
Virus: Troj Vundo.bmf


  • This topic is locked
9 replies to this topic

#1 austinjim

austinjim

  • Members
  • 7 posts
  • Gender:Male
  • Location:Austin, TX

Posted 22 April 2008 - 06:34 PM

Tried several attempts with your examples and no luck. Thanks for the help.

Tuesday, April 22, 2008 6:12:08 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/04/2008
Kaspersky Anti-Virus database records: 721742


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 70408
Number of viruses found 8
Number of infected objects 15
Number of suspicious objects 0
Duration of the scan process 01:07:14

Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\4514.tmp Infected: Trojan-Downloader.Win32.Delf.gpm skipped

C:\Deckard\System Scanner\backup\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\A62D-tmp.exe Infected: Trojan-Downloader.Win32.Delf.gpm skipped

C:\Deckard\System Scanner\backup\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\ddcktprt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pim skipped

C:\Deckard\System Scanner\backup\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\ewqteiqf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pik skipped

C:\Deckard\System Scanner\backup\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\ifhnofrw.dll Infected: Packed.Win32.Monder.gen skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\systemindex.3.Crwl Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\systemindex.3.gthr Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.ci Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wsb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001A.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\systemindex.Ntfy5.gthr Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf4.tmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf5.tmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_81c.dat Object is locked skipped

C:\Documents and Settings\Jim Harrison\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-52e38f31-69c0cc21.zip/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped

C:\Documents and Settings\Jim Harrison\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-52e38f31-69c0cc21.zip/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped

C:\Documents and Settings\Jim Harrison\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-52e38f31-69c0cc21.zip/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped

C:\Documents and Settings\Jim Harrison\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-52e38f31-69c0cc21.zip ZIP: infected - 3 skipped

C:\Documents and Settings\Jim Harrison\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Jim Harrison\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Jim Harrison\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Jim Harrison\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jim Harrison\Local Settings\Temporary Internet Files\Content.IE5\7ASVNTK1\count[1].htm Infected: Exploit.HTML.Agent.x skipped

C:\Documents and Settings\Jim Harrison\Local Settings\Temporary Internet Files\Content.IE5\EZO5APQD\AccessMediaSetup[1].exe Infected: Trojan-Downloader.Win32.Delf.gpm skipped

C:\Documents and Settings\Jim Harrison\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jim Harrison\ntuser.dat Object is locked skipped

C:\Documents and Settings\Jim Harrison\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_dc4.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_91.trc Object is locked skipped

C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped

C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\ntmfxufa.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP820\change.log Object is locked skipped

C:\twuf.exe Infected: Trojan-Clicker.Win32.Costrat.fl skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\QB GDS P.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\hgGaaayW.dll Infected: Packed.Win32.Monder.gen skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\zeqbqwp.sys Object is locked skipped

Scan process completed.

Deckard's System Scanner v20071014.68
Run by Jim Harrison on 2008-04-22 15:35:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-04-22 20:36:31 UTC - RP820 - Deckard's System Scanner Restore Point
2: 2008-04-17 15:34:05 UTC - RP819 - Software Distribution Service 3.0
1: 2008-04-17 12:36:16 UTC - RP818 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 79% (more than 75%).
Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Jim Harrison.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:14 PM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Documents and Settings\Jim Harrison\Desktop\dss.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jim Harrison.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: {54faa3d3-53aa-c079-b174-51224f8b2420} - {0242b8f4-2215-471b-970c-aa353d3aaf45} - C:\WINDOWS\system32\kiamsqmg.dll (file missing)
O2 - BHO: (no name) - {0a6ca6ff-5e0a-4807-8283-58c6207a41be} - C:\WINDOWS\system32\hgGaaayW.dll
O2 - BHO: (no name) - {e45b12a3-3687-4ceb-b0f5-f2cf3b901c6c} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrab...rabblecubes.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinner.com/games/v47/skillgam/skillgam.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - http://www.worldwinner.com/games/v46/share...GamesLoader.cab
O16 - DPF: {30FEDFBF-391B-45F7-8AFF-796E8A532869} (PCRHTML3.HTML1) - http://mst.pcrecruiter.com/pcrimg/PCRHTML.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} (WWHearts Control) - http://www.worldwinner.com/games/v52/wwhearts/wwhearts.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} - http://www.worldwinner.com/games/v41/freecell/freecell.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1181058224718
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinner.com/games/v44/wordcube/wordcube.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8FAC20B4-0B1D-4BAC-BCE0-59DA519DEE67} (PCRALM.ALARM1) - http://mst.pcrecruiter.com/pcrimg/PCRALM.CAB
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinner.com/games/v49/luxor/luxor.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v64/swapit/swapit.cab
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - http://www.worldwinner.com/games/v44/royal/royal.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinner.com/games/v47/wwspades/wwspades.cab
O16 - DPF: {F8E159B1-2433-478A-B82E-9CCC87A7FAFB} (PCRRTF4.RTF4) - http://mst.pcrecruiter.com/pcrimg/MS.CAB
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FAF0294-88A0-42E8-A3C0-84AD11FC275B}: NameServer = 24.93.40.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{5FAF0294-88A0-42E8-A3C0-84AD11FC275B}: NameServer = 24.93.40.75
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9951 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080422-081209-982 O2 - BHO: (no name) - {f352055d-89a1-4b48-89cd-bb4c9fef3475} - C:\WINDOWS\system32\hgGaaayW.dll

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe %1
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 3.0>
R2 CdaD10BA - c:\windows\system32\drivers\cdad10ba.sys <Not Verified; Macrovision Europe Ltd; Security Windows NT>
R2 tmmbd (Trend Micro MBD Driver) - c:\windows\system32\drivers\tm_mbd_c.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 3.0>

S3 PCAMPR5 (PCAMPR5 NDIS Protocol Driver) - d:\ppp\pcampr5.sys (file missing)
S3 PCANDIS5 (PCANDIS5 NDIS Protocol Driver) - d:\ppp\pcandis5.sys (file missing)
S3 RSC4_A02 (U.S. Robotics Wireless USB Adapter Driver) - c:\windows\system32\drivers\rsc4usb.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 PcCtlCom (Trend Micro Central Control Component) - c:\progra~1\trendm~1\intern~1\pcctlcom.exe <Not Verified; Trend Micro Inc.; Trend Micro Internet Security>
R2 QBCFMonitorService (QuickBooks Database Manager Service) - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe"
R2 Tmntsrv (Trend Micro Real-time Service) - c:\progra~1\trendm~1\intern~1\tmntsrv.exe <Not Verified; Trend Micro Inc.; Trend Micro Internet Security>
R2 TmPfw (Trend Micro Personal Firewall) - c:\progra~1\trendm~1\intern~1\tmpfw.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 3.0>
R2 tmproxy (Trend Micro Proxy Service) - c:\progra~1\trendm~1\intern~1\tmproxy.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 3.0>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>
R3 PcScnSrv (Trend Micro Protection Against Spyware ) - "c:\progra~1\trendm~1\intern~1\pcscnsrv.exe" <Not Verified; Trend Micro Inc.; Trend Micro Internet Security>

S3 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-12 20:04:01 366 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-04-12 08:29:00 274 --a------ C:\WINDOWS\Tasks\Disk Cleanup.job


-- Files created between 2008-03-22 and 2008-04-22 -----------------------------

2008-04-22 06:56:11 0 d-------- C:\WINDOWS\CSC
2008-04-16 10:26:47 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-04-16 08:42:00 0 d-------- C:\VundoFix Backups
2008-04-15 17:02:24 0 d-------- C:\Documents and Settings\Jim Harrison\Application Data\AdwareAlert
2008-04-13 06:54:27 410141 --ahs---- C:\WINDOWS\system32\WyaaaGgh.ini2
2008-04-13 06:54:17 272896 --a------ C:\WINDOWS\system32\hgGaaayW.dll
2008-04-12 16:50:58 52 --a------ C:\smp.bat
2008-04-12 14:15:19 6584 --ahs---- C:\WINDOWS\system32\mmoWyyay.ini2
2008-04-12 14:09:18 2 --a------ C:\1354958793
2008-04-12 14:09:04 55218 --a------ C:\WINDOWS\zeqbqwp.sys
2008-04-12 14:08:51 58880 --a------ C:\twuf.exe


-- Find3M Report ---------------------------------------------------------------

2008-04-22 07:35:38 0 d-------- C:\Program Files\Trend Micro
2008-04-17 07:18:15 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-16 15:16:06 38482 --a------ C:\Documents and Settings\Jim Harrison\Application Data\Microsoft Excel 97-2003.ADR
2008-03-17 05:44:44 0 d-------- C:\Program Files\Java
2008-03-12 08:31:27 0 d-------- C:\Documents and Settings\Jim Harrison\Application Data\Mozilla


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0242b8f4-2215-471b-970c-aa353d3aaf45}]
C:\WINDOWS\system32\kiamsqmg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0a6ca6ff-5e0a-4807-8283-58c6207a41be}]
04/13/2008 06:54 AM 272896 --a------ C:\WINDOWS\system32\hgGaaayW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e45b12a3-3687-4ceb-b0f5-f2cf3b901c6c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 07:42 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 04:19 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/18/2005 03:11 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 04:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 04:50 PM]
"dlbxmon.exe"="C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe" [08/27/2004 02:29 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 02:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 02:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 02:50 PM]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [01/17/2006 01:03 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [08/25/2006 11:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/24/2006 11:37 AM]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [08/18/2006 01:06 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/02/2007 05:11 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 05:45 PM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [10/22/2007 09:58 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 03:39 PM 294400]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGaaayW


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f01acef-60ee-11da-9e90-0013204499d5}]
AutoRun\command- F:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-04-22 15:47:49 ------------
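Added example, not part of austinjim's post and not a BleepingComputer or HijackThis tool: a short Python triage script for the kind of lines the HijackThis and Deckard output above contains. It parses the O2 (Browser Helper Object) entries and the LSA "Authentication Packages" value and flags the persistence points this log shows: an unnamed BHO loading hgGaaayW.dll straight from system32, the stale kiamsqmg.dll hook whose file is already gone, the orphaned CLSID with no file, and the extra LSA package that loads the same DLL into lsass.exe at boot. The sample input is constructed from lines quoted in the log plus one constructed benign BHO with a placeholder CLSID; the function and class names are my own.

```python
"""Triage of HijackThis / Deckard System Scanner log lines for Vundo-style persistence.

Added example (not a BleepingComputer or HijackThis tool).  It parses:
  * HijackThis "O2 - BHO:" lines (Browser Helper Objects loaded into Internet Explorer)
  * the LSA "Authentication Packages" value as Deckard's System Scanner prints it
and flags: an unnamed BHO served from %SystemRoot%\\system32, a BHO whose DLL is
already missing, an orphaned BHO with no file at all, and any LSA authentication
package besides msv1_0 (the only one a stock Windows XP lists).
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

_BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9a-fA-F-]{36})\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
_GUID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")
_AUTH_PKG_RE = re.compile(r'^"Authentication Packages"=\s*(?P<packages>.+)$')


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    entry: str      # the log line that triggered the finding
    reason: str


def _stem(path: str) -> str:
    """Lower-cased file name without extension, using Windows path rules."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def _is_unnamed(name: str) -> bool:
    """HijackThis prints '(no name)' when the BHO has no friendly name; some
    variants register a bare CLSID as the name instead, which is just as telling."""
    return name == "(no name)" or _GUID_RE.fullmatch(name) is not None


def audit_hjt_log(text: str) -> list[Finding]:
    findings: list[Finding] = []
    bho_stems: dict[str, str] = {}   # DLL stem -> BHO log line, for cross-referencing
    lines = [l.strip() for l in text.splitlines()]

    # Pass 1: Browser Helper Objects.
    for line in lines:
        m = _BHO_RE.match(line)
        if not m:
            continue
        name, path, missing = m.group("name"), m.group("path"), m.group("missing")
        if path == "(no file)":
            findings.append(Finding("medium", line, "orphaned BHO: CLSID registered but no DLL path"))
        elif _is_unnamed(name) and "\\system32\\" in path.lower():
            bho_stems[_stem(path)] = line
            if missing:
                findings.append(Finding("medium", line, "unnamed BHO in system32 whose DLL is already gone (stale hook)"))
            else:
                findings.append(Finding("high", line, "unnamed BHO loading a DLL straight from system32"))

    # Pass 2: LSA Authentication Packages (loaded into lsass.exe at boot).
    for line in lines:
        m = _AUTH_PKG_RE.match(line)
        if not m:
            continue
        for pkg in m.group("packages").split():
            if pkg.lower() == "msv1_0":
                continue
            reason = f"non-default LSA authentication package: {pkg}"
            if _stem(pkg) in bho_stems:
                reason += " (same DLL is also registered as a BHO)"
            findings.append(Finding("high", line, reason))
    return findings


# Constructed sample: the O2 and LSA lines quoted in the thread above, plus one
# constructed benign BHO (placeholder CLSID) to show that it is not flagged.
SAMPLE_LOG = r"""
O2 - BHO: {54faa3d3-53aa-c079-b174-51224f8b2420} - {0242b8f4-2215-471b-970c-aa353d3aaf45} - C:\WINDOWS\system32\kiamsqmg.dll (file missing)
O2 - BHO: (no name) - {0a6ca6ff-5e0a-4807-8283-58c6207a41be} - C:\WINDOWS\system32\hgGaaayW.dll
O2 - BHO: (no name) - {e45b12a3-3687-4ceb-b0f5-f2cf3b901c6c} - (no file)
O2 - BHO: Example PDF Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\ExampleHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGaaayW
"""

if __name__ == "__main__":
    for f in audit_hjt_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.entry}")
```

Running it on the sample prints four findings. The cross-reference between the BHO list and the LSA value is the strongest single signal in this log: a DLL that is both an IE hook and an authentication package is reloaded by lsass.exe at every boot, which fits what the Deckard output records (a HijackThis fix of an hgGaaayW.dll BHO entry at 08:12, and the same DLL registered under a different CLSID by the 15:45 scan).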

#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 23 April 2008 - 01:16 PM

Hello Austinjim and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 austinjim
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Austin, TX

Posted 24 April 2008 - 07:57 AM

Thunder, thanks for the super quick reply and assistance. I have included the ComboFix report and a new HijackThis log as well (not sure where I read to do that.)

ComboFix 08-04-22.5 - Jim Harrison 2008-04-24 7:29:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.228 [GMT -5:00]
Running from: C:\Documents and Settings\Jim Harrison\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jim Harrison\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\MyWebEx
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\hgGaaayW.dll
C:\WINDOWS\system32\ikitrufn.dll
C:\WINDOWS\system32\jvobjrkm.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mkrjbovj.dll
C:\WINDOWS\system32\mmoWyyay.ini
C:\WINDOWS\system32\mmoWyyay.ini2
C:\WINDOWS\system32\vnadnssr.ini
C:\WINDOWS\system32\WyaaaGgh.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 06:57 . 2008-04-24 06:57 <DIR> d-------- C:\Documents and Settings\Jim Harrison\Application Data\Malwarebytes
2008-04-24 06:56 . 2008-04-24 06:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-24 06:56 . 2008-04-24 06:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-22 15:59 . 2008-04-22 15:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-22 15:59 . 2008-04-22 15:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-22 15:35 . 2008-04-22 15:35 <DIR> d-------- C:\Deckard
2008-04-16 10:26 . 2008-04-16 10:26 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-16 08:42 . 2008-04-17 08:35 <DIR> d-------- C:\VundoFix Backups
2008-04-13 06:56 . 2008-04-16 07:11 101,091 --a------ C:\WINDOWS\BM53f034fa.xml
2008-04-12 16:50 . 2008-04-12 16:50 52 --a------ C:\smp.bat
2008-04-12 14:09 . 2008-04-12 14:09 2 --a------ C:\1354958793
2008-04-12 14:08 . 2008-04-12 14:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-12 14:08 . 2008-04-12 14:08 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 12:35 --------- d-----w C:\Program Files\Trend Micro
2008-04-17 12:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 08:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-17 10:44 --------- d-----w C:\Program Files\Java
2005-07-27 15:58 89 ----a-w C:\Program Files\Untitled Attachment
2005-07-18 18:16 4,077,184 ----a-w C:\Program Files\winzip90.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 11:37 7094272]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-08-18 13:06 315392]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 17:11 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-10-22 09:58 1885464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 19:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-06-18 15:11 98304]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"dlbxmon.exe"="C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe" [2004-08-27 14:29 417792]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 13:03 53248]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-08-25 11:25 3112960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32\\dlbxcoms.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 18:50]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
S1 zeqbqwp;zeqbqwp;C:\WINDOWS\zeqbqwp.sys []
S3 RSC4_A02;U.S. Robotics Wireless USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\RSC4USB.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f01acef-60ee-11da-9e90-0013204499d5}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 13:29:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-04-13 01:04:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 07:32:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [192] 0x81CA3DA0

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\vmgrremok.exe 98380 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\vmpremov.exe 61440 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\vobkcyfw.dll 91648 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD5.tmp
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD5.tmp\dotnetfx
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD5.tmp\dotnetfx\dotnetchk.exe 61632 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD5.tmp\install.log 4878 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD5.tmp\Office2003PIA
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD5.tmp\Office2003PIA\PIACheck.exe 45056 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD5.tmp\setup[1].exe 500224 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD7.tmp
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD7.tmp\dotnetfx
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD7.tmp\dotnetfx\dotnetchk.exe 61632 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD7.tmp\eula.txt 3526 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD7.tmp\install.log 5151 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD7.tmp\Office2003PIA
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD7.tmp\Office2003PIA\PIACheck.exe 45056 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD7.tmp\setup[1].exe 500224 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\warning.gif 358 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\wecerr.txt 74 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER0e22.dir00
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER0e22.dir00\OUTLOOK.EXE.hdmp 60130510 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER0e22.dir00\OUTLOOK.EXE.mdmp 2196469 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER16d3.dir00
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER16d3.dir00\appcompat.txt 134586 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER16d3.dir00\WINWORD.EXE.hdmp 27965634 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER16d3.dir00\WINWORD.EXE.mdmp 145762 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER18b5.dir00
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER18b5.dir00\ICQ.exe.hdmp 0 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER18b5.dir00\ICQ.exe.mdmp 238581 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER1e8b.dir00
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER1e8b.dir00\OUTLOOK.EXE.hdmp 60130510 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER1e8b.dir00\OUTLOOK.EXE.mdmp 2196469 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER4e14.dir00
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER4e14.dir00\WINWORD.EXE.hdmp 0 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER4e14.dir00\WINWORD.EXE.mdmp 913059 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERa0e2.dir00
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERa0e2.dir00\OUTLOOK.EXE.hdmp 60130510 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERa0e2.dir00\OUTLOOK.EXE.mdmp 2196469 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt5e85.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt625e.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt6626.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt672b.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt6c8e.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt7bcc.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt7c60.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt7f1b.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt7f85.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Z974IVO0.emf 20352 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\ZO9EBMTD.emf 372 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\{60274F91-088B-4C45-98BD-0F81B9F23DDB}
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\{AC76BA86-7AD7-1033-7B44-A81000000003}
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\{AC76BA86-7AD7-1033-7B44-A81000000003}\RunTime.msi 7680 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\{F9F84BD8-48AD-4250-A234-09C6BAF38E67}
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF11A0.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF12B2.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF142E.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF147F.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF339D.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF33B0.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF33BD.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF475A.tmp 32768 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF4E69.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF4E76.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF644C.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF6E25.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF7047.tmp 65536 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF70C8.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF731D.tmp 311296 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VBE
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VBE\MSForms.exd 147268 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Word8.0
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Word8.0\MSForms.exd 166724 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt5d48.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\zuma.dll 2146304 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF7338.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\weuwdgyb.dll 96256 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\wgsjyoin.dll 96768 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WinSAT_DX.etl 1048576 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WinSAT_KernelLog.etl 6291456 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\wmplog00.sqm 1460 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF80C4.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF90AF.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFC1C8.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFC3F8.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFC422.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFD220.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFD29F.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFD9B1.tmp 32768 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFDAA8.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFDAB7.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFF9CF.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFF9E1.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFFC09.tmp 114688 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~e5d141.tmp 34304 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~nsu.tmp
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~WRF0000.tmp 32768 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~WRF0001.tmp 32768 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~WRF0005.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~WRS0000.tmp 34324 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~WRS0002.tmp 88108 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\689211B7.TMP 183 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Av-test.txt 72 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Google Toolbar
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\jusched.log 346 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\KAV Updater update files
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Perflib_Perfdata__754 800 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Perflib_Perfdata__755 60416 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Twain001.Mtx 3 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Twunk001.MTX 156 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Twunk002.MTX 0 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WPDNSE
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WQO64KO3.emf 369008 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt01bd.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt01ec.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt0771.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt0c52.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt140f.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt1512.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt19be.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt1b5c.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt1ea5.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt1ed4.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt21f1.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt2275.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt23c4.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt23c8.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt23e9.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt2405.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt2747.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt2f1a.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt3023.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt3131.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt381c.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt3b72.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt3ca0.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt3cc2.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt3ede.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt463c.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt4f6c.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt51ff.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt56f7.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt5b88.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERbc30.dir00
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERbc30.dir00\appcompat.txt 136206 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERbc30.dir00\WINWORD.EXE.hdmp 27965634 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERbc30.dir00\WINWORD.EXE.mdmp 145762 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERd933.dir00
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERd933.dir00\OUTLOOK.EXE.mdmp 0 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERe828.dir00
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERe828.dir00\IEXPLORE.EXE.mdmp 0 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERea0e.dir00

scan completed successfully
hidden files: 153

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\searchindexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
.
**************************************************************************
.
Completion time: 2008-04-24 7:39:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 12:39:05

Pre-Run: 56,856,399,872 bytes free
Post-Run: 56,790,753,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

295 --- E O F --- 2008-04-17 15:36:05

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:20 AM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrab...rabblecubes.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinner.com/games/v47/skillgam/skillgam.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - http://www.worldwinner.com/games/v46/share...GamesLoader.cab
O16 - DPF: {30FEDFBF-391B-45F7-8AFF-796E8A532869} (PCRHTML3.HTML1) - http://mst.pcrecruiter.com/pcrimg/PCRHTML.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} (WWHearts Control) - http://www.worldwinner.com/games/v52/wwhearts/wwhearts.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} - http://www.worldwinner.com/games/v41/freecell/freecell.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1181058224718
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://www.worldwinner.com/games/v44/wordcube/wordcube.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8FAC20B4-0B1D-4BAC-BCE0-59DA519DEE67} (PCRALM.ALARM1) - http://mst.pcrecruiter.com/pcrimg/PCRALM.CAB
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinner.com/games/v49/luxor/luxor.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v64/swapit/swapit.cab
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - http://www.worldwinner.com/games/v44/royal/royal.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinner.com/games/v47/wwspades/wwspades.cab
O16 - DPF: {F8E159B1-2433-478A-B82E-9CCC87A7FAFB} (PCRRTF4.RTF4) - http://mst.pcrecruiter.com/pcrimg/MS.CAB
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FAF0294-88A0-42E8-A3C0-84AD11FC275B}: NameServer = 24.93.40.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{5FAF0294-88A0-42E8-A3C0-84AD11FC275B}: NameServer = 24.93.40.75
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9713 bytes

Again, appreciate all the help and look forward to any next suggestions. :thumbsup:
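As an added example (not part of this thread, and not code from ComboFix, Deckard's System Scanner or HijackThis), here is a small Python triage script for "Reg Loading Points" lines like those in the Deckard log in post #1 and the ComboFix log in post #3. It flags the two things a helper reading those logs looks for: an LSA "Authentication Packages" value that lists a second module after the stock msv1_0, and a service line that combines several weak signals at once. The sample lines are copied from the logs above; treating empty brackets "[]" as "ComboFix printed no date/size for the binary" is an assumption, as is the two-signal threshold.

```python
"""Triage helper for 'Reg Loading Points' lines from Deckard / ComboFix logs.

Added example; not part of this thread or of the tools it names.
It flags two patterns visible in the posts above:
  * an LSA "Authentication Packages" value that lists a second module after
    the stock msv1_0 (post #1 shows C:\\WINDOWS\\system32\\hgGaaayW there);
  * a service line that combines several weak signals (post #3's
    "S1 zeqbqwp;zeqbqwp;C:\\WINDOWS\\zeqbqwp.sys []").
Assumption: empty brackets "[]" mean ComboFix printed no date/size for the
binary; a single weak signal (see RSC4_A02) is noise, so two are required.
"""
import re

# Constructed sample, copied from the logs quoted earlier in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGaaayW

R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
S1 zeqbqwp;zeqbqwp;C:\WINDOWS\zeqbqwp.sys []
S3 RSC4_A02;U.S. Robotics Wireless USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\RSC4USB.sys []
"""

AUTH_PKG_RE = re.compile(r'^"Authentication Packages"=\s*(.*)$')
# state  name;display;path-and-args [file details]
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[(.*?)\]\s*$')


def extra_auth_packages(log_text):
    """Return every LSA authentication package listed besides msv1_0."""
    extra = []
    for line in log_text.splitlines():
        m = AUTH_PKG_RE.match(line.strip())
        if m:
            extra.extend(p for p in m.group(1).split() if p.lower() != "msv1_0")
    return extra


def parse_service(line):
    """Split one ComboFix service line into its fields, or return None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, name, display, path, fileinfo = m.groups()
    if path.startswith('"'):   # drop surrounding quotes and any arguments
        path = path[1:path.index('"', 1)]
    else:
        path = path.split()[0]
    return {"state": state, "name": name, "display": display,
            "path": path, "fileinfo": fileinfo.strip()}


def service_signals(svc):
    """Weak indicators for one parsed service; each alone is inconclusive."""
    reasons = []
    lower_path = svc["path"].lower()
    if not svc["fileinfo"]:
        reasons.append("no file details ([]) printed for the binary")
    if svc["name"].lower() == svc["display"].lower():
        reasons.append("display name identical to the service name")
    if lower_path.endswith(".sys") and "\\drivers\\" not in lower_path:
        reasons.append("kernel driver stored outside a \\drivers\\ directory")
    return reasons


def suspicious_services(log_text, min_signals=2):
    """Return (service name, reasons) for lines with at least min_signals."""
    hits = []
    for line in log_text.splitlines():
        svc = parse_service(line)
        if svc is None:
            continue
        reasons = service_signals(svc)
        if len(reasons) >= min_signals:
            hits.append((svc["name"], reasons))
    return hits


if __name__ == "__main__":
    for pkg in extra_auth_packages(SAMPLE_LOG):
        print("LSA Authentication Packages carries an extra module:", pkg)
    for name, reasons in suspicious_services(SAMPLE_LOG):
        print("Service %s: %s" % (name, "; ".join(reasons)))
```

On the sample above it reports the hgGaaayW module and the zeqbqwp service only; the SQL and U.S. Robotics entries each show a single signal and stay below the threshold.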

#4 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 26 April 2008 - 06:08 AM

Hello Jim,

Open Notepad and copy and paste the bold, blue text below in it:

@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\vmgrremok.exe
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\vmpremov.exe
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\vobkcyfw.dll) DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt


Save this as del.bat. Choose to save as "all files" and place it on your Desktop.
Doubleclick on it and post the content of the log file that opens in your next reply.

Did you notice this:

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


It's important to always use the latest version of ComboFix!!
Please run it now and post the log in your next reply. :thumbsup:

Greetings,
Thunder

Edited by Thunder, 26 April 2008 - 06:09 AM.

Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference
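The batch file above follows a pattern worth having in a reusable form: check that each path exists, clear the read-only/system/hidden attributes that would make DEL fail, delete, then re-check and log one of three outcomes. The following is an added example, not code from the thread or from any tool mentioned in it: a Python equivalent of that logic that also runs on non-Windows systems (where only the read-only bit applies). The file names in `demo()` are borrowed from the thread but are created in a temporary directory purely for demonstration; `FILE_ATTRIBUTE_NORMAL` is the Win32 constant used to reset attributes on Windows.

```python
"""Delete a list of files, clearing protective attributes first, and log
each outcome (deleted / not deleted / not found) the way del.bat does.

Added example, not code from the thread: a cross-platform Python port of
the batch logic.  Paths in demo() are constructed in a temp directory.
"""
import os
import stat
import tempfile
from typing import Iterable, List, Tuple

FILE_ATTRIBUTE_NORMAL = 0x80  # Win32 constant; only used on Windows


def clear_attributes(path: str) -> None:
    """Equivalent of ATTRIB -r -s -h: make the file deletable."""
    if os.name == "nt":
        import ctypes
        # One Win32 call resets read-only, system and hidden together.
        ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_NORMAL)
    else:
        # POSIX has no hidden/system bits; just restore owner write access.
        os.chmod(path, os.stat(path).st_mode | stat.S_IWUSR)


def delete_with_log(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, outcome) pairs mirroring the batch file's log.txt."""
    log: List[Tuple[str, str]] = []
    for path in paths:
        if not os.path.lexists(path):
            log.append((path, "not found"))
            continue
        try:
            clear_attributes(path)
            os.remove(path)
        except OSError:
            pass  # fall through to the re-check, exactly as the batch does
        # Verify rather than trust the call: a locked or in-use file survives.
        log.append((path, "not deleted" if os.path.lexists(path) else "deleted"))
    return log


def demo() -> List[Tuple[str, str]]:
    """Constructed demonstration: one read-only file and one missing file."""
    tmpdir = tempfile.mkdtemp()
    present = os.path.join(tmpdir, "vobkcyfw.dll")   # name borrowed from the thread
    with open(present, "wb") as fh:
        fh.write(b"\x00" * 16)
    os.chmod(present, stat.S_IRUSR)                   # read-only, like ATTRIB +r
    missing = os.path.join(tmpdir, "vmgrremok.exe")   # never created
    result = delete_with_log([present, missing])
    os.rmdir(tmpdir)
    return result


if __name__ == "__main__":
    for p, outcome in demo():
        print(f"{p} {outcome}")
```

The re-check after `os.remove` is the important part: a file that is still mapped into a running process will survive the delete call on Windows, and a log that says "deleted" because the command ran, rather than because the file is gone, is exactly the false comfort the helper's batch file avoids.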

#5 austinjim

austinjim
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Austin, TX

Posted 27 April 2008 - 08:52 AM

Thunder, I hope you are well. Thanks for your continued support. :thumbsup:

Posting the following as requested:

del.bat results:

Deleting files
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\vmgrremok.exe not found
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\vmpremov.exe not found
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\vobkcyfw.dll not found

Combofix results:

ComboFix 08-04-22.5 - Jim Harrison 2008-04-27 8:35:54.2 - NTFSx86
Running from: C:\Documents and Settings\Jim Harrison\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-24 06:57 . 2008-04-24 06:57 <DIR> d-------- C:\Documents and Settings\Jim Harrison\Application Data\Malwarebytes
2008-04-24 06:56 . 2008-04-24 06:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-24 06:56 . 2008-04-24 06:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-22 15:59 . 2008-04-22 15:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-22 15:59 . 2008-04-22 15:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-22 15:35 . 2008-04-22 15:35 <DIR> d-------- C:\Deckard
2008-04-16 10:26 . 2008-04-16 10:26 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-16 08:42 . 2008-04-17 08:35 <DIR> d-------- C:\VundoFix Backups
2008-04-13 06:56 . 2008-04-16 07:11 101,091 --a------ C:\WINDOWS\BM53f034fa.xml
2008-04-12 16:50 . 2008-04-12 16:50 52 --a------ C:\smp.bat
2008-04-12 14:09 . 2008-04-12 14:09 2 --a------ C:\1354958793
2008-04-12 14:08 . 2008-04-12 14:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-12 14:08 . 2008-04-12 14:08 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 13:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-24 13:32 --------- d-----w C:\Program Files\Coupons
2008-04-24 13:32 --------- d-----w C:\Program Files\CenterStage
2008-04-22 12:35 --------- d-----w C:\Program Files\Trend Micro
2008-04-09 08:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-17 10:44 --------- d-----w C:\Program Files\Java
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2005-07-27 15:58 89 ----a-w C:\Program Files\Untitled Attachment
2005-07-18 18:16 4,077,184 ----a-w C:\Program Files\winzip90.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-24_ 7.38.50.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-24 12:32:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-27 13:23:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_PerfCounter.dll
+ 2008-04-27 13:25:27 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_7c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 11:37 7094272]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-08-18 13:06 315392]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 17:11 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-10-22 09:58 1885464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 19:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-06-18 15:11 98304]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 13:03 53248]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-08-25 11:25 3112960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 18:50]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
S1 zeqbqwp;zeqbqwp;C:\WINDOWS\zeqbqwp.sys []
S3 RSC4_A02;U.S. Robotics Wireless USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\RSC4USB.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f01acef-60ee-11da-9e90-0013204499d5}]
\Shell\AutoRun\command - F:\LaunchU3.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 13:29:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-04-13 01:04:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 08:41:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD5.tmp
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD5.tmp\dotnetfx
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD5.tmp\dotnetfx\dotnetchk.exe 61632 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD5.tmp\install.log 4878 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD5.tmp\Office2003PIA
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD5.tmp\Office2003PIA\PIACheck.exe 45056 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD5.tmp\setup[1].exe 500224 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD7.tmp
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD7.tmp\dotnetfx
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD7.tmp\dotnetfx\dotnetchk.exe 61632 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD7.tmp\eula.txt 3526 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD7.tmp\install.log 5151 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD7.tmp\Office2003PIA
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD7.tmp\Office2003PIA\PIACheck.exe 45056 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD7.tmp\setup[1].exe 500224 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\warning.gif 358 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\wecerr.txt 74 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER0e22.dir00
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER0e22.dir00\OUTLOOK.EXE.hdmp 60130510 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER0e22.dir00\OUTLOOK.EXE.mdmp 2196469 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER16d3.dir00
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER16d3.dir00\appcompat.txt 134586 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER16d3.dir00\WINWORD.EXE.hdmp 27965634 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER16d3.dir00\WINWORD.EXE.mdmp 145762 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER18b5.dir00
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER18b5.dir00\ICQ.exe.hdmp 0 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER18b5.dir00\ICQ.exe.mdmp 238581 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER1e8b.dir00
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER1e8b.dir00\OUTLOOK.EXE.hdmp 60130510 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER1e8b.dir00\OUTLOOK.EXE.mdmp 2196469 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER4e14.dir00
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER4e14.dir00\WINWORD.EXE.hdmp 0 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WER4e14.dir00\WINWORD.EXE.mdmp 913059 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERa0e2.dir00
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERa0e2.dir00\OUTLOOK.EXE.hdmp 60130510 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERa0e2.dir00\OUTLOOK.EXE.mdmp 2196469 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt5e85.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt625e.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt6626.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt672b.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt6c8e.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt7bcc.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt7c60.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt7f1b.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt7f85.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Z974IVO0.emf 20352 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\ZO9EBMTD.emf 372 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\{60274F91-088B-4C45-98BD-0F81B9F23DDB}
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\{AC76BA86-7AD7-1033-7B44-A81000000003}
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\{AC76BA86-7AD7-1033-7B44-A81000000003}\RunTime.msi 7680 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\{F9F84BD8-48AD-4250-A234-09C6BAF38E67}
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF11A0.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF12B2.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF142E.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF147F.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF339D.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF33B0.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF33BD.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF475A.tmp 32768 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF4E69.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF4E76.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF644C.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF6E25.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF7047.tmp 65536 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF70C8.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF731D.tmp 311296 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VBE
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VBE\MSForms.exd 147268 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Word8.0
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Word8.0\MSForms.exd 166724 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt5d48.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\zuma.dll 2146304 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF7338.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\weuwdgyb.dll 96256 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\wgsjyoin.dll 96768 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WinSAT_DX.etl 1048576 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WinSAT_KernelLog.etl 6291456 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\wmplog00.sqm 1460 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF80C4.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF90AF.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFC1C8.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFC3F8.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFC422.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFD220.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFD29F.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFD9B1.tmp 32768 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFDAA8.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFDAB7.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFF9CF.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFF9E1.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFFC09.tmp 114688 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~e5d141.tmp 34304 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~nsu.tmp
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~WRF0000.tmp 32768 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~WRF0001.tmp 32768 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~WRF0005.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~WRS0000.tmp 34324 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~WRS0002.tmp 88108 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\689211B7.TMP 183 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Av-test.txt 72 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Google Toolbar
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\jusched.log 865 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\KAV Updater update files
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\log.txt 18489 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Perflib_Perfdata__754 800 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Perflib_Perfdata__755 60416 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Photo AIO Printer 962_app.log 23267 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\set54.tmp 58115 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\setup.log 173 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Twain001.Mtx 3 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Twunk001.MTX 156 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Twunk002.MTX 0 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\uninstall.iss 511 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WPDNSE
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WQO64KO3.emf 369008 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt01bd.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt01ec.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt0771.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt0c52.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt140f.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt1512.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt19be.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt1b5c.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt1ea5.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt1ed4.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt21f1.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt2275.ico 4
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt23c4.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt23c8.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt23e9.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt2405.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt2747.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt2f1a.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt3023.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt3131.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt381c.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt3b72.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt3ca0.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt3cc2.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt3ede.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt463c.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt4f6c.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt51ff.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt56f7.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt5b88.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERbc30.dir00
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERbc30.dir00\appcompat.txt 136206 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERbc30.dir00\WINWORD.EXE.hdmp 27965634 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERbc30.dir00\WINWORD.EXE.mdmp 145762 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERd933.dir00
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERd933.dir00\OUTLOOK.EXE.mdmp 0 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERe828.dir00
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERe828.dir00\IEXPLORE.EXE.mdmp 0 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERea0e.dir00

scan completed successfully
hidden files: 155

**************************************************************************
.
Completion time: 2008-04-27 8:43:56
ComboFix-quarantined-files.txt 2008-04-27 13:43:20
ComboFix2.txt 2008-04-24 12:39:11

Pre-Run: 56,741,224,448 bytes free
Post-Run: 56,742,518,784 bytes free

280 --- E O F --- 2008-04-24 14:18:15

Have a terrific day!

AustinJim
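The catchme "hidden files" listing above is long, and most of it is harmless Temp clutter; what a helper looks for first are the entries flagged "executable" under the user's Temp folder, and among those the DLLs with random-looking names of the kind Vundo drops. The following is an added example, not code from the thread, from ComboFix or from catchme: a small parser for that listing plus the two filters just described. The sample lines are constructed from the log above, the line format is an assumption drawn from that log (path, optional "<size> bytes", optional "executable"), `KNOWN_SCANNER_FILES` and the eight-lowercase-letter `.dll` heuristic are assumptions of this example, not rules from the thread.

```python
"""Triage a catchme "scanning hidden files" listing.

Added example (not from the thread, ComboFix or catchme).  Parses the
listing format seen in the log above and reports hidden executables in
Temp, then narrows to random-name DLLs of the kind the helper targeted.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed line shapes in the hidden-files section:
#   <path>                           (directory)
#   <path> <size> bytes              (data file)
#   <path> <size> bytes executable   (PE image)
_LINE_RE = re.compile(r"^(?P<path>.+?)(?: (?P<size>\d+) bytes(?P<exe> executable)?)?$")

# catchme drops its own helper DLL into Temp (see catchme.dll in the log);
# assumption of this example: skip it when triaging.
KNOWN_SCANNER_FILES = {"catchme.dll"}

# Heuristic assumption: eight lowercase letters + .dll, as in weuwdgyb.dll.
_RANDOM_DLL = re.compile(r"[a-z]{8}\.dll")

# Constructed sample, built from lines in the log above.
SAMPLE_LISTING = r"""
scanning hidden files ...

C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD5.tmp
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\VSDD5.tmp\dotnetfx\dotnetchk.exe 61632 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Google Toolbar
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\zuma.dll 2146304 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\weuwdgyb.dll 96256 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\wgsjyoin.dll 96768 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\wmplog00.sqm 1460 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Photo AIO Printer 962_app.log 23267 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERd933.dir00\OUTLOOK.EXE.mdmp 0 bytes
"""


@dataclass
class HiddenEntry:
    path: str
    size: Optional[int]      # None for directories
    executable: bool

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_catchme_listing(text: str) -> List[HiddenEntry]:
    """Turn the listing into entries; banners and blank lines are skipped."""
    entries: List[HiddenEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not re.match(r"^[A-Za-z]:\\", line):
            continue
        m = _LINE_RE.match(line)
        size = int(m.group("size")) if m.group("size") else None
        entries.append(HiddenEntry(m.group("path"), size, bool(m.group("exe"))))
    return entries


def executables_in_temp(entries: List[HiddenEntry]) -> List[HiddenEntry]:
    """Hidden PE images under a Temp directory, minus the scanner's own file."""
    return [
        e for e in entries
        if e.executable
        and "\\temp\\" in e.path.lower()
        and e.name.lower() not in KNOWN_SCANNER_FILES
    ]


def random_name_dlls(entries: List[HiddenEntry]) -> List[str]:
    """Subset of executables_in_temp whose name fits the random-DLL heuristic."""
    return [e.path for e in executables_in_temp(entries) if _RANDOM_DLL.fullmatch(e.name.lower())]


if __name__ == "__main__":
    found = parse_catchme_listing(SAMPLE_LISTING)
    for e in executables_in_temp(found):
        print(f"{e.size:>10}  {e.path}")
    print("random-name DLLs:", random_name_dlls(found))
```

Run against the constructed sample, the first filter surfaces four executables (an installer's .NET checker, a game DLL and the two random-name DLLs) and the second narrows to weuwdgyb.dll and wgsjyoin.dll, the same two files the helper lists for removal in the next post. The heuristic is deliberately narrow; it is a triage aid for reading the log, not a verdict, and anything it flags still needs the hash or vendor lookup a helper would do before deleting.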

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 28 April 2008 - 09:37 AM

Hello Jim,

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

File::
C:\WINDOWS\system32\VundoFixSVC.exe
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\weuwdgyb.dll
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\wgsjyoin.dll
Folder::
C:\VundoFix Backups
Driver::
zeqbqwp

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

Are you still having problems?

Greetings,
Thunder

#7 austinjim

austinjim
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Austin, TX

Posted 29 April 2008 - 07:33 AM

Thunder, I hope you are well. Thanks for staying with me on this issue. The system is "much" better; however, it does seem to be just a little slow. I'm also getting warnings (5 different ones) during the ComboFix run and/or on start-up that read:
1. This application failed to start msidcrl.dll
2. The file or directory C:/$mft is corrupt...
3. Vfind.exe corrupt
4. CF28741.exe is corrupt
5. c:/docume~/jimhar~1/locals~1/temp/werca0e.drr

COMBOFIX LOG

ComboFix 08-04-22.5 - Jim Harrison 2008-04-29 7:02:53.3 - NTFSx86
Running from: C:\Documents and Settings\Jim Harrison\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jim Harrison\Desktop\CFScript.txt

FILE ::
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\weuwdgyb.dll
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\wgsjyoin.dll
C:\WINDOWS\system32\VundoFixSVC.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\weuwdgyb.dll
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\wgsjyoin.dll
C:\VundoFix Backups
C:\WINDOWS\system32\VundoFixSVC.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_zeqbqwp


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

2008-04-24 06:57 . 2008-04-24 06:57 <DIR> d-------- C:\Documents and Settings\Jim Harrison\Application Data\Malwarebytes
2008-04-24 06:56 . 2008-04-24 06:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-24 06:56 . 2008-04-24 06:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-22 15:59 . 2008-04-22 15:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-22 15:59 . 2008-04-22 15:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-22 15:35 . 2008-04-22 15:35 <DIR> d-------- C:\Deckard
2008-04-13 06:56 . 2008-04-16 07:11 101,091 --a------ C:\WINDOWS\BM53f034fa.xml
2008-04-12 16:50 . 2008-04-12 16:50 52 --a------ C:\smp.bat
2008-04-12 14:09 . 2008-04-12 14:09 2 --a------ C:\1354958793
2008-04-12 14:08 . 2008-04-12 14:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-12 14:08 . 2008-04-12 14:08 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 15:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-27 14:16 --------- d-----w C:\Program Files\MUSICMATCH
2008-04-24 13:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-24 13:32 --------- d-----w C:\Program Files\Coupons
2008-04-24 13:32 --------- d-----w C:\Program Files\CenterStage
2008-04-22 12:35 --------- d-----w C:\Program Files\Trend Micro
2008-03-17 10:44 --------- d-----w C:\Program Files\Java
2005-07-27 15:58 89 ----a-w C:\Program Files\Untitled Attachment
2005-07-18 18:16 4,077,184 ----a-w C:\Program Files\winzip90.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-24_ 7.38.50.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-06-21 18:49:14 248,632 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.PowerPoint.dll
+ 2008-04-27 15:33:52 251,272 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.PowerPoint.dll
- 2007-06-21 18:49:14 781,104 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Word.dll
+ 2008-04-27 15:33:14 783,744 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Word.dll
- 2008-04-24 12:32:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-29 12:07:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2006-10-27 00:49:48 1,011,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109010090400000000000F01FEC\12.0.4518\MSDAIPP.DLL
+ 2006-10-27 00:49:46 970,528 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109010090400000000000F01FEC\12.0.4518\MSONSEXT.DLL
+ 2006-10-27 01:12:58 396,592 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.4518\MOC.EXE
+ 2006-10-27 20:18:36 1,658,152 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.4518\OGL.DLL
+ 2006-10-27 20:00:12 1,751,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACECORE.DLL
+ 2006-10-27 20:00:10 576,376 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACEDAO.DLL
+ 2006-10-27 20:00:06 47,976 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACEERR.DLL
+ 2006-10-27 20:00:08 191,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACEES.DLL
+ 2006-10-27 01:13:34 338,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACEEXCH.DLL
+ 2006-10-27 01:13:44 629,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACEEXCL.DLL
+ 2006-10-27 01:13:28 207,736 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACELTS.DLL
+ 2006-10-27 01:13:32 279,352 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACEODBC.DLL
+ 2006-10-27 01:13:08 15,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACEODDBS.DLL
+ 2006-10-27 01:13:08 15,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACEODEXL.DLL
+ 2006-10-27 01:13:08 15,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACEODPDX.DLL
+ 2006-10-27 01:13:12 15,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACEODTXT.DLL
+ 2006-10-27 20:00:06 387,960 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACEOLEDB.DLL
+ 2006-10-27 01:13:38 392,048 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACEPDE.DLL
+ 2006-10-27 01:13:30 260,976 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACER2X.DLL
+ 2006-10-27 01:13:32 289,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACER3X.DLL
+ 2006-10-27 01:13:20 56,120 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACERCLR.DLL
+ 2006-10-27 01:13:38 551,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACEREP.DLL
+ 2006-10-27 01:13:30 224,104 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACETXT.DLL
+ 2006-10-27 01:13:34 371,568 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ACEXBE.DLL
+ 2006-10-27 20:41:04 399,640 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\CDLMSO.DLL
+ 2006-10-27 00:59:24 205,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\CLVIEW.EXE
+ 2006-10-27 02:30:42 65,312 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\COLLIMP.DLL
+ 2006-10-27 01:12:52 189,760 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\CONTACTPICKER.DLL
+ 2006-10-27 00:48:14 439,568 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\DWDCW20.DLL
+ 2006-10-26 19:10:08 1,190,688 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\FM20.DLL
+ 2006-10-27 00:21:24 1,682,232 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\FPSRVUTL.DLL
+ 2006-10-27 20:09:36 983,376 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\FPWEC.DLL
+ 2006-10-27 01:02:12 2,526,520 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\GRAPH.EXE
+ 2006-10-27 01:12:52 173,328 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\IEAWSDC.DLL
+ 2006-10-27 20:10:10 5,281,592 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\IPEDITOR.DLL
+ 2006-10-27 00:55:10 828,704 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\MEDCAT.DLL
+ 2006-10-27 20:04:08 497,504 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\MORPH9.DLL
+ 2006-10-26 18:58:14 117,552 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\MSCONV97.DLL
+ 2006-10-27 19:59:06 161,080 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\MSOCF.DLL
+ 2006-10-27 00:48:12 14,664 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\MSOCFU.DLL
+ 2006-10-27 01:12:58 428,816 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\MSODCW.DLL
+ 2006-10-27 02:13:36 26,936 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\MSOEURO.DLL
+ 2006-10-27 01:00:08 6,635,320 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\MSORES.DLL
+ 2006-10-26 18:56:36 436,520 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\MSORUN.DLL
+ 2006-10-27 00:50:04 672,024 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\MSQRY32.EXE
+ 2006-10-26 18:56:40 505,136 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\MSSOAP30.DLL
+ 2006-10-27 00:55:12 832,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\MSTORDB.EXE
+ 2006-10-27 00:55:06 538,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\MSTORES.DLL
+ 2006-10-27 01:12:30 65,824 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\NAME.DLL
+ 2006-10-27 20:14:34 14,151,456 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\OART.DLL
+ 2006-10-27 01:06:54 232,816 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\ODEPLOY.EXE
+ 2006-10-27 01:14:06 7,033,152 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\OFFOWC.DLL
+ 2006-10-27 01:00:08 274,744 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\OIS.EXE
+ 2006-10-27 01:00:12 998,208 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\OISAPP.DLL
+ 2006-10-27 01:00:10 285,008 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\OISGRAPH.DLL
+ 2006-10-27 01:07:04 6,536,992 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\OSETUP.DLL
+ 2006-07-26 23:53:56 459,080 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\OUTLFLTR.DLL
+ 2006-10-27 02:30:44 482,088 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\PORTCONN.DLL
+ 2006-10-27 20:04:06 465,200 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\POWERPNT.EXE
+ 2006-10-27 20:04:06 7,980,848 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\PPCORE.DLL
+ 2007-06-21 18:49:14 248,632 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\PPTPIA.DLL
+ 2006-10-27 00:52:10 2,012,480 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\PPTVIEW.EXE
+ 2006-10-27 01:09:36 136,008 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\PRTF9.DLL
+ 2006-10-27 20:04:06 624,456 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\PTXT9.DLL
+ 2006-10-27 02:13:38 38,168 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\REFEDIT.DLL
+ 2006-10-27 01:13:00 503,624 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\SELFCERT.EXE
+ 2006-10-27 01:06:58 439,600 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\SETUP.EXE
+ 2006-07-28 20:21:58 277,320 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\SSGEN.DLL
+ 2006-10-27 19:57:08 2,330,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\STSLIST.DLL
+ 2006-09-30 05:42:56 2,583,344 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\VBE6.DLL
+ 2006-10-27 03:58:38 3,732,792 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\VVIEWER.DLL
+ 2006-10-27 20:23:04 347,432 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\WINWORD.EXE
+ 2007-06-21 18:49:14 781,104 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.4518\WORDPIA.DLL
+ 2007-09-15 02:45:58 16,901,168 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.6215\MSO.DLL
+ 2007-10-03 00:51:22 8,436,776 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.6215\OARTCONV.DLL
+ 2007-08-29 05:19:24 1,654,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.6215\OGL.DLL
+ 2007-09-06 23:03:02 4,280,176 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.6215\WRD12CNV.DLL
+ 2007-08-29 05:07:58 24,928 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119AC0000000000000000F01FEC\12.0.6215\WRD12EXE.EXE
+ 2005-03-17 21:40:49 231,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90404A0900063D11C8EF10054038389C\11.0.8003\MSCDM.DLL
+ 2005-11-01 20:03:04 8,058,560 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90404A0900063D11C8EF10054038389C\11.0.8003\OWC11.DLL
- 2008-03-12 08:10:32 35,600 ----a-r C:\WINDOWS\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2008-04-27 15:22:34 35,600 ----a-r C:\WINDOWS\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2007-06-21 20:58:02 217,864 ----a-r C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2008-04-27 15:39:15 217,864 ----a-r C:\WINDOWS\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
- 2007-06-21 19:05:07 135,168 ----a-r C:\WINDOWS\Installer\{90A40409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-04-27 15:20:35 135,168 ----a-r C:\WINDOWS\Installer\{90A40409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-04-09 08:10:55 20,240 ----a-r C:\WINDOWS\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-04-27 15:34:15 20,240 ----a-r C:\WINDOWS\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-04-09 08:10:54 217,864 ----a-r C:\WINDOWS\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\misc.exe
+ 2008-04-27 15:34:14 217,864 ----a-r C:\WINDOWS\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\misc.exe
- 2008-04-09 08:10:55 18,704 ----a-r C:\WINDOWS\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-04-27 15:34:15 18,704 ----a-r C:\WINDOWS\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-04-09 08:10:55 35,088 ----a-r C:\WINDOWS\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-04-27 15:34:16 35,088 ----a-r C:\WINDOWS\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-04-09 08:10:54 845,584 ----a-r C:\WINDOWS\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-04-27 15:34:14 845,584 ----a-r C:\WINDOWS\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\outicon.exe
- 2008-04-09 08:10:54 922,384 ----a-r C:\WINDOWS\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-04-27 15:34:14 922,384 ----a-r C:\WINDOWS\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pptico.exe
- 2008-04-09 08:10:54 272,648 ----a-r C:\WINDOWS\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-04-27 15:34:15 272,648 ----a-r C:\WINDOWS\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\pubs.exe
- 2008-04-09 08:10:55 888,080 ----a-r C:\WINDOWS\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-04-27 15:34:15 888,080 ----a-r C:\WINDOWS\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-04-09 08:10:53 1,172,240 ----a-r C:\WINDOWS\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-04-27 15:34:13 1,172,240 ----a-r C:\WINDOWS\Installer\{91120000-00CA-0000-0000-0000000FF1CE}\xlicons.exe
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1204\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1204\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1204\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1204\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1204\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1204\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1204\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1204\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1204\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1204\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1464\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1488\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1488\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1488\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1488\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1488\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1488\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1488\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1488\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1488\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1488\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1748\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1748\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1748\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1748\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1748\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1748\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1748\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1748\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1748\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1748\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2328\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2328\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2328\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2328\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2328\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2328\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2328\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2328\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2328\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2328\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2608\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2608\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2608\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2608\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2608\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2608\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2608\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2608\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2608\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2608\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2936\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2936\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2936\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2936\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2936\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2936\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2936\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2936\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2936\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2936\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3912\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3912\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3912\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3912\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3912\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3912\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3912\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3912\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3912\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3912\_PerfCounter.dll
- 2006-10-26 19:10:08 1,190,688 ----a-w C:\WINDOWS\system32\FM20.DLL
+ 2007-08-23 06:03:38 1,195,888 ----a-w C:\WINDOWS\system32\FM20.DLL
- 2007-04-24 16:32:06 1,485,696 ----a-w C:\WINDOWS\system32\LegitCheckControl.DLL
+ 2008-03-20 23:06:36 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2007-08-23 05:18:08 96,256 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2007-08-23 05:18:08 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2007-08-23 05:18:08 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2007-08-23 05:18:08 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2007-08-23 05:18:08 1,101,824 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2007-08-23 05:18:08 1,093,120 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2007-08-23 05:18:08 69,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2007-08-23 05:18:08 57,856 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2007-08-23 05:18:08 40,960 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2007-08-23 05:18:08 45,056 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2007-08-23 05:18:08 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2007-08-23 05:18:08 57,344 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2007-08-23 05:18:08 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2007-08-23 05:18:08 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2007-08-23 05:18:08 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2007-08-23 05:18:08 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2007-08-23 05:18:08 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 11:37 7094272]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-08-18 13:06 315392]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 17:11 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 19:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-06-18 15:11 98304]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-08-25 11:25 3112960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

S3 RSC4_A02;U.S. Robotics Wireless USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\RSC4USB.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f01acef-60ee-11da-9e90-0013204499d5}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 13:29:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2008-04-13 01:04:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 07:07:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt5e85.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt625e.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt6626.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt672b.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt6c8e.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt7bcc.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt7c60.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt7f1b.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt7f85.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Z974IVO0.emf 20352 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\ZO9EBMTD.emf 372 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\{60274F91-088B-4C45-98BD-0F81B9F23DDB}
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\{AC76BA86-7AD7-1033-7B44-A81000000003}
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\{AC76BA86-7AD7-1033-7B44-A81000000003}\RunTime.msi 7680 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\{F9F84BD8-48AD-4250-A234-09C6BAF38E67}
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF11A0.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF12B2.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF142E.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF147F.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF339D.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF33B0.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF33BD.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF475A.tmp 32768 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF4E69.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF4E76.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF644C.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF6E25.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF7047.tmp 65536 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF70C8.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF731D.tmp 311296 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Word8.0
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Word8.0\MSForms.exd 166724 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt5d48.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\zuma.dll 2146304 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF7338.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WinSAT_DX.etl 1048576 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WinSAT_KernelLog.etl 6291456 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\wmplog00.sqm 1460 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF80C4.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DF90AF.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFC1C8.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFC3F8.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFC422.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFD220.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFD29F.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFD9B1.tmp 32768 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFDAA8.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFDAB7.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFF9CF.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFF9E1.tmp 512 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~DFFC09.tmp 114688 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~e5d141.tmp 34304 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~nsu.tmp
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~WRF0000.tmp 32768 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~WRF0001.tmp 32768 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~WRF0005.tmp 16384 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~WRS0000.tmp 34324 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\~WRS0002.tmp 88108 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WPDNSE
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WQO64KO3.emf 369008 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt01bd.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt01ec.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt0771.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt0c52.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt140f.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt1512.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt19be.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt1b5c.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt1ea5.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt1ed4.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt21f1.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt2275.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt23c4.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt23c8.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt23e9.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt2405.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt2747.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt2f1a.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt3023.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt3131.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt381c.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt3b72.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt3ca0.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt3cc2.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt3ede.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt463c.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt4f6c.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt51ff.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt56f7.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\xprt5b88.ico 4286 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Perflib_Perfdata__754 800 bytes
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\Perflib_Perfdata__755 60416 bytes executable
C:\DOCUME~1\JIMHAR~1\LOCALS~1\Temp\WERea0e.dir00

scan completed successfully
hidden files: 94

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
.
**************************************************************************
.
Completion time: 2008-04-29 7:15:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-29 12:15:38
ComboFix2.txt 2008-04-27 13:43:57
ComboFix3.txt 2008-04-24 12:39:11

Pre-Run: 55,336,226,816 bytes free
Post-Run: 55,602,286,592 bytes free

437 --- E O F --- 2008-04-28 23:07:51

HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:03 AM, on 4/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1181058224718
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FAF0294-88A0-42E8-A3C0-84AD11FC275B}: NameServer = 24.93.40.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{5FAF0294-88A0-42E8-A3C0-84AD11FC275B}: NameServer = 24.93.40.75
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6858 bytes

P.S. What is up with the diet Coke plus Mentos = great fun in Belgium? LOL Saw this news item on Yahoo. Looks like fun... Thanks again and have a terrific day. Look forward to finishing this up.

Regards,
Jim in Austin, TX

#8 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 30 April 2008 - 08:10 AM

Hello Jim,

We like coke fountains in Belgium :blink:

Is your MSN Messenger still working as it should?
If you keep having those errors, I'd reinstall it. :thumbsup:

1. Reconfigure Windows XP to show hidden files:
  • Click Start. Open My Computer.
  • Select the Tools menu and click Folder Options. Select the View Tab.
  • Under the Hidden files and folders heading select "Show hidden files and folders".
  • Uncheck the Hide protected operating system files (recommended) option.
  • Uncheck the Hide file extensions for known file types option.
  • Click Yes to confirm. Click OK.
2. Using Windows Explorer, search and empty, DO NOT REMOVE, these folders (only the one in bold!):
  • C:\Documents and Settings\Jim Harrison\Local Settings\Temp
  • C:\Documents and Settings\All users\Local Settings\Temp
  • C:\Windows\Temp
3. Go to Start > Run, and copy and paste the next command in the field:
ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

4. Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Reboot your system.
Are you still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference
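The same three things Thunder's steps 1, 2 and 4 ask the user to do by hand can be checked from a PowerShell prompt, before and after following them. The script below is an example added to this thread; it is not part of the original post, of ComboFix, HijackThis or any other tool mentioned here. It only reads and reports: it empties no folder and uninstalls nothing. The registry value names Hidden, ShowSuperHidden and HideFileExt are Windows' own Explorer settings behind the Folder Options checkboxes; the Wow6432Node Uninstall path is assumed to exist only on 64-bit Windows and is simply skipped on a 32-bit XP machine like Jim's.

```powershell
# Added example, not from the thread: read-only audit of what steps 1, 2 and 4 ask for.
# Run from a PowerShell prompt; nothing here changes settings, empties folders or uninstalls anything.

# --- Step 1: is Explorer showing hidden files, protected OS files and file extensions? ---
# These are the Explorer settings behind the Folder Options > View checkboxes.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advKey
'Show hidden files and folders       : {0}' -f ($adv.Hidden -eq 1)           # Hidden=1 means shown
'Show protected OS files             : {0}' -f ($adv.ShowSuperHidden -eq 1)  # ShowSuperHidden=1 means shown
'Show extensions for known file types: {0}' -f ($adv.HideFileExt -eq 0)      # HideFileExt=0 means shown

# --- Step 2: how much is sitting in the temp folders the post says to empty? ---
# $env:TEMP is the current user's temp folder (Local Settings\Temp on XP);
# the machine-wide one is %windir%\Temp. Hidden files are counted too (-Force).
$tempDirs = @($env:TEMP, (Join-Path $env:windir 'Temp'))
foreach ($dir in $tempDirs) {
    if (Test-Path -Path $dir) {
        $files = Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.PSIsContainer }
        # Measure-Object copes with an empty folder: Count is 0 and Sum is null (null / 1MB is 0)
        $m = $files | Measure-Object -Property Length -Sum
        '{0,-55} {1,6} files {2,9:N1} MB' -f $dir, $m.Count, ($m.Sum / 1MB)
    }
}

# --- Step 4: which Java runtimes does Add/Remove Programs know about? ---
# Every Add/Remove Programs entry is a subkey under Uninstall; the post says to remove
# anything with "Java Runtime Environment", "JRE" or "J2SE" in its name before installing 6u6.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # assumed present only on 64-bit Windows
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|JRE|J2SE' } |
    Select-Object DisplayName, DisplayVersion, UninstallString |
    Sort-Object DisplayVersion |
    Format-Table -AutoSize
```

Running it once before step 4 gives the list of Java entries to remove in Add/Remove Programs; running it again after the reboot should show only the freshly installed 6u6 entry, and the first three lines should all read True once step 1 has been done.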

#9 austinjim

  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male
  • Location:Austin, TX

Posted 30 April 2008 - 02:11 PM

:thumbsup: THUNDER :blink:

Everything seems to be working normally now! :wacko: Should I keep all software that was downloaded in the repair of the computer? I'm using Trend Micro as you know and it scans clean.

I appreciate all of your help and patience and while I am sure it is not much I will be donating some $ to the cause... If you are ever in Austin, TX or would like to ask me any questions do not hesitate in giving me a shout.

Thanks again and have a terrific day.

Best Regards,
Jim

#10 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 30 April 2008 - 04:35 PM

Glad we could help, Jim :thumbsup:

You can remove all used tools and folders created in the process.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.