
Spyware Problem


  • This topic is locked
21 replies to this topic

#1 AlleyGator

AlleyGator

  • Members
  • 26 posts
  • OFFLINE
  • Local time:05:48 AM

Posted 26 May 2008 - 05:28 AM

It was a lot worse, but I have tried to clean as much as I could; I need some help getting the rest.

Thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:38 AM, on 5/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Nfad.exe
C:\WINDOWS\winself.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\sysxwin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Xpress Mail\Personal Edition\XpressMailDesktopClient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddcya.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/index.html"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\lpxtga6f.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\lpxtga6f.slt\prefs.js)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Blubster Toolbar - {7EFBC57C-CD57-481F-B794-648FCE9C9116} - C:\Program Files\Blubster Toolbar\v3.2.0.0\Blubster_Toolbar.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SSWPlauncher] C:\PROGRA~1\COMETS~1\Platform\Bin\comet.exe /app:SSWPlauncher
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [APOLLO Printer Registration Reminder] "C:\Program Files\APOLLO\APOLLO P2X00 Series\Register\NAVBrowser.exe" /r /i "C:\Program Files\APOLLO\APOLLO P2X00 Series\Register\NavLoad.ini"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKLM\..\Run: [540591f6] rundll32.exe "C:\WINDOWS\system32\hixmccal.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [BM5736a26a] Rundll32.exe "C:\WINDOWS\system32\dwxierfx.dll",s
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: dllhost.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Xpress Mail Personal Edition.lnk = C:\Program Files\Xpress Mail\Personal Edition\XpressMailDesktopClient.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {2B4F4FA8-814A-11D7-B31B-0002A500B281} (FASetupStart Control) - http://a2.ff.fullaudio.com.edgesuite.net/f....0.40/setup.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97702B79-AB7B-4CDF-963D-F02289B02DBA}: NameServer = 85.255.113.106,85.255.112.111
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.106 85.255.112.111
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.106 85.255.112.111
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MsSecurity (MsSecurity1.203.2) - Unknown owner - C:\WINDOWS\Nfad.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\sysxwin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 12882 bytes

Edited by AlleyGator, 26 May 2008 - 05:30 AM.
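As an added example (not part of the thread, and not code from HijackThis, Trend Micro or BleepingComputer), here is a small Python triage script that applies to HijackThis log lines the checks a helper would otherwise make by eye: an F2 UserInit value that names anything besides userinit.exe, an F3 win.ini load= entry, O4 Run entries where rundll32 loads an eight-random-letter DLL from system32 or a bare executable sits in Global Startup, O17 NameServer values outside an expected resolver list, and O23 services of unknown owner whose binary lives directly in the Windows directory. The sample lines are copied from the log above; the heuristics (the eight-lowercase-letter DLL pattern, the "expected resolvers" list, the Windows-root service rule) are this example's own assumptions, and 192.0.2.1 is a documentation address standing in for whatever resolver the ISP actually assigns.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied verbatim from the HijackThis log in the thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddcya.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [540591f6] rundll32.exe "C:\WINDOWS\system32\hixmccal.dll",b
O4 - HKLM\..\Run: [BM5736a26a] Rundll32.exe "C:\WINDOWS\system32\dwxierfx.dll",s
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: dllhost.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.106 85.255.112.111
O23 - Service: MsSecurity (MsSecurity1.203.2) - Unknown owner - C:\WINDOWS\Nfad.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\sysxwin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Heuristic (assumption): the Vundo DLLs in the log are eight random lowercase letters.
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{8}\.dll")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def check_f2_userinit(body):
    """F2: UserInit should list only userinit.exe; anything else runs at every logon."""
    if not body.lower().startswith("reg:system.ini: userinit="):
        return None
    entries = [e.strip() for e in body.split("=", 1)[1].split(",") if e.strip()]
    extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
    return ("extra UserInit entries: " + ", ".join(extra)) if extra else None


def check_f3_load(body):
    """F3: a win.ini load= value is a legacy autostart that is normally empty."""
    m = re.match(r"reg:win\.ini: load=(.+)", body, re.IGNORECASE)
    return f"win.ini load= runs {m.group(1)} at logon" if m else None


def check_o4_run(body):
    """O4: rundll32 + random-named system32 DLL, or a bare .exe dropped into Global Startup."""
    low = body.lower()
    if "rundll32" in low and RANDOM_DLL_RE.search(low):
        return "rundll32 loads a random-named DLL from system32"
    m = re.match(r"Global Startup: (\S+\.exe)$", body)
    if m:
        return f"bare executable {m.group(1)} in Global Startup (no shortcut)"
    return None


def check_o17_dns(body, expected):
    """O17: NameServer values not in the expected resolver set (DNS hijack indicator)."""
    m = re.search(r"NameServer = (.+)$", body)
    if not m:
        return None
    unexpected = [s for s in IP_RE.findall(m.group(1)) if s not in expected]
    return ("unexpected DNS servers: " + ", ".join(unexpected)) if unexpected else None


def check_o23_service(body):
    """O23: unknown-owner service whose binary sits directly in the Windows directory."""
    m = re.match(r"Service: .* - Unknown owner - (.+)$", body)
    if not m:
        return None
    path = m.group(1).strip()
    if re.fullmatch(r"c:\\windows\\[^\\]+\.exe", path.lower()):
        return f"unknown-owner service binary directly in the Windows directory: {path}"
    return None


def triage(log_text, expected_nameservers=()):
    """Return a Finding for every log line that trips one of the checks above."""
    expected = set(expected_nameservers)
    findings = []
    for raw in log_text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reason = None
        if section == "F2":
            reason = check_f2_userinit(body)
        elif section == "F3":
            reason = check_f3_load(body)
        elif section == "O4":
            reason = check_o4_run(body)
        elif section == "O17":
            reason = check_o17_dns(body, expected)
        elif section == "O23":
            reason = check_o23_service(body)
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    # 192.0.2.1 is a placeholder for the resolver the ISP really assigns (assumption).
    for f in triage(SAMPLE_LOG, ["192.0.2.1"]):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

The script deliberately leaves R0/R1 and O3 toolbar lines alone: those are mostly vendor customisation and need a human to judge. The eight-letter DLL rule will occasionally flag a legitimate library, so treat every hit as something to look up, not something to delete.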


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:11:48 AM

Posted 28 May 2008 - 06:42 AM

Hello AlleyGator and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 AlleyGator

AlleyGator
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:05:48 AM

Posted 28 May 2008 - 07:35 AM

Thanks for the reply Thunder, I appreciate the help.


Before I try the rest of the steps I will say that I have tried to run disk cleanup prior to my post and I just tried again both in normal mode and in safe mode and I keep getting an error that says disk cleanup manager has encountered a problem and needs to close.

Thanks,
AlleyGator

Also, it seems that the desktop has disappeared: after I rebooted I get no icons or taskbar, can't right click, and I can't seem to use any keyboard shortcuts. This happens in normal mode and safe mode.

Edited by AlleyGator, 28 May 2008 - 08:28 AM.


#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:11:48 AM

Posted 28 May 2008 - 09:08 AM

Hello AlleyGator,

What option do you still have at your disposal ?

Can you start Explorer.exe from Task Manager ?
(Press Control/Alt/Delete to open Windows Task Manager, when the dialog box appears, go
to Processes, find Explorer.exe highlight it and choose End Process.

Keep the Task Manager open, then select the File menu and then New Task
(Run). When the Create New Task dialog box appears, type in Explorer and
press the OK button. Windows Explorer should restart complete with the
Taskbar and Start button.)

If possible, proceed with the procedure described above.

Greetings,
Thunder

#5 AlleyGator

AlleyGator
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:05:48 AM

Posted 28 May 2008 - 09:02 PM

Task Manager has been disabled by admin... fallout from the spyware, I imagine, but when I just rebooted into normal mode everything was back, so I will get started on the other steps now.


Thanks
AlleyGator

Edited by AlleyGator, 28 May 2008 - 09:14 PM.


#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:11:48 AM

Posted 29 May 2008 - 04:01 AM

That's good news, AlleyGator :thumbsup:

I guess I'll see your logs shortly then.

Greetings,
Thunder

#7 AlleyGator

AlleyGator
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:05:48 AM

Posted 29 May 2008 - 08:16 AM

Here are the logs...

Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Quick Scan
Objects scanned: 66996
Time elapsed: 1 hour(s), 49 minute(s), 26 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 2
Registry Keys Infected: 45
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 9
Files Infected: 111

Memory Processes Infected:
C:\WINDOWS\winself.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\ddcya.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\hixmccal.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74f23477-7f89-41dd-a92f-cdcc72fc79c5} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{74f23477-7f89-41dd-a92f-cdcc72fc79c5} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c111cf13-545f-6ff1-51ac-f623d452c63d} (Spyware.Delf) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{543bd811-f148-4b3a-a0b9-177014555bf9} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock5.band (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1f2f95d9-bafd-4769-85a2-4169957db67e} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{1f2f95d9-bafd-4769-85a2-4169957db67e} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{1f2f95d9-bafd-4769-85a2-4169957db67e} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{82ea1a55-9cbc-404b-9d0c-e8bfb7eaae9b} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82ea1a55-9cbc-404b-9d0c-e8bfb7eaae9b} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock5.band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock5.bho (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock5.bho.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d6b0c179-6343-442c-8175-9652e200cb55} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6085c562-a306-4e0c-a61c-66dbb0c7c9f8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ism (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.203.2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BndBlock5.DLL (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\540591f6 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM5736a26a (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Vundo) -> Data: c:\windows\system32\ddcya.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ddcya -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger) -> Data: kdmki.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ddcya -> Delete on reboot.

Folders Infected:
C:\Program Files\QdrDrive (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Program Files\ISM (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\cidwqepq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qpeqwdic.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcya.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ddcya.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aycdd.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\aycdd.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ecfwbvfl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lfvbwfce.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fdqqteuc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cuetqqdf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gudqwukr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rkuwqdug.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hixmccal.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\laccmxih.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\laccmxih.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\icqnkbup.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pubknqci.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pcwmeuvu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uvuemwcp.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qhnomkhv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vhkmonhq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rcakbfvt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tvfbkacr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tmerbqvh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hvqbremt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vskxtupr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rputxksv.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtudkpcj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jcpkdutv.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wkuyyrux.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xuryyukw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xebivdxn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nxdvibex.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kdmki.exe (Rootkit.DNSChanger) -> Delete on reboot.
C:\WINDOWS\system32\cryper.dll (Spyware.Delf) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive\QdrDrive10.dll (Adware.ISM) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\12A0.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bxaoekvj.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ctfmonb.bmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dlitfvlu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dyrixski.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eoxijlgq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eskdkfro.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ghqdjwio.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\guaoufty.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hevtucch.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hsqasxgc.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ictudcek.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\itvvfidw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jnwyxtyx.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kagpnnge.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kfcamblb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\knehrljc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kqfygcoj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\labgtouc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LF4A5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lktehmcs.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lqcjdivg.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvwwkgkm.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ofrghkod.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qendtaak.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qmhfauxq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rbuixwnc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rxsmbmha.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ryrforhc.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuauoktt.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ubwuuixl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ukcomuax.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uwbcfocj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vngotfxa.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vxqlgtef.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wgsvusyp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xvipynfy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yghofulk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\smss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\GXgj.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\ismtpa11.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\MDL4A9.tmp (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\outerinfo.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\TMP4E1.tmp (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive\qdrloader.exe (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Program Files\ISM\ism.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\ISM\Uninstall.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\dic.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\dicy.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\kwd.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\QdrModule12 .exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\QdrModule13 .exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\QdrModule13.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\QdrModule15 .exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\QdrModule16 .exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\QdrPack12 .exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\QdrPack12.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\QdrPack15 .exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\QdrPack16 .exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MySearch\bar\Settings\settings.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\WINDOWS\lfn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\winself.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dwxierfx.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\ismtpa15.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\ismtpa16.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


ComboFix 08-05-27.4 - Owner 2008-05-29 1:32:41.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\My Documents\SSTEM~1
C:\WINDOWS\BM5736a26a.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\default.htm
C:\WINDOWS\explore.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aiqqfwit.exe
C:\WINDOWS\system32\areyyqnw.exe
C:\WINDOWS\system32\aycdd.ini
C:\WINDOWS\system32\aycdd.ini2
C:\WINDOWS\system32\bbpyhjar.ini
C:\WINDOWS\system32\booyoubm.ini
C:\WINDOWS\system32\bpvpccuo.exe
C:\WINDOWS\system32\bqnkngck.ini
C:\WINDOWS\system32\bqwxkloa.dll
C:\WINDOWS\system32\bsihkjjb.dll
C:\WINDOWS\system32\btgiexsp.ini
C:\WINDOWS\system32\cajleqeh.dll
C:\WINDOWS\system32\cbnodnsk.dll
C:\WINDOWS\system32\cdfehkyv.dll
C:\WINDOWS\system32\cdisjdqu.dll
C:\WINDOWS\system32\cemehfhc.ini
C:\WINDOWS\system32\cflftwxf.dll
C:\WINDOWS\system32\cflyimhk.ini
C:\WINDOWS\system32\chckfivi.dll
C:\WINDOWS\system32\clarmkji.dll
C:\WINDOWS\system32\coqfflrh.dll
C:\WINDOWS\system32\cotesyvn.dll
C:\WINDOWS\system32\cqgecobh.dll
C:\WINDOWS\system32\cqonaibf.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\cxvfepaw.dll
C:\WINDOWS\system32\cyetyvxn.dll
C:\WINDOWS\system32\dcqdnylk.dll
C:\WINDOWS\system32\ddcya.dll
C:\WINDOWS\system32\ddqirtoe.dll
C:\WINDOWS\system32\deslsyxd.dll
C:\WINDOWS\system32\detovgvf.ini
C:\WINDOWS\system32\dfolmveq.ini
C:\WINDOWS\system32\dkptkmvy.ini
C:\WINDOWS\system32\dlkkljsn.dll
C:\WINDOWS\system32\dlyycnpy.ini
C:\WINDOWS\system32\dmnxbbdq.dll
C:\WINDOWS\system32\dqevfdxs.dll
C:\WINDOWS\system32\dskyckyi.dll
C:\WINDOWS\system32\dsmvdwrq.ini
C:\WINDOWS\system32\dvrajytb.dll
C:\WINDOWS\system32\dwxierfx.dll
C:\WINDOWS\system32\eathwvjv.ini
C:\WINDOWS\system32\ebodysah.dll
C:\WINDOWS\system32\eceyjkth.dll
C:\WINDOWS\system32\edxcqtpe.ini
C:\WINDOWS\system32\efybpwej.dll
C:\WINDOWS\system32\ejjuxtkw.ini
C:\WINDOWS\system32\emmyrkxp.dll
C:\WINDOWS\system32\enjpjltt.ini
C:\WINDOWS\system32\esbuhbvm.dll
C:\WINDOWS\system32\esrhrnsa.ini
C:\WINDOWS\system32\evxbexyj.dll
C:\WINDOWS\system32\fcdcpfky.dll
C:\WINDOWS\system32\fdilupka.ini
C:\WINDOWS\system32\ffbjhsfq.exe
C:\WINDOWS\system32\fgrxcrww.dll
C:\WINDOWS\system32\flfiuikd.exe
C:\WINDOWS\system32\fpovmkya.ini
C:\WINDOWS\system32\fsigiidv.ini
C:\WINDOWS\system32\fuetpxho.dll
C:\WINDOWS\system32\fuqjrvsl.ini
C:\WINDOWS\system32\gcvoxysk.dll
C:\WINDOWS\system32\gcxurneq.ini
C:\WINDOWS\system32\gdlasnit.dll
C:\WINDOWS\system32\gfgbcyhb.ini
C:\WINDOWS\system32\gikvhmwa.dll
C:\WINDOWS\system32\gmvdeogv.ini
C:\WINDOWS\system32\hbvrclso.exe
C:\WINDOWS\system32\hcyeiwpx.ini
C:\WINDOWS\system32\hebqviol.dll
C:\WINDOWS\system32\hhpexneb.dll
C:\WINDOWS\system32\higmmabd.ini
C:\WINDOWS\system32\hixmccal.dll
C:\WINDOWS\system32\hlqckoar.dll
C:\WINDOWS\system32\hlrrdirn.dll
C:\WINDOWS\system32\htkhqmlc.ini
C:\WINDOWS\system32\htvnhoqt.dll
C:\WINDOWS\system32\hvcvnnkw.ini
C:\WINDOWS\system32\icyvkypq.dll
C:\WINDOWS\system32\icyxefxl.ini
C:\WINDOWS\system32\imakdqyo.ini
C:\WINDOWS\system32\irmglswx.dll
C:\WINDOWS\system32\ivuexeko.dll
C:\WINDOWS\system32\jabmpsmx.exe
C:\WINDOWS\system32\jagxqgia.ini
C:\WINDOWS\system32\jbvljida.ini
C:\WINDOWS\system32\jdmkrcnu.dll
C:\WINDOWS\system32\jgtejjao.dll
C:\WINDOWS\system32\jkhtdjhr.dll
C:\WINDOWS\system32\jrxdioob.ini
C:\WINDOWS\system32\jutliknm.dll
C:\WINDOWS\system32\jxlnqldj.dll
C:\WINDOWS\system32\jyitkaru.dll
C:\WINDOWS\system32\ketrgsvx.dll
C:\WINDOWS\system32\kewpiwmx.dll
C:\WINDOWS\system32\kimmyojw.tmp
C:\WINDOWS\system32\kluajhjn.dll
C:\WINDOWS\system32\kooqehcg.dll
C:\WINDOWS\system32\krsqlhia.ini
C:\WINDOWS\system32\ktcnsuji.dll
C:\WINDOWS\system32\kugagcpa.ini
C:\WINDOWS\system32\laccmxih.tmp
C:\WINDOWS\system32\lbragqew.dll
C:\WINDOWS\system32\lcfqihpj.ini
C:\WINDOWS\system32\lfydjgtl.dll
C:\WINDOWS\system32\lgbfmrjd.dll
C:\WINDOWS\system32\liylorbc.dll
C:\WINDOWS\system32\lkrnqaxb.dll
C:\WINDOWS\system32\lodbddib.ini
C:\WINDOWS\system32\lqgrnekc.dll
C:\WINDOWS\system32\lxtkyhsj.dll
C:\WINDOWS\system32\mbbfqdva.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfiujafa.dll
C:\WINDOWS\system32\misjhjtx.dll
C:\WINDOWS\system32\mjgkjyop.ini
C:\WINDOWS\system32\mkmlcppj.dll
C:\WINDOWS\system32\mphuhsee.dll
C:\WINDOWS\system32\mrihivsa.dll
C:\WINDOWS\system32\muyvhaqj.ini
C:\WINDOWS\system32\mytfdqsx.dll
C:\WINDOWS\system32\ngenxppp.ini
C:\WINDOWS\system32\nggedkmy.ini
C:\WINDOWS\system32\ngjbrjto.exe
C:\WINDOWS\system32\njstyrrw.ini
C:\WINDOWS\system32\nlskckki.dll
C:\WINDOWS\system32\nnkwfkxj.ini
C:\WINDOWS\system32\nstjtkoa.ini
C:\WINDOWS\system32\ntgyvchl.dll
C:\WINDOWS\system32\ofctaniq.dll
C:\WINDOWS\system32\ojwolvwn.ini
C:\WINDOWS\system32\okakoion.ini
C:\WINDOWS\system32\okedutjr.dll
C:\WINDOWS\system32\okkiamow.ini
C:\WINDOWS\system32\opdatjpj.ini
C:\WINDOWS\system32\oqclonao.dll
C:\WINDOWS\system32\oqwwklnp.ini
C:\WINDOWS\system32\osbhbtnl.dll
C:\WINDOWS\system32\ownwoqhx.dll
C:\WINDOWS\system32\oycsaxxa.dll
C:\WINDOWS\system32\peqqmvca.dll
C:\WINDOWS\system32\phbcrjjp.dll
C:\WINDOWS\system32\piwxrtqy.dll
C:\WINDOWS\system32\pktdsdnh.dll
C:\WINDOWS\system32\pmabcuib.dll
C:\WINDOWS\system32\pqkgvobt.dll
C:\WINDOWS\system32\prelolsi.ini
C:\WINDOWS\system32\prhalswh.dll
C:\WINDOWS\system32\prkfrxji.ini
C:\WINDOWS\system32\puyrgfru.dll
C:\WINDOWS\system32\pvtmlhky.ini
C:\WINDOWS\system32\pwfltofd.ini
C:\WINDOWS\system32\qahuyuqu.dll
C:\WINDOWS\system32\qamlarng.ini
C:\WINDOWS\system32\qcfjxnce.dll
C:\WINDOWS\system32\qffqjjnx.dll
C:\WINDOWS\system32\qhcdvwwy.dll
C:\WINDOWS\system32\qhobxyde.ini
C:\WINDOWS\system32\qkrseolp.ini
C:\WINDOWS\system32\qwavegnf.ini
C:\WINDOWS\system32\rbwamnwh.dll
C:\WINDOWS\system32\rhqubrmb.dll
C:\WINDOWS\system32\rierqtie.ini
C:\WINDOWS\system32\rjutxedj.ini
C:\WINDOWS\system32\rlgflptj.dll
C:\WINDOWS\system32\rlwwcrfr.dll
C:\WINDOWS\system32\rpnypspa.ini
C:\WINDOWS\system32\ruvgtllx.dll
C:\WINDOWS\system32\rvywdsve.dll
C:\WINDOWS\system32\ryxcnkgi.dll
C:\WINDOWS\system32\sckgbill.dll
C:\WINDOWS\system32\sigembkb.ini
C:\WINDOWS\system32\slpmbjqs.dll
C:\WINDOWS\system32\sojjpvnv.dll
C:\WINDOWS\system32\sombsonv.dll
C:\WINDOWS\system32\ssgypxix.ini
C:\WINDOWS\system32\stwwkxwt.dll
C:\WINDOWS\system32\sukesgtk.dll
C:\WINDOWS\system32\tjvffajc.ini
C:\WINDOWS\system32\tkajncia.dll
C:\WINDOWS\system32\tkdfjpax.dll
C:\WINDOWS\system32\tkxsheix.dll
C:\WINDOWS\system32\tltgldqu.dll
C:\WINDOWS\system32\tmgtxtok.dll
C:\WINDOWS\system32\tmqjsqhm.dll
C:\WINDOWS\system32\tnjtvrhq.dll
C:\WINDOWS\system32\tnveupet.dll
C:\WINDOWS\system32\twysrbky.dll
C:\WINDOWS\system32\ujxfxbmm.dll
C:\WINDOWS\system32\umerdjfq.dll
C:\WINDOWS\system32\uobqutme.exe
C:\WINDOWS\system32\upukqyhg.exe
C:\WINDOWS\system32\uqeolfxl.dll
C:\WINDOWS\system32\uukcskfa.ini
C:\WINDOWS\system32\uvixpbjn.dll
C:\WINDOWS\system32\uwuogskm.ini
C:\WINDOWS\system32\uywbntru.dll
C:\WINDOWS\system32\vediubor.ini
C:\WINDOWS\system32\vgreuxsr.ini
C:\WINDOWS\system32\vnfdsblt.dll
C:\WINDOWS\system32\vnyyqgqw.dll
C:\WINDOWS\system32\vsawcwwa.dll
C:\WINDOWS\system32\vsjbyene.dll
C:\WINDOWS\system32\weufbsbu.ini
C:\WINDOWS\system32\wiqlfhfv.dll
C:\WINDOWS\system32\wjoymmik.dll
C:\WINDOWS\system32\wkutelsw.dll
C:\WINDOWS\system32\wlvoxxxo.dll
C:\WINDOWS\system32\wptrdtco.dll
C:\WINDOWS\system32\wwrkongk.dll
C:\WINDOWS\system32\wyquoukh.dll
C:\WINDOWS\system32\xcmuwori.ini
C:\WINDOWS\system32\xelyxjht.ini
C:\WINDOWS\system32\xhyalvnq.ini
C:\WINDOWS\system32\xsrctlad.dll
C:\WINDOWS\system32\xyobkijs.exe
C:\WINDOWS\system32\yadbnfje.ini
C:\WINDOWS\system32\yakynwyx.ini
C:\WINDOWS\system32\ybnjkrdn.dll
C:\WINDOWS\system32\ycccukpv.dll
C:\WINDOWS\system32\ydchngxo.dll
C:\WINDOWS\system32\ygrpmcdo.exe
C:\WINDOWS\system32\ykllswnb.dll
C:\WINDOWS\system32\yllfkuwy.ini
C:\WINDOWS\system32\ynyrmpdd.dll
C:\WINDOWS\system32\ypbdsncd.dll
C:\WINDOWS\system32\yqonosjw.ini
C:\WINDOWS\system32\yxepderb.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4
-------\Legacy_SYSREST.SYS


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-29 01:59 . 2008-05-29 02:00 318 --ahs---- C:\WINDOWS\system32\aycdd.ini
2008-05-29 01:55 . 2008-05-29 01:55 340,992 --a------ C:\WINDOWS\system32\ddcya.exe
2008-05-29 01:55 . 2008-05-29 01:55 337,408 --------- C:\WINDOWS\system32\ddcya.dll
2008-05-29 01:54 . 2008-05-29 01:54 <DIR> d-------- C:\WINDOWS\system32\5075
2008-05-28 23:01 . 2008-05-28 23:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-28 22:59 . 2008-05-28 23:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-28 22:59 . 2008-05-28 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-28 22:59 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-28 22:59 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 10:35 . 2008-05-29 01:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-25 10:35 . 2008-05-29 01:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-25 04:13 . 2008-05-25 04:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\URSoft
2008-05-25 04:12 . 2008-05-26 04:45 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-05-24 23:20 . 2008-05-29 01:55 323,584 --a------ C:\WINDOWS\system32\nwiz .exe
2008-05-24 23:01 . 2008-05-24 23:07 691,200 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-24 20:56 . 2008-05-24 20:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-05-24 20:56 . 2007-07-19 22:42 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-05-24 20:56 . 2007-07-19 22:42 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-05-24 20:56 . 2007-07-19 22:42 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-05-24 20:56 . 2007-07-19 22:42 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2008-05-24 20:54 . 2008-05-24 20:54 <DIR> d-------- C:\Program Files\Webroot
2008-05-24 20:54 . 2008-05-24 20:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-05-24 20:54 . 2008-05-24 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-05-24 20:54 . 2007-07-19 22:54 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2008-05-24 15:15 . 2008-05-24 15:15 <DIR> d-------- C:\!KillBox
2008-05-24 10:05 . 2008-05-24 10:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-05-24 05:27 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-05-24 04:52 . 2008-05-24 04:52 30,720 --a------ C:\WINDOWS\loader.exe
2008-05-24 04:52 . 2008-05-24 04:52 19,712 --a------ C:\WINDOWS\mssys.exe
2008-05-24 04:52 . 2008-05-24 04:52 16,640 --a------ C:\WINDOWS\x.exe
2008-05-24 04:52 . 2008-05-24 04:52 10,496 --a------ C:\WINDOWS\notepad32.exe
2008-05-24 04:52 . 2008-05-24 04:52 8,960 --a------ C:\WINDOWS\msupdate.exe
2008-05-24 04:51 . 2008-05-24 04:51 14,592 --a------ C:\WINDOWS\iedll.exe
2008-05-24 04:46 . 2008-05-24 04:46 150 --a------ C:\WINDOWS\wininit.ini
2008-05-23 23:34 . 2008-05-24 04:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-23 23:32 . 2008-05-26 04:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-23 23:30 . 2003-08-23 09:34 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-23 23:30 . 2003-08-28 22:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-23 23:30 . 2003-08-23 09:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-05-23 23:30 . 2003-08-23 22:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-05-23 23:30 . 2003-08-28 22:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-05-23 23:30 . 2008-05-23 23:30 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-23 22:27 . 2008-05-24 17:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Thinstall
2008-05-23 21:37 . 2004-08-04 02:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-05-23 21:37 . 2004-08-04 02:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-05-23 21:34 . 2004-08-04 00:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-05-23 21:34 . 2004-08-04 00:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-05-23 21:27 . 2008-05-24 21:02 23,040 --a------ C:\WINDOWS\system32\sysrest32 .exe
2008-05-23 21:26 . 2004-08-04 02:56 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-05-23 21:26 . 2004-08-04 02:56 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-05-22 20:49 . 2008-05-22 20:49 103,488 --------- C:\WINDOWS\system32\bobtauwn.dll_old
2008-05-22 06:26 . 2008-05-23 22:18 96,256 --a------ C:\WINDOWS\system32\ctfmona .exe
2008-05-21 21:04 . 2008-05-21 21:04 29,440 --a------ C:\WINDOWS\y.exe
2008-05-21 20:48 . 2008-05-21 20:48 114,688 --a------ C:\WINDOWS\msieexten.exe
2008-05-21 20:48 . 2008-05-21 20:48 59,392 --a------ C:\WINDOWS\system32\winsconfz.dll
2008-05-21 20:48 . 2008-05-21 20:48 50,186 --a------ C:\WINDOWS\antisp32.exe
2008-05-21 20:48 . 2008-05-21 20:48 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-21 20:34 . 2008-05-29 01:09 <DIR> d-------- C:\WINDOWS\system32\6849
2008-05-21 20:33 . 2008-05-21 20:33 55,808 --a------ C:\WINDOWS\sysxwin.exe
2008-05-21 20:33 . 2008-05-21 20:33 19,968 --a------ C:\WINDOWS\Nfad.exe
2008-05-21 20:33 . 2008-05-21 20:33 317 -r-hs---- C:\WINDOWS\mscon.vga
2008-05-21 20:33 . 2008-05-28 20:38 33 -r-hs---- C:\WINDOWS\conlex.eom
2008-05-21 20:33 . 2008-05-29 01:08 12 -r-hs---- C:\WINDOWS\winxd.xc
2008-05-19 18:59 . 2008-05-19 18:59 340,992 --a------ C:\WINDOWS\system32\RCX15.tmp
2008-05-18 20:20 . 2008-05-18 20:20 340,992 --a------ C:\WINDOWS\system32\RCX14.tmp
2008-05-18 14:59 . 2008-05-18 14:59 1,394,261 ---hs---- C:\WINDOWS\system32\jbvljida.tmp
2008-05-18 14:53 . 2008-05-18 14:53 340,992 --a------ C:\WINDOWS\system32\RCX13.tmp
2008-05-17 08:04 . 2008-05-17 08:04 340,992 --a------ C:\WINDOWS\system32\RCX12.tmp
2008-05-15 00:18 . 2008-05-15 00:18 340,992 --a------ C:\WINDOWS\system32\RCX11.tmp
2008-05-13 20:40 . 2008-05-13 20:40 340,992 --a------ C:\WINDOWS\system32\RCX10.tmp
2008-05-10 08:15 . 2008-05-10 08:15 340,992 --a------ C:\WINDOWS\system32\RCXF.tmp
2008-05-09 22:50 . 2008-05-09 22:50 340,992 --a------ C:\WINDOWS\system32\RCXE.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 06:55 --------- d-----w C:\Program Files\QuickTime
2008-05-29 06:03 63,479 ------w C:\WINDOWS\system32\kdmki.exe
2008-05-29 01:40 417,792 ----a-w C:\Program Files\Video.exe
2008-05-29 01:40 417,792 ----a-w C:\Program Files\RCX400.tmp
2008-05-29 01:40 25,214 ----a-w C:\Program Files\B.ico
2008-05-29 01:40 25,214 ----a-w C:\Program Files\A.ico
2008-05-29 01:40 217,699 ----a-w C:\Program Files\b.zip
2008-05-29 01:40 217,699 ----a-w C:\Program Files\a.zip
2008-05-26 10:10 218,599 ----a-w C:\Program Files\c.zip
2008-05-25 02:14 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-24 20:24 --------- d-----w C:\Documents and Settings\Owner\Application Data\Motive
2008-05-24 02:26 15,360 ----a-w C:\WINDOWS\system32\ctfmon .exe
2008-05-15 12:39 81,920 ----a-w C:\WINDOWS\system32\ps2 .exe
2008-04-25 02:07 340,992 ----a-w C:\WINDOWS\system32\RCXA4E.tmp
2008-04-19 18:30 992,939 --sh--w C:\WINDOWS\system32\yadbnfje.tmp
2008-04-18 01:11 78 ----a-w C:\semp1.bat
2008-04-18 01:11 128 ----a-w C:\semp2.bat
2008-04-18 00:40 340,992 ----a-w C:\WINDOWS\system32\RCXAC1.tmp
2008-04-16 13:55 340,992 ----a-w C:\WINDOWS\system32\RCXAC0.tmp
2008-04-15 15:39 340,992 ----a-w C:\WINDOWS\system32\RCXAAE.tmp
2008-04-15 15:39 118,784 ----a-w C:\WINDOWS\system32\hkcmd .exe
2008-04-15 03:22 --------- d-----w C:\Program Files\Multimedia Card Reader
2008-04-13 01:15 340,992 ----a-w C:\WINDOWS\system32\RCXA3E.tmp
2008-03-30 20:22 1,393,367 --sha-w C:\WINDOWS\system32\gpqnrcqh.tmp
2008-03-28 20:01 155,648 ----a-w C:\WINDOWS\system32\igfxtray .exe
2008-03-27 00:25 340,992 ----a-w C:\WINDOWS\system32\RCX8B2.tmp
2008-03-25 18:18 340,992 ----a-w C:\WINDOWS\system32\RCX8B9.tmp
2008-03-25 00:45 340,992 ----a-w C:\WINDOWS\system32\RCX8C2.tmp
2008-03-22 22:27 1,248,386 --sha-w C:\WINDOWS\system32\nggedkmy.tmp
.
<pre>
----a-w			53,248 2008-03-14 14:39:42  C:\hp\bin\AUTOTKIT .EXE
----a-w			61,440 2008-03-07 13:20:03  C:\hp\KBD\KBD .EXE
----a-w		 5,980,160 2008-02-05 16:09:57  C:\Program Files\Blubster\Blubster .exe
----a-w		   180,269 2008-03-22 20:51:36  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   110,592 2008-03-28 20:01:11  C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w			24,576 2008-02-24 22:26:14  C:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify .exe
----a-w			90,112 2008-03-25 18:18:04  C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
----a-w			49,152 2008-03-18 18:53:57  C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05 .exe
----a-w			49,152 2008-04-28 00:30:15  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w			36,975 2008-04-29 19:15:08  C:\Program Files\Java\jre1.5.0_03\bin\jusched .exe
----a-w		 1,694,208 2008-03-04 14:59:33  C:\Program Files\Messenger\msmsgs .exe
----a-w		 1,699,840 2008-05-24 12:53:50  C:\Program Files\Microsoft ActiveSync\wcescomm													.exe
----a-w		 1,699,840 2008-05-24 03:18:10  C:\Program Files\Microsoft ActiveSync\wcescomm												   .exe
----a-w		 1,699,840 2008-05-24 02:26:56  C:\Program Files\Microsoft ActiveSync\wcescomm												  .exe
----a-w		 1,699,840 2008-05-22 11:43:51  C:\Program Files\Microsoft ActiveSync\wcescomm												 .exe
----a-w		 1,699,840 2008-05-22 01:40:51  C:\Program Files\Microsoft ActiveSync\wcescomm												.exe
----a-w		 1,699,840 2008-05-20 09:35:52  C:\Program Files\Microsoft ActiveSync\wcescomm											   .exe
----a-w		 1,699,840 2008-05-20 02:15:16  C:\Program Files\Microsoft ActiveSync\wcescomm											  .exe
----a-w		 1,699,840 2008-05-19 23:59:03  C:\Program Files\Microsoft ActiveSync\wcescomm											 .exe
----a-w		 1,699,840 2008-05-19 04:49:21  C:\Program Files\Microsoft ActiveSync\wcescomm											.exe
----a-w		 1,699,840 2008-05-19 02:04:33  C:\Program Files\Microsoft ActiveSync\wcescomm										   .exe
----a-w		 1,699,840 2008-05-19 01:20:42  C:\Program Files\Microsoft ActiveSync\wcescomm										  .exe
----a-w		 1,699,840 2008-05-18 19:53:08  C:\Program Files\Microsoft ActiveSync\wcescomm										 .exe
----a-w		 1,699,840 2008-05-17 20:33:43  C:\Program Files\Microsoft ActiveSync\wcescomm										.exe
----a-w		 1,699,840 2008-05-17 13:04:37  C:\Program Files\Microsoft ActiveSync\wcescomm									   .exe
----a-w		 1,699,840 2008-05-16 04:27:06  C:\Program Files\Microsoft ActiveSync\wcescomm									  .exe
----a-w		 1,699,840 2008-05-16 00:39:22  C:\Program Files\Microsoft ActiveSync\wcescomm									 .exe
----a-w		 1,699,840 2008-05-15 12:38:59  C:\Program Files\Microsoft ActiveSync\wcescomm									.exe
----a-w		 1,699,840 2008-05-15 05:18:34  C:\Program Files\Microsoft ActiveSync\wcescomm								   .exe
----a-w		 1,699,840 2008-05-14 01:40:10  C:\Program Files\Microsoft ActiveSync\wcescomm								  .exe
----a-w		 1,699,840 2008-05-11 14:14:16  C:\Program Files\Microsoft ActiveSync\wcescomm								 .exe
----a-w		 1,699,840 2008-05-10 13:15:22  C:\Program Files\Microsoft ActiveSync\wcescomm								.exe
----a-w		 1,699,840 2008-05-10 03:50:52  C:\Program Files\Microsoft ActiveSync\wcescomm							   .exe
----a-w		 1,699,840 2008-05-01 12:49:55  C:\Program Files\Microsoft ActiveSync\wcescomm							  .exe
----a-w		 1,699,840 2008-05-01 02:07:30  C:\Program Files\Microsoft ActiveSync\wcescomm							 .exe
----a-w		 1,699,840 2008-04-30 16:21:11  C:\Program Files\Microsoft ActiveSync\wcescomm							.exe
----a-w		 1,699,840 2008-04-30 15:50:43  C:\Program Files\Microsoft ActiveSync\wcescomm						   .exe
----a-w		 1,699,840 2008-04-30 15:33:42  C:\Program Files\Microsoft ActiveSync\wcescomm						  .exe
----a-w		 1,699,840 2008-04-29 19:14:49  C:\Program Files\Microsoft ActiveSync\wcescomm						 .exe
----a-w		 1,699,840 2008-04-29 00:35:24  C:\Program Files\Microsoft ActiveSync\wcescomm						.exe
----a-w		 1,699,840 2008-04-28 16:27:20  C:\Program Files\Microsoft ActiveSync\wcescomm					   .exe
----a-w		 1,699,840 2008-04-28 00:47:45  C:\Program Files\Microsoft ActiveSync\wcescomm					  .exe
----a-w		 1,699,840 2008-04-28 00:30:06  C:\Program Files\Microsoft ActiveSync\wcescomm					 .exe
----a-w		 1,699,840 2008-04-25 02:06:56  C:\Program Files\Microsoft ActiveSync\wcescomm					.exe
----a-w		 1,699,840 2008-04-23 13:53:15  C:\Program Files\Microsoft ActiveSync\wcescomm				   .exe
----a-w		 1,699,840 2008-04-22 04:30:13  C:\Program Files\Microsoft ActiveSync\wcescomm				  .exe
----a-w		 1,699,840 2008-04-20 23:35:01  C:\Program Files\Microsoft ActiveSync\wcescomm				 .exe
----a-w		 1,699,840 2008-04-20 23:02:45  C:\Program Files\Microsoft ActiveSync\wcescomm				.exe
----a-w		 1,699,840 2008-04-20 12:55:46  C:\Program Files\Microsoft ActiveSync\wcescomm			   .exe
----a-w		 1,699,840 2008-04-19 18:10:08  C:\Program Files\Microsoft ActiveSync\wcescomm			  .exe
----a-w		 1,699,840 2008-04-18 00:39:58  C:\Program Files\Microsoft ActiveSync\wcescomm			 .exe
----a-w		 1,699,840 2008-04-16 13:55:03  C:\Program Files\Microsoft ActiveSync\wcescomm			.exe
----a-w		 1,699,840 2008-04-16 12:22:08  C:\Program Files\Microsoft ActiveSync\wcescomm		   .exe
----a-w		 1,699,840 2008-04-15 15:38:52  C:\Program Files\Microsoft ActiveSync\wcescomm		  .exe
----a-w		 1,699,840 2008-04-15 01:31:27  C:\Program Files\Microsoft ActiveSync\wcescomm		 .exe
----a-w		 1,699,840 2008-04-14 14:28:33  C:\Program Files\Microsoft ActiveSync\wcescomm		.exe
----a-w		 1,699,840 2008-04-13 01:15:15  C:\Program Files\Microsoft ActiveSync\wcescomm	   .exe
----a-w		 1,699,840 2008-04-09 23:52:34  C:\Program Files\Microsoft ActiveSync\wcescomm	  .exe
----a-w		 1,699,840 2008-04-09 23:38:19  C:\Program Files\Microsoft ActiveSync\wcescomm	 .exe
----a-w		 1,699,840 2008-04-06 19:08:09  C:\Program Files\Microsoft ActiveSync\wcescomm	.exe
----a-w		 1,699,840 2008-04-06 02:18:32  C:\Program Files\Microsoft ActiveSync\wcescomm   .exe
----a-w		 1,699,840 2008-04-05 12:43:12  C:\Program Files\Microsoft ActiveSync\wcescomm  .exe
----a-w		 1,699,840 2008-04-03 15:18:47  C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w		   139,264 2008-04-15 01:31:40  C:\Program Files\Multimedia Card Reader\shwicon2k .exe
----a-w			53,248 2008-04-14 14:28:53  C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
----a-w		   429,056 2008-03-30 15:46:53  C:\Program Files\QuickTime\qttask									.exe
----a-w		   429,056 2008-03-27 01:08:12  C:\Program Files\QuickTime\qttask								   .exe
----a-w		   429,056 2008-03-27 00:24:56  C:\Program Files\QuickTime\qttask								  .exe
----a-w		   429,056 2008-03-25 18:17:56  C:\Program Files\QuickTime\qttask								 .exe
----a-w		   429,056 2008-03-25 03:12:12  C:\Program Files\QuickTime\qttask								.exe
----a-w		   429,056 2008-03-25 00:45:39  C:\Program Files\QuickTime\qttask							   .exe
----a-w		   429,056 2008-03-22 20:51:26  C:\Program Files\QuickTime\qttask							  .exe
----a-w		   429,056 2008-03-20 12:47:15  C:\Program Files\QuickTime\qttask							 .exe
----a-w		   429,056 2008-03-18 19:04:23  C:\Program Files\QuickTime\qttask							.exe
----a-w		   429,056 2008-03-18 18:40:49  C:\Program Files\QuickTime\qttask						   .exe
----a-w		   429,056 2008-03-17 04:39:12  C:\Program Files\QuickTime\qttask						  .exe
----a-w		   429,056 2008-03-16 02:15:58  C:\Program Files\QuickTime\qttask						 .exe
----a-w		   429,056 2008-03-15 01:39:50  C:\Program Files\QuickTime\qttask						.exe
----a-w		   429,056 2008-03-14 01:21:12  C:\Program Files\QuickTime\qttask					   .exe
----a-w		   429,056 2008-03-08 15:04:51  C:\Program Files\QuickTime\qttask					  .exe
----a-w		   429,056 2008-03-07 13:20:10  C:\Program Files\QuickTime\qttask					 .exe
----a-w		   429,056 2008-05-29 06:55:33  C:\Program Files\QuickTime\qttask					.exe
----a-w		   429,056 2008-05-29 01:43:53  C:\Program Files\QuickTime\qttask				   .exe
----a-w		   429,056 2008-05-28 12:47:27  C:\Program Files\QuickTime\qttask				  .exe
----a-w		   429,056 2008-05-26 01:24:49  C:\Program Files\QuickTime\qttask				 .exe
----a-w		   429,056 2008-05-25 21:43:16  C:\Program Files\QuickTime\qttask				.exe
----a-w		   429,056 2008-05-25 16:26:56  C:\Program Files\QuickTime\qttask			   .exe
----a-w		   429,056 2008-05-25 16:11:46  C:\Program Files\QuickTime\qttask			  .exe
----a-w		   429,056 2008-05-25 09:48:38  C:\Program Files\QuickTime\qttask			 .exe
----a-w		   429,056 2008-05-25 04:07:14  C:\Program Files\QuickTime\qttask			.exe
----a-w		   429,056 2008-05-25 01:54:23  C:\Program Files\QuickTime\qttask		   .exe
----a-w		   429,056 2008-05-24 21:39:25  C:\Program Files\QuickTime\qttask		  .exe
----a-w		   429,056 2008-05-24 14:56:50  C:\Program Files\QuickTime\qttask		 .exe
----a-w		   429,056 2008-05-24 13:48:42  C:\Program Files\QuickTime\qttask		.exe
----a-w		   429,056 2008-05-24 12:06:28  C:\Program Files\QuickTime\qttask	   .exe
----a-w		   429,056 2008-05-24 11:52:05  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   429,056 2008-05-24 11:04:59  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   429,056 2008-05-24 04:44:30  C:\Program Files\QuickTime\qttask	.exe
----a-w		   429,056 2008-05-24 02:27:11  C:\Program Files\QuickTime\qttask   .exe
----a-w		   429,056 2008-05-22 11:44:03  C:\Program Files\QuickTime\qttask  .exe
----a-w		   429,056 2008-05-22 11:22:10  C:\Program Files\QuickTime\qttask .exe
----a-w		 1,003,520 2008-02-16 13:32:15  C:\Program Files\Real\RealOne Player\realplay .exe
----a-w		 5,361,464 2008-05-29 01:40:15  C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
----a-w		 5,038,080 2008-02-07 03:53:59  C:\Program Files\Yahoo!\Messenger\YAHOOM~1	 .EXE
----a-w		 5,038,080 2008-02-05 17:52:36  C:\Program Files\Yahoo!\Messenger\YAHOOM~1	.EXE
----a-w		 5,038,080 2008-02-05 16:07:01  C:\Program Files\Yahoo!\Messenger\YAHOOM~1   .EXE
----a-w		 5,038,080 2008-02-05 15:10:34  C:\Program Files\Yahoo!\Messenger\YAHOOM~1  .EXE
----a-w		 5,038,080 2008-02-05 14:41:45  C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
----a-w		   212,992 2008-03-25 00:45:48  C:\WINDOWS\SMINST\RECGUARD .EXE
----a-w			52,736 2008-03-22 00:58:31  C:\WINDOWS\system\hpsysdrv .exe
----a-w			15,360 2008-05-24 02:26:46  C:\WINDOWS\system32\ctfmon .exe
----a-w			96,256 2008-05-24 03:18:11  C:\WINDOWS\system32\ctfmona .exe
----a-w		   118,784 2008-04-15 15:39:08  C:\WINDOWS\system32\hkcmd .exe
----a-w		   483,328 2008-02-24 06:18:20  C:\WINDOWS\system32\hphmon05 .exe
----a-w		   155,648 2008-03-28 20:01:20  C:\WINDOWS\system32\igfxtray .exe
----a-w		   323,584 2008-05-29 06:55:21  C:\WINDOWS\system32\nwiz .exe
----a-w			81,920 2008-05-15 12:39:12  C:\WINDOWS\system32\ps2 .exe
----a-w			23,040 2008-05-25 02:02:38  C:\WINDOWS\system32\sysrest32 .exe
----a-w		   188,416 2008-03-20 03:17:08  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07 .exe
</pre>


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09AA6C75-179E-42E0-82F7-302603339A82}]
2007-12-23 00:18 798720 --a------ C:\Program Files\Blubster Toolbar\v3.2.0.0\Blubster_Toolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B521348-D508-4D15-A39C-CE7EF787C21D}]
2008-05-29 01:55 337408 --------- C:\WINDOWS\system32\ddcya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0fd4d212-1574-4b27-a0b1-2817660c83b9}]
C:\WINDOWS\system32\bobtauwn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7EFBC57C-CD57-481F-B794-648FCE9C9116}"= "C:\Program Files\Blubster Toolbar\v3.2.0.0\Blubster_Toolbar.dll" [2007-12-23 00:18 798720]

[HKEY_CLASSES_ROOT\clsid\{7efbc57c-cd57-481f-b794-648fce9c9116}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7EFBC57C-CD57-481F-B794-648FCE9C9116}"= C:\Program Files\Blubster Toolbar\v3.2.0.0\Blubster_Toolbar.dll [2007-12-23 00:18 798720]

[HKEY_CLASSES_ROOT\clsid\{7efbc57c-cd57-481f-b794-648fce9c9116}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [ ]
"NVIEW"="nview.dll" [2003-05-03 01:19 835654 C:\WINDOWS\system32\nview.dll]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"RecordNow!"="" []
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [ ]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [ ]
"QdrModule16"="C:\Program Files\QdrModule\QdrModule16.exe" [ ]
"QdrPack16"="C:\Program Files\QdrPack\QdrPack16.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [ ]
"HPHUPD05"="c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [ ]
"KBD"="C:\HP\KBD\KBD.EXE" [ ]
"AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [ ]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2008-05-24 23:07 691200 C:\WINDOWS\system32\nwiz.exe]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [ ]
"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe" [ ]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
"SSWPlauncher"="C:\PROGRA~1\COMETS~1\Platform\Bin\comet.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2008-05-29 01:55 429056]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [ ]
"APOLLO Printer Registration Reminder"="C:\Program Files\APOLLO\APOLLO P2X00 Series\Register\NAVBrowser.exe" [ ]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [ ]
"Blubster"="C:\Program Files\Blubster\Blubster.exe" [ ]
"sysrest32.exe"="C:\WINDOWS\system32\sysrest32.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoTBar.exe [2008-05-28 07:47:23 394240]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2006-09-07 12:53:02 1114217]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2003-06-13 06:08:16 233472]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 21:20:02 53248]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-08-23 22:34:35 16384]
Xpress Mail Personal Edition.lnk - C:\Program Files\Xpress Mail\Personal Edition\XpressMailDesktopClient.exe [2006-08-02 21:46:23 3076704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbxxv]
gebbxxv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 05:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\ddcya.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ddcya

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\GameHouse\\GemDrop\\GemDrop.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Xpress Mail\\Personal Edition\\XpressMailDesktopClient.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 $sys$cor;$sys$cor;C:\WINDOWS\system32\Drivers\$sys$cor.sys [2004-10-29 05:07]
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS [2007-07-19 22:42]
R1 $sys$crater;$sys$crater;C:\WINDOWS\system32\$sys$filesystem\crater.sys [2004-11-03 09:28]
R2 $sys$DRMServer;Plug and Play Device Manager;C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe [2004-12-14 04:49]
R2 CD_Proxy;XCP CD Proxy;C:\WINDOWS\CDProxyServ.exe [2004-10-07 09:42]
R2 PlugPlayRPC;Plug and Play (RPC);C:\WINDOWS\sysxwin.exe service []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2004-04-28 04:56:00 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 01:57:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\aycdd.ini 390 bytes
C:\WINDOWS\system32\aycdd.ini2 390 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\ddcya.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Softex\OmniPass\omniServ.exe
C:\WINDOWS\sysxwin.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\TMPA.tmp .exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\TMP7.tmp.DLL
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-05-29 2:11:23 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-05-29 07:11:02

Pre-Run: 7,095,418,880 bytes free
Post-Run: 9,914,015,744 bytes free

621 --- E O F --- 2007-12-12 08:06:34



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:12 AM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\sysxwin.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Xpress Mail\Personal Edition\XpressMailDesktopClient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddcya.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/index.html"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\lpxtga6f.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\lpxtga6f.slt\prefs.js)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Blubster Toolbar - {7EFBC57C-CD57-481F-B794-648FCE9C9116} - C:\Program Files\Blubster Toolbar\v3.2.0.0\Blubster_Toolbar.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SSWPlauncher] C:\PROGRA~1\COMETS~1\Platform\Bin\comet.exe /app:SSWPlauncher
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [APOLLO Printer Registration Reminder] "C:\Program Files\APOLLO\APOLLO P2X00 Series\Register\NAVBrowser.exe" /r /i "C:\Program Files\APOLLO\APOLLO P2X00 Series\Register\NavLoad.ini"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Xpress Mail Personal Edition.lnk = C:\Program Files\Xpress Mail\Personal Edition\XpressMailDesktopClient.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {2B4F4FA8-814A-11D7-B31B-0002A500B281} (FASetupStart Control) - http://a2.ff.fullaudio.com.edgesuite.net/f....0.40/setup.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97702B79-AB7B-4CDF-963D-F02289B02DBA}: NameServer = 85.255.113.106,85.255.112.111
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.106 85.255.112.111
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.106 85.255.112.111
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\sysxwin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11770 bytes


It seems to be OK, but I still get a couple of errors on startup:
1 says...runner error could not load target dll ("C:\Program files\backweb\backweb client\6.2.3.66\program\backweb.dll',error code 126

and
2 says error in executing callback at end of wizard 'C:\WINDOWS\system32\nwiz

Thanks,
AlleyGator

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:11:48 AM

Posted 29 May 2008 - 12:46 PM

Hallo AlleyGator,

That's quite a lot of garbage :thumbsup:

I'm wondering if you wouldn't have been better off to format and start a fresh install.

In case you do want to continue:

Let's clean up some more:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the text in the code box below into an empty Notepad window:
Collect::[9]
C:\WINDOWS\system32\ddcya.exe
C:\WINDOWS\system32\ddcya.dll
C:\WINDOWS\loader.exe
C:\WINDOWS\mssys.exe
C:\WINDOWS\x.exe
C:\WINDOWS\notepad32.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\y.exe
C:\WINDOWS\msieexten.exe
C:\WINDOWS\system32\winsconfz.dll
C:\WINDOWS\antisp32.exe
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\sysxwin.exe
C:\WINDOWS\Nfad.exe
C:\WINDOWS\mscon.vga
C:\WINDOWS\conlex.eom
C:\WINDOWS\winxd.xc
C:\WINDOWS\system32\kdmki.exe
C:\Program Files\Video.exe
File::
C:\WINDOWS\system32\aycdd.ini
C:\WINDOWS\system32\aycdd.ini2
C:\WINDOWS\system32\RCX15.tmp
C:\WINDOWS\system32\RCX14.tmp
C:\WINDOWS\system32\sysrest32 .exe
C:\WINDOWS\system32\ctfmona .exe
C:\WINDOWS\system32\jbvljida.tmp
C:\WINDOWS\system32\RCX13.tmp
C:\WINDOWS\system32\RCX12.tmp
C:\WINDOWS\system32\RCX11.tmp
C:\WINDOWS\system32\RCX10.tmp
C:\WINDOWS\system32\RCXF.tmp
C:\WINDOWS\system32\RCXE.tmp
C:\Program Files\RCX400.tmp
C:\Program Files\B.ico
C:\Program Files\A.ico
C:\Program Files\b.zip
C:\Program Files\a.zip
C:\Program Files\c.zip
C:\WINDOWS\system32\RCXA4E.tmp
C:\WINDOWS\system32\yadbnfje.tmp
C:\semp1.bat
C:\semp2.bat
C:\WINDOWS\system32\RCXAC1.tmp
C:\WINDOWS\system32\RCXAC0.tmp
C:\WINDOWS\system32\RCXAAE.tmp
C:\WINDOWS\system32\RCXA3E.tmp
C:\WINDOWS\system32\gpqnrcqh.tmp
C:\WINDOWS\system32\RCX8B2.tmp
C:\WINDOWS\system32\RCX8B9.tmp
C:\WINDOWS\system32\RCX8C2.tmp
C:\WINDOWS\system32\nggedkmy.tmp
Folder::
C:\WINDOWS\system32\6849
C:\Program Files\Blubster Toolbar
RenV::
C:\hp\bin\AUTOTKIT .EXE
C:\hp\KBD\KBD .EXE
C:\Program Files\Blubster\Blubster .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify .exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05 .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Microsoft ActiveSync\wcescomm													.exe
C:\Program Files\Multimedia Card Reader\shwicon2k .exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
C:\Program Files\QuickTime\qttask									.exe
C:\Program Files\Real\RealOne Player\realplay .exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
C:\Program Files\Yahoo!\Messenger\YAHOOM~1	 .EXE
C:\WINDOWS\SMINST\RECGUARD .EXE
C:\WINDOWS\system\hpsysdrv .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\hphmon05 .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\nwiz .exe
C:\WINDOWS\system32\ps2 .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07 .exe
Driver::
PlugPlayRPC
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09AA6C75-179E-42E0-82F7-302603339A82}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B521348-D508-4D15-A39C-CE7EF787C21D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0fd4d212-1574-4b27-a0b1-2817660c83b9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7EFBC57C-CD57-481F-B794-648FCE9C9116}"=-
[-HKEY_CLASSES_ROOT\clsid\{7efbc57c-cd57-481f-b794-648fce9c9116}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7EFBC57C-CD57-481F-B794-648FCE9C9116}"=-
[-HKEY_CLASSES_ROOT\clsid\{7efbc57c-cd57-481f-b794-648fce9c9116}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Blubster"=-
"sysrest32.exe"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbxxv]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file [9]-Submit_Date_Time.zip.

Are you still having problems?

Greetings,
Thunder

Edited by Thunder, 29 May 2008 - 12:50 PM.

Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference
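As an added example (not code from this thread, from ComboFix or from HijackThis), the following defender-side Python scan flags the file-name pattern the RenV:: section above renames, executables with whitespace wedged between the base name and the extension such as "qttask .exe", groups each spaced copy under the canonical name it resolves to, and decodes a REGEDIT4 hex(7) value like the one the script writes to "Authentication Packages" so the LSA value can be verified. The log lines it scans are constructed for the example.

```python
"""Flag whitespace-before-extension file names and verify an LSA value.

Added example, not part of the thread or of ComboFix/HijackThis. It scans
log lines for executables whose base name carries whitespace before the
extension (e.g. "qttask .exe" beside the real "qttask.exe"), lists the
rename that ComboFix's RenV:: section performs, and decodes a REG_MULTI_SZ
hex(7) value like the CFScript's "Authentication Packages" line.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the "Running processes" and file-listing
# lines in the thread (not copied from the logs verbatim).
SAMPLE_LOG = """\
C:\\WINDOWS\\system32\\ctfmon.exe
C:\\Program Files\\QuickTime\\qttask .exe
C:\\WINDOWS\\system32\\ctfmon .exe
C:\\WINDOWS\\system32\\ctfmona .exe
C:\\Program Files\\Microsoft ActiveSync\\wcescomm           .exe
C:\\Program Files\\Yahoo!\\Messenger\\YAHOOM~1     .EXE
C:\\WINDOWS\\system32\\hkcmd.exe
"""

# A Windows path ending in an executable extension, with one or more spaces
# or tabs wedged between the base name and the dot.
_PATH_RE = re.compile(
    r"([A-Za-z]:\\[^\r\n\"]*?)([ \t]+)(\.(?:exe|dll|sys|com|scr))\b",
    re.IGNORECASE,
)


def find_spaced_names(log_text: str) -> List[Tuple[str, str]]:
    """Return (suspicious_path, renamed_path) pairs for every path whose
    extension is preceded by whitespace; renamed_path is the form the
    RenV:: section of the CFScript restores."""
    pairs = []
    for line in log_text.splitlines():
        m = _PATH_RE.search(line)
        if m:
            suspicious = m.group(1) + m.group(2) + m.group(3)
            clean = m.group(1) + m.group(3)
            pairs.append((suspicious, clean))
    return pairs


def find_companions(log_text: str) -> Dict[str, List[str]]:
    """Group the spaced variants under the canonical (lower-cased) path they
    resolve to, so each spaced copy can be compared with the real binary."""
    groups: Dict[str, List[str]] = {}
    for suspicious, clean in find_spaced_names(log_text):
        groups.setdefault(clean.lower(), []).append(suspicious)
    return groups


def decode_reg_multi_sz(hex7: str) -> List[str]:
    """Decode a REGEDIT4 hex(7) value (comma-separated byte values) into the
    strings it holds; REG_MULTI_SZ is NUL-separated and ends in a double NUL."""
    data = bytes(int(b, 16) for b in hex7.split(",") if b.strip())
    text = data.decode("latin-1")  # REGEDIT4 exports use single-byte strings
    return [s for s in text.split("\x00") if s]


def authentication_packages_clean(hex7: str) -> bool:
    """True only if the LSA Authentication Packages value holds exactly the
    Windows default msv1_0 and nothing else (what the CFScript writes)."""
    return decode_reg_multi_sz(hex7) == ["msv1_0"]


if __name__ == "__main__":
    for bad, good in find_spaced_names(SAMPLE_LOG):
        print(f"rename {bad!r} -> {good!r}")
    for real, fakes in find_companions(SAMPLE_LOG).items():
        print(f"{real}: {len(fakes)} spaced copy/copies")
    print("LSA clean:", authentication_packages_clean("6d,73,76,31,5f,30,00,00"))
```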

#9 AlleyGator

AlleyGator
  • Topic Starter

  • Members
  • 26 posts
  • Local time:05:48 AM

Posted 29 May 2008 - 09:30 PM

Well yes, I imagine there is a lot of garbage on the PC, and if it were mine I probably would have already reformatted, but I am fixing it for a friend.
Now, as far as connecting to the internet, I can't get a connection through either my router or directly to my modem on his PC, so I don't know how important it is for the next step. Is there another way?

#10 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:11:48 AM

Posted 30 May 2008 - 04:26 AM

Hello AlleyGator,

If the CFScript is run properly, your connection probably will be repaired as well.
So please, continue with the actions described above. :thumbsup:

Greetings,
Thunder

#11 AlleyGator

AlleyGator
  • Topic Starter

  • Members
  • 26 posts
  • Local time:05:48 AM

Posted 30 May 2008 - 09:10 AM

I will tonight when I get home from work.

Thanks

#12 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:11:48 AM

Posted 30 May 2008 - 09:26 AM

Hello AlleyGator,

I'll be looking forward to your reply. :thumbsup:

Greetings,
Thunder

#13 AlleyGator

AlleyGator
  • Topic Starter

  • Members
  • 26 posts
  • Local time:05:48 AM

Posted 31 May 2008 - 09:27 PM

Sorry for the delay, still no internet connection. I did run the script; does the log have to be submitted from that PC, or can I copy it to my PC and send it to where it needs to go?

#14 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:11:48 AM

Posted 01 June 2008 - 12:59 PM

Hello AlleyGator,

You can copy the ComboFix log; it's the content that matters. :thumbsup:

Greetings,
Thunder

#15 AlleyGator

AlleyGator
  • Topic Starter

  • Members
  • 26 posts
  • Local time:05:48 AM

Posted 01 June 2008 - 06:35 PM

OK, here it is, along with another HijackThis log:

ComboFix 08-05-27.4 - Owner 2008-05-30 23:47:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.53 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\A.ico
C:\Program Files\a.zip
C:\Program Files\B.ico
C:\Program Files\b.zip
C:\Program Files\c.zip
C:\Program Files\RCX400.tmp
C:\semp1.bat
C:\semp2.bat
C:\WINDOWS\system32\aycdd.ini
C:\WINDOWS\system32\aycdd.ini2
C:\WINDOWS\system32\ctfmona .exe
C:\WINDOWS\system32\gpqnrcqh.tmp
C:\WINDOWS\system32\jbvljida.tmp
C:\WINDOWS\system32\nggedkmy.tmp
C:\WINDOWS\system32\RCX10.tmp
C:\WINDOWS\system32\RCX11.tmp
C:\WINDOWS\system32\RCX12.tmp
C:\WINDOWS\system32\RCX13.tmp
C:\WINDOWS\system32\RCX14.tmp
C:\WINDOWS\system32\RCX15.tmp
C:\WINDOWS\system32\RCX8B2.tmp
C:\WINDOWS\system32\RCX8B9.tmp
C:\WINDOWS\system32\RCX8C2.tmp
C:\WINDOWS\system32\RCXA3E.tmp
C:\WINDOWS\system32\RCXA4E.tmp
C:\WINDOWS\system32\RCXAAE.tmp
C:\WINDOWS\system32\RCXAC0.tmp
C:\WINDOWS\system32\RCXAC1.tmp
C:\WINDOWS\system32\RCXE.tmp
C:\WINDOWS\system32\RCXF.tmp
C:\WINDOWS\system32\sysrest32 .exe
C:\WINDOWS\system32\yadbnfje.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\A.ico
C:\Program Files\a.zip
C:\Program Files\B.ico
C:\Program Files\b.zip
C:\Program Files\Blubster Toolbar
C:\Program Files\Blubster Toolbar\settings.dat
C:\Program Files\Blubster Toolbar\uninstall.txt
C:\Program Files\Blubster Toolbar\v3.2.0.0\Blubster_Toolbar.dll
C:\Program Files\Blubster Toolbar\v3.2.0.0\installer.ico
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\checkmark.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\go1.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\go1_hot.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\go2.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\go2_hot.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\intro\intro_bg.png
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\intro\intro_feature_bracket.gif
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\intro\intro_logo.gif
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\intro\intro_search_bracket.gif
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\intro\intro_star_bullet.png
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\intro\intro_toolbar.png
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\intro\toolbar_intro.htm
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\popup_blocker_off.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\popup_blocker_on.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\radiodot.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\search\accuweather.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\search\amazon.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\search\dictionary.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\search\ebay.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\search\flickr.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\search\google_groups.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\search\google_images.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\search\google_maps.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\search\google_news.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\search\shopping.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\search\technorati.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\search\wikipedia.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\search\yahoo.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\search\yahoo_answers.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\search\youtube.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\searchbg.bmp
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\Thumbs.db
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\Toolbar.js
C:\Program Files\Blubster Toolbar\v3.2.0.0\resources\toolbar_logo.bmp
C:\Program Files\c.zip
C:\Program Files\RCX400.tmp
C:\Program Files\Video.exe
C:\semp1.bat
C:\semp2.bat
C:\WINDOWS\antisp32.exe
C:\WINDOWS\conlex.eom
C:\WINDOWS\iedll.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\mscon.vga
C:\WINDOWS\msieexten.exe
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\Nfad.exe
C:\WINDOWS\notepad32.exe
C:\WINDOWS\system32\6849
C:\WINDOWS\system32\6849\~!3205p.spt
C:\WINDOWS\system32\aycdd.ini
C:\WINDOWS\system32\aycdd.ini2
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ctfmona .exe
C:\WINDOWS\system32\ddcya.dll
C:\WINDOWS\system32\ddcya.exe
C:\WINDOWS\system32\gpqnrcqh.tmp
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\jbvljida.tmp
C:\WINDOWS\system32\kdmki.exe
C:\WINDOWS\system32\nggedkmy.tmp
C:\WINDOWS\system32\RCX10.tmp
C:\WINDOWS\system32\RCX11.tmp
C:\WINDOWS\system32\RCX12.tmp
C:\WINDOWS\system32\RCX13.tmp
C:\WINDOWS\system32\RCX14.tmp
C:\WINDOWS\system32\RCX15.tmp
C:\WINDOWS\system32\RCX16.tmp
C:\WINDOWS\system32\RCX8B2.tmp
C:\WINDOWS\system32\RCX8B9.tmp
C:\WINDOWS\system32\RCX8C2.tmp
C:\WINDOWS\system32\RCXA3E.tmp
C:\WINDOWS\system32\RCXA4E.tmp
C:\WINDOWS\system32\RCXAAE.tmp
C:\WINDOWS\system32\RCXAC0.tmp
C:\WINDOWS\system32\RCXAC1.tmp
C:\WINDOWS\system32\RCXE.tmp
C:\WINDOWS\system32\RCXF.tmp
C:\WINDOWS\system32\sysrest32 .exe
C:\WINDOWS\system32\winsconfz.dll
C:\WINDOWS\system32\yadbnfje.tmp
C:\WINDOWS\sysxwin.exe
C:\WINDOWS\winxd.xc
C:\WINDOWS\x.exe
C:\WINDOWS\y.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PLUGPLAYRPC
-------\Service_PlugPlayRPC


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-29 07:52 . 2008-05-29 07:53 <DIR> d-------- C:\WINDOWS\system32\1733
2008-05-29 01:54 . 2008-05-29 01:54 <DIR> d-------- C:\WINDOWS\system32\5075
2008-05-28 23:01 . 2008-05-28 23:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-28 22:59 . 2008-05-28 23:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-28 22:59 . 2008-05-28 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-28 22:59 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-28 22:59 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 10:35 . 2008-05-31 00:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-25 10:35 . 2008-05-30 23:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-25 04:13 . 2008-05-25 04:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\URSoft
2008-05-25 04:12 . 2008-05-26 04:45 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-05-24 23:01 . 2008-05-29 07:53 323,584 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-24 20:56 . 2008-05-24 20:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-05-24 20:56 . 2007-07-19 22:42 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-05-24 20:56 . 2007-07-19 22:42 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-05-24 20:56 . 2007-07-19 22:42 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-05-24 20:56 . 2007-07-19 22:42 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2008-05-24 20:54 . 2008-05-24 20:54 <DIR> d-------- C:\Program Files\Webroot
2008-05-24 20:54 . 2008-05-24 20:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-05-24 20:54 . 2008-05-24 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-05-24 20:54 . 2007-07-19 22:54 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2008-05-24 15:15 . 2008-05-24 15:15 <DIR> d-------- C:\!KillBox
2008-05-24 10:05 . 2008-05-24 10:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-05-24 05:27 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-05-24 04:46 . 2008-05-24 04:46 150 --a------ C:\WINDOWS\wininit.ini
2008-05-23 23:34 . 2008-05-24 04:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-23 23:32 . 2008-05-26 04:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-23 23:30 . 2003-08-23 09:34 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-23 23:30 . 2003-08-28 22:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-23 23:30 . 2003-08-23 09:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-05-23 23:30 . 2003-08-23 22:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-05-23 23:30 . 2003-08-28 22:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-05-23 23:30 . 2008-05-23 23:30 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-23 22:27 . 2008-05-24 17:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Thinstall
2008-05-23 21:37 . 2004-08-04 02:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-05-23 21:37 . 2004-08-04 02:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-05-23 21:34 . 2004-08-04 00:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-05-23 21:34 . 2004-08-04 00:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-05-22 20:49 . 2008-05-22 20:49 103,488 --------- C:\WINDOWS\system32\bobtauwn.dll_old
2008-04-24 21:07 . 2008-05-29 07:53 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-04-24 21:07 . 2008-05-29 07:53 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-31 04:47 --------- d-----w C:\Program Files\QuickTime
2008-05-31 04:47 --------- d-----w C:\Program Files\Multimedia Card Reader
2008-05-31 04:47 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-31 04:47 --------- d-----w C:\Program Files\Blubster
2008-05-24 20:24 --------- d-----w C:\Documents and Settings\Owner\Application Data\Motive
.
<pre>
----a-w		 1,699,840 2008-05-24 03:18:10  C:\Program Files\Microsoft ActiveSync\wcescomm												   .exe
----a-w		 1,699,840 2008-05-24 02:26:56  C:\Program Files\Microsoft ActiveSync\wcescomm												  .exe
----a-w		 1,699,840 2008-05-22 11:43:51  C:\Program Files\Microsoft ActiveSync\wcescomm												 .exe
----a-w		 1,699,840 2008-05-22 01:40:51  C:\Program Files\Microsoft ActiveSync\wcescomm												.exe
----a-w		 1,699,840 2008-05-20 09:35:52  C:\Program Files\Microsoft ActiveSync\wcescomm											   .exe
----a-w		 1,699,840 2008-05-20 02:15:16  C:\Program Files\Microsoft ActiveSync\wcescomm											  .exe
----a-w		 1,699,840 2008-05-19 23:59:03  C:\Program Files\Microsoft ActiveSync\wcescomm											 .exe
----a-w		 1,699,840 2008-05-19 04:49:21  C:\Program Files\Microsoft ActiveSync\wcescomm											.exe
----a-w		 1,699,840 2008-05-19 02:04:33  C:\Program Files\Microsoft ActiveSync\wcescomm										   .exe
----a-w		 1,699,840 2008-05-19 01:20:42  C:\Program Files\Microsoft ActiveSync\wcescomm										  .exe
----a-w		 1,699,840 2008-05-18 19:53:08  C:\Program Files\Microsoft ActiveSync\wcescomm										 .exe
----a-w		 1,699,840 2008-05-17 20:33:43  C:\Program Files\Microsoft ActiveSync\wcescomm										.exe
----a-w		 1,699,840 2008-05-17 13:04:37  C:\Program Files\Microsoft ActiveSync\wcescomm									   .exe
----a-w		 1,699,840 2008-05-16 04:27:06  C:\Program Files\Microsoft ActiveSync\wcescomm									  .exe
----a-w		 1,699,840 2008-05-16 00:39:22  C:\Program Files\Microsoft ActiveSync\wcescomm									 .exe
----a-w		 1,699,840 2008-05-15 12:38:59  C:\Program Files\Microsoft ActiveSync\wcescomm									.exe
----a-w		 1,699,840 2008-05-15 05:18:34  C:\Program Files\Microsoft ActiveSync\wcescomm								   .exe
----a-w		 1,699,840 2008-05-14 01:40:10  C:\Program Files\Microsoft ActiveSync\wcescomm								  .exe
----a-w		 1,699,840 2008-05-11 14:14:16  C:\Program Files\Microsoft ActiveSync\wcescomm								 .exe
----a-w		 1,699,840 2008-05-10 13:15:22  C:\Program Files\Microsoft ActiveSync\wcescomm								.exe
----a-w		 1,699,840 2008-05-10 03:50:52  C:\Program Files\Microsoft ActiveSync\wcescomm							   .exe
----a-w		 1,699,840 2008-05-01 12:49:55  C:\Program Files\Microsoft ActiveSync\wcescomm							  .exe
----a-w		 1,699,840 2008-05-01 02:07:30  C:\Program Files\Microsoft ActiveSync\wcescomm							 .exe
----a-w		 1,699,840 2008-04-30 16:21:11  C:\Program Files\Microsoft ActiveSync\wcescomm							.exe
----a-w		 1,699,840 2008-04-30 15:50:43  C:\Program Files\Microsoft ActiveSync\wcescomm						   .exe
----a-w		 1,699,840 2008-04-30 15:33:42  C:\Program Files\Microsoft ActiveSync\wcescomm						  .exe
----a-w		 1,699,840 2008-04-29 19:14:49  C:\Program Files\Microsoft ActiveSync\wcescomm						 .exe
----a-w		 1,699,840 2008-04-29 00:35:24  C:\Program Files\Microsoft ActiveSync\wcescomm						.exe
----a-w		 1,699,840 2008-04-28 16:27:20  C:\Program Files\Microsoft ActiveSync\wcescomm					   .exe
----a-w		 1,699,840 2008-04-28 00:47:45  C:\Program Files\Microsoft ActiveSync\wcescomm					  .exe
----a-w		 1,699,840 2008-04-28 00:30:06  C:\Program Files\Microsoft ActiveSync\wcescomm					 .exe
----a-w		 1,699,840 2008-04-25 02:06:56  C:\Program Files\Microsoft ActiveSync\wcescomm					.exe
----a-w		 1,699,840 2008-04-23 13:53:15  C:\Program Files\Microsoft ActiveSync\wcescomm				   .exe
----a-w		 1,699,840 2008-04-22 04:30:13  C:\Program Files\Microsoft ActiveSync\wcescomm				  .exe
----a-w		 1,699,840 2008-04-20 23:35:01  C:\Program Files\Microsoft ActiveSync\wcescomm				 .exe
----a-w		 1,699,840 2008-04-20 23:02:45  C:\Program Files\Microsoft ActiveSync\wcescomm				.exe
----a-w		 1,699,840 2008-04-20 12:55:46  C:\Program Files\Microsoft ActiveSync\wcescomm			   .exe
----a-w		 1,699,840 2008-04-19 18:10:08  C:\Program Files\Microsoft ActiveSync\wcescomm			  .exe
----a-w		 1,699,840 2008-04-18 00:39:58  C:\Program Files\Microsoft ActiveSync\wcescomm			 .exe
----a-w		 1,699,840 2008-04-16 13:55:03  C:\Program Files\Microsoft ActiveSync\wcescomm			.exe
----a-w		 1,699,840 2008-04-16 12:22:08  C:\Program Files\Microsoft ActiveSync\wcescomm		   .exe
----a-w		 1,699,840 2008-04-15 15:38:52  C:\Program Files\Microsoft ActiveSync\wcescomm		  .exe
----a-w		 1,699,840 2008-04-15 01:31:27  C:\Program Files\Microsoft ActiveSync\wcescomm		 .exe
----a-w		 1,699,840 2008-04-14 14:28:33  C:\Program Files\Microsoft ActiveSync\wcescomm		.exe
----a-w		 1,699,840 2008-04-13 01:15:15  C:\Program Files\Microsoft ActiveSync\wcescomm	   .exe
----a-w		 1,699,840 2008-04-09 23:52:34  C:\Program Files\Microsoft ActiveSync\wcescomm	  .exe
----a-w		 1,699,840 2008-04-09 23:38:19  C:\Program Files\Microsoft ActiveSync\wcescomm	 .exe
----a-w		 1,699,840 2008-04-06 19:08:09  C:\Program Files\Microsoft ActiveSync\wcescomm	.exe
----a-w		 1,699,840 2008-04-06 02:18:32  C:\Program Files\Microsoft ActiveSync\wcescomm   .exe
----a-w		 1,699,840 2008-04-05 12:43:12  C:\Program Files\Microsoft ActiveSync\wcescomm  .exe
----a-w		 1,699,840 2008-04-03 15:18:47  C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w		   429,056 2008-03-27 01:08:12  C:\Program Files\QuickTime\qttask								   .exe
----a-w		   429,056 2008-03-27 00:24:56  C:\Program Files\QuickTime\qttask								  .exe
----a-w		   429,056 2008-03-25 18:17:56  C:\Program Files\QuickTime\qttask								 .exe
----a-w		   429,056 2008-03-25 03:12:12  C:\Program Files\QuickTime\qttask								.exe
----a-w		   429,056 2008-03-25 00:45:39  C:\Program Files\QuickTime\qttask							   .exe
----a-w		   429,056 2008-03-22 20:51:26  C:\Program Files\QuickTime\qttask							  .exe
----a-w		   429,056 2008-03-20 12:47:15  C:\Program Files\QuickTime\qttask							 .exe
----a-w		   429,056 2008-03-18 19:04:23  C:\Program Files\QuickTime\qttask							.exe
----a-w		   429,056 2008-03-18 18:40:49  C:\Program Files\QuickTime\qttask						   .exe
----a-w		   429,056 2008-03-17 04:39:12  C:\Program Files\QuickTime\qttask						  .exe
----a-w		   429,056 2008-03-16 02:15:58  C:\Program Files\QuickTime\qttask						 .exe
----a-w		   429,056 2008-03-15 01:39:50  C:\Program Files\QuickTime\qttask						.exe
----a-w		   429,056 2008-03-14 01:21:12  C:\Program Files\QuickTime\qttask					   .exe
----a-w		   429,056 2008-03-08 15:04:51  C:\Program Files\QuickTime\qttask					  .exe
----a-w			77,824 2008-05-29 12:53:33  C:\Program Files\QuickTime\qttask					 .exe
----a-w		   429,056 2008-05-29 12:53:25  C:\Program Files\QuickTime\qttask					.exe
----a-w		   429,056 2008-05-29 01:43:53  C:\Program Files\QuickTime\qttask				   .exe
----a-w		   429,056 2008-05-28 12:47:27  C:\Program Files\QuickTime\qttask				  .exe
----a-w		   429,056 2008-05-26 01:24:49  C:\Program Files\QuickTime\qttask				 .exe
----a-w		   429,056 2008-05-25 21:43:16  C:\Program Files\QuickTime\qttask				.exe
----a-w		   429,056 2008-05-25 16:26:56  C:\Program Files\QuickTime\qttask			   .exe
----a-w		   429,056 2008-05-25 16:11:46  C:\Program Files\QuickTime\qttask			  .exe
----a-w		   429,056 2008-05-25 09:48:38  C:\Program Files\QuickTime\qttask			 .exe
----a-w		   429,056 2008-05-25 04:07:14  C:\Program Files\QuickTime\qttask			.exe
----a-w		   429,056 2008-05-25 01:54:23  C:\Program Files\QuickTime\qttask		   .exe
----a-w		   429,056 2008-05-24 21:39:25  C:\Program Files\QuickTime\qttask		  .exe
----a-w		   429,056 2008-05-24 14:56:50  C:\Program Files\QuickTime\qttask		 .exe
----a-w		   429,056 2008-05-24 13:48:42  C:\Program Files\QuickTime\qttask		.exe
----a-w		   429,056 2008-05-24 12:06:28  C:\Program Files\QuickTime\qttask	   .exe
----a-w		   429,056 2008-05-24 11:52:05  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   429,056 2008-05-24 11:04:59  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   429,056 2008-05-24 04:44:30  C:\Program Files\QuickTime\qttask	.exe
----a-w		   429,056 2008-05-24 02:27:11  C:\Program Files\QuickTime\qttask   .exe
----a-w		   429,056 2008-05-22 11:44:03  C:\Program Files\QuickTime\qttask  .exe
----a-w		   429,056 2008-05-22 11:22:10  C:\Program Files\QuickTime\qttask .exe
----a-w		 5,361,464 2008-05-29 01:40:15  C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI .exe
----a-w		 5,038,080 2008-02-05 17:52:36  C:\Program Files\Yahoo!\Messenger\YAHOOM~1	.EXE
----a-w		 5,038,080 2008-02-05 16:07:01  C:\Program Files\Yahoo!\Messenger\YAHOOM~1   .EXE
----a-w		 5,038,080 2008-02-05 15:10:34  C:\Program Files\Yahoo!\Messenger\YAHOOM~1  .EXE
----a-w		 5,038,080 2008-02-05 14:41:45  C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
</pre>


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [2008-02-24 17:26 24576]
"NVIEW"="nview.dll" [2003-05-03 01:19 835654 C:\WINDOWS\system32\nview.dll]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-03-04 09:59 1694208]
"RecordNow!"="" []
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2008-02-16 08:32 1003520]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [ ]
"QdrModule16"="C:\Program Files\QdrModule\QdrModule16.exe" [ ]
"QdrPack16"="C:\Program Files\QdrPack\QdrPack16.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-05-29 07:53 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2008-03-21 19:58 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-04-15 10:39 118784]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2008-03-25 13:18 90112]
"HPHUPD05"="c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2008-03-18 13:53 49152]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2008-02-24 01:18 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2008-03-07 08:20 61440]
"AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [2008-03-14 09:39 53248]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-03-24 19:45 212992]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2008-05-29 07:53 323584 C:\WINDOWS\system32\nwiz.exe]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2008-04-14 20:31 139264]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2008-05-15 07:39 81920]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2008-03-19 22:17 188416]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-03-28 15:01 110592]
"SSWPlauncher"="C:\PROGRA~1\COMETS~1\Platform\Bin\comet.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-22 15:51 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2008-05-29 07:53 77824]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2008-04-14 09:28 53248]
"APOLLO Printer Registration Reminder"="C:\Program Files\APOLLO\APOLLO P2X00 Series\Register\NAVBrowser.exe" [ ]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-03-28 15:01 155648]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2008-04-27 19:30 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2008-04-29 14:15 36975]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoTBar.exe [2008-05-28 07:47:23 394240]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 09:11:14 27136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2006-09-07 12:53:02 1114217]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2003-06-13 06:08:16 233472]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 21:20:02 53248]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-08-23 22:34:35 16384]
Xpress Mail Personal Edition.lnk - C:\Program Files\Xpress Mail\Personal Edition\XpressMailDesktopClient.exe [2006-08-02 21:46:23 3076704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 05:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\GameHouse\\GemDrop\\GemDrop.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Xpress Mail\\Personal Edition\\XpressMailDesktopClient.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 $sys$cor;$sys$cor;C:\WINDOWS\system32\Drivers\$sys$cor.sys [2004-10-29 05:07]
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS [2007-07-19 22:42]
R1 $sys$crater;$sys$crater;C:\WINDOWS\system32\$sys$filesystem\crater.sys [2004-11-03 09:28]
R2 $sys$DRMServer;Plug and Play Device Manager;C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe [2004-12-14 04:49]
R2 CD_Proxy;XCP CD Proxy;C:\WINDOWS\CDProxyServ.exe [2004-10-07 09:42]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2004-04-28 04:56:00 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 00:01:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Softex\OmniPass\omniServ.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\HP\HP Software Update\HPWUCli.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\BalloonMsg.exe
.
**************************************************************************
.
Completion time: 2008-05-31 0:16:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-31 05:16:29
ComboFix2.txt 2008-05-29 07:11:28

Pre-Run: 9,956,962,304 bytes free
Post-Run: 9,943,805,952 bytes free

409 --- E O F --- 2007-12-12 08:06:34



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:58 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Xpress Mail\Personal Edition\XpressMailDesktopClient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/index.html"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\lpxtga6f.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\lpxtga6f.slt\prefs.js)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SSWPlauncher] C:\PROGRA~1\COMETS~1\Platform\Bin\comet.exe /app:SSWPlauncher
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [APOLLO Printer Registration Reminder] "C:\Program Files\APOLLO\APOLLO P2X00 Series\Register\NAVBrowser.exe" /r /i "C:\Program Files\APOLLO\APOLLO P2X00 Series\Register\NavLoad.ini"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Xpress Mail Personal Edition.lnk = C:\Program Files\Xpress Mail\Personal Edition\XpressMailDesktopClient.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B4F4FA8-814A-11D7-B31B-0002A500B281} (FASetupStart Control) - http://a2.ff.fullaudio.com.edgesuite.net/f....0.40/setup.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97702B79-AB7B-4CDF-963D-F02289B02DBA}: NameServer = 85.255.113.106,85.255.112.111
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.106 85.255.112.111
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.106 85.255.112.111
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 12328 bytes