Removal Of Vundo Help, Please!


  • This topic is locked
28 replies to this topic

#1 cedarpointfan

cedarpointfan

  • Members
  • 20 posts

Posted 23 December 2007 - 01:12 AM

Hello!

I would like some help removing the Vundo trojan from my computer, please! I believe I've had problems with this before, but it has come back. The signs were the typical cycling explorer.exe, and the positives I received from VundoFix.

I have already run the latest version of VundoFix, but I don't believe it removed everything.

Anyway, my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:56 AM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\System32\FtrakSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ups.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPService.exe
C:\PROGRA~1\Yahoo!\PARENT~1\YPCSER~1.EXE
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Microsoft Windows Feedback Panel\WFPUser.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft Windows Feedback Panel\wfpasieve.exe
C:\Program Files\Microsoft Windows Feedback Panel\wfpcore.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Owner\My Documents\VundoFix.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\WINNT\system32\mljjh.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Session MG] c:\windows\wkssvr.exe
O4 - HKLM\..\Run: [MSN] wkssvr.exe
O4 - HKLM\..\RunServices: [Session MG] c:\windows\wkssvr.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [MCW Startup] "C:\Program Files\Monitor Calibration Wizard\MCW .exe" /s
O4 - HKCU\..\Run: [Visual Subst] "C:\Documents and Settings\Owner\My Documents\ABS!\Pm_Logger_Script_v1.1_By_Fakhruddin\VSubst_1.0.5-bin\VSubst.exe" /startup
O4 - HKCU\..\Policies\Explorer\Run: [{38021156-09E5-1033-0401-030812040001}] "C:\Program Files\Common Files\{38021156-09E5-1033-0401-030812040001}\Update.exe" mc-110-12-0000272
O4 - HKCU\..\Policies\Explorer\Run: [NTSecurity] NTSecurity.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: WFPUser.lnk = C:\Program Files\Microsoft Windows Feedback Panel\wfpuser.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Ad Hunter - C:\Program Files\Maxthon\config/blacklist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: New Task - res://C:\Program Files\Picture Ace\PictureAce.exe/373
O8 - Extra context menu item: Process Links - res://C:\Program Files\Picture Ace\PictureAce.exe/372
O8 - Extra context menu item: Save Image &Z - res://C:\Program Files\Picture Ace\PictureAce.exe/374
O8 - Extra context menu item: Save Image && Back &X - res://C:\Program Files\Picture Ace\PictureAce.exe/377
O8 - Extra context menu item: Save Image && Close &W - res://C:\Program Files\Picture Ace\PictureAce.exe/378
O8 - Extra context menu item: Save Images - res://C:\Program Files\Picture Ace\PictureAce.exe/375
O8 - Extra context menu item: Save Large Image &Q - res://C:\Program Files\Picture Ace\PictureAce.exe/376
O8 - Extra context menu item: Save Large Images - res://C:\Program Files\Picture Ace\PictureAce.exe/371
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Fleet - http://download2.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.186.207.89/activex/AxisCamControl.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static...h/weblaunch.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab55668.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/apop/default/popcaploader_v5.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/w...en/AMClient.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/acti...loadControl.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\WINNT\System32\FtrakSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\PROGRA~1\Yahoo!\PARENT~1\YPCSER~1.EXE

--
End of file - 18616 bytes
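The HijackThis log above is a line-oriented format (R0/R1 browser settings, F3 win.ini entries, O4 autostarts, O23 services, and so on). The helper below is an added example for reading such a log the way a forum helper does: it is not part of the original post and not code from HijackThis, SDFix or BleepingComputer. It parses the entries, infers the Windows directory from the "Running processes" block, and attaches a review reason to entries that match a few assumed heuristics (a win.ini load= autostart, a Policies\Explorer\Run or RunServices key, an autostart with no path, or a path under a Windows directory other than the one the system actually runs from). The sample log is a constructed subset of the lines posted above; the heuristic names and thresholds are this example's own.

```python
"""
Triage helper for HijackThis-style log entries.

Added example: not part of the original post and not code from HijackThis,
SDFix or BleepingComputer. The heuristics are this example's assumptions;
a reason is a prompt to check the file's location and publisher, not a
malware verdict.
"""
import re
from dataclasses import dataclass, field

# "<code> - <body>", e.g. "O4 - HKLM\..\Run: [Name] command"
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+)\s+-\s+(?P<body>.*)$")
# Registry-backed O4 bodies: "<hive\..\key>: [<name>] <command>"
O4_RE = re.compile(r"^(?P<key>[^:]+):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# A path that starts with a drive letter followed by a Windows directory name
WINDIR_RE = re.compile(r"^([a-z]:\\(?:windows|winnt))\\")
# The smss.exe process path reveals the real system root
SMSS_RE = re.compile(r"^([a-z]:\\[^\\]+)\\system32\\smss\.exe$", re.I)


@dataclass
class Entry:
    code: str
    body: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def windows_dir_from_processes(lines):
    """Infer the system root (e.g. c:\\winnt) from the smss.exe process path."""
    for raw in lines:
        m = SMSS_RE.match(raw.strip())
        if m:
            return m.group(1).lower()
    return None


def command_image(cmd):
    """Return the executable part of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path, possibly containing spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(lines):
    """Parse the log and attach review reasons (assumed heuristics) to each entry."""
    sysroot = windows_dir_from_processes(lines)
    entries = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        e = Entry(m.group("code"), m.group("body"))
        low = e.body.lower()
        if e.code == "F3" and "win.ini" in low and "load=" in low:
            e.reasons.append("legacy win.ini load= autostart")
        if e.code == "O4":
            o4 = O4_RE.match(e.body)
            if o4:
                key = o4.group("key").lower()
                image = command_image(o4.group("cmd"))
                if "policies\\explorer\\run" in key:
                    e.reasons.append("autostart via Policies\\Explorer\\Run")
                if "runservices" in key:
                    e.reasons.append("RunServices key (Win9x-era, unusual on XP)")
                if image and "\\" not in image:
                    e.reasons.append("bare executable name resolved via search path")
                wd = WINDIR_RE.match(image.lower())
                if wd and sysroot and wd.group(1) != sysroot:
                    e.reasons.append(f"points at {wd.group(1)} but system root is {sysroot}")
        entries.append(e)
    return entries


# Constructed sample: a subset of the lines from the posted log.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe

F3 - REG:win.ini: load=C:\WINNT\system32\mljjh.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Session MG] c:\windows\wkssvr.exe
O4 - HKLM\..\RunServices: [Session MG] c:\windows\wkssvr.exe
O4 - HKCU\..\Policies\Explorer\Run: [NTSecurity] NTSecurity.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
""".strip().splitlines()

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        if entry.suspicious:
            print(f"{entry.code}: {entry.body}\n    -> {'; '.join(entry.reasons)}")
```

The bare-name check is deliberately noisy: it also fires on the legitimate NvCplDaemon entry, because `RUNDLL32.EXE` is given without a path. That is the intended reading of every reason here: the entry deserves a look at where the file lives and who signed it, while the final call still belongs to the person reviewing the log.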

#2 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 23 December 2007 - 04:29 AM

Hello cedarpointfan and welcome to BC :thumbsup:

My name is SNOWHITE and I will be helping you with your Malware problem.

You have some very nasty infections there. One or more of the identified infections is a backdoor trojan, read here for more info --> Win32/Pushbot.S. This gives hackers full access to everything stored on the computer!

I recommend these actions:

1) use a known secure computer to change all of your online passwords
2) contact your bank and credit card company for possible unauthorized transactions

More info can be found here:


How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?


Some further reading:

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

If you choose to format and reinstall see this link for instructions:
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

If you decide not to reformat, follow these steps:

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER



Please follow the steps below exactly in the order they are written:

Step #1

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with the tools we are going to use, or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Step #2

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Step #3

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note:
Combofix should never take more than 20 minutes including the reboot if malware is detected.

If it does, open task-manager > use the processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened we want to know, and also what process you had to end.
In your next post please include the following reports:
  • SDFix report
  • ComboFix report
  • New HijackThis log (run after ComboFix has finished its work.)
Let me know how things go.

Regards,
SNOWHITE

#3 cedarpointfan

cedarpointfan
  • Topic Starter

  • Members
  • 20 posts

Posted 23 December 2007 - 11:47 AM

Hello, and thank you for your response! It is greatly appreciated.

I began the removal process with the steps you outlined, but did not get through them all. I ran SDFix in safe mode, and everything went well. The process took about 15 minutes. After, it asked me to restart like normal. I restarted, entered my account, but SDFix did not run again, nor did it generate a report to my clipboard.

Could you please advise further action?

Thank you!

Edit: I have an additional question. Say in the end, we successfully remove all of the junk that's been identified here. Would it be safe, at that point, to back up my multimedia (pictures, music, videos) and important programs to an external hard drive? I could then reformat XP and upgrade to Vista Business.

Edited by cedarpointfan, 23 December 2007 - 12:51 PM.


#4 cedarpointfan

cedarpointfan
  • Topic Starter

  • Members
  • 20 posts

Posted 23 December 2007 - 05:09 PM

Hello again.

I decided to try and run SDFix again. I followed your directions, but instead booted into safe mode after the restart. The safe mode did not solve the problem, so I booted back into regular mode. SDFix ran its final processes, much to my surprise. The report and subsequent HijackThis report are below. I will now run ComboFix, generate a new HijackThis report, and post again with my results.

SDFix: Version 1.119

Run by Owner on Sun 12/23/2007 at 03:58 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\DOCUME~1\Owner\LOCALS~1\Temp\removalfile.bat - Deleted
C:\WINNT\images.zip - Deleted
C:\WINNT\system32\msnav32.ax - Deleted
C:\WINNT\system32\NTSpool.exe - Deleted
C:\WINNT\system32\zxdnt3d.cfg - Deleted
C:\WINNT\Uninst2.htm - Deleted
C:\WINNT\Unist1.htm - Deleted



Folder C:\Program Files\Network Monitor - Removed

Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 16:34:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\x90\x2022\x20ac|\xff\xff\xff\xff"\x2022\x20ac|\xf9\x2022\xd4w\2]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\Software\Adobe\FeatureSubscriptions\DVAAdobeDocMeta\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\Registered"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\xd8\x2022\x20ac|\xff\xff\xff\xff\22\x2022\x20ac|\xf9\x2022\xd4w\2]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 43


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINNT\\system32\\sessmgr.exe"="C:\\WINNT\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"="C:\\Program Files\\SmartFTP\\SmartFTP.exe:*:Enabled:SmartFTP"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1158028753\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1158028753\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1158028753\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1158028753\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Ruckus Player\\Ruckus.exe"="C:\\Program Files\\Ruckus Player\\Ruckus.exe:*:Enabled:Ruckus"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"="C:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe:*:Enabled:Star Wars®: Empire at War™: Forces of Corruption™"
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"="C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe:*:Enabled:Petroglyph"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe:*:Enabled:World in Conflict"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe:*:Enabled:World in Conflict - Online Only"
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe:*:Enabled:World in Conflict - Dedicated Server"
"C:\\WINNT\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINNT\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\Xfire\\Xfire.exe"="C:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 3 Jan 2006 14 A..H. --- "C:\klttd323.dll"
Fri 13 May 2005 217,073 A.SHR --- "C:\WINNT\meta4.exe"
--- 4,263 ..SH. --- "C:\WINNT\windllreg1c.sys"
Sun 2 Sep 2007 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Thu 14 Jul 2005 27,648 A.SHR --- "C:\WINNT\system32\AVSredirect.dll"
Sun 26 Jun 2005 616,448 A.SHR --- "C:\WINNT\system32\cygwin1.dll"
Tue 21 Jun 2005 45,568 A.SHR --- "C:\WINNT\system32\cygz.dll"
Wed 3 May 2006 163,328 ..SHR --- "C:\WINNT\system32\flvDX.dll"
Sat 24 Jan 2004 70,656 A.SHR --- "C:\WINNT\system32\i420vfw.dll"
Wed 21 Feb 2007 31,232 ..SHR --- "C:\WINNT\system32\msfDX.dll"
Sat 4 Nov 2006 122,880 A..H. --- "C:\WINNT\system32\NTSecurity.exe"
Mon 28 Feb 2005 240,128 A.SHR --- "C:\WINNT\system32\x.264.exe"
Sat 24 Jan 2004 70,656 A.SHR --- "C:\WINNT\system32\yv12vfw.dll"
Wed 7 Jan 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 20 Apr 2004 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Mon 17 Nov 2003 25,088 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0272.tmp"
Wed 3 Jan 2007 26,112 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL1992.tmp"
Sun 31 Oct 2004 26,112 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2367.tmp"
Wed 3 Nov 2004 24,064 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3593.tmp"
Sun 26 Jun 2005 616,448 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygwin1.dll"
Tue 21 Jun 2005 45,568 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygz.dll"
Fri 7 Sep 2007 72,704 ..SHR --- "C:\Program Files\eRightSoft\SUPER\Setup.exe"
Fri 11 May 2007 5,375,800 A..H. --- "C:\System Volume Information\_restore{42244806-9664-4B67-AD20-BEC24E890EC9}\RP1492\A0705304.exe"
Mon 17 Dec 2007 189,952 A.SHR --- "C:\System Volume Information\_restore{42244806-9664-4B67-AD20-BEC24E890EC9}\RP1500\A0706683.exe"
Mon 17 Dec 2007 189,952 A.SHR --- "C:\System Volume Information\_restore{42244806-9664-4B67-AD20-BEC24E890EC9}\RP1503\A0707149.exe"
Wed 21 Nov 2007 253,226 ...H. --- "C:\Documents and Settings\Owner\My Documents\ABS!\~WRL1694.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Sun 17 Aug 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Sun 27 Apr 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg_old.reg"
Sun 27 Apr 2003 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient_old.reg"
Sun 17 Aug 2003 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Tue 4 Jun 2002 84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll"
Tue 4 Jun 2002 44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll"
Mon 9 Dec 2002 73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll"
Mon 9 Dec 2002 65,575 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll"
Sun 9 Jun 2002 36,864 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll"
Tue 4 Jun 2002 20,480 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll"
Mon 9 Dec 2002 102,437 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll"
Mon 9 Dec 2002 176,165 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll"
Mon 9 Dec 2002 208,935 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll"
Mon 9 Dec 2002 217,127 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll"
Sun 9 Jun 2002 40,448 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll"
Sat 3 Nov 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll"
Tue 10 Apr 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll"
Fri 20 Feb 2004 232,960 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll"
Sun 9 Jun 2002 525,824 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll"
Mon 9 Dec 2002 245,805 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll"
Mon 9 Dec 2002 45,093 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll"
Mon 9 Dec 2002 98,341 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll"
Mon 9 Dec 2002 94,247 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll"
Mon 9 Dec 2002 90,151 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll"
Mon 9 Dec 2002 102,439 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll"
Sun 9 Jun 2002 49,152 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll"
Mon 17 Nov 2003 25,088 A..H. --- "C:\Program Files\Maxis\The Sims\My Documents\~WRL0272.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT6.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\1b1d1f51d0e58bc71f561e192422d811\BIT4.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT8.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\3a301a52ece728474b32be567323ab13\BIT2.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\84c17490c3b6e34e2e56da73bd94d728\BIT3.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BIT1.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT7.tmp"
Wed 19 Sep 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\cc642f40169f98e3642fab98abc47d75\BIT6.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BIT9.tmp"
Mon 13 Mar 2006 104,960 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0005.tmp"
Tue 24 Feb 2004 64,512 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3542.tmp"
Fri 26 Mar 2004 66,048 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3947.tmp"
Sun 23 Dec 2007 1,745 ...HR --- "C:\Documents and Settings\Owner\Application Data\SecuROM\UserData\securom_v7_01.bak"
Fri 16 Mar 2007 1,298,432 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Pictures\Atlanta Summer 2007\SIV323.tmp"
Fri 16 Mar 2007 1,298,432 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Pictures\TEMPPP\SIV323.tmp"
Tue 8 Oct 2002 106,496 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"
Mon 19 Nov 2007 23,040 ...H. --- "C:\Documents and Settings\Owner\My Documents\Senior Year\AP History\DBQ's\~WRL0536.tmp"
Mon 19 Nov 2007 22,528 ...H. --- "C:\Documents and Settings\Owner\My Documents\Senior Year\AP History\DBQ's\~WRL2203.tmp"
Mon 19 Nov 2007 22,016 ...H. --- "C:\Documents and Settings\Owner\My Documents\Senior Year\AP History\DBQ's\~WRL2396.tmp"
Mon 19 Nov 2007 20,992 ...H. --- "C:\Documents and Settings\Owner\My Documents\Senior Year\AP History\DBQ's\~WRL2741.tmp"

Finished!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:06:22 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\System32\FtrakSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ups.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPService.exe
C:\PROGRA~1\Yahoo!\PARENT~1\YPCSER~1.EXE
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPUser.exe
C:\Program Files\Microsoft Windows Feedback Panel\wfpasieve.exe
C:\Program Files\Microsoft Windows Feedback Panel\wfpcore.exe
C:\WINNT\System32\notepad.exe
C:\Program Files\Mozilla Firefox 3 Beta 1\firefox.exe
C:\Documents and Settings\Owner\My Documents\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Session MG] c:\windows\wkssvr.exe
O4 - HKLM\..\RunServices: [Session MG] c:\windows\wkssvr.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [MCW Startup] "C:\Program Files\Monitor Calibration Wizard\MCW .exe" /s
O4 - HKCU\..\Run: [Visual Subst] "C:\Documents and Settings\Owner\My Documents\ABS!\Pm_Logger_Script_v1.1_By_Fakhruddin\VSubst_1.0.5-bin\VSubst.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: WFPUser.lnk = C:\Program Files\Microsoft Windows Feedback Panel\wfpuser.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Ad Hunter - C:\Program Files\Maxthon\config/blacklist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: New Task - res://C:\Program Files\Picture Ace\PictureAce.exe/373
O8 - Extra context menu item: Process Links - res://C:\Program Files\Picture Ace\PictureAce.exe/372
O8 - Extra context menu item: Save Image &Z - res://C:\Program Files\Picture Ace\PictureAce.exe/374
O8 - Extra context menu item: Save Image && Back &X - res://C:\Program Files\Picture Ace\PictureAce.exe/377
O8 - Extra context menu item: Save Image && Close &W - res://C:\Program Files\Picture Ace\PictureAce.exe/378
O8 - Extra context menu item: Save Images - res://C:\Program Files\Picture Ace\PictureAce.exe/375
O8 - Extra context menu item: Save Large Image &Q - res://C:\Program Files\Picture Ace\PictureAce.exe/376
O8 - Extra context menu item: Save Large Images - res://C:\Program Files\Picture Ace\PictureAce.exe/371
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Fleet - http://download2.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.186.207.89/activex/AxisCamControl.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static...h/weblaunch.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab55668.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/apop/default/popcaploader_v5.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/w...en/AMClient.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/acti...loadControl.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\WINNT\System32\FtrakSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\PROGRA~1\Yahoo!\PARENT~1\YPCSER~1.EXE

--
End of file - 17545 bytes
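Added example for readers of this thread; it is not part of the posts above and not a BleepingComputer, HijackThis, SDFix or ComboFix tool. It is a small Python triage script that applies a few review rules to log lines of the kind posted in this thread: an O4 autorun whose path sits under a Windows directory different from the one the running smss.exe is loaded from (the log above shows processes under C:\WINNT and an autorun under c:\windows), any O4 entry under RunServices, O10 "Unknown file in Winsock LSP", O23 services with "Unknown owner", and SDFix hidden files that also carry the System attribute under the Windows directory or hidden executables sitting directly in the drive root. The rules are assumptions chosen for illustration, the sample lines are constructed copies of a handful of entries from the logs above, and a hit only marks a line for a helper to look at: legitimate software (codec packs, for instance) also sets S+H+R on files in system32.

```python
# Hypothetical triage helper for this thread: not a BleepingComputer, HijackThis,
# SDFix or ComboFix tool. Each rule is an assumption; a hit means "review", not "malware".
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (reason, log line or path that triggered it)

# Directory the running smss.exe is loaded from, e.g. C:\WINNT on the machine above.
_SMSS = re.compile(r"^([a-z]:\\[^\\]+)\\.*\\smss\.exe$", re.I)
# O4 autorun lines, e.g. "O4 - HKLM\..\RunServices: [Session MG] c:\windows\wkssvr.exe"
_O4 = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): "
                 r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_ABSPATH = re.compile(r'([a-z]:\\[^"]+?\.(?:exe|dll|scr|com|bat|cmd))', re.I)
_WINDIR = re.compile(r"^([a-z]:\\(?:windows|winnt))\\", re.I)
# SDFix "Files with Hidden Attributes" lines; the date field is sometimes just "---".
_SDFIX = re.compile(r'^(?P<date>[A-Za-z]{3} \d{1,2} [A-Za-z]{3} \d{4}|---)\s+'
                    r'(?P<size>[\d,]+)\s+(?P<attrs>[A-Z.]{5})\s+---\s+"(?P<path>[^"]+)"$')

# Constructed samples modelled on a few entries visible in the thread (not the full logs).
SAMPLE_HJT = r"""
Running processes:
C:\WINNT\System32\smss.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Session MG] c:\windows\wkssvr.exe
O4 - HKLM\..\RunServices: [Session MG] c:\windows\wkssvr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""
SAMPLE_SDFIX = r"""
Files with Hidden Attributes:

Tue 3 Jan 2006 14 A..H. --- "C:\klttd323.dll"
--- 4,263 ..SH. --- "C:\WINNT\windllreg1c.sys"
Wed 3 May 2006 163,328 ..SHR --- "C:\WINNT\system32\flvDX.dll"
Sun 2 Sep 2007 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
"""


def live_windows_root(hjt_text: str) -> Optional[str]:
    """Windows directory of the booted OS, lower-cased, taken from smss.exe's path."""
    for line in hjt_text.splitlines():
        m = _SMSS.match(line.strip())
        if m:
            return m.group(1).lower()
    return None


def triage_hijackthis(hjt_text: str) -> List[Finding]:
    """Apply the O4/O10/O23 review rules to a HijackThis log."""
    root = live_windows_root(hjt_text)
    findings: List[Finding] = []
    for line in hjt_text.splitlines():
        line = line.strip()
        m = _O4.match(line)
        if m:
            if m.group("key").lower() == "runservices":  # Win9x-era key, odd on XP
                findings.append(("o4_runservices_key", line))
            p = _ABSPATH.search(m.group("cmd"))
            w = _WINDIR.match(p.group(1)) if p else None
            # Autorun under c:\windows while the OS runs from c:\winnt (or vice versa).
            if root and w and w.group(1).lower() != root:
                findings.append(("o4_windows_dir_mismatch", line))
        elif line.startswith("O10 - Unknown file in Winsock LSP:"):
            findings.append(("o10_unknown_lsp", line))
        elif line.startswith("O23 - Service:") and " - Unknown owner - " in line:
            findings.append(("o23_unknown_owner", line))
    return findings


def triage_sdfix_hidden(sdfix_text: str, windows_root: str) -> List[Finding]:
    """Flag System+Hidden files under the Windows directory and hidden executables
    sitting directly in the drive root; attrs is SDFix's five-column A.SHR field."""
    root = windows_root.lower().rstrip("\\") + "\\"
    findings: List[Finding] = []
    for line in sdfix_text.splitlines():
        m = _SDFIX.match(line.strip())
        if not m:
            continue
        attrs, path = m.group("attrs"), m.group("path")
        lower = path.lower()
        at_drive_root = re.fullmatch(r"[a-z]:\\[^\\]+", lower) is not None
        executable = lower.endswith((".exe", ".dll", ".sys", ".scr"))
        if "S" in attrs and "H" in attrs and lower.startswith(root):
            findings.append(("system_hidden_under_windows_root", path))
        elif "H" in attrs and at_drive_root and executable:
            findings.append(("hidden_executable_at_drive_root", path))
    return findings


if __name__ == "__main__":
    root = live_windows_root(SAMPLE_HJT) or "c:\\windows"  # fallback is an assumption
    for reason, item in triage_hijackthis(SAMPLE_HJT) + triage_sdfix_hidden(SAMPLE_SDFIX, root):
        print(f"{reason:34} {item}")
```

Run as a script it prints the hits for the embedded samples; to use it on a real thread, paste the full HijackThis log and the SDFix "Files with Hidden Attributes" section into the two sample strings. The Windows-directory rule is the one worth copying: it reads the root from the process list rather than assuming C:\WINDOWS, so it works on installs that use C:\WINNT like the one in this thread.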



#5 cedarpointfan (Topic Starter)

Posted 23 December 2007 - 05:42 PM

Hello again!

I have successfully run ComboFix as per your instructions. Nothing out of the ordinary happened, and it completed its task within 10 minutes. Below is the log it generated, and the updated HijackThis report. At this time, I have successfully completed each step you have outlined, and will now wait for further instruction. I would also like to note that the explorer.exe woes are still occurring.

Thank you!!

ComboFix 07-12-21.4 - Owner 2007-12-23 17:19:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.882 [GMT -5:00]
Running from: C:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Owner\Application Data\searchtoolbarcorp
C:\Program Files\Common Files\{38021~1
C:\WINNT\system32\components
C:\WINNT\system32\hjjlm.ini
C:\WINNT\system32\hjjlm.ini2
C:\WINNT\system32\mljjh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NPF


((((((((((((((((((((((((( Files Created from 2007-11-23 to 2007-12-23 )))))))))))))))))))))))))))))))
.

2007-12-23 17:14 . 2007-12-23 17:16 1,478,778 --a------ C:\ComboFix.exe
2007-12-23 11:08 . 2007-12-23 11:08 <DIR> d-------- C:\WINNT\ERUNT
2007-12-23 11:02 . 2007-12-23 11:02 1,215,777 --a------ C:\SDFix.exe
2007-12-23 00:39 . 2007-12-23 16:30 337,920 --a------ C:\WINNT\system32\mljjh.exe
2007-12-22 23:15 . 2007-12-22 23:19 <DIR> d-------- C:\Program Files\ExplorerXP
2007-12-22 22:51 . 2003-04-14 15:02 <DIR> d-------- C:\Documents and Settings\Nick2\Application Data\Symantec
2007-12-22 22:51 . 2003-04-14 14:57 <DIR> d-------- C:\Documents and Settings\Nick2\Application Data\InterTrust
2007-12-22 12:44 . 2001-08-17 12:19 747,392 --a------ C:\WINNT\system32\dllcache\adm8830.sys
2007-12-22 12:43 . 2001-08-17 13:28 762,780 --a------ C:\WINNT\system32\dllcache\3cwmcru.sys
2007-12-22 12:43 . 2001-08-17 14:55 689,216 --a------ C:\WINNT\system32\dllcache\3dfxvs.dll
2007-12-22 12:43 . 2001-08-17 22:36 462,848 --a------ C:\WINNT\system32\dllcache\a3dapi.dll
2007-12-22 12:43 . 2002-08-28 23:00 231,552 --a------ C:\WINNT\system32\dllcache\ac97ali.sys
2007-12-22 12:43 . 2001-08-17 12:48 148,352 --a------ C:\WINNT\system32\dllcache\3dfxvsm.sys
2007-12-22 12:43 . 2004-08-04 02:10 48,128 --a------ C:\WINNT\system32\dllcache\61883.sys
2007-12-22 12:43 . 2001-08-17 14:55 38,400 --a------ C:\WINNT\system32\dllcache\8514a.dll
2007-12-22 12:43 . 2001-08-17 13:52 23,552 --a------ C:\WINNT\system32\dllcache\abp480n5.sys
2007-12-22 12:43 . 2004-08-04 02:00 12,288 --a------ C:\WINNT\system32\dllcache\4mmdat.sys
2007-12-22 12:43 . 2001-08-17 14:06 11,264 --a------ C:\WINNT\system32\dllcache\1394vdbg.sys
2007-12-18 21:49 . 2007-12-18 21:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Thunderbird
2007-12-18 21:48 . 2007-12-18 21:50 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-12-16 23:42 . 2007-12-16 23:43 3,831,100 --a------ C:\Chevelle - It's No Good.mp3
2007-12-15 15:20 . 2007-12-15 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-15 10:05 . 2007-12-15 10:05 118 --a------ C:\WINNT\system32\MRT.INI
2007-12-11 15:43 . 2007-12-11 15:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\DivX
2007-12-11 15:29 . 2007-12-11 15:45 <DIR> d-------- C:\Program Files\Microsoft Windows Feedback Panel
2007-12-11 15:29 . 2007-12-11 15:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WFP
2007-12-10 16:56 . 2007-12-10 16:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DivX
2007-12-09 14:13 . 2007-12-09 14:13 <DIR> d-------- C:\WINNT\system32\FLIQLO dir
2007-12-09 14:13 . 2007-12-09 14:13 532,480 --a------ C:\WINNT\system32\FLIQLO.scr
2007-12-08 21:44 . 2007-12-08 21:44 <DIR> d-------- C:\HP
2007-12-05 20:25 . 2007-12-05 20:25 <DIR> d-------- C:\Program Files\Crayon Room
2007-12-04 19:24 . 2007-12-04 19:24 <DIR> d-------- C:\Program Files\CoolMon 2
2007-12-04 13:38 . 2007-12-04 13:38 3,596,288 --a------ C:\WINNT\system32\qt-dx331.dll
2007-12-04 13:38 . 2007-12-04 13:38 1,044,480 --a------ C:\WINNT\system32\libdivx.dll
2007-12-04 13:38 . 2007-12-04 13:38 524,288 --a------ C:\WINNT\system32\DivXsm.exe
2007-12-04 13:38 . 2007-12-04 13:38 200,704 --a------ C:\WINNT\system32\ssldivx.dll
2007-12-04 13:38 . 2007-12-04 13:38 4,816 --a------ C:\WINNT\system32\divxsm.tlb
2007-12-04 13:35 . 2007-12-04 13:35 156,992 --a------ C:\WINNT\system32\DivXCodecVersionChecker.exe
2007-12-04 13:35 . 2007-12-04 13:35 12,288 --a------ C:\WINNT\system32\DivXWMPExtType.dll
2007-12-01 17:33 . 2007-12-01 17:33 <DIR> d-------- C:\Program Files\Sierra Entertainment
2007-12-01 17:17 . 2007-12-01 17:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2007-11-27 18:06 . 2007-11-27 18:07 <DIR> d-------- C:\Program Files\Virtual Earth 3D
2007-11-27 15:50 . 2007-11-27 15:50 <DIR> d-------- C:\Program Files\Common Files\Viewpoint
2007-11-26 23:35 . 2007-11-26 23:35 <DIR> d-------- C:\Program Files\Musicnotes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 22:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2007-12-23 22:15 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 1
2007-12-23 21:30 --------- d-----w C:\Program Files\QuickTime
2007-12-23 21:30 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-23 20:55 --------- d-----w C:\Program Files\Monitor Calibration Wizard
2007-12-23 16:07 --------- d-----w C:\Program Files\iTunes
2007-12-23 06:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-23 04:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\Xfire
2007-12-23 04:05 1,033,216 ----a-w C:\WINNT\explorer.exe
2007-12-20 00:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ruckus Network
2007-12-19 21:46 --------- d-s---w C:\Program Files\Xfire
2007-12-16 17:29 --------- d-----w C:\Program Files\Last.fm
2007-12-14 12:13 --------- d-----w C:\Program Files\Picasa2
2007-12-11 01:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2007-12-10 21:55 --------- d-----w C:\Program Files\DivX
2007-12-04 14:56 93,264 ----a-w C:\WINNT\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINNT\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINNT\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINNT\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINNT\system32\drivers\aavmker4.sys
2007-12-01 22:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-01 22:32 --------- d-----w C:\Program Files\StarWarsGalaxies
2007-11-29 02:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2007-11-27 20:50 --------- d-----w C:\Program Files\Viewpoint
2007-11-27 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-27 04:35 1,409 ----a-w C:\WINNT\Fonts\HELST___.FOT
2007-11-27 04:35 1,409 ----a-w C:\WINNT\Fonts\HELSS___.FOT
2007-11-27 04:35 1,409 ----a-w C:\WINNT\Fonts\HELSM___.FOT
2007-11-27 04:35 1,409 ----a-w C:\WINNT\Fonts\HELSINKI.FOT
2007-11-24 21:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-22 01:53 --------- d-----w C:\Program Files\Ruckus Player
2007-11-22 01:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\KeePass
2007-11-18 20:03 --------- d-----w C:\Program Files\Kramware
2007-11-18 20:01 --------- d-----w C:\Program Files\BellCommander
2007-11-18 04:20 --------- d-----w C:\Program Files\KeePass Password Safe
2007-11-16 11:53 181,880 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-11-16 04:20 --------- d-----w C:\Documents and Settings\Owner\Application Data\PCF-VLC
2007-11-14 18:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\Participatory Culture Foundation
2007-11-14 18:36 --------- d-----w C:\Program Files\Participatory Culture Foundation
2007-11-14 01:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2007-11-13 10:25 20,480 ----a-w C:\WINNT\system32\drivers\secdrv.sys
2007-11-08 01:14 --------- d-----w C:\Program Files\Winamp
2007-11-06 05:43 --------- d-----w C:\Program Files\iPod
2007-11-05 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-11-05 04:06 --------- d-----w C:\Program Files\FOX Video Studio
2007-11-05 04:04 --------- d-----w C:\Program Files\WinMX
2007-11-05 04:03 --------- d-----w C:\Program Files\VoiceMX
2007-11-05 04:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\SmartFTP
2007-11-05 04:01 --------- d-----w C:\Program Files\SmartFTP
2007-11-04 23:46 --------- d-----w C:\Program Files\Kodak
2007-11-04 23:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\TuneUp Software
2007-11-04 23:40 --------- d-----w C:\Program Files\VstPlugins
2007-11-04 23:40 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-04 15:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\Hamachi
2007-11-03 14:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-02 20:08 --------- d-----w C:\Program Files\SmartFTP Client 2.0
2007-11-02 18:47 --------- d-----w C:\Program Files\Microsoft Works
2007-11-02 18:47 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-11-02 18:46 --------- d-----w C:\Program Files\Microsoft Expression
2007-10-30 22:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-30 21:11 --------- d-----w C:\Program Files\AIM6
2007-09-24 03:40 6,106,570 ----a-w C:\IPB2.3.1.zip
2007-01-06 02:25 76 ---ha-w C:\Program Files\Desktop.ini
2006-04-22 19:56 235 ----a-w C:\Program Files\add.html
2003-04-18 01:52 164 -c-ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-05-13 21:12 217,073 --sha-r C:\WINNT\meta4.exe
1757-03-16 10:00 4,263 -csh--w C:\WINNT\windllreg1c.sys
2005-07-14 16:31 27,648 --sha-r C:\WINNT\system32\AVSredirect.dll
2005-06-26 19:32 616,448 --sha-r C:\WINNT\system32\cygwin1.dll
2005-06-22 02:37 45,568 --sha-r C:\WINNT\system32\cygz.dll
2006-05-03 09:06 163,328 --sha-r C:\WINNT\system32\flvDX.dll
2004-01-25 04:00 70,656 --sha-r C:\WINNT\system32\i420vfw.dll
2007-02-21 10:47 31,232 --sha-r C:\WINNT\system32\msfDX.dll
2005-02-28 17:16 240,128 --sha-r C:\WINNT\system32\x.264.exe
2004-01-25 04:00 70,656 --sha-r C:\WINNT\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F59A5413-0A86-42C4-968C-5042E8436467}]
2007-12-23 17:30 334336 --a------ C:\WINNT\system32\mljjh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2007-12-23 17:30]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 02:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [2007-12-23 17:30]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" []
"MCW Startup"="C:\Program Files\Monitor Calibration Wizard\MCW .exe" []
"Visual Subst"="C:\Documents and Settings\Owner\My Documents\ABS!\Pm_Logger_Script_v1.1_By_Fakhruddin\VSubst_1.0.5-bin\VSubst.exe" [2007-12-23 17:31]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINNT\system32\rundll32.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 C:\WINNT\system32\CTXFIHLP.EXE]
"CTHelper"="CTHELPER.EXE" [2003-01-27 15:16 C:\WINNT\system32\cthelper.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [2007-12-23 17:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" []
"Session MG"="c:\windows\wkssvr.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Session MG"="c:\windows\wkssvr.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\System32\ctfmon.exe" [2004-08-04 02:56]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-13 17:38]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-08-17 15:48]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMidi"="MIDIDEF.EXE" [2006-08-11 13:42 C:\WINNT\mididef.exe]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-07-24 13:19:25]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-07-06 19:05:48]
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2003-04-14 14:58:44]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-27 00:20:58]
WFPUser.lnk - C:\Program Files\Microsoft Windows Feedback Panel\wfpuser.exe [2006-06-13 16:43:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
"NoToolbarsOnTaskbar"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\Program Files\Common Files\Stardock\mcpstub.dll 2003-08-25 10:25 139264 C:\Program Files\Common Files\Stardock\MCPStub.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINNT\system32\mljjh.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\mljjh

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINNT\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINNT\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
backup=C:\WINNT\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINNT\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINNT\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeScape Media Detector]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 10:50 155648 --a------ C:\WINNT\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YPC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SsAAD.exe"=C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
"MSN Webcam Recorder"="C:\Program Files\MSN Webcam Recorder\ml20gui.exe" -silent
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IMONTRAY"=C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
"tgcmd"=C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Motive SmartBridge"=C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys [2002-11-07 15:07]
R2 SIODRV;SIODRV;C:\WINNT\system32\drivers\SIODRV.SYS [2005-05-02 21:16]
R3 smbusp;Intel® SMBus 2.0 Driver;C:\WINNT\system32\DRIVERS\smb.sys [2002-10-23 09:05]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINNT\system32\drivers\WmBEnum.sys [2003-05-14 12:42]
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINNT\system32\drivers\WmXlCore.sys [2003-05-14 12:42]
S2 Ca533av;USB PC Camera;C:\WINNT\system32\Drivers\Ca533av.sys [2002-08-22 16:19]
S3 hamachi_oem;PlayLinc Adapter;C:\WINNT\system32\DRIVERS\gan_adapter.sys [2006-10-19 10:11]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINNT\system32\Drivers\LCcFltr.Sys [2004-03-03 09:50]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINNT\system32\DRIVERS\motmodem.sys [2006-12-13 16:52]
S3 MuVor;Creative NOMAD MuVo Control Driver;C:\WINNT\system32\Drivers\MuVor.sys [2002-08-15 18:51]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
S3 RivaTuner32;RivaTuner32;C:\Program Files\RivaTuner v2.02\RivaTuner32.sys [2007-07-01 14:20]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINNT\system32\Drivers\StMp3Rec.sys [2003-10-01 11:30]
S3 USBCamera;Bulk USB Device;C:\WINNT\system32\Drivers\Bulk533.sys [2002-07-25 11:19]
S3 WCG200V2XP;Linksys WCG200 ver. 2 Wireless-G Cable Gateway;C:\WINNT\system32\DRIVERS\WCG200V2XP.sys [2004-07-06 03:06]
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINNT\system32\drivers\WmFilter.sys [2003-05-14 12:42]
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINNT\system32\drivers\WmVirHid.sys [2003-05-14 12:42]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-22 12:45:00 C:\WINNT\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-12-21 13:34:02 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-06-01 03:18:11 C:\WINNT\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1050806001.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2003-04-20 03:45:00 C:\WINNT\Tasks\ISP signup reminder 1.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2003-05-02 20:15:00 C:\WINNT\Tasks\ISP signup reminder 3.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2005-11-18 12:08:52 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2007-12-23 21:34:10 C:\WINNT\Tasks\User_Feed_Synchronization-{ECC5DF2A-0811-41C6-8F34-CA22D888B620}.job"
- C:\WINNT\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 17:29:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\lsass.exe [5.01.2600.2180]
-> C:\WINNT\system32\xfire_lsp_11078.dll

PROCESS: C:\WINNT\explorer.exe [6.00.2900.3156]
-> C:\WINNT\system32\mljjh.dll
.
Completion time: 2007-12-23 17:35:47 - machine was rebooted
.
2007-12-23 03:49:09 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:48 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\System32\FtrakSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPService.exe
C:\PROGRA~1\Yahoo!\PARENT~1\YPCSER~1.EXE
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPUser.exe
C:\Program Files\Microsoft Windows Feedback Panel\wfpasieve.exe
C:\Program Files\Microsoft Windows Feedback Panel\wfpcore.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\QuickTime\QTTask .exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\WINNT\system32\mljjh.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Session MG] c:\windows\wkssvr.exe
O4 - HKLM\..\RunServices: [Session MG] c:\windows\wkssvr.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [MCW Startup] "C:\Program Files\Monitor Calibration Wizard\MCW .exe" /s
O4 - HKCU\..\Run: [Visual Subst] "C:\Documents and Settings\Owner\My Documents\ABS!\Pm_Logger_Script_v1.1_By_Fakhruddin\VSubst_1.0.5-bin\VSubst.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: WFPUser.lnk = C:\Program Files\Microsoft Windows Feedback Panel\wfpuser.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Ad Hunter - C:\Program Files\Maxthon\config/blacklist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: New Task - res://C:\Program Files\Picture Ace\PictureAce.exe/373
O8 - Extra context menu item: Process Links - res://C:\Program Files\Picture Ace\PictureAce.exe/372
O8 - Extra context menu item: Save Image &Z - res://C:\Program Files\Picture Ace\PictureAce.exe/374
O8 - Extra context menu item: Save Image && Back &X - res://C:\Program Files\Picture Ace\PictureAce.exe/377
O8 - Extra context menu item: Save Image && Close &W - res://C:\Program Files\Picture Ace\PictureAce.exe/378
O8 - Extra context menu item: Save Images - res://C:\Program Files\Picture Ace\PictureAce.exe/375
O8 - Extra context menu item: Save Large Image &Q - res://C:\Program Files\Picture Ace\PictureAce.exe/376
O8 - Extra context menu item: Save Large Images - res://C:\Program Files\Picture Ace\PictureAce.exe/371
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Fleet - http://download2.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.186.207.89/activex/AxisCamControl.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static...h/weblaunch.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab55668.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/apop/default/popcaploader_v5.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/w...en/AMClient.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/acti...loadControl.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\WINNT\System32\FtrakSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\PROGRA~1\Yahoo!\PARENT~1\YPCSER~1.EXE

--
End of file - 17748 bytes



#6 SNOWHITE
    missy malware magnet

  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia
Posted 24 December 2007 - 02:48 PM

Hello cedarpointfan,

No need to send me private messages when you have posted your reports; I am subscribed to your topic, so I always get a notification when you reply here :thumbsup:

It appears that malware has modified some of your applications; let's double-check that before we proceed with the next steps. Please follow these steps:

1. Go to this website: www.virustotal.com
2. Upload this file by copying (Ctrl+C) and pasting (Ctrl+V) it into the file box: C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
3. Submit the file and copy/paste the results back into this thread.
4. Repeat the same instructions for the next file too: C:\Program Files\Microsoft ActiveSync\wcescomm .exe
Post back with VirusTotal reports.

Regards,
SNOWHITE

#7 cedarpointfan
  • Topic Starter
  • Members
  • 20 posts

Posted 24 December 2007 - 03:32 PM

Thank you for your reply! I have successfully submitted both files, and the results are below.

File StyleXP.exe received on 12.24.2007 21:15:58 (CET)
Antivirus;Version;Last Update;Result
AhnLab-V3;2007.12.25.10;2007.12.24;-
AntiVir;7.6.0.46;2007.12.24;HEUR/Malware
Authentium;4.93.8;2007.12.23;-
Avast;4.7.1098.0;2007.12.24;-
AVG;7.5.0.516;2007.12.24;Dropper.Generic.THT
BitDefender;7.2;2007.12.24;-
CAT-QuickHeal;9.00;2007.12.24;-
ClamAV;0.91.2;2007.12.24;W32.Prep-1
DrWeb;4.44.0.09170;2007.12.24;Trojan.Virtumod.253
eSafe;7.0.15.0;2007.12.24;-
eTrust-Vet;31.3.5400;2007.12.24;-
Ewido;4.0;2007.12.24;-
FileAdvisor;1;2007.12.24;-
Fortinet;3.14.0.0;2007.12.24;-
F-Prot;4.4.2.54;2007.12.23;-
F-Secure;6.70.13030.0;2007.12.24;-
Ikarus;T3.1.1.15;2007.12.24;not-a-virus:AdWare.Win32.Virtumonde.cli
Kaspersky;7.0.0.125;2007.12.24;not-a-virus:AdWare.Win32.Virtumonde.cli
McAfee;5192;2007.12.24;-
Microsoft;1.3109;2007.12.24;-
NOD32v2;2745;2007.12.24;-
Norman;5.80.02;2007.12.24;-
Panda;9.0.0.4;2007.12.24;-
Prevx1;V2;2007.12.24;-
Rising;20.24.02.00;2007.12.24;-
Sophos;4.24.0;2007.12.24;-
Sunbelt;2.2.907.0;2007.12.21;-
Symantec;10;2007.12.24;-
TheHacker;6.2.9.168;2007.12.22;-
VBA32;3.12.2.5;2007.12.24;Trojan.Virtumod.253
VirusBuster;4.3.26:9;2007.12.24;Win32.Trats.B
Webwasher-Gateway;6.6.2;2007.12.24;Heuristic.Malware

Additional information
File size: 1675776 bytes
MD5: 48873654cce7861f88569cae5875b798
SHA1: 76de6500da546bdbe2eca5efae98e5f4e6590389
PEiD: -


File wcescomm_.exe received on 12.24.2007 21:31:09 (CET)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - Dropper.Generic.THT
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - W32.Prep-1
DrWeb - - Trojan.Virtumod.253
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - not-a-virus:AdWare.Win32.Virtumonde.cli
Kaspersky - - not-a-virus:AdWare.Win32.Virtumonde.cli
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - Trojan.Virtumod.253
VirusBuster - - Win32.Trats.B
Webwasher-Gateway - - -
Additional information
MD5: 7b51c347fd8f03eefda92932f9142e51


Edited by cedarpointfan, 24 December 2007 - 04:43 PM.
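The two reports above arrive in different layouts (semicolon-separated for StyleXP.exe, whitespace with "-" placeholders for wcescomm .exe), and the engines that do fire name the same family differently (Trojan.Virtumod, AdWare.Win32.Virtumonde). As an added example, not part of the original post, the Python below parses both layouts, computes the detection ratio and picks out the engines that name the Vundo family versus those that only reported a heuristic or generic hit. The sample reports are copied from the post above and trimmed to a few engines; the alias list is my own choice.

```python
"""Summarise VirusTotal results pasted as text, in both layouts seen in this thread.

Added example, not from the original post. The two sample reports below are
copied from the post above and trimmed to a handful of engines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Semicolon layout, as pasted for StyleXP.exe (trimmed).
REPORT_STYLEXP = """\
Antivirus;Version;Last Update;Result
AhnLab-V3;2007.12.25.10;2007.12.24;-
AntiVir;7.6.0.46;2007.12.24;HEUR/Malware
Avast;4.7.1098.0;2007.12.24;-
AVG;7.5.0.516;2007.12.24;Dropper.Generic.THT
ClamAV;0.91.2;2007.12.24;W32.Prep-1
DrWeb;4.44.0.09170;2007.12.24;Trojan.Virtumod.253
Kaspersky;7.0.0.125;2007.12.24;not-a-virus:AdWare.Win32.Virtumonde.cli
Microsoft;1.3109;2007.12.24;-
Symantec;10;2007.12.24;-
VBA32;3.12.2.5;2007.12.24;Trojan.Virtumod.253
"""

# Whitespace layout with '-' placeholders, as pasted for wcescomm .exe (trimmed).
REPORT_WCESCOMM = """\
Antivirus Version Last Update Result
AhnLab-V3 - - -
AVG - - Dropper.Generic.THT
ClamAV - - W32.Prep-1
DrWeb - - Trojan.Virtumod.253
Ikarus - - not-a-virus:AdWare.Win32.Virtumonde.cli
McAfee - - -
VirusBuster - - Win32.Trats.B
Webwasher-Gateway - - -
"""

# Family names the engines in this thread use for Vundo (my list, not VirusTotal's).
VUNDO_ALIASES = ("vundo", "virtumonde", "virtumod")


@dataclass(frozen=True)
class EngineResult:
    engine: str
    result: Optional[str]  # None when the engine reported no detection


def parse_line(line: str) -> Optional[EngineResult]:
    """Parse one result row; returns None for blank or header rows."""
    line = line.strip()
    if not line or line.lower().startswith("antivirus"):
        return None
    fields = [f.strip() for f in line.split(";")] if ";" in line else line.split()
    if len(fields) < 4:
        return None
    result = " ".join(fields[3:])
    return EngineResult(fields[0], None if result in ("-", "") else result)


def summarise(report: str) -> dict:
    """Detection ratio, engines naming the Vundo family, and heuristic/generic-only hits."""
    rows = [r for r in map(parse_line, report.splitlines()) if r is not None]
    hits = [r for r in rows if r.result]
    return {
        "ratio": f"{len(hits)}/{len(rows)}",
        "vundo_family": [r.engine for r in hits
                         if any(a in r.result.lower() for a in VUNDO_ALIASES)],
        "heuristic_or_generic": [r.engine for r in hits
                                 if re.search(r"heur|generic", r.result, re.I)],
    }


if __name__ == "__main__":
    for name, report in (("StyleXP.exe", REPORT_STYLEXP), ("wcescomm .exe", REPORT_WCESCOMM)):
        print(name, summarise(report))
```

The point of separating the family names from the heuristic hits is practical: a handful of engines agreeing on Virtumod/Virtumonde across two unrelated programs (a theme tool and ActiveSync) is what tells the helper these are patched copies of legitimate files rather than a lone false positive, which is exactly the conclusion SNOWHITE draws in the next post.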


#8 SNOWHITE
    missy malware magnet

  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 28 December 2007 - 12:27 PM

Hello cedarpointfan,

> Thank you for your reply! I have successfully submitted both files, and the results are below.


Unfortunately, you have an infection that modifies other legitimate files. We will deal with this step by step. You will also need to uninstall some programs that are infected and re-install them after the cleaning process is done.

First, download this program:

suspicious files packer

Highlight the files listed below, right-click, and select Copy.

C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe


Then start the file packer program, right-click in the white box, and select Paste to paste the copied file names into the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to cedarpointfan.cab

Click on this link:
http://www.bleepingcomputer.com/submit-malware.php?channel=29
and fill in the required fields, then Browse for this filename: cedarpointfan.cab
Click on the Send File button.

Thank you!

Next, delete the version of ComboFix you have, download the latest version, and run a scan with it.

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply, along with a new HijackThis report.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Regards,
SNOWHITE
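The path SNOWHITE asks about, wcescomm .exe, carries a space before the extension, and the logs posted in this thread show the same telltale on other entries (QTTask .exe, MCW .exe, iTunesHelper .exe alongside a plain iTunesHelper.exe). As an added example, not part of the original thread, the Python below scans HijackThis O4 and ComboFix Run-key lines for executable names with whitespace immediately before the extension and names the legitimate file each hit should be compared against. The sample lines are copied from the logs in this thread; the path regular expression and the comparison helper are my own.

```python
"""Flag startup entries whose executable name has a space right before the extension.

Added example, not from the original thread. The suspect path SNOWHITE lists
('wcescomm .exe') has that telltale, and the logs in this thread show it on
several other Run entries. The sample lines below are copied from those logs
(HijackThis 'O4' and ComboFix Run-key layouts).
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MCW Startup] "C:\Program Files\Monitor Calibration Wizard\MCW .exe" /s
"Session MG"="c:\windows\wkssvr.exe" []
"""

# A drive-letter path, optionally quoted, up to the first executable-type extension.
# Spaces inside the path are allowed on purpose: that is what we are hunting for.
_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|com))\b"?', re.I)


def extract_paths(line: str) -> list[str]:
    """All executable paths mentioned on one log line."""
    return _PATH_RE.findall(line)


def has_space_before_extension(path: str) -> bool:
    """True for names like 'QTTask .exe', where whitespace precedes the last dot."""
    stem, dot, _ext = PureWindowsPath(path).name.rpartition(".")
    return bool(dot) and stem != stem.rstrip()


def expected_original(path: str) -> str:
    """The same path without the inserted space: the legitimate file to diff/hash against."""
    p = PureWindowsPath(path)
    stem, _dot, ext = p.name.rpartition(".")
    return str(p.with_name(f"{stem.rstrip()}.{ext}"))


def suspicious_entries(log: str) -> list[tuple[str, str]]:
    """(log line, path) pairs whose executable name carries the telltale."""
    found = []
    for line in log.splitlines():
        for path in extract_paths(line):
            if has_space_before_extension(path):
                found.append((line.strip(), path))
    return found


if __name__ == "__main__":
    for line, path in suspicious_entries(SAMPLE_LOG):
        print(f"{path!r} -> compare against {expected_original(path)!r}\n    {line}")
```

A hit here is a lead, not a verdict: the next step is the one SNOWHITE takes, submitting the flagged file and its clean-named sibling for scanning, and checking whether the two differ in size or hash.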

#9 cedarpointfan
  • Topic Starter
  • Members
  • 20 posts

Posted 28 December 2007 - 01:35 PM

Thank you for your reply! Cedarpointfan.cab was submitted as per your instruction with an added note.

Below is the ComboFix Log, and subsequent HijackThis report.

ComboFix 07-12-21.4 - Owner 2007-12-28 13:06:31.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\My Documents\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-27 19:17 . 2007-12-27 19:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PCF-VLC
2007-12-27 18:14 . 2007-12-27 18:14 <DIR> d-------- C:\Program Files\Handbrake
2007-12-27 12:46 . 2007-12-27 20:25 54,156 --ah----- C:\WINNT\QTFont.qfn
2007-12-27 12:46 . 2007-12-27 17:36 1,409 --a------ C:\WINNT\QTFont.for
2007-12-27 12:08 . 2007-12-27 12:11 1,905 --a------ C:\WINNT\diagwrn.xml
2007-12-27 12:08 . 2007-12-27 12:11 1,905 --a------ C:\WINNT\diagerr.xml
2007-12-25 07:40 . 2007-12-25 07:59 39,708,812 --a------ C:\MAD_tv_-_Lorraine_Wins_a_Trip.flv.MP4
2007-12-24 14:04 . 2007-12-24 14:04 <DIR> d-------- C:\kazaabegone
2007-12-24 13:57 . 2007-12-24 13:57 75,808 --a------ C:\kazaabegone.zip
2007-12-23 17:14 . 2007-12-23 17:16 1,478,778 --a------ C:\ComboFix.exe
2007-12-23 11:08 . 2007-12-23 11:08 <DIR> d-------- C:\WINNT\ERUNT
2007-12-23 11:02 . 2007-12-23 11:02 1,215,777 --a------ C:\SDFix.exe
2007-12-22 23:15 . 2007-12-22 23:19 <DIR> d-------- C:\Program Files\ExplorerXP
2007-12-22 22:51 . 2003-04-14 15:02 <DIR> d-------- C:\Documents and Settings\Nick2\Application Data\Symantec
2007-12-22 22:51 . 2003-04-14 14:57 <DIR> d-------- C:\Documents and Settings\Nick2\Application Data\InterTrust
2007-12-22 12:44 . 2001-08-17 12:19 747,392 --a------ C:\WINNT\system32\dllcache\adm8830.sys
2007-12-22 12:43 . 2001-08-17 13:28 762,780 --a------ C:\WINNT\system32\dllcache\3cwmcru.sys
2007-12-22 12:43 . 2001-08-17 14:55 689,216 --a------ C:\WINNT\system32\dllcache\3dfxvs.dll
2007-12-22 12:43 . 2001-08-17 22:36 462,848 --a------ C:\WINNT\system32\dllcache\a3dapi.dll
2007-12-22 12:43 . 2002-08-28 23:00 231,552 --a------ C:\WINNT\system32\dllcache\ac97ali.sys
2007-12-22 12:43 . 2001-08-17 12:48 148,352 --a------ C:\WINNT\system32\dllcache\3dfxvsm.sys
2007-12-22 12:43 . 2004-08-04 02:10 48,128 --a------ C:\WINNT\system32\dllcache\61883.sys
2007-12-22 12:43 . 2001-08-17 14:55 38,400 --a------ C:\WINNT\system32\dllcache\8514a.dll
2007-12-22 12:43 . 2001-08-17 13:52 23,552 --a------ C:\WINNT\system32\dllcache\abp480n5.sys
2007-12-22 12:43 . 2004-08-04 02:00 12,288 --a------ C:\WINNT\system32\dllcache\4mmdat.sys
2007-12-22 12:43 . 2001-08-17 14:06 11,264 --a------ C:\WINNT\system32\dllcache\1394vdbg.sys
2007-12-18 21:49 . 2007-12-18 21:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Thunderbird
2007-12-18 21:48 . 2007-12-18 21:50 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-12-16 23:42 . 2007-12-27 21:36 3,831,100 --a------ C:\Chevelle - It's No Good.mp3
2007-12-15 15:20 . 2007-12-15 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-15 10:05 . 2007-12-15 10:05 118 --a------ C:\WINNT\system32\MRT.INI
2007-12-11 15:43 . 2007-12-11 15:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\DivX
2007-12-11 15:29 . 2007-12-11 15:45 <DIR> d-------- C:\Program Files\Microsoft Windows Feedback Panel
2007-12-11 15:29 . 2007-12-11 15:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WFP
2007-12-10 16:56 . 2007-12-10 16:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DivX
2007-12-09 14:13 . 2007-12-09 14:13 <DIR> d-------- C:\WINNT\system32\FLIQLO dir
2007-12-09 14:13 . 2007-12-09 14:13 532,480 --a------ C:\WINNT\system32\FLIQLO.scr
2007-12-08 21:44 . 2007-12-08 21:44 <DIR> d-------- C:\HP
2007-12-05 20:25 . 2007-12-05 20:25 <DIR> d-------- C:\Program Files\Crayon Room
2007-12-04 19:24 . 2007-12-04 19:24 <DIR> d-------- C:\Program Files\CoolMon 2
2007-12-04 13:38 . 2007-12-04 13:38 3,596,288 --a------ C:\WINNT\system32\qt-dx331.dll
2007-12-04 13:38 . 2007-12-04 13:38 1,044,480 --a------ C:\WINNT\system32\libdivx.dll
2007-12-04 13:38 . 2007-12-04 13:38 524,288 --a------ C:\WINNT\system32\DivXsm.exe
2007-12-04 13:38 . 2007-12-04 13:38 200,704 --a------ C:\WINNT\system32\ssldivx.dll
2007-12-04 13:38 . 2007-12-04 13:38 4,816 --a------ C:\WINNT\system32\divxsm.tlb
2007-12-04 13:35 . 2007-12-04 13:35 156,992 --a------ C:\WINNT\system32\DivXCodecVersionChecker.exe
2007-12-04 13:35 . 2007-12-04 13:35 12,288 --a------ C:\WINNT\system32\DivXWMPExtType.dll
2007-12-01 17:33 . 2007-12-01 17:33 <DIR> d-------- C:\Program Files\Sierra Entertainment
2007-12-01 17:17 . 2007-12-01 17:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 18:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\Xfire
2007-12-28 18:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2007-12-28 00:37 --------- d-----w C:\Program Files\iTunes
2007-12-27 23:21 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-27 20:43 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 1
2007-12-24 20:16 --------- d-----w C:\Program Files\Opera
2007-12-24 19:02 --------- d-----w C:\Program Files\QuickTime
2007-12-24 16:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ruckus Network
2007-12-23 20:55 --------- d-----w C:\Program Files\Monitor Calibration Wizard
2007-12-23 06:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-23 04:05 1,033,216 ----a-w C:\WINNT\explorer.exe
2007-12-19 21:46 --------- d-s---w C:\Program Files\Xfire
2007-12-16 17:29 --------- d-----w C:\Program Files\Last.fm
2007-12-14 12:13 --------- d-----w C:\Program Files\Picasa2
2007-12-11 01:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2007-12-10 21:55 --------- d-----w C:\Program Files\DivX
2007-12-04 14:56 93,264 ----a-w C:\WINNT\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINNT\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINNT\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINNT\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINNT\system32\drivers\aavmker4.sys
2007-12-01 22:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-01 22:32 --------- d-----w C:\Program Files\StarWarsGalaxies
2007-11-29 02:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2007-11-27 23:07 --------- d-----w C:\Program Files\Virtual Earth 3D
2007-11-27 20:50 --------- d-----w C:\Program Files\Viewpoint
2007-11-27 20:50 --------- d-----w C:\Program Files\Common Files\Viewpoint
2007-11-27 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-27 04:35 1,409 ----a-w C:\WINNT\Fonts\HELST___.FOT
2007-11-27 04:35 1,409 ----a-w C:\WINNT\Fonts\HELSS___.FOT
2007-11-27 04:35 1,409 ----a-w C:\WINNT\Fonts\HELSM___.FOT
2007-11-27 04:35 1,409 ----a-w C:\WINNT\Fonts\HELSINKI.FOT
2007-11-27 04:35 --------- d-----w C:\Program Files\Musicnotes
2007-11-24 21:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-22 01:53 --------- d-----w C:\Program Files\Ruckus Player
2007-11-22 01:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\KeePass
2007-11-18 20:03 --------- d-----w C:\Program Files\Kramware
2007-11-18 20:01 --------- d-----w C:\Program Files\BellCommander
2007-11-18 04:20 --------- d-----w C:\Program Files\KeePass Password Safe
2007-11-16 11:53 181,880 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-11-14 18:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\Participatory Culture Foundation
2007-11-14 18:36 --------- d-----w C:\Program Files\Participatory Culture Foundation
2007-11-14 01:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2007-11-13 10:25 20,480 ----a-w C:\WINNT\system32\drivers\secdrv.sys
2007-11-08 01:14 --------- d-----w C:\Program Files\Winamp
2007-11-06 05:43 --------- d-----w C:\Program Files\iPod
2007-11-05 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-11-05 04:06 --------- d-----w C:\Program Files\FOX Video Studio
2007-11-05 04:04 --------- d-----w C:\Program Files\WinMX
2007-11-05 04:03 --------- d-----w C:\Program Files\VoiceMX
2007-11-05 04:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\SmartFTP
2007-11-05 04:01 --------- d-----w C:\Program Files\SmartFTP
2007-11-04 23:46 --------- d-----w C:\Program Files\Kodak
2007-11-04 23:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\TuneUp Software
2007-11-04 23:40 --------- d-----w C:\Program Files\VstPlugins
2007-11-04 23:40 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-04 15:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\Hamachi
2007-11-03 14:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-02 20:08 --------- d-----w C:\Program Files\SmartFTP Client 2.0
2007-11-02 18:47 --------- d-----w C:\Program Files\Microsoft Works
2007-11-02 18:47 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-11-02 18:46 --------- d-----w C:\Program Files\Microsoft Expression
2007-10-31 19:09 30,464 ----a-w C:\WINNT\system32\drivers\usbaapl.sys
2007-10-30 22:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-30 21:11 --------- d-----w C:\Program Files\AIM6
2007-01-06 02:25 76 ---ha-w C:\Program Files\Desktop.ini
2006-04-22 19:56 235 ----a-w C:\Program Files\add.html
2003-04-18 01:52 164 -c-ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-05-13 21:12 217,073 --sha-r C:\WINNT\meta4.exe
1757-03-16 10:00 4,263 -csh--w C:\WINNT\windllreg1c.sys
2005-07-14 16:31 27,648 --sha-r C:\WINNT\system32\AVSredirect.dll
2005-06-26 19:32 616,448 --sha-r C:\WINNT\system32\cygwin1.dll
2005-06-22 02:37 45,568 --sha-r C:\WINNT\system32\cygz.dll
2006-05-03 09:06 163,328 --sha-r C:\WINNT\system32\flvDX.dll
2004-01-25 04:00 70,656 --sha-r C:\WINNT\system32\i420vfw.dll
2007-02-21 10:47 31,232 --sha-r C:\WINNT\system32\msfDX.dll
2005-02-28 17:16 240,128 --sha-r C:\WINNT\system32\x.264.exe
2004-01-25 04:00 70,656 --sha-r C:\WINNT\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-23_17.32.43.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-18 23:04:47 102,400 ----a-r C:\WINNT\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe
+ 2007-12-27 22:36:26 102,400 ----a-r C:\WINNT\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe
- 2007-12-23 22:30:32 334,336 ----a-w C:\WINNT\system32\mljjh.dll
+ 2007-12-28 18:23:59 334,336 ----a-w C:\WINNT\system32\mljjh.dll
- 2007-12-23 22:31:22 337,920 ----a-w C:\WINNT\system32\mljjh.exe
+ 2007-12-28 18:24:22 337,920 ----a-w C:\WINNT\system32\mljjh.exe
+ 2007-12-28 18:20:49 16,384 ----atw C:\WINNT\Temp\Perflib_Perfdata_658.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5FF61C6-5C89-4FB6-A061-5B18F9085F2D}]
2007-12-28 13:23 334336 --a------ C:\WINNT\system32\mljjh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" []
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" []
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" []
"MCW Startup"="C:\Program Files\Monitor Calibration Wizard\MCW .exe" []
"Visual Subst"="C:\Documents and Settings\Owner\My Documents\ABS!\Pm_Logger_Script_v1.1_By_Fakhruddin\VSubst_1.0.5-bin\VSubst.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINNT\system32\rundll32.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 C:\WINNT\system32\CTXFIHLP.EXE]
"CTHelper"="CTHELPER.EXE" [2003-01-27 15:16 C:\WINNT\system32\cthelper.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-28 13:24]
"Session MG"="c:\windows\wkssvr.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Session MG"="c:\windows\wkssvr.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\System32\ctfmon.exe" []
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-13 17:38]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-08-17 15:48]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMidi"="MIDIDEF.EXE" [2006-08-11 13:42 C:\WINNT\mididef.exe]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-07-24 13:19:25]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-07-06 19:05:48]
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2003-04-14 14:58:44]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-27 00:20:58]
WFPUser.lnk - C:\Program Files\Microsoft Windows Feedback Panel\wfpuser.exe [2006-06-13 16:43:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
"NoToolbarsOnTaskbar"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\Program Files\Common Files\Stardock\mcpstub.dll 2003-08-25 10:25 139264 C:\Program Files\Common Files\Stardock\MCPStub.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINNT\system32\mljjh.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\mljjh

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINNT\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINNT\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
backup=C:\WINNT\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINNT\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINNT\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeScape Media Detector]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 10:50 155648 --a------ C:\WINNT\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YPC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SsAAD.exe"=C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
"MSN Webcam Recorder"="C:\Program Files\MSN Webcam Recorder\ml20gui.exe" -silent
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IMONTRAY"=C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
"tgcmd"=C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Motive SmartBridge"=C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys [2002-11-07 15:07]
R2 SIODRV;SIODRV;C:\WINNT\system32\drivers\SIODRV.SYS [2005-05-02 21:16]
R3 smbusp;Intel® SMBus 2.0 Driver;C:\WINNT\system32\DRIVERS\smb.sys [2002-10-23 09:05]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINNT\system32\drivers\WmBEnum.sys [2003-05-14 12:42]
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINNT\system32\drivers\WmXlCore.sys [2003-05-14 12:42]
S2 Ca533av;USB PC Camera;C:\WINNT\system32\Drivers\Ca533av.sys [2002-08-22 16:19]
S3 hamachi_oem;PlayLinc Adapter;C:\WINNT\system32\DRIVERS\gan_adapter.sys [2006-10-19 10:11]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINNT\system32\Drivers\LCcFltr.Sys [2004-03-03 09:50]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINNT\system32\DRIVERS\motmodem.sys [2006-12-13 16:52]
S3 MuVor;Creative NOMAD MuVo Control Driver;C:\WINNT\system32\Drivers\MuVor.sys [2002-08-15 18:51]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
S3 RivaTuner32;RivaTuner32;C:\Program Files\RivaTuner v2.02\RivaTuner32.sys [2007-07-01 14:20]
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2006-04-14 10:04]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINNT\system32\Drivers\StMp3Rec.sys [2003-10-01 11:30]
S3 USBAAPL;Apple Mobile USB Driver;C:\WINNT\system32\Drivers\usbaapl.sys [2007-10-31 14:09]
S3 USBCamera;Bulk USB Device;C:\WINNT\system32\Drivers\Bulk533.sys [2002-07-25 11:19]
S3 WCG200V2XP;Linksys WCG200 ver. 2 Wireless-G Cable Gateway;C:\WINNT\system32\DRIVERS\WCG200V2XP.sys [2004-07-06 03:06]
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINNT\system32\drivers\WmFilter.sys [2003-05-14 12:42]
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINNT\system32\drivers\WmVirHid.sys [2003-05-14 12:42]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 12:45:00 C:\WINNT\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-12-28 13:34:02 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-06-01 03:18:11 C:\WINNT\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1050806001.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2003-04-20 03:45:00 C:\WINNT\Tasks\ISP signup reminder 1.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2003-05-02 20:15:00 C:\WINNT\Tasks\ISP signup reminder 3.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2005-11-18 12:08:52 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2007-12-28 18:03:34 C:\WINNT\Tasks\User_Feed_Synchronization-{ECC5DF2A-0811-41C6-8F34-CA22D888B620}.job"
- C:\WINNT\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 13:22:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\mljjh.exe 337920 bytes executable
C:\WINNT\system32\hjjlm.ini 319 bytes
C:\WINNT\system32\hjjlm.ini2 319 bytes
IPC error: 2 The system cannot find the file specified.
scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\lsass.exe [5.01.2600.2180]
-> C:\WINNT\system32\xfire_lsp_11078.dll
.
Completion time: 2007-12-28 13:27:48 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-23 17:35
.
2007-12-23 03:49:09 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:28 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\System32\FtrakSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPService.exe
C:\PROGRA~1\Yahoo!\PARENT~1\YPCSER~1.EXE
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPUser.exe
C:\Program Files\Microsoft Windows Feedback Panel\wfpasieve.exe
C:\Program Files\Microsoft Windows Feedback Panel\wfpcore.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper .exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox 3 Beta 1\firefox.exe
C:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\WINNT\system32\mljjh.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Session MG] c:\windows\wkssvr.exe
O4 - HKLM\..\RunServices: [Session MG] c:\windows\wkssvr.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [MCW Startup] "C:\Program Files\Monitor Calibration Wizard\MCW .exe" /s
O4 - HKCU\..\Run: [Visual Subst] "C:\Documents and Settings\Owner\My Documents\ABS!\Pm_Logger_Script_v1.1_By_Fakhruddin\VSubst_1.0.5-bin\VSubst.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: WFPUser.lnk = C:\Program Files\Microsoft Windows Feedback Panel\wfpuser.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Ad Hunter - C:\Program Files\Maxthon\config/blacklist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: New Task - res://C:\Program Files\Picture Ace\PictureAce.exe/373
O8 - Extra context menu item: Process Links - res://C:\Program Files\Picture Ace\PictureAce.exe/372
O8 - Extra context menu item: Save Image &Z - res://C:\Program Files\Picture Ace\PictureAce.exe/374
O8 - Extra context menu item: Save Image && Back &X - res://C:\Program Files\Picture Ace\PictureAce.exe/377
O8 - Extra context menu item: Save Image && Close &W - res://C:\Program Files\Picture Ace\PictureAce.exe/378
O8 - Extra context menu item: Save Images - res://C:\Program Files\Picture Ace\PictureAce.exe/375
O8 - Extra context menu item: Save Large Image &Q - res://C:\Program Files\Picture Ace\PictureAce.exe/376
O8 - Extra context menu item: Save Large Images - res://C:\Program Files\Picture Ace\PictureAce.exe/371
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Fleet - http://download2.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.186.207.89/activex/AxisCamControl.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static...h/weblaunch.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab55668.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/apop/default/popcaploader_v5.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/w...en/AMClient.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/acti...loadControl.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\WINNT\System32\FtrakSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\PROGRA~1\Yahoo!\PARENT~1\YPCSER~1.EXE

--
End of file - 17145 bytes


Edited by cedarpointfan, 28 December 2007 - 01:36 PM.


#10 cedarpointfan

  • Topic Starter
  • Members
  • 20 posts

Posted 28 December 2007 - 03:45 PM

I believe the Trojan has modified another file. iTunesHelper.exe is now showing up as iTunesHelper .exe

#11 SNOWHITE

    missy malware magnet

  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 29 December 2007 - 02:15 PM

Hello cedarpointfan,

Please follow the steps below exactly in the order they are written:

Step #1

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINNT\system32\hjjlm.ini
C:\WINNT\system32\hjjlm.ini2
C:\WINNT\system32\mljjh.dll
C:\WINNT\system32\mljjh.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Think-Adz.lnk
C:\WINNT\pss\Think-Adz.lnk

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5FF61C6-5C89-4FB6-A061-5B18F9085F2D}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!


Save this as "CFScript"


[Image: CFScript being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Step #2

Download and save RenV.exe to Desktop from the following link:

http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe

Double-click RenV.exe.

When finished, it shall produce a new log for you. Post that log in your next reply.

Step #3

Please do an online scan with Kaspersky WebScanner

NOTE: This Scanner will work with Internet Explorer Only!


Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As... button:
  • Under Save as type select Text file, write a name for the file and save it to your Desktop.
  • Locate the file on the Desktop, open it, then copy and paste that information in your next post.
Post back with the ComboFix report, the contents of the report generated by RenV.exe, the Kaspersky scan report and a new HijackThis log.

Regards,
SNOWHITE
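Two things in the post above are worth being able to check by hand rather than on trust: which HijackThis entries the CFScript is reacting to (the win.ini load= line, the entries whose file name has a space pushed in before the extension, as cedarpointfan reported for iTunesHelper.exe), and what the hex(7) value in the Registry:: section actually writes back into Authentication Packages. The script below is an added example, not code from this thread and not part of HijackThis or ComboFix. It assumes the log's own process list reveals the Windows directory (the smss.exe path) and that the hex(7) value uses the single-byte REGEDIT4 form the CFScript uses; the sample log lines are constructed, modelled on entries shown earlier in this thread.

```python
"""Triage helpers for HijackThis-style log lines and a CFScript registry value.

Added example; not from the thread, HijackThis or ComboFix.
"""
import re
from typing import List, Optional, Tuple

# Autostart lines that this thread's CFScript targets.
_O4_RE = re.compile(r'^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
_F3_RE = re.compile(r'^F3 - REG:win\.ini: (?P<key>load|run)=(?P<cmd>.+)$')
# "QTTask .exe", "iTunesHelper .exe": a space inserted before the extension.
_SPACED_EXT_RE = re.compile(r'\S \.(exe|dll|scr)\b', re.IGNORECASE)
# First drive-rooted path in a command, e.g. C:\WINNT\... or c:\windows\...
_FIRST_PATH_RE = re.compile(r'(?P<drive>[a-z]):\\(?P<top>[^\\"]+)\\', re.IGNORECASE)
# The Windows directory, read from the smss.exe line of "Running processes:".
_SMSS_RE = re.compile(r'^(?P<dir>[a-z]:\\[^\\]+)\\system32\\smss\.exe$', re.IGNORECASE)


def decode_reg_hex7(hex7: str, encoding: str = "latin-1") -> List[str]:
    """Decode a REG_MULTI_SZ written as hex(7):aa,bb,... into its strings.

    REGEDIT4-style scripts (as in the CFScript above) use one byte per
    character; 'Windows Registry Editor Version 5.00' files use UTF-16LE,
    for which encoding="utf-16-le" applies. The list ends with two NULs.
    """
    body = hex7.split(":", 1)[1] if hex7.lower().startswith("hex(7):") else hex7
    body = re.sub(r"[\s\\]", "", body)  # drop .reg line continuations
    raw = bytes(int(b, 16) for b in body.split(",") if b)
    return [s for s in raw.decode(encoding).split("\x00") if s]


def infer_windows_dir(lines: List[str]) -> Optional[str]:
    """Return the Windows directory seen in the log's smss.exe path, if any."""
    for line in lines:
        m = _SMSS_RE.match(line.strip())
        if m:
            return m["dir"]
    return None


def flag_suspicious(lines: List[str], windows_dir: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for autostart entries worth a second look."""
    findings: List[Tuple[str, str]] = []
    win_lower = windows_dir.lower()
    for line in lines:
        line = line.strip()
        m = _F3_RE.match(line)
        if m:
            # win.ini load=/run= is a legacy autostart; a Windows XP box rarely
            # has anything legitimate there.
            findings.append((line, f"win.ini {m['key']}= autostart: {m['cmd']}"))
            continue
        m = _O4_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"]
        if _SPACED_EXT_RE.search(cmd):
            findings.append((line, "space before file extension in path"))
        p = _FIRST_PATH_RE.search(cmd)
        if p:
            top = f"{p['drive']}:\\{p['top']}".lower()
            # An entry under a different Windows directory name than the one
            # the running system uses (c:\windows on a C:\WINNT install).
            if top in ("c:\\windows", "c:\\winnt") and top != win_lower:
                findings.append((line, f"points at {top}; this system uses {windows_dir}"))
    return findings


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Infer the Windows directory from the log, then flag entries."""
    return flag_suspicious(lines, infer_windows_dir(lines) or "C:\\WINDOWS")


# Constructed sample, modelled on lines shown earlier in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
F3 - REG:win.ini: load=C:\WINNT\system32\mljjh.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Session MG] c:\windows\wkssvr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
""".strip().splitlines()

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
    # The CFScript's Authentication Packages value decodes to the default.
    print(decode_reg_hex7("hex(7):6d,73,76,31,5f,30,00,00"))
```

Decoding the CFScript's hex(7) value gives just `msv1_0`, which is the stock LSA authentication package; ComboFix's own report in the next post shows the value before the fix as `msv1_0 C:\WINNT\system32\mljjh`, so the script is restoring the default rather than adding anything. The triage rules are narrow on purpose: a hit means "look at this entry", not "this is malware", and a clean result says nothing about entries the rules do not cover.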

#12 cedarpointfan

  • Topic Starter
  • Members
  • 20 posts

Posted 29 December 2007 - 10:42 PM

Hello!

I have completed all of the tasks given, and all results and logs are below.

ComboFix 07-12-21.4 - Owner 2007-12-29 15:19:47.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.792 [GMT -5:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Think-Adz.lnk
C:\WINNT\pss\Think-Adz.lnk
C:\WINNT\system32\hjjlm.ini
C:\WINNT\system32\hjjlm.ini2
C:\WINNT\system32\mljjh.dll
C:\WINNT\system32\mljjh.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\hjjlm.ini
C:\WINNT\system32\hjjlm.ini2
C:\WINNT\system32\mljjh.dll
C:\WINNT\system32\mljjh.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-29 15:14 . 2007-12-29 15:14 <DIR> d-------- C:\backups
2007-12-29 15:04 . 2007-12-29 15:04 54,156 --ah----- C:\WINNT\QTFont.qfn
2007-12-29 15:04 . 2007-12-29 15:04 1,409 --a------ C:\WINNT\QTFont.for
2007-12-28 13:35 . 2007-12-28 13:35 401,720 --a------ C:\HiJackThis.exe
2007-12-27 19:17 . 2007-12-27 19:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PCF-VLC
2007-12-27 18:14 . 2007-12-27 18:14 <DIR> d-------- C:\Program Files\Handbrake
2007-12-27 12:08 . 2007-12-27 12:11 1,905 --a------ C:\WINNT\diagwrn.xml
2007-12-27 12:08 . 2007-12-27 12:11 1,905 --a------ C:\WINNT\diagerr.xml
2007-12-25 07:40 . 2007-12-25 07:59 39,708,812 --a------ C:\MAD_tv_-_Lorraine_Wins_a_Trip.flv.MP4
2007-12-24 14:04 . 2007-12-24 14:04 <DIR> d-------- C:\kazaabegone
2007-12-24 13:57 . 2007-12-24 13:57 75,808 --a------ C:\kazaabegone.zip
2007-12-23 17:14 . 2007-12-29 14:20 1,478,778 --a------ C:\ComboFix.exe
2007-12-23 11:08 . 2007-12-23 11:08 <DIR> d-------- C:\WINNT\ERUNT
2007-12-23 11:02 . 2007-12-23 11:02 1,215,777 --a------ C:\SDFix.exe
2007-12-22 23:15 . 2007-12-22 23:19 <DIR> d-------- C:\Program Files\ExplorerXP
2007-12-22 22:51 . 2003-04-14 15:02 <DIR> d-------- C:\Documents and Settings\Nick2\Application Data\Symantec
2007-12-22 22:51 . 2003-04-14 14:57 <DIR> d-------- C:\Documents and Settings\Nick2\Application Data\InterTrust
2007-12-22 12:44 . 2001-08-17 12:19 747,392 --a------ C:\WINNT\system32\dllcache\adm8830.sys
2007-12-22 12:43 . 2001-08-17 13:28 762,780 --a------ C:\WINNT\system32\dllcache\3cwmcru.sys
2007-12-22 12:43 . 2001-08-17 14:55 689,216 --a------ C:\WINNT\system32\dllcache\3dfxvs.dll
2007-12-22 12:43 . 2001-08-17 22:36 462,848 --a------ C:\WINNT\system32\dllcache\a3dapi.dll
2007-12-22 12:43 . 2002-08-28 23:00 231,552 --a------ C:\WINNT\system32\dllcache\ac97ali.sys
2007-12-22 12:43 . 2001-08-17 12:48 148,352 --a------ C:\WINNT\system32\dllcache\3dfxvsm.sys
2007-12-22 12:43 . 2004-08-04 02:10 48,128 --a------ C:\WINNT\system32\dllcache\61883.sys
2007-12-22 12:43 . 2001-08-17 14:55 38,400 --a------ C:\WINNT\system32\dllcache\8514a.dll
2007-12-22 12:43 . 2001-08-17 13:52 23,552 --a------ C:\WINNT\system32\dllcache\abp480n5.sys
2007-12-22 12:43 . 2004-08-04 02:00 12,288 --a------ C:\WINNT\system32\dllcache\4mmdat.sys
2007-12-22 12:43 . 2001-08-17 14:06 11,264 --a------ C:\WINNT\system32\dllcache\1394vdbg.sys
2007-12-18 21:49 . 2007-12-18 21:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Thunderbird
2007-12-18 21:48 . 2007-12-18 21:50 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-12-16 23:42 . 2007-12-27 21:36 3,831,100 --a------ C:\Chevelle - It's No Good.mp3
2007-12-15 15:20 . 2007-12-15 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-15 10:05 . 2007-12-15 10:05 118 --a------ C:\WINNT\system32\MRT.INI
2007-12-11 15:43 . 2007-12-11 15:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\DivX
2007-12-11 15:29 . 2007-12-11 15:45 <DIR> d-------- C:\Program Files\Microsoft Windows Feedback Panel
2007-12-11 15:29 . 2007-12-11 15:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WFP
2007-12-10 16:56 . 2007-12-10 16:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DivX
2007-12-09 14:13 . 2007-12-09 14:13 <DIR> d-------- C:\WINNT\system32\FLIQLO dir
2007-12-09 14:13 . 2007-12-09 14:13 532,480 --a------ C:\WINNT\system32\FLIQLO.scr
2007-12-08 21:44 . 2007-12-08 21:44 <DIR> d-------- C:\HP
2007-12-05 20:25 . 2007-12-05 20:25 <DIR> d-------- C:\Program Files\Crayon Room
2007-12-04 19:24 . 2007-12-04 19:24 <DIR> d-------- C:\Program Files\CoolMon 2
2007-12-04 13:38 . 2007-12-04 13:38 3,596,288 --a------ C:\WINNT\system32\qt-dx331.dll
2007-12-04 13:38 . 2007-12-04 13:38 1,044,480 --a------ C:\WINNT\system32\libdivx.dll
2007-12-04 13:38 . 2007-12-04 13:38 524,288 --a------ C:\WINNT\system32\DivXsm.exe
2007-12-04 13:38 . 2007-12-04 13:38 200,704 --a------ C:\WINNT\system32\ssldivx.dll
2007-12-04 13:38 . 2007-12-04 13:38 4,816 --a------ C:\WINNT\system32\divxsm.tlb
2007-12-04 13:35 . 2007-12-04 13:35 156,992 --a------ C:\WINNT\system32\DivXCodecVersionChecker.exe
2007-12-04 13:35 . 2007-12-04 13:35 12,288 --a------ C:\WINNT\system32\DivXWMPExtType.dll
2007-12-01 17:33 . 2007-12-01 17:33 <DIR> d-------- C:\Program Files\Sierra Entertainment
2007-12-01 17:17 . 2007-12-01 17:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 20:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2007-12-29 20:13 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 1
2007-12-29 20:08 --------- d-----w C:\Program Files\iTunes
2007-12-28 18:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\Xfire
2007-12-27 23:21 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-24 20:16 --------- d-----w C:\Program Files\Opera
2007-12-24 19:02 --------- d-----w C:\Program Files\QuickTime
2007-12-24 16:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ruckus Network
2007-12-23 20:55 --------- d-----w C:\Program Files\Monitor Calibration Wizard
2007-12-23 06:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-23 04:05 1,033,216 ----a-w C:\WINNT\explorer.exe
2007-12-19 21:46 --------- d-s---w C:\Program Files\Xfire
2007-12-16 17:29 --------- d-----w C:\Program Files\Last.fm
2007-12-14 12:13 --------- d-----w C:\Program Files\Picasa2
2007-12-11 01:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
2007-12-10 21:55 --------- d-----w C:\Program Files\DivX
2007-12-04 14:56 93,264 ----a-w C:\WINNT\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINNT\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINNT\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINNT\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINNT\system32\drivers\aavmker4.sys
2007-12-01 22:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-01 22:32 --------- d-----w C:\Program Files\StarWarsGalaxies
2007-11-29 02:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2007-11-27 23:07 --------- d-----w C:\Program Files\Virtual Earth 3D
2007-11-27 20:50 --------- d-----w C:\Program Files\Viewpoint
2007-11-27 20:50 --------- d-----w C:\Program Files\Common Files\Viewpoint
2007-11-27 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-27 04:35 1,409 ----a-w C:\WINNT\Fonts\HELST___.FOT
2007-11-27 04:35 1,409 ----a-w C:\WINNT\Fonts\HELSS___.FOT
2007-11-27 04:35 1,409 ----a-w C:\WINNT\Fonts\HELSM___.FOT
2007-11-27 04:35 1,409 ----a-w C:\WINNT\Fonts\HELSINKI.FOT
2007-11-27 04:35 --------- d-----w C:\Program Files\Musicnotes
2007-11-24 21:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-22 01:53 --------- d-----w C:\Program Files\Ruckus Player
2007-11-22 01:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\KeePass
2007-11-18 20:01 --------- d-----w C:\Program Files\BellCommander
2007-11-18 04:20 --------- d-----w C:\Program Files\KeePass Password Safe
2007-11-16 11:53 181,880 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-11-14 18:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\Participatory Culture Foundation
2007-11-14 18:36 --------- d-----w C:\Program Files\Participatory Culture Foundation
2007-11-14 01:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2007-11-13 10:25 20,480 ----a-w C:\WINNT\system32\drivers\secdrv.sys
2007-11-08 01:14 --------- d-----w C:\Program Files\Winamp
2007-11-06 05:43 --------- d-----w C:\Program Files\iPod
2007-11-05 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-11-05 04:06 --------- d-----w C:\Program Files\FOX Video Studio
2007-11-05 04:04 --------- d-----w C:\Program Files\WinMX
2007-11-05 04:03 --------- d-----w C:\Program Files\VoiceMX
2007-11-05 04:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\SmartFTP
2007-11-05 04:01 --------- d-----w C:\Program Files\SmartFTP
2007-11-04 23:46 --------- d-----w C:\Program Files\Kodak
2007-11-04 23:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\TuneUp Software
2007-11-04 23:40 --------- d-----w C:\Program Files\VstPlugins
2007-11-04 23:40 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-04 15:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\Hamachi
2007-11-03 14:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-02 20:08 --------- d-----w C:\Program Files\SmartFTP Client 2.0
2007-11-02 18:47 --------- d-----w C:\Program Files\Microsoft Works
2007-11-02 18:47 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-11-02 18:46 --------- d-----w C:\Program Files\Microsoft Expression
2007-10-31 19:09 30,464 ----a-w C:\WINNT\system32\drivers\usbaapl.sys
2007-10-30 22:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-30 21:11 --------- d-----w C:\Program Files\AIM6
2007-01-06 02:25 76 ---ha-w C:\Program Files\Desktop.ini
2006-04-22 19:56 235 ----a-w C:\Program Files\add.html
2003-04-18 01:52 164 -c-ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-05-13 21:12 217,073 --sha-r C:\WINNT\meta4.exe
1757-03-16 10:00 4,263 -csh--w C:\WINNT\windllreg1c.sys
2005-07-14 16:31 27,648 --sha-r C:\WINNT\system32\AVSredirect.dll
2005-06-26 19:32 616,448 --sha-r C:\WINNT\system32\cygwin1.dll
2005-06-22 02:37 45,568 --sha-r C:\WINNT\system32\cygz.dll
2006-05-03 09:06 163,328 --sha-r C:\WINNT\system32\flvDX.dll
2004-01-25 04:00 70,656 --sha-r C:\WINNT\system32\i420vfw.dll
2007-02-21 10:47 31,232 --sha-r C:\WINNT\system32\msfDX.dll
2005-02-28 17:16 240,128 --sha-r C:\WINNT\system32\x.264.exe
2004-01-25 04:00 70,656 --sha-r C:\WINNT\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-23_17.32.43.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-18 23:04:47 102,400 ----a-r C:\WINNT\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe
+ 2007-12-27 22:36:26 102,400 ----a-r C:\WINNT\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe
+ 2007-12-29 20:34:01 16,384 ----atw C:\WINNT\Temp\Perflib_Perfdata_668.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42F086D2-3360-4632-BB8F-BC2740CB8DEB}]
2007-12-29 15:38 334336 --a------ C:\WINNT\system32\mljjh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" []
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" []
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" []
"MCW Startup"="C:\Program Files\Monitor Calibration Wizard\MCW .exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINNT\system32\rundll32.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 C:\WINNT\system32\CTXFIHLP.EXE]
"CTHelper"="CTHELPER.EXE" [2003-01-27 15:16 C:\WINNT\system32\cthelper.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-29 15:38]
"Session MG"="c:\windows\wkssvr.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Session MG"="c:\windows\wkssvr.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\System32\ctfmon.exe" []
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-13 17:38]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-08-17 15:48]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMidi"="MIDIDEF.EXE" [2006-08-11 13:42 C:\WINNT\mididef.exe]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-07-24 13:19:25]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-07-06 19:05:48]
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2003-04-14 14:58:44]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-27 00:20:58]
WFPUser.lnk - C:\Program Files\Microsoft Windows Feedback Panel\wfpuser.exe [2006-06-13 16:43:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
"NoToolbarsOnTaskbar"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\Program Files\Common Files\Stardock\mcpstub.dll 2003-08-25 10:25 139264 C:\Program Files\Common Files\Stardock\MCPStub.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINNT\system32\mljjh.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\mljjh

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINNT\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINNT\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
backup=C:\WINNT\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINNT\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeScape Media Detector]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 10:50 155648 --a------ C:\WINNT\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YPC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SsAAD.exe"=C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
"MSN Webcam Recorder"="C:\Program Files\MSN Webcam Recorder\ml20gui.exe" -silent
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IMONTRAY"=C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
"tgcmd"=C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Motive SmartBridge"=C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys [2002-11-07 15:07]
R2 SIODRV;SIODRV;C:\WINNT\system32\drivers\SIODRV.SYS [2005-05-02 21:16]
R3 smbusp;Intel® SMBus 2.0 Driver;C:\WINNT\system32\DRIVERS\smb.sys [2002-10-23 09:05]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINNT\system32\drivers\WmBEnum.sys [2003-05-14 12:42]
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINNT\system32\drivers\WmXlCore.sys [2003-05-14 12:42]
S2 Ca533av;USB PC Camera;C:\WINNT\system32\Drivers\Ca533av.sys [2002-08-22 16:19]
S3 hamachi_oem;PlayLinc Adapter;C:\WINNT\system32\DRIVERS\gan_adapter.sys [2006-10-19 10:11]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINNT\system32\Drivers\LCcFltr.Sys [2004-03-03 09:50]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINNT\system32\DRIVERS\motmodem.sys [2006-12-13 16:52]
S3 MuVor;Creative NOMAD MuVo Control Driver;C:\WINNT\system32\Drivers\MuVor.sys [2002-08-15 18:51]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
S3 RivaTuner32;RivaTuner32;C:\Program Files\RivaTuner v2.02\RivaTuner32.sys [2007-07-01 14:20]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINNT\system32\Drivers\StMp3Rec.sys [2003-10-01 11:30]
S3 USBAAPL;Apple Mobile USB Driver;C:\WINNT\system32\Drivers\usbaapl.sys [2007-10-31 14:09]
S3 USBCamera;Bulk USB Device;C:\WINNT\system32\Drivers\Bulk533.sys [2002-07-25 11:19]
S3 WCG200V2XP;Linksys WCG200 ver. 2 Wireless-G Cable Gateway;C:\WINNT\system32\DRIVERS\WCG200V2XP.sys [2004-07-06 03:06]
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINNT\system32\drivers\WmFilter.sys [2003-05-14 12:42]
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINNT\system32\drivers\WmVirHid.sys [2003-05-14 12:42]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 12:45:00 C:\WINNT\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-12-28 13:34:02 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-06-01 03:18:11 C:\WINNT\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1050806001.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2003-04-20 03:45:00 C:\WINNT\Tasks\ISP signup reminder 1.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2003-05-02 20:15:00 C:\WINNT\Tasks\ISP signup reminder 3.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2005-11-18 12:08:52 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2007-12-29 20:14:23 C:\WINNT\Tasks\User_Feed_Synchronization-{ECC5DF2A-0811-41C6-8F34-CA22D888B620}.job"
- C:\WINNT\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 15:35:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\hjjlm.ini 319 bytes
C:\WINNT\system32\hjjlm.ini2 319 bytes
IPC error: 2 The system cannot find the file specified.
scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\lsass.exe [5.01.2600.2180]
-> C:\WINNT\system32\xfire_lsp_11078.dll
.
Completion time: 2007-12-29 15:46:23 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-29 15:08
C:\ComboFix3.txt ... 2007-12-28 13:27
.
2007-12-23 03:49:09 --- E O F ---


Ran on Sat 12/29/2007 - 15:47:47.75

----a-w		   100,760 2007-12-23 22:31:00  C:\Documents and Settings\Owner\My Documents\ABS!\Pm_Logger_Script_v1.1_By_Fakhruddin\VSubst_1.0.5-bin\VSubst .exe
----a-w		   267,048 2007-12-29 20:38:12  C:\Program Files\iTunes\iTunesHelper .exe
----a-w		 1,597,440 2007-12-27 23:18:54  C:\Program Files\Microsoft ActiveSync\wcescomm  .exe
----a-w		 1,597,440 2007-12-27 20:59:47  C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w		   651,776 2007-12-23 21:30:54  C:\Program Files\QuickTime\QTTask .exe
----a-w		 1,306,624 2007-12-28 00:28:08  C:\Program Files\TGTSoft\StyleXP\StyleXP .exe

 Entries:				6  (6)
 Directories:			0  Files:			 6
 Bytes:		  5,521,088  Blocks:	   10,784


Attached file: kasperky_report.html (196.2 KB)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:03 PM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\System32\FtrakSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPService.exe
C:\PROGRA~1\Yahoo!\PARENT~1\YPCSER~1.EXE
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPUser.exe
C:\Program Files\Microsoft Windows Feedback Panel\wfpasieve.exe
C:\Program Files\Microsoft Windows Feedback Panel\wfpcore.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox 3 Beta 1\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Last.fm\LastFM.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\WINNT\system32\mljjh.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Session MG] c:\windows\wkssvr.exe
O4 - HKLM\..\RunServices: [Session MG] c:\windows\wkssvr.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [MCW Startup] "C:\Program Files\Monitor Calibration Wizard\MCW .exe" /s
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: WFPUser.lnk = C:\Program Files\Microsoft Windows Feedback Panel\wfpuser.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Ad Hunter - C:\Program Files\Maxthon\config/blacklist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: New Task - res://C:\Program Files\Picture Ace\PictureAce.exe/373
O8 - Extra context menu item: Process Links - res://C:\Program Files\Picture Ace\PictureAce.exe/372
O8 - Extra context menu item: Save Image &Z - res://C:\Program Files\Picture Ace\PictureAce.exe/374
O8 - Extra context menu item: Save Image && Back &X - res://C:\Program Files\Picture Ace\PictureAce.exe/377
O8 - Extra context menu item: Save Image && Close &W - res://C:\Program Files\Picture Ace\PictureAce.exe/378
O8 - Extra context menu item: Save Images - res://C:\Program Files\Picture Ace\PictureAce.exe/375
O8 - Extra context menu item: Save Large Image &Q - res://C:\Program Files\Picture Ace\PictureAce.exe/376
O8 - Extra context menu item: Save Large Images - res://C:\Program Files\Picture Ace\PictureAce.exe/371
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Fleet - http://download2.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab31267.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.186.207.89/activex/AxisCamControl.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static...h/weblaunch.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab55668.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/apop/default/popcaploader_v5.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/w...en/AMClient.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/acti...loadControl.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\WINNT\System32\FtrakSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\PROGRA~1\Yahoo!\PARENT~1\YPCSER~1.EXE

--
End of file - 17219 bytes
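As an added example, not code from this thread or from any of the tools named in it: a small Python triage script over HijackThis-style entries like those in the log above. The sample lines are constructed, and the heuristics it applies (a win.ini load= hook, a space before the extension, an autostart under a Windows directory other than the active one, a RunServices key on XP, unknown LSP files) are assumptions about what a helper reviews first; it flags entries for a human to check, it does not decide removal.

```python
import re
from collections import Counter

# Constructed sample lines (not the full log above), in HijackThis 2.0.2 format.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINNT\system32\mljjh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [Session MG] c:\windows\wkssvr.exe
O4 - HKLM\..\RunServices: [Session MG] c:\windows\wkssvr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_11078.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# First drive-letter path in an entry; tolerates a stray space before the
# extension so "QTTask .exe"-style names are captured whole.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"\r\n]*?\s?\.(?:exe|dll|sys))"?', re.I)
SPACE_EXT_RE = re.compile(r"\s\.(?:exe|dll|sys)$", re.I)


def parse(log_text):
    """Yield (kind, body) for each 'Xn - ...' entry line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def outside_windows_dir(path, windows_dir):
    """True if path sits under a Windows directory other than the active one."""
    p = path.lower()
    active = windows_dir.lower().rstrip("\\") + "\\"
    return any(p.startswith(d) for d in ("c:\\windows\\", "c:\\winnt\\")) and not p.startswith(active)


def triage(log_text, windows_dir="C:\\WINNT"):
    """Return (kind, reason, detail) tuples for entries worth a second look.

    The heuristics are assumptions made for this example; they flag entries
    for review, they do not decide what gets removed."""
    findings = []
    lsp_files = Counter()
    for kind, body in parse(log_text):
        if kind == "O10":
            # HijackThis prints one O10 line per LSP chain entry; count them per DLL.
            lsp_files[body.rsplit(":", 1)[-1].strip()] += 1
            continue
        m = PATH_RE.search(body)
        path = m.group("path") if m else None
        if kind == "F3" and "load=" in body.lower():
            findings.append((kind, "win.ini load= autostart hook (legacy; rarely used legitimately)", path or body))
        if path and SPACE_EXT_RE.search(path):
            findings.append((kind, "space before extension in executable name", path))
        if kind == "O4":
            if path and outside_windows_dir(path, windows_dir):
                findings.append((kind, "autostart under a Windows directory that is not the active one (%s)" % windows_dir, path))
            if "RunServices" in body:
                findings.append((kind, "RunServices key (Windows 9x/ME key; unusual on XP)", path or body))
    for dll, n in lsp_files.items():
        findings.append(("O10", "unknown Winsock LSP, %d chain entries; verify the vendor before any LSP fix, a bad one breaks networking" % n, dll))
    return findings


if __name__ == "__main__":
    for kind, reason, detail in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (kind, reason, detail))
```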



#13 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:07:09 PM

Posted 30 December 2007 - 06:25 AM

Hello cedarpointfan,

I see you have been visiting some sites with illegal contents; that is how your computer got infected so much. Do not visit any sites of this sort any more, and do not download cracks, keygens and similar, or your computer will get infected again, and who knows, next time you might end up with reformatting as your only choice. And it is not just the reformatting problem, but also all those backdoors that are already installed on the computer and other spyware that will steal your personal info and banking details. Now that's a problem: anyone that would have access to your computer (and that is what backdoors do, give other people access to your computer) can sell your personal info, and if you do any banking online, they will also steal your credit card numbers, online banking accounts etc. And that is not all, they can also use your computer for DDoS attacks and similar. Ask yourself, is it really worth downloading keygens and visiting this kind of sites?

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Owner\Desktop\cedarpointfan.cab
    C:\Documents and Settings\Owner\My Documents\Azureus Downloads\TuneUp Utilities 2007 + keygen\Keygen.exe
    C:\Documents and Settings\Owner\My Documents\Azureus Downloads\TuneUp Utilities 2007 + keygen
    C:\Documents and Settings\Owner\My Documents\backups\backup-20071222-113745-209.dll
    C:\Documents and Settings\Owner\My Documents\My Music\06 Track 6.wma
    C:\Documents and Settings\Owner\My Documents\My Pictures\Nick's Photography\Emoticons\MSN6.EmoPackV6.zip
    C:\Documents and Settings\Owner\My Documents\My Received Files\103042.exe
    C:\Documents and Settings\Owner\My Documents\My Received Files\avvoicechangersoftwarediamondv4.0.54keygenvirility
    C:\Documents and Settings\Owner\My Documents\My Received Files\avvoicechangersoftwarediamondv4.0.54keygenvirility.zip
    C:\Documents and Settings\Owner\My Documents\My Received Files\avvoicechangersoftwarediamondv4.0.54keygenvirility.zip
    C:\Documents and Settings\Owner\My Documents\My Received Files\MSN-Mood2-Diplsay-Pictures.zip
    C:\Documents and Settings\Owner\My Documents\My Received Files\registry-clean-expert.exe
    C:\Program Files\Adobe\Adobe Photoshop CS2\xfiremusic_12b\xfiremusic.exe
    C:\Program Files\Adobe\Adobe Photoshop CS2\xfiremusic_12b.zip
    C:\Program Files\Maxis\The Sims\My Documents\santafree.exe
    C:\WINDOWS\Temp\Loader.exe
    C:\WINDOWS\Temp\mo467ly.exe
    C:\WINDOWS\Temp\tmp_68e.exe
    C:\WINNT\ab1.exe
    C:\WINNT\astcprup_bp.exe
    C:\WINNT\ast_4_bp.exe
    C:\WINNT\Downloaded Program Files\button.inf
    C:\WINNT\gsi.exe
    C:\WINNT\hancerdoem.exe
    C:\WINNT\PCHealth\HelpCtr\Binaries\OLD54.tmp
    C:\WINNT\system32\cjyrdcn.dll
    C:\WINNT\system32\NTSecurity.exe
    C:\WINNT\system32\qxyeykgg.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Next,

Find the log that was generated by RenV.exe and drag it into RenV.exe, like in the screenshot below:


[Screenshot: Log.txt being dragged into RenV.exe]

Referring to the picture above, drag Log.txt into RenV.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

Post back with OTMoveIt report, and the new log by RenV.exe.

I will be away for a couple of days, probably I will be back Tuesday or Wednesday; until then I will not have access to a computer and I will not be able to reply to you.

Have Happy Holidays,
Regards,
SNOWHITE

#14 cedarpointfan

cedarpointfan
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:09 PM

Posted 30 December 2007 - 12:33 PM

Thank you for alerting me about this illegal activity. This is somewhat of a shared computer, and I guess I need to have a talk with the other users.

C:\Documents and Settings\Owner\Desktop\cedarpointfan.cab moved successfully.
C:\Documents and Settings\Owner\My Documents\Azureus Downloads\TuneUp Utilities 2007 + keygen\Keygen.exe moved successfully.
C:\Documents and Settings\Owner\My Documents\Azureus Downloads\TuneUp Utilities 2007 + keygen moved successfully.
DllUnregisterServer procedure not found in C:\Documents and Settings\Owner\My Documents\backups\backup-20071222-113745-209.dll
C:\Documents and Settings\Owner\My Documents\backups\backup-20071222-113745-209.dll NOT unregistered.
C:\Documents and Settings\Owner\My Documents\backups\backup-20071222-113745-209.dll moved successfully.
C:\Documents and Settings\Owner\My Documents\My Music\06 Track 6.wma moved successfully.
C:\Documents and Settings\Owner\My Documents\My Pictures\Nick's Photography\Emoticons\MSN6.EmoPackV6.zip moved successfully.
C:\Documents and Settings\Owner\My Documents\My Received Files\103042.exe moved successfully.
C:\Documents and Settings\Owner\My Documents\My Received Files\avvoicechangersoftwarediamondv4.0.54keygenvirility moved successfully.
C:\Documents and Settings\Owner\My Documents\My Received Files\avvoicechangersoftwarediamondv4.0.54keygenvirility.zip moved successfully.
File/Folder C:\Documents and Settings\Owner\My Documents\My Received Files\avvoicechangersoftwarediamondv4.0.54keygenvirility.zip not found.
C:\Documents and Settings\Owner\My Documents\My Received Files\MSN-Mood2-Diplsay-Pictures.zip moved successfully.
C:\Documents and Settings\Owner\My Documents\My Received Files\registry-clean-expert.exe moved successfully.
C:\Program Files\Adobe\Adobe Photoshop CS2\xfiremusic_12b\xfiremusic.exe moved successfully.
C:\Program Files\Adobe\Adobe Photoshop CS2\xfiremusic_12b.zip moved successfully.
C:\Program Files\Maxis\The Sims\My Documents\santafree.exe moved successfully.
C:\WINDOWS\Temp\Loader.exe moved successfully.
C:\WINDOWS\Temp\mo467ly.exe moved successfully.
C:\WINDOWS\Temp\tmp_68e.exe moved successfully.
C:\WINNT\ab1.exe moved successfully.
C:\WINNT\astcprup_bp.exe moved successfully.
C:\WINNT\ast_4_bp.exe moved successfully.
C:\WINNT\Downloaded Program Files\button.inf moved successfully.
C:\WINNT\gsi.exe moved successfully.
C:\WINNT\hancerdoem.exe moved successfully.
C:\WINNT\PCHealth\HelpCtr\Binaries\OLD54.tmp moved successfully.
LoadLibrary failed for C:\WINNT\system32\cjyrdcn.dll
C:\WINNT\system32\cjyrdcn.dll NOT unregistered.
C:\WINNT\system32\cjyrdcn.dll moved successfully.
C:\WINNT\system32\NTSecurity.exe moved successfully.
C:\WINNT\system32\qxyeykgg.exe moved successfully.

Created on 12/30/2007 12:12:09


Ran on Sun 12/30/2007 - 12:25:38.82

------w		   267,048 2007-12-29 20:38:12  C:\Program Files\iTunes\iTunesHelper .exe

 Entries:				1  (1)
 Directories:			0  Files:			 1
 Bytes:			267,048  Blocks:		  522

Thank you!
And Happy New Year!

#15 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:07:09 PM

Posted 03 January 2008 - 10:05 AM

Hello cedarpointfan,


Thank you for alerting me about this illegal activity. This is somewhat of a shared computer, and I guess I need to have a talk with the other users.


You should definitely talk with the others that are using this computer.

Since it's been a while until I reply back to you, the reports are now outdated; also there is a new version of combofix available, so I want you to remove your version of combofix and run a scan with the latest one. Follow these steps:

Delete the version of combofix you have on desktop, then download it from one of these links:

Link1
Link2
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Post back with combofix report and new HijackThis log.

Regards,
SNOWHITE



