
Kindly Check To See I'm Free Of Worms.


  • This topic is locked
2 replies to this topic

#1 Violated

Posted 16 June 2008 - 04:30 PM

Firstly, my apologies for taking matters into my own hands - using 'Combo-fix' before being instructed to do so.

Doh! And 'Fixwareout' & 'Erunt'. In my defense, they were sent by a well-intentioned friend. Only LATER did I read here that I should wait. I'm a bit embarrassed to say that I didn't even realise that there were a bunch of anti-virus guardian angels out there.

It seems to have brought my computer back from the edge of disaster - at least keeping the problems at bay. The machine was in a really bad way, to the point that most of the anti-virus programs had been rendered useless and the machine had been lost. As you'll appreciate, the infection begins gradually and rapidly escalates - as does one's panic levels. Anyway, not unsurprisingly, my actions also did some damage to my system - which I'll come to next.

I think it was 'Erunt' that said it couldn't restore 'windows/system 32/config default', after running Combo. Also, upon booting, a message 'Windows root system/32 hall.dll can't be found' appears and says that it can't start the computer; however, when I press enter it seems that the XP system restore kicks in and the machine springs to life. And a few more! I'll tackle that later; for now I just want to secure the computer and its content.

As I confessed that I self-medicated and ran the software, I may well send you my 'patient history'. I'm not at all convinced that I've got rid of everything. If you could take a look I would be hugely grateful. Thanks in advance.


Bests,

Richard

This is the Combo-Fix log. Erm, did I mention I did it twice? :-( So, in the order that the tests were run .....


ComboFix 08-06-12.2 - Richard Henderson 2008-06-15 19:35:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.138 [GMT 7:00]
Running from: C:\Documents and Settings\Richard Henderson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Richard Henderson\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Richard Henderson\Application Data\inst.exe
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\msvrc20.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-15 19:49 . 792,723,456 C:\pagefile.sys
2008-06-15 19:34 . 2008-06-15 19:35 <DIR> d-------- C:\cmdcons
2008-06-15 19:27 . 2008-06-15 19:35 <DIR> d-------- C:\QooBox
2008-06-15 19:27 . 2008-06-15 19:59 <DIR> d-------- C:\ComboFix
2008-06-15 00:51 . 2008-06-15 01:32 <DIR> d-------- C:\Documents and Settings\Richard Henderson\Application Data\Comodo
2008-06-15 00:51 . 2008-06-15 00:50 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-06-15 00:51 . 2008-06-15 00:50 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-06-15 00:50 . 2008-06-15 00:50 <DIR> d-------- C:\Program Files\COMODO
2008-06-14 22:42 . 2008-06-15 00:47 <DIR> d-------- C:\Documents and Settings\Richard Henderson\Application Data\VersionTracker Pro
2008-06-14 12:56 . 2008-06-15 18:33 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\comodo
2008-06-14 09:25 . 2008-06-14 09:25 <DIR> d-------- C:\Program Files\Common Files\Intel
2008-06-14 08:06 . 2007-01-13 09:45 172,032 -ra------ C:\WINDOWS\system32\igfxres.dll
2008-06-14 06:54 . 2008-06-14 06:54 <DIR> d--h----- C:\Documents and Settings\Default User.WINDOWS.0
2008-06-14 06:54 . 2008-06-14 06:54 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0
2008-06-14 04:37 . 2008-05-01 16:35 53,248 --a------ C:\WINDOWS\system32\CSVer.dll
2008-06-14 04:18 . 2008-06-14 04:18 <DIR> d-------- C:\Program Files\Intel Corporation
2008-06-13 23:41 . 2008-06-13 23:41 1,880,856 --a------ C:\WINDOWS\system32\AutoPartNt.exe
2008-06-13 23:41 . 2008-06-14 00:31 1,024 --a------ C:\WINDOWS\system32\AutoPartNt.let
2008-06-13 21:00 . 2008-06-13 21:00 <DIR> d-------- C:\Program Files\Innovative Solutions
2008-06-13 20:11 . 2008-06-13 20:30 <DIR> d-------- C:\Program Files\Digital Locker Assistant
2008-06-13 17:30 . 2008-06-13 20:31 <DIR> d-------- C:\Documents and Settings\Richard Henderson\Application Data\Vso
2008-06-13 17:30 . 2008-06-13 17:30 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-13 17:30 . 2008-06-13 20:31 47,360 --a------ C:\Documents and Settings\Richard Henderson\Application Data\pcouffin.sys
2008-06-13 16:10 . 2008-06-13 16:10 <DIR> d-------- C:\Documents and Settings\Richard Henderson\Application Data\CDBurnerXP_Soft
2008-06-13 16:09 . 2008-06-13 23:23 <DIR> d-------- C:\Program Files\CDBurnerXP
2008-06-12 14:35 . 2008-06-12 14:35 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2008-06-12 14:35 . 2008-06-12 14:40 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-12 14:34 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-06-12 11:40 . 2008-06-12 11:41 <DIR> d-------- C:\Huh
2008-06-12 11:40 . 2008-06-12 11:41 <DIR> d-------- C:\Huh
2008-06-12 10:37 . 2008-06-12 11:00 <DIR> d-------- C:\Program Files\a-squared Free
2008-06-11 18:21 . 2008-06-11 18:21 <DIR> d-------- C:\Documents and Settings\Richard Henderson\Application Data\Malwarebytes
2008-06-11 18:20 . 2008-06-11 18:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 18:20 . 2008-06-11 18:20 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-06-11 18:20 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-11 18:20 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-11 15:17 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-11 10:55 . 2008-06-11 10:55 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Acronis
2008-06-10 14:53 . 2008-06-14 21:26 <DIR> d-------- C:\Documents and Settings\The Administrator\Application Data\Skype
2008-06-10 14:50 . 2008-06-15 18:24 <DIR> d-------- C:\Documents and Settings\The Administrator
2008-06-10 12:20 . 2008-06-12 12:00 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-10 12:20 . 2008-06-12 12:00 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-10 08:03 . 2008-03-23 04:37 113,896 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys
2008-06-10 07:17 . 2008-06-15 18:48 5,632 --ahs---- C:\WINDOWS\Thumbs.db
2008-06-10 06:17 . 2008-06-14 08:11 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-10 06:17 . 2008-06-10 06:17 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-10 06:17 . 2008-06-10 06:17 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-10 06:17 . 2008-06-10 06:17 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-06-10 06:17 . 2008-06-10 06:17 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-10 06:16 . 2008-06-10 06:16 <DIR> d-------- C:\Program Files\AVG
2008-06-10 06:16 . 2008-06-10 06:16 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-06-10 04:26 . 2008-06-13 13:05 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Acronis
2008-06-10 04:25 . 2008-06-10 04:25 441,760 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2008-06-10 04:25 . 2008-06-10 04:25 44,384 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-06-10 04:24 . 2008-06-10 04:24 368,736 --a------ C:\WINDOWS\system32\drivers\tdrpman.sys
2008-06-10 04:24 . 2008-06-10 04:24 129,248 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-06-10 04:22 . 2008-06-10 04:23 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-06-10 04:22 . 2008-06-10 04:22 <DIR> d-------- C:\Program Files\Acronis
2008-06-10 02:49 . 2008-06-13 03:30 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-06-09 14:18 . 2008-06-09 14:21 6,416,408 --a------ C:\Program Files\SUPERAntiSpywarePro.exe
2008-06-09 10:54 . 2008-06-09 10:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-08 12:51 . 2008-06-08 12:51 <DIR> d-------- C:\Program Files\Reader 8.0
2008-06-07 15:06 . 2008-06-07 15:06 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-06-07 15:05 . 2008-06-12 11:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-07 15:05 . 2008-06-07 15:05 <DIR> d-------- C:\Documents and Settings\Richard Henderson\Application Data\SUPERAntiSpyware.com
2008-06-05 20:54 . 2008-06-05 20:54 <DIR> d-------- C:\Program Files\CCleaner
2008-06-04 20:07 . 2008-06-04 20:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-04 20:07 . 2008-06-04 21:09 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-06-04 11:45 . 2008-06-11 15:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-03 08:17 . 2008-06-03 08:17 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-06-03 08:16 . 2008-06-03 08:16 <DIR> d-------- C:\Program Files\Real
2008-06-03 08:16 . 2008-06-03 08:17 <DIR> d-------- C:\Program Files\Common Files\Real
2008-05-30 08:41 . 2008-05-30 08:41 <DIR> d-------- C:\Program Files\Alien Skin
2008-05-30 04:09 . 2008-05-30 04:09 <DIR> d-------- C:\Program Files\Bonjour
2008-05-30 03:48 . 2008-05-30 03:48 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-26 16:30 . 2008-05-26 16:32 <DIR> d-------- C:\Program Files\ACW
2008-05-26 09:55 . 2008-05-26 09:55 <DIR> d-------- C:\Program Files\ePaperPress
2008-05-26 09:38 . 2004-03-29 17:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-05-25 20:32 . 2008-05-25 20:32 <DIR> d-------- C:\Documents and Settings\Richard Henderson\Application Data\Imagenomic
2008-05-25 17:31 . 2008-05-25 17:31 <DIR> d-------- C:\Program Files\Paint Shop Pro
2008-05-25 17:24 . 2008-05-25 17:36 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-25 04:14 . 2008-05-25 17:55 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-23 15:52 . 2008-05-23 15:56 <DIR> d-------- C:\D
2008-05-23 15:52 . 2008-05-23 15:56 <DIR> d-------- C:\D
2008-05-23 15:47 . 2008-06-14 00:46 <DIR> d-------- C:\kkk
2008-05-23 15:47 . 2008-06-14 00:46 <DIR> d-------- C:\kkk
2008-05-23 13:45 . 2008-05-23 13:45 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2008-05-23 08:26 . 2008-05-23 13:45 <DIR> d-------- C:\Program Files\Avira
2008-05-22 18:20 . 2008-05-22 18:20 <DIR> d-------- C:\Program Files\LimeWire
2008-05-22 18:20 . 2008-05-22 18:20 <DIR> d-------- C:\Program Files\Ipod Video Converter
2008-05-22 18:17 . 2008-05-22 18:17 <DIR> d-------- C:\Documents and Settings\Richard Henderson\Application Data\InstallShield Installation Information
2008-05-22 18:17 . 2008-05-22 18:17 <DIR> d-------- C:\Documents and Settings\Richard Henderson\Application Data\GRETECH
2008-05-22 18:17 . 2008-05-22 18:17 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\GRETECH
2008-05-22 18:16 . 2008-06-03 01:47 <DIR> d-------- C:\Program Files\AVIConverter
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 11:22 --------- d-----w C:\Program Files\Common Files\Skype
2008-06-15 01:00 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\Skype
2008-06-14 09:29 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\WinPatrol
2008-06-11 08:17 --------- d-----w C:\Program Files\Java
2008-06-09 19:38 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\BitTyrant
2008-06-09 06:33 --------- d-----w C:\Program Files\FastStone Capture
2008-06-09 01:10 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\uTorrent
2008-06-07 22:19 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-07 22:19 --------- d-----w C:\Program Files\Windows Media Connect
2008-06-07 22:19 --------- d-----w C:\Program Files\SP31763
2008-06-07 22:18 --------- d-----w C:\Program Files\DivX
2008-06-07 22:18 --------- d-----w C:\Program Files\Altiris
2008-06-07 09:31 --------- d-----w C:\Program Files\MediaCoder
2008-05-29 21:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-26 18:28 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\Shutterfly
2008-05-26 10:06 --------- d-----w C:\Program Files\Windows Live Writer
2008-05-26 10:06 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\IObit
2008-05-25 14:00 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\Alien Skin
2008-05-22 11:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-22 11:17 --------- d-----w C:\Program Files\GRETECH
2008-05-22 11:17 --------- d-----w C:\Program Files\ConTEXT
2008-05-22 11:17 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\CoffeeCup Software
2008-05-22 11:16 --------- d-----w C:\Program Files\Riva
2008-05-20 08:11 --------- d-----w C:\Program Files\Canon
2008-05-08 12:53 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\YouSendIt
2008-05-03 18:23 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-05-03 05:48 --------- d-----w C:\Program Files\BitTyrant
2008-05-03 04:31 --------- d-----w C:\Program Files\IObit
2008-04-29 04:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 04:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 04:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-17 09:19 90,668 ----a-w C:\WINDOWS\system32\vobis32.dll
2008-04-16 01:00 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\DATECOM(2)
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2007-04-03 19:10 82 ----a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
2005-02-16 18:06 218,112 -c--a-w C:\Program Files\HijackThis.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@={747E722C-CB46-4A9D-BDFE-192AAD5099B1}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@={EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4A9D-BDFE-192AAD5099B1}]
2008-01-05 06:47 2389296 --a------ C:\Program Files\Mozy\mozyshell1.dll

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}]
2008-01-05 06:47 2389296 --a------ C:\Program Files\Mozy\mozyshell1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="C:\PROGRAM FILES\Acronis\TRUEIMAGEHOME\TRUEIMAGEMONITOR.EXE" [2007-09-14 02:52 2595480]
"AcronisTimounterMonitor"="C:\PROGRAM FILES\Acronis\TRUEIMAGEHOME\TIMOUNTERMONITOR.EXE" [2007-09-14 03:02 905056]
"Acronis Scheduler2 Service"="C:\PROGRAM FILES\COMMON FILES\Acronis\SCHEDULE2\schedhlp.exe" [2007-09-14 02:55 140568]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-01-13 09:46 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 09:47 163840]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 09:47 131072]



FIXWAREOUT


Username "Richard Henderson" - 06/16/2008 14:53:25 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Could not flush the DNS Resolver Cache: Function failed during execution.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"TrueImageMonitor.exe"="C:\\PROGRAM FILES\\Acronis\\TRUEIMAGEHOME\\TRUEIMAGEMONITOR.EXE"
"AcronisTimounterMonitor"="C:\\PROGRAM FILES\\Acronis\\TRUEIMAGEHOME\\TIMOUNTERMONITOR.EXE"
"Acronis Scheduler2 Service"="C:\\PROGRAM FILES\\COMMON FILES\\Acronis\\SCHEDULE2\\schedhlp.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run\AdobeUpdater]
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

COMBOFIX #2



ComboFix 08-06-12.2 - Richard Henderson 2008-06-16 14:28:17.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.174 [GMT 7:00]
Running from: C:\Documents and Settings\Richard Henderson\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-15 00:51 . 2008-06-15 01:32 <DIR> d-------- C:\Documents and Settings\Richard Henderson\Application Data\Comodo
2008-06-15 00:51 . 2008-06-15 00:50 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-06-15 00:51 . 2008-06-15 00:50 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-06-15 00:50 . 2008-06-15 00:50 <DIR> d-------- C:\Program Files\COMODO
2008-06-14 22:42 . 2008-06-15 00:47 <DIR> d-------- C:\Documents and Settings\Richard Henderson\Application Data\VersionTracker Pro
2008-06-14 12:56 . 2008-06-15 18:33 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\comodo
2008-06-14 09:25 . 2008-06-14 09:25 <DIR> d-------- C:\Program Files\Common Files\Intel
2008-06-14 08:06 . 2007-01-13 09:45 172,032 -ra------ C:\WINDOWS\system32\igfxres.dll
2008-06-14 06:54 . 2008-06-14 06:54 <DIR> d--h----- C:\Documents and Settings\Default User.WINDOWS.0
2008-06-14 06:54 . 2008-06-14 06:54 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0
2008-06-14 04:37 . 2008-05-01 16:35 53,248 --a------ C:\WINDOWS\system32\CSVer.dll
2008-06-14 04:18 . 2008-06-14 04:18 <DIR> d-------- C:\Program Files\Intel Corporation
2008-06-13 23:41 . 2008-06-13 23:41 1,880,856 --a------ C:\WINDOWS\system32\AutoPartNt.exe
2008-06-13 23:41 . 2008-06-14 00:31 1,024 --a------ C:\WINDOWS\system32\AutoPartNt.let
2008-06-13 21:00 . 2008-06-13 21:00 <DIR> d-------- C:\Program Files\Innovative Solutions
2008-06-13 20:11 . 2008-06-13 20:30 <DIR> d-------- C:\Program Files\Digital Locker Assistant
2008-06-13 17:30 . 2008-06-13 20:31 <DIR> d-------- C:\Documents and Settings\Richard Henderson\Application Data\Vso
2008-06-13 17:30 . 2008-06-13 17:30 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-13 17:30 . 2008-06-13 20:31 47,360 --a------ C:\Documents and Settings\Richard Henderson\Application Data\pcouffin.sys
2008-06-13 16:10 . 2008-06-13 16:10 <DIR> d-------- C:\Documents and Settings\Richard Henderson\Application Data\CDBurnerXP_Soft
2008-06-13 16:09 . 2008-06-13 23:23 <DIR> d-------- C:\Program Files\CDBurnerXP
2008-06-12 14:35 . 2008-06-12 14:35 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2008-06-12 14:35 . 2008-06-12 14:40 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-12 14:34 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-06-12 11:40 . 2008-06-12 11:41 <DIR> d-------- C:\Huh
2008-06-12 10:37 . 2008-06-12 11:00 <DIR> d-------- C:\Program Files\a-squared Free
2008-06-11 18:21 . 2008-06-11 18:21 <DIR> d-------- C:\Documents and Settings\Richard Henderson\Application Data\Malwarebytes
2008-06-11 18:20 . 2008-06-11 18:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 18:20 . 2008-06-11 18:20 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-06-11 18:20 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-11 18:20 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-11 15:17 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-11 10:55 . 2008-06-11 10:55 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Acronis
2008-06-10 14:53 . 2008-06-14 21:26 <DIR> d-------- C:\Documents and Settings\The Administrator\Application Data\Skype
2008-06-10 14:50 . 2008-06-15 18:24 <DIR> d-------- C:\Documents and Settings\The Administrator
2008-06-10 12:20 . 2008-06-12 12:00 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-10 08:03 . 2008-03-23 04:37 113,896 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys
2008-06-10 07:17 . 2008-06-16 00:01 5,632 --ahs---- C:\WINDOWS\Thumbs.db
2008-06-10 06:17 . 2008-06-16 09:45 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-10 06:17 . 2008-06-10 06:17 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-10 06:17 . 2008-06-10 06:17 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-10 06:17 . 2008-06-10 06:17 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-06-10 06:17 . 2008-06-10 06:17 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-10 06:16 . 2008-06-10 06:16 <DIR> d-------- C:\Program Files\AVG
2008-06-10 06:16 . 2008-06-10 06:16 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-06-10 04:26 . 2008-06-13 13:05 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Acronis
2008-06-10 04:25 . 2008-06-10 04:25 441,760 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2008-06-10 04:25 . 2008-06-10 04:25 44,384 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-06-10 04:24 . 2008-06-10 04:24 368,736 --a------ C:\WINDOWS\system32\drivers\tdrpman.sys
2008-06-10 04:24 . 2008-06-10 04:24 129,248 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-06-10 04:22 . 2008-06-10 04:23 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-06-10 04:22 . 2008-06-10 04:22 <DIR> d-------- C:\Program Files\Acronis
2008-06-10 02:49 . 2008-06-13 03:30 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-06-09 14:18 . 2008-06-09 14:21 6,416,408 --a------ C:\Program Files\SUPERAntiSpywarePro.exe
2008-06-09 10:54 . 2008-06-09 10:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-08 12:51 . 2008-06-08 12:51 <DIR> d-------- C:\Program Files\Reader 8.0
2008-06-07 15:06 . 2008-06-07 15:06 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-06-07 15:05 . 2008-06-12 11:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-07 15:05 . 2008-06-07 15:05 <DIR> d-------- C:\Documents and Settings\Richard Henderson\Application Data\SUPERAntiSpyware.com
2008-06-05 20:54 . 2008-06-05 20:54 <DIR> d-------- C:\Program Files\CCleaner
2008-06-04 20:07 . 2008-06-04 20:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-04 20:07 . 2008-06-04 21:09 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-06-04 11:45 . 2008-06-11 15:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-03 08:17 . 2008-06-03 08:17 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-06-03 08:16 . 2008-06-03 08:16 <DIR> d-------- C:\Program Files\Real
2008-06-03 08:16 . 2008-06-03 08:17 <DIR> d-------- C:\Program Files\Common Files\Real
2008-05-30 08:41 . 2008-05-30 08:41 <DIR> d-------- C:\Program Files\Alien Skin
2008-05-30 04:09 . 2008-05-30 04:09 <DIR> d-------- C:\Program Files\Bonjour
2008-05-30 03:48 . 2008-05-30 03:48 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-26 16:30 . 2008-05-26 16:32 <DIR> d-------- C:\Program Files\ACW
2008-05-26 09:55 . 2008-05-26 09:55 <DIR> d-------- C:\Program Files\ePaperPress
2008-05-26 09:38 . 2004-03-29 17:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-05-25 20:32 . 2008-05-25 20:32 <DIR> d-------- C:\Documents and Settings\Richard Henderson\Application Data\Imagenomic
2008-05-25 17:31 . 2008-05-25 17:31 <DIR> d-------- C:\Program Files\Paint Shop Pro
2008-05-25 17:24 . 2008-05-25 17:36 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-25 04:14 . 2008-05-25 17:55 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-23 15:52 . 2008-05-23 15:56 <DIR> d-------- C:\D
2008-05-23 15:47 . 2008-06-14 00:46 <DIR> d-------- C:\kkk
2008-05-23 13:45 . 2008-06-16 12:52 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2008-05-22 18:20 . 2008-05-22 18:20 <DIR> d-------- C:\Program Files\LimeWire
2008-05-22 18:20 . 2008-05-22 18:20 <DIR> d-------- C:\Program Files\Ipod Video Converter
2008-05-22 18:17 . 2008-05-22 18:17 <DIR> d-------- C:\Documents and Settings\Richard Henderson\Application Data\InstallShield Installation Information
2008-05-22 18:17 . 2008-05-22 18:17 <DIR> d-------- C:\Documents and Settings\Richard Henderson\Application Data\GRETECH
2008-05-22 18:17 . 2008-05-22 18:17 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\GRETECH
2008-05-22 18:16 . 2008-06-03 01:47 <DIR> d-------- C:\Program Files\AVIConverter
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 11:22 --------- d-----w C:\Program Files\Common Files\Skype
2008-06-15 01:00 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\Skype
2008-06-14 09:29 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\WinPatrol
2008-06-11 08:17 --------- d-----w C:\Program Files\Java
2008-06-09 19:38 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\BitTyrant
2008-06-09 06:33 --------- d-----w C:\Program Files\FastStone Capture
2008-06-09 01:10 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\uTorrent
2008-06-07 22:19 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-07 22:19 --------- d-----w C:\Program Files\Windows Media Connect
2008-06-07 22:19 --------- d-----w C:\Program Files\SP31763
2008-06-07 22:18 --------- d-----w C:\Program Files\DivX
2008-06-07 22:18 --------- d-----w C:\Program Files\Altiris
2008-06-07 09:31 --------- d-----w C:\Program Files\MediaCoder
2008-05-29 21:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-26 18:28 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\Shutterfly
2008-05-26 10:06 --------- d-----w C:\Program Files\Windows Live Writer
2008-05-26 10:06 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\IObit
2008-05-25 14:00 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\Alien Skin
2008-05-22 11:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-22 11:17 --------- d-----w C:\Program Files\GRETECH
2008-05-22 11:17 --------- d-----w C:\Program Files\ConTEXT
2008-05-22 11:17 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\CoffeeCup Software
2008-05-22 11:16 --------- d-----w C:\Program Files\Riva
2008-05-20 08:11 --------- d-----w C:\Program Files\Canon
2008-05-08 12:53 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\YouSendIt
2008-05-03 18:23 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-05-03 05:48 --------- d-----w C:\Program Files\BitTyrant
2008-05-03 04:31 --------- d-----w C:\Program Files\IObit
2008-04-29 04:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 04:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 04:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-16 01:00 --------- d-----w C:\Documents and Settings\Richard Henderson\Application Data\DATECOM(2)
2007-04-03 19:10 82 ----a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
2005-02-16 18:06 218,112 -c--a-w C:\Program Files\HijackThis.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-15_20.03.34.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-15 12:50:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-16 07:31:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-16 07:33:33 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_698.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@={747E722C-CB46-4A9D-BDFE-192AAD5099B1}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@={EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4A9D-BDFE-192AAD5099B1}]
2008-01-05 06:47 2389296 --a------ C:\Program Files\Mozy\mozyshell1.dll

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}]
2008-01-05 06:47 2389296 --a------ C:\Program Files\Mozy\mozyshell1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="C:\PROGRAM FILES\Acronis\TRUEIMAGEHOME\TRUEIMAGEMONITOR.EXE" [2007-09-14 02:52 2595480]
"AcronisTimounterMonitor"="C:\PROGRAM FILES\Acronis\TRUEIMAGEHOME\TIMOUNTERMONITOR.EXE" [2007-09-14 03:02 905056]
"Acronis Scheduler2 Service"="C:\PROGRAM FILES\COMMON FILES\Acronis\SCHEDULE2\schedhlp.exe" [2007-09-14 02:55 140568]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-01-13 09:46 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 09:47 163840]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 09:47 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\Installer\\{3A34E57B-CE24-4A7F-AD20-4C8B62029D5E}\\_69525f90.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\BitTyrant\\Azureus.exe"=
"C:\\Downloads\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\True\\hi-Speed Navigator\\hi-speed Navigator.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13854:TCP"= 13854:TCP:*:Disabled:BitComet 13854 TCP
"13854:UDP"= 13854:UDP:*:Disabled:BitComet 13854 UDP
"25753:TCP"= 25753:TCP:*:Disabled:BitComet 25753 TCP
"25753:UDP"= 25753:UDP:*:Disabled:BitComet 25753 UDP

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-06-10 06:17]
R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-06-10 04:24]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-10 06:17]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-06-15 00:50]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-06-15 00:50]
R1 mozyFilter;mozyFilter;C:\WINDOWS\system32\DRIVERS\mozy.sys [2008-01-05 06:47]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-10 06:16]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-10 06:17]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 23:26]
R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2008-03-23 04:37]
S2 TryAndDecideService;Acronis Try And Decide Service;"C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [2007-09-14 04:01]
S4 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 11:20]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 14:34:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Mozy\mozyshell1.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Mozy\mozybackup.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-06-16 14:40:02 - machine was rebooted [Richard Henderson]
ComboFix-quarantined-files.txt 2008-06-16 07:39:56
ComboFix2.txt 2008-06-16 06:00:47

Pre-Run: 4,788,858,880 bytes free
Post-Run: 4,772,519,936 bytes free

233 --- E O F --- 2008-06-09 00:14:46

---------------------------------------------------------------------

DECKARD'S:

---------------------------------------------------------------------

Deckard's System Scanner v20071014.68
Run by Richard Henderson on 2008-06-17 01:53:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 83% (more than 75%).
Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Richard Henderson.exe) -----------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:32 AM, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Mozy\mozybackup.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRAM FILES\Acronis\TRUEIMAGEHOME\TRUEIMAGEMONITOR.EXE
C:\PROGRAM FILES\Acronis\TRUEIMAGEHOME\TIMOUNTERMONITOR.EXE
C:\PROGRAM FILES\COMMON FILES\Acronis\SCHEDULE2\schedhlp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\True\hi-Speed Navigator\hi-speed Navigator.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Richard Henderson\Desktop\dss.exe
C:\PROGRA~1\Trend Micro\HijackThis\RICHAR~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\PROGRAM FILES\Acronis\TRUEIMAGEHOME\TRUEIMAGEMONITOR.EXE
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\PROGRAM FILES\Acronis\TRUEIMAGEHOME\TIMOUNTERMONITOR.EXE
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\PROGRAM FILES\COMMON FILES\Acronis\SCHEDULE2\schedhlp.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3477D98-744B-4A1F-B617-4EF1491899E8}: NameServer = 203.144.207.29 203.144.207.49
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - AppInit_DLLs: ,
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\Mozy\mozybackup.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 5271 bytes

-- Files created between 2008-05-17 and 2008-06-17 -----------------------------

2008-06-16 23:40:57 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-16 23:40:56 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\skypePM
2008-06-16 23:23:29 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\Skype
2008-06-16 23:22:29 0 d-------- C:\Program Files\Skype
2008-06-16 23:22:29 0 d-------- C:\Program Files\Common Files\Skype
2008-06-16 23:21:42 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Skype
2008-06-16 23:07:16 0 d-------- C:\327882R2FWJFW
2008-06-16 17:33:00 0 dr-h----- C:\Documents and Settings\Richard Henderson\Recent
2008-06-15 19:34:47 0 d-------- C:\cmdcons
2008-06-15 19:27:24 68096 --a------ C:\WINDOWS\zip.exe
2008-06-15 19:27:24 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-15 19:27:24 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-15 19:27:24 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-15 19:27:24 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-15 19:27:24 98816 --a------ C:\WINDOWS\sed.exe
2008-06-15 19:27:24 80412 --a------ C:\WINDOWS\grep.exe
2008-06-15 19:27:24 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-15 01:25:50 843776 --a------ C:\Documents and Settings\The Administrator\ntuser.dat
2008-06-15 01:25:48 12582912 --a------ C:\Documents and Settings\Richard Henderson\ntuser.dat
2008-06-15 01:25:47 229376 --a------ C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat
2008-06-15 00:51:08 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\Comodo
2008-06-15 00:50:58 0 d-------- C:\Program Files\COMODO
2008-06-14 22:42:04 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\VersionTracker Pro
2008-06-14 12:56:04 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\comodo
2008-06-14 09:25:09 0 d-------- C:\Program Files\Common Files\Intel
2008-06-14 08:00:00 389120 -ra------ C:\WINDOWS\system32\igxpun.exe <Not Verified; Intel® Corporation; Intel® Graphics Media Accelerator Driver>
2008-06-14 04:37:15 53248 --a------ C:\WINDOWS\system32\CSVer.dll <Not Verified; Windows XP Bundled build C-Centric Single User; Windows XP Bundled build C-Centric Single User CSVer>
2008-06-14 04:18:14 0 d-------- C:\Program Files\Intel Corporation
2008-06-13 21:00:36 0 d-------- C:\Program Files\Innovative Solutions
2008-06-13 20:11:31 0 d-------- C:\Program Files\Digital Locker Assistant
2008-06-13 17:30:13 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-06-13 17:30:13 47360 --a------ C:\Documents and Settings\Richard Henderson\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-06-13 17:30:12 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\Vso
2008-06-13 16:10:27 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\CDBurnerXP_Soft
2008-06-13 16:09:30 0 d-------- C:\Program Files\CDBurnerXP
2008-06-12 14:35:59 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2008-06-12 14:35:36 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-12 14:34:54 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-06-12 11:40:34 0 d-------- C:\Huh
2008-06-12 10:37:38 0 d-------- C:\Program Files\a-squared Free
2008-06-11 18:21:00 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\Malwarebytes
2008-06-11 18:20:52 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-06-11 18:20:50 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 10:55:01 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Acronis
2008-06-10 14:51:12 0 d-------- C:\Documents and Settings\The Administrator\Application Data\Identities
2008-06-10 14:50:25 0 d--h----- C:\Documents and Settings\The Administrator\Templates
2008-06-10 14:50:25 0 dr------- C:\Documents and Settings\The Administrator\Start Menu
2008-06-10 14:50:25 0 dr-h----- C:\Documents and Settings\The Administrator\SendTo
2008-06-10 14:50:25 0 dr-h----- C:\Documents and Settings\The Administrator\Recent
2008-06-10 14:50:25 0 d--h----- C:\Documents and Settings\The Administrator\PrintHood
2008-06-10 14:50:25 0 d--h----- C:\Documents and Settings\The Administrator\NetHood
2008-06-10 14:50:25 0 dr------- C:\Documents and Settings\The Administrator\My Documents
2008-06-10 14:50:25 0 d--h----- C:\Documents and Settings\The Administrator\Local Settings
2008-06-10 14:50:25 0 dr------- C:\Documents and Settings\The Administrator\Favorites
2008-06-10 14:50:25 0 d-------- C:\Documents and Settings\The Administrator\Desktop
2008-06-10 14:50:25 0 d--hs---- C:\Documents and Settings\The Administrator\Cookies
2008-06-10 14:50:25 0 dr-h----- C:\Documents and Settings\The Administrator\Application Data
2008-06-10 14:50:25 0 d---s---- C:\Documents and Settings\The Administrator\Application Data\Microsoft
2008-06-10 12:20:35 0 d--h----- C:\$AVG8.VAULT$
2008-06-10 06:17:08 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-10 06:16:48 0 d-------- C:\Program Files\AVG
2008-06-10 06:16:47 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-06-10 04:26:15 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Acronis
2008-06-10 04:22:42 0 d-------- C:\Program Files\Common Files\Acronis
2008-06-10 04:22:42 0 d-------- C:\Program Files\Acronis
2008-06-10 02:49:28 0 d-------- C:\WINDOWS\Internet Logs
2008-06-09 10:54:43 0 d-------- C:\Program Files\Trend Micro
2008-06-09 09:07:42 0 d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\Adobe
2008-06-08 12:51:11 0 d-------- C:\Program Files\Reader 8.0
2008-06-07 15:06:49 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-06-07 15:05:59 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-07 15:05:58 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\SUPERAntiSpyware.com
2008-06-05 20:54:36 0 d-------- C:\Program Files\CCleaner
2008-06-04 20:07:45 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-06-04 11:45:49 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-03 08:17:21 0 d-------- C:\Program Files\Common Files\xing shared
2008-06-03 08:16:45 0 d-------- C:\Program Files\Real
2008-06-03 08:16:39 0 d-------- C:\Program Files\Common Files\Real
2008-06-03 08:16:35 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\Real
2008-05-30 08:41:00 0 d-------- C:\Program Files\Alien Skin
2008-05-30 04:09:36 0 d-------- C:\Program Files\Bonjour
2008-05-30 03:48:05 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-26 16:30:42 0 d-------- C:\Program Files\ACW
2008-05-26 09:55:16 0 d-------- C:\Program Files\ePaperPress
2008-05-26 09:38:22 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-05-25 20:32:00 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\Imagenomic
2008-05-25 17:31:23 0 d-------- C:\Program Files\Paint Shop Pro
2008-05-25 17:24:42 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-25 04:14:18 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-23 15:52:58 0 d-------- C:\D
2008-05-23 15:47:52 0 d-------- C:\kkk
2008-05-23 13:45:47 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2008-05-22 18:20:05 0 d-------- C:\Program Files\LimeWire
2008-05-22 18:20:05 0 d-------- C:\Program Files\Ipod Video Converter
2008-05-22 18:17:22 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\InstallShield Installation Information
2008-05-22 18:17:08 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\GRETECH
2008-05-22 18:17:07 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\GRETECH
2008-05-22 18:16:51 0 d-------- C:\Program Files\AVIConverter


-- Find3M Report ---------------------------------------------------------------

2008-06-16 23:22:29 0 d-------- C:\Program Files\Common Files
2008-06-14 16:29:40 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\WinPatrol
2008-06-13 20:31:55 33 --a------ C:\Documents and Settings\Richard Henderson\Application Data\pcouffin.log
2008-06-13 20:31:52 7887 --a------ C:\Documents and Settings\Richard Henderson\Application Data\pcouffin.cat
2008-06-13 20:31:51 1144 --a------ C:\Documents and Settings\Richard Henderson\Application Data\pcouffin.inf
2008-06-12 10:10:50 1368 --a----c- C:\WINDOWS\mozver.dat
2008-06-12 09:52:40 0 d-------- C:\Program Files\Online Services
2008-06-12 09:52:10 0 d-------- C:\Program Files\Windows NT
2008-06-11 15:17:03 0 d-------- C:\Program Files\Java
2008-06-10 02:38:33 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\BitTyrant
2008-06-09 13:33:22 0 d-------- C:\Program Files\FastStone Capture
2008-06-09 08:10:37 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\uTorrent
2008-06-08 05:19:04 0 d-------- C:\Program Files\Windows Media Connect
2008-06-08 05:19:04 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-08 05:19:02 0 d-------- C:\Program Files\SP31763
2008-06-08 05:19:01 0 d-------- C:\Program Files\Messenger
2008-06-08 05:18:59 0 d-------- C:\Program Files\DivX
2008-06-08 05:18:57 0 d-------- C:\Program Files\Altiris
2008-06-07 16:31:59 0 d-------- C:\Program Files\MediaCoder
2008-06-05 00:31:45 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\Mozilla
2008-05-30 04:09:31 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-27 04:56:41 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\Adobe
2008-05-27 01:28:33 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\Shutterfly
2008-05-26 17:06:51 0 d-------- C:\Program Files\Windows Live Writer
2008-05-26 17:06:50 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\IObit
2008-05-25 21:00:11 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\Alien Skin
2008-05-24 04:24:48 0 d-------- C:\Program Files\Movie Maker
2008-05-22 18:17:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-22 18:17:22 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\CoffeeCup Software
2008-05-22 18:17:18 0 d-------- C:\Program Files\ConTEXT
2008-05-22 18:17:08 0 d-------- C:\Program Files\GRETECH
2008-05-22 18:16:43 0 d-------- C:\Program Files\Riva
2008-05-20 15:11:01 0 d-------- C:\Program Files\Canon
2008-05-08 19:53:17 0 d-------- C:\Documents and Settings\Richard Henderson\Application Data\YouSendIt
2008-05-03 12:48:13 0 d-------- C:\Program Files\BitTyrant
2008-05-03 11:31:53 0 d-------- C:\Program Files\IObit
2008-04-17 16:19:32 90668 --a------ C:\WINDOWS\system32\vobis32.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="C:\PROGRAM FILES\Acronis\TRUEIMAGEHOME\TRUEIMAGEMONITOR.EXE" [09/14/2007 02:52 AM]
"AcronisTimounterMonitor"="C:\PROGRAM FILES\Acronis\TRUEIMAGEHOME\TIMOUNTERMONITOR.EXE" [09/14/2007 03:02 AM]
"Acronis Scheduler2 Service"="C:\PROGRAM FILES\COMMON FILES\Acronis\SCHEDULE2\schedhlp.exe" [09/14/2007 02:55 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [01/13/2007 09:46 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/13/2007 09:47 AM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/13/2007 09:47 AM]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [06/17/2008 12:22 AM]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [04/26/2008 12:31 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=,

-- End of Deckard's System Scanner: finished at 2008-06-17 01:55:13 ------------

#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:07 PM

Posted 06 July 2008 - 12:57 PM

Hello Violated,

Welcome to Bleeping Computer :)

Sorry about the delay. :thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:07 PM

Posted 20 July 2008 - 03:19 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic