
Not Sure Of What I Have....


  • This topic is locked
15 replies to this topic

#1 StatusTray

StatusTray

  • Members
  • 8 posts

Posted 27 June 2008 - 04:48 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:39 PM, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\Pamela\Pamela.exe
C:\Program Files\Secway\SimpPro 2.2\SimpPro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\FlashFXP\FlashFXP.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {03739204-C89C-4009-9F0F-5A7F0278563F} - C:\WINDOWS\system32\xxyvsTkH.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: (no name) - {28554485-68D5-4A09-9DAD-A6B709F4674C} - C:\WINDOWS\system32\jkkIAqnl.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7B84D0EF-DCEE-4D3E-9C89-F49BF879527B} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {84942194-3512-4FAC-A724-73CC96A74AD4} - C:\WINDOWS\system32\iiffEuUN.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9E1BB680-A86E-461A-8C96-9A689D05874F} - C:\WINDOWS\system32\fcccBqRl.dll (file missing)
O2 - BHO: (no name) - {ACED1C9F-2718-4512-9F69-F4E28C1F484F} - C:\WINDOWS\system32\iifgfCRj.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E31CE47F-C268-41ba-897B-B415E613947D} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BDSwitchAgent] "c:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ChoiceMail] "C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe"
O4 - HKCU\..\Run: [pamela.exe] "C:\Program Files\Pamela\Pamela.exe"
O4 - HKCU\..\Run: [Simp] C:\Program Files\Secway\SimpPro 2.2\SimpPro.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3169] command /c del "C:\WINDOWS\system32\iiffEuUN.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5916] cmd /c del "C:\WINDOWS\system32\iiffEuUN.dll_old"
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C1355F7F-DF8F-4131-BAF2-2F36DE80E4C3} (SoundRecorder Class) - http://vm.ainweb.net/applet/soundrec.cab
O16 - DPF: {C7C7152F-6E85-44F3-A14B-A7F85FDDEA3B} (InstallerCtrl Class) - http://www.tellmemore-online.com/bin/tol7inst.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC560636-BE92-4FD4-BB64-D666779CF68F}: NameServer = 68.87.74.162,68.87.68.162
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: iifgfCRj - iifgfCRj.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 12921 bytes


#2 StatusTray

StatusTray
  • Topic Starter

  • Members
  • 8 posts

Posted 08 July 2008 - 07:05 PM

Hmmm.... I see my thread has 19 views and I posted this back on 6/27/2008 but haven't received any replies just as yet. Is one of the moderators looking over this post?

Thanks in advance.

Regards,
Statustray

#3 chryssi2001

chryssi2001

  • Members
  • 1,930 posts

Posted 18 July 2008 - 04:34 AM

Hello StatusTray,

I apologise for the delay; the forum is too busy.
----------------------------------------------
RENAME HIJACKTHIS

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Right-click HijackThis.exe, select Rename, rename it to scanner.exe, and post back a new HijackThis log.
Private Messages for personal support will be ignored. If you need help post in the forum.

#4 StatusTray

StatusTray
  • Topic Starter

  • Members
  • 8 posts

Posted 18 July 2008 - 09:18 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:20 AM, on 7/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Pamela\Pamela.exe
C:\Program Files\Secway\SimpPro 2.2\SimpPro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\FlashFXP\FlashFXP.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {03739204-C89C-4009-9F0F-5A7F0278563F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: (no name) - {28554485-68D5-4A09-9DAD-A6B709F4674C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7B84D0EF-DCEE-4D3E-9C89-F49BF879527B} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {84942194-3512-4FAC-A724-73CC96A74AD4} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9E1BB680-A86E-461A-8C96-9A689D05874F} - (no file)
O2 - BHO: (no name) - {ACED1C9F-2718-4512-9F69-F4E28C1F484F} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E31CE47F-C268-41ba-897B-B415E613947D} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingA578] command /c del "C:\WINDOWS\system32\iiffEuUN.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3166] cmd /c del "C:\WINDOWS\system32\iiffEuUN.dll_old"
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [ChoiceMail] "C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe"
O4 - HKCU\..\Run: [pamela.exe] "C:\Program Files\Pamela\Pamela.exe"
O4 - HKCU\..\Run: [Simp] C:\Program Files\Secway\SimpPro 2.2\SimpPro.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3169] command /c del "C:\WINDOWS\system32\iiffEuUN.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5916] cmd /c del "C:\WINDOWS\system32\iiffEuUN.dll_old"
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C1355F7F-DF8F-4131-BAF2-2F36DE80E4C3} (SoundRecorder Class) - http://vm.ainweb.net/applet/soundrec.cab
O16 - DPF: {C7C7152F-6E85-44F3-A14B-A7F85FDDEA3B} (InstallerCtrl Class) - http://www.tellmemore-online.com/bin/tol7inst.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC560636-BE92-4FD4-BB64-D666779CF68F}: NameServer = 68.87.74.162,68.87.68.162
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: iifgfCRj - iifgfCRj.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 13779 bytes
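The two HijackThis logs posted above are the raw material the helper works from. As an added example that is not part of the thread and not HijackThis's own code, here is a small Python triage script for this log format. It parses the `Rn - ` / `On - ` entry lines, flags the entries a reader checks first (O2, O3 and O20 registrations whose DLL is reported as `(file missing)` or `(no file)`, which is what the orphaned BHO and Winlogon Notify entries in both logs look like, and O4 RunOnce entries that delete a file, as the Spybot cleanup lines do), and diffs two logs so the change between the 6/27 and 7/18 posts can be seen at a glance. The sample lines are constructed from the posted log; `parse_entries`, `triage` and `diff_logs` are names chosen for this example.

```python
"""Triage helper for HijackThis v2.0.2 log lines (added example, not HijackThis code).

It flags only what HijackThis itself reports: registrations whose file is missing
and RunOnce entries that delete files. It does not judge file names.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in the format of the posted log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {03739204-C89C-4009-9F0F-5A7F0278563F} - C:\WINDOWS\system32\xxyvsTkH.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingD5916] cmd /c del "C:\WINDOWS\system32\iiffEuUN.dll_old"
O20 - Winlogon Notify: iifgfCRj - iifgfCRj.dll (file missing)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

# Every HijackThis finding starts with a section tag such as "R1 - " or "O23 - ".
# Header lines and the running-process list do not, so they are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Markers HijackThis prints when the registered file is not on disk.
MISSING_MARKERS = ("(file missing)", "(no file)")

# Sections where a missing file means an orphaned browser/logon hook registration.
HOOK_SECTIONS = ("O2", "O3", "O20")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Yield (section, body, raw_line) for each entry line in a HijackThis log."""
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def triage(text):
    """Return the entries worth a first look, in log order."""
    findings = []
    for section, body, raw in parse_entries(text):
        if section in HOOK_SECTIONS and body.endswith(MISSING_MARKERS):
            findings.append(Finding(
                section, "registration points at a missing file (orphaned remnant)", raw))
        elif section == "O4" and "RunOnce" in body and re.search(r"\bdel\b", body, re.I):
            findings.append(Finding(
                section, "RunOnce entry deletes a file (trace of a prior removal)", raw))
    return findings


def diff_logs(old_text, new_text):
    """Return (removed, added) entry lines between two logs of the same machine."""
    old = {raw for _, _, raw in parse_entries(old_text)}
    new = {raw for _, _, raw in parse_entries(new_text)}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The script keys on HijackThis's own `(file missing)` / `(no file)` markers rather than on file names, so it stays reproducible across logs; between the two posted logs, `diff_logs` shows exactly the lines whose status changed from `(file missing)` to `(no file)` once the files were gone.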

#5 chryssi2001

chryssi2001

  • Members
  • 1,930 posts

Posted 18 July 2008 - 03:12 PM

Hello StatusTray,

Is Comcast Cable Communications, Inc. your Internet Provider?
----------------------------------------------
Disable Spybot's TeaTimer. This is a two step process.

Spybot S&D's TeaTimer normally provides real-time protection from spyware; however, it may interfere with what we need to do. We will disable it until the machine is clean, when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, for either version:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.
----------------------------------------------
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
Answer to my question about Comcast Cable Communications, Inc.
Private Messages for personal support will be ignored. If you need help post in the forum.

#6 StatusTray

StatusTray
  • Topic Starter

  • Members
  • 8 posts

Posted 19 July 2008 - 05:54 AM

Combofix log file is attached.
HijackThis log file is attached.
My ISP is: Comcast Cable Communications, Inc.


#7 chryssi2001

chryssi2001

  • Members
  • 1,930 posts

Posted 19 July 2008 - 10:01 AM

Hello StatusTray,

Please do not post reports as attachments again, unless I ask you to.
----------------------------------------------
Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:

C:\WINDOWS\system32\tvbqolmy.avf

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
----------------------------------------------
P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

LimeWire

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you choose not to remove them, please do not use them until this computer is clean.
----------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C:\sqmdata19.sqm
    C:\sqmnoopt19.sqm
    C:\sqmdata18.sqm
    C:\sqmnoopt18.sqm
    C:\sqmdata17.sqm
    C:\sqmnoopt17.sqm
    C:\sqmdata16.sqm
    C:\sqmnoopt16.sqm
    C:\sqmdata15.sqm
    C:\sqmnoopt15.sqm
    C:\sqmdata14.sqm
    C:\sqmnoopt14.sqm
    C:\sqmdata13.sqm
    C:\sqmnoopt13.sqm
    C:\sqmdata12.sqm
    C:\sqmnoopt12.sqm
    C:\sqmdata11.sqm
    C:\sqmnoopt11.sqm
    C:\sqmdata10.sqm
    C:\sqmnoopt10.sqm
    C:\sqmdata09.sqm
    C:\sqmnoopt09.sqm
    C:\sqmdata08.sqm
    C:\sqmnoopt08.sqm
    C:\sqmdata07.sqm
    C:\sqmnoopt07.sqm
    C:\sqmdata06.sqm
    C:\sqmnoopt06.sqm
    C:\sqmdata05.sqm
    C:\sqmnoopt05.sqm
    C:\sqmdata04.sqm
    C:\sqmnoopt04.sqm
    C:\Program Files\Download Direct\DLD.exe
    C:\WINDOWS\TEMP\3c1da7f4-fd05-45b9-a086-b47600e1f407.tmp
    
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "DLD.EXE"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Post back:
Jotti results.
Combofix report.
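A multi-engine report like the one Jotti returns is a list of engine/verdict pairs, and the vendors rarely agree on a name for the same family. The script below is an added example (not part of this thread or of Jotti) that reads a report in that format and turns it into a detection ratio, a list of engines that missed the file, and a family consensus. The sample report is constructed from the scanner output posted later in this thread, and the alias table mapping Vundo/Virtumonde/Virtum/Monder to one family is an assumption of this example.

```python
"""Summarise a multi-engine (Jotti-style) scan report into a family verdict."""
from collections import Counter

# Constructed sample: engine name on one line, verdict on the next, as the
# Jotti page of the time printed it (taken from the report posted in this thread).
SAMPLE_REPORT = """\
A-Squared
Found nothing
AntiVir
Found TR/Vundo.EWS.18
ArcaVir
Found Trojan.Monder.Dm
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found Generic10.ATQF
BitDefender
Found Trojan.Vundo.EWS
ClamAV
Found Trojan.Vundo-4979
Dr.Web
Found Trojan.Virtumod.based.21
F-Prot Antivirus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Monderc.gen
NOD32
Found Win32/Adware.Virtumonde application
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
"""

# Vendor substrings that refer to the same family (assumed alias table).
FAMILY_ALIASES = {
    "vundo": "Vundo",
    "virtumonde": "Vundo",
    "virtumod": "Vundo",
    "virtum": "Vundo",
    "monder": "Vundo",
}


def parse_report(text):
    """Return a list of (engine, verdict) pairs; verdict is None for 'Found nothing'."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    pairs = []
    for engine, verdict in zip(lines[0::2], lines[1::2]):
        if not verdict.startswith("Found"):
            raise ValueError(f"unexpected verdict line for {engine}: {verdict!r}")
        name = verdict[len("Found"):].strip()
        pairs.append((engine, None if name.lower() == "nothing" else name))
    return pairs


def family_of(verdict):
    """Map a vendor detection name to a family name, 'generic', or None."""
    if verdict is None:
        return None
    low = verdict.lower()
    for alias, family in FAMILY_ALIASES.items():
        if alias in low:
            return family
    return "generic"  # e.g. Win32:Trojan-gen, Generic10.ATQF


def summarise(text):
    """Detection ratio, misses and the family most engines agree on."""
    pairs = parse_report(text)
    detected = [(e, v) for e, v in pairs if v is not None]
    families = Counter(family_of(v) for _, v in detected)
    named = {f: n for f, n in families.items() if f != "generic"}
    consensus = max(named, key=named.get) if named else None
    return {
        "engines": len(pairs),
        "detections": len(detected),
        "missed_by": [e for e, v in pairs if v is None],
        "consensus_family": consensus,
        "family_votes": dict(families),
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    print(f"{s['detections']}/{s['engines']} engines flagged the file; "
          f"family consensus: {s['consensus_family']}")
    print("missed by:", ", ".join(s["missed_by"]))
```

The point of the consensus step is that three "Found nothing" verdicts do not make a file clean: the named detections here are all one family under different vendor labels, and the two generic hits agree that it is a trojan.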

#8 StatusTray


Posted 19 July 2008 - 12:46 PM

File: tvbqolmy.avf
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: b94f95bd59cbc1870ff80b8f13f2d711
Packers detected:
-
Scan taken on 19 Jul 2008 17:17:37 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Vundo.EWS.18
ArcaVir
Found Trojan.Monder.Dm
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found Generic10.ATQF
BitDefender
Found Trojan.Vundo.EWS
ClamAV
Found Trojan.Vundo-4979
CPsecure
Found Troj.Dropper.W32.Agent.tdp
Dr.Web
Found Trojan.Virtumod.based.21
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan.Win32.Monderc.gen
Fortinet
Found Virtum!tr
Ikarus
Found Trojan.Win32.Monderc
Kaspersky Anti-Virus
Found Trojan.Win32.Monderc.gen
NOD32
Found Win32/Adware.Virtumonde application
Norman Virus Control
Found Vundo.gen192
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found Trojan.Win32.Monderc.gen


ComboFix 08-07-18.1 - frederic.ducksworth 2008-07-19 13:29:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.274 [GMT -4:00]
Running from: C:\Documents and Settings\frederic.ducksworth\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\frederic.ducksworth\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\Download Direct\DLD.exe
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata13.sqm
C:\sqmdata14.sqm
C:\sqmdata15.sqm
C:\sqmdata16.sqm
C:\sqmdata17.sqm
C:\sqmdata18.sqm
C:\sqmdata19.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt13.sqm
C:\sqmnoopt14.sqm
C:\sqmnoopt15.sqm
C:\sqmnoopt16.sqm
C:\sqmnoopt17.sqm
C:\sqmnoopt18.sqm
C:\sqmnoopt19.sqm
C:\WINDOWS\TEMP\3c1da7f4-fd05-45b9-a086-b47600e1f407.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmdata12.sqm
C:\sqmdata13.sqm
C:\sqmdata14.sqm
C:\sqmdata15.sqm
C:\sqmdata16.sqm
C:\sqmdata17.sqm
C:\sqmdata18.sqm
C:\sqmdata19.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\sqmnoopt12.sqm
C:\sqmnoopt13.sqm
C:\sqmnoopt14.sqm
C:\sqmnoopt15.sqm
C:\sqmnoopt16.sqm
C:\sqmnoopt17.sqm
C:\sqmnoopt18.sqm
C:\sqmnoopt19.sqm

.
((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.

2008-07-16 09:42 . 2008-07-16 09:42 <DIR> d-------- C:\Program Files\iTunes
2008-07-16 09:41 . 2008-07-16 09:41 <DIR> d-------- C:\Program Files\Bonjour
2008-07-15 21:13 . 2008-07-15 21:16 <DIR> d-------- C:\Program Files\Passage Express
2008-07-15 21:13 . 2008-07-15 21:16 <DIR> d-------- C:\Documents and Settings\frederic.ducksworth\Application Data\Passage Express
2008-07-14 22:59 . 2008-07-14 22:59 <DIR> d-------- C:\Documents and Settings\frederic.ducksworth\Application Data\Millennia
2008-07-14 22:06 . 2008-07-14 22:06 <DIR> d-------- C:\Documents and Settings\frederic.ducksworth\Application Data\HP
2008-07-14 22:04 . 2008-07-14 22:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-07-14 22:03 . 2008-07-14 22:03 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-07-14 22:03 . 2008-07-14 22:05 <DIR> d-------- C:\Program Files\Common Files\HP
2008-07-14 22:03 . 2008-07-14 22:03 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-07-14 22:02 . 2008-07-14 22:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-07-14 22:01 . 2007-08-17 21:29 118,272 --a------ C:\WINDOWS\system32\hpz3l4x6.dll
2008-07-14 22:01 . 2001-08-17 13:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-07-14 22:01 . 2001-08-17 13:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2008-07-14 21:58 . 2008-07-14 21:58 <DIR> d-------- C:\WINDOWS\carrier
2008-07-14 21:58 . 2008-07-14 22:05 <DIR> d-------- C:\Program Files\HP
2008-07-14 21:58 . 2007-07-04 22:49 892,928 --a------ C:\WINDOWS\system32\hpwtiop2.dll
2008-07-14 21:58 . 2007-07-04 22:49 675,840 --a------ C:\WINDOWS\system32\hpwwiax2.dll
2008-07-14 21:58 . 2007-07-04 22:48 364,544 --a------ C:\WINDOWS\system32\hppldcoi.dll
2008-07-14 21:58 . 2007-07-04 22:49 294,912 --a------ C:\WINDOWS\system32\hpovst11.dll
2008-07-14 21:58 . 2007-07-04 23:42 258,048 --a------ C:\WINDOWS\system32\hpzids01.dll
2008-07-14 21:58 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-14 21:58 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-07-14 21:56 . 2008-07-14 22:07 150,274 --a------ C:\WINDOWS\hpwins05.dat
2008-07-14 21:52 . 2008-07-14 22:17 <DIR> d-------- C:\ScannedImages
2008-07-14 21:50 . 2007-07-04 23:42 1,275,480 --a------ C:\WINDOWS\hpzshl01.exe
2008-07-14 21:50 . 2007-07-04 23:42 1,132,120 --a------ C:\WINDOWS\hpzmsi01.exe
2008-07-14 21:49 . 2007-09-14 12:11 16,050 --a------ C:\WINDOWS\hpwscr05.dat
2008-07-14 21:49 . 2007-09-14 12:10 4,785 --a------ C:\WINDOWS\hpwmdl05.dat
2008-07-10 00:08 . 2008-07-10 00:08 <DIR> d-------- C:\Program Files\BCL Technologies
2008-07-10 00:05 . 2008-07-10 00:05 <DIR> d-------- C:\Program Files\Microsoft WSE
2008-07-10 00:05 . 2008-07-10 00:08 <DIR> d-------- C:\Program Files\Family Tree Maker 2008
2008-06-29 21:51 . 2008-06-29 21:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\N2Edit
2008-06-29 21:46 . 2008-07-18 20:48 <DIR> d-------- C:\StarGatePortal
2008-06-28 21:04 . 2008-07-09 19:50 <DIR> d-------- C:\Movies
2008-06-27 23:05 . 2008-06-28 18:07 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-27 23:05 . 2008-06-27 23:05 <DIR> d-------- C:\Documents and Settings\frederic.ducksworth\Application Data\PC Tools
2008-06-27 23:05 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-27 23:05 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-27 23:05 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-27 23:05 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-27 17:43 . 2008-06-27 17:43 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-27 17:38 . 2008-06-27 17:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-26 20:37 . 2008-07-14 05:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-26 20:37 . 2008-06-26 20:37 <DIR> d-------- C:\Documents and Settings\frederic.ducksworth\Application Data\Malwarebytes
2008-06-26 20:37 . 2008-06-26 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-26 20:37 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-26 20:37 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-26 17:39 . 2008-06-26 17:40 <DIR> d-------- C:\Images
2008-06-25 18:22 . 2008-06-26 00:02 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-25 18:20 . 2008-07-18 23:38 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-25 18:20 . 2008-06-25 18:20 <DIR> d-------- C:\Program Files\AVG
2008-06-25 18:20 . 2008-06-25 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-25 18:20 . 2008-07-03 22:02 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-25 18:20 . 2008-06-25 18:20 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll.old
2008-06-25 18:20 . 2008-07-03 22:02 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-25 10:43 . 2008-06-25 17:43 15 --a------ C:\WINDOWS\system32\getfile.dat
2008-06-25 10:23 . 2008-06-25 18:14 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-06-25 05:44 . 2008-06-25 05:44 91,136 --a------ C:\WINDOWS\system32\tvbqolmy.avf
2008-06-24 19:46 . 2008-06-24 19:46 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-24 19:45 . 2008-06-28 19:40 <DIR> d-------- C:\temp
2008-06-24 19:41 . 2006-11-13 02:02 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2008-06-24 19:41 . 2006-11-13 02:02 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2008-06-24 19:41 . 2006-11-13 02:02 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2008-06-24 17:23 . 2008-06-24 17:23 268 --ah----- C:\sqmdata03.sqm
2008-06-24 17:23 . 2008-06-24 17:23 244 --ah----- C:\sqmnoopt03.sqm
2008-06-23 17:37 . 2008-07-07 19:29 268 --ah----- C:\sqmdata02.sqm
2008-06-23 17:37 . 2008-07-07 19:29 244 --ah----- C:\sqmnoopt02.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 17:35 --------- d-----w C:\Documents and Settings\frederic.ducksworth\Application Data\Skype
2008-07-19 12:06 --------- d-----w C:\Documents and Settings\frederic.ducksworth\Application Data\skypePM
2008-07-19 09:53 --------- d-----w C:\Program Files\LogMeIn
2008-07-18 14:36 --------- d-----w C:\Program Files\FlashFXP
2008-07-16 16:04 --------- d-----w C:\Program Files\QuickTime
2008-07-16 13:42 --------- d-----w C:\Program Files\iPod
2008-07-14 09:30 --------- d-----w C:\Program Files\Java
2008-07-13 12:55 --------- d-----w C:\Documents and Settings\frederic.ducksworth\Application Data\Kermit 95
2008-07-11 01:45 --------- d-----w C:\Program Files\Trillian
2008-07-10 20:29 --------- d-----w C:\Program Files\Safari
2008-07-10 04:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-10 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-01 21:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-30 20:15 --------- d-----w C:\Documents and Settings\frederic.ducksworth\Application Data\Tyre
2008-06-29 01:18 --------- d-----w C:\Program Files\Tyre
2008-06-29 01:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Tyre
2008-06-28 19:13 --------- d-----w C:\Program Files\Keyfinder Advanced 2007 (Trial Version)
2008-06-28 03:09 --------- d-----w C:\Program Files\TomTom HOME 2
2008-06-26 02:54 --------- d-----w C:\Program Files\Pamela
2008-06-25 22:15 --------- d-----w C:\Program Files\Common Files\Softwin
2008-06-24 23:00 --------- dc-h--w C:\Documents and Settings\All Users\Application Data\{44935D27-4C56-4F98-8549-DDBD99A95EBC}
2008-06-23 20:34 --------- d-----w C:\Program Files\DVDFab 5
2008-06-23 20:34 --------- d-----w C:\Documents and Settings\frederic.ducksworth\Application Data\Vso
2008-06-22 18:03 --------- d-----w C:\Program Files\ttGps Center
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 13:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\TomTom
2008-06-15 13:37 --------- d-----w C:\Documents and Settings\frederic.ducksworth\Application Data\TomTom
2008-06-15 13:35 --------- d-----w C:\Program Files\TomTom DesktopSuite
2008-06-13 18:33 --------- d-----w C:\Program Files\Common Files\Skype
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-26 11:18 --------- d-----w C:\Program Files\NewsLeecher
2008-05-24 23:46 --------- d-----w C:\Program Files\BulletProof FTP Client v2.6
2008-05-24 23:46 --------- d-----w C:\Documents and Settings\frederic.ducksworth\Application Data\BPFTP
2008-05-22 02:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-05-19 19:24 83,288 ----a-w C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-05-19 19:23 87,352 ----a-w C:\WINDOWS\system32\LMIinit.dll
2008-05-19 19:23 24,608 ----a-w C:\WINDOWS\system32\LMIport.dll
2008-05-19 19:23 23,736 ----a-w C:\WINDOWS\system32\lmimirr.dll
2008-05-19 19:23 10,040 ----a-w C:\WINDOWS\system32\lmimirr2.dll
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-25 13:28 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-04-21 06:56 666,624 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-13 01:05 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-11-01 22:18 30,524 ----a-w C:\Documents and Settings\frederic.ducksworth\Application Data\Pamela_Crash_472A50D0.zip
2007-06-10 18:20 47,360 ----a-w C:\Documents and Settings\frederic.ducksworth\Application Data\pcouffin.sys
2008-02-28 18:30 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2008-02-28 18:33 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-19_ 6.35.09.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-19 10:16:49 75,458 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-19 11:03:57 75,458 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-19 10:16:49 456,804 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-19 11:03:57 456,804 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ChoiceMail"="C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe" [2005-04-25 19:10 3518464]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-06-24 11:49 67128]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"pamela.exe"="C:\Program Files\Pamela\Pamela.exe" [2008-02-13 19:57 6451200]
"Simp"="C:\Program Files\Secway\SimpPro 2.2\SimpPro.exe" [2007-08-28 20:10 2347008]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 04:42 202088]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB3169"="command" [X]
"SpybotDeletingD5916"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 10:47 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 10:47 163840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 17:54 127022]
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 18:32 155648]
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 18:31 61440]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 10:20 63048]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 15:21 57344]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-03 22:02 1232152]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]

C:\Documents and Settings\frederic.ducksworth\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2007-12-11 01:00:00 1873280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-06-24 11:49:02 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 16:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifgfCRj]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-19 15:23 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mxmc"= MimicICM.DLL
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"MSVideo1"= CSvidcap.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Tunebite"=C:\Program Files\RapidSolution\Tunebite\Tunebite.exe -tray
"ConferencingNow Launcher"="C:\Documents and Settings\frederic.ducksworth\Application Data\ConferencingNow\TrayLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\IT\\officejet7800\\setup\\HPZnui01.exe"=
"C:\\IT\\officejet7800\\setup\\hponicifs01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-03 22:02]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-03 22:02]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 15:31]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 13:39]
R3 IMmirror;IMmirror;C:\WINDOWS\system32\DRIVERS\IMmirror.sys [2007-11-16 18:29]
S2 FILESpy;FILESpy;C:\Program Files\Softwin\BitDefender9\filespy.sys []
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 10:05]
S3 CV2K1;CommView Network Monitor;C:\WINDOWS\system32\DRIVERS\cv2k1.sys []
S3 VSPerfDrv90;Performance Tools Driver 9.0;C:\Program Files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 17:53]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-11-07 09:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-17 13:39:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{03739204-C89C-4009-9F0F-5A7F0278563F} - (no file)
BHO-{28554485-68D5-4A09-9DAD-A6B709F4674C} - (no file)
BHO-{7B84D0EF-DCEE-4D3E-9C89-F49BF879527B} - (no file)
BHO-{84942194-3512-4FAC-A724-73CC96A74AD4} - (no file)
BHO-{9E1BB680-A86E-461A-8C96-9A689D05874F} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 13:34:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-19 13:41:57
ComboFix-quarantined-files.txt 2008-07-19 17:41:27
ComboFix2.txt 2008-07-19 10:35:37

Pre-Run: 153,062,629,376 bytes free
Post-Run: 153,048,223,744 bytes free

344 --- E O F --- 2008-07-14 10:59:17
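The log above is long, but the findings the helper acts on in the next reply are a handful of lines: a winlogon\notify key with a random-looking name and no file behind it ([BU]), a random-looking 8-letter file in system32, the Windows Firewall switched off with the Security Center warning overridden, and a P2P client in the firewall exception list. The script below is an added example (not part of this thread and not ComboFix's own code) that pulls those classes of line out of a ComboFix-style log and flags them. The sample log is a constructed excerpt of the log posted above; the heuristics (a vowel/consonant test for machine-generated names, the firewall checks, the P2P name list) are assumptions of this example, not ComboFix rules.

```python
"""Triage a ComboFix-style log: pull out the autostart, firewall and new-file
lines that matter and flag the suspicious ones."""
import re

# Constructed excerpt of the log posted above (not a complete log).
SAMPLE_LOG = r"""
2008-06-25 05:44 . 2008-06-25 05:44 91,136 --a------ C:\WINDOWS\system32\tvbqolmy.avf
2008-06-24 19:41 . 2006-11-13 02:02 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2008-06-25 18:20 . 2008-07-03 22:02 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifgfCRj]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-19 15:23 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"""

# Assumed list of P2P client executables (basename without extension).
P2P_NAMES = {"limewire", "bearshare", "kazaa", "emule", "utorrent", "bittorrent", "ares"}

FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \S+ \S+ ([\d,]+) \S+ (\S.*)$")


def looks_random(name):
    """Heuristic for machine-generated names such as the 8-letter Vundo files/keys:
    all letters, 6-10 chars, and either very few vowels or a long consonant run."""
    if not (6 <= len(name) <= 10 and name.isalpha()):
        return False
    low = name.lower()
    vowels = sum(c in "aeiou" for c in low)
    longest_run = max(len(run) for run in re.split(r"[aeiou]", low))
    return vowels / len(low) < 0.25 or longest_run >= 5


def parse_files(log):
    """Yield (path, size) for 'Files Created' lines (directories have no size and are skipped)."""
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            yield m.group(2), int(m.group(1).replace(",", ""))


def parse_registry(log):
    """Return {key: [value lines]} for the REGEDIT4-style blocks; '[BU]' is a value line, not a key."""
    blocks, key = {}, None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]") and "\\" in line:
            key = line[1:-1]
            blocks[key] = []
        elif key and line:
            blocks[key].append(line)
        elif not line:
            key = None
    return blocks


def triage(log):
    """Return a list of (finding, evidence) pairs for a log."""
    findings = []
    for path, _size in parse_files(log):
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\system32\\" in path.lower() and looks_random(stem):
            findings.append(("random-name file in system32", path))
    for key, values in parse_registry(log).items():
        low, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        if "\\winlogon\\notify\\" in low and (values == ["[BU]"] or looks_random(leaf)):
            findings.append(("winlogon notify DLL with no file or random name", key))
        if low.endswith("\\security center") and any(
                'firewalloverride"=dword:00000001' in v.lower() for v in values):
            findings.append(("Security Center firewall warnings overridden", key))
        if low.endswith("\\standardprofile") and any(
                v.replace(" ", "").lower().startswith('"enablefirewall"=0') for v in values):
            findings.append(("Windows Firewall disabled", key))
        if low.endswith("\\authorizedapplications\\list"):
            for v in values:
                exe = v.strip('"=').rsplit("\\\\", 1)[-1].lower()
                if exe.rsplit(".", 1)[0] in P2P_NAMES:
                    findings.append(("P2P client allowed through firewall", v))
    return findings


if __name__ == "__main__":
    for finding, evidence in triage(SAMPLE_LOG):
        print(f"{finding}: {evidence}")
```

The name heuristic is deliberately loose: on this sample it also flags avgrsstx.dll, a legitimate AVG file, so treat the output as a list of candidates to verify by hash or by submission to a multi-engine scanner, not as a verdict.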

#9 chryssi2001


Posted 19 July 2008 - 03:58 PM

Hello StatusTray,

COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.bleepingcomputer.com/forums/t/154660/not-sure-of-what-i-have/
    
    Collect::
    C:\WINDOWS\system32\tvbqolmy.avf
    
    File::
    C:\sqmdata03.sqm
    C:\sqmnoopt03.sqm
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifgfCRj]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
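The two CFScripts in this thread use three directives: File:: (paths to delete), Collect:: (files to quarantine and submit rather than simply delete), and Registry:: with REGEDIT4 syntax, where a key written as [-key] is removed outright and "name"=- removes a single value under the key named on the line above it. The script below is an added example (not part of this thread and not ComboFix's own code) that reads a CFScript and lists what each line would do, which is a useful dry run before dragging the file onto ComboFix.exe. The directive meanings are as commonly documented for ComboFix and are treated here as an assumption; the sample scripts are the two posted in this thread.

```python
"""Dry-run reader for a ComboFix CFScript: lists what each directive would do."""
import re

# The two scripts posted in this thread, reused as sample input.
SCRIPT_1 = r"""File::
C:\sqmdata19.sqm
C:\Program Files\Download Direct\DLD.exe
C:\WINDOWS\TEMP\3c1da7f4-fd05-45b9-a086-b47600e1f407.tmp

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DLD.EXE"=-
"""

SCRIPT_2 = r"""http://www.bleepingcomputer.com/forums/t/154660/not-sure-of-what-i-have/

Collect::
C:\WINDOWS\system32\tvbqolmy.avf

File::
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifgfCRj]
"""

# Assumed meaning of the path directives (see lead-in).
PATH_VERBS = {"File": "delete file", "Collect": "quarantine and submit file", "Folder": "delete folder"}


def parse_cfscript(text):
    """Return (thread_url, {directive: [lines]}); the optional first line is the thread URL."""
    url, sections, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if url is None and current is None and line.lower().startswith("http"):
            url = line
            continue
        m = re.fullmatch(r"([A-Za-z]+)::", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line outside any directive: {line!r}")
        sections[current].append(line)
    return url, sections


def explain(text):
    """Turn a CFScript into (thread_url, [(action, target), ...])."""
    url, sections = parse_cfscript(text)
    actions = []
    for directive, lines in sections.items():
        if directive in PATH_VERBS:
            for p in lines:
                if not re.match(r"^[A-Za-z]:\\", p):
                    raise ValueError(f"{directive}:: expects an absolute path, got {p!r}")
                actions.append((PATH_VERBS[directive], p))
        elif directive == "Registry":
            key = None
            for l in lines:
                if l.startswith("[-") and l.endswith("]"):       # [-key]: remove the whole key
                    actions.append(("delete registry key", l[2:-1]))
                    key = None
                elif l.startswith("[") and l.endswith("]"):      # [key]: following lines apply here
                    key = l[1:-1]
                elif key and re.fullmatch(r'"[^"]+"=-', l):      # "name"=-: remove one value
                    actions.append(("delete registry value", f"{key} -> {l[1:-3]}"))
                elif key and "=" in l:                           # "name"=data: set a value
                    name, _, data = l.partition("=")
                    name = name.strip().strip('"')
                    actions.append(("set registry value", f"{key} -> {name} = {data}"))
                else:
                    raise ValueError(f"unrecognised Registry:: line: {l!r}")
        else:
            actions.append((f"unhandled directive {directive}::", "; ".join(lines)))
    return url, actions


if __name__ == "__main__":
    for script in (SCRIPT_1, SCRIPT_2):
        url, actions = explain(script)
        print("thread:", url or "(none)")
        for action, target in actions:
            print(f"  {action}: {target}")
```

Reading the second script this way makes the difference visible: the Vundo file is collected rather than deleted, so the helper gets a sample, while the orphaned winlogon\notify key, which has no file behind it, is removed entirely.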

#10 StatusTray


Posted 20 July 2008 - 07:46 AM

ComboFix 08-07-18.1 - frederic.ducksworth 2008-07-20 8:17:41.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.398 [GMT -4:00]
Running from: C:\Documents and Settings\frederic.ducksworth\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\frederic.ducksworth\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\WINDOWS\system32\tvbqolmy.avf

.
((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
.

2008-07-16 09:42 . 2008-07-16 09:42 <DIR> d-------- C:\Program Files\iTunes
2008-07-16 09:41 . 2008-07-16 09:41 <DIR> d-------- C:\Program Files\Bonjour
2008-07-15 21:13 . 2008-07-15 21:16 <DIR> d-------- C:\Program Files\Passage Express
2008-07-15 21:13 . 2008-07-15 21:16 <DIR> d-------- C:\Documents and Settings\frederic.ducksworth\Application Data\Passage Express
2008-07-14 22:59 . 2008-07-14 22:59 <DIR> d-------- C:\Documents and Settings\frederic.ducksworth\Application Data\Millennia
2008-07-14 22:06 . 2008-07-14 22:06 <DIR> d-------- C:\Documents and Settings\frederic.ducksworth\Application Data\HP
2008-07-14 22:04 . 2008-07-14 22:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-07-14 22:03 . 2008-07-14 22:03 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-07-14 22:03 . 2008-07-14 22:05 <DIR> d-------- C:\Program Files\Common Files\HP
2008-07-14 22:03 . 2008-07-14 22:03 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-07-14 22:02 . 2008-07-14 22:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-07-14 22:01 . 2007-08-17 21:29 118,272 --a------ C:\WINDOWS\system32\hpz3l4x6.dll
2008-07-14 22:01 . 2001-08-17 13:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-07-14 22:01 . 2001-08-17 13:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2008-07-14 21:58 . 2008-07-14 21:58 <DIR> d-------- C:\WINDOWS\carrier
2008-07-14 21:58 . 2008-07-14 22:05 <DIR> d-------- C:\Program Files\HP
2008-07-14 21:58 . 2007-07-04 22:49 892,928 --a------ C:\WINDOWS\system32\hpwtiop2.dll
2008-07-14 21:58 . 2007-07-04 22:49 675,840 --a------ C:\WINDOWS\system32\hpwwiax2.dll
2008-07-14 21:58 . 2007-07-04 22:48 364,544 --a------ C:\WINDOWS\system32\hppldcoi.dll
2008-07-14 21:58 . 2007-07-04 22:49 294,912 --a------ C:\WINDOWS\system32\hpovst11.dll
2008-07-14 21:58 . 2007-07-04 23:42 258,048 --a------ C:\WINDOWS\system32\hpzids01.dll
2008-07-14 21:58 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-14 21:58 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-07-14 21:56 . 2008-07-14 22:07 150,274 --a------ C:\WINDOWS\hpwins05.dat
2008-07-14 21:52 . 2008-07-14 22:17 <DIR> d-------- C:\ScannedImages
2008-07-14 21:50 . 2007-07-04 23:42 1,275,480 --a------ C:\WINDOWS\hpzshl01.exe
2008-07-14 21:50 . 2007-07-04 23:42 1,132,120 --a------ C:\WINDOWS\hpzmsi01.exe
2008-07-14 21:49 . 2007-09-14 12:11 16,050 --a------ C:\WINDOWS\hpwscr05.dat
2008-07-14 21:49 . 2007-09-14 12:10 4,785 --a------ C:\WINDOWS\hpwmdl05.dat
2008-07-10 00:08 . 2008-07-10 00:08 <DIR> d-------- C:\Program Files\BCL Technologies
2008-07-10 00:05 . 2008-07-10 00:05 <DIR> d-------- C:\Program Files\Microsoft WSE
2008-07-10 00:05 . 2008-07-10 00:08 <DIR> d-------- C:\Program Files\Family Tree Maker 2008
2008-06-29 21:51 . 2008-06-29 21:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\N2Edit
2008-06-29 21:46 . 2008-07-18 20:48 <DIR> d-------- C:\StarGatePortal
2008-06-28 21:04 . 2008-07-09 19:50 <DIR> d-------- C:\Movies
2008-06-27 23:05 . 2008-06-28 18:07 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-27 23:05 . 2008-06-27 23:05 <DIR> d-------- C:\Documents and Settings\frederic.ducksworth\Application Data\PC Tools
2008-06-27 23:05 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-27 23:05 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-27 23:05 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-27 23:05 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-27 17:43 . 2008-06-27 17:43 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-27 17:38 . 2008-06-27 17:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-26 20:37 . 2008-07-14 05:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-26 20:37 . 2008-06-26 20:37 <DIR> d-------- C:\Documents and Settings\frederic.ducksworth\Application Data\Malwarebytes
2008-06-26 20:37 . 2008-06-26 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-26 20:37 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-26 20:37 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-26 17:39 . 2008-06-26 17:40 <DIR> d-------- C:\Images
2008-06-25 18:22 . 2008-06-26 00:02 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-25 18:20 . 2008-07-19 13:56 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-25 18:20 . 2008-06-25 18:20 <DIR> d-------- C:\Program Files\AVG
2008-06-25 18:20 . 2008-06-25 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-25 18:20 . 2008-07-03 22:02 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-25 18:20 . 2008-06-25 18:20 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll.old
2008-06-25 18:20 . 2008-07-03 22:02 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-25 10:43 . 2008-06-25 17:43 15 --a------ C:\WINDOWS\system32\getfile.dat
2008-06-25 10:23 . 2008-06-25 18:14 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-06-24 19:46 . 2008-06-24 19:46 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-24 19:45 . 2008-06-28 19:40 <DIR> d-------- C:\temp
2008-06-24 19:41 . 2006-11-13 02:02 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2008-06-24 19:41 . 2006-11-13 02:02 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2008-06-24 19:41 . 2006-11-13 02:02 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2008-06-23 17:37 . 2008-07-07 19:29 268 --ah----- C:\sqmdata02.sqm
2008-06-23 17:37 . 2008-07-07 19:29 244 --ah----- C:\sqmnoopt02.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-20 12:23 --------- d-----w C:\Documents and Settings\frederic.ducksworth\Application Data\Skype
2008-07-20 12:18 --------- d-----w C:\Program Files\LogMeIn
2008-07-20 12:07 --------- d-----w C:\Documents and Settings\frederic.ducksworth\Application Data\skypePM
2008-07-18 14:36 --------- d-----w C:\Program Files\FlashFXP
2008-07-16 16:04 --------- d-----w C:\Program Files\QuickTime
2008-07-16 13:42 --------- d-----w C:\Program Files\iPod
2008-07-14 09:30 --------- d-----w C:\Program Files\Java
2008-07-13 12:55 --------- d-----w C:\Documents and Settings\frederic.ducksworth\Application Data\Kermit 95
2008-07-11 01:45 --------- d-----w C:\Program Files\Trillian
2008-07-10 20:29 --------- d-----w C:\Program Files\Safari
2008-07-10 04:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-10 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-01 21:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-30 20:15 --------- d-----w C:\Documents and Settings\frederic.ducksworth\Application Data\Tyre
2008-06-29 01:18 --------- d-----w C:\Program Files\Tyre
2008-06-29 01:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Tyre
2008-06-28 19:13 --------- d-----w C:\Program Files\Keyfinder Advanced 2007 (Trial Version)
2008-06-28 03:09 --------- d-----w C:\Program Files\TomTom HOME 2
2008-06-26 02:54 --------- d-----w C:\Program Files\Pamela
2008-06-25 22:15 --------- d-----w C:\Program Files\Common Files\Softwin
2008-06-24 23:00 --------- dc-h--w C:\Documents and Settings\All Users\Application Data\{44935D27-4C56-4F98-8549-DDBD99A95EBC}
2008-06-23 20:34 --------- d-----w C:\Program Files\DVDFab 5
2008-06-23 20:34 --------- d-----w C:\Documents and Settings\frederic.ducksworth\Application Data\Vso
2008-06-22 18:03 --------- d-----w C:\Program Files\ttGps Center
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 13:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\TomTom
2008-06-15 13:37 --------- d-----w C:\Documents and Settings\frederic.ducksworth\Application Data\TomTom
2008-06-15 13:35 --------- d-----w C:\Program Files\TomTom DesktopSuite
2008-06-13 18:33 --------- d-----w C:\Program Files\Common Files\Skype
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-26 11:18 --------- d-----w C:\Program Files\NewsLeecher
2008-05-24 23:46 --------- d-----w C:\Program Files\BulletProof FTP Client v2.6
2008-05-24 23:46 --------- d-----w C:\Documents and Settings\frederic.ducksworth\Application Data\BPFTP
2008-05-22 02:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-05-19 19:24 83,288 ----a-w C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-05-19 19:23 87,352 ----a-w C:\WINDOWS\system32\LMIinit.dll
2008-05-19 19:23 24,608 ----a-w C:\WINDOWS\system32\LMIport.dll
2008-05-19 19:23 23,736 ----a-w C:\WINDOWS\system32\lmimirr.dll
2008-05-19 19:23 10,040 ----a-w C:\WINDOWS\system32\lmimirr2.dll
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-25 13:28 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-04-21 06:56 666,624 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-13 01:05 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-11-01 22:18 30,524 ----a-w C:\Documents and Settings\frederic.ducksworth\Application Data\Pamela_Crash_472A50D0.zip
2007-06-10 18:20 47,360 ----a-w C:\Documents and Settings\frederic.ducksworth\Application Data\pcouffin.sys
2008-02-28 18:30 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2008-02-28 18:33 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-19_ 6.35.09.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-19 10:16:49 75,458 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-19 18:07:27 75,458 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-19 10:16:49 456,804 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-19 18:07:27 456,804 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ChoiceMail"="C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe" [2005-04-25 19:10 3518464]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-06-24 11:49 67128]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"pamela.exe"="C:\Program Files\Pamela\Pamela.exe" [2008-02-13 19:57 6451200]
"Simp"="C:\Program Files\Secway\SimpPro 2.2\SimpPro.exe" [2007-08-28 20:10 2347008]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 04:42 202088]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB3169"="command" [X]
"SpybotDeletingD5916"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 10:47 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 10:47 163840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 17:54 127022]
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 18:32 155648]
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 18:31 61440]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 10:20 63048]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 15:21 57344]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-03 22:02 1232152]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]

C:\Documents and Settings\frederic.ducksworth\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2007-12-11 01:00:00 1873280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-06-24 11:49:02 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 16:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-19 15:23 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mxmc"= MimicICM.DLL
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"MSVideo1"= CSvidcap.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Tunebite"=C:\Program Files\RapidSolution\Tunebite\Tunebite.exe -tray
"ConferencingNow Launcher"="C:\Documents and Settings\frederic.ducksworth\Application Data\ConferencingNow\TrayLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\IT\\officejet7800\\setup\\HPZnui01.exe"=
"C:\\IT\\officejet7800\\setup\\hponicifs01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-03 22:02]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-03 22:02]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 15:31]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 13:39]
R3 IMmirror;IMmirror;C:\WINDOWS\system32\DRIVERS\IMmirror.sys [2007-11-16 18:29]
S2 FILESpy;FILESpy;C:\Program Files\Softwin\BitDefender9\filespy.sys []
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 10:05]
S3 CV2K1;CommView Network Monitor;C:\WINDOWS\system32\DRIVERS\cv2k1.sys []
S3 VSPerfDrv90;Performance Tools Driver 9.0;C:\Program Files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 17:53]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-11-07 09:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-17 13:39:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{03739204-C89C-4009-9F0F-5A7F0278563F} - (no file)
BHO-{28554485-68D5-4A09-9DAD-A6B709F4674C} - (no file)
BHO-{7B84D0EF-DCEE-4D3E-9C89-F49BF879527B} - (no file)
BHO-{84942194-3512-4FAC-A724-73CC96A74AD4} - (no file)
BHO-{9E1BB680-A86E-461A-8C96-9A689D05874F} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 08:23:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-20 8:30:41
ComboFix-quarantined-files.txt 2008-07-20 12:30:36
ComboFix2.txt 2008-07-19 17:41:58
ComboFix3.txt 2008-07-19 10:35:37

Pre-Run: 152,959,258,624 bytes free
Post-Run: 152,954,523,648 bytes free

278 --- E O F --- 2008-07-14 10:59:17

#11 chryssi2001
  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:05:31 PM

Posted 20 July 2008 - 01:42 PM

Hello StatusTray,

Spybot Search & Destroy
  • Double-click to open Spybot S&D.
  • Click on Recovery Button.
  • Put a tick in every item in there, if any.
  • Click on Purge selected Items.
  • Allow it to remove all items.
  • Close Spybot S&D.
----------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
----------------------------------------------
Is the pc running better now?
Private Messages for personal support will be ignored. If you need help post in the forum.

#12 StatusTray
  • Topic Starter
  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:31 AM

Posted 20 July 2008 - 05:58 PM

Thanks so much ;-)

Yes, the PC does appear to be running better now ;-)


===========
Malwarebytes' Anti-Malware 1.21
Database version: 971
Windows 5.1.2600 Service Pack 2

6:55:57 PM 7/20/2008
mbam-log-7-20-2008 (18-55-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 179224
Time elapsed: 1 hour(s), 21 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by StatusTray, 20 July 2008 - 06:09 PM.


#13 chryssi2001
  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:05:31 PM

Posted 21 July 2008 - 12:02 AM

Hello StatusTray,

Thanks so much


You are welcome :)

Yes, the PC does appear to be running better now

:thumbsup:
----------------------------------------------
Update Adobe Reader
Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version, Adobe Reader 9.
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Adobe 9 is a large program and if you prefer a smaller program you can get Foxit 2.0 instead from http://www.foxitsoftware.com/pdf/rd_intro.php
----------------------------------------------
I can't see any firewall in your HijackThis log, so I assume you use the Windows Firewall.

FIREWALL
Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient but it only controls one way of the traffic (inbound). Simply using a Firewall in its default configuration can lower your risk greatly. It's preferable to install one of the suggested firewalls.
Vista users must check compatibility with Vista before installation.

FREE FIREWALLS Tutorial about Firewalls can be found here
----------------------------------------------
Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log.
----------------------------------------------
Post back:
Kaspersky report.
A new HijackThis log.

#14 StatusTray
  • Topic Starter
  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:31 AM

Posted 21 July 2008 - 09:42 PM

Monday, July 21, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, July 21, 2008 20:34:36
Records in database: 981551


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
Z:\

Scan statistics
Files scanned 147243
Threat name 7
Infected objects 17
Suspicious objects 1
Duration of the scan 05:49:32

File name Threat name Threats count
C:\Documents and Settings\frederic.ducksworth\Desktop\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a 2

C:\Documents and Settings\frederic.ducksworth\Desktop\pword viewer\astlog.exe Infected: not-a-virus:PSWTool.Win32.Asterisk.a 1

C:\Documents and Settings\frederic.ducksworth\Downloads\Keystroke Logger\tessp602.rar Infected: not-a-virus:Monitor.Win32.SpyAgent.60006 5

C:\Documents and Settings\frederic.ducksworth\Downloads\Keystroke Logger\tessp602.rar Infected: not-a-virus:Monitor.Win32.SpyAgent.v 1

C:\Documents and Settings\frederic.ducksworth\Downloads\Keystroke Logger\tessp602.rar Infected: not-a-virus:Monitor.Win32.SpyAgent.p 1

C:\Documents and Settings\frederic.ducksworth\Downloads\NeroKeygen8280\Nero-8.2.8.0_eng_update.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1

C:\Documents and Settings\frederic.ducksworth\Local Settings\Application Data\Microsoft\Outlook\backup.pst Infected: not-a-virus:PSWTool.Win32.RAS.a 2

C:\Documents and Settings\frederic.ducksworth\Local Settings\Application Data\Microsoft\Outlook\Copy of Outlook.pst Infected: not-a-virus:PSWTool.Win32.RAS.a 2

C:\Documents and Settings\frederic.ducksworth\Local Settings\Application Data\Microsoft\Outlook\Copy of Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Documents and Settings\frederic.ducksworth\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: not-a-virus:PSWTool.Win32.RAS.a 2

The selected area was scanned.


======
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:48 PM, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\Pamela\Pamela.exe
C:\Program Files\Secway\SimpPro 2.2\SimpPro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E31CE47F-C268-41ba-897B-B415E613947D} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingA578] command /c del "C:\WINDOWS\system32\iiffEuUN.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3166] cmd /c del "C:\WINDOWS\system32\iiffEuUN.dll_old"
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [ChoiceMail] "C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe"
O4 - HKCU\..\Run: [pamela.exe] "C:\Program Files\Pamela\Pamela.exe"
O4 - HKCU\..\Run: [Simp] C:\Program Files\Secway\SimpPro 2.2\SimpPro.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3169] command /c del "C:\WINDOWS\system32\iiffEuUN.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5916] cmd /c del "C:\WINDOWS\system32\iiffEuUN.dll_old"
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C1355F7F-DF8F-4131-BAF2-2F36DE80E4C3} (SoundRecorder Class) - http://vm.ainweb.net/applet/soundrec.cab
O16 - DPF: {C7C7152F-6E85-44F3-A14B-A7F85FDDEA3B} (InstallerCtrl Class) - http://www.tellmemore-online.com/bin/tol7inst.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC560636-BE92-4FD4-BB64-D666779CF68F}: NameServer = 68.87.74.162,68.87.68.162
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 13678 bytes

#15 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:05:31 PM

Posted 22 July 2008 - 06:15 AM

Hello StatusTray,

Disable Spybot's TeaTimer. This is a two step process.

Spybot S&D's TeaTimer normally provides real-time protection from spyware; however, it may interfere with what we need to do. We will disable it until the machine is clean, when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, for either version:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E31CE47F-C268-41ba-897B-B415E613947D} - (no file)
O4 - HKLM\..\RunOnce: [SpybotDeletingA578] command /c del "C:\WINDOWS\system32\iiffEuUN.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3166] cmd /c del "C:\WINDOWS\system32\iiffEuUN.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3169] command /c del "C:\WINDOWS\system32\iiffEuUN.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5916] cmd /c del "C:\WINDOWS\system32\iiffEuUN.dll_old"


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
Your Kaspersky log shows evidence of illegally copied/pirated software present on your hard drive.
Additionally, a keylogger is present in the Kaspersky report.

I have to remove them.

If you need freeware replacements, then take a look here:

http://www.bleepingcomputer.com/forums/topic3616.html
----------------------------------------------
Download and Run OTMoveIt2

Download OTMoveIt2 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt2.exe. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
C:\Documents and Settings\frederic.ducksworth\Desktop\keyfinder.exe
C:\Documents and Settings\frederic.ducksworth\Desktop\pword viewer
C:\Documents and Settings\frederic.ducksworth\Downloads\Keystroke Logger
C:\Documents and Settings\frederic.ducksworth\Downloads\NeroKeygen8280
C:\Documents and Settings\frederic.ducksworth\Local Settings\Application Data\Microsoft\Outlook\backup.pst
C:\Documents and Settings\frederic.ducksworth\Local Settings\Application Data\Microsoft\Outlook\Copy of Outlook.pst
C:\Documents and Settings\frederic.ducksworth\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
C:\WINDOWS\system32\iiffEuUN.dll_old
  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2
----------------------------------------------
Run Kaspersky again.
----------------------------------------------
Post back:
OTMoveIt2 results.
Kaspersky report.
A new HijackThis log.
Private Messages for personal support will be ignored. If you need help post in the forum.
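The "FIX HIJACKTHIS ENTRIES" step above applies two heuristics by hand: an O2 BHO whose DLL is reported as "(no file)" is an orphaned registration, and an O4 RunOnce line whose only job is `cmd /c del ...` is a leftover cleanup command for a file that is still on disk. The script below is an added example (not part of this thread and not a tool the helper used) that runs those same checks over a HijackThis log and, in addition, lists O16 (DPF) ActiveX downloads from hosts outside an assumed Microsoft allow-list and O17 NameServer entries for manual review. The sample log is constructed from lines quoted in this thread plus one benign BHO line (the Adobe Reader helper, an assumption) to show a non-flagged case; the allow-list `TRUSTED_DPF_HOSTS` is an assumption for the example.

```python
"""Triage helper for HijackThis logs (added example, not the forum poster's code)."""
import re
from urllib.parse import urlparse

# Constructed sample: lines quoted in the thread plus one assumed-benign BHO line.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\RunOnce: [SpybotDeletingC3166] cmd /c del "C:\WINDOWS\system32\iiffEuUN.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3169] command /c del "C:\WINDOWS\system32\iiffEuUN.dll_old"
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C1355F7F-DF8F-4131-BAF2-2F36DE80E4C3} (SoundRecorder Class) - http://vm.ainweb.net/applet/soundrec.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC560636-BE92-4FD4-BB64-D666779CF68F}: NameServer = 68.87.74.162,68.87.68.162
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# Assumption for this example: hosts whose ActiveX .cab downloads are not flagged.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")


def parse_line(line):
    """Return (section, body) for an 'Oxx - ...' log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def host_is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def triage(log_text):
    """Return a list of (severity, section, reason, line) findings.

    severity is "fix" for entries HijackThis should remove and "review" for
    entries a human should confirm before acting.
    """
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed
        line = raw.strip()
        if section == "O2" and body.endswith("(no file)"):
            # CLSID still registered as a BHO, but the DLL is gone: orphaned entry.
            findings.append(("fix", section,
                             "BHO CLSID registered but DLL missing (orphaned entry)", line))
        elif section == "O4" and "RunOnce" in body and \
                re.search(r"\b(cmd|command) /c del\b", body, re.I):
            # Delete-on-boot command left behind; the target is still on disk.
            target = re.search(r'del\s+"?([^"]+)"?\s*$', body)
            findings.append(("fix", section,
                             "leftover delete-on-boot command; target still present: "
                             + (target.group(1) if target else "?"), line))
        elif section == "O16":
            # Body ends with the download URL of the ActiveX .cab.
            url = body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or ""
            if not host_is_trusted(host):
                findings.append(("review", section,
                                 "ActiveX .cab downloaded from untrusted host " + host, line))
        elif section == "O17":
            servers = body.split("NameServer = ", 1)[-1].split(",")
            findings.append(("review", section,
                             "DNS servers set to %s; confirm they belong to your ISP"
                             % ", ".join(servers), line))
    return findings


if __name__ == "__main__":
    for severity, section, reason, line in triage(SAMPLE_LOG):
        print("[%s] %s: %s\n    %s" % (severity.upper(), section, reason, line))
```

On the sample above the script marks the "(no file)" BHO and both RunOnce delete commands as "fix", which matches the entries the reply checks in HijackThis, and reports the non-Microsoft .cab download and the NameServer pair for review without marking them bad; benign entries such as the O23 services and the Microsoft-hosted DPF produce no finding.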