Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Nephew Infected My Computer! Highjack This Log


  • This topic is locked This topic is locked
16 replies to this topic

#1 Jaboomba

Jaboomba

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:59 AM

Posted 30 May 2008 - 11:30 PM

Hello Everyone,

First off I wanted to thank EVERYONE who contributes to this site!!! My nephew stayed with us for over a month and all though he is gone he left us with a major computer issue on our desktop. I have been dealing with the with the blue desktop saying... "Warning Spyware threat has been detected on your PC..." for over a week & a co worker told me about bleepingcomputer.com and suggested I search & read the forums. I spent hours reading the forums and decided to tackle this with the help of many of the experts on this site... Luckily for me there were lots of posts concerning the same thing so I just followed all of the directions step by step and everything appears to be cleared up. (This site helped me feel comfortable working with SDfix & Combofix!!! Or at least I just followed every instruction without deviation!! LOL)

I see that people have posted there highjack this log for follow up... I am including it here and hope that someone can take a look at it for me... (It all looks like jibberish to me!!!)

I really do appreciate anyones help & time!!!


Warmest Regards,


Jim


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:18, on 2008-05-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Lexmark 7100 Series\lxbxmon.exe
C:\Program Files\Lexmark 7100 Series\ezprint.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe,
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://primerica.gosolo.com/"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\xnet6ufj.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\xnet6ufj.slt\prefs.js)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "c:\Program Files\Lexmark 7100 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Vtf3] c:\documents and settings\owner\local settings\temp\Vtf3.exe
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RA] c:\documents and settings\owner\local settings\temp\RA.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [2u7] C:\documents and settings\owner\local settings\temp\2u7.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Firstmeow] C:\DOCUME~1\Owner\APPLIC~1\ONLINE~1\bolt idol.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\PPATCH~1\cmd.exe" -vt yazb
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\Owner\LOCALS~1\Temp\ie.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9835 bytes

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:59 AM

Posted 31 May 2008 - 01:12 AM

Hello Jim,

Welcome to Bleeping Computer :thumbsup:

Could you please post the last ComboFix log you got? I need to see what was removed and what remains. Some of those entries in your HijackThis logs may be orphans, and I don't want to have you go through anything more unnecessarily. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 Jaboomba

Jaboomba
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:59 AM

Posted 31 May 2008 - 02:04 AM

Hi Tea,

Thank you so much for your quick reply!!! I have noticed my nephew has download limewire, utorrent, & some other stuff on our desktop so I am eager to get rid of everything that looks like it led to this infestation!!! Hahaha

For whatever reason I went to c:\combofix.txt and it was pretty much blank. I will include what it has below, but I decided to include the results from the SDfix. I apologize for the combofix log.... I assume it must not have been saved.. (Sorry)

This is all from the Combofix.txt

ComboFix 08-05-29.1 - Owner 2008-05-30 0:40:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.275 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.


Here is the SDfix log


SDFix: Version 1.186
Run by Owner on Fri 05/30/2008 at 12:21 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Owner\Desktop\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\OWNER\YTGUPPQF.EXE - Deleted
C:\DOCUME~1\OWNER\YTGUPPQF.EXE - Deleted
C:\WINDOWS\system32\System.exe.exe - Deleted
C:\Program Files\ISM\Uninstall.exe - Deleted
C:\Program Files\QdrDrive\qdrloader.exe - Deleted
C:\Program Files\QdrPack\dicts.gz - Deleted
C:\Program Files\QdrPack\trgts.gz - Deleted
C:\Program Files\QdrModule\dic.gz - Deleted
C:\Program Files\QdrModule\dicy.gz - Deleted
C:\Program Files\QdrModule\kwd.gz - Deleted
C:\Program Files\QdrModule\QdrModule15.exe - Deleted
C:\WINDOWS\system32\000070.exe - Deleted
C:\WINDOWS\123messenger.per - Deleted
C:\WINDOWS\2020search.dll - Deleted
C:\WINDOWS\2020search2.dll - Deleted
C:\WINDOWS\apphelp32.dll - Deleted
C:\WINDOWS\asferror32.dll - Deleted
C:\WINDOWS\asycfilt32.dll - Deleted
C:\WINDOWS\athprxy32.dll - Deleted
C:\WINDOWS\ati2dvaa32.dll - Deleted
C:\WINDOWS\ati2dvag32.dll - Deleted
C:\WINDOWS\audiosrv32.dll - Deleted
C:\WINDOWS\autodisc32.dll - Deleted
C:\WINDOWS\avifile32.dll - Deleted
C:\WINDOWS\avisynthex32.dll - Deleted
C:\WINDOWS\aviwrap32.dll - Deleted
C:\WINDOWS\bjam.dll - Deleted
C:\WINDOWS\bokja.exe - Deleted
C:\WINDOWS\browserad.dll - Deleted
C:\WINDOWS\cdsm32.dll - Deleted
C:\WINDOWS\changeurl_30.dll - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\didduid.ini - Deleted
C:\WINDOWS\licencia.txt - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\msa64chk.dll - Deleted
C:\WINDOWS\msapasrc.dll - Deleted
C:\WINDOWS\mspphe.dll - Deleted
C:\WINDOWS\mssvr.exe - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\ntnut.exe - Deleted
C:\WINDOWS\saiemod.dll - Deleted
C:\WINDOWS\shdocpe.dll - Deleted
C:\WINDOWS\shdocpl.dll - Deleted
C:\WINDOWS\stcloader.exe - Deleted
C:\WINDOWS\system32\msupdate.exe - Deleted
C:\WINDOWS\telefonos.txt - Deleted
C:\WINDOWS\textos.txt - Deleted
C:\WINDOWS\voiceip.dll - Deleted
C:\WINDOWS\winsb.dll - Deleted



Folder C:\Program Files\ISM - Removed
Folder C:\Program Files\QdrDrive - Removed
Folder C:\Program Files\QdrPack - Removed
Folder C:\Program Files\QdrModule - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 00:33:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:fe,74,76,80,1d,dc,cb,17,56,b3,08,a2,af,0e,9f,7c,31,6e,cc,fe,03,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e6,2b,b8,cc,6f,26,62,82,52,2e,d3,43,76,31,ff,db,88,..
"khjeh"=hex:61,d1,1c,f8,35,54,62,45,57,ac,9b,bf,29,32,f6,3d,0e,a2,a6,0d,68,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:18,e0,85,12,e9,61,08,84,63,9d,75,10,1d,b4,9e,44,71,41,ac,5c,11,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:fe,74,76,80,1d,dc,cb,17,56,b3,08,a2,af,0e,9f,7c,31,6e,cc,fe,03,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e6,2b,b8,cc,6f,26,62,82,52,2e,d3,43,76,31,ff,db,88,..
"khjeh"=hex:61,d1,1c,f8,35,54,62,45,57,ac,9b,bf,29,32,f6,3d,0e,a2,a6,0d,68,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:18,e0,85,12,e9,61,08,84,63,9d,75,10,1d,b4,9e,44,71,41,ac,5c,11,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\PFS\\callatl\\rteng8.exe"="C:\\PFS\\callatl\\rteng8.exe:*:Enabled:Adaptive Server Anywhere Network Server"
"C:\\Program Files\\Call of Duty\\CoDMP.exe"="C:\\Program Files\\Call of Duty\\CoDMP.exe:*:Enabled:CoDMP"
"C:\\Program Files\\StreamRipper32\\StreamRipper32.exe"="C:\\Program Files\\StreamRipper32\\StreamRipper32.exe:*:Enabled:SRipper"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\Kazaa Gold\\Kazaa Gold\\KazaaLite.kpp"="C:\\Program Files\\Kazaa Gold\\Kazaa Gold\\KazaaLite.kpp:*:Enabled:Kazaa Gold"
"C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe"="C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe:*:Enabled:P2P Networking"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Disabled:TrueVector Service"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault™\\mohpa.exe"="C:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault™\\mohpa.exe:*:Disabled:Medal of Honor Pacific Assault™"
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Enabled:RealOne Player"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\utorrent\\utorrent.exe"="C:\\Program Files\\utorrent\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager"
"C:\\WINDOWS\\system32\\lxbxcoms.exe"="C:\\WINDOWS\\system32\\lxbxcoms.exe:*:Enabled:7100 Series Server"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxbxPSWX.EXE"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxbxPSWX.EXE:*:Enabled:7100 Series Printer Status"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\WINDOWS\\system32\\msupdate.exe"="C:\\WINDOWS\\system32\\msupdate.exe:*:Disabled:msupdate"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\DOCUME~1\Owner\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 25 May 2004 196 A.SHR --- "C:\BOOT.BAK"
Mon 22 Oct 2007 24 ..SH. --- "C:\WINDOWS\S1E893560.tmp"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 15 Sep 2004 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Tue 24 Aug 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 24 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Mon 4 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\523d056929e13eacf8392044f602e53e\BIT3.tmp"
Fri 20 Jan 2006 44,032 A..H. --- "C:\Documents and Settings\All Users\Documents\Business\Business Documents\~WRL0001.tmp"
Fri 29 Sep 2006 38,400 A..H. --- "C:\Documents and Settings\All Users\Documents\Business\Business Documents\~WRL1947.tmp"
Fri 2 Jun 2006 37,376 A..H. --- "C:\Documents and Settings\All Users\Documents\Business\Business Documents\~WRL2749.tmp"
Fri 21 Jul 2006 36,864 A..H. --- "C:\Documents and Settings\All Users\Documents\Business\Business Documents\~WRL3566.tmp"
Sun 23 Jul 2006 35,328 A..H. --- "C:\Documents and Settings\All Users\Documents\Business\Business Documents\~WRL3734.tmp"
Tue 15 Apr 2008 958,464 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0495.tmp"
Thu 2 Mar 2006 20,992 A..H. --- "C:\Documents and Settings\All Users\Documents\Business\Business Documents\Securities\~WRL0003.tmp"

Finished!



Thanks again for any advice... Everything seem to be running fine, but I wanted to have that nice warmy & fuzzy feeling!!


Reagrds,


Jim


PS -- My nephews told me tonight that it wasn't him he only want to download some stuff for a friend at school!!!! No more kids on the computer!!! Haha

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:59 AM

Posted 31 May 2008 - 02:17 AM

Hi Jim,

Thanks for looking, and for posting the SDFix log. :thumbsup:

How about another run with ComboFix then please? :) It will still tell me what I need to know. I can't let you get the warm fuzzies quite yet.

A suggestion for the future : Set up a limited account for the next time nephew, or anyone else comes to visit. That way if this happens again it will be contained in that account and won't (normally) infect the entire computer.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 Jaboomba

Jaboomba
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:59 AM

Posted 31 May 2008 - 11:29 AM

Thanks Tea!!!

I also appreciate the advice on setting up another account for my nephew & I will definitely follow through with that.


Here is my combofix log: (How you can make sense of this amazes me!!! Haha)


ComboFix 08-05-29.1 - Owner 2008-05-31 12:12:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.329 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\g2mdlhlpx.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\system32\FiikQqru.ini
C:\WINDOWS\system32\FiikQqru.ini2
D:\Autorun.inf
.
---- Previous Run -------
.
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\RcvSystem
C:\Program Files\ymbols~1
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\lfn.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\ppatch~1
C:\WINDOWS\ppatch~1\??pPatch\
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\wnsapicc.exe
C:\WINDOWS\wintst32.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-30 19:34 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-30 18:29 . 2008-05-30 19:42 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-05-30 00:53 . 2008-05-30 00:53 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-30 00:15 . 2008-05-30 00:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-30 00:13 . 2008-05-27 03:12 <DIR> d-------- C:\SDFix
2008-05-17 03:02 . 2008-05-17 03:02 285 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-28 02:31 . 2008-04-28 02:35 6,664 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-27 16:23 . 2002-08-29 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-27 16:22 . 2008-04-27 16:22 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-04-06 12:50 . 2008-04-06 12:50 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\7100Series
2008-04-05 18:39 . 2008-05-29 22:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-05 18:39 . 2008-04-05 18:39 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 05:37 --------- d-----w C:\Program Files\QuickTime
2008-05-30 05:37 --------- d-----w C:\Program Files\Common Files\Real
2008-05-30 05:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-30 05:31 --------- d-----w C:\Program Files\Java
2008-05-30 05:29 --------- d-----w C:\Program Files\Viewpoint
2008-05-30 05:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-30 04:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-30 03:52 --------- d-----w C:\Program Files\RogueRemover FREE
2008-04-28 06:29 --------- d-----w C:\Program Files\IE PassView
2008-04-23 15:51 --------- d-----w C:\Program Files\Lx_cats
2008-04-22 04:11 106,496 ----a-w C:\WINDOWS\DUMP606f.tmp
2008-04-15 21:45 --------- d-----w C:\Program Files\Yahoo!
2008-04-15 21:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-04-15 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-04-05 22:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-03-31 02:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\Viewpoint
2005-07-08 22:07 45,448 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2002-07-26 21:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2001-07-26 21:58 47 ----a-w C:\Program Files\ACMonitor_X73.ini
2001-07-05 17:46 8,116 ----a-w C:\Program Files\OSLO3071b2.USB
2001-05-11 16:39 53,248 ----a-w C:\Program Files\ACMonitor_X73.exe
2001-05-08 21:36 114,688 ----a-w C:\Program Files\lxarscan.dll
2001-04-23 19:22 1,437 ----a-w C:\Program Files\gtx73.ini
2001-02-22 14:54 768 ----a-w C:\Program Files\x73_lut.dat
2004-09-15 15:58 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [ ]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 22:49 4662776]
"updateMgr"="C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\AdobeUpdateManager.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 15:44 196608]
"Firstmeow"="C:\DOCUME~1\Owner\APPLIC~1\ONLINE~1\bolt idol.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 12:41 223984]
"Notn"="C:\WINDOWS\PPATCH~1\cmd.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"lxbxmon.exe"="C:\Program Files\Lexmark 7100 Series\lxbxmon.exe" [2005-01-18 10:43 196608]
"FaxCenterServer4_in_1"="c:\Program Files\Lexmark 7100 Series\fm3032.exe" [2004-12-06 11:53 286720]
"EzPrint"="C:\Program Files\Lexmark 7100 Series\ezprint.exe" [2004-09-17 13:24 61440]
"AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [ ]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33 892928]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-09-26 10:49 35328]
"VTTimer"="VTTimer.exe" []
"Vtf3"="c:\documents and settings\owner\local settings\temp\Vtf3.exe" [ ]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2004-04-23 11:00 192512]
"USB2Check"="C:\WINDOWS\system32\PCLECoInst.dll" [2004-04-06 19:05 61440]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 21:11 139264]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"RA"="c:\documents and settings\owner\local settings\temp\RA.exe" [ ]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 19:57 81920]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [ ]
"PPMemCheck"="c:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [ ]
"PestPatrol Control Center"="c:\PROGRA~1\PESTPA~1\PPControl.exe" [ ]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-22 12:22 86016]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32 221184]
"LTMSG"="LTMSG.exe" [2003-07-14 20:52 40960 C:\WINDOWS\ltmsg.exe]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 16:14 217088]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 16:24 458752]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 05:55 483328]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [ ]
"eFax 4.1"="C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" [ ]
"CookiePatrol"="c:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [ ]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"2u7"="C:\documents and settings\owner\local settings\temp\2u7.exe" [ ]
"LXBXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll" [2004-11-02 16:08 69632]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 12:41 223984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 17:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-07-06 03:37:33 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax 4.1.lnk
backup=C:\WINDOWS\pss\eFax 4.1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 18:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"C:\\WINDOWS\\system32\\lxbxcoms.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxbxPSWX.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 10:50]
R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);C:\WINDOWS\system32\drivers\adm8830.sys [2001-10-05 15:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-05-31 16:21:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 12:18:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk21]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\HNPsSdk.drv"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-31 12:23:52 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-05-31 16:23:47

Pre-Run: 67,722,919,936 bytes free
Post-Run: 67,966,771,200 bytes free

245 --- E O F --- 2008-05-30 14:52:59

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:59 AM

Posted 31 May 2008 - 11:56 AM

Hi Jim,

You're welcome. :thumbsup:

With what I see in The ComboFix log and this statement :

I have noticed my nephew has download limewire, utorrent, & some other stuff on our desktop so I am eager to get rid of everything that looks like it led to this infestation!!!

I'd like to see an uninstall list so we can get rid of all those things. That will give you back some speed and some space, as well as help get rid of the LOP infection I see present.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 Jaboomba

Jaboomba
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:59 AM

Posted 31 May 2008 - 12:16 PM

Thanks... I haven't uninstalled any limewire or utorrent yet since I didn't want to make any changes to the system once I posted my first log. If you would like me to uninstall I would be glad to do so.

Here is the list you requested from Highjack This!

Ad-Aware 2007
Adobe Acrobat 7.0 Professional
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
AnyDVD
avast! Antivirus
CDex extraction audio
DVD Decrypter (Remove Only)
DVD Shrink 3.2
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Deskjet Preloaded Printer Drivers
Image Resizer Powertoy for Windows XP
Intel® Extreme Graphics Driver
IntelliMover Data Transfer Demo
InterVideo WinDVD Player
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Java Web Start
Java™ 6 Update 5
Java™ 6 Update 6
Lexmark 7100 Series
Lexmark 7100 Series Fax Solutions
Logitech iTouch Software
Logitech MouseWare 9.79.1
Logitech QuickCam Software
Logitech® Camera Driver
Macromedia Shockwave Player
Malwarebytes' RogueRemover
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft ActiveSync 3.7
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Windows Journal Viewer
Microsoft WSE 2.0 SP3 Runtime
Move Networks Player for Internet Explorer
Mozilla Firefox (2.0.0.4)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Multimedia Card Reader
Nero 7
Netscape (7.2)
NVIDIA Display Driver
NVIDIA Drivers
palmOne
PC-Doctor for Windows
PCFriendly
Photosmart 140,240,7200,7600,7700,7900 Series
Point
PowerDVD
PowerISO
powerOne Personal v2.1.1 for Handhelds
PS2
QuickBooks Premier: Professional Services Edition 2007
Quicken 2007
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
SpywareBlaster 4.0
toolkit
Trillian
TurboTax Business 2006
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Updates from HP
Viewpoint Manager (Remove Only)
ViewSonic Monitor Drivers
WexTech AnswerWorks
Winamp (remove only)
Windows Communication Foundation
Windows Defender
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZix version 2.0
Yahoo! Address AutoComplete
Yahoo! Anti-Spy
Yahoo! Browser Services
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Toolbar





You are a god send!!!

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:59 AM

Posted 31 May 2008 - 12:38 PM

Hi there,

They must have been uninstalled since they aren't in that list. The Folders probably remain, and we'll get to those. :thumbsup:

For now, please uninstall the following via Add/Remove Programs :

J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 5
Viewpoint Manager (Remove Only)


Reboot your computer.

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Folder::
C:\Documents and Settings\Owner\Application Data\uTorrent
C:\Documents and Settings\Owner\Application Data\Viewpoint
C:\WINDOWS\PPATCH~1
C:\Program Files\BitTorrent
C:\\Program Files\\utorrent
C:\Program Files\Viewpoint

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 Jaboomba

Jaboomba
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:59 AM

Posted 31 May 2008 - 02:02 PM

Here is everything you asked me to do..... When I talked with my nephew today he admitted he has been downloading stuff all year for friends at school... I asked him why and he said he has DSL and our connection was so much faster. What is really sad is that he told me that when we travel, since we trust him to take care of the animals, he leaves the computer downloading stuff nonstop. He told me thought since he was putting everything on CD then earsing it I would never find out & there would be no damage. He told me to check the wife's laptop also!!! OH BOY!!! I did check it out and it seems to be running slow, but I don't know if it is because of the computer or that it is filled with spyware crap. Th virus scan says All Clean.

Well let me know on the desktop & once we are done with that I can post the highjack this log for the laptop!!!! Is it wrong with me wanting to tar & feather my Nephew!!! He will be cutting my grass for WEEKS!!! LOL


Here is the newest combofix log

ComboFix 08-05-29.1 - Owner 2008-05-31 14:41:41.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\\Program Files\\utorrent\utorrent.exe
C:\Documents and Settings\Owner\Application Data\uTorrent
C:\Documents and Settings\Owner\Application Data\uTorrent\ Microsoft Windows Key Gen. 2003 or XP Pro or Office-XP keygen(1).zip.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\1408 (2007) FuZe PROPER CAM KvCD Hockney(TUS Release).torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\1408[2007]DvDrip[Eng]-aXXo.avi.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Bob Marley - Complete Discography From 1967 To 2002 [33 Full Albums] (Mp3 256Kbps).torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\dht.dat
C:\Documents and Settings\Owner\Application Data\uTorrent\Early Simmons - DMX - Discografia Completa - 18 Albums.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Evan Almighty 2007 CAMERA CAM KvCD Jamgood(TUS Release).torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Evan Almighty[2007]DvDrip[Eng]-aXXo.avi.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Fluid.Mask.3.v2.100.1.RC1.Cracked-iNViSiBLE.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Halloween Music - Halloween Sound Effects.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Halloween Music - Screeches Clanks and Howls.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\halloween songs from films and some sound effects from halloween , so a happy and scary halloween.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Hostel 2 2007 PUKKA DVD WORKPRINT KvCD Jamgood(TUS Release).torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Hostel.2.DVD.WORKPRINT.XViD-PUKKA.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Knocked Up (2007) CAMERA CAM KvCD Hockney(TUS Release).torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Lara Croft Tomb Raider Anniversary [PC-BONUS DVD][Multi5 SP-EN-FR-IT-GE][www.newpct.com].torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Microsoft Keygen (office xp, windows xp and 2003 server edition).torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Microsoft Office 2003 Professional (Word, Excel, Powerpoint, Access, Frontpage, Outlook, Infopath, Visio, Project).iso.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Microsoft Office 2007 Activation Crack.zip.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Microsoft Office 2007 Complete Third Edition.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Microsoft Office Enterprise 2007 + Keygen.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Microsoft_Office_2007_Professional.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Nancy.Drew(2007)PUKKA.TELESYNC.KVCD.BluX(TUS.Release).torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Nancy.Drew.Curse.of.Blackmoor.Manor.zip.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Nero 7 Ultra Edition Enhanced XP & Vista + Keygen [ScottayB].torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\PCDVD S.T.A.L.K.E.R. Shadow of Chernobyl [Multi4] [www.torrentspain.com].iso.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Pirates.of.the.Caribbean.At.Worlds.End.TS.XViD-mVs [ www.torrentat.org ].torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\PowerISO v3.7 With Keygen by FFF torrent by matt14.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Quickbooks 2006 Premiere Idiot Proof Installation.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\QuickBooks.Premier.2007-rG.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Quicken Premier 2007.rar.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Quicken.2007.R1.Deluxe.rar.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\REAL MS Office 2003 Keygen.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Resident Evil 4 [PCDVD][Multi5-SP-EN-FR-IT-DE][www.newpct.com].torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\resume.dat
C:\Documents and Settings\Owner\Application Data\uTorrent\resume.dat.old
C:\Documents and Settings\Owner\Application Data\uTorrent\RussianOrgy.avi.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\settings.dat
C:\Documents and Settings\Owner\Application Data\uTorrent\settings.dat.old
C:\Documents and Settings\Owner\Application Data\uTorrent\Shaggy - Intoxicaton (Retail 2007) - Dance Hall [www.zonatorrent.com].rar.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Shaggy.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Sicko.2007.DVDrip.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Transformers - The Movie.avi.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Turbo Tax 2006 Home & Business.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\Turbo Tax Premier 2006.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\TurboTax-Home-and-Business-2007 (FULL!).zip.torrent
C:\Documents and Settings\Owner\Application Data\uTorrent\utorrent.lng
C:\Documents and Settings\Owner\Application Data\Viewpoint
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\1701357120.mtx
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\537440385.mtj&p2=1&p3=14213893205722992211147617625812&p4=50335500
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\URLCache.ini
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1756024299.mtx
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\URLCache.ini
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\258787578.mts
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\URLCache.ini
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-316708865.mtj&p2=1&p3=14213893205722992211147617625812&p4=50335505
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\914509310.mtj&p2=1&p3=14213893205722992211147617625812&p4=50335505
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\URLCache.ini
C:\Documents and Settings\Owner\Application Data\Viewpoint\Viewpoint Media Player\Resources\UpdateVersionList_v2.mtx
C:\Program Files\BitTorrent
C:\Program Files\BitTorrent\addrmap.dat
C:\Program Files\BitTorrent\credits-l10n.txt
C:\Program Files\BitTorrent\etc\gtk-2.0\gdk-pixbuf.loaders
C:\Program Files\BitTorrent\etc\gtk-2.0\gtkrc
C:\Program Files\BitTorrent\etc\pango\pango.aliases
C:\Program Files\BitTorrent\etc\pango\pango.modules
C:\Program Files\BitTorrent\plugin.inf
C:\Program Files\BitTorrent\share\themes\wimp\gtk-2.0\gtkrc
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\bg_287.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\bg_370blue.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\bg_370white.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\bg_455.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\customize.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\download_skins.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\downloadcom.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\header.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\howitwork1.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\howitwork2.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\logo_black.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\logo_white.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\nospy.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\s.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\shadow.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\title_287.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\title_370.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\title_455.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\images\top.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar\stylesheets\styles.css
C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarInstaller.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-30 19:34 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-30 18:29 . 2008-05-30 19:42 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-05-30 00:53 . 2008-05-30 00:53 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-30 00:15 . 2008-05-30 00:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-30 00:13 . 2008-05-27 03:12 <DIR> d-------- C:\SDFix
2008-05-17 03:02 . 2008-05-17 03:02 285 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-28 02:31 . 2008-04-28 02:35 6,664 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-27 16:23 . 2002-08-29 08:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-27 16:22 . 2008-04-27 16:22 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-04-06 12:50 . 2008-04-06 12:50 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\7100Series
2008-04-05 18:39 . 2008-05-29 22:27 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-05 18:39 . 2008-04-05 18:39 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-31 18:42 --------- d-----w C:\Program Files\utorrent
2008-05-31 18:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-31 18:07 --------- d-----w C:\Program Files\Java
2008-05-30 05:37 --------- d-----w C:\Program Files\QuickTime
2008-05-30 05:37 --------- d-----w C:\Program Files\Common Files\Real
2008-05-30 05:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-30 04:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-30 03:52 --------- d-----w C:\Program Files\RogueRemover FREE
2008-04-28 06:29 --------- d-----w C:\Program Files\IE PassView
2008-04-23 15:51 --------- d-----w C:\Program Files\Lx_cats
2008-04-22 04:11 106,496 ----a-w C:\WINDOWS\DUMP606f.tmp
2008-04-15 21:45 --------- d-----w C:\Program Files\Yahoo!
2008-04-15 21:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-04-15 21:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2005-07-08 22:07 45,448 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2002-07-26 21:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2001-07-26 21:58 47 ----a-w C:\Program Files\ACMonitor_X73.ini
2001-07-05 17:46 8,116 ----a-w C:\Program Files\OSLO3071b2.USB
2001-05-11 16:39 53,248 ----a-w C:\Program Files\ACMonitor_X73.exe
2001-05-08 21:36 114,688 ----a-w C:\Program Files\lxarscan.dll
2001-04-23 19:22 1,437 ----a-w C:\Program Files\gtx73.ini
2001-02-22 14:54 768 ----a-w C:\Program Files\x73_lut.dat
2004-09-15 15:58 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-31_12.23.33.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-31 16:17:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-31 18:45:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
+ 2008-05-31 16:58:27 74,137 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-05-31 18:46:27 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_630.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [ ]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"updateMgr"="C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\AdobeUpdateManager.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 15:44 196608]
"Firstmeow"="C:\DOCUME~1\Owner\APPLIC~1\ONLINE~1\bolt idol.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 12:41 223984]
"Notn"="C:\WINDOWS\PPATCH~1\cmd.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"lxbxmon.exe"="C:\Program Files\Lexmark 7100 Series\lxbxmon.exe" [2005-01-18 10:43 196608]
"FaxCenterServer4_in_1"="c:\Program Files\Lexmark 7100 Series\fm3032.exe" [2004-12-06 11:53 286720]
"EzPrint"="C:\Program Files\Lexmark 7100 Series\ezprint.exe" [2004-09-17 13:24 61440]
"AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [ ]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33 892928]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-09-26 10:49 35328]
"VTTimer"="VTTimer.exe" []
"Vtf3"="c:\documents and settings\owner\local settings\temp\Vtf3.exe" [ ]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2004-04-23 11:00 192512]
"USB2Check"="C:\WINDOWS\system32\PCLECoInst.dll" [2004-04-06 19:05 61440]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 21:11 139264]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"RA"="c:\documents and settings\owner\local settings\temp\RA.exe" [ ]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 19:57 81920]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [ ]
"PPMemCheck"="c:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [ ]
"PestPatrol Control Center"="c:\PROGRA~1\PESTPA~1\PPControl.exe" [ ]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-22 12:22 86016]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32 221184]
"LTMSG"="LTMSG.exe" [2003-07-14 20:52 40960 C:\WINDOWS\ltmsg.exe]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 16:14 217088]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 16:24 458752]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 05:55 483328]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [ ]
"eFax 4.1"="C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" [ ]
"CookiePatrol"="c:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [ ]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"2u7"="C:\documents and settings\owner\local settings\temp\2u7.exe" [ ]
"LXBXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll" [2004-11-02 16:08 69632]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 12:41 223984]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 17:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-07-06 03:37:33 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax 4.1.lnk
backup=C:\WINDOWS\pss\eFax 4.1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 18:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"C:\\WINDOWS\\system32\\lxbxcoms.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxbxPSWX.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 10:50]
R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);C:\WINDOWS\system32\drivers\adm8830.sys [2001-10-05 15:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-05-31 18:49:27 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 14:47:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk21]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\HNPsSdk.drv"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-31 14:52:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-31 18:52:32
ComboFix2.txt 2008-05-31 16:23:53

Pre-Run: 68,134,395,904 bytes free
Post-Run: 68,122,402,816 bytes free

306 --- E O F --- 2008-05-30 14:52:59



Here is the newest Highjack this log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:26 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark 7100 Series\lxbxmon.exe
C:\Program Files\Lexmark 7100 Series\ezprint.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcrobatInfo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://primerica.gosolo.com/"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\xnet6ufj.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\xnet6ufj.slt\prefs.js)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "c:\Program Files\Lexmark 7100 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Vtf3] c:\documents and settings\owner\local settings\temp\Vtf3.exe
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RA] c:\documents and settings\owner\local settings\temp\RA.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [2u7] C:\documents and settings\owner\local settings\temp\2u7.exe
O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Firstmeow] C:\DOCUME~1\Owner\APPLIC~1\ONLINE~1\bolt idol.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\PPATCH~1\cmd.exe" -vt yazb
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 10187 bytes

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:59 AM

Posted 31 May 2008 - 03:45 PM

Hi Jim,

No, it's not wrong......and I think you should have a serious talk with him. I have to snitch on him. He has downloaded illegal copies of Windows, Microsoft Office, Nero, QuickBooks, TurboTax, all the cracks and keygens for them, as well as porn, and a host of movies and music. This is just from utorrent. No telling what he got from Limewire. Go look up the retail prices of those programs to see how much all those are worth. :) You're actually very lucky you didn't lose this computer all together after seeing all that. You might also let him know that if I can find all this out without ever setting eyes on the computer.....what else could we find if we really looked?

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer. I believe we're done with this one. :thumbsup: Post me just a HijackThis log from your wife's laptop and we'll go through it.

Make that all summer that he mows. :thumbsup:

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 Jaboomba

Jaboomba
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:59 AM

Posted 31 May 2008 - 04:12 PM

WOW!!!! He told me he downloaded a some songs & a couple movies!!! The PORN is the most shocking.... My brother, his father, is the youth minister for our church..... OUCH!!!

I just had him come over and read your enitre post and showed him the amount of time & headache this has caused me..... Not to mention I could get in a lot of trouble for him doing that from my house & our computers... He now knows that becuase of my security clearance I could loose my job over something like this not to mention the legal issues I would have to deal with also.... The kid was in tears & after I speak to my brother he will never do that again... He tried to deny it, but once I told him you were able to see all of this & never step into my house he was freaking out. I told him there might be some law enforcement involvement, so he is scared to death... I will let him sit there and worried about that for a week or so. It is scary to think a 13 yr old boy knows how to find all of this stuff!!!


My wife is out right now visiting a client, but will be home in a few hours.... Jason (my nephew) admitted that he used her laptop from his bedroom since they live right next door and although I have secured my wifi with her laptop he could get on. Lord help us what we will find on there!!!


Thanks so much for all of your help on this one and I will post my wife's logs once she gets home tonight.

You are AMAZING!!! I can't thank you enough.



Jim

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:59 AM

Posted 31 May 2008 - 06:25 PM

I'm really sorry, but you had to know. :thumbsup: Post the log when you're ready. I'm still here off and on for several hours yet. :)

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 Jaboomba

Jaboomba
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:59 AM

Posted 31 May 2008 - 09:02 PM

Sorry for taking so long to get this to you. Here is the highjack this log for the wifes computer. Jason said he only used it a little bit, but I guess it is better safe than sorry. I know she runs Ad-aware atleast once a week, but the computer just seems to run so slow.

I also ran AVAST just a couple days ago and it came up clear.

I did notice that he had limewire on this computer, but I couldn't find the "utorrent" program that was on the other computer.



Here it is:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:48 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark 7100 Series\lxbxmon.exe
C:\Program Files\Lexmark 7100 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\system32\lxbxcoms.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ask Search Assistant BHO - {0A94B111-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 7100 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk2/downloads/sysinfo.cab
O16 - DPF: {51A1CDAB-573D-45A4-B69F-B44791DFF60A} (Pictometry Viewer Control) - http://www.brevardpropertyappraiser.com/pi...ImageCtrl30.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u...ows-i586-jc.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://72.236.171.74:8181/activex/AxisCamControl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClickLoan/1...PtClickLoan.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.2.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 14716 bytes



Let's hope her laptop doesn't have the same issues as the desktop.


-- Thank god my computer works PERFETLY!!! then again I don't download ANYTHING!!

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:59 AM

Posted 31 May 2008 - 09:13 PM

Hello again,

This one looks good! :thumbsup: Did you already uninstall Limewire? If so, be sure to delete the Limewire folder in Program Files also. If you don't use it, you can uninstall the AskToolbar while you're in Add/Remove Programs. :)

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

The following are not malware, but fixing them with HijackThis will improve your system's speed. None are necessary at startup, and may be started manually at any time. This is up to you. :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Let me know if that helps. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#15 Jaboomba

Jaboomba
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:59 AM

Posted 31 May 2008 - 11:58 PM

Teacup

Thank you so much for all of your help. Not only did you save my computer, but you helped teach my nephew a leason!!


You are a REAL Godsend!!!


Thank you for all of your help!!



Have a WONDERFUL weekend!!



Jim




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users