
Computer Was Infected With Antivirus Xp 2008


This topic is locked. 11 replies to this topic.

#1 racerxx

Posted 22 July 2008 - 09:43 PM

Hello

I have run Ad-aware, Malwarebytes and ComboFix. Malwarebytes is still reporting:

Files Infected:
C:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> No action taken.

Thanks for taking the time.

Deckard's System Scanner v20071014.68
Run by Sonny on 2008-07-22 21:15:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Sonny.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:57 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Sonny\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sonny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.briggs-freeman.com/links.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208283066286
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208655268640
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Application Management AppMgmtTapiSrvupnphost (AppMgmtTapiSrvupnphost) - Unknown owner - C:\WINDOWS\
O23 - Service: Application Management AppMgmtTapiSrvupnphost AppMgmtTapiSrvupnphostSCardSvr (AppMgmtTapiSrvupnphostSCardSvr) - Unknown owner - C:\WINDOWS\
O23 - Service: Application Management AppMgmtTapiSrvupnphost AppMgmtTapiSrvupnphostSCardSvr AppMgmtTapiSrvupnphostSCardSvrERSvc (AppMgmtTapiSrvupnphostSCardSvrERSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: DNS Client DnscacheThemes (DnscacheThemes) - Unknown owner - C:\WINDOWS\
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Desktop Help Session Manager RDSessMgrwscsvc (RDSessMgrwscsvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Routing and Remote Access RemoteAccessSwPrv (RemoteAccessSwPrv) - Unknown owner - C:\WINDOWS\
O23 - Service: Secondary Logon seclogonLmHosts (seclogonLmHosts) - Unknown owner - C:\WINDOWS\
O23 - Service: Print Spooler SpoolerNla (SpoolerNla) - Unknown owner - C:\WINDOWS\
O23 - Service: Telephony TapiSrvupnphost (TapiSrvupnphost) - Unknown owner - C:\WINDOWS\
O23 - Service: Terminal Services TermServiceLmHosts (TermServiceLmHosts) - Unknown owner - C:\WINDOWS\
O23 - Service: Volume Shadow Copy VSSSpooler (VSSSpooler) - Unknown owner - C:\WINDOWS\
O23 - Service: WebClient WebClientNtmsSvc (WebClientNtmsSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: WMI Performance Adapter WmiApSrvdmserver (WmiApSrvdmserver) - Unknown owner - C:\WINDOWS\

--
End of file - 5456 bytes

-- Files created between 2008-06-22 and 2008-07-22 -----------------------------

2008-07-22 20:23:44 12800 -----n--- C:\WINDOWS\system32\WinNt32.dll
2008-07-22 20:20:58 68096 --a------ C:\WINDOWS\zip.exe
2008-07-22 20:20:58 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-22 20:20:58 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-22 20:20:58 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-22 20:20:58 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-22 20:20:58 98816 --a------ C:\WINDOWS\sed.exe
2008-07-22 20:20:58 80412 --a------ C:\WINDOWS\grep.exe
2008-07-22 20:20:58 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-22 20:10:56 0 d-------- C:\Program Files\Trend Micro
2008-07-22 19:11:00 0 d-------- C:\Program Files\Lavasoft
2008-07-22 19:10:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-22 19:10:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-22 18:51:43 0 dr-hs---- C:\cmdcons
2008-07-22 18:51:40 0 d-------- C:\WINDOWS\setup.pss
2008-07-22 18:51:27 0 d-------- C:\WINDOWS\setupupd
2008-07-15 21:58:14 0 d-------- C:\WINDOWS\pss
2008-07-15 20:56:31 0 d-------- C:\Documents and Settings\Sonny\Application Data\Malwarebytes
2008-07-15 20:56:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-15 20:56:03 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-10 22:40:46 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-10 22:40:46 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-10 22:40:46 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-10 22:40:46 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-10 22:40:46 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-10 22:40:46 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-10 22:40:46 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-10 22:40:46 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-10 22:40:46 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-10 22:40:46 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-10 22:40:46 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-10 22:40:46 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-10 22:40:46 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-10 22:40:46 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-01 08:21:30 0 --a------ C:\WINDOWS\system32\apphelpd.sys
2008-06-27 19:42:44 926031 --ahs---- C:\WINDOWS\system32\amstreamf.sys


-- Find3M Report ---------------------------------------------------------------

2008-07-22 20:56:20 0 d-------- C:\Program Files\Java
2008-07-22 20:23:17 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000000-00001102-00000002-80611102}.dat
2008-07-22 20:23:17 24 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000000-00001102-00000002-80611102}.dat
2008-07-22 19:10:42 0 d-------- C:\Program Files\Common Files
2008-07-15 21:15:10 288 --a-s---- C:\WINDOWS\system32\138147614.dat
2008-05-26 22:57:37 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-24 23:50:24 102006 --a------ C:\WINDOWS\hpoins04.dat
2008-04-24 21:23:35 16 --a------ C:\WINDOWS\popcinfo.dat
2008-04-24 21:03:40 774144 --a------ C:\Program Files\RngInterstitial.dll <Not Verified; RealNetworks, Inc.; RealNetworks, Inc. RngInterstitial>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTWinModem1"="ltmsg.exe" [04/03/2001 10:38 AM C:\WINDOWS\system32\ltmsg.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nta84.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkq06.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ygM30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
"C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
CTHELPER.EXE


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:11 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.briggs-freeman.com/links.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208283066286
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208655268640
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Application Management AppMgmtTapiSrvupnphost (AppMgmtTapiSrvupnphost) - Unknown owner - C:\WINDOWS\
O23 - Service: Application Management AppMgmtTapiSrvupnphost AppMgmtTapiSrvupnphostSCardSvr (AppMgmtTapiSrvupnphostSCardSvr) - Unknown owner - C:\WINDOWS\
O23 - Service: Application Management AppMgmtTapiSrvupnphost AppMgmtTapiSrvupnphostSCardSvr AppMgmtTapiSrvupnphostSCardSvrERSvc (AppMgmtTapiSrvupnphostSCardSvrERSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: DNS Client DnscacheThemes (DnscacheThemes) - Unknown owner - C:\WINDOWS\
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Desktop Help Session Manager RDSessMgrwscsvc (RDSessMgrwscsvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Routing and Remote Access RemoteAccessSwPrv (RemoteAccessSwPrv) - Unknown owner - C:\WINDOWS\
O23 - Service: Secondary Logon seclogonLmHosts (seclogonLmHosts) - Unknown owner - C:\WINDOWS\
O23 - Service: Print Spooler SpoolerNla (SpoolerNla) - Unknown owner - C:\WINDOWS\
O23 - Service: Telephony TapiSrvupnphost (TapiSrvupnphost) - Unknown owner - C:\WINDOWS\
O23 - Service: Terminal Services TermServiceLmHosts (TermServiceLmHosts) - Unknown owner - C:\WINDOWS\
O23 - Service: Volume Shadow Copy VSSSpooler (VSSSpooler) - Unknown owner - C:\WINDOWS\
O23 - Service: WebClient WebClientNtmsSvc (WebClientNtmsSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: WMI Performance Adapter WmiApSrvdmserver (WmiApSrvdmserver) - Unknown owner - C:\WINDOWS\

--
End of file - 5549 bytes


-- End of Deckard's System Scanner: finished at 2008-07-22 21:16:24 ------------
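The O23 entries in the HijackThis log above show the pattern a log reviewer looks for: a display name built by gluing real Windows XP service names together (DNS Client + Themes, Print Spooler + Nla), "Unknown owner", and a bare C:\WINDOWS\ directory where an executable path should be (the later DSS run lists the same services as "file missing"). The checker below is an added example, not code from this thread or from HijackThis; the service vocabulary is a hand-picked set of XP built-in short names (an assumption), and the sample lines are copied from the first log in this post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Short names of Windows XP built-in services (hand-picked vocabulary, an
# assumption of this example). The fake services in the log above are made by
# concatenating two or more of these, e.g. Dnscache + Themes.
KNOWN_XP_SERVICES = {
    "appmgmt", "tapisrv", "upnphost", "scardsvr", "ersvc", "dnscache", "themes",
    "rdsessmgr", "wscsvc", "remoteaccess", "swprv", "seclogon", "lmhosts",
    "spooler", "nla", "termservice", "vss", "webclient", "ntmssvc", "wmiapsrv",
    "dmserver",
}

# HijackThis O23 line layout: "O23 - Service: <display> (<name>) - <owner> - <path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)

# Constructed sample: five O23 lines copied from the first HijackThis log in
# this thread (two legitimate services, three stitched-together ones).
SAMPLE_O23 = [
    "O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe",
    "O23 - Service: Application Management AppMgmtTapiSrvupnphost (AppMgmtTapiSrvupnphost) - Unknown owner - C:\\WINDOWS\\",
    "O23 - Service: DNS Client DnscacheThemes (DnscacheThemes) - Unknown owner - C:\\WINDOWS\\",
    "O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe",
    "O23 - Service: Print Spooler SpoolerNla (SpoolerNla) - Unknown owner - C:\\WINDOWS\\",
]


@dataclass
class O23Entry:
    display: str
    name: str
    owner: str
    path: str
    reasons: List[str] = field(default_factory=list)


def decompose(name: str, vocab) -> Optional[List[str]]:
    """Split name (case-insensitively) into a run of vocabulary words that
    covers it exactly; return None if no such split exists."""
    lower = name.lower()
    words = sorted(vocab, key=len, reverse=True)  # try longest match first
    memo = {}

    def rec(i: int) -> Optional[List[str]]:
        if i == len(lower):
            return []
        if i in memo:
            return memo[i]
        for w in words:
            if lower.startswith(w, i):
                rest = rec(i + len(w))
                if rest is not None:
                    memo[i] = [w] + rest
                    return memo[i]
        memo[i] = None  # no split from this offset; backtrack
        return None

    return rec(0)


def assess(line: str) -> Optional[O23Entry]:
    """Parse one O23 line and attach the reasons (if any) it looks suspicious."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    entry = O23Entry(**m.groupdict())
    if entry.owner.lower() == "unknown owner":
        entry.reasons.append("no vendor recorded for the service binary")
    # A real service points at an image file; a bare directory cannot be started.
    if not re.search(r"\.(exe|dll|sys)\b", entry.path, re.IGNORECASE):
        entry.reasons.append("image path names no executable (bare directory)")
    if entry.name.lower() not in KNOWN_XP_SERVICES:
        parts = decompose(entry.name, KNOWN_XP_SERVICES)
        if parts and len(parts) >= 2:
            entry.reasons.append(
                "name is a concatenation of real XP service names: " + " + ".join(parts)
            )
    return entry


def suspicious_services(lines) -> List[O23Entry]:
    """Return the parsed O23 entries that carry at least one reason."""
    found = []
    for line in lines:
        entry = assess(line)
        if entry is not None and entry.reasons:
            found.append(entry)
    return found


if __name__ == "__main__":
    for e in suspicious_services(SAMPLE_O23):
        print(f"{e.name}: " + "; ".join(e.reasons))
```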

#2 SNOWHITE (missy malware magnet)

Posted 07 August 2008 - 12:28 PM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below, a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


If you already performed the steps above, we still need to see the current state of the machine; a fresh scan and logs are still necessary.

  • Click on Start, then click on Run.
  • Copy and paste the following in bold in the open window and then click OK:
    "%userprofile%\desktop\dss.exe" /config
  • This will open up the DSS configuration.
  • Click on Check All.
  • Click Scan.
  • DSS will now run again. When finished, please post back both logs that open in Notepad: main.txt and extra.txt.



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with dss reports main.txt, extra.txt and Kaspersky report.

Regards
SNOWHITE

#3 racerxx (Topic Starter)

Posted 15 August 2008 - 12:52 PM

I'm sorry it has taken me so long to respond back. Thanks for taking the time to look at this.

Your help is very appreciated.


----------------------------------------------------------------------------------------------------------------


KASPERSKY ONLINE SCANNER 7 REPORT
Friday, August 15, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 14, 2008 15:05:08
Records in database: 1093320


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\
H:\

Scan statistics
Files scanned 134770
Threat name 13
Infected objects 54
Suspicious objects 0
Duration of the scan 02:48:07

File name Threat name Threats count
C:\WINDOWS\system32\winlogon.exe/C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.aa 1

C:\WINDOWS\system32\services.exe/C:\WINDOWS\system32\services.exe Infected: Trojan.Win32.Patched.aa 1

C:\WINDOWS\system32\lsass.exe/C:\WINDOWS\system32\lsass.exe Infected: Trojan.Win32.Patched.aa 1

C:\WINDOWS\system32\svchost.exe/C:\WINDOWS\system32\svchost.exe Infected: Trojan.Win32.Patched.aa 3

C:\WINDOWS\System32\svchost.exe/C:\WINDOWS\System32\svchost.exe Infected: Trojan.Win32.Patched.aa 3

C:\WINDOWS\Explorer.EXE/C:\WINDOWS\Explorer.EXE Infected: Trojan.Win32.Patched.aa 1

C:\Program Files\CrossLoop\VNCHOOKS.DLL/C:\Program Files\CrossLoop\VNCHOOKS.DLL Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 13

C:\WINDOWS\system32\spoolsv.exe/C:\WINDOWS\system32\spoolsv.exe Infected: Trojan.Win32.Patched.aa 1

winvnc.exe\winvnc.exe/winvnc.exe\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1

C:\Program Files\CrossLoop\winvnc.exe/C:\Program Files\CrossLoop\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1

C:\Documents and Settings\Sonny\Local Settings\Temporary Internet Files\Content.IE5\QL48SYJP\crossloopsetup[1].exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1

C:\Documents and Settings\Sonny\Local Settings\Temporary Internet Files\Content.IE5\QL48SYJP\crossloopsetup[1].exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1

C:\Program Files\CrossLoop\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1

C:\Program Files\CrossLoop\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Winci30.sys.vir Infected: Trojan-Downloader.Win32.Mutant.aim 1

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ygM30.sys.vir Infected: Trojan-Dropper.Win32.Agent.stj 1

C:\WINDOWS\explorer.exe Infected: Trojan.Win32.Patched.aa 1

C:\WINDOWS\system32\lsass.exe Infected: Trojan.Win32.Patched.aa 1

C:\WINDOWS\system32\services.exe Infected: Trojan.Win32.Patched.aa 1

C:\WINDOWS\system32\spoolsv.exe Infected: Trojan.Win32.Patched.aa 1

C:\WINDOWS\system32\svchost.exe Infected: Trojan.Win32.Patched.aa 1

C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.aa 1

C:\WINDOWS\system32\WinNt32.dll Infected: Trojan-Downloader.Win32.Mutant.adh 1

---------------------------------------------------------------------------------------------------------


Deckard's System Scanner v20071014.68
Run by Sonny on 2008-08-14 08:33:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-08-14 13:33:19 UTC - RP1 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as Sonny.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:40 AM, on 8/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sonny\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sonny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.briggs-freeman.com/links.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208283066286
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208655268640
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Application Management AppMgmtTapiSrvupnphost (AppMgmtTapiSrvupnphost) - Unknown owner - C:\WINDOWS\
O23 - Service: Application Management AppMgmtTapiSrvupnphost AppMgmtTapiSrvupnphostSCardSvr (AppMgmtTapiSrvupnphostSCardSvr) - Unknown owner - C:\WINDOWS\
O23 - Service: Application Management AppMgmtTapiSrvupnphost AppMgmtTapiSrvupnphostSCardSvr AppMgmtTapiSrvupnphostSCardSvrERSvc (AppMgmtTapiSrvupnphostSCardSvrERSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: DNS Client DnscacheThemes (DnscacheThemes) - Unknown owner - C:\WINDOWS\
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Desktop Help Session Manager RDSessMgrwscsvc (RDSessMgrwscsvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Routing and Remote Access RemoteAccessSwPrv (RemoteAccessSwPrv) - Unknown owner - C:\WINDOWS\
O23 - Service: Secondary Logon seclogonLmHosts (seclogonLmHosts) - Unknown owner - C:\WINDOWS\
O23 - Service: Print Spooler SpoolerNla (SpoolerNla) - Unknown owner - C:\WINDOWS\
O23 - Service: Telephony TapiSrvupnphost (TapiSrvupnphost) - Unknown owner - C:\WINDOWS\
O23 - Service: Terminal Services TermServiceLmHosts (TermServiceLmHosts) - Unknown owner - C:\WINDOWS\
O23 - Service: Volume Shadow Copy VSSSpooler (VSSSpooler) - Unknown owner - C:\WINDOWS\
O23 - Service: WebClient WebClientNtmsSvc (WebClientNtmsSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: WMI Performance Adapter WmiApSrvdmserver (WmiApSrvdmserver) - Unknown owner - C:\WINDOWS\

--
End of file - 5724 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Nta84 - c:\windows\system32\drivers\nta84.sys

S0 Winkq06 - c:\windows\system32\drivers\winkq06.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 AppMgmtTapiSrvupnphost (Application Management AppMgmtTapiSrvupnphost) - %|x srv (file missing)
S2 AppMgmtTapiSrvupnphostSCardSvr (Application Management AppMgmtTapiSrvupnphost AppMgmtTapiSrvupnphostSCardSvr) - %|x srv (file missing)
S2 AppMgmtTapiSrvupnphostSCardSvrERSvc (Application Management AppMgmtTapiSrvupnphost AppMgmtTapiSrvupnphostSCardSvr AppMgmtTapiSrvupnphostSCardSvrERSvc) - %|x srv (file missing)
S2 DnscacheThemes (DNS Client DnscacheThemes) - %|x srv (file missing)
S2 RDSessMgrwscsvc (Remote Desktop Help Session Manager RDSessMgrwscsvc) - %|x srv (file missing)
S2 RemoteAccessSwPrv (Routing and Remote Access RemoteAccessSwPrv) - %|x srv (file missing)
S2 seclogonLmHosts (Secondary Logon seclogonLmHosts) - %|x srv (file missing)
S2 SpoolerNla (Print Spooler SpoolerNla) - %|x srv (file missing)
S2 TapiSrvupnphost (Telephony TapiSrvupnphost) - %|x srv (file missing)
S2 TermServiceLmHosts (Terminal Services TermServiceLmHosts) - %|x srv (file missing)
S2 VSSSpooler (Volume Shadow Copy VSSSpooler) - %|x srv (file missing)
S2 WebClientNtmsSvc (WebClient WebClientNtmsSvc) - %|x srv (file missing)
S2 WmiApSrvdmserver (WMI Performance Adapter WmiApSrvdmserver) - %|x srv (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_01321028&REV_01\3&267A616A&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_01321028&REV_01\3&267A616A&0&FD
Service:


-- Process Modules -------------------------------------------------------------

All modules okay.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-14 03:18:48 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-07-14 and 2008-08-14 -----------------------------

2008-08-02 20:36:31 0 d-------- C:\Program Files\Windows Defender
2008-07-28 18:06:38 0 d-------- C:\Program Files\Western Digital Technologies
2008-07-23 18:14:25 0 d-------- C:\Program Files\CrossLoop
2008-07-22 20:23:44 12800 --a------ C:\WINDOWS\system32\WinNt32.dll
2008-07-22 20:20:58 68096 --a------ C:\WINDOWS\zip.exe
2008-07-22 20:20:58 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-22 20:20:58 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-22 20:20:58 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-22 20:20:58 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-22 20:20:58 98816 --a------ C:\WINDOWS\sed.exe
2008-07-22 20:20:58 80412 --a------ C:\WINDOWS\grep.exe
2008-07-22 20:20:58 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-22 20:10:56 0 d-------- C:\Program Files\Trend Micro
2008-07-22 19:11:00 0 d-------- C:\Program Files\Lavasoft
2008-07-22 19:10:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-22 19:10:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-22 18:51:43 0 dr-hs---- C:\cmdcons
2008-07-22 18:51:40 0 d-------- C:\WINDOWS\setup.pss
2008-07-22 18:51:27 0 d-------- C:\WINDOWS\setupupd
2008-07-15 21:58:14 0 d-------- C:\WINDOWS\pss
2008-07-15 20:56:31 0 d-------- C:\Documents and Settings\Sonny\Application Data\Malwarebytes
2008-07-15 20:56:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-15 20:56:03 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware


-- Find3M Report ---------------------------------------------------------------

2008-08-14 03:15:01 0 d-------- C:\Program Files\Messenger
2008-08-14 03:14:08 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000000-00001102-00000002-80611102}.dat
2008-08-14 03:14:08 24 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000000-00001102-00000002-80611102}.dat
2008-07-22 20:56:20 0 d-------- C:\Program Files\Java
2008-07-22 19:10:42 0 d-------- C:\Program Files\Common Files
2008-07-15 21:15:10 288 --a-s---- C:\WINDOWS\system32\138147614.dat
2008-07-15 21:13:44 926031 --ahs---- C:\WINDOWS\system32\amstreamf.sys
2008-07-15 20:49:27 0 --a------ C:\WINDOWS\system32\apphelpd.sys


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTWinModem1"="ltmsg.exe" [04/03/2001 10:38 AM C:\WINDOWS\system32\ltmsg.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nta84.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkq06.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ygM30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
"C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
CTHELPER.EXE




-- End of Deckard's System Scanner: finished at 2008-08-14 08:35:06 ------------


-------------------------------------------------------------------------------------------------------------------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.80GHz
Percentage of Memory in Use: 17%
Physical Memory (total/avail): 2046.8 MiB / 1689.79 MiB
Pagefile Memory (total/avail): 3943.59 MiB / 3707.02 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1923.29 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 298.08 GiB total, 261.28 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Fixed (FAT32) - 111.72 GiB total, 88.91 GiB free.
H: is Fixed (FAT32) - 931.28 GiB total, 581.65 GiB free.

\\.\PHYSICALDRIVE1 - WDC WD1200JB-75CRA0 - 111.76 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 111.75 GiB - F:

\\.\PHYSICALDRIVE0 - WDC WD3200AAJB-00TYA0 - 298.09 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 298.08 GiB - C:

\\.\PHYSICALDRIVE2 - WD 10EACS External USB Device - 931.51 GiB - 1 partition
\PARTITION0 - Unknown - 931.51 GiB - H:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"="C:\\Program Files\\CrossLoop\\CrossLoopConnect.exe:*:Enabled:CrossLoop - Simple Secure Screen Sharing"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Sonny\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SONNY-W5C8K6CS3
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Sonny
LOGONSERVER=\\SONNY-W5C8K6CS3
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Sonny\LOCALS~1\Temp
TMP=C:\DOCUME~1\Sonny\LOCALS~1\Temp
USERDOMAIN=SONNY-W5C8K6CS3
USERNAME=Sonny
USERPROFILE=C:\Documents and Settings\Sonny
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Sonny (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBLive\Program\Ctzapxx.EXE" /X /U /S
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58582977-44D2-44A0-A09B-031CC2AE5938}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58582977-44D2-44A0-A09B-031CC2AE5938}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
CrossLoop 2.20 --> "C:\Program Files\CrossLoop\unins000.exe"
DW Remote5.0.6.2 --> "C:\WINDOWS\DW Remote\uninstall.exe" "/U:C:\Program Files\Digital Witness\DW Remote5.0.5.0\irunin.xml"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Driver Diagnostics --> MsiExec.exe /X{624D19C3-D55D-4368-BC10-9B53036D8358}
HP PSC & Officejet 4.2 Corporate Edition --> "C:\Program Files\HP\Digital Imaging\{AC1314E7-D28C-40A1-B322-80D2868D35CE}\setup\hpzscr01.exe" -datfile hposcr04.dat
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Lucent Win Modem --> C:\WINDOWS\system32\ltremove.exe -s
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MyODBC --> MsiExec.exe /X{29042B1C-0713-4575-B7CA-5C8E7B0899D4}
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\system32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
RealArcade --> C:\Program Files\Real\RealArcade\Update\rnuninst.exe RealNetworks|RealArcade|1.2
Sound Blaster Live! Web 2K/XP --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}\Setup.exe" -l0x9
VP6 Decoder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D064F16E-88DA-4E8F-BBAE-0E2AA9A6AE61}\Setup.exe" -l0x9
WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type219 / Error
Event Submitted/Written: 08/14/2008 08:34:28 AM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

Event Record #/Type216 / Warning
Event Submitted/Written: 08/14/2008 03:13:44 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type202 / Error
Event Submitted/Written: 08/02/2008 08:45:16 PM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
EventType mptelemetry, P1 80070002, P2 updatedefinitions, P3 unspecified, P4 1.1.2965.0, P5 mpsigstub.exe, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Event Record #/Type198 / Error
Event Submitted/Written: 07/30/2008 05:30:26 PM
Event ID/Source: 1013 / MsiInstaller
Event Description:
Product: Adobe Reader 8 -- Setup has detected that you already have a more functional product installed. Setup will now terminate.

Event Record #/Type197 / Error
Event Submitted/Written: 07/29/2008 11:45:07 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application msimn.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2334 / Warning
Event Submitted/Written: 08/14/2008 08:33:55 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%SONNY-W5C8K6CS327 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SONNY-W5C8K6CS327 can't undo changes that you allow.

For more information please see the following:
%SONNY-W5C8K6CS3275

Scan ID: {7B6514AB-7CD3-47C0-887C-9B0744D657F9}

User: SONNY-W5C8K6CS3\Sonny

Name: %SONNY-W5C8K6CS3271

ID: %SONNY-W5C8K6CS3272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SONNY-W5C8K6CS3276

Alert Type: %SONNY-W5C8K6CS3278

Detection Type: 1.1.1593.02

Event Record #/Type2333 / Warning
Event Submitted/Written: 08/14/2008 08:33:55 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%SONNY-W5C8K6CS327 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SONNY-W5C8K6CS327 can't undo changes that you allow.

For more information please see the following:
%SONNY-W5C8K6CS3275

Scan ID: {D36C3133-5FE9-4A39-A098-38FC6DB650A3}

User: SONNY-W5C8K6CS3\Sonny

Name: %SONNY-W5C8K6CS3271

ID: %SONNY-W5C8K6CS3272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SONNY-W5C8K6CS3276

Alert Type: %SONNY-W5C8K6CS3278

Detection Type: 1.1.1593.02

Event Record #/Type2332 / Warning
Event Submitted/Written: 08/14/2008 08:33:55 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%SONNY-W5C8K6CS327 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SONNY-W5C8K6CS327 can't undo changes that you allow.

For more information please see the following:
%SONNY-W5C8K6CS3275

Scan ID: {FDC6E156-F703-4365-8ECF-41F08D19CBC5}

User: SONNY-W5C8K6CS3\Sonny

Name: %SONNY-W5C8K6CS3271

ID: %SONNY-W5C8K6CS3272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SONNY-W5C8K6CS3276

Alert Type: %SONNY-W5C8K6CS3278

Detection Type: 1.1.1593.02

Event Record #/Type2331 / Warning
Event Submitted/Written: 08/14/2008 08:33:52 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%SONNY-W5C8K6CS327 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SONNY-W5C8K6CS327 can't undo changes that you allow.

For more information please see the following:
%SONNY-W5C8K6CS3275

Scan ID: {24563E5A-2E49-4730-B08C-22220EA9E9E7}

User: SONNY-W5C8K6CS3\Sonny

Name: %SONNY-W5C8K6CS3271

ID: %SONNY-W5C8K6CS3272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SONNY-W5C8K6CS3276

Alert Type: %SONNY-W5C8K6CS3278

Detection Type: 1.1.1593.02

Event Record #/Type2330 / Warning
Event Submitted/Written: 08/14/2008 08:33:52 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%SONNY-W5C8K6CS327 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SONNY-W5C8K6CS327 can't undo changes that you allow.

For more information please see the following:
%SONNY-W5C8K6CS3275

Scan ID: {33239E99-F34C-4872-8752-F9039A2D5EBD}

User: SONNY-W5C8K6CS3\Sonny

Name: %SONNY-W5C8K6CS3271

ID: %SONNY-W5C8K6CS3272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %SONNY-W5C8K6CS3276

Alert Type: %SONNY-W5C8K6CS3278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-08-14 08:35:06 ------------
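The HijackThis O23 entries and the DSS "Services" list in the log above share a pattern that is worth checking mechanically during triage: service names made of two or three legitimate Windows service names glued together (DnscacheThemes, SpoolerNla, VSSSpooler), an "Unknown owner", an image path that is only a bare directory, and a "(file missing)" verdict. The following Python script is an added example, not code from this thread or from any BleepingComputer tool. It parses a constructed subset of the lines shown above and flags the entries that match; the set of known service short names is assumed from the names visible in the log, and a real audit would use the full list from a clean reference system.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis (O23) and DSS (S2) lines from the log above.
SAMPLE_LOG = r"""
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Application Management AppMgmtTapiSrvupnphost (AppMgmtTapiSrvupnphost) - Unknown owner - C:\WINDOWS\
O23 - Service: DNS Client DnscacheThemes (DnscacheThemes) - Unknown owner - C:\WINDOWS\
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Volume Shadow Copy VSSSpooler (VSSSpooler) - Unknown owner - C:\WINDOWS\
S2 AppMgmtTapiSrvupnphost (Application Management AppMgmtTapiSrvupnphost) - %|x srv (file missing)
S2 DnscacheThemes (DNS Client DnscacheThemes) - %|x srv (file missing)
S2 VSSSpooler (Volume Shadow Copy VSSSpooler) - %|x srv (file missing)
"""

# HijackThis O23 line: "O23 - Service: <display> (<short name>) - <owner> - <image path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?) \((?P<name>[^()]+)\) - (?P<owner>.*?) - (?P<path>.*)$"
)
# DSS service line: "S<start type> <short name> (<display>) - <binary or verdict>"
SVC_RE = re.compile(r"^S(?P<start>[0-4]) (?P<name>\S+) \((?P<display>.*?)\) - (?P<rest>.*)$")

# Assumed list of legitimate XP service short names, taken from the names seen in the log.
KNOWN_SERVICE_NAMES = frozenset({
    "appmgmt", "tapisrv", "upnphost", "scardsvr", "ersvc", "dnscache", "themes",
    "rdsessmgr", "wscsvc", "remoteaccess", "swprv", "seclogon", "lmhosts", "spooler",
    "nla", "termservice", "vss", "webclient", "ntmssvc", "wmiapsrv", "dmserver",
})


def split_known(name):
    """Return the known service names whose concatenation spells `name`
    (case-insensitive) when at least two are needed; otherwise None."""
    n = name.lower()
    reach = {0: []}  # end offset -> list of tokens that reach it
    for i in range(len(n)):
        if i not in reach:
            continue
        for tok in KNOWN_SERVICE_NAMES:
            if n.startswith(tok, i):
                j = i + len(tok)
                if j not in reach:
                    reach[j] = reach[i] + [tok]
    parts = reach.get(len(n))
    return parts if parts and len(parts) >= 2 else None


def audit_services(log_text):
    """Map each suspicious service short name to the list of reasons it was flagged."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            name = m["name"]
            if m["owner"] == "Unknown owner":
                findings[name].append("unknown owner")
            if not m["path"] or m["path"].endswith("\\"):
                findings[name].append("image path is a bare directory: " + m["path"])
            parts = split_known(name)
            if parts:
                findings[name].append("name concatenates known service names: " + "+".join(parts))
            continue
        m = SVC_RE.match(line)
        if m and "(file missing)" in m["rest"]:
            findings[m["name"]].append("start type %s but binary missing" % m["start"])
    return dict(findings)


if __name__ == "__main__":
    for svc, reasons in sorted(audit_services(SAMPLE_LOG).items()):
        print(svc)
        for r in reasons:
            print("    -", r)
```

Services that trip several of these checks at once are the ones to remove or, better, to inspect in the registry under HKLM\SYSTEM\CurrentControlSet\Services before a cleanup tool runs, so the service keys can be exported as evidence. Legitimate entries such as aawservice and NVSvc produce no finding.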

#4 SNOWHITE (missy malware magnet; Members, 2,676 posts; Location: Bitola, Macedonia)

Posted 16 August 2008 - 12:38 PM

Hello racerxx,

Don't worry about your delay, I am busy as well. Let's try to clean your computer; you have some nasty infections in there. Please follow these steps:

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. To see how to disable security programs, visit this tutorial: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Regards,
SNOWHITE

#5 SNOWHITE

Posted 29 August 2008 - 08:19 PM

racerxx, do you still need help?
SNOWHITE

#6 racerxx (Topic Starter)

Posted 02 September 2008 - 02:07 PM

Sorry, I've been out of town. Let me try combo fix and I'll post back. Thanks again.

#7 SNOWHITE

Posted 06 September 2008 - 04:22 PM

> Sorry, I've been out of town. Let me try combo fix and I'll post back. Thanks again.

Hello racerxx,

How are things going? Can I see the ComboFix log?

Regards
SNOWHITE

#8 racerxx (Topic Starter)

Posted 07 September 2008 - 10:19 AM

Ok, here it is. Sorry it has taken so long and thanks again for your help!

ComboFix 08-09-05.03 - Sonny 2008-09-07 9:59:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1555 [GMT -5:00]
Running from: C:\Documents and Settings\Sonny\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Sonny\Cookies\sonny@ehg-dig.hitbox[1].txt
C:\WINDOWS\system32\WinNt32.dll
H:\Autorun.inf
C:\WINDOWS\system32\WinNt32.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.

2008-09-07 10:03 . 2008-09-07 10:03 12,800 --------- C:\WINDOWS\system32\WinNt32.dll
2008-08-13 21:41 . 2008-05-01 09:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-08 13:06 . 2004-08-04 02:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-08 13:06 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 14:53 --------- d-----w C:\Program Files\CrossLoop
2008-08-03 01:36 --------- d-----w C:\Program Files\Windows Defender
2008-08-02 19:51 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 01:07 38,472 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-31 01:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-07-28 23:06 --------- d-----w C:\Program Files\Western Digital Technologies
2008-07-23 01:56 --------- d-----w C:\Program Files\Java
2008-07-23 01:10 --------- d-----w C:\Program Files\Trend Micro
2008-07-23 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-23 00:11 --------- d-----w C:\Program Files\Lavasoft
2008-07-23 00:10 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-16 01:56 --------- d-----w C:\Documents and Settings\Sonny\Application Data\Malwarebytes
2008-07-16 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 02:03 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2008-05-26 23:55 49,152 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051720080518\index.dat
.

------- Sigcheck -------

2002-09-03 12:05 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 02:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 02:56 17408 9810e25160212ad38f7da6d9a089df51 C:\WINDOWS\system32\svchost.exe

2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 05:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2002-09-03 12:06 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 01:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 12:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2004-08-04 01:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2gdr\tcpip.sys
2008-06-20 05:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 05:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINDOWS\system32\drivers\tcpip.sys

2002-09-03 12:12 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 02:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 02:56 506368 34edfbb077ab4065ff546c028dc08134 C:\WINDOWS\system32\winlogon.exe

2007-06-13 05:23 1035776 d231f0bebfa23d55742ad00dcab72cca C:\WINDOWS\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2002-09-03 11:32 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 02:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2004-08-04 02:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2002-09-03 11:59 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 02:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe
2004-08-04 02:56 110592 bfe07a29fbfe123d5708eadcd75e011b C:\WINDOWS\system32\services.exe

2002-09-03 11:39 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 02:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-04 02:56 14848 3a4525be40a7dfe05f70b4b72451062d C:\WINDOWS\system32\lsass.exe

2005-06-10 19:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2002-09-03 12:04 51200 9b4155ba58192d4073082b8fc5d42612 C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 02:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2004-08-04 02:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2005-06-10 18:53 58880 d8b91a98e268745709a68fbb91b653ea C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot@2008-07-22_20.25.23.78 )))))))))))))))))))))))))))))))))))))))))
.
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"LTWinModem1"="ltmsg.exe" [2001-04-03 C:\WINDOWS\system32\ltmsg.exe]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nta84.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkq06.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ygM30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a------ 2001-11-29 01:00 28672 C:\Program Files\Creative\SBLive\Program\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-07-28 15:19 4841472 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-07-28 15:19 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a------ 2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=

R0 Nta84;Nta84;C:\WINDOWS\system32\Drivers\Nta84.sys [2008-06-05 28032]
S0 Winkq06;Winkq06;C:\WINDOWS\system32\Drivers\Winkq06.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.briggs-freeman.com/links.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 10:04:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgmtTapiSrvupnphost]
"ImagePath"="%|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgmtTapiSrvupnphostSCardSvr]
"ImagePath"="%|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgmtTapiSrvupnphostSCardSvrERSvc]
"ImagePath"="%|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DnscacheThemes]
"ImagePath"="%|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgrwscsvc]
"ImagePath"="%|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccessSwPrv]
"ImagePath"="%|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogonLmHosts]
"ImagePath"="%|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SpoolerNla]
"ImagePath"="%|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrvupnphost]
"ImagePath"="%|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermServiceLmHosts]
"ImagePath"="%|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSSSpooler]
"ImagePath"="%|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClientNtmsSvc]
"ImagePath"="%|x\01\09 srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrvdmserver]
"ImagePath"="%|x\01\09 srv"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-09-07 10:06:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-07 15:06:44
ComboFix2.txt 2008-07-23 01:25:46

Pre-Run: 279,482,494,976 bytes free
Post-Run: 279,950,725,120 bytes free

434 --- E O F --- 2008-09-06 06:03:47



__________________________________________________________________________________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:30 AM, on 9/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\CrossLoop\CrossLoopConnect.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\CrossLoop\winvnc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.briggs-freeman.com/links.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208283066286
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208655268640
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Application Management AppMgmtTapiSrvupnphost (AppMgmtTapiSrvupnphost) - Unknown owner - C:\WINDOWS\
O23 - Service: Application Management AppMgmtTapiSrvupnphost AppMgmtTapiSrvupnphostSCardSvr (AppMgmtTapiSrvupnphostSCardSvr) - Unknown owner - C:\WINDOWS\
O23 - Service: Application Management AppMgmtTapiSrvupnphost AppMgmtTapiSrvupnphostSCardSvr AppMgmtTapiSrvupnphostSCardSvrERSvc (AppMgmtTapiSrvupnphostSCardSvrERSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: DNS Client DnscacheThemes (DnscacheThemes) - Unknown owner - C:\WINDOWS\
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Desktop Help Session Manager RDSessMgrwscsvc (RDSessMgrwscsvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Routing and Remote Access RemoteAccessSwPrv (RemoteAccessSwPrv) - Unknown owner - C:\WINDOWS\
O23 - Service: Secondary Logon seclogonLmHosts (seclogonLmHosts) - Unknown owner - C:\WINDOWS\
O23 - Service: Print Spooler SpoolerNla (SpoolerNla) - Unknown owner - C:\WINDOWS\
O23 - Service: Telephony TapiSrvupnphost (TapiSrvupnphost) - Unknown owner - C:\WINDOWS\
O23 - Service: Terminal Services TermServiceLmHosts (TermServiceLmHosts) - Unknown owner - C:\WINDOWS\
O23 - Service: Volume Shadow Copy VSSSpooler (VSSSpooler) - Unknown owner - C:\WINDOWS\
O23 - Service: WebClient WebClientNtmsSvc (WebClientNtmsSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: WMI Performance Adapter WmiApSrvdmserver (WmiApSrvdmserver) - Unknown owner - C:\WINDOWS\

--
End of file - 5384 bytes
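The O23 entries in the HijackThis log above, together with the `"ImagePath"="%|x\01\09 srv"` values in the ComboFix registry dump, show what the bogus services look like: legitimate XP service short names glued together, "Unknown owner", and a binary path that is only the bare `C:\WINDOWS\` directory. As an added example that is not part of this thread and not code from HijackThis or ComboFix, the Python below scores O23 lines on those three indicators; the KNOWN_XP_SERVICES list and the sample lines are constructed for the example from what appears in the log.

```python
"""Flag the bogus service entries visible in HijackThis O23 lines and the
ComboFix registry dump. Added example for this thread, not part of the
original post or of HijackThis/ComboFix.

Three indicators taken from the logs are scored per O23 line:
  1. the service short name is several legitimate XP service names glued together,
  2. the reported binary is a bare directory (C:\\WINDOWS\\) or not an executable,
  3. the owner is "Unknown owner" (no version resource was found for the binary).
A single indicator is weak (many legitimate services show "Unknown owner"),
so an entry is reported only when at least two of them fire.
"""
import re

# Legitimate Windows XP service short names that appear fused in the log above.
# Constructed for this example; a full list would come from a clean XP machine.
KNOWN_XP_SERVICES = sorted({
    "AppMgmt", "TapiSrv", "upnphost", "SCardSvr", "ERSvc", "Dnscache", "Themes",
    "RDSessMgr", "wscsvc", "RemoteAccess", "SwPrv", "seclogon", "LmHosts",
    "Spooler", "Nla", "TermService", "VSS", "WebClient", "NtmsSvc", "WmiApSrv",
    "dmserver", "NVSvc", "aawservice",
}, key=len, reverse=True)

# "O23 - Service: <display name> (<short name>) - <owner> - <binary path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)

# A plausible ImagePath starts with a drive letter, %SystemRoot%/%windir%,
# \SystemRoot\, \??\ or a system32-relative path; "%|x\01\09 srv" matches none.
IMAGEPATH_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\|%SystemRoot%|%windir%|\\SystemRoot\\|\\\?\?\\|system32\\)', re.I
)

# ImagePath value copied from the ComboFix registry dump in this thread.
SAMPLE_IMAGEPATH = r"%|x\01\09 srv"


def segment(name, known=KNOWN_XP_SERVICES):
    """Split name into known service names whose concatenation equals it.

    Returns the list of parts, or None if name is not built only from known
    names. Memoised recursion, trying the longest known names first.
    """
    memo = {}

    def go(i):
        if i == len(name):
            return []
        if i in memo:
            return memo[i]
        result = None
        for k in known:
            if name.startswith(k, i):
                rest = go(i + len(k))
                if rest is not None:
                    result = [k] + rest
                    break
        memo[i] = result
        return result

    return go(0)


def imagepath_plausible(value):
    """True if a registry ImagePath string looks like a real binary location."""
    return bool(IMAGEPATH_RE.match(value.strip()))


def assess_o23(line):
    """Score one O23 line; returns None for lines that are not O23 entries."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    name, owner, path = m["name"], m["owner"], m["path"].strip()
    reasons = []
    parts = segment(name)
    if parts and len(parts) > 1:
        reasons.append("name fuses %d legitimate service names: %s"
                       % (len(parts), " + ".join(parts)))
    if path.endswith("\\") or not re.search(r"\.(exe|dll|sys)$", path, re.I):
        reasons.append("binary path is not an executable: %s" % path)
    if owner.lower() == "unknown owner":
        reasons.append("no file owner/version information")
    return {"name": name, "path": path, "reasons": reasons,
            "suspicious": len(reasons) >= 2}


def scan(lines):
    """Return the assessments of every suspicious O23 entry among lines."""
    return [a for a in map(assess_o23, lines) if a and a["suspicious"]]


# O23 lines copied from the HijackThis log in this thread (backslashes doubled).
SAMPLE_O23 = [
    "O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe",
    "O23 - Service: Application Management AppMgmtTapiSrvupnphost AppMgmtTapiSrvupnphostSCardSvr AppMgmtTapiSrvupnphostSCardSvrERSvc (AppMgmtTapiSrvupnphostSCardSvrERSvc) - Unknown owner - C:\\WINDOWS\\",
    "O23 - Service: DNS Client DnscacheThemes (DnscacheThemes) - Unknown owner - C:\\WINDOWS\\",
    "O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe",
    "O23 - Service: Volume Shadow Copy VSSSpooler (VSSSpooler) - Unknown owner - C:\\WINDOWS\\",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_O23):
        print(hit["name"], "->", "; ".join(hit["reasons"]))
    print("ImagePath %r plausible: %s" % (SAMPLE_IMAGEPATH, imagepath_plausible(SAMPLE_IMAGEPATH)))
```

Run against a full HijackThis log, the three fused-name services above are reported while the Lavasoft and NVIDIA services pass; the same name-segmentation check is the quickest way to tell the fused entries from the legitimate services they imitate.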

#9 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:07:51 PM

Posted 07 September 2008 - 03:07 PM

Hello again racerxx,

Unfortunately I don't have good news for you. The computer has a file infector and a lot of damage has already been done; many services are deleted. This infection also has backdoor functionality, which allows hackers to remotely control your computer, steal critical system information, and download and execute files. Use a known secure computer to change all of your online passwords and contact your bank and credit card company about possible unauthorized transactions. If you have any flash drives (USB etc.) that you have used on the infected computer, check them with an antivirus or online scanner to see if they are infected; also, if your computer shares a network with other computers, disconnect them, and you will need to check the rest of the computers for infection. I personally hate the word reformat, but in cases like this, when a file infector is involved, the best action is to reformat.

Do you have recovery CD?

Regards
SNOWHITE

#10 racerxx

racerxx
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:51 PM

Posted 07 September 2008 - 04:25 PM

Snowhite,

Thanks for all your help. Yes, I have the CD. I guess it's time to save off data and reformat. Thanks again for looking at these log files.

-racerxx

#11 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:07:51 PM

Posted 09 September 2008 - 08:12 PM

Hello again racerxx,

The best would be not to back up any exe or scr files, even if they are inside a zip or rar. You can back up music, pictures and documents. If you decide to back up exe/scr files as well, scan them with an online scanner such as Kaspersky or VirusTotal.

If you need help with reformatting, see this tutorial: http://spyware-free.us/tutorials/reformat/

Let me know if you need help.

Regards
SNOWHITE

#12 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:07:51 PM

Posted 21 September 2008 - 04:25 AM

As the problem here seems to be resolved this topic is now closed.
To get it reopened PM a staff member with the address of this thread.
This applies to the topic starter only, everyone else with similar problems start a new topic.

Thank you
SNOWHITE