 2004-08-04 05:56:48 197,120 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRVUI.DLL
+ 2004-08-04 05:56:36 619,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIRES.DLL
+ 2001-03-15 09:26:36 9,734 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\ad2krepi.dll
+ 2001-03-15 09:23:56 77,824 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\ad2kuipi.dll
+ 2002-07-09 17:03:34 40,960 ----a-r C:\WINDOWS\system32\spool\drivers\w32x86\canonfaxphone_l75107d\CVIMG32.DLL
+ 2002-07-09 17:03:40 65,536 ----a-r C:\WINDOWS\system32\spool\drivers\w32x86\canonfaxphone_l75107d\IMLIB32.DLL
+ 2002-07-09 17:04:46 45,056 ----a-r C:\WINDOWS\system32\spool\drivers\w32x86\canonfaxphone_l75107d\MPASSMON.DLL
+ 2002-02-19 21:00:50 92,638 ----a-r C:\WINDOWS\system32\spool\drivers\w32x86\canonfaxphone_l75107d\MPS1K.DLL
+ 2002-07-04 13:28:56 294,319 ----a-r C:\WINDOWS\system32\spool\drivers\w32x86\canonfaxphone_l75107d\MPS1UIK.DLL
+ 2000-04-19 19:00:00 90,084 ----a-r C:\WINDOWS\system32\spool\drivers\w32x86\canonfaxphone_l75107d\MPSHT.BIN
+ 2002-07-04 13:45:22 22,528 ----a-r C:\WINDOWS\system32\spool\drivers\w32x86\canonfaxphone_l75107d\MPSONN.EXE
+ 2002-07-09 17:05:10 53,248 ----a-r C:\WINDOWS\system32\spool\drivers\w32x86\canonfaxphone_l75107d\MPSPL32.DLL
+ 2000-12-20 13:21:02 47,616 ----a-r C:\WINDOWS\system32\spool\drivers\w32x86\canonfaxphone_l75107d\MPSRENN.DLL
+ 2002-07-09 17:06:52 45,056 ----a-r C:\WINDOWS\system32\spool\drivers\w32x86\canonfaxphone_l75107d\mpsset32.dll
+ 2002-07-09 17:03:28 32,768 ----a-r C:\WINDOWS\system32\spool\drivers\w32x86\canonfaxphone_l75107d\PSFEMT32.DLL
+ 2001-04-06 05:00:00 98,816 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\E_H13UIW.DLL
+ 2001-02-07 05:10:00 56,320 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\E_S01C00.EXE
+ 2000-05-10 05:00:00 32,768 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\E_S01CE0.DLL
+ 2001-01-19 07:00:00 68,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\E_S10IC2.EXE
+ 2001-02-22 07:00:00 98,816 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\E_S10MT2.EXE
+ 2001-01-19 07:00:00 68,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\E_S10RN2.EXE
+ 2001-04-12 07:00:00 261,120 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\E_S190C2.DLL
+ 2001-03-15 07:00:00 161,280 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\E_S1E0C2.DLL
+ 2001-02-23 07:00:00 3,145 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\E_S1K0C2.DAT
+ 2001-02-22 07:00:00 93,696 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\E_S1T0A2.EXE
+ 2001-02-22 07:00:00 65,024 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\E_SECK32.DLL
+ 2001-01-29 07:00:00 52,736 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\E_SPSU01.EXE
+ 2000-10-05 06:06:00 127,488 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\E_SRCV02.EXE
+ 2001-03-06 07:10:00 787,442 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\EB_SET06.EXE
+ 2000-05-29 18:00:00 299,008 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\E_DCON02.DLL
+ 2001-04-05 19:00:00 3,224 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\E_DD13CE.DAT
+ 2001-03-14 19:00:00 40,394 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\E_DDSP13.DLL
+ 2001-03-21 18:00:00 143,872 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\E_DHE3R0.DLL
+ 2001-03-27 18:00:00 102,912 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\E_DHMM01.DLL
+ 2001-03-29 18:00:00 887,808 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\E_DI03AE.DLL
+ 2001-03-14 18:00:00 352,768 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\E_DJB303.DLL
+ 2001-03-22 19:00:00 79,312 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\E_DMAI13.DLL
+ 1999-03-08 17:00:00 148,992 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\E_DMSG00.EXE
+ 2001-03-14 18:00:00 142,336 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\E_DPPE03.EXE
+ 2001-03-14 18:00:00 509,440 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\E_DPUI03.DLL
+ 2001-05-17 18:00:00 1,260,032 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\E_DST0CE.DLL
+ 2001-04-11 19:00:00 264,467 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\E_DU13AE.DLL
+ 2001-02-23 18:00:00 76,288 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\E_DUMW01.DLL
+ 2001-05-15 15:00:00 598,016 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\E_H190C2.DLL
+ 2001-04-06 15:00:00 70,144 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\E_H1E0C2.DLL
+ 2000-05-16 16:00:00 60,416 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\E_S00RP2.EXE
+ 2001-02-22 18:00:00 28,160 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\EPIBSR30.EXE
+ 2001-02-23 18:00:00 52,224 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\EPIPGI10.DLL
+ 1999-06-09 15:07:00 54,272 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\EPSET32.DLL
+ 2001-03-08 19:43:00 386,976 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\EPUPDATE.EXE
+ 2001-05-15 20:06:00 112,640 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\EPUTIX24.DLL
+ 2001-03-16 20:05:00 45,056 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\EPUTIX24.EXE
+ 2001-03-08 19:43:00 48,128 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c60f848\SETUP32.DLL
+ 2001-03-08 18:43:00 386,976 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\EPUPDATE.EXE
+ 2006-07-14 20:36:33 176,128 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\J2GEKM42.dll
+ 2006-07-14 20:36:20 182,272 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\J2GEUM42.dll
+ 2005-12-11 05:22:15 218,816 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\Pdf995ui.dll
+ 2005-12-11 05:22:22 15,360 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\pdf995ui5.DLL
+ 2001-03-15 09:22:48 454,336 ------w C:\WINDOWS\system32\spool\drivers\w32x86\pdfdd.dll
+ 2001-03-15 09:20:30 156,704 ------w C:\WINDOWS\system32\spool\drivers\w32x86\pdfddui.dll
+ 2001-03-15 09:19:16 15,296 ------w C:\WINDOWS\system32\spool\drivers\w32x86\pdfkd.dll
+ 2001-02-26 14:39:38 135,248 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\ps5ui.dll
+ 2005-12-11 05:22:14 225,648 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\Pscript.dll
+ 2001-02-26 14:39:50 470,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\pscript5.dll
+ 2004-01-15 11:20:42 831,468 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6.DLL
+ 2004-01-05 07:22:13 6,014 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6cp.DAT
+ 2004-01-05 07:12:04 6,042 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6ct.DAT
+ 2004-01-05 05:54:11 7,190 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6dn.DAT
+ 2004-01-05 05:54:27 7,423 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6dt.DAT
+ 2004-01-05 05:54:45 6,912 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6en.DAT
+ 2004-01-05 05:55:16 7,230 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6fi.DAT
+ 2004-01-05 05:55:34 7,786 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6fn.DAT
+ 2003-12-04 02:18:14 7,660 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6gr.DAT
+ 2004-01-05 05:56:12 7,286 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6hu.DAT
+ 2004-01-05 05:56:33 7,458 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6it.DAT
+ 2004-01-05 05:50:10 6,683 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6kr.DAT
+ 2004-01-05 05:57:14 7,124 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6nr.DAT
+ 2004-01-05 05:57:57 6,901 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6po.DAT
+ 2003-12-04 02:11:06 7,650 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6pt.DAT
+ 2004-01-05 07:02:20 7,402 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6ru.DAT
+ 2004-01-05 05:59:31 7,764 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6sp.DAT
+ 2003-12-15 01:09:52 1,028,096 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6SU.DLL
+ 2004-01-05 05:59:55 7,239 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6sw.DAT
+ 2004-01-15 11:20:42 118,132 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6UI.DLL
+ 2004-01-05 00:27:20 237,568 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\samsungml_1740db3f\ssgb6UM.DLL
+ 2001-03-08 18:43:00 48,128 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\SETUP32.DLL
+ 2000-09-29 03:47:58 105,792 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\WFXDNT40.DLL
+ 2000-09-29 03:48:18 22,240 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\WFXDNTHQ.DLL
+ 2000-09-29 03:58:38 26,624 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\WFXUNT40.DLL
+ 2000-09-29 03:58:38 12,800 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\WFXPNT40.DLL
+ 2003-02-21 00:06:20 282,624 ----a-w C:\WINDOWS\system32\URTTemp\fusion.dll
+ 2003-02-21 00:06:24 155,648 ----a-w C:\WINDOWS\system32\URTTemp\mscoree.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\system32\URTTemp\mscorsn.dll
+ 2003-02-21 00:08:32 2,482,176 ----a-w C:\WINDOWS\system32\URTTemp\mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\system32\URTTemp\msvcr71.dll
+ 2003-02-21 10:16:08 49,152 ----a-w C:\WINDOWS\system32\URTTemp\regtlib.exe
+ 2005-04-27 23:15:36 17,920 ------w C:\WINDOWS\system32\usmt\cobramsg.dll
+ 2005-04-28 19:16:29 133,120 ----a-w C:\WINDOWS\system32\usmt\guitrn.dll
+ 2004-08-04 04:56:44 108,544 ----a-w C:\WINDOWS\system32\usmt\guitrn_a.dll
+ 2005-04-28 19:16:29 115,200 ------w C:\WINDOWS\system32\usmt\guitrna.dll
+ 2005-04-28 19:16:29 19,968 ----a-w C:\WINDOWS\system32\usmt\log.dll
+ 2005-04-28 19:16:29 274,432 ----a-w C:\WINDOWS\system32\usmt\migism.dll
+ 2004-08-04 04:56:44 192,512 ----a-w C:\WINDOWS\system32\usmt\migism_a.dll
+ 2005-04-28 17:16:30 261,120 ------w C:\WINDOWS\system32\usmt\migisma.dll
+ 2005-04-28 00:12:58 103,424 ----a-w C:\WINDOWS\system32\usmt\migload.exe
+ 2005-04-28 00:12:57 245,248 ----a-w C:\WINDOWS\system32\usmt\migwiz.exe
+ 2004-08-04 04:56:52 236,032 ----a-w C:\WINDOWS\system32\usmt\migwiz_a.exe
+ 2005-04-28 00:12:57 241,152 ------w C:\WINDOWS\system32\usmt\migwiza.exe
+ 2005-04-28 19:16:29 215,552 ----a-w C:\WINDOWS\system32\usmt\script.dll
+ 2004-08-04 04:56:46 188,416 ----a-w C:\WINDOWS\system32\usmt\script_a.dll
+ 2005-04-28 19:16:29 199,680 ------w C:\WINDOWS\system32\usmt\scripta.dll
+ 2005-04-28 19:16:29 193,024 ----a-w C:\WINDOWS\system32\usmt\sysmod.dll
+ 2004-08-04 04:56:48 155,648 ----a-w C:\WINDOWS\system32\usmt\sysmod_a.dll
+ 2005-04-28 19:16:29 173,568 ------w C:\WINDOWS\system32\usmt\sysmoda.dll
+ 2004-08-04 04:56:42 1,352,192 ----a-w C:\WINDOWS\system32\wbem\cimwin32.dll
+ 2004-08-04 04:56:44 45,568 ----a-w C:\WINDOWS\system32\wbem\cmdevtgprov.dll
+ 2001-08-23 12:00:00 120,320 ----a-w C:\WINDOWS\system32\wbem\dsprov.dll
+ 2004-08-04 04:56:44 247,808 ----a-w C:\WINDOWS\system32\wbem\esscli.dll
+ 2004-08-04 04:56:44 22,016 ----a-w C:\WINDOWS\system32\wbem\evntrprv.dll
+ 2004-08-04 04:56:44 472,064 ----a-w C:\WINDOWS\system32\wbem\fastprox.dll
+ 2004-08-04 04:56:44 185,856 ----a-w C:\WINDOWS\system32\wbem\framedyn.dll
+ 2001-08-23 12:00:00 53,248 ----a-w C:\WINDOWS\system32\wbem\fwdprov.dll
+ 2004-08-04 04:56:44 24,576 ----a-w C:\WINDOWS\system32\wbem\krnlprov.dll
+ 2004-08-04 04:56:52 16,384 ----a-w C:\WINDOWS\system32\wbem\mofcomp.exe
+ 2004-08-04 04:56:44 123,904 ----a-w C:\WINDOWS\system32\wbem\mofd.dll
+ 2001-08-23 12:00:00 273,920 ----a-w C:\WINDOWS\system32\wbem\msiprov.dll
+ 2004-08-04 04:56:46 47,104 ----a-w C:\WINDOWS\system32\wbem\ncprov.dll
+ 2004-08-04 04:56:46 212,992 ----a-w C:\WINDOWS\system32\wbem\ntevt.dll
+ 2004-08-04 04:56:46 92,672 ----a-w C:\WINDOWS\system32\wbem\policman.dll
+ 2004-08-04 04:56:46 237,056 ----a-w C:\WINDOWS\system32\wbem\provthrd.dll
+ 2004-08-04 04:56:46 177,152 ----a-w C:\WINDOWS\system32\wbem\repdrvfs.dll
+ 2004-08-04 04:56:56 36,864 ----a-w C:\WINDOWS\system32\wbem\scrcons.exe
+ 2001-08-23 12:00:00 40,960 ----a-w C:\WINDOWS\system32\wbem\smtpcons.dll
+ 2004-08-04 04:56:46 86,528 ----a-w C:\WINDOWS\system32\wbem\stdprov.dll
+ 2001-08-23 12:00:00 61,952 ----a-w C:\WINDOWS\system32\wbem\tmplprov.dll
+ 2001-08-23 12:00:00 59,904 ----a-w C:\WINDOWS\system32\wbem\trnsprov.dll
+ 2001-08-23 12:00:00 16,896 ----a-w C:\WINDOWS\system32\wbem\unsecapp.exe
+ 2001-08-23 12:00:00 116,224 ----a-w C:\WINDOWS\system32\wbem\updprov.dll
+ 2004-08-04 04:56:48 131,584 ----a-w C:\WINDOWS\system32\wbem\viewprov.dll
+ 2001-08-23 12:00:00 12,288 ----a-w C:\WINDOWS\system32\wbem\wbemads.dll
+ 2004-08-04 04:56:48 196,608 ----a-w C:\WINDOWS\system32\wbem\wbemcntl.dll
+ 2004-08-04 04:56:48 214,528 ----a-w C:\WINDOWS\system32\wbem\wbemcomn.dll
+ 2004-08-04 04:56:48 71,680 ----a-w C:\WINDOWS\system32\wbem\wbemcons.dll
+ 2004-08-04 04:56:48 530,944 ----a-w C:\WINDOWS\system32\wbem\wbemcore.dll
+ 2004-08-04 04:56:48 178,176 ----a-w C:\WINDOWS\system32\wbem\wbemdisp.dll
+ 2004-08-04 04:56:48 273,920 ----a-w C:\WINDOWS\system32\wbem\wbemess.dll
+ 2004-08-04 04:56:48 43,008 ----a-w C:\WINDOWS\system32\wbem\wbemperf.dll
+ 2004-08-04 04:56:48 18,944 ----a-w C:\WINDOWS\system32\wbem\wbemprox.dll
+ 2004-08-04 04:56:48 43,520 ----a-w C:\WINDOWS\system32\wbem\wbemsvc.dll
+ 2004-08-04 04:56:58 116,224 ----a-w C:\WINDOWS\system32\wbem\wbemtest.exe
+ 2004-08-04 04:56:48 197,120 ----a-w C:\WINDOWS\system32\wbem\wbemupgd.dll
+ 2001-08-23 12:00:00 13,312 ----a-w C:\WINDOWS\system32\wbem\winmgmt.exe
+ 2001-08-23 12:00:00 16,384 ----a-w C:\WINDOWS\system32\wbem\winmgmtr.dll
+ 2004-08-04 04:56:58 196,608 ----a-w C:\WINDOWS\system32\wbem\wmiadap.exe
+ 2004-08-04 04:56:36 6,656 ----a-w C:\WINDOWS\system32\wbem\wmiapres.dll
+ 2004-08-04 04:56:48 89,088 ----a-w C:\WINDOWS\system32\wbem\wmiaprpl.dll
+ 2004-08-04 04:56:58 126,464 ----a-w C:\WINDOWS\system32\wbem\wmiapsrv.exe
+ 2004-08-04 04:56:58 358,912 ----a-w C:\WINDOWS\system32\wbem\wmic.exe
+ 2004-08-04 04:56:48 60,928 ----a-w C:\WINDOWS\system32\wbem\wmicookr.dll
+ 2004-08-04 04:56:48 140,800 ----a-w C:\WINDOWS\system32\wbem\wmidcprv.dll
+ 2001-08-23 12:00:00 61,440 ----a-w C:\WINDOWS\system32\wbem\wmimsg.dll
+ 2004-08-04 04:56:48 156,672 ----a-w C:\WINDOWS\system32\wbem\wmipcima.dll
+ 2004-08-04 04:56:48 132,096 ----a-w C:\WINDOWS\system32\wbem\wmipdskq.dll
+ 2001-08-23 12:00:00 75,264 ----a-w C:\WINDOWS\system32\wbem\wmipicmp.dll
+ 2004-08-04 04:56:48 62,464 ----a-w C:\WINDOWS\system32\wbem\wmipiprt.dll
+ 2004-08-04 04:56:48 62,976 ----a-w C:\WINDOWS\system32\wbem\wmipjobj.dll
+ 2004-08-04 04:56:48 144,896 ----a-w C:\WINDOWS\system32\wbem\wmiprov.dll
+ 2004-08-04 04:56:48 437,248 ----a-w C:\WINDOWS\system32\wbem\wmiprvsd.dll
+ 2004-08-04 04:56:58 218,112 ----a-w C:\WINDOWS\system32\wbem\wmiprvse.exe
+ 2004-08-04 04:56:48 41,472 ----a-w C:\WINDOWS\system32\wbem\wmipsess.dll
+ 2004-08-04 04:56:48 144,896 ----a-w C:\WINDOWS\system32\wbem\wmisvc.dll
+ 2001-08-23 12:00:00 52,224 ----a-w C:\WINDOWS\system32\wbem\wmitimep.dll
+ 2004-08-04 04:56:48 95,232 ----a-w C:\WINDOWS\system32\wbem\wmiutils.dll
+ 2001-08-23 12:00:00 45,568 ----a-w C:\WINDOWS\system32\wbem\xml\wmi2xml.dll
+ 2007-11-14 21:04:44 370,208 ----a-w C:\WINDOWS\system32\ZoneLabs\av.dll
+ 2007-05-31 05:03:30 65,248 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\aphish.dat
+ 2006-06-30 19:47:36 21,568 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\avcmhk4.dll
+ 2007-05-31 05:03:16 77,824 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll
+ 2007-05-31 05:03:16 110,592 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll
+ 2007-05-31 05:03:16 331,776 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll
+ 2007-05-31 05:03:16 38,400 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll
+ 2007-07-19 20:10:32 110,360 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\kl1.sys
+ 2007-07-19 20:10:32 186,128 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\klif.sys
+ 2007-05-31 05:03:48 110,360 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\kl1.sys
+ 2007-07-19 20:10:28 127,768 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\klif.sys
+ 2007-05-31 05:03:50 45,056 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\regcat.exe
+ 2006-09-20 04:12:14 208,960 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\inv.dll
+ 2007-09-12 02:09:16 274,432 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
+ 2006-12-19 23:13:52 1,093,632 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\libeay32.dll
+ 2007-05-31 05:03:20 548,864 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcp80.dll
+ 2007-05-31 05:03:20 626,688 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcr80.dll
+ 2007-05-31 05:03:18 184,320 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
+ 2007-05-31 05:03:22 90,112 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prremote.dll
+ 2007-09-12 02:09:16 135,168 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
+ 2006-12-19 23:13:52 200,704 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ssleay32.dll
+ 2007-11-14 21:04:44 99,816 ----a-w C:\WINDOWS\system32\ZoneLabs\camupd.dll
+ 2004-01-30 17:35:08 813,568 ----a-w C:\WINDOWS\system32\ZoneLabs\dbghelp.dll
+ 2007-11-14 21:04:46 128,480 ----a-w C:\WINDOWS\system32\ZoneLabs\fbl.dll
+ 2007-11-14 21:04:46 38,376 ----a-w C:\WINDOWS\system32\ZoneLabs\featuremap.dll
+ 2007-11-14 21:04:46 321,016 ----a-w C:\WINDOWS\system32\ZoneLabs\imsecure.dll
+ 2007-11-14 21:05:18 288,144 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2007-11-14 21:05:18 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2007-11-14 21:05:18 26,000 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
+ 2007-11-14 21:05:18 1,361,296 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
+ 2007-11-14 21:05:20 71,056 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
+ 2007-11-14 21:06:34 30,184 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2007-11-14 21:06:36 30,216 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2007-10-19 01:18:38 714,208 ----a-w C:\WINDOWS\system32\ZoneLabs\qrbase.dll
+ 2007-10-19 01:18:38 787,936 ----a-w C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
+ 2007-09-06 21:14:00 173,544 ----a-w C:\WINDOWS\system32\ZoneLabs\SCHEDU~1.DLL
+ 2007-11-14 21:04:48 173,544 ----a-w C:\WINDOWS\system32\ZoneLabs\scheduler.dll
+ 2007-01-11 16:12:08 2,432,259 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2007-10-19 01:18:40 1,500,640 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.dll
+ 2007-10-19 01:18:44 51,176 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.sys
+ 2007-11-14 21:04:50 456,168 ----a-w C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
+ 2007-11-14 21:06:36 214,528 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2007-11-14 21:06:36 3,266,040 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
+ 2006-09-05 01:59:14 503,875 ----a-w C:\WINDOWS\system32\ZoneLabs\upd_core.dll
+ 2007-10-11 21:50:32 832,984 ----a-w C:\WINDOWS\system32\ZoneLabs\updating.dll
+ 2007-11-14 21:05:06 144,936 ----a-w C:\WINDOWS\system32\ZoneLabs\updclient.exe
+ 2007-01-11 22:31:06 286,787 ----a-w C:\WINDOWS\system32\ZoneLabs\updtrsdk.dll
+ 2007-11-14 21:04:52 108,008 ----a-w C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
+ 2007-11-14 21:04:52 83,432 ----a-w C:\WINDOWS\system32\ZoneLabs\vsdb.dll
+ 2007-11-14 21:05:06 75,304 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmon.exe
+ 2007-11-14 21:04:52 2,029,032 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmondll.dll
+ 2007-11-14 21:04:54 1,361,384 ----a-w C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
+ 2007-11-14 21:04:54 239,080 ----a-w C:\WINDOWS\system32\ZoneLabs\vsvault.dll
+ 2007-01-11 16:12:08 2,432,259 ----a-w C:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
+ 2007-11-14 21:04:56 177,640 ----a-w C:\WINDOWS\system32\ZoneLabs\zlparser.dll
+ 2007-11-14 21:04:56 79,344 ----a-w C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
+ 2007-11-14 21:04:58 382,440 ----a-w C:\WINDOWS\system32\ZoneLabs\zlsre.dll
+ 2007-11-14 21:04:58 120,296 ----a-w C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
+ 2006-08-24 04:38:18 1,087,480 ----a-w C:\WINDOWS\system32\ZoneLabs\zpy.dll
+ 2007-12-23 12:52:59 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_690.dat
+ 1999-04-28 15:23:34 36,352 ----a-w C:\WINDOWS\twain_32\ScanWiz\ASPI32.dll
+ 1995-06-02 05:00:00 22,528 ----a-w C:\WINDOWS\twain_32\ScanWiz\DSPIMG.DLL
+ 1996-02-27 13:36:52 20,992 ----a-w C:\WINDOWS\twain_32\ScanWiz\DSPIMG32.DLL
+ 1996-01-16 18:40:54 43,008 ----a-w C:\WINDOWS\twain_32\ScanWiz\FILEIO.DLL
+ 1997-04-03 21:09:12 88,064 ----a-w C:\WINDOWS\twain_32\ScanWiz\FILEIO32.DLL
+ 1996-12-05 20:57:56 33,792 ----a-w C:\WINDOWS\twain_32\ScanWiz\HR132.DLL
+ 1997-02-11 14:53:34 32,768 ----a-w C:\WINDOWS\twain_32\ScanWiz\Jupi32.dll
+ 1996-05-03 22:26:42 30,208 ----a-w C:\WINDOWS\twain_32\ScanWiz\LARRY32.DLL
+ 1996-06-10 23:03:00 45,568 ----a-w C:\WINDOWS\twain_32\ScanWiz\LOUISA32.DLL
+ 1997-03-10 22:35:08 33,280 ----a-w C:\WINDOWS\twain_32\ScanWiz\mary32.dll
+ 1996-02-26 16:28:38 23,040 ----a-w C:\WINDOWS\twain_32\ScanWiz\MAVERI32.DLL
+ 1990-11-30 22:55:38 25,798 ----a-w C:\WINDOWS\twain_32\ScanWiz\MICOMP.DLL
+ 1997-08-28 21:56:06 65,536 ----a-w C:\WINDOWS\twain_32\ScanWiz\miscan32.dll
+ 1999-12-15 13:19:18 30,720 ----a-w C:\WINDOWS\twain_32\ScanWiz\Mphase32.dll
+ 1999-11-25 13:36:14 61,952 ----a-w C:\WINDOWS\twain_32\ScanWiz\Msgd32.dll
+ 2000-01-24 14:06:00 52,224 ----a-w C:\WINDOWS\twain_32\ScanWiz\Msmgr32.dll
+ 2000-03-14 16:00:50 40,960 ----a-w C:\WINDOWS\twain_32\ScanWiz\MSSTI.dll
+ 1999-12-15 13:35:32 34,816 ----a-w C:\WINDOWS\twain_32\ScanWiz\Msusb32.dll
+ 1997-01-23 21:25:58 79,360 ----a-w C:\WINDOWS\twain_32\ScanWiz\Negat_32.dll
+ 1996-02-27 14:39:12 88,064 ----a-w C:\WINDOWS\twain_32\ScanWiz\PCTREE32.DLL
+ 1996-08-27 19:11:42 68,608 ----a-w C:\WINDOWS\twain_32\ScanWiz\POSIT_32.DLL
+ 1996-04-30 03:53:08 59,904 ----a-w C:\WINDOWS\twain_32\ScanWiz\RAVEN32.DLL
+ 1999-04-22 15:10:48 120,832 ----a-w C:\WINDOWS\twain_32\ScanWiz\Scan32.exe
+ 1999-01-11 19:02:46 72,704 ----a-w C:\WINDOWS\twain_32\ScanWiz\sm5932.dll
+ 1997-11-13 15:18:00 41,472 ----a-w C:\WINDOWS\twain_32\ScanWiz\SM7032.dll
+ 1997-11-13 15:25:40 41,472 ----a-w C:\WINDOWS\twain_32\ScanWiz\SM7132.dll
+ 1999-04-19 21:16:20 61,440 ----a-w C:\WINDOWS\twain_32\ScanWiz\sm8132.dll
+ 1997-09-24 13:59:18 66,560 ----a-w C:\WINDOWS\twain_32\ScanWiz\sm8332.dll
+ 1999-04-19 21:12:58 61,440 ----a-w C:\WINDOWS\twain_32\ScanWiz\sm8732.dll
+ 1998-11-27 14:36:26 72,192 ----a-w C:\WINDOWS\twain_32\ScanWiz\sm8932.dll
+ 2000-01-07 16:14:26 65,024 ----a-w C:\WINDOWS\twain_32\ScanWiz\SM8A32.dll
+ 1998-07-01 17:45:42 42,496 ----a-w C:\WINDOWS\twain_32\ScanWiz\sm8c32.dll
+ 1997-08-28 20:28:20 65,536 ----a-w C:\WINDOWS\twain_32\ScanWiz\sm8d32.dll
+ 1997-12-30 15:38:26 40,448 ----a-w C:\WINDOWS\twain_32\ScanWiz\sm8f32.dll
+ 1997-08-29 14:47:12 65,536 ----a-w C:\WINDOWS\twain_32\ScanWiz\sm9032.dll
+ 1999-05-19 16:23:28 54,784 ----a-w C:\WINDOWS\twain_32\ScanWiz\sm9132.dll
+ 1997-11-19 20:54:20 41,472 ----a-w C:\WINDOWS\twain_32\ScanWiz\sm9232.dll
+ 1997-11-11 01:41:34 41,472 ----a-w C:\WINDOWS\twain_32\ScanWiz\sm9332.dll
+ 1999-04-19 21:14:04 68,608 ----a-w C:\WINDOWS\twain_32\ScanWiz\SM9432.dll
+ 1999-04-19 21:13:14 57,344 ----a-w C:\WINDOWS\twain_32\ScanWiz\SM9532.dll
+ 1999-04-19 21:15:50 95,232 ----a-w C:\WINDOWS\twain_32\ScanWiz\SM9A32.dll
+ 1999-04-19 21:19:00 61,440 ----a-w C:\WINDOWS\twain_32\ScanWiz\SM9C32.dll
+ 1999-04-19 21:18:28 61,440 ----a-w C:\WINDOWS\twain_32\ScanWiz\SM9E32.dll
+ 1999-04-19 21:15:16 68,608 ----a-w C:\WINDOWS\twain_32\ScanWiz\SMA032.dll
+ 1999-11-03 21:15:52 62,464 ----a-w C:\WINDOWS\twain_32\ScanWiz\SMA332.dll
+ 1999-03-23 17:13:26 61,952 ----a-w C:\WINDOWS\twain_32\ScanWiz\SMAF32.dll
+ 1997-08-11 16:02:38 45,568 ----a-w C:\WINDOWS\twain_32\ScanWiz\xray32.dll
+ 2007-05-17 19:03:39 219,046 ----a-w C:\WINDOWS\Vertical\uninstall vertical_ss_1024.exe
+ 2007-05-17 19:02:14 220,586 ----a-w C:\WINDOWS\Vertical\uninstall verticalmag_ss_1280.exe
+ 2007-05-17 19:03:39 3,852,278 ----a-w C:\WINDOWS\Vertical\vertical_ss_1024.scr
+ 2007-05-17 19:02:14 5,723,889 ----a-w C:\WINDOWS\Vertical\verticalmag_ss_1280.scr
+ 2001-08-23 12:00:00 74,802 ----a-r C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\atl.dll
+ 2001-08-23 12:00:00 995,383 ----a-r C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\mfc42.dll
+ 2001-08-23 12:00:00 995,384 ----a-r C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\mfc42u.dll
+ 2001-08-23 12:00:00 401,462 ----a-r C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\msvcp60.dll
+ 2007-01-19 20:15:24 74,802 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\atl.dll
+ 2007-01-19 20:15:24 995,383 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42.dll
+ 2007-01-19 20:15:24 1,011,774 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42u.dll
+ 2007-01-19 20:15:24 401,462 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\msvcp60.dll
+ 2006-06-05 18:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
+ 2006-06-05 18:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
+ 2006-06-05 18:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
+ 2006-11-01 19:25:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
+ 2006-11-01 19:25:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
+ 2006-11-01 19:25:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
+ 2001-08-23 12:00:00 921,088 ----a-r C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
+ 2002-08-29 03:41:32 921,600 ----a-r C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll
+ 2004-04-16 21:56:04 921,600 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1515_x-ww_7bb98b8a\comctl32.dll
+ 2004-08-04 04:57:02 1,050,624 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
+ 2006-08-25 15:45:55 1,054,208 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
+ 2001-08-23 12:00:00 50,688 ----a-r C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcirt.dll
+ 2001-08-23 12:00:00 322,560 ----a-r C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll
+ 2002-08-29 03:41:32 50,688 ----a-r C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.10.0_x-ww_d8862ba3\msvcirt.dll
+ 2002-08-29 03:41:32 323,072 ----a-r C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.10.0_x-ww_d8862ba3\msvcrt.dll
+ 2004-08-04 04:57:02 54,784 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcirt.dll
+ 2004-08-04 04:57:02 343,040 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll
+ 2001-08-23 12:00:00 1,700,352 ----a-r C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
+ 2002-08-29 03:41:32 1,703,936 ----a-r C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
+ 2004-08-04 04:57:00 1,712,128 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll
+ 2004-08-04 04:57:00 853,504 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll
+ 2004-08-04 04:57:00 991,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll
+ 2004-08-04 04:55:58 132,096 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\rtcres.dll
+ 2007-07-14 02:42:40 258,048 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2007-07-14 02:42:40 114,176 ----a-w C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-05-19 19:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00]
"MpsOnn"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe" [2002-07-04 09:45]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 C:\WINDOWS\system32\bthprops.cpl]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

C:\Documents and Settings\Kirk\Start Menu\Programs\Startup\
CoolMon.lnk - C:\Program Files\CoolMon\CoolMon.exe [2007-02-23 22:07:57]
SyncBackSE.lnk - C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2005-11-02 22:55:27]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\WinFax\WfxSeh32.Dll [1998-07-27 03:54 38400]

R0 stwlfbus;stwlfbus;C:\WINDOWS\system32\DRIVERS\stwlfbus.sys [2003-04-27 11:39]
R2 cis1284;cis1284;C:\WINDOWS\system32\drivers\cis1284.sys [2000-09-05 10:10]
R2 PGPsdkDriver;PGPsdkDriver;C:\WINDOWS\system32\Drivers\PGPsdk.sys [2002-11-26 15:05]
R2 PGPsdkServ;PGPsdkService;C:\WINDOWS\system32\PGPsdkServ.exe [2002-11-26 15:05]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-09-22 16:44]
R3 Slnt7554;USB Soft Modem Driver;C:\WINDOWS\system32\DRIVERS\slnt7554.sys [2004-08-03 21:41]
R3 st3wolf;st3wolf;C:\WINDOWS\system32\DRIVERS\st3wolf.sys [2003-04-27 10:43]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys [2005-04-12 19:21]
R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys [2005-04-12 19:21]
R3 WmHidLo;Logitech Gaming USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys [2005-04-12 19:21]
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys [2005-04-12 19:21]
S0 mpegport;mpegport;C:\WINDOWS\system32\DRIVERS\mpegport.sys []
S2 713xTVCard;SAA7130 TV Card;C:\WINDOWS\system32\DRIVERS\SAA713x.sys [2005-03-15 12:00]
S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ALIEHCI.sys []
S2 Cap7134;TV Capture Card WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2004-11-19 07:57]
S2 rmdvd;RM DVD helper;C:\WINDOWS\system32\DRIVERS\rmdvd.sys []
S2 WDMTVTuner;Universal WDM TV Tuner;C:\WINDOWS\system32\drivers\WDMTuner.sys [2004-11-30 11:00]
S3 aliroothub;USB 2.0 Root Hub;C:\WINDOWS\system32\DRIVERS\AliRtHub.sys []
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]
S3 PhTVTune;TV Capture Card WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2004-11-19 07:57]
S3 rmquasar;Hollywood Plus MiniDriver;C:\WINDOWS\system32\DRIVERS\rmquasar.sys []
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 13:53]
S3 STV673;STV0673 Camera;C:\WINDOWS\system32\drivers\STV673.sys [2000-09-15 13:24]
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys [2005-04-12 19:21]
S4 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [2000-09-28 22:58]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-23 04:30:17 C:\WINDOWS\Tasks\shutdown.job"
- C:\WINDOWS\system32\shutdown.exe
"2007-12-22 14:00:09 C:\WINDOWS\Tasks\SyncBackSE Abit_C_backups.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
"2007-12-23 08:01:42 C:\WINDOWS\Tasks\SyncBackSE Abit_Documents and Settings backup.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
"2007-12-23 07:37:41 C:\WINDOWS\Tasks\SyncBackSE DeskPro_Documents and Settings Backup.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
"2007-12-23 07:00:38 C:\WINDOWS\Tasks\SyncBackSE Our Documents backup.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
"2007-12-23 08:30:09 C:\WINDOWS\Tasks\SyncBackSE Our Documents external backup.job"
- C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 08:06:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-23 8:09:37
C:\ComboFix2.txt ... 2007-12-22 18:55
C:\ComboFix3.txt ... 2007-12-22 16:16
.
2007-12-09 22:11:32 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:34 AM, on 23-Dec-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\PGPsdkServ.exe
C:\Program Files\CoolMon\CoolMon.exe
C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: CoolMon.lnk = C:\Program Files\CoolMon\CoolMon.exe
O4 - Startup: SyncBackSE.lnk = C:\Program Files\2BrightSparks\SyncBackSE\SyncBackSE.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwnb.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173148968882
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://activation.sympatico.ca/wizlet/Symp...nadaActiveX.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...177/mcfscan.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINDOWS\system32\PGPsdkServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6059 bytes
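Three checks a helper usually runs by eye over logs like the two above, written out as code. This is an added example for this thread, not code from ComboFix, HijackThis or BleepingComputer; the sample lines are copied from the logs posted above, while the 14-day window, the reading of an empty "[]" after a driver path as "file not found", and the function names are assumptions made for illustration.

```python
"""Triage helpers for the ComboFix and HijackThis output posted above.

Added example for this thread, not code from ComboFix, HijackThis or
BleepingComputer. The SAMPLE_* lists are constructed from the logs above; the
14-day window and treating an empty "[]" as "file not found" are assumptions.
"""
import re
from datetime import datetime, timedelta

# ComboFix snapshot line: "+ <date> <time> <size> <attrs> <path>"
SNAP_RE = re.compile(
    r"^\+\s+(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.*)$")
# ComboFix service/driver line: "<state> <name>;<description>;<path> [<stamp>]"
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[(.*)\]$")
# HijackThis Run-key entry: "O4 - HKLM\..\Run: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")

# "Completion time" printed at the end of the ComboFix log above
LOG_COMPLETION = datetime(2007, 12, 23, 8, 9, 37)

SAMPLE_SNAPSHOT = [  # constructed from the file listing above
    r"+ 2004-08-04 04:56:58 358,912 ----a-w C:\WINDOWS\system32\wbem\wmic.exe",
    r"+ 2007-11-14 21:04:44 370,208 ----a-w C:\WINDOWS\system32\ZoneLabs\av.dll",
    r"+ 2007-12-23 12:52:59 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_690.dat",
]
SAMPLE_SERVICES = [  # constructed from the driver section above
    r"R0 stwlfbus;stwlfbus;C:\WINDOWS\system32\DRIVERS\stwlfbus.sys [2003-04-27 11:39]",
    r"S0 mpegport;mpegport;C:\WINDOWS\system32\DRIVERS\mpegport.sys []",
    r"S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ALIEHCI.sys []",
]
SAMPLE_O4 = [  # constructed from the HijackThis O4 section above
    r"O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent",
    r'O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
]


def parse_snapshot(lines):
    """Return one dict per snapshot line; anything else in the log is skipped."""
    entries = []
    for line in lines:
        m = SNAP_RE.match(line.strip())
        if m:
            day, clock, size, attrs, path = m.groups()
            entries.append({
                "when": datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"),
                "size": int(size.replace(",", "")),
                "attrs": attrs,
                "path": path,
            })
    return entries


def recent_additions(lines, reference, days=14):
    """Paths stamped within `days` before `reference` (no upper bound, since
    ComboFix stamps can run ahead of the local clock, as the temp file above does).
    This is the usual first cut when tying an infection date to new files."""
    cutoff = reference - timedelta(days=days)
    return [e["path"] for e in parse_snapshot(lines) if e["when"] >= cutoff]


def services_without_file(lines):
    """Driver/service names whose bracketed stamp is empty, assumed here to mean
    the file was not found. Usually an orphaned registration from an uninstall,
    but a driver with no file behind it is worth a second look."""
    return [m.group(2) for m in (SVC_RE.match(l.strip()) for l in lines)
            if m and m.group(5).strip() == ""]


def _first_token(command):
    """Executable part of a Run-key command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0]


def run_values_without_path(lines):
    """Run-key values whose executable is a bare name rather than a full path.
    Windows resolves these through its search order, so confirm that the file
    actually started (ComboFix resolved CTHELPER.EXE to the Windows directory
    above) is the one the vendor installed."""
    flagged = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, name, command = m.groups()
        exe = _first_token(command)
        if "\\" not in exe and ":" not in exe:
            flagged.append((hive, name, exe))
    return flagged


if __name__ == "__main__":
    print("recent:", recent_additions(SAMPLE_SNAPSHOT, LOG_COMPLETION))
    print("no file:", services_without_file(SAMPLE_SERVICES))
    print("bare name:", run_values_without_path(SAMPLE_O4))
```

Feed it the whole ComboFix log and the whole HijackThis log rather than the samples and the three lists become the starting point for the reply a helper writes: files new since the infection date, drivers registered with nothing behind them, and autostarts that depend on the search path. None of the hits is a verdict on its own; in this thread all three of the flagged entries resolve to legitimate vendor files.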

#15 SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:57 AM

Posted 23 December 2007 - 03:11 PM

Hi KC750,

Your log looks clean! :blink: Good job on the cleanup! :thumbsup:

Uninstall ComboFix: go to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.



