
Trojan That Won't Go Away


  • This topic is locked
28 replies to this topic

#1 Edward1978

Edward1978

  • Members
  • 26 posts
  • OFFLINE
  • Local time:07:14 AM

Posted 09 January 2008 - 03:47 PM

I assume this is a Vundo Trojan. My virus software is popping up with "trojan.dropper" and "win32.agent.dgo" on several of its messages attempting to disinfect. When the virus first got into my computer, it took away the control panel, administrative access and my ability to boot in safe mode. I have since restored the control panel and administrative controls and successfully manually deleted the winrzf32 file. I still cannot boot in safe mode. Recently I have run Xoftspy, RegCure, Vundo Fix and Virtmundobegone. All will at some point claim the computer is clean, even after several reboots. Maybe an hour or so later, I'll start getting pop-ups and error messages of files containing malicious codes. It's quite entertaining that one of the pop-ups is for Xoftspy and RegCure! In attacking files, this virus seems to mainly go after yahoo messenger, autorun (which I assume prevents me from using a startup disk), findfast, shell.exe, pmkhf.exe, tracks eraser pro (which I attempted to use in deleting all my temp files), ctfmon.exe, etc. Most recently it seems to be going after my system sounds. I have noticed in my registry that there are several mentions of windows nt, which is strange since I am using XP. The most recent XoftSpy operation removed a registry key with the name of Juan. Also to note in the Hijackthis log, .exe files shown as .0xe are from my virus software attempting to disinfect the files. One last thing: I notice when windows starts that the screen shows "windows is starting up". I don't remember it ever using that phrasing. I always thought it just said "windows is starting".

The hijackthis log is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:26 PM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon .exe
C:\PROGRA~1\WILDBL~1\4247706\Program\SERVIC~1.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Anti-Virus\fsgk32st.exe
C:\Program Files\WildBlue Security Center\4247706\program\fsbwsys.exe
C:\Program Files\Anti-Virus\FSGK32.EXE
C:\Program Files\Anti-Virus\fssm32.exe
C:\Program Files\Common\FSMA32.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common\FCH32.EXE
C:\Program Files\Anti-Virus\fsqh.exe
C:\Program Files\Common\FAMEH32.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Anti-Virus\fsrw.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WildBlue Security Center\4247706\Program\fspex.exe
C:\Program Files\Anti-Virus\fsav32.exe
C:\Program Files\FWES\Program\fsdfwd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\XoftSpySE\XoftSpy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkhf.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" -quiet
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: FINDFAST .0XE
O4 - Startup: FINDFAST .0XE
O4 - Global Startup: AUTORUN.0XE
O4 - Global Startup: WildBlue Service Center.lnk = C:\Program Files\WildBlue Security Center\4247706\Program\fspex.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Block this popup - C:\Program Files\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Anti-Spyware\ieshield.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\CarbonPoker\Poker.exe (HKCU)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: WildBlue Service Center (BackWeb Plug-in - 4247706) - BackWeb Technologies Inc. - C:\PROGRA~1\WILDBL~1\4247706\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\WildBlue Security Center\4247706\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8251 bytes
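A small triage script, added here as an example and not part of the original thread, that applies the checks a log reader makes on the HijackThis lines above: the F2 Shell= and F3 load= ini overrides, the O7 DisableRegedit policy, and file names with a space before the extension or the .0XE extension the poster mentions. The sample lines are copied from the log above, with one benign O23 service line added so the script has a negative case.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above, plus one
# benign O23 service line that the checks should leave alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkhf.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" -quiet
O4 - Startup: FINDFAST .0XE
O4 - Global Startup: AUTORUN.0XE
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# "ctfmon .exe" is a different file from "ctfmon.exe"; the space is easy to miss
# when reading a log, so any basename with whitespace before its extension is flagged.
SPACE_BEFORE_EXT = re.compile(r'([^\s\\/"\[\]]+\s+\.(?:exe|dll|0xe|cpl|scr))\b', re.IGNORECASE)
# .0XE is not a Windows executable extension; the poster says these were renamed by
# the antivirus while trying to disinfect them, so they still deserve a look.
ODD_EXT = re.compile(r'([^\s\\/"\[\]]+\s*\.0xe)\b', re.IGNORECASE)
POLICY_LOCK = re.compile(r"Disable(?:Regedit|TaskMgr)=1")


def triage_line(line):
    """Return (rule, detail) findings for one HijackThis log line."""
    findings = []
    kind = line.split(" - ", 1)[0].strip()
    if kind == "F2" and "Shell=" in line:
        # system.ini Shell= should be exactly Explorer.exe; anything appended
        # is launched as the user's shell at every logon.
        shell = line.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            findings.append(("F2 shell override", shell))
    elif kind == "F3" and "load=" in line:
        # win.ini load= is a legacy autostart that is normally empty.
        load = line.split("load=", 1)[1].strip()
        if load:
            findings.append(("F3 win.ini load= autostart", load))
    elif kind == "O7":
        m = POLICY_LOCK.search(line)
        if m:
            findings.append(("O7 policy restriction", m.group(0)))
    m = SPACE_BEFORE_EXT.search(line)
    if m:
        findings.append(("space before extension", m.group(1)))
    m = ODD_EXT.search(line)
    if m:
        findings.append(("non-standard .0XE extension", m.group(1)))
    return findings


def triage(log_text):
    """Run triage_line over a whole log; return a list of finding dicts."""
    results = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            for rule, detail in triage_line(line):
                results.append({"rule": rule, "detail": detail, "line": line})
    return results


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['detail']}\n    {f['line']}")
```

The checks are heuristics for manual review, not verdicts: a flagged line still needs the file itself looked at, as the helper does in the replies.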


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:02:14 PM

Posted 11 January 2008 - 04:55 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Edward1978.
My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix by sUBs and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#3 Edward1978

Edward1978
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:07:14 AM

Posted 12 January 2008 - 12:23 PM

Richie, thanks in advance for any help you are able to provide! Here's the combofix and hijacker logs. Keep in mind that in the couple days that have passed since I posted on here, I have been searching forums and attempting just about any virus removal process that seemed to be like mine. The folks at XoftSpy have also had me run a few unsuccessful tries with alternate programs. Figured you should be aware in case the original HijackThis log posted differs from the recent one posted below.

ComboFix 08-01-09.2 - Compaq_Owner 2008-01-11 14:57:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.121 [GMT -7:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\edgaovbx.dll
C:\WINDOWS\system32\eyitaaju.ini
C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fhkmp.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\RCX5F.tmp
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IPRIP
-------\Iprip


((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
.

2008-01-11 14:58 . 2008-01-11 14:58 3,584 --a------ C:\WINDOWS\system32\pmkhf.exe
2008-01-11 14:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-11 07:31 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-11 07:25 . 2008-01-11 07:25 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-10 18:49 . 2008-01-11 14:22 340,480 --a------ C:\WINDOWS\system32\PMKHF.0XE
2008-01-10 13:04 . 2006-05-19 16:46 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-10 13:04 . 2006-05-19 16:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-01-09 20:41 . 2004-08-04 00:56 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-01-09 20:41 . 2001-08-17 22:37 99,865 --a------ C:\WINDOWS\system32\dllcache\xlog.exe
2008-01-09 20:41 . 2001-08-17 22:37 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-01-09 20:41 . 2001-08-17 22:36 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-01-09 20:41 . 2004-08-03 22:29 19,455 --a------ C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-01-09 20:41 . 2001-08-17 22:36 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-01-09 20:41 . 2001-08-17 12:11 16,970 --a------ C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-01-09 20:41 . 2004-08-03 22:29 12,063 --a------ C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-01-09 20:41 . 2004-08-04 00:56 8,192 --a------ C:\WINDOWS\system32\dllcache\wshirda.dll
2008-01-09 20:41 . 2001-08-17 22:37 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-01-09 20:39 . 2001-08-17 13:28 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2008-01-09 20:38 . 2001-08-17 22:36 525,568 --a------ C:\WINDOWS\system32\dllcache\tridxp.dll
2008-01-09 20:37 . 2004-08-03 21:00 571,392 --a------ C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-01-09 20:36 . 2001-08-17 12:18 285,760 --a------ C:\WINDOWS\system32\dllcache\stlnata.sys
2008-01-09 20:35 . 2001-08-17 14:56 147,200 --a------ C:\WINDOWS\system32\dllcache\smidispb.dll
2008-01-09 20:34 . 2004-08-03 22:41 404,990 --a------ C:\WINDOWS\system32\dllcache\slntamr.sys
2008-01-09 20:33 . 2001-08-17 22:36 386,560 --a------ C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-01-09 20:32 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\system32\dllcache\sblfx.dll
2008-01-09 20:31 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-01-09 20:30 . 2004-08-03 21:00 482,304 --a------ C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-01-09 20:29 . 2001-08-17 14:05 351,616 --a------ C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-01-09 20:28 . 2004-08-04 00:56 4,274,816 --a------ C:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-01-09 20:27 . 2004-08-04 00:56 1,737,856 --a------ C:\WINDOWS\system32\dllcache\mtxparhd.dll
2008-01-09 20:26 . 2004-08-03 21:00 1,875,968 --a------ C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-09 20:25 . 2004-08-03 21:00 1,158,818 --a------ C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-01-09 20:24 . 2001-08-17 22:36 242,176 --a------ C:\WINDOWS\system32\dllcache\kdsusd.dll
2008-01-09 20:23 . 2004-08-03 21:00 811,064 --a------ C:\WINDOWS\system32\dllcache\imjp81k.dll
2008-01-09 20:22 . 2004-08-03 21:00 13,463,552 --a------ C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-09 20:21 . 2001-08-17 14:56 1,733,120 --a------ C:\WINDOWS\system32\dllcache\g400d.dll
2008-01-09 20:20 . 2001-08-17 13:28 595,647 --a------ C:\WINDOWS\system32\dllcache\es56cvmp.sys
2008-01-09 20:19 . 2001-08-17 13:28 634,134 --a------ C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-01-09 20:18 . 2001-08-17 12:14 952,007 --a------ C:\WINDOWS\system32\dllcache\diwan.sys
2008-01-09 20:17 . 2004-08-03 21:00 1,677,824 --a------ C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-01-09 20:16 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-01-09 20:15 . 2004-08-04 00:56 870,784 --a------ C:\WINDOWS\system32\dllcache\ati3d1ag.dll
2008-01-09 20:14 . 2001-08-17 13:28 762,780 --a------ C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-01-09 20:14 . 2001-08-17 14:55 689,216 --a------ C:\WINDOWS\system32\dllcache\3dfxvs.dll
2008-01-09 20:14 . 2001-08-17 12:48 148,352 --a------ C:\WINDOWS\system32\dllcache\3dfxvsm.sys
2008-01-09 20:14 . 2001-08-17 22:36 98,304 --a------ C:\WINDOWS\system32\dllcache\a3d.dll
2008-01-09 20:14 . 2001-08-17 14:56 66,048 --a------ C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-01-09 20:14 . 2004-08-03 23:10 53,248 --a------ C:\WINDOWS\system32\dllcache\1394bus.sys
2008-01-09 20:14 . 2004-08-03 23:10 48,128 --a------ C:\WINDOWS\system32\dllcache\61883.sys
2008-01-09 20:14 . 2001-08-17 14:55 38,400 --a------ C:\WINDOWS\system32\dllcache\8514a.dll
2008-01-09 20:14 . 2004-08-03 23:00 12,288 --a------ C:\WINDOWS\system32\dllcache\4mmdat.sys
2008-01-09 20:14 . 2001-08-17 14:06 11,264 --a------ C:\WINDOWS\system32\dllcache\1394vdbg.sys
2008-01-09 17:42 . 2008-01-09 17:42 118,842 -r------- C:\WINDOWS\bwUnin-6.3.2.123-4247706L.exe
2008-01-09 12:20 . 2008-01-09 12:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-09 10:35 . 2008-01-09 10:35 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-08 20:09 . 2008-01-09 18:34 <DIR> d-------- C:\VundoFix Backups
2008-01-08 18:54 . 2008-01-09 15:23 <DIR> d-------- C:\Program Files\RegCure
2008-01-08 18:33 . 2008-01-09 15:23 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-08 15:51 . 2008-01-08 15:51 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2008-01-08 14:15 . 2008-01-10 16:21 0 --a------ C:\WINDOWS\win.ini
2008-01-08 14:15 . 2008-01-11 15:03 0 --a------ C:\WINDOWS\system.ini
2008-01-08 13:12 . 2008-01-11 14:44 <DIR> d-------- C:\Program Files\TNB
2008-01-08 13:12 . 2008-01-11 13:36 <DIR> d-------- C:\Program Files\FWES
2008-01-08 13:12 . 2008-01-11 14:44 <DIR> d-------- C:\Program Files\FSGUI
2008-01-08 13:12 . 2008-01-11 13:36 <DIR> d-------- C:\Program Files\DAAS
2008-01-08 13:12 . 2008-01-11 15:03 <DIR> d-------- C:\Program Files\Anti-Virus
2008-01-08 13:12 . 2008-01-11 13:36 <DIR> d-------- C:\Program Files\Anti-Spyware
2008-01-08 13:12 . 2008-01-08 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-01-08 13:12 . 2005-05-30 18:21 360,448 --a------ C:\Program Files\fsuninst.exe
2008-01-08 13:12 . 2008-01-11 13:35 229,376 --a------ C:\Program Files\fsisu.dll
2008-01-08 13:12 . 2005-05-30 18:16 151,552 --a------ C:\Program Files\fsdeph.dll
2008-01-08 13:12 . 2008-01-11 13:35 135,168 --a------ C:\Program Files\fsisuNT.dll
2008-01-08 13:12 . 2005-04-28 07:00 94,258 --a------ C:\Program Files\fsld32.dll
2008-01-08 13:12 . 2005-11-18 08:04 70,896 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2008-01-08 13:12 . 2005-11-18 08:04 33,584 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2008-01-08 13:09 . 2008-01-11 14:44 <DIR> d-------- C:\Program Files\Common
2008-01-08 13:00 . 2008-01-08 13:00 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-08 13:00 . 2008-01-08 13:00 917,504 --a------ C:\WINDOWS\system32\FLASH.OCX
2008-01-08 12:26 . 2008-01-08 12:26 18 --ah----- C:\SYSREST
2008-01-08 11:57 . 2008-01-09 10:33 17,920 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-01-08 11:43 . 2008-01-11 14:22 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-08 11:30 . 2008-01-08 11:30 0 --a------ C:\Install

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 20:36 1,171 ----a-w C:\Program Files\install.ini
2008-01-11 14:31 --------- d-----w C:\Program Files\Java
2008-01-11 01:46 --------- d-----w C:\Program Files\Winamp
2008-01-11 01:46 --------- d-----w C:\Program Files\QuickTime
2008-01-10 23:36 15,360 -csha-w C:\Program Files\Thumbs.db
2008-01-10 23:33 169,984 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
2008-01-10 17:36 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\U3
2008-01-08 21:47 --------- d-----w C:\Program Files\WildBlue
2008-01-08 20:09 --------- d-----w C:\Program Files\WildBlue Security Center
2008-01-08 18:58 --------- d-----w C:\Program Files\DivX
2008-01-08 18:38 --------- d-----w C:\Program Files\ADSTech DVD Xpress DX2
2007-12-26 01:55 --------- d-----w C:\Program Files\Pool Station
2007-12-08 20:20 --------- d-----w C:\Program Files\Trillian
2007-12-02 17:47 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\DivX
2007-12-02 16:49 --------- d-----w C:\Program Files\LimeWire
2007-11-30 15:35 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\ArcSoft
2007-11-30 01:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-30 01:57 --------- d-----w C:\Program Files\Common Files\ArcSoft
2007-11-30 01:57 --------- d-----w C:\Program Files\ArcSoft
2007-11-30 01:56 --------- d-----w C:\Program Files\ADSTech
2007-11-30 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-11-30 01:55 --------- d-----w C:\Program Files\Ulead Systems
2007-11-30 01:55 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-02-03 19:05 142 -c--a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2006-12-07 20:23 754 -c--a-w C:\Program Files\jptemp.html
2006-12-07 20:17 28,284 -c--a-w C:\Program Files\100_1327.JPG
2006-12-07 20:17 26,387 -c--a-w C:\Program Files\overhang.JPG
2006-10-01 01:08 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2006-08-09 02:36 12,090,992 -c--a-w C:\Program Files\ysitebuilder.exe
2006-02-19 10:28 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
2005-05-31 01:25 126,976 ----a-w C:\Program Files\fsuninst.ENG
1999-01-11 23:34 1,520 -c--a-w C:\Program Files\Pixelator3.class
1999-01-11 23:08 4,608 -c--a-w C:\Program Files\ImageFade2ech.class
.
----a-w   1,331,200 2008-01-08 22:08:13  C:\Program Files\Acesoft\Tracks Eraser Pro\te .exe
----a-w     122,929 2008-01-11 21:22:23  C:\Program Files\Common\FSM32 .EXE
----a-w     180,269 2008-01-08 22:08:00  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w     245,760 2008-01-08 22:51:11  C:\Program Files\Creative\Shared Files\CAMTRAY .EXE
----a-w     372,736 2008-01-11 21:22:24  C:\Program Files\FSGUI\FSSW .EXE
----a-w     356,352 2008-01-11 21:22:25  C:\Program Files\FSGUI\ispnews .exe
----a-w      49,152 2008-01-08 22:07:59  C:\Program Files\HP\HP Software Update\HPwuSchd2 .exe
----a-w     132,496 2008-01-11 21:22:24  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w     700,416 2008-01-11 21:22:25  C:\Program Files\TNB\TNBUtil .exe
----a-w   4,670,704 2008-01-11 21:18:26  C:\Program Files\Yahoo!\Messenger\YahooMessenger  .exe
----a-w     169,984 2008-01-10 23:33:00  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w      15,360 2008-01-11 21:22:26  C:\WINDOWS\system32\ctfmon .exe
----a-w     155,648 2008-01-08 22:51:09  C:\WINDOWS\system32\NeroCheck .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134}]
C:\WINDOWS\system32\urqnnnk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-07 21:54 16010240 C:\WINDOWS\RTHDCPL.EXE]
"F-Secure Manager"="C:\Program Files\Common\FSM32.exe" [ ]
"F-Secure TNB"="C:\Program Files\TNB\TNBUtil.exe" [ ]
"F-Secure Startup Wizard"="C:\Program Files\FSGUI\FSSW.exe" [ ]
"News Service"="C:\Program Files\FSGUI\ispnews.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-05-19 15:59:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WildBlue Security Center.lnk - C:\Program Files\WildBlue Security Center\4247706\Program\fspex.exe [2008-01-10 19:00:07]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134}"= C:\WINDOWS\system32\urqnnnk.dll [ ]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
backup=C:\WINDOWS\pss\Free WebSite Tools.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^FINDFAST .0XE]

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^FINDFAST .0XE]

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^FINDFAST.0XE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
C:\WINDOWS\system32\drvcat.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 21:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Startup Wizard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lsass]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\News Service]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tracks Eraser Pro]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-01-11 14:18 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2005-11-18 08:04]
R2 BackWeb Plug-in - 4247706;WildBlue Security Center;C:\PROGRA~1\WILDBL~1\4247706\Program\SERVIC~1.EXE [2008-01-11 13:34]
R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Anti-Virus\Win2K\FSfilter.sys [2004-09-10 08:14]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\Anti-Virus\Win2K\FSgk.sys [2005-02-21 10:49]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\Anti-Virus\Win2K\FSrec.sys [2004-06-01 02:03]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-03 21:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-03 21:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-03 21:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-03 21:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2006-11-18 03:10:11 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1155606749.job"
- C:\Program Files\HP\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-01-11 22:03:43 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-10 15:30:26 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-11 00:03:31 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\ANTI-V~1\fsav.exeQ /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\ANTI-V~1\report.txt
"2008-01-11 22:03:48 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-09 01:33:26 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 15:03:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-11 15:04:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-11 22:04:51

and the HijackThis log is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:24 AM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\WILDBL~1\4247706\Program\SERVIC~1.EXE
C:\Program Files\Anti-Virus\fsgk32st.exe
C:\Program Files\Anti-Virus\FSGK32.EXE
C:\Program Files\WildBlue Security Center\4247706\program\fsbwsys.exe
C:\Program Files\Anti-Virus\fssm32.exe
C:\Program Files\Common\FSMA32.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WildBlue Security Center\4247706\Program\fspex.exe
C:\Program Files\Common\FCH32.EXE
C:\Program Files\Anti-Virus\fsqh.exe
C:\Program Files\Common\FAMEH32.EXE
C:\Program Files\Anti-Virus\fsrw.exe
C:\Program Files\FWES\Program\fsdfwd.exe
C:\Program Files\Anti-Virus\fsav32.exe
C:\PROGRA~1\ANTI-S~1\fsaw.exe
C:\Program Files\FSGUI\fsguidll.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134} - C:\WINDOWS\system32\urqnnnk.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: WildBlue Security Center.lnk = C:\Program Files\WildBlue Security Center\4247706\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Anti-Spyware\ieshield.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\CarbonPoker\Poker.exe (HKCU)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: WildBlue Security Center (BackWeb Plug-in - 4247706) - BackWeb Technologies Inc. - C:\PROGRA~1\WILDBL~1\4247706\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\WildBlue Security Center\4247706\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8656 bytes

#4 RichieUK

Malware Response Team

Posted 12 January 2008 - 12:32 PM

Download RenV.exe to your desktop, double click to run it:
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
When it's finished it will produce a Log.
Please post the contents of that Log into your next reply.

#5 Edward1978

Topic Starter

Posted 12 January 2008 - 12:47 PM

Ran on Sat 01/12/2008 - 10:45:17.43

----a-w		 1,331,200 2008-01-08 22:08:13  C:\Program Files\Acesoft\Tracks Eraser Pro\te .exe
----a-w		   122,929 2008-01-11 21:22:23  C:\Program Files\Common\FSM32 .EXE
----a-w		   180,269 2008-01-08 22:08:00  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   245,760 2008-01-08 22:51:11  C:\Program Files\Creative\Shared Files\CAMTRAY .EXE
----a-w		   372,736 2008-01-11 21:22:24  C:\Program Files\FSGUI\FSSW .EXE
----a-w		   356,352 2008-01-11 21:22:25  C:\Program Files\FSGUI\ispnews .exe
----a-w			49,152 2008-01-08 22:07:59  C:\Program Files\HP\HP Software Update\HPwuSchd2 .exe
----a-w		   132,496 2008-01-11 21:22:24  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		   700,416 2008-01-11 21:22:25  C:\Program Files\TNB\TNBUtil .exe
----a-w		 4,670,704 2008-01-11 21:18:26  C:\Program Files\Yahoo!\Messenger\YahooMessenger  .exe
----a-w		   169,984 2008-01-10 23:33:00  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w			15,360 2008-01-11 21:22:26  C:\WINDOWS\system32\ctfmon .exe
----a-w		   155,648 2008-01-08 22:51:09  C:\WINDOWS\system32\NeroCheck .exe

 Entries:			   13  (13)
 Directories:			0  Files:			13
 Bytes:		  8,503,006  Blocks:	   16,610

#6 RichieUK

Malware Response Team

Posted 12 January 2008 - 12:48 PM

Posted Image
Referring to the picture above, drag Log.txt into RenV.exe
When finished, it shall produce a new log for you.
Post that log in your next reply.

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This will start the program and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

If the above link doesn't work, try this:
http://www.kaspersky.com/kos/english/kavwebscan.html

#7 Edward1978

Topic Starter

Posted 12 January 2008 - 02:50 PM

Ran on Sat 01/12/2008 - 10:52:17.25

----a-w		 1,331,200 2008-01-08 22:08:13  C:\Program Files\Acesoft\Tracks Eraser Pro\te .exe
----a-w		   122,929 2008-01-11 21:22:23  C:\Program Files\Common\FSM32 .EXE
----a-w		   180,269 2008-01-08 22:08:00  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   245,760 2008-01-08 22:51:11  C:\Program Files\Creative\Shared Files\CAMTRAY .EXE
----a-w		   372,736 2008-01-11 21:22:24  C:\Program Files\FSGUI\FSSW .EXE
----a-w		   356,352 2008-01-11 21:22:25  C:\Program Files\FSGUI\ispnews .exe
----a-w			49,152 2008-01-08 22:07:59  C:\Program Files\HP\HP Software Update\HPwuSchd2 .exe
----a-w		   132,496 2008-01-11 21:22:24  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		   700,416 2008-01-11 21:22:25  C:\Program Files\TNB\TNBUtil .exe
----a-w		 4,670,704 2008-01-11 21:18:26  C:\Program Files\Yahoo!\Messenger\YahooMessenger  .exe
----a-w		   169,984 2008-01-10 23:33:00  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w			15,360 2008-01-11 21:22:26  C:\WINDOWS\system32\ctfmon .exe
----a-w		   155,648 2008-01-08 22:51:09  C:\WINDOWS\system32\NeroCheck .exe

 Entries:			   13  (13)
 Directories:			0  Files:			13
 Bytes:		  8,503,006  Blocks:	   16,610

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, January 12, 2008 12:47:56 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/01/2008
Kaspersky Anti-Virus database records: 475467
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 77287
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:25:47

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\MSHist012008011220080113\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Anti-Virus\dbupdate.log Object is locked skipped
C:\Program Files\Anti-Virus\Qrt.log Object is locked skipped
C:\Program Files\Common\admin.pub Object is locked skipped
C:\Program Files\Common\policy.bpf Object is locked skipped
C:\Program Files\Common\policy.ipf Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\fsbwupst.log Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\L0000004.FCS Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\WildBlue Security Center\4247706\Users\Default\Data\storydb.idx Object is locked skipped
C:\sti.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{00EFF98B-5705-4D9A-BA78-7681A60AFB54}\RP3\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_22c.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#8 RichieUK

Malware Response Team

Posted 12 January 2008 - 02:56 PM

Let's do this again please.
Download RenV.exe to your desktop, double click to run it:
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
When it's finished it will produce a Log.
Please post the contents of that Log into your next reply.

#9 Edward1978

Topic Starter

Posted 12 January 2008 - 04:18 PM

Ran on Sat 01/12/2008 - 14:17:20.48

----a-w		 1,331,200 2008-01-08 22:08:13  C:\Program Files\Acesoft\Tracks Eraser Pro\te .exe
----a-w		   122,929 2008-01-11 21:22:23  C:\Program Files\Common\FSM32 .EXE
----a-w		   180,269 2008-01-08 22:08:00  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   245,760 2008-01-08 22:51:11  C:\Program Files\Creative\Shared Files\CAMTRAY .EXE
----a-w		   372,736 2008-01-11 21:22:24  C:\Program Files\FSGUI\FSSW .EXE
----a-w		   356,352 2008-01-11 21:22:25  C:\Program Files\FSGUI\ispnews .exe
----a-w			49,152 2008-01-08 22:07:59  C:\Program Files\HP\HP Software Update\HPwuSchd2 .exe
----a-w		   132,496 2008-01-11 21:22:24  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		   700,416 2008-01-11 21:22:25  C:\Program Files\TNB\TNBUtil .exe
----a-w		 4,670,704 2008-01-11 21:18:26  C:\Program Files\Yahoo!\Messenger\YahooMessenger  .exe
----a-w		   169,984 2008-01-10 23:33:00  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w			15,360 2008-01-11 21:22:26  C:\WINDOWS\system32\ctfmon .exe
----a-w		   155,648 2008-01-08 22:51:09  C:\WINDOWS\system32\NeroCheck .exe

 Entries:			   13  (13)
 Directories:			0  Files:			13
 Bytes:		  8,503,006  Blocks:	   16,610

#10 RichieUK

Malware Response Team

Posted 12 January 2008 - 04:21 PM

Posted Image
Referring to the picture above, drag Log.txt into RenV.exe
When finished, it shall produce a new log for you.
Post that log in your next reply.

#11 Edward1978

Topic Starter

Posted 12 January 2008 - 04:26 PM

Ran on Sat 01/12/2008 - 14:25:44.40

----a-w		 1,331,200 2008-01-08 22:08:13  C:\Program Files\Acesoft\Tracks Eraser Pro\te .exe
----a-w		   122,929 2008-01-11 21:22:23  C:\Program Files\Common\FSM32 .EXE
----a-w		   180,269 2008-01-08 22:08:00  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   245,760 2008-01-08 22:51:11  C:\Program Files\Creative\Shared Files\CAMTRAY .EXE
----a-w		   372,736 2008-01-11 21:22:24  C:\Program Files\FSGUI\FSSW .EXE
----a-w		   356,352 2008-01-11 21:22:25  C:\Program Files\FSGUI\ispnews .exe
----a-w			49,152 2008-01-08 22:07:59  C:\Program Files\HP\HP Software Update\HPwuSchd2 .exe
----a-w		   132,496 2008-01-11 21:22:24  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		   700,416 2008-01-11 21:22:25  C:\Program Files\TNB\TNBUtil .exe
----a-w		 4,670,704 2008-01-11 21:18:26  C:\Program Files\Yahoo!\Messenger\YahooMessenger  .exe
----a-w		   169,984 2008-01-10 23:33:00  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w			15,360 2008-01-11 21:22:26  C:\WINDOWS\system32\ctfmon .exe
----a-w		   155,648 2008-01-08 22:51:09  C:\WINDOWS\system32\NeroCheck .exe

 Entries:			   13  (13)
 Directories:			0  Files:			13
 Bytes:		  8,503,006  Blocks:	   16,610

#12 RichieUK

Malware Response Team

Posted 12 January 2008 - 04:29 PM

Close any open browsers.
Double click on Combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new Hijackthis log.

#13 Edward1978

Topic Starter

Posted 12 January 2008 - 05:04 PM

I don't know if it matters, but I did have to reboot after ComboFix ran. For whatever reason, I had no ability to access the internet to post the log. Rebooted and internet was fine.

ComboFix 08-01-09.2 - Compaq_Owner 2008-01-12 14:48:42.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.68 [GMT -7:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))
.

2008-01-12 11:18 . 2008-01-12 14:33 630,816 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-12 11:18 . 2008-01-12 14:32 6,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-12 11:18 . 2008-01-12 11:18 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-12 11:18 . 2008-01-12 11:18 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-12 11:09 . 2008-01-12 11:09 <DIR> d-------- C:\KAV
2008-01-11 15:35 . 2008-01-11 15:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-11 15:35 . 2008-01-12 11:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-11 15:21 . 2008-01-11 15:21 <DIR> d-------- C:\Program Files\CCleaner
2008-01-11 14:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-11 07:31 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-11 07:25 . 2008-01-11 07:25 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-10 13:04 . 2006-05-19 16:46 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-10 13:04 . 2006-05-19 16:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-01-09 20:41 . 2004-08-04 00:56 116,224 --a------ C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-01-09 20:41 . 2001-08-17 22:37 99,865 --a------ C:\WINDOWS\system32\dllcache\xlog.exe
2008-01-09 20:41 . 2001-08-17 22:37 27,648 --a------ C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-01-09 20:41 . 2001-08-17 22:36 23,040 --a------ C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-01-09 20:41 . 2004-08-03 22:29 19,455 --a------ C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-01-09 20:41 . 2001-08-17 22:36 17,408 --a------ C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-01-09 20:41 . 2001-08-17 12:11 16,970 --a------ C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-01-09 20:41 . 2004-08-03 22:29 12,063 --a------ C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-01-09 20:41 . 2004-08-04 00:56 8,192 --a------ C:\WINDOWS\system32\dllcache\wshirda.dll
2008-01-09 20:41 . 2001-08-17 22:37 4,608 --a------ C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-01-09 20:39 . 2001-08-17 13:28 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2008-01-09 20:38 . 2001-08-17 22:36 525,568 --a------ C:\WINDOWS\system32\dllcache\tridxp.dll
2008-01-09 20:37 . 2004-08-03 21:00 571,392 --a------ C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-01-09 20:36 . 2001-08-17 12:18 285,760 --a------ C:\WINDOWS\system32\dllcache\stlnata.sys
2008-01-09 20:35 . 2001-08-17 14:56 147,200 --a------ C:\WINDOWS\system32\dllcache\smidispb.dll
2008-01-09 20:34 . 2004-08-03 22:41 404,990 --a------ C:\WINDOWS\system32\dllcache\slntamr.sys
2008-01-09 20:33 . 2001-08-17 22:36 386,560 --a------ C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-01-09 20:32 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\system32\dllcache\sblfx.dll
2008-01-09 20:31 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-01-09 20:30 . 2004-08-03 21:00 482,304 --a------ C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-01-09 20:29 . 2001-08-17 14:05 351,616 --a------ C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-01-09 20:28 . 2004-08-04 00:56 4,274,816 --a------ C:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-01-09 20:27 . 2004-08-04 00:56 1,737,856 --a------ C:\WINDOWS\system32\dllcache\mtxparhd.dll
2008-01-09 20:26 . 2004-08-03 21:00 1,875,968 --a------ C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-09 20:25 . 2004-08-03 21:00 1,158,818 --a------ C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-01-09 20:24 . 2001-08-17 22:36 242,176 --a------ C:\WINDOWS\system32\dllcache\kdsusd.dll
2008-01-09 20:23 . 2004-08-03 21:00 811,064 --a------ C:\WINDOWS\system32\dllcache\imjp81k.dll
2008-01-09 20:22 . 2004-08-03 21:00 13,463,552 --a------ C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-09 20:21 . 2001-08-17 14:56 1,733,120 --a------ C:\WINDOWS\system32\dllcache\g400d.dll
2008-01-09 20:20 . 2001-08-17 13:28 595,647 --a------ C:\WINDOWS\system32\dllcache\es56cvmp.sys
2008-01-09 20:19 . 2001-08-17 13:28 634,134 --a------ C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-01-09 20:18 . 2001-08-17 12:14 952,007 --a------ C:\WINDOWS\system32\dllcache\diwan.sys
2008-01-09 20:17 . 2004-08-03 21:00 1,677,824 --a------ C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-01-09 20:16 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-01-09 20:15 . 2004-08-04 00:56 870,784 --a------ C:\WINDOWS\system32\dllcache\ati3d1ag.dll
2008-01-09 20:14 . 2001-08-17 13:28 762,780 --a------ C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-01-09 20:14 . 2001-08-17 14:55 689,216 --a------ C:\WINDOWS\system32\dllcache\3dfxvs.dll
2008-01-09 20:14 . 2001-08-17 12:48 148,352 --a------ C:\WINDOWS\system32\dllcache\3dfxvsm.sys
2008-01-09 20:14 . 2001-08-17 22:36 98,304 --a------ C:\WINDOWS\system32\dllcache\a3d.dll
2008-01-09 20:14 . 2001-08-17 14:56 66,048 --a------ C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-01-09 20:14 . 2004-08-03 23:10 53,248 --a------ C:\WINDOWS\system32\dllcache\1394bus.sys
2008-01-09 20:14 . 2004-08-03 23:10 48,128 --a------ C:\WINDOWS\system32\dllcache\61883.sys
2008-01-09 20:14 . 2001-08-17 14:55 38,400 --a------ C:\WINDOWS\system32\dllcache\8514a.dll
2008-01-09 20:14 . 2004-08-03 23:00 12,288 --a------ C:\WINDOWS\system32\dllcache\4mmdat.sys
2008-01-09 20:14 . 2001-08-17 14:06 11,264 --a------ C:\WINDOWS\system32\dllcache\1394vdbg.sys
2008-01-09 17:42 . 2008-01-09 17:42 118,842 -r------- C:\WINDOWS\bwUnin-6.3.2.123-4247706L.exe
2008-01-09 12:20 . 2008-01-09 12:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-09 10:35 . 2008-01-09 10:35 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-08 18:54 . 2008-01-09 15:23 <DIR> d-------- C:\Program Files\RegCure
2008-01-08 18:33 . 2008-01-09 15:23 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-08 15:51 . 2008-01-08 15:51 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2008-01-08 14:15 . 2008-01-10 16:21 0 --a------ C:\WINDOWS\win.ini
2008-01-08 14:15 . 2008-01-12 14:51 0 --a------ C:\WINDOWS\system.ini
2008-01-08 13:12 . 2008-01-11 19:10 <DIR> d-------- C:\Program Files\TNB
2008-01-08 13:12 . 2008-01-11 19:08 <DIR> d-------- C:\Program Files\FWES
2008-01-08 13:12 . 2008-01-11 19:08 <DIR> d-------- C:\Program Files\FSGUI
2008-01-08 13:12 . 2008-01-11 19:08 <DIR> d-------- C:\Program Files\DAAS
2008-01-08 13:12 . 2008-01-12 14:47 <DIR> d-------- C:\Program Files\Anti-Virus
2008-01-08 13:12 . 2008-01-11 19:08 <DIR> d-------- C:\Program Files\Anti-Spyware
2008-01-08 13:12 . 2008-01-08 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-01-08 13:12 . 2005-05-30 18:21 360,448 --a------ C:\Program Files\fsuninst.exe
2008-01-08 13:12 . 2008-01-11 19:07 229,376 --a------ C:\Program Files\fsisu.dll
2008-01-08 13:12 . 2005-05-30 18:16 151,552 --a------ C:\Program Files\fsdeph.dll
2008-01-08 13:12 . 2008-01-11 19:07 135,168 --a------ C:\Program Files\fsisuNT.dll
2008-01-08 13:12 . 2005-04-28 07:00 94,258 --a------ C:\Program Files\fsld32.dll
2008-01-08 13:12 . 2005-11-18 08:04 70,896 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2008-01-08 13:12 . 2005-11-18 08:04 33,584 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2008-01-08 13:09 . 2008-01-11 19:10 <DIR> d-------- C:\Program Files\Common
2008-01-08 13:00 . 2008-01-08 13:00 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-08 13:00 . 2008-01-08 13:00 917,504 --a------ C:\WINDOWS\system32\FLASH.OCX
2008-01-08 12:26 . 2008-01-08 12:26 18 --ah----- C:\SYSREST
2008-01-08 11:57 . 2008-01-09 10:33 17,920 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-01-08 11:43 . 2008-01-11 14:22 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-08 11:30 . 2008-01-08 11:30 0 --a------ C:\Install

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 02:08 1,171 ----a-w C:\Program Files\install.ini
2008-01-11 14:31 --------- d-----w C:\Program Files\Java
2008-01-11 01:46 --------- d-----w C:\Program Files\Winamp
2008-01-11 01:46 --------- d-----w C:\Program Files\QuickTime
2008-01-10 23:36 15,360 -csha-w C:\Program Files\Thumbs.db
2008-01-10 23:33 169,984 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
2008-01-10 17:36 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\U3
2008-01-08 21:47 --------- d-----w C:\Program Files\WildBlue
2008-01-08 20:09 --------- d-----w C:\Program Files\WildBlue Security Center
2008-01-08 18:58 --------- d-----w C:\Program Files\DivX
2008-01-08 18:38 --------- d-----w C:\Program Files\ADSTech DVD Xpress DX2
2007-12-26 01:55 --------- d-----w C:\Program Files\Pool Station
2007-12-08 20:20 --------- d-----w C:\Program Files\Trillian
2007-12-02 17:47 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\DivX
2007-12-02 16:49 --------- d-----w C:\Program Files\LimeWire
2007-11-30 15:35 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\ArcSoft
2007-11-30 01:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-30 01:57 --------- d-----w C:\Program Files\Common Files\ArcSoft
2007-11-30 01:57 --------- d-----w C:\Program Files\ArcSoft
2007-11-30 01:56 --------- d-----w C:\Program Files\ADSTech
2007-11-30 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-11-30 01:55 --------- d-----w C:\Program Files\Ulead Systems
2007-11-30 01:55 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-02-03 19:05 142 -c--a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2006-12-07 20:23 754 -c--a-w C:\Program Files\jptemp.html
2006-12-07 20:17 28,284 -c--a-w C:\Program Files\100_1327.JPG
2006-12-07 20:17 26,387 -c--a-w C:\Program Files\overhang.JPG
2006-10-01 01:08 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2006-08-09 02:36 12,090,992 -c--a-w C:\Program Files\ysitebuilder.exe
2006-02-19 10:28 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
2005-05-31 01:25 126,976 ----a-w C:\Program Files\fsuninst.ENG
1999-01-11 23:34 1,520 -c--a-w C:\Program Files\Pixelator3.class
1999-01-11 23:08 4,608 -c--a-w C:\Program Files\ImageFade2ech.class
.
<pre>
----a-w		 1,331,200 2008-01-08 22:08:13  C:\Program Files\Acesoft\Tracks Eraser Pro\te .exe
----a-w		   122,929 2008-01-11 21:22:23  C:\Program Files\Common\FSM32 .EXE
----a-w		   180,269 2008-01-08 22:08:00  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   245,760 2008-01-08 22:51:11  C:\Program Files\Creative\Shared Files\CAMTRAY .EXE
----a-w		   372,736 2008-01-11 21:22:24  C:\Program Files\FSGUI\FSSW .EXE
----a-w		   356,352 2008-01-11 21:22:25  C:\Program Files\FSGUI\ispnews .exe
----a-w			49,152 2008-01-08 22:07:59  C:\Program Files\HP\HP Software Update\HPwuSchd2 .exe
----a-w		   132,496 2008-01-11 21:22:24  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		   700,416 2008-01-11 21:22:25  C:\Program Files\TNB\TNBUtil .exe
----a-w		 4,670,704 2008-01-11 21:18:26  C:\Program Files\Yahoo!\Messenger\YahooMessenger  .exe
----a-w		   169,984 2008-01-10 23:33:00  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w			15,360 2008-01-11 21:22:26  C:\WINDOWS\system32\ctfmon .exe
----a-w		   155,648 2008-01-08 22:51:09  C:\WINDOWS\system32\NeroCheck .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134}]
C:\WINDOWS\system32\urqnnnk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-07 21:54 16010240 C:\WINDOWS\RTHDCPL.EXE]
"F-Secure Manager"="C:\Program Files\Common\FSM32.exe" [2005-10-25 18:51 122929]
"F-Secure TNB"="C:\Program Files\TNB\TNBUtil.exe" [2005-07-18 07:51 700416]
"F-Secure Startup Wizard"="C:\Program Files\FSGUI\FSSW.exe" [2005-10-18 01:29 372736]
"News Service"="C:\Program Files\FSGUI\ispnews.exe" [2005-05-31 05:45 356352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-05-19 15:59:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WildBlue Security Center.lnk - C:\Program Files\WildBlue Security Center\4247706\Program\fspex.exe [2008-01-10 19:00:07]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134}"= C:\WINDOWS\system32\urqnnnk.dll [ ]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
backup=C:\WINDOWS\pss\Free WebSite Tools.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^FINDFAST .0XE]

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^FINDFAST .0XE]

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^FINDFAST.0XE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
C:\WINDOWS\system32\drvcat.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 21:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Startup Wizard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lsass]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\News Service]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tracks Eraser Pro]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-01-11 14:18 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2005-11-18 08:04]
R2 BackWeb Plug-in - 4247706;WildBlue Security Center;C:\PROGRA~1\WILDBL~1\4247706\Program\SERVIC~1.EXE [2008-01-11 19:07]
R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Anti-Virus\Win2K\FSfilter.sys [2004-09-10 08:14]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\Anti-Virus\Win2K\FSgk.sys [2005-02-21 10:49]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\Anti-Virus\Win2K\FSrec.sys [2004-06-01 02:03]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-03 21:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-03 21:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-03 21:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-03 21:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2006-11-18 03:10:11 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1155606749.job"
- C:\Program Files\HP\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-01-12 21:47:54 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-10 15:30:26 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-12 00:00:43 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\ANTI-V~1\fsav.exeQ /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\ANTI-V~1\report.txt
"2008-01-12 21:47:54 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-09 01:33:26 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 14:51:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-12 14:52:48
ComboFix2.txt 2008-01-11 22:04:55


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:59 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\WILDBL~1\4247706\Program\SERVIC~1.EXE
C:\Program Files\Anti-Virus\fsgk32st.exe
C:\Program Files\Anti-Virus\FSGK32.EXE
C:\Program Files\WildBlue Security Center\4247706\program\fsbwsys.exe
C:\Program Files\Common\FSMA32.EXE
C:\Program Files\Anti-Virus\fssm32.exe
C:\Program Files\Common\FSMB32.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\WildBlue Security Center\4247706\Program\fspex.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common\FCH32.EXE
C:\Program Files\Anti-Virus\fsqh.exe
C:\Program Files\Common\FAMEH32.EXE
C:\Program Files\Anti-Virus\fsrw.exe
C:\Program Files\Anti-Virus\fsav32.exe
C:\Program Files\FWES\Program\fsdfwd.exe
C:\PROGRA~1\ANTI-S~1\fsaw.exe
C:\Program Files\FSGUI\fsguidll.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134} - C:\WINDOWS\system32\urqnnnk.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: WildBlue Security Center.lnk = C:\Program Files\WildBlue Security Center\4247706\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Anti-Spyware\ieshield.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\CarbonPoker\Poker.exe (HKCU)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: WildBlue Security Center (BackWeb Plug-in - 4247706) - BackWeb Technologies Inc. - C:\PROGRA~1\WILDBL~1\4247706\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\WildBlue Security Center\4247706\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8582 bytes

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 12 January 2008 - 05:22 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save As... / Save as Type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4

; The "~" in the ComboFix log is shorthand, not a real key, so the paths are written out in full here:
; ~ = SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer for the BHO entry,
; ~ = SOFTWARE\Microsoft\Shared Tools\MSConfig for the startupfolder entries.
; The log lists the FINDFAST entry under two spellings, so both are removed.
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134}"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^FINDFAST .0XE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^FINDFAST.0XE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Spoolsv]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows update loader]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]



Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following, as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.

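The fix above targets three things that show up together in the ComboFix and HijackThis logs posted in this thread: a nameless BHO whose DLL is "(file missing)", the same CLSID registered again under ShellExecuteHooks, and the mountpoints2 AutoRun commands. ComboFix also listed, in its own block, the executables whose names carry a space before the extension (ctfmon .exe, NeroCheck .exe and so on). The following is an added example, not part of RichieUK's post and not code from ComboFix, HijackThis or any of the tools named here: a small Python triage script that reads a pasted log and reports those signs. The sample lines are copied from the logs above (a constructed subset); the finding names ("suspicious_bho", "bho_and_hook", "spaced_extension", "autorun", "shellexecutehook") and the triage() function are my own choices.

```python
import re

# Constructed sample: a handful of lines copied from the ComboFix and HijackThis
# logs posted in this thread, enough to exercise every check below.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134}]
C:\WINDOWS\system32\urqnnnk.dll

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134}"= C:\WINDOWS\system32\urqnnnk.dll [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\AutoRun.exe

----a-w            15,360 2008-01-11 21:22:26  C:\WINDOWS\system32\ctfmon .exe
----a-w           155,648 2008-01-08 22:51:09  C:\WINDOWS\system32\NeroCheck .exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134} - C:\WINDOWS\system32\urqnnnk.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
# ComboFix "Reg Loading Points" / .reg style key header, e.g. [HKEY_LOCAL_MACHINE\~\...]
SECTION_RE = re.compile(r"^\[-?(?P<key>[^\]]+)\]$")
# HijackThis O2 line: O2 - BHO: <name> - {CLSID} - <path>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$")
# Value line under a shellexecutehooks header: "{CLSID}"= <path> [ ]
HOOK_RE = re.compile(r'^"(?P<clsid>' + CLSID + r')"\s*=\s*(?P<path>.*)$')
# A path whose file name has whitespace just before its extension ("ctfmon .exe").
SPACED_EXT_RE = re.compile(r"[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\]*\S\s+\.(?:exe|dll|scr|ocx)\b", re.I)
# mountpoints2 AutoRun command line as ComboFix prints it
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$", re.I)


def triage(log_text):
    """Return (kind, subject, detail) tuples for the persistence signs found in a pasted log."""
    findings = []
    bho_clsids, hook_clsids = set(), set()
    section = ""  # the current [key] header, lower-cased, so value lines can be attributed
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            c = re.search(CLSID, section)
            if "browser helper objects" in section and c:
                bho_clsids.add(c.group(0).upper())
            continue
        if section.endswith("shellexecutehooks"):
            m = HOOK_RE.match(line)
            if m:
                hook_clsids.add(m.group("clsid").upper())
                findings.append(("shellexecutehook", m.group("clsid").upper(), m.group("path")))
        m = O2_RE.match(line)
        if m:
            clsid = m.group("clsid").upper()
            bho_clsids.add(clsid)
            if m.group("name") == "(no name)" or "(file missing)" in m.group("path"):
                findings.append(("suspicious_bho", clsid, m.group("path")))
        m = SPACED_EXT_RE.search(line)
        if m:
            findings.append(("spaced_extension", m.group(0), ""))
        m = AUTORUN_RE.match(line)
        if m:
            findings.append(("autorun", section, m.group("cmd")))
    # The correlation that matters most: one CLSID wired in as both BHO and ShellExecuteHook.
    for clsid in sorted(bho_clsids & hook_clsids):
        findings.append(("bho_and_hook", clsid, "same CLSID loaded as BHO and ShellExecuteHook"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind:18} {subject} {detail}".rstrip())
```

Treat the output as triage, not a verdict: legitimate toolbars register BHOs too, and a drive's AutoRun entry may belong to a real USB stick. What the script gives you is the list of places a fix like the one above has to cover together, so that removing the BHO key alone does not leave the same CLSID behind under ShellExecuteHooks.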

#15 Edward1978

Edward1978
  • Topic Starter

  • Members
  • 26 posts

Posted 12 January 2008 - 08:29 PM

The computer seems to be working fine with one minor exception: booting into safe mode takes forever. The computer hangs at mup.sys. When this problem first started, I thought I could not get into safe mode because of the freeze-up at mup.sys. A few days ago when the problem first started, I just forgot about the computer and accidentally left it where it was frozen. It took about 20 minutes of just sitting there and then it just went into safe mode. Shutting down from safe mode is the same... it takes about 20 minutes.

What do I do about all of the files that the different virus programs deleted? Is there a process to reinstall them? I was smart enough to write down every file name I noticed to be deleted. Do I just take the files from my office computer?

Anyway, here are the logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/12/2008 at 06:00 PM

Application Version : 3.9.1008

Core Rules Database Version : 3379
Trace Rules Database Version: 1373

Scan type : Complete Scan
Total Scan Time : 01:33:52

Memory items scanned : 158
Memory threats detected : 0
Registry items scanned : 5858
Registry threats detected : 0
File items scanned : 37966
File threats detected : 0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:23:22 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\WILDBL~1\4247706\Program\SERVIC~1.EXE
C:\Program Files\Anti-Virus\fsgk32st.exe
C:\Program Files\Anti-Virus\FSGK32.EXE
C:\Program Files\WildBlue Security Center\4247706\program\fsbwsys.exe
C:\Program Files\Anti-Virus\fssm32.exe
C:\Program Files\Common\FSMA32.EXE
C:\Program Files\Common\FSMB32.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WildBlue Security Center\4247706\Program\fspex.exe
C:\Program Files\Common\FCH32.EXE
C:\Program Files\Common\FAMEH32.EXE
C:\Program Files\Anti-Virus\fsqh.exe
C:\Program Files\Anti-Virus\fsrw.exe
C:\Program Files\Anti-Virus\fsav32.exe
C:\Program Files\FWES\Program\fsdfwd.exe
C:\PROGRA~1\ANTI-S~1\fsaw.exe
C:\Program Files\FSGUI\fsguidll.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134} - C:\WINDOWS\system32\urqnnnk.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: WildBlue Security Center.lnk = C:\Program Files\WildBlue Security Center\4247706\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Anti-Spyware\ieshield.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\CarbonPoker\Poker.exe (HKCU)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: WildBlue Security Center (BackWeb Plug-in - 4247706) - BackWeb Technologies Inc. - C:\PROGRA~1\WILDBL~1\4247706\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\WildBlue Security Center\4247706\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8784 bytes
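Added example, not part of the post and not HijackThis's own logic: a small Python triage pass over log lines in the format above. It pulls the section tag, local path and URL out of each entry and flags the kinds a reviewer looks at first (orphan "(no file)" entries, O16 downloaded ActiveX controls, O20 Winlogon Notify DLLs, and autoruns launched from user-writable directories). The sample lines are constructed for the example, shaped like the entries above plus one synthetic Temp-folder autorun; the trusted and suspect directory lists and the flag rules are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis log format (not a real scan result).
# Lines 1, 2, 4-7 mirror entries from the log above; line 3 is a synthetic
# autorun from a Temp folder, added to exercise the path check.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\User\Local Settings\Temp\svchost.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# "O4 - <rest>" : section tag, then the entry body.
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# First Windows path ending in an executable/library extension.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|ocx|sys|cpl|scr))", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Assumed lists for the example: where autoruns normally live on an XP box,
# and fragments that mark user-writable or scratch locations.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\documents and settings\\", "\\recycler\\")


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str] = None
    url: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Split one log line into section, body, local path and URL; None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    entry = Entry(section, body)
    p = PATH_RE.search(body)
    entry.path = p.group(1) if p else None
    u = URL_RE.search(body)
    entry.url = u.group(0) if u else None
    return entry


def flag_entry(entry: Entry) -> Entry:
    """Attach review flags to an entry (rules are this example's assumptions)."""
    if "(no file)" in entry.body.lower():
        entry.flags.append("orphan: registry entry points at a file that no longer exists")
    if entry.section == "O16":
        entry.flags.append("O16 DPF: downloaded ActiveX control, check the hosting domain")
    if entry.section == "O20":
        entry.flags.append("O20 Winlogon Notify: DLL loaded into winlogon at every logon")
    if entry.path:
        low = entry.path.lower()
        if any(s in low for s in SUSPECT_DIRS):
            entry.flags.append("path: executable runs from a user-writable temp/profile directory")
        elif not low.startswith(TRUSTED_DIRS):
            entry.flags.append("path: executable outside Windows/Program Files")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that picked up at least one flag, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and flag_entry(entry).flags:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section}: {e.path or e.url or e.body}")
        for f in e.flags:
            print(f"    - {f}")
```

Run against the sample it reports four entries: the Temp-folder autorun, the orphaned Messenger button, the O16 download and the O20 Winlogon DLL. Entries that resolve to trusted directories (the Java updater, ctfmon.exe, the HP print service) pass silently; a flag is a prompt to verify the file's publisher and hash, not a verdict.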