Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Began W/searchus.exe, Now Pop-up Ie Windows And?


  • Please log in to reply
21 replies to this topic

#1 rskerm

rskerm

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 29 December 2007 - 09:00 PM

Thank you in advance!
Read and executed "Prep guide for use before posting..." thank you, well written, wish I found that earlier...

My day began with noticing SearchUs.exe on the desktop and 12 IE windows open and running. I have run ad-aware, spybot, sdfix, combofix, McAfee Stinger, installed and ran Avast anti-virus (which btw keeps asking to restart my op system?). I have disabled still the system restore feature.

When booting, towards the end of the process a command window pops up (at least one, sometimes three or four) with c:\windows\system32\igf[someting, too fast to read] .exe and other exe windows... Then the fun begins.

Last evening before running any tools a reboot would end in the blue screen of death; made progress since then I hope.

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:28 PM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\troy44.exe
C:\WINDOWS\troy44.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
C:\WINDOWS\troy44 .exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd .exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Apoint\Apoint .exe
C:\WINDOWS\troy44 .exe
C:\WINDOWS\system32\dla\tfswctrl .exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\RAMAsst.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/learnmore/learnm...amp;lcode=en-us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 198.18.0.1:8080
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkklk.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe
O4 - HKLM\..\Run: [troy44 ] C:\WINDOWS\troy44 .exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" -scheduler
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Startup: United Airlines Timetable Update Application.lnk = F:\United TravelDesk\United Airlines Timetable Update Application\ua_conduit_en.exe
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMAsst.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/141p/html/gtdownlr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178970003953
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12101 bytes

BC AdBot (Login to Remove)

 


m

#2 rskerm

rskerm
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 29 December 2007 - 09:32 PM

Here's the SDFix log file:


SDFix: Version 1.120

Run by rskerm on Sat 12/29/2007 at 09:13 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 21:23:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Thu 1 Jun 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 27 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 27 Dec 2007 45,816 ...H. --- "C:\Documents and Settings\rskerm\My Documents\eFax Messenger 4.2\J2GPlus.exe-BarState"
Mon 6 Aug 2001 105,984 ...H. --- "C:\Documents and Settings\rskerm\My Documents\Personal My Documents\~WRL0230.tmp"
Mon 6 Aug 2001 105,984 ...H. --- "C:\Documents and Settings\rskerm\My Documents\Personal My Documents\~WRL1897.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Wed 19 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BITC.tmp"
Sat 12 May 2007 30,208 ...H. --- "C:\Documents and Settings\rskerm\Application Data\Microsoft\Word\~WRL0005.tmp"
Wed 3 Oct 2007 30,208 ...H. --- "C:\Documents and Settings\rskerm\Application Data\Microsoft\Word\~WRL0444.tmp"
Thu 4 Oct 2007 30,208 ...H. --- "C:\Documents and Settings\rskerm\Application Data\Microsoft\Word\~WRL0620.tmp"
Sun 13 May 2007 30,208 ...H. --- "C:\Documents and Settings\rskerm\Application Data\Microsoft\Word\~WRL2063.tmp"
Mon 2 Jul 2007 30,208 ...H. --- "C:\Documents and Settings\rskerm\Application Data\Microsoft\Word\~WRL2157.tmp"
Sat 20 Oct 2007 30,208 ...H. --- "C:\Documents and Settings\rskerm\Application Data\Microsoft\Word\~WRL2567.tmp"
Mon 2 Oct 2006 31,232 ...H. --- "C:\Documents and Settings\rskerm\Application Data\Microsoft\Word\~WRL2621.tmp"
Tue 28 Aug 2007 0 ...H. --- "C:\Documents and Settings\rskerm\Application Data\Microsoft\Word\~WRL2959.tmp"
Tue 28 Aug 2007 0 ...H. --- "C:\Documents and Settings\rskerm\Application Data\Microsoft\Word\~WRL3334.tmp"
Wed 3 Oct 2007 32,256 ...H. --- "C:\Documents and Settings\rskerm\Application Data\Microsoft\Word\~WRL3908.tmp"
Mon 2 Oct 2006 31,232 ...H. --- "C:\Documents and Settings\rskerm\Application Data\Microsoft\Word\~WRL4028.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\rskerm\Application Data\U3\temp\Launchpad Removal.exe"
Mon 14 May 2007 74,240 ...H. --- "C:\Documents and Settings\rskerm\My Documents\DeltaVeeMotorsports\Advertising\~WRL0318.tmp"
Mon 14 May 2007 74,752 ...H. --- "C:\Documents and Settings\rskerm\My Documents\DeltaVeeMotorsports\Advertising\~WRL0639.tmp"
Mon 14 May 2007 74,240 ...H. --- "C:\Documents and Settings\rskerm\My Documents\DeltaVeeMotorsports\Advertising\~WRL0990.tmp"
Mon 14 May 2007 37,888 ...H. --- "C:\Documents and Settings\rskerm\My Documents\DeltaVeeMotorsports\Advertising\~WRL3429.tmp"
Tue 22 May 2001 22,016 ...H. --- "C:\Documents and Settings\rskerm\My Documents\Personal My Documents\Capital Equipment Leasing\~WRL0004.tmp"
Tue 22 May 2001 23,552 ...H. --- "C:\Documents and Settings\rskerm\My Documents\Personal My Documents\Capital Equipment Leasing\~WRL2441.tmp"
Fri 7 Jul 2000 36,352 ...H. --- "C:\Documents and Settings\rskerm\My Documents\Personal My Documents\Ferrari-Racing stuff\~WRL0004.tmp"
Wed 16 Aug 2000 20,992 ...H. --- "C:\Documents and Settings\rskerm\My Documents\Personal My Documents\Ferrari-Racing stuff\~WRL1418.tmp"
Wed 16 Aug 2000 21,504 ...H. --- "C:\Documents and Settings\rskerm\My Documents\Personal My Documents\Ferrari-Racing stuff\~WRL3878.tmp"
Tue 28 Aug 2007 37,888 ...H. --- "C:\Documents and Settings\rskerm\My Documents\Personal My Documents\Job Career related\~WRL3868.tmp"
Mon 10 Feb 2003 34,816 ...H. --- "C:\Documents and Settings\rskerm\My Documents\Personal My Documents\Moriss Dampers\~WRL2327.tmp"
Mon 10 Feb 2003 31,232 ...H. --- "C:\Documents and Settings\rskerm\My Documents\Personal My Documents\Moriss Dampers\~WRL4038.tmp"
Thu 16 Nov 2006 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BIT5D.tmp"
Thu 21 Feb 2002 20,992 A..H. --- "C:\Documents and Settings\rskerm\My Documents\Personal My Documents\Wedding\Wedding stuff\~WRL1774.tmp"
Mon 28 Jun 2004 147,456 ...H. --- "C:\Documents and Settings\rskerm\My Documents\Ride n Drive\Auto Manufacturers\Subaru\~WRL0738.tmp"
Mon 28 Jun 2004 138,752 ...H. --- "C:\Documents and Settings\rskerm\My Documents\Ride n Drive\Auto Manufacturers\Subaru\~WRL0813.tmp"
Mon 28 Jun 2004 138,752 ...H. --- "C:\Documents and Settings\rskerm\My Documents\Ride n Drive\Auto Manufacturers\Subaru\~WRL2018.tmp"
Wed 8 Oct 2003 46,592 A..H. --- "C:\Documents and Settings\rskerm\My Documents\Ride n Drive\e-motion group, inc\Scrips\~WRL3009.tmp"
Wed 8 Oct 2003 47,104 A..H. --- "C:\Documents and Settings\rskerm\My Documents\Ride n Drive\e-motion group, inc\Scrips\~WRL3364.tmp"
Mon 19 Jul 2004 24,064 A..H. --- "C:\Documents and Settings\rskerm\My Documents\Ride n Drive\e-motion group, inc\Testing\~WRL1882.tmp"
Tue 10 Apr 2007 45,056 ...H. --- "C:\Documents and Settings\rskerm\My Documents\Ride n Drive\Auto Manufacturers\DCX\07 Spring\~WRL0003.tmp"
Tue 1 Feb 2005 1,562,624 ...H. --- "C:\Documents and Settings\rskerm\My Documents\Ride n Drive\Auto Manufacturers\Ford\Driving Skills for Life\~WRL3521.tmp"

Finished!

#3 rskerm

rskerm
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 29 December 2007 - 09:48 PM

Here's ComboFix:

ComboFix 07-12-21.4 - rskerm 2007-12-29 21:35:23.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.560 [GMT -5:00]
Running from: C:\Documents and Settings\rskerm\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\klkkj.ini
C:\WINDOWS\system32\klkkj.ini2

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 )))))))))))))))))))))))))))))))
.

2007-12-29 21:42 . 2007-12-29 21:42 212,992 --a------ C:\WINDOWS\troy44 .exe
2007-12-29 21:41 . 2007-12-29 21:41 344,576 --------- C:\WINDOWS\system32\jkklk.dll
2007-12-29 21:41 . 2007-12-29 21:44 319 --ahs---- C:\WINDOWS\system32\klkkj.ini
2007-12-29 20:29 . 2007-12-29 20:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-29 20:21 . 2007-12-29 21:41 463,872 --a------ C:\WINDOWS\system32\igfxpers .exe
2007-12-29 18:46 . 2007-12-29 18:46 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-29 18:46 . 2007-12-29 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-29 18:45 . 2007-12-29 18:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-29 11:01 . 2007-12-29 11:01 21,760 --a------ C:\WINDOWS\Hqy76.sys
2007-12-29 09:07 . 2007-12-29 09:08 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-29 07:46 . 2007-12-29 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-29 07:26 . 2007-12-29 09:36 409,088 --a------ C:\WINDOWS\system32\kjdsrngl.exe
2007-12-29 07:25 . 2007-12-29 21:41 94,208 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-29 07:22 . 2007-12-29 07:22 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-29 07:22 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-29 07:22 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-29 07:22 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-29 07:22 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-29 07:22 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-29 07:22 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-29 07:22 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-29 07:22 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-28 20:33 . 2007-12-29 11:57 0 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-28 20:32 . 2007-12-29 21:42 563,200 --a------ C:\WINDOWS\troy44 .exe
2007-12-28 20:32 . 2007-12-29 21:41 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2007-12-28 20:32 . 2007-12-29 21:42 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-28 20:31 . 2007-12-29 21:41 443,392 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-28 20:03 . 2007-12-29 21:42 348,160 --a------ C:\WINDOWS\system32\jkklk.exe
2007-12-28 20:00 . 2007-12-28 20:00 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2007-12-28 19:59 . 2007-12-29 20:36 <DIR> d-------- C:\Program Files\Spruce
2007-12-28 19:59 . 2007-12-28 19:59 42,496 --a------ C:\329.tmp
2007-12-28 19:57 . 2007-12-28 19:57 58,368 --a------ C:\tsqfy.exe
2007-12-28 19:57 . 2007-12-28 19:57 27,648 --a------ C:\cydgnb.exe
2007-12-28 19:56 . 2007-12-29 19:26 <DIR> d-------- C:\WINDOWS\system32\mr9
2007-12-28 19:56 . 2007-12-28 19:57 <DIR> d-------- C:\WINDOWS\system32\cc9
2007-12-28 19:56 . 2007-12-28 19:56 <DIR> d-------- C:\WINDOWS\system32\ardCo17
2007-12-28 19:56 . 2007-12-29 19:26 <DIR> d-------- C:\WINDOWS\system32\aj2
2007-12-28 19:56 . 2007-12-29 19:26 <DIR> d-------- C:\WINDOWS\cnNrZXJt
2007-12-28 19:56 . 2007-12-28 19:56 <DIR> d-------- C:\Temp\cEeer12
2007-12-22 16:55 . 2007-12-22 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
2007-12-19 17:05 . 2007-12-29 21:21 563,200 --a------ C:\WINDOWS\troy44.exe
2007-12-16 11:41 . 2007-12-16 11:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-16 11:41 . 2007-12-16 11:41 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-10 13:44 . 2007-12-10 13:44 <DIR> d-------- C:\Documents and Settings\rskerm\Application Data\Viewpoint
2007-12-03 12:35 . 2007-12-03 12:35 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-01 13:06 . 2007-12-03 12:39 <DIR> d-------- C:\Documents and Settings\rskerm\Application Data\Roxio
2007-12-01 13:06 . 2007-12-01 13:06 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2007-12-01 12:16 . 2007-12-01 12:16 <DIR> d-------- C:\Documents and Settings\rskerm\Application Data\Blackberry Desktop
2007-12-01 11:09 . 2007-12-01 11:09 <DIR> d-------- C:\Documents and Settings\rskerm\Application Data\Research In Motion
2007-12-01 11:09 . 2007-12-29 21:30 256 --a------ C:\WINDOWS\system32\pool.bin
2007-12-01 11:04 . 2007-12-01 11:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-01 11:01 . 2007-12-01 11:03 <DIR> d-------- C:\Program Files\Roxio
2007-12-01 11:01 . 2007-12-01 11:03 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-12-01 11:01 . 2007-12-01 11:02 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2007-12-01 11:01 . 2007-12-01 11:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2007-12-01 10:53 . 2007-12-01 10:53 <DIR> d-------- C:\Program Files\Research In Motion
2007-11-30 16:01 . 2007-11-30 16:01 <DIR> d-------- C:\Documents and Settings\rskerm\Application Data\Smith Micro
2007-11-30 15:55 . 2007-11-30 15:55 <DIR> d-------- C:\Program Files\Verizon Wireless
2007-11-30 15:55 . 2007-11-30 15:55 <DIR> d-------- C:\Program Files\Novatel Wireless
2007-11-30 15:55 . 2007-12-01 10:54 <DIR> d-------- C:\Program Files\Common Files\Research in Motion
2007-11-30 15:55 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2007-11-02 08:23 . 2007-11-02 08:23 <DIR> d-------- C:\Documents and Settings\ang\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 02:42 812,032 ----a-w C:\WINDOWS\system32\igfxpers.exe
2007-12-30 02:42 --------- d-----w C:\Program Files\QuickTime
2007-12-30 02:42 --------- d-----w C:\Program Files\eFax Messenger 4.2
2007-12-30 02:42 --------- d-----w C:\Program Files\Apoint
2007-12-30 02:41 365,056 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-30 02:35 792,576 ----a-w C:\WINDOWS\system32\igfxtray.exe
2007-12-30 02:21 427,008 ----a-w C:\WINDOWS\system32\hkcmd.exe
2007-12-29 13:53 --------- d-----w C:\Documents and Settings\rskerm\Application Data\U3
2007-12-29 01:25 --------- d-----w C:\Documents and Settings\rskerm\Application Data\Azureus
2007-12-29 00:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-27 11:08 --------- d-----w C:\Program Files\Azureus
2007-12-22 10:53 --------- d-----w C:\Program Files\IrfanView
2007-12-20 16:22 --------- d-----w C:\Documents and Settings\rskerm\Application Data\AdobeUM
2007-12-10 18:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-06 12:08 --------- d-----w C:\Program Files\yEnc32
2007-12-01 16:09 --------- d-----w C:\Documents and Settings\rskerm\Application Data\InstallShield
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-23 17:44 51,712 ----a-w C:\WINDOWS\runepson.exe
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-06-03 15:54 92,064 ----a-w C:\Documents and Settings\rskerm\mqdmmdm.sys
2007-06-03 15:54 9,232 ----a-w C:\Documents and Settings\rskerm\mqdmmdfl.sys
2007-06-03 15:54 79,328 ----a-w C:\Documents and Settings\rskerm\mqdmserd.sys
2007-06-03 15:54 66,656 ----a-w C:\Documents and Settings\rskerm\mqdmbus.sys
2007-06-03 15:54 6,208 ----a-w C:\Documents and Settings\rskerm\mqdmcmnt.sys
2007-06-03 15:54 5,936 ----a-w C:\Documents and Settings\rskerm\mqdmwhnt.sys
2007-06-03 15:54 4,048 ----a-w C:\Documents and Settings\rskerm\mqdmcr.sys
2007-06-03 15:54 25,600 ----a-w C:\Documents and Settings\rskerm\usbsermptxp.sys
2007-06-03 15:54 22,768 ----a-w C:\Documents and Settings\rskerm\usbsermpt.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-29_11.04.44.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-29 14:08:56 9,990,144 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-12-30 02:11:40 9,920,512 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2007-12-29 14:08:57 303,104 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-30 02:11:40 303,104 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-29 23:46:56 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2007-12-29 23:46:56 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2007-12-29 23:46:56 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2007-12-29 23:46:56 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
- 2007-12-29 16:03:19 127,035 ----a-w C:\WINDOWS\system32\dla\tfswctrl .exe
+ 2007-12-30 02:42:04 127,035 ----a-w C:\WINDOWS\system32\dla\tfswctrl .exe
- 2007-12-29 14:35:56 501,760 ----a-w C:\WINDOWS\system32\dla\tfswctrl.exe
+ 2007-12-30 02:21:33 501,760 ----a-w C:\WINDOWS\system32\dla\tfswctrl.exe
+ 2007-07-11 18:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 17:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 17:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
+ 2007-12-30 02:41:26 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6d0.dat
+ 2007-12-30 02:42:59 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_b70.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{477840F3-BA52-44D9-8E41-38D61CAA010F}]
C:\WINDOWS\system32\egmulhxk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]
2007-11-29 10:28 401408 --a------ C:\Program Files\Spruce\Spruce.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E3ADBB4-2B5A-473C-82C0-BBA884A19C6D}]
C:\Program Files\Messenger\hotehy4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F78CAFFB-86A9-4F2C-A03E-C1FB68E46033}]
2007-12-29 21:41 344576 --------- C:\WINDOWS\system32\jkklk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-29 21:41]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" [2007-12-29 21:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2007-12-29 21:42]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-12-29 21:21]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-29 21:35]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-29 21:42]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-29 21:21]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset .exe" [2007-12-29 21:42]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-12-29 21:21]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2007-12-29 21:35]
"ShowLOMControl"="" []
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2007-12-29 21:42]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-29 21:21]
"eFax 4.2"="C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [2007-12-29 21:21]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2007-12-29 21:21]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2007-12-29 21:21]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-29 21:42]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" []
"troy44"="C:\WINDOWS\troy44.exe" [2007-12-29 21:21]
"troy44 "="C:\WINDOWS\troy44 .exe" [2007-12-29 21:42]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-29 21:42]
"troy44 "="C:\WINDOWS\troy44 .exe" [2007-12-29 21:42]

C:\Documents and Settings\rskerm\Start Menu\Programs\Startup\
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-08-17 09:14:08]
Spruce - Auto Update.lnk - C:\Program Files\Spruce\Spruce.exe [2007-12-28 19:59:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 23:37:56]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-30 10:49:58]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-30 10:49:58]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-13 20:53:28]
EPSON Status Monitor 3 Environment Check(2).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-10-23 12:55:09]
RAMASST.lnk - C:\WINDOWS\system32\RAMAsst.exe [2007-08-11 15:48:16]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\jkklk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkklk

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hqy76.sys]
@="Driver"

R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 16:46]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver;C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS [2002-11-26 14:54]
S3 SWMX00;Sierra Wireless USB MUX Driver (#00);C:\WINDOWS\system32\DRIVERS\swmx00.sys [2007-02-22 16:26]
S3 SWNC5E00;Sierra Wireless MUX NDIS Driver (#00);C:\WINDOWS\system32\DRIVERS\SWNC5E00.sys [2007-01-12 13:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0536edff-4f06-11dc-b3d8-00166f6af027}]
\Shell\AutoRun\command - D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5814c59-1438-11db-b30f-00166f6af027}]
\Shell\AutoRun\command - rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff7e000f-02f1-11dc-b3b5-00166f6af027}]
\Shell\AutoRun\command - D:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-29 16:47:11 C:\WINDOWS\Tasks\User_Feed_Synchronization-{17CEB31D-307D-4643-8C31-AC7354933824}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 21:44:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\klkkj.ini2 6516 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\jkklk.dll
.
Completion time: 2007-12-29 21:46:13 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-29 17:42
C:\ComboFix3.txt ... 2007-12-29 11:05
.
2007-12-15 18:33:46 --- E O F ---

#4 Demon Cleaner

Demon Cleaner

  • Members
  • 1,383 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chester uk
  • Local time:07:07 AM

Posted 06 January 2008 - 02:24 AM

Hi rskerm

Welcome to Bleeping Computer

I will be helping you with your problems.

Please post a fresh Hijackthis log for me to peruse.

DC

#5 rskerm

rskerm
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 06 January 2008 - 05:51 AM

Thank you!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:52 AM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd .exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
C:\Program Files\Apoint\Apoint .exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd .exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
C:\WINDOWS\system32\dla\tfswctrl .exe
C:\WINDOWS\troy44.exe
C:\WINDOWS\troy44.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\troy44.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\troy44 .exe
C:\WINDOWS\troy44 .exe
C:\WINDOWS\troy44 .exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\RAMAsst.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Spruce\X_Spruce.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/learnmore/learnm...amp;lcode=en-us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 198.18.0.1:8080
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkklk.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: egmulhxk.msdn_hlp - {477840F3-BA52-44D9-8E41-38D61CAA010F} - C:\WINDOWS\system32\egmulhxk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E3ADBB4-2B5A-473C-82C0-BBA884A19C6D} - C:\Program Files\Messenger\hotehy4444.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe
O4 - HKLM\..\Run: [troy44 ] C:\WINDOWS\troy44 .exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [troy44 ] C:\WINDOWS\troy44 .exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" -scheduler
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Startup: United Airlines Timetable Update Application.lnk = F:\United TravelDesk\United Airlines Timetable Update Application\ua_conduit_en.exe
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMAsst.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/141p/html/gtdownlr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178970003953
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 13595 bytes

#6 rskerm

rskerm
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 06 January 2008 - 09:49 AM

Here's a new one after researching troy44.exe and removing it:

Thanks again.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:26 AM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\hkcmd .exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apoint .exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd .exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\dla\tfswctrl .exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\RAMAsst.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/learnmore/learnm...amp;lcode=en-us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 198.18.0.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: egmulhxk.msdn_hlp - {477840F3-BA52-44D9-8E41-38D61CAA010F} - C:\WINDOWS\system32\egmulhxk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E3ADBB4-2B5A-473C-82C0-BBA884A19C6D} - C:\Program Files\Messenger\hotehy4444.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" -scheduler
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Startup: United Airlines Timetable Update Application.lnk = F:\United TravelDesk\United Airlines Timetable Update Application\ua_conduit_en.exe
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMAsst.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/141p/html/gtdownlr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178970003953
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 13299 bytes

#7 Demon Cleaner

Demon Cleaner

  • Members
  • 1,383 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chester uk
  • Local time:07:07 AM

Posted 06 January 2008 - 03:19 PM

Hi rskerm

Tools like Combofix, Sdfix and Hijackthis should only be used by experts as incorrect use can render your machine unusable and needing a reformat.

Please dont make any system changes other than instructed to i tell you that you are clean.


Please delete any existing copies of combofix that you may have as it is being updated everyday

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


DC

#8 rskerm

rskerm
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 06 January 2008 - 11:05 PM

Thank you for your help!

ComboFix 08-01-04.1 - rskerm 2008-01-06 22:46:03.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.583 [GMT -5:00]
Running from: C:\Documents and Settings\rskerm\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM .exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
C:\Program Files\Alwil Software\Avast4\ashDisp .exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spruce
C:\Program Files\Spruce\Spruce.dll
C:\Program Files\Spruce\Spruce.dll.intermediate.manifest
C:\Program Files\Spruce\Spruce.exe
C:\Program Files\Spruce\Spruce.info
C:\Program Files\Spruce\Spruce.original
C:\Program Files\Spruce\SpruceRg.dll
C:\Program Files\Spruce\un_SpruceSetup_17737.exe
C:\Program Files\Spruce\un_SpruceSetup_17737.txt
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\Spruce\X_Spruce.log
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\jkklk.exe
C:\WINDOWS\system32\klkkj.ini
C:\WINDOWS\system32\klkkj.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\RCX41.tmp

<pre>
"C:\Program Files\Alwil Software\Avast4\ashDisp .exe" moved to QooBox
"C:\Program Files\Apoint\Apoint .exe" replaces infected copy of "C:\Program Files\Apoint\Apoint.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe" replaces infected copy of "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" replaces infected copy of "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe" replaces infected copy of "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe" replaces infected copy of "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
"C:\Program Files\Dell\QuickSet\quickset .exe" replaces infected copy of "C:\Program Files\Dell\QuickSet\quickset.exe"
"C:\Program Files\eFax Messenger 4.2\J2GDllCmd .exe" replaces infected copy of "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe"
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe" replaces infected copy of "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe" replaces infected copy of "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe" replaces infected copy of "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe"
"C:\Program Files\QuickTime\qttask						  .exe" replaces infected copy of "C:\Program Files\QuickTime\qttask.exe"
Error moving C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe to C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe: 5.
"C:\WINDOWS\system32\ctfmon .exe" moved to QooBox
"C:\WINDOWS\system32\hkcmd .exe" replaces infected copy of "C:\WINDOWS\system32\hkcmd.exe"
"C:\WINDOWS\system32\igfxpers .exe" replaces infected copy of "C:\WINDOWS\system32\igfxpers.exe"
"C:\WINDOWS\system32\igfxtray  .exe" replaces infected copy of "C:\WINDOWS\system32\igfxtray.exe"
"C:\WINDOWS\system32\dla\tfswctrl .exe" replaces infected copy of "C:\WINDOWS\system32\dla\tfswctrl.exe"
</pre>
.
.
((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-06 22:44 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 08:14 . 2008-01-05 16:52 212,992 --a------ C:\WINDOWS\troy44 .exe
2007-12-30 08:30 . 2008-01-06 22:53 1,126,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-30 08:30 . 2008-01-06 22:51 14,228 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-30 08:25 . 2007-12-30 08:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-30 08:25 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-12-30 08:25 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-12-30 08:25 . 2007-12-30 08:28 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-12-30 08:24 . 2007-12-30 08:25 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-12-30 08:24 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-12-30 08:24 . 2008-01-06 22:53 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml
2007-12-30 08:23 . 2008-01-06 22:42 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-29 20:29 . 2007-12-29 20:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-29 20:21 . 2008-01-06 22:40 463,872 --a------ C:\WINDOWS\system32\igfxpers.exe
2007-12-29 18:46 . 2007-12-29 18:46 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-29 18:46 . 2007-12-29 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-29 18:45 . 2007-12-29 18:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-29 11:01 . 2007-12-29 11:01 21,760 --a------ C:\WINDOWS\Hqy76.sys
2007-12-29 09:07 . 2007-12-29 09:08 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-29 07:46 . 2008-01-06 09:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-29 07:25 . 2008-01-06 22:40 94,208 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-12-29 07:22 . 2007-12-29 07:22 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-29 07:22 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-29 07:22 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-29 07:22 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-29 07:22 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-29 07:22 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-29 07:22 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-29 07:22 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-29 07:22 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-28 20:32 . 2008-01-06 22:40 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-12-28 20:00 . 2007-12-28 20:00 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2007-12-28 19:59 . 2007-12-28 19:59 42,496 --a------ C:\329.tmp
2007-12-28 19:57 . 2007-12-28 19:57 58,368 --a------ C:\tsqfy.exe
2007-12-28 19:57 . 2007-12-28 19:57 27,648 --a------ C:\cydgnb.exe
2007-12-28 19:56 . 2007-12-29 19:26 <DIR> d-------- C:\WINDOWS\system32\mr9
2007-12-28 19:56 . 2007-12-28 19:57 <DIR> d-------- C:\WINDOWS\system32\cc9
2007-12-28 19:56 . 2007-12-28 19:56 <DIR> d-------- C:\WINDOWS\system32\ardCo17
2007-12-28 19:56 . 2007-12-29 19:26 <DIR> d-------- C:\WINDOWS\system32\aj2
2007-12-28 19:56 . 2007-12-29 19:26 <DIR> d-------- C:\WINDOWS\cnNrZXJt
2007-12-28 19:56 . 2007-12-28 19:56 <DIR> d-------- C:\Temp\cEeer12
2007-12-22 16:55 . 2007-12-22 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
2007-12-16 11:41 . 2007-12-16 11:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-16 11:41 . 2007-12-16 11:41 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-10 13:44 . 2007-12-10 13:44 <DIR> d-------- C:\Documents and Settings\rskerm\Application Data\Viewpoint

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-07 03:52 --------- d-----w C:\Program Files\QuickTime
2008-01-07 03:52 --------- d-----w C:\Program Files\eFax Messenger 4.2
2008-01-07 03:52 --------- d-----w C:\Program Files\Apoint
2008-01-04 16:09 --------- d-----w C:\Program Files\IrfanView
2008-01-02 13:06 --------- d-----w C:\Program Files\WinAce
2007-12-29 13:53 --------- d-----w C:\Documents and Settings\rskerm\Application Data\U3
2007-12-29 01:25 --------- d-----w C:\Documents and Settings\rskerm\Application Data\Azureus
2007-12-29 00:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-27 11:08 --------- d-----w C:\Program Files\Azureus
2007-12-20 16:22 --------- d-----w C:\Documents and Settings\rskerm\Application Data\AdobeUM
2007-12-10 18:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-06 12:08 --------- d-----w C:\Program Files\yEnc32
2007-12-03 17:39 --------- d-----w C:\Documents and Settings\rskerm\Application Data\Roxio
2007-12-03 17:35 --------- d-----w C:\Program Files\MSXML 6.0
2007-12-01 18:06 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2007-12-01 17:16 --------- d-----w C:\Documents and Settings\rskerm\Application Data\Blackberry Desktop
2007-12-01 16:09 --------- d-----w C:\Documents and Settings\rskerm\Application Data\Research In Motion
2007-12-01 16:09 --------- d-----w C:\Documents and Settings\rskerm\Application Data\InstallShield
2007-12-01 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2007-12-01 16:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-01 16:03 --------- d-----w C:\Program Files\Roxio
2007-12-01 16:03 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-12-01 16:02 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-12-01 15:54 --------- d-----w C:\Program Files\Common Files\Research in Motion
2007-12-01 15:53 --------- d-----w C:\Program Files\Research In Motion
2007-11-30 21:01 --------- d-----w C:\Documents and Settings\rskerm\Application Data\Smith Micro
2007-11-30 20:55 --------- d-----w C:\Program Files\Verizon Wireless
2007-11-30 20:55 --------- d-----w C:\Program Files\Novatel Wireless
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-23 17:44 51,712 ----a-w C:\WINDOWS\runepson.exe
2007-06-03 15:54 92,064 ----a-w C:\Documents and Settings\rskerm\mqdmmdm.sys
2007-06-03 15:54 9,232 ----a-w C:\Documents and Settings\rskerm\mqdmmdfl.sys
2007-06-03 15:54 79,328 ----a-w C:\Documents and Settings\rskerm\mqdmserd.sys
2007-06-03 15:54 66,656 ----a-w C:\Documents and Settings\rskerm\mqdmbus.sys
2007-06-03 15:54 6,208 ----a-w C:\Documents and Settings\rskerm\mqdmcmnt.sys
2007-06-03 15:54 5,936 ----a-w C:\Documents and Settings\rskerm\mqdmwhnt.sys
2007-06-03 15:54 4,048 ----a-w C:\Documents and Settings\rskerm\mqdmcr.sys
2007-06-03 15:54 25,600 ----a-w C:\Documents and Settings\rskerm\usbsermptxp.sys
2007-06-03 15:54 22,768 ----a-w C:\Documents and Settings\rskerm\usbsermpt.sys
.
<pre>
----a-w		   236,016 2007-12-29 12:25:20  C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe
----a-w		   919,016 2008-01-07 03:41:08  C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
----a-w		   212,992 2008-01-05 21:52:10  C:\WINDOWS\troy44 .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2007-12-29_11.04.44.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-29 14:08:56 9,990,144 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-12-30 02:11:40 9,920,512 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2007-12-29 14:08:57 303,104 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-30 02:11:40 303,104 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-29 23:46:56 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2007-12-29 23:46:56 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2007-12-29 23:46:56 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2007-12-29 23:46:56 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
- 2007-12-29 14:05:33 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-05 20:06:11 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-29 14:05:33 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-05 20:06:11 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-05 20:06:11 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-07-11 18:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 17:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-07-19 20:10:28 127,768 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2007-08-07 17:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-11-14 21:04:46 796,048 ----a-w C:\WINDOWS\system32\libeay32_0.9.6l.dll
+ 2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2007-12-14 02:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 13:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-11-14 21:04:52 83,432 ----a-w C:\WINDOWS\system32\vsdata.dll
+ 2007-11-14 21:05:16 394,952 ----a-w C:\WINDOWS\system32\vsdatant.sys
+ 2007-11-14 21:04:52 157,160 ----a-w C:\WINDOWS\system32\vsinit.dll
+ 2007-11-14 21:04:52 103,912 ----a-w C:\WINDOWS\system32\vsmonapi.dll
+ 2007-11-14 21:04:52 275,944 ----a-w C:\WINDOWS\system32\vspubapi.dll
+ 2007-11-14 21:04:52 71,144 ----a-w C:\WINDOWS\system32\vsregexp.dll
+ 2007-11-14 21:04:54 472,552 ----a-w C:\WINDOWS\system32\vsutil.dll
+ 2007-11-14 21:04:54 46,568 ----a-w C:\WINDOWS\system32\vswmi.dll
+ 2007-11-14 21:04:54 99,816 ----a-w C:\WINDOWS\system32\vsxml.dll
+ 2007-11-14 21:04:56 83,432 ----a-w C:\WINDOWS\system32\zlcomm.dll
+ 2007-11-14 21:04:56 71,144 ----a-w C:\WINDOWS\system32\zlcommdb.dll
+ 2007-11-14 21:04:44 370,208 ----a-w C:\WINDOWS\system32\ZoneLabs\av.dll
+ 2007-05-31 05:03:30 65,248 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\aphish.dat
+ 2006-06-30 19:47:36 21,568 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\avcmhk4.dll
+ 2007-05-31 05:03:16 77,824 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll
+ 2007-05-31 05:03:16 110,592 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll
+ 2007-05-31 05:03:16 331,776 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll
+ 2007-05-31 05:03:16 38,400 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll
+ 2007-07-19 20:10:32 110,360 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\kl1.sys
+ 2007-07-19 20:10:32 186,128 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\klif.sys
+ 2007-05-31 05:03:48 110,360 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\kl1.sys
+ 2007-07-19 20:10:28 127,768 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\klif.sys
+ 2007-05-31 05:03:50 45,056 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\regcat.exe
+ 2006-09-20 04:12:14 208,960 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\inv.dll
+ 2007-09-12 02:09:16 274,432 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
+ 2006-12-19 23:13:52 1,093,632 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\libeay32.dll
+ 2007-05-31 05:03:20 548,864 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcp80.dll
+ 2007-05-31 05:03:20 626,688 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcr80.dll
+ 2007-05-31 05:03:18 184,320 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
+ 2007-05-31 05:03:22 90,112 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prremote.dll
+ 2007-09-12 02:09:16 135,168 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
+ 2006-12-19 23:13:52 200,704 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ssleay32.dll
+ 2007-11-14 21:04:44 99,816 ----a-w C:\WINDOWS\system32\ZoneLabs\camupd.dll
+ 2004-01-30 17:35:08 813,568 ----a-w C:\WINDOWS\system32\ZoneLabs\dbghelp.dll
+ 2007-11-14 21:04:46 128,480 ----a-w C:\WINDOWS\system32\ZoneLabs\fbl.dll
+ 2007-11-14 21:04:46 38,376 ----a-w C:\WINDOWS\system32\ZoneLabs\featuremap.dll
+ 2007-11-14 21:04:46 321,016 ----a-w C:\WINDOWS\system32\ZoneLabs\imsecure.dll
+ 2007-11-14 21:05:18 288,144 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2007-11-14 21:05:18 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2007-11-14 21:05:18 26,000 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
+ 2007-11-14 21:05:18 1,361,296 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
+ 2007-11-14 21:05:20 71,056 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
+ 2007-11-14 21:06:34 30,184 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2007-11-14 21:06:36 30,216 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2007-10-19 01:18:38 714,208 ----a-w C:\WINDOWS\system32\ZoneLabs\qrbase.dll
+ 2007-10-19 01:18:38 787,936 ----a-w C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
+ 2007-11-14 21:04:48 173,544 ----a-w C:\WINDOWS\system32\ZoneLabs\scheduler.dll
+ 2007-01-11 16:12:08 2,432,259 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2007-10-19 01:18:40 1,500,640 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.dll
+ 2007-10-19 01:18:44 51,176 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.sys
+ 2007-11-14 21:04:50 456,168 ----a-w C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
+ 2007-11-14 21:06:36 214,528 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2007-11-14 21:06:36 3,266,040 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
+ 2006-09-05 01:59:14 503,875 ----a-w C:\WINDOWS\system32\ZoneLabs\upd_core.dll
+ 2007-10-11 21:50:32 832,984 ----a-w C:\WINDOWS\system32\ZoneLabs\updating.dll
+ 2007-11-14 21:05:06 144,936 ----a-w C:\WINDOWS\system32\ZoneLabs\updclient.exe
+ 2007-01-11 22:31:06 286,787 ----a-w C:\WINDOWS\system32\ZoneLabs\updtrsdk.dll
+ 2007-11-14 21:04:52 108,008 ----a-w C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
+ 2007-11-14 21:04:52 83,432 ----a-w C:\WINDOWS\system32\ZoneLabs\vsdb.dll
+ 2007-11-14 21:05:06 75,304 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmon.exe
+ 2007-11-14 21:04:52 2,029,032 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmondll.dll
+ 2007-11-14 21:04:54 1,361,384 ----a-w C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
+ 2007-11-14 21:04:54 239,080 ----a-w C:\WINDOWS\system32\ZoneLabs\vsvault.dll
+ 2007-01-11 16:12:08 2,432,259 ----a-w C:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
+ 2007-11-14 21:04:56 177,640 ----a-w C:\WINDOWS\system32\ZoneLabs\zlparser.dll
+ 2007-11-14 21:04:56 79,344 ----a-w C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
+ 2007-11-14 21:04:58 382,440 ----a-w C:\WINDOWS\system32\ZoneLabs\zlsre.dll
+ 2007-11-14 21:04:58 120,296 ----a-w C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
+ 2008-01-07 03:52:36 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7f4.dat
+ 2008-01-07 03:53:22 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_9f4.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{477840F3-BA52-44D9-8E41-38D61CAA010F}]
C:\WINDOWS\system32\egmulhxk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E3ADBB4-2B5A-473C-82C0-BBA884A19C6D}]
C:\Program Files\Messenger\hotehy4444.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-06 22:41 68856]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-01-06 22:40 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-01-06 22:40 86960]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-01-06 22:40 385024]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-06 22:40 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2008-01-06 22:40 463872]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-06 22:40 77824]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2008-01-06 22:40 839680]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2008-01-06 22:40 176128]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-06 22:40 110592]
"ShowLOMControl"="" []
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-01-06 22:40 218032]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-06 22:41 1838592]
"eFax 4.2"="C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [2008-01-06 22:41 107008]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2008-01-06 22:41 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2008-01-06 22:41 127035]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [ ]
"troy44"="C:\WINDOWS\troy44.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 23:37:56]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-30 10:49:58]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-30 10:49:58]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-13 20:53:28]
EPSON Status Monitor 3 Environment Check(2).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-10-23 12:55:09]
RAMASST.lnk - C:\WINDOWS\system32\RAMAsst.exe [2007-08-11 15:48:16]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hqy76.sys]
@="Driver"

R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 16:46]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver;C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS [2002-11-26 14:54]
S3 SWMX00;Sierra Wireless USB MUX Driver (#00);C:\WINDOWS\system32\DRIVERS\swmx00.sys [2007-02-22 16:26]
S3 SWNC5E00;Sierra Wireless MUX NDIS Driver (#00);C:\WINDOWS\system32\DRIVERS\SWNC5E00.sys [2007-01-12 13:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0536edff-4f06-11dc-b3d8-00166f6af027}]
\Shell\AutoRun\command - D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5814c59-1438-11db-b30f-00166f6af027}]
\Shell\AutoRun\command - rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff7e000f-02f1-11dc-b3b5-00166f6af027}]
\Shell\AutoRun\command - D:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-07 02:51:22 C:\WINDOWS\Tasks\User_Feed_Synchronization-{17CEB31D-307D-4643-8C31-AC7354933824}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 22:53:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-06 22:57:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-07 03:57:30
ComboFix2.txt 2007-12-30 02:46:14
ComboFix3.txt 2007-12-29 22:42:55
ComboFix4.txt 2007-12-29 16:05:47
.
2007-12-15 18:33:46 --- E O F ---







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:51 PM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\RAMAsst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/learnmore/learnm...amp;lcode=en-us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 198.18.0.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: egmulhxk.msdn_hlp - {477840F3-BA52-44D9-8E41-38D61CAA010F} - C:\WINDOWS\system32\egmulhxk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E3ADBB4-2B5A-473C-82C0-BBA884A19C6D} - C:\Program Files\Messenger\hotehy4444.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Startup: United Airlines Timetable Update Application.lnk = F:\United TravelDesk\United Airlines Timetable Update Application\ua_conduit_en.exe
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMAsst.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/141p/html/gtdownlr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178970003953
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12502 bytes

#9 Demon Cleaner

Demon Cleaner

  • Members
  • 1,383 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chester uk
  • Local time:07:07 AM

Posted 08 January 2008 - 04:20 PM

Hi Rskerm

1. Close any open browsers.

2. Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\egmulhxk.dll
C:\WINDOWS\system32\jpewocmz.ini
C:\tsqfy.exe
C:\cydgnb.exe
C:\329.tmp
C:\WINDOWS\troy44.exe

Folder::
C:\WINDOWS\system32\mr9
C:\WINDOWS\system32\cc9
C:\WINDOWS\system32\ardCo17
C:\WINDOWS\system32\aj2
C:\WINDOWS\cnNrZXJt
C:\Temp\cEeer12
C:\Documents and Settings\rskerm\Application Data\Viewpoint

RENV::
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
C:\WINDOWS\troy44 .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{477840F3-BA52-44D9-8E41-38D61CAA010F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"troy44"=-

Save this as CFScript.txt, in the same location as ComboFix.exe.

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe.

This will start Combofix scanning.

When finished, please post the contents of the resultant log found at "C:\ComboFix.txt" along with a fresh Hijackthis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


DC

#10 rskerm

rskerm
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 09 January 2008 - 01:06 AM

ComboFix 08-01-04.1 - rskerm 2008-01-09 0:25:15.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.471 [GMT -5:00]
Running from: C:\Documents and Settings\rskerm\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\rskerm\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\329.tmp
C:\cydgnb.exe
C:\tsqfy.exe
C:\WINDOWS\system32\egmulhxk.dll
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\troy44.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\329.tmp
C:\cydgnb.exe
C:\Documents and Settings\rskerm\Application Data\Viewpoint
C:\Documents and Settings\rskerm\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-1241215004.mtx
C:\Documents and Settings\rskerm\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\URLCache.ini
C:\Documents and Settings\rskerm\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-1233786184.mtx
C:\Documents and Settings\rskerm\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-1355542221.mts
C:\Documents and Settings\rskerm\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\URLCache.ini
C:\Documents and Settings\rskerm\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-1071658062.mtj&p2=1&p3=11313948248254473725188814714589&p4=50335505
C:\Documents and Settings\rskerm\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\470066618.mtj&p2=1&p3=11313948248254473725188814714589&p4=50335500
C:\Documents and Settings\rskerm\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\URLCache.ini
C:\Documents and Settings\rskerm\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-300154472.mtj&p2=1&p3=11313948248254473725188814714589&p4=50335505
C:\Documents and Settings\rskerm\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\URLCache.ini
C:\Documents and Settings\rskerm\Application Data\Viewpoint\Viewpoint Media Player\Resources\UpdateVersionList_v2.mtx
C:\Temp\cEeer12
C:\Temp\cEeer12\skAt.log
C:\tsqfy.exe
C:\WINDOWS\cnNrZXJt
C:\WINDOWS\system32\aj2
C:\WINDOWS\system32\ardCo17
C:\WINDOWS\system32\ardCo17\ardCo172314.exe
C:\WINDOWS\system32\cc9
C:\WINDOWS\system32\cc9\foppzwb91.exe~
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\system32\mr9
C:\WINDOWS\troy44.exe
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
.

2008-01-08 22:42 . 2008-01-08 22:42 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-06 22:44 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 08:30 . 2008-01-09 00:28 1,685,536 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-30 08:30 . 2008-01-06 22:51 14,228 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-30 08:25 . 2007-12-30 08:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-30 08:25 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-12-30 08:25 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-12-30 08:25 . 2007-12-30 08:28 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-12-30 08:24 . 2007-12-30 08:25 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-12-30 08:24 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-12-30 08:24 . 2008-01-06 22:53 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml
2007-12-30 08:23 . 2008-01-09 00:25 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-29 20:29 . 2007-12-29 20:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-29 20:21 . 2008-01-06 22:40 463,872 --a------ C:\WINDOWS\system32\igfxpers.exe
2007-12-29 18:46 . 2007-12-29 18:46 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-29 18:46 . 2007-12-29 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-29 18:45 . 2007-12-29 18:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-29 11:01 . 2007-12-29 11:01 21,760 --a------ C:\WINDOWS\Hqy76.sys
2007-12-29 09:07 . 2007-12-29 09:08 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-29 07:46 . 2008-01-06 09:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-29 07:25 . 2008-01-06 22:40 94,208 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-12-29 07:22 . 2007-12-29 07:22 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-29 07:22 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-29 07:22 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-29 07:22 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-29 07:22 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-29 07:22 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-29 07:22 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-29 07:22 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-29 07:22 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-28 20:32 . 2008-01-06 22:40 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-12-22 16:55 . 2007-12-22 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
2007-12-16 11:41 . 2007-12-16 11:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-16 11:41 . 2007-12-16 11:41 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 05:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-07 03:52 --------- d-----w C:\Program Files\QuickTime
2008-01-07 03:52 --------- d-----w C:\Program Files\eFax Messenger 4.2
2008-01-07 03:52 --------- d-----w C:\Program Files\Apoint
2008-01-04 16:09 --------- d-----w C:\Program Files\IrfanView
2008-01-02 13:06 --------- d-----w C:\Program Files\WinAce
2007-12-29 13:53 --------- d-----w C:\Documents and Settings\rskerm\Application Data\U3
2007-12-29 01:25 --------- d-----w C:\Documents and Settings\rskerm\Application Data\Azureus
2007-12-27 11:08 --------- d-----w C:\Program Files\Azureus
2007-12-20 16:22 --------- d-----w C:\Documents and Settings\rskerm\Application Data\AdobeUM
2007-12-10 18:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-06 12:08 --------- d-----w C:\Program Files\yEnc32
2007-12-03 17:39 --------- d-----w C:\Documents and Settings\rskerm\Application Data\Roxio
2007-12-03 17:35 --------- d-----w C:\Program Files\MSXML 6.0
2007-12-01 18:06 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2007-12-01 17:16 --------- d-----w C:\Documents and Settings\rskerm\Application Data\Blackberry Desktop
2007-12-01 16:09 --------- d-----w C:\Documents and Settings\rskerm\Application Data\Research In Motion
2007-12-01 16:09 --------- d-----w C:\Documents and Settings\rskerm\Application Data\InstallShield
2007-12-01 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2007-12-01 16:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-01 16:03 --------- d-----w C:\Program Files\Roxio
2007-12-01 16:03 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-12-01 16:02 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-12-01 15:54 --------- d-----w C:\Program Files\Common Files\Research in Motion
2007-12-01 15:53 --------- d-----w C:\Program Files\Research In Motion
2007-11-30 21:01 --------- d-----w C:\Documents and Settings\rskerm\Application Data\Smith Micro
2007-11-30 20:55 --------- d-----w C:\Program Files\Verizon Wireless
2007-11-30 20:55 --------- d-----w C:\Program Files\Novatel Wireless
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-23 17:44 51,712 ----a-w C:\WINDOWS\runepson.exe
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-03 15:54 92,064 ----a-w C:\Documents and Settings\rskerm\mqdmmdm.sys
2007-06-03 15:54 9,232 ----a-w C:\Documents and Settings\rskerm\mqdmmdfl.sys
2007-06-03 15:54 79,328 ----a-w C:\Documents and Settings\rskerm\mqdmserd.sys
2007-06-03 15:54 66,656 ----a-w C:\Documents and Settings\rskerm\mqdmbus.sys
2007-06-03 15:54 6,208 ----a-w C:\Documents and Settings\rskerm\mqdmcmnt.sys
2007-06-03 15:54 5,936 ----a-w C:\Documents and Settings\rskerm\mqdmwhnt.sys
2007-06-03 15:54 4,048 ----a-w C:\Documents and Settings\rskerm\mqdmcr.sys
2007-06-03 15:54 25,600 ----a-w C:\Documents and Settings\rskerm\usbsermptxp.sys
2007-06-03 15:54 22,768 ----a-w C:\Documents and Settings\rskerm\usbsermpt.sys
.
<pre>
------w		   919,016 2008-01-07 03:41:08  C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
</pre>


((((((((((((((((((((((((((((( snapshot_2008-01-06_22.57.07.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-05-17 15:23:38 579,888 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2007-10-11 19:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E3ADBB4-2B5A-473C-82C0-BBA884A19C6D}]
C:\Program Files\Messenger\hotehy4444.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-06 22:41 68856]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-01-06 22:40 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-01-06 22:40 86960]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-01-06 22:40 385024]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-06 22:40 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2008-01-06 22:40 463872]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-06 22:40 77824]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2008-01-06 22:40 839680]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2008-01-06 22:40 176128]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-06 22:40 110592]
"ShowLOMControl"="" []
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-01-06 22:40 218032]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-06 22:41 1838592]
"eFax 4.2"="C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [2008-01-06 22:41 107008]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2008-01-06 22:41 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2008-01-06 22:41 127035]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-12-29 07:25 236016]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]

C:\Documents and Settings\rskerm\Start Menu\Programs\Startup\
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-08-17 09:14:08]
Spruce - Auto Update.lnk - C:\qoobox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir [2007-12-28 19:59:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 23:37:56]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-30 10:49:58]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-30 10:49:58]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-13 20:53:28]
EPSON Status Monitor 3 Environment Check(2).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-10-23 12:55:09]
RAMASST.lnk - C:\WINDOWS\system32\RAMAsst.exe [2007-08-11 15:48:16]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hqy76.sys]
@="Driver"

R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 16:46]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver;C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS [2002-11-26 14:54]
S3 SWMX00;Sierra Wireless USB MUX Driver (#00);C:\WINDOWS\system32\DRIVERS\swmx00.sys [2007-02-22 16:26]
S3 SWNC5E00;Sierra Wireless MUX NDIS Driver (#00);C:\WINDOWS\system32\DRIVERS\SWNC5E00.sys [2007-01-12 13:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0536edff-4f06-11dc-b3d8-00166f6af027}]
\Shell\AutoRun\command - D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5814c59-1438-11db-b30f-00166f6af027}]
\Shell\AutoRun\command - rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff7e000f-02f1-11dc-b3b5-00166f6af027}]
\Shell\AutoRun\command - D:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-09 03:42:07 C:\WINDOWS\Tasks\User_Feed_Synchronization-{17CEB31D-307D-4643-8C31-AC7354933824}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-09 00:28:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-09 0:29:55
ComboFix-quarantined-files.txt 2008-01-09 05:29:45
ComboFix2.txt 2008-01-07 03:57:35
ComboFix3.txt 2007-12-30 02:46:14
ComboFix4.txt 2007-12-29 22:42:55
ComboFix5.txt 2007-12-29 16:05:47
.
2007-12-15 18:33:46 --- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:56 AM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\RAMAsst.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/learnmore/learnm...amp;lcode=en-us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 198.18.0.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E3ADBB4-2B5A-473C-82C0-BBA884A19C6D} - C:\Program Files\Messenger\hotehy4444.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\qoobox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir
O4 - Startup: United Airlines Timetable Update Application.lnk = F:\United TravelDesk\United Airlines Timetable Update Application\ua_conduit_en.exe
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMAsst.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/141p/html/gtdownlr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178970003953
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12458 bytes

#11 Demon Cleaner

Demon Cleaner

  • Members
  • 1,383 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chester uk
  • Local time:07:07 AM

Posted 09 January 2008 - 02:05 PM

Hi Rskerm

1. Close any open browsers.

2. Open notepad and copy/paste the text in the codebox below into it:

RENV::
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
C:\Program Files\Dell\QuickSet\quickset.exe .exe
C:\Program Files\QuickTime\qttask .exe

Save this as CFScript.txt, in the same location as ComboFix.exe.

Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe.

This will start Combofix scanning.

When finished, reboot into normal mode and please post the contents of the resultant log found at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


****Please do an online scan with Kaspersky WebScanner using Internet Explorer.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
DC

Edited by Demon Cleaner, 09 January 2008 - 02:06 PM.


#12 rskerm

rskerm
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 09 January 2008 - 10:02 PM

Thanks again. Last night I noticed that my ZoneAlarm firewall wasn't up and running; when I clicked on ZoneAlarm in Start:Programs..... it couldn't find zclient.exe. I looked and only found zclient .exe (with a blank space infront of the dot exe) and did then point the program there and it fired up.

What's up with exe files and blank spaces just before the dot exe? Is this a compromised program now?

Also, last night upon boot up a window popped up stating Windows couln't find a progam to execute the file Spruce.exe.vir so I searched for the file and found it and other vir files in C:\qoobox which appears to be part of the progams used to clean up my system. Thoughts on this one?

I'll run your new directive and post below; Cheers!
Rob

#13 rskerm

rskerm
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 10 January 2008 - 06:18 PM

ComboFix 08-01-04.1 - rskerm 2008-01-09 22:09:38.6 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.795 [GMT -5:00]
Running from: C:\Documents and Settings\rskerm\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\rskerm\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.

2008-01-06 22:44 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 08:30 . 2008-01-09 22:05 1,769,504 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-30 08:30 . 2008-01-09 22:05 22,856 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-30 08:25 . 2007-12-30 08:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-30 08:25 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-12-30 08:25 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-12-30 08:25 . 2007-12-30 08:28 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-12-30 08:24 . 2007-12-30 08:25 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-12-30 08:24 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-12-30 08:24 . 2008-01-09 01:47 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml
2007-12-30 08:23 . 2008-01-09 21:50 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-29 20:29 . 2007-12-29 20:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-29 20:21 . 2008-01-06 22:40 463,872 --a------ C:\WINDOWS\system32\igfxpers.exe
2007-12-29 18:46 . 2007-12-29 18:46 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-29 18:46 . 2007-12-29 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-29 18:45 . 2007-12-29 18:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-29 11:01 . 2007-12-29 11:01 21,760 --a------ C:\WINDOWS\Hqy76.sys
2007-12-29 09:07 . 2007-12-29 09:08 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-29 07:46 . 2008-01-06 09:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-29 07:25 . 2008-01-06 22:40 94,208 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-12-29 07:22 . 2007-12-29 07:22 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-29 07:22 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-29 07:22 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-29 07:22 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-29 07:22 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-29 07:22 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-29 07:22 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-29 07:22 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-29 07:22 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-28 20:32 . 2008-01-06 22:40 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-12-22 16:55 . 2007-12-22 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
2007-12-16 11:41 . 2007-12-16 11:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-16 11:41 . 2007-12-16 11:41 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-10 03:09 --------- d-----w C:\Program Files\QuickTime
2008-01-09 07:19 --------- d-----w C:\Program Files\IrfanView
2008-01-09 06:35 --------- d-----w C:\Documents and Settings\rskerm\Application Data\Azureus
2008-01-08 05:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-07 03:52 --------- d-----w C:\Program Files\eFax Messenger 4.2
2008-01-07 03:52 --------- d-----w C:\Program Files\Apoint
2008-01-02 13:06 --------- d-----w C:\Program Files\WinAce
2007-12-29 13:53 --------- d-----w C:\Documents and Settings\rskerm\Application Data\U3
2007-12-27 11:08 --------- d-----w C:\Program Files\Azureus
2007-12-20 16:22 --------- d-----w C:\Documents and Settings\rskerm\Application Data\AdobeUM
2007-12-10 18:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-06 12:08 --------- d-----w C:\Program Files\yEnc32
2007-12-03 17:39 --------- d-----w C:\Documents and Settings\rskerm\Application Data\Roxio
2007-12-03 17:35 --------- d-----w C:\Program Files\MSXML 6.0
2007-12-01 18:06 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2007-12-01 17:16 --------- d-----w C:\Documents and Settings\rskerm\Application Data\Blackberry Desktop
2007-12-01 16:09 --------- d-----w C:\Documents and Settings\rskerm\Application Data\Research In Motion
2007-12-01 16:09 --------- d-----w C:\Documents and Settings\rskerm\Application Data\InstallShield
2007-12-01 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2007-12-01 16:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-01 16:03 --------- d-----w C:\Program Files\Roxio
2007-12-01 16:03 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-12-01 16:02 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-12-01 15:54 --------- d-----w C:\Program Files\Common Files\Research in Motion
2007-12-01 15:53 --------- d-----w C:\Program Files\Research In Motion
2007-11-30 21:01 --------- d-----w C:\Documents and Settings\rskerm\Application Data\Smith Micro
2007-11-30 20:55 --------- d-----w C:\Program Files\Verizon Wireless
2007-11-30 20:55 --------- d-----w C:\Program Files\Novatel Wireless
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-23 17:44 51,712 ----a-w C:\WINDOWS\runepson.exe
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-03 15:54 92,064 ----a-w C:\Documents and Settings\rskerm\mqdmmdm.sys
2007-06-03 15:54 9,232 ----a-w C:\Documents and Settings\rskerm\mqdmmdfl.sys
2007-06-03 15:54 79,328 ----a-w C:\Documents and Settings\rskerm\mqdmserd.sys
2007-06-03 15:54 66,656 ----a-w C:\Documents and Settings\rskerm\mqdmbus.sys
2007-06-03 15:54 6,208 ----a-w C:\Documents and Settings\rskerm\mqdmcmnt.sys
2007-06-03 15:54 5,936 ----a-w C:\Documents and Settings\rskerm\mqdmwhnt.sys
2007-06-03 15:54 4,048 ----a-w C:\Documents and Settings\rskerm\mqdmcr.sys
2007-06-03 15:54 25,600 ----a-w C:\Documents and Settings\rskerm\usbsermptxp.sys
2007-06-03 15:54 22,768 ----a-w C:\Documents and Settings\rskerm\usbsermpt.sys
.
<pre>
------w		   919,016 2008-01-07 03:41:08  C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
</pre>


((((((((((((((((((((((((((((( snapshot_2008-01-06_22.57.07.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-30 16:53:32 360,832 ----a-w C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941644\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941644\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\updspapi.dll
+ 2007-11-07 09:50:47 727,040 ----a-w C:\WINDOWS\$hf_mig$\KB943485\SP2QFE\lsasrv.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB943485\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB943485\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\updspapi.dll
- 2006-04-20 11:51:50 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2007-10-30 17:20:55 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
- 2006-05-17 15:23:38 579,888 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2007-10-11 19:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
- 2007-12-02 23:00:05 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-01-02 18:21:36 17,642,616 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E3ADBB4-2B5A-473C-82C0-BBA884A19C6D}]
C:\Program Files\Messenger\hotehy4444.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-06 22:41 68856]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-01-06 22:40 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-01-06 22:40 86960]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-01-06 22:40 385024]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-06 22:40 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2008-01-06 22:40 463872]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-06 22:40 77824]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2008-01-06 22:40 839680]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2008-01-06 22:40 176128]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-06 22:40 110592]
"ShowLOMControl"="" []
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-01-06 22:40 218032]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-06 22:41 1838592]
"eFax 4.2"="C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [2008-01-06 22:41 107008]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2008-01-06 22:41 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2008-01-06 22:41 127035]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-12-29 07:25 236016]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]

C:\Documents and Settings\rskerm\Start Menu\Programs\Startup\
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-08-17 09:14:08]
Spruce - Auto Update.lnk - C:\qoobox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir [2007-12-28 19:59:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 23:37:56]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-30 10:49:58]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-30 10:49:58]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-13 20:53:28]
EPSON Status Monitor 3 Environment Check(2).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-10-23 12:55:09]
RAMASST.lnk - C:\WINDOWS\system32\RAMAsst.exe [2007-08-11 15:48:16]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hqy76.sys]
@="Driver"

S3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 16:46]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver;C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS [2002-11-26 14:54]
S3 SWMX00;Sierra Wireless USB MUX Driver (#00);C:\WINDOWS\system32\DRIVERS\swmx00.sys [2007-02-22 16:26]
S3 SWNC5E00;Sierra Wireless MUX NDIS Driver (#00);C:\WINDOWS\system32\DRIVERS\SWNC5E00.sys [2007-01-12 13:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0536edff-4f06-11dc-b3d8-00166f6af027}]
\Shell\AutoRun\command - D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5814c59-1438-11db-b30f-00166f6af027}]
\Shell\AutoRun\command - rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff7e000f-02f1-11dc-b3b5-00166f6af027}]
\Shell\AutoRun\command - D:\LaunchU3.exe

*Newly Created Service* - PXHELP20
.
Contents of the 'Scheduled Tasks' folder
"2008-01-09 03:42:07 C:\WINDOWS\Tasks\User_Feed_Synchronization-{17CEB31D-307D-4643-8C31-AC7354933824}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-09 22:14:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-09 22:15:25
ComboFix-quarantined-files.txt 2008-01-10 03:14:58
ComboFix2.txt 2008-01-09 05:29:56
ComboFix3.txt 2008-01-07 03:57:35
ComboFix4.txt 2007-12-30 02:46:14
ComboFix5.txt 2007-12-29 22:42:55
.
2008-01-09 06:45:03 --- E O F ---

#14 rskerm

rskerm
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 10 January 2008 - 11:32 PM

Scan
----
Scanned: 298004
Detected: 3
Untreated: 0
Start time: 1/10/2008 9:31:03 PM
Duration: 01:33:13
Finish time: 1/10/2008 11:04:16 PM
Signatures published: 11/19/2007 4:49:09 AM


Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-Downloader.Java.OpenStream.y File: C:\Documents and Settings\rskerm\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-1674405-495bd6e0.class
deleted: Trojan program Trojan-Downloader.Java.OpenStream.y File: C:\Documents and Settings\rskerm\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfge.class-2b3d7713-4bd888c1.class
deleted: adware not-a-virus:AdWare.Win32.Agent.co File: C:\qoobox\Quarantine\C\WINDOWS\system32\cc9\foppzwb91.exe~.vir

DID NOT PASTE IN THE GIGANTIC SCANNED FILE LIST.... Do you need to see it, it's huge?



Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------
All objects 298004 3 0 1 0 20187 4857 104 9
My Documents 34893 0 0 0 0 8000 2342 0 0
Mailboxes 3622 0 0 0 0 3056 0 0 0
Local Disk (C:) 259489 3 0 1 0 9131 2515 104 9


Settings
--------
Parameter Value
--------- -----
Security Level High
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats Yes
Scan password-protected archives No
Enable iChecker technology Yes
Enable iSwift technology Yes
Record information about dangerous objects to program statistics Yes

#15 Demon Cleaner

Demon Cleaner

  • Members
  • 1,383 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chester uk
  • Local time:07:07 AM

Posted 11 January 2008 - 11:02 PM

Hi Rskerm

I dont need to see the scanned files log.


1. Close any open browsers.

2. Open notepad and copy/paste the text in the codebox below into it:

RENV::
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe

Save this as CFScript.txt, in the same location as ComboFix.exe and then follow the next steps in order.
  • Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.
  • Physically disconnect your PC from the internet by turning your router/modem off or by disconnecting the ethernet cable.
  • If running right click on the avast! icon in system tray (looks like this: Posted Image) and choose (Stop On-Access Protection)
  • Right click on the Zone Alarm icon (if running) in the system tray and select "shutdown Zone Alarm"

    Posted Image
  • Refering to the picture above, drag CFScript into ComboFix.exe.
  • This will start Combofix scanning.
When finished, reboot into normal mode and please post the contents of the resultant log found at "C:\ComboFix.txt" along with a new Hijackthis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


DC




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users