Unknown Trojan Help Needed-many Popups In I.e, I Use Firefox!


9 replies to this topic

#1 jessemanzo

Posted 29 January 2008 - 09:59 PM

I come to these boards in search of help. I have tried EVERYTHING: Spybot S&D, AVG, and various other programs. I use Firefox, but I get these incessant pop-ups that eventually make my computer go very slow. I will post the HijackThis log in hopes that some brave soul will help me with this. Please help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:08 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_07\bin\npjpi141_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_07\bin\npjpi141_07.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\wuoryg.html

--
End of file - 7818 bytes


#2 lusitano (Portuguese Malware Fighter)

Posted 30 January 2008 - 05:05 AM

Hi, welcome to Bleeping Computer Forums!

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 jessemanzo (Topic Starter)

Posted 30 January 2008 - 11:47 AM

Thank you so much!

#4 lusitano (Portuguese Malware Fighter)

Posted 30 January 2008 - 07:12 PM

Hi jessemanzo


Please download Navilog1 by IL-MAFIOSO:
http://pagesperso-orange.fr/il.mafioso/Navifix/Navilog1.exe
(*Alternate download location Here)

* Save it to your Desktop.
* Double-click on Navilog1.exe to install the program.
* When the installation is complete, the tool will start automatically.
* If it doesn't start automatically, please double-click on the Navilog1 shortcut on your Desktop to run it.
* Press E for English from the language Menu.
* Type 1 in the next Menu to select Search and press Enter.
* Wait for the Scan to finish (It may take a reasonable amount of time).
* Press any key as requested .
* A new document will be produced: fixnavi.txt.
* Please copy/paste the contents of this report in your next reply.

The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)


Download ComboFix by sUBs from Here or Here to your Desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.

In your next reply please post:
  • The results from Navilog1 (step 1)
  • The results from ComboFix (step 2)
  • A new HijackThis log.
Regards

#5 lusitano (Portuguese Malware Fighter)

Posted 30 January 2008 - 07:13 PM

edit

Edited by lusitano, 30 January 2008 - 07:14 PM.


#6 jessemanzo (Topic Starter)

Posted 30 January 2008 - 10:12 PM

1. Navilog1 log
Search Navipromo version 3.4.2 began on Wed 01/30/2008 at 18:38:52.29

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!
Fix running from C:\Program Files\navilog1
Updated on 27.01.2008 at 17h00 by IL-MAFIOSO


Microsoft Windows XP [Version 5.1.2600]
Version Internet Explorer : 7.0.5730.13
Filesystem type : NTFS

Done in normal mode

*** Searching for installed Software ***




*** Search folders in C:\WINDOWS ***



*** Search folders in C:\Program Files ***



*** Search folders in C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1 ***




*** Search folders in "C:\Documents and Settings\Jesse Manzo\application data" ***



*** Search folders in "C:\Documents and Settings\Jesse Manzo\local settings\application data" ***



*** Search folders in "C:\Documents and Settings\Jesse Manzo\STARTM~1\Programs" ***


*** Search folders in C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Programs ***


*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net

No file found



*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
!!! Must always be checked before manually deleting !!!

* Scan in C:\WINDOWS\system32 *

* Scan in "C:\Documents and Settings\Jesse Manzo\local settings\application data" *



*** Search files ***




*** Search specific Registry keys ***


*** Complementary Search ***
(Search specific files)

1)Search new Instant Access files :


2)Heuristic Search :

* In C:\WINDOWS\system32 :


* In "C:\Documents and Settings\Jesse Manzo\local settings\application data" :


3)Certificates Search :

Egroup certificate not found !

4)Search known files :

C:\WINDOWS\system32\cdeeg.ini2 found ! Possible Vundo infection, not cleaned with this tool !
C:\WINDOWS\system32\ghkmp.ini2 found ! Possible Vundo infection, not cleaned with this tool !
C:\WINDOWS\system32\ijkmp.ini2 found ! Possible Vundo infection, not cleaned with this tool !
C:\WINDOWS\system32\rrutv.ini2 found ! Possible Vundo infection, not cleaned with this tool !


*** Search completed on Wed 01/30/2008 at 18:43:47.95 ***



2. ComboFix log:
ComboFix 08-01-31.1 - Jesse Manzo 2008-01-30 18:48:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.348 [GMT -8:00]
Running from: C:\Documents and Settings\Jesse Manzo\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\rqrpolj.dll
C:\Program Files\Common Files\ecurit~1
C:\Program Files\Common Files\ecurit~1\?ecurity\
C:\Program Files\Common Files\wuoryg.html
C:\Program Files\curity~1
C:\Program Files\Router
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\PerfInfo
C:\WINDOWS\system32\byxvutq.dll
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini2
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\ghkmp.ini
C:\WINDOWS\system32\ghkmp.ini2
C:\WINDOWS\system32\hbwjvqaq.ini
C:\WINDOWS\system32\ijkmp.ini
C:\WINDOWS\system32\ijkmp.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rqrpolj.dll
C:\WINDOWS\system32\rrutv.ini
C:\WINDOWS\system32\rrutv.ini2
C:\WINDOWS\system32\x64
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NPF


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-30 18:53 . 2008-01-30 18:53 <DIR> d-------- C:\Temp\tn3
2008-01-30 18:37 . 2008-01-30 18:45 <DIR> d-------- C:\Program Files\Navilog1
2008-01-29 18:43 . 2008-01-30 18:53 1,202,208 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-29 18:43 . 2008-01-30 18:52 15,116 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-29 18:39 . 2008-01-29 18:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2008-01-29 18:39 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-29 18:39 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-29 18:39 . 2008-01-29 18:40 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-01-29 18:25 . 2008-01-29 18:25 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-29 17:33 . 2008-01-29 17:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-29 17:33 . 2008-01-29 17:34 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-01-28 19:32 . 2008-01-28 19:32 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-01-28 15:09 . 2008-01-28 15:09 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-01-28 15:09 . 2008-01-28 15:09 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\Sunbelt Software
2008-01-28 15:09 . 2008-01-28 15:09 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Sunbelt Software
2008-01-28 11:14 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-28 11:14 . 2004-01-09 01:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-28 11:14 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-28 11:14 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-28 11:14 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-28 11:14 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-28 11:14 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-28 11:14 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-28 10:56 . 2008-01-28 10:56 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-28 10:56 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-01-28 10:47 . 2007-01-18 04:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-27 23:40 . 2008-01-27 23:40 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\PrevxCSI
2008-01-27 23:40 . 2008-01-27 23:40 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx
2008-01-27 15:42 . 2008-01-27 15:42 72,566 --a------ C:\WINDOWS\system32\GameFly_2.ico
2008-01-27 14:56 . 2008-01-28 15:49 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-27 14:48 . 2008-01-27 14:48 <DIR> d--hs---- C:\TrustedAntivirus
2008-01-27 14:48 . 2008-01-27 14:48 <DIR> dr------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SalesMon
2008-01-27 14:47 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-01-27 14:43 . 2008-01-28 15:49 <DIR> d-------- C:\WINDOWS\system32\wnis6
2008-01-27 14:43 . 2008-01-28 11:40 <DIR> d-------- C:\WINDOWS\system32\nip4
2008-01-27 14:43 . 2008-01-28 20:03 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-27 14:43 . 2008-01-28 15:49 <DIR> d-------- C:\WINDOWS\system32\ets1
2008-01-27 14:43 . 2008-01-28 15:39 <DIR> d--hs---- C:\WINDOWS\SmVzc2UgTWFuem8
2008-01-27 14:43 . 2008-01-27 14:43 <DIR> d-------- C:\Temp\gTiis19
2008-01-27 14:43 . 2008-01-27 14:43 <DIR> d-------- C:\Temp\cXzz9
2008-01-27 14:43 . 2008-01-30 18:53 <DIR> d-------- C:\Temp
2008-01-27 14:43 . 2008-01-27 14:43 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-27 14:43 . 2008-01-27 14:43 86,016 --a------ C:\WINDOWS\system32\drivers\msfss.sys
2008-01-25 21:51 . 2008-01-25 21:51 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\.jpi_cache
2008-01-25 21:51 . 2008-01-25 21:51 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\.java
2008-01-25 17:47 . 2008-01-28 10:53 <DIR> d-------- C:\Program Files\Cain
2008-01-25 14:07 . 2008-01-25 14:07 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-01-25 13:31 . 2008-01-25 13:31 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\DivX
2008-01-25 13:17 . 2008-01-25 13:17 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\DivX
2008-01-24 17:45 . 2008-01-24 17:45 <DIR> d-------- C:\Program Files\Java Web Start
2008-01-24 17:45 . 2008-01-24 17:45 <DIR> d-------- C:\Program Files\gs
2008-01-24 17:45 . 2008-01-24 17:45 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\.javaws
2008-01-24 17:45 . 2003-12-07 22:54 229,487 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-01-24 17:44 . 2008-01-24 17:44 <DIR> d-------- C:\Program Files\PlotSoft
2008-01-24 17:44 . 2004-06-06 20:17 53,248 --a------ C:\WINDOWS\system32\uninstpw.exe
2008-01-24 17:44 . 2005-05-07 14:15 24,576 --a------ C:\WINDOWS\system32\custsave.exe
2008-01-24 12:29 . 2008-01-24 12:29 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-01-23 00:27 . 2008-01-23 07:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-22 20:06 . 2008-01-22 20:06 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\Template
2008-01-22 20:00 . 2008-01-22 20:00 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-22 18:39 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-22 18:39 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-22 18:39 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-22 11:17 . 2003-12-11 11:15 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2008-01-22 11:17 . 2003-12-11 11:15 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2008-01-22 11:17 . 2003-12-11 11:15 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2008-01-22 11:17 . 2003-12-11 11:15 44,544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
2008-01-22 11:16 . 2008-01-22 11:16 <DIR> d-------- C:\Program Files\HP
2008-01-22 11:16 . 2008-01-22 11:17 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-01-22 11:16 . 2008-01-22 11:16 208,140 --a------ C:\WINDOWS\hpdj3740.hi1
2008-01-22 11:16 . 2008-01-22 11:16 9,077 --a------ C:\WINDOWS\hpdj3740.bu1
2008-01-22 11:12 . 2008-01-22 11:17 146,049 --a------ C:\WINDOWS\hpdj3740.his
2008-01-22 11:12 . 2008-01-22 11:17 10,568 --a------ C:\WINDOWS\hpdj3740.ini
2008-01-22 09:40 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-01-22 09:37 . 2008-01-22 09:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2008-01-22 06:51 . 2007-10-10 15:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-22 06:51 . 2007-06-30 19:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-22 06:51 . 2007-06-30 19:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-22 06:51 . 2007-10-10 15:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-22 06:51 . 2007-10-10 15:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-22 06:51 . 2007-10-10 15:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-22 06:51 . 2007-10-10 15:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-22 06:51 . 2007-10-10 15:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-22 06:51 . 2007-10-10 02:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-21 21:30 . 2008-01-30 10:30 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\uTorrent
2008-01-21 20:25 . 2008-01-30 10:54 336 --a------ C:\Documents and Settings\Jesse Manzo\Application Data\wklnhst.dat
2008-01-21 19:43 . 2008-01-21 19:43 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\CyberLink
2008-01-21 16:48 . 2008-01-21 16:48 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-21 16:39 . 2008-01-21 16:39 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\Apple Computer
2008-01-21 16:39 . 2008-01-30 18:53 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-21 16:39 . 2008-01-21 16:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-21 16:38 . 2008-01-21 16:38 <DIR> d-------- C:\Program Files\Bonjour
2008-01-21 16:38 . 2008-01-21 16:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-01-21 16:38 . 2008-01-21 16:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-01-21 16:21 . 2008-01-22 09:13 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 2
2008-01-21 16:21 . 2008-01-21 16:21 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-21 16:18 . 2008-01-21 23:52 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Roxio
2008-01-21 16:18 . 2008-01-27 09:47 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\Roxio
2008-01-21 16:18 . 2008-01-21 16:18 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-01-21 16:18 . 2008-01-21 16:18 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 02:54 34,360 ----a-w C:\WINDOWS\system32\drivers\sbapifs.sys
2008-01-29 20:37 16,512 ----a-w C:\WINDOWS\system32\drivers\raspti.sys
2008-01-28 19:13 246 ----a-w C:\Program Files\Common Files\sajur
2008-01-27 22:51 10 ----a-w C:\Program Files\.autoreg
2008-01-21 23:48 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-01-04 21:58 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0EF68911-EE90-4F68-9D36-17653DD30FDF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24992238-AA7F-4485-B98C-DF525EB7E710}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{454F7B1C-EA3E-45C7-A060-16DB6939B6C0}]
C:\WINDOWS\system32\pmkji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6586DB96-2168-46EB-9234-F59EDBE3257C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA76533D-C335-4E85-9ADD-8C289DC70128}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB04F3D5-C7D6-4C6F-9247-DBC72D12AD04}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE1490AE-F28F-45CE-8449-039E8D3D54A4}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 14:27 16132608 C:\WINDOWS\RTHDCPL.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-04-16 19:51 142104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-04-16 19:51 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-04-16 19:51 138008]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 11:56 124200]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 11:35 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 11:37 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 11:22 221184]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2005-07-22 19:25 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-07-22 19:25 49152]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-12-21 15:30 698864]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dhdtacrz]
dhdtacrz.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrpolj]

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-01-28 19:32]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2007-02-08 20:05]
R1 msfss;msfss;C:\WINDOWS\system32\drivers\msfss.sys [2008-01-27 14:43]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []

*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 06:01:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 18:53:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2008-01-30 18:55:48 - machine was rebooted [Jesse Manzo]
ComboFix-quarantined-files.txt 2008-01-31 02:55:46
.
2008-01-23 04:00:12 --- E O F ---

3.) HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:42 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {454F7B1C-EA3E-45C7-A060-16DB6939B6C0} - C:\WINDOWS\system32\pmkji.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_07\bin\npjpi141_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_07\bin\npjpi141_07.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O20 - Winlogon Notify: dhdtacrz - dhdtacrz.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7965 bytes

#7 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 01 February 2008 - 02:13 PM

Hello,

Please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.

TrustedAntivirus
- TrustedAntivirus is a misleading application that may give exaggerated reports of system performance problems on the computer.
Read about that software here <-


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0EF68911-EE90-4F68-9D36-17653DD30FDF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24992238-AA7F-4485-B98C-DF525EB7E710}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{454F7B1C-EA3E-45C7-A060-16DB6939B6C0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6586DB96-2168-46EB-9234-F59EDBE3257C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA76533D-C335-4E85-9ADD-8C289DC70128}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB04F3D5-C7D6-4C6F-9247-DBC72D12AD04}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE1490AE-F28F-45CE-8449-039E8D3D54A4}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dhdtacrz]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrpolj]

Dirlook::
C:\WINDOWS\SmVzc2UgTWFuem8
C:\Program Files\Common Files\sajur

Folder::
C:\WINDOWS\system32\wnis6
C:\TrustedAntivirus
C:\WINDOWS\system32\nGpxx01
C:\Temp\gTiis19
C:\Temp

File::
C:\WINDOWS\system32\pmkji.dll
C:\WINDOWS\system32\dhdtacrz.dll
C:\WINDOWS\system32\rqrpolj.dll
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post them along with a new HijackThis log.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Please click this link-->Jotti
  • When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
  • C:\WINDOWS\system32\drivers\msfss.sys
  • Please post back the results of the scan in your next post.
  • You can try the same at Virustotal: http://www.virustotal.com/

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
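The entries the CFScript above removes are the HijackThis lines whose target ends in "(file missing)" or "(no file)". The following added Python (not lusitano's, HijackThis's or ComboFix's code) pulls those orphaned O2/O20 lines out of a log and writes them in the same Registry::/File:: form, so the mapping between the posted log and the script can be checked before it is run. The sample lines are copied from the logs in this thread; it assumes a bare Winlogon Notify DLL name resolves under C:\WINDOWS\system32, and it only reports O3 toolbar entries because the thread shows no CFScript form for them.

```python
"""Flag orphaned HijackThis entries and express them as ComboFix CFScript lines.

Added example for this thread; the sample log lines are copied from the
HijackThis logs posted above, everything else is constructed here.
"""
import re

# A line ending in one of these markers is a registry hook whose file is
# already gone: the leftover of the removed/renamed malware component.
ORPHAN_MARKERS = ("(file missing)", "(no file)")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Key prefixes written exactly as the helper's CFScript writes them
# ("~" is the shorthand the thread's own script uses for the IE BHO key).
BHO_PREFIX = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_PREFIX = (r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt"
                 r"\currentversion\winlogon\notify")
# Assumption: a Winlogon Notify DLL given by bare name loads from system32,
# and the ComboFix header in the thread shows the Windows directory is C:\WINDOWS.
SYSTEM32 = r"C:\WINDOWS\system32"

# Constructed sample: four lines copied from the thread's logs plus one clean BHO.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {454F7B1C-EA3E-45C7-A060-16DB6939B6C0} - C:\WINDOWS\system32\pmkji.dll (file missing)
O20 - Winlogon Notify: dhdtacrz - dhdtacrz.dll (file missing)
O2 - BHO: (no name) - {E1BACF55-35E1-4E47-9247-2D48660E5545} - (no file)
O3 - Toolbar: (no name) - {E1BACF55-35E1-4E47-9247-2D48660E5545} - (no file)
"""


def _strip_marker(text):
    """Remove the orphan marker and surrounding ' - ' separators from a target."""
    for marker in ORPHAN_MARKERS:
        text = text.replace(marker, "")
    return text.strip(" -")


def orphaned_entries(log_text):
    """Return (section, identifier, path) for every orphaned O2/O3/O20 line.

    identifier is the CLSID for O2/O3 entries and the Notify subkey name for O20;
    path is the full DLL path, or '' when the log gives none.
    """
    found = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.endswith(ORPHAN_MARKERS):
            continue
        section = line.split(" - ", 1)[0]
        if section in ("O2", "O3"):
            match = CLSID_RE.search(line)
            if not match:
                continue
            found.append((section, match.group(0), _strip_marker(line[match.end():])))
        elif section == "O20":
            body = line.split(": ", 1)[1]          # "dhdtacrz - dhdtacrz.dll (file missing)"
            name, _, target = body.partition(" - ")
            path = _strip_marker(target)
            if path and "\\" not in path:           # bare name: resolve as Winlogon would
                path = SYSTEM32 + "\\" + path
            found.append((section, name.strip(), path))
    return found


def cfscript_lines(entries):
    """Build the Registry:: and File:: blocks in the form used in the thread.

    O3 toolbar entries are left out of the Registry:: block on purpose: the
    thread shows no CFScript line for them, so they are only reported.
    """
    registry, files = [], []
    for section, ident, path in entries:
        if section == "O2":
            registry.append(f"[-{BHO_PREFIX}\\{ident}]")
        elif section == "O20":
            registry.append(f"[-{NOTIFY_PREFIX}\\{ident}]")
        if path and path not in files:
            files.append(path)
    out = ["Registry::"] + registry
    if files:
        out += ["", "File::"] + files
    return out


if __name__ == "__main__":
    entries = orphaned_entries(SAMPLE_HJT_LOG)
    for entry in entries:
        print("orphaned:", entry)
    print()
    print("\n".join(cfscript_lines(entries)))
```

Compare the generated block against the script lusitano posted: the {454F7B1C-...} BHO key, the winlogon\notify\dhdtacrz key and both DLL paths appear in it, and anything the tool emits that the helper did not include is something to ask about rather than add.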

#8 jessemanzo

jessemanzo
  • Topic Starter

  • Members
  • 11 posts

Posted 03 February 2008 - 01:08 PM

TrustedAntivirus didn't come up on my Add/Remove Programs list. Should that be happening?

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:31 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E1BACF55-35E1-4E47-9247-2D48660E5545} - (no file)
O3 - Toolbar: (no name) - {E1BACF55-35E1-4E47-9247-2D48660E5545} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DellAutomatedPCTuneUp] "C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_07\bin\npjpi141_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_07\bin\npjpi141_07.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7927 bytes

**** ComboFix log:

ComboFix 08-01-31.1 - Jesse Manzo 2008-02-03 9:49:35.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.544 [GMT -8:00]
Running from: C:\Documents and Settings\Jesse Manzo\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jesse Manzo\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\dhdtacrz.dll
C:\WINDOWS\system32\pmkji.dll
C:\WINDOWS\system32\rqrpolj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-03 00:08 . 2008-02-03 00:08 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-02-02 23:47 . 2008-02-02 23:47 4,116 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-02 18:44 . 2008-02-02 18:45 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\Walgreens
2008-02-02 17:51 . 2008-02-03 00:05 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\WeatherDPA
2008-01-31 11:37 . 2008-01-31 11:37 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\MySpace
2008-01-30 19:55 . 2008-01-30 19:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SupportSoft
2008-01-30 19:51 . 2008-01-30 19:51 <DIR> d--h----- C:\Documents and Settings\Jesse Manzo\Application Data\GTek
2008-01-30 19:51 . 2007-06-08 01:10 876,544 --a------ C:\WINDOWS\system32\TEACico2.dll
2008-01-30 19:50 . 2008-01-30 19:50 <DIR> d-------- C:\Program Files\DellAutomatedPCTuneUp
2008-01-30 19:50 . 2008-01-30 19:51 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Gtek
2008-01-30 18:37 . 2008-01-30 18:45 <DIR> d-------- C:\Program Files\Navilog1
2008-01-29 18:43 . 2008-02-03 09:52 5,404,704 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-29 18:43 . 2008-02-03 09:51 64,364 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-29 18:39 . 2008-01-29 18:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2008-01-29 18:39 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-29 18:39 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-29 18:39 . 2008-01-29 18:40 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-01-29 18:25 . 2008-01-29 18:25 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-29 17:33 . 2008-01-29 17:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-29 17:33 . 2008-01-29 17:34 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-01-28 15:09 . 2008-01-28 15:09 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\Sunbelt Software
2008-01-28 11:14 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-28 11:14 . 2004-01-09 01:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-28 11:14 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-28 11:14 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-28 11:14 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-28 11:14 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-28 11:14 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-28 11:14 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-28 10:56 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-01-28 10:47 . 2007-01-18 04:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-27 23:40 . 2008-01-27 23:40 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\PrevxCSI
2008-01-27 23:40 . 2008-01-27 23:40 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx
2008-01-27 15:42 . 2008-01-27 15:42 72,566 --a------ C:\WINDOWS\system32\GameFly_2.ico
2008-01-27 14:56 . 2008-01-28 15:49 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-27 14:48 . 2008-01-27 14:48 <DIR> dr------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SalesMon
2008-01-27 14:47 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-01-27 14:43 . 2008-01-28 11:40 <DIR> d-------- C:\WINDOWS\system32\nip4
2008-01-27 14:43 . 2008-01-28 15:49 <DIR> d-------- C:\WINDOWS\system32\ets1
2008-01-27 14:43 . 2008-01-28 15:39 <DIR> d--hs---- C:\WINDOWS\SmVzc2UgTWFuem8
2008-01-27 14:43 . 2008-01-27 14:43 86,016 --a------ C:\WINDOWS\system32\drivers\msfss.sys
2008-01-25 21:51 . 2008-01-25 21:51 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\.jpi_cache
2008-01-25 21:51 . 2008-01-25 21:51 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\.java
2008-01-25 17:47 . 2008-01-28 10:53 <DIR> d-------- C:\Program Files\Cain
2008-01-25 14:07 . 2008-01-25 14:07 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-01-25 13:31 . 2008-01-25 13:31 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\DivX
2008-01-25 13:17 . 2008-01-25 13:17 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\DivX
2008-01-24 17:45 . 2008-01-24 17:45 <DIR> d-------- C:\Program Files\Java Web Start
2008-01-24 17:45 . 2008-01-24 17:45 <DIR> d-------- C:\Program Files\gs
2008-01-24 17:45 . 2008-01-24 17:45 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\.javaws
2008-01-24 17:45 . 2003-12-07 22:54 229,487 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-01-24 17:44 . 2008-01-24 17:44 <DIR> d-------- C:\Program Files\PlotSoft
2008-01-24 17:44 . 2004-06-06 20:17 53,248 --a------ C:\WINDOWS\system32\uninstpw.exe
2008-01-24 17:44 . 2005-05-07 14:15 24,576 --a------ C:\WINDOWS\system32\custsave.exe
2008-01-24 12:29 . 2008-01-24 12:29 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-01-23 00:27 . 2008-01-23 07:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-22 20:06 . 2008-01-22 20:06 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\Template
2008-01-22 20:00 . 2008-01-22 20:00 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-22 18:39 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-22 18:39 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-22 18:39 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-22 11:17 . 2003-12-11 11:15 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2008-01-22 11:17 . 2003-12-11 11:15 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2008-01-22 11:17 . 2003-12-11 11:15 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2008-01-22 11:17 . 2003-12-11 11:15 44,544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
2008-01-22 11:16 . 2008-01-22 11:16 <DIR> d-------- C:\Program Files\HP
2008-01-22 11:16 . 2008-01-22 11:17 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-01-22 11:16 . 2008-01-22 11:16 208,140 --a------ C:\WINDOWS\hpdj3740.hi1
2008-01-22 11:16 . 2008-01-22 11:16 9,077 --a------ C:\WINDOWS\hpdj3740.bu1
2008-01-22 11:12 . 2008-01-22 11:17 146,049 --a------ C:\WINDOWS\hpdj3740.his
2008-01-22 11:12 . 2008-01-22 11:17 10,568 --a------ C:\WINDOWS\hpdj3740.ini
2008-01-22 09:40 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-01-22 09:37 . 2008-01-22 09:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2008-01-22 06:51 . 2007-10-10 15:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-22 06:51 . 2007-06-30 19:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-22 06:51 . 2007-06-30 19:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-22 06:51 . 2007-10-10 15:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-22 06:51 . 2007-10-10 15:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-22 06:51 . 2007-10-10 15:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-22 06:51 . 2007-10-10 15:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-22 06:51 . 2007-10-10 15:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-22 06:51 . 2007-10-10 02:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-21 21:30 . 2008-02-02 06:56 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\uTorrent
2008-01-21 20:25 . 2008-02-01 11:31 336 --a------ C:\Documents and Settings\Jesse Manzo\Application Data\wklnhst.dat
2008-01-21 19:43 . 2008-01-21 19:43 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\CyberLink
2008-01-21 16:48 . 2008-01-21 16:48 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-21 16:39 . 2008-01-21 16:39 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\Apple Computer
2008-01-21 16:39 . 2008-02-03 09:52 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-21 16:39 . 2008-01-21 16:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-21 16:38 . 2008-01-21 16:38 <DIR> d-------- C:\Program Files\Bonjour
2008-01-21 16:38 . 2008-01-21 16:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-01-21 16:38 . 2008-01-21 16:38 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-01-21 16:21 . 2008-01-22 09:13 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 2
2008-01-21 16:21 . 2008-01-21 16:21 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-21 16:18 . 2008-01-21 23:52 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Roxio
2008-01-21 16:18 . 2008-01-27 09:47 <DIR> d-------- C:\Documents and Settings\Jesse Manzo\Application Data\Roxio
2008-01-21 16:18 . 2008-01-21 16:18 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-01-21 16:18 . 2008-01-21 16:18 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-01-21 16:07 . 2006-07-21 11:21 99,176 --a------ C:\WINDOWS\system32\drivers\DRVMCDB.SYS
2008-01-21 16:07 . 2006-10-26 16:21 92,920 --a------ C:\WINDOWS\DLA.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 03:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 02:36 --------- d-----w C:\Program Files\Trend Micro
2008-01-29 20:37 16,512 ----a-w C:\WINDOWS\system32\drivers\raspti.sys
2008-01-28 19:13 246 ----a-w C:\Program Files\Common Files\sajur
2008-01-27 22:51 10 ----a-w C:\Program Files\.autoreg
2008-01-25 01:45 --------- d-----w C:\Program Files\Java
2008-01-22 00:38 --------- d-----w C:\Program Files\QuickTime
2008-01-22 00:38 --------- d-----w C:\Program Files\iTunes
2008-01-22 00:12 --------- d-----w C:\Program Files\Microsoft Works
2008-01-21 23:53 --------- d-----w C:\Program Files\Intel
2008-01-21 23:48 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-01-21 23:44 --------- d-----w C:\Program Files\Dell
2008-01-19 17:32 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-01-04 21:58 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-04 21:58 129,784 ----a-w C:\WINDOWS\system32\PxAFS.DLL
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-02 08:12 --------- d-----w C:\Program Files\uTorrent
2008-01-02 00:36 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-12-30 22:44 --------- d-----w C:\Program Files\Lavasoft
2007-12-30 17:12 --------- d-----w C:\Program Files\DNA
2007-12-29 21:40 --------- d-----w C:\Program Files\iDump
2007-12-28 05:05 --------- d-----w C:\Program Files\Yahoo!
2007-12-28 04:56 --------- d-----w C:\Program Files\America Online 9.0
2007-12-27 17:47 --------- d-----w C:\Program Files\Google
2007-12-27 17:47 --------- d-----w C:\Program Files\DAEMON Tools Pro
2007-12-23 20:28 --------- d-----w C:\Program Files\XBox 360 Controller for Windows Software
2007-12-21 22:30 --------- d-----w C:\Program Files\BitTorrent
2007-12-20 03:08 --------- d-----w C:\Program Files\Microsoft Silverlight
2007-12-15 17:27 --------- d-----w C:\Program Files\SECUREMAKER
2007-12-14 19:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-14 18:45 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-14 06:00 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-12-14 05:59 --------- d-----w C:\Program Files\Windows Live Favorites
2007-12-14 05:59 --------- d-----w C:\Program Files\Windows Live
2007-12-14 05:58 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2007-12-14 05:56 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-12 20:57 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-12 03:03 --------- d-----w C:\Program Files\Shareaza
2007-12-11 21:55 --------- d-----w C:\Program Files\Apple Software Update
2007-12-11 21:54 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-11 21:04 --------- d-----w C:\Program Files\MySpace
2007-12-08 18:39 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Roxio
2007-12-08 18:39 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2007-12-08 18:37 --------- d-----w C:\Program Files\EarthLink Setup
2007-12-08 18:36 --------- d-----w C:\Program Files\Viewpoint
2007-12-08 18:36 --------- d-----w C:\Program Files\Learn2.com
2007-12-08 18:36 --------- d-----w C:\Program Files\Common Files\aolshare
2007-12-08 18:36 --------- d-----w C:\Program Files\AOL Companion
2007-12-08 18:35 --------- d-----w C:\Program Files\Real
2007-12-08 18:35 --------- d-----w C:\Program Files\Microsoft Plus! Photo Story 2 LE
2007-12-08 18:35 --------- d-----w C:\Program Files\Common Files\Real
2007-12-08 18:35 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-12-08 18:35 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-08 18:34 --------- d-----w C:\Program Files\MUSICMATCH
2007-12-08 18:34 --------- d-----w C:\Program Files\Microsoft Plus! Digital Media Edition
2007-12-08 18:33 --------- d-----w C:\Program Files\Dell Support Center
2007-12-08 18:33 --------- d-----w C:\Program Files\Dell DataSafe Online
2007-12-08 18:33 --------- d-----w C:\Program Files\Common Files\supportsoft
2007-12-08 18:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-08 18:30 --------- d-----w C:\Program Files\CyberLink
2007-12-08 18:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-08 18:26 --------- d-----w C:\Program Files\NetZeroInstallers
2007-12-08 18:26 --------- d-----w C:\Program Files\NetWaiting
2007-12-08 18:25 --------- d-----w C:\Program Files\Digital Line Detect
2007-12-08 18:23 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\InstallShield
2007-12-08 18:23 --------- d-----w C:\Program Files\Modem Diagnostic Tool
2007-12-08 18:21 --------- d-----w C:\Program Files\Common Files\Java
2007-12-08 18:20 --------- d-----w C:\Program Files\MSXML 6.0
2007-12-08 18:10 --------- d-----w C:\Program Files\CONEXANT
2007-11-15 00:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\Common Files\sajur ----

C:\Program Files\Common Files\sajur\

---- Directory of C:\WINDOWS\SmVzc2UgTWFuem8 ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1BACF55-35E1-4E47-9247-2D48660E5545}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"DellAutomatedPCTuneUp"="C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 09:49 465136]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 14:27 16132608 C:\WINDOWS\RTHDCPL.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-04-16 19:51 142104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-04-16 19:51 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-04-16 19:51 138008]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 11:56 124200]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 11:35 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 11:37 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 11:22 221184]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2005-07-22 19:25 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-07-22 19:25 49152]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 17:47 8720384]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@=""

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2007-02-08 20:05]
R1 msfss;msfss;C:\WINDOWS\system32\drivers\msfss.sys [2008-01-27 14:43]
R2 datunidr;DellAutomatedPCTuneUp UniDriver;C:\WINDOWS\system32\DRIVERS\datunidr.sys [2007-08-23 18:29]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []
S3 DellAMBrokerService;DellAMBrokerService;"C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe" [2007-10-11 09:49]
S3 PTproct;PTproct;C:\Program Files\DellAutomatedPCTuneUp\GTAction\triggers\PTproct.sys [2006-10-05 16:07]
S3 yeddef;YEDDEF driver;C:\WINDOWS\system32\Drivers\yeddef.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 06:01:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 09:53:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-03 9:55:19 - machine was rebooted [Jesse Manzo]
ComboFix-quarantined-files.txt 2008-02-03 17:55:14
ComboFix2.txt 2008-02-01 19:35:50
ComboFix3.txt 2008-01-31 02:55:48
.
2008-01-23 04:00:12 --- E O F ---

**** Jotti scan- this is what I got:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

I followed all instructions-turned off my firewall, antivirus, everything.

also: the pop ups are getting worse-I counted 20 in a 15 minute period
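A small triage helper for ComboFix output like the log above, added here as an example; it is not part of this thread and not ComboFix's own code. It parses the Find3M file lines and the R*/S* driver-service lines (formats assumed from the log itself; the sample lines are copied from it) and flags what an analyst looks at first: binaries recently written under the Windows directory, very small files with non-descriptive names under Program Files, and driver services whose file carries no timestamp (often hidden or missing). The RECENT_DAYS cutoff is an assumed value.

```python
"""Triage a ComboFix log: parse Find3M entries and driver-service lines and
flag the ones worth a second look. Added example; assumes the line formats
seen in the log above. Sample lines are copied from that log."""
import re
from datetime import datetime, timedelta

# Find3M line: "2008-01-27 22:51 10 ----a-w C:\path"; directories show "---------" for size.
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (-{9}|[\d,]+) (\S{7}) (.+)$")
# Driver/service line: "R1 name;display;C:\path.sys [2008-01-27 14:43]" or "[]" when no timestamp.
DRIVER_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")

RECENT_DAYS = 14  # assumed cutoff; tune per case

# Constructed sample: lines copied from the ComboFix log in this thread.
SAMPLE_LINES = [
    r"2008-01-29 20:37 16,512 ----a-w C:\WINDOWS\system32\drivers\raspti.sys",
    r"2008-01-28 19:13 246 ----a-w C:\Program Files\Common Files\sajur",
    r"2008-01-27 22:51 10 ----a-w C:\Program Files\.autoreg",
    r"2008-01-25 01:45 --------- d-----w C:\Program Files\Java",
    r"2008-01-21 23:48 315,392 ----a-w C:\WINDOWS\HideWin.exe",
    r"2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll",
    r"R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2007-02-08 20:05]",
    r"R1 msfss;msfss;C:\WINDOWS\system32\drivers\msfss.sys [2008-01-27 14:43]",
    r"S3 yeddef;YEDDEF driver;C:\WINDOWS\system32\Drivers\yeddef.sys []",
]
SCAN_DATE = datetime(2008, 2, 3)  # the "Rootkit scan" date in the log


def parse_find3m(line):
    """Return a dict for a Find3M line, or None if the line is not one."""
    m = FIND3M_RE.match(line)
    if not m:
        return None
    date, time, size, attrs, path = m.groups()
    return {
        "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
        "size": None if size.startswith("-") else int(size.replace(",", "")),
        "is_dir": attrs.startswith("d"),
        "attrs": attrs,
        "path": path,
    }


def parse_driver(line):
    """Return a dict for an R*/S* driver-service line, or None."""
    m = DRIVER_RE.match(line)
    if not m:
        return None
    start, name, display, path, stamp = m.groups()
    return {"start": start, "name": name, "display": display,
            "path": path, "stamp": stamp or None}


def triage(lines, scan_date):
    """Return (reason, item) pairs for entries an analyst should inspect."""
    findings = []
    cutoff = scan_date - timedelta(days=RECENT_DAYS)
    for line in lines:
        f = parse_find3m(line)
        if f and not f["is_dir"]:
            low = f["path"].lower()
            # A binary written into the Windows tree shortly before the scan.
            if (low.endswith((".sys", ".dll", ".exe"))
                    and "\\windows\\" in low and f["when"] >= cutoff):
                findings.append(("recent system binary", f["path"]))
            # A tiny file under Program Files: often a marker or config dropped by an installer.
            elif f["size"] is not None and f["size"] < 512 and "\\program files\\" in low:
                findings.append(("tiny file in Program Files", f["path"]))
            continue
        d = parse_driver(line)
        if d:
            # No timestamp means ComboFix could not stat the file: hidden or missing.
            if d["stamp"] is None:
                findings.append(("driver with no file timestamp", d["name"]))
            elif datetime.strptime(d["stamp"], "%Y-%m-%d %H:%M") >= cutoff:
                findings.append(("recently created driver", d["name"]))
    return findings


def triage_sample():
    """Run the triage over the constructed sample against the log's scan date."""
    return triage(SAMPLE_LINES, SCAN_DATE)


if __name__ == "__main__":
    for reason, item in triage_sample():
        print(f"{reason:32} {item}")
```

On the sample it surfaces the same two drivers the helper below asks about (yeddef.sys with no timestamp, msfss.sys created a week before the scan) together with some legitimate noise such as raspti.sys, which is the point: the script narrows the list, the analyst still checks each hit.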

#9 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:04:09 AM

Posted 04 February 2008 - 11:41 AM

Hello,

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\system32\TEACico2.dll
  • Click on the submit button
  • Please post the results in your next reply.
  • Please repeat for this file:
    • C:\WINDOWS\system32\Drivers\yeddef.sys
Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.bleepingcomputer.com/forums/t/128408/unknown-trojan-help-needed-many-popups-in-ie-i-use-firefox/
Suspect::[4]
C:\WINDOWS\system32\TEACico2.dll
C:\WINDOWS\system32\Drivers\yeddef.sys
File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\msfss.sys
Folder::
C:\Documents and Settings\Jesse Manzo\Application Data\WeatherDPA
Driver::
msfss
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
  • This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed, and read it carefully.
  • With the above script, ComboFix will capture a file to submit for analysis.
  • Ensure you are connected to the internet and click OK.
  • A browser will open. Simply follow the instructions to copy/paste/send the requested file.
Download Avg anti-spyware from HERE and save that file to your desktop.
  • Once you have downloaded Avg anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run Avg and update the definition files.
  • On the main screen select the "Update" icon then click "Start Update". The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
Don't run it yet. Close Avg anti-spyware.

Please reboot your computer in SafeMode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.
  • Select the first option, to run Windows in Safe Mode.
  • If you have trouble getting into Safe mode go here <--link to tutorial
  • Launch Avg-anti-spyware by double-clicking the icon on your desktop. IMPORTANT: Do not open any other windows or programs while Avg is scanning, it may interfere with the scanning process.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"
  • Avg will now begin the scanning process, be patient this may take a little time.
  • Avg will list any infections found on the left hand side. When the scan has finished, it should automatically set the recommended action to Quarantine--if not click on Recommended Action and set it there. Click the Apply all actions button. Avg will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close Avg.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.

Reboot back to normal mode.
Please post back:

1) The Avg report
2) The Combofix report
3) The Jotti results
4) New HijackThis log
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#10 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  • Gender:Male
  • Location:Boston Mass
  • Local time:12:09 AM

Posted 09 February 2008 - 12:15 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



