Vundo, Virtumonde Infections?


11 replies to this topic

#1 kenda

  • Members
  • 8 posts

Posted 04 August 2008 - 09:01 AM

Hi there.

I'm trying to help a friend sort out his computer, but I seem to be in an endless loop of spyware problems that keep reinfecting his laptop. Vundo, Adtech, Virtumonde and similar programs appear to be the problem. I have tried running various anti-spyware programs and VundoFix to no avail. As well as various popups appearing in Firefox, he has also lost C: and the DVD drive from My Computer, but I can see the C: drive (but not the DVD) via 'Explore All' when right-clicking the Start button. By creating a new user account I can see both C: and the DVD with no problems. There are other problems as well, such as Automatic Updates refusing to activate no matter what I try (manually restarting services etc.). He is running XP Home SP3.

Any help would be appreciated.


Deckard's System Scanner v20071014.68
Run by Dug Blair on 2008-08-04 15:44:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-08-04 13:44:11 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-04 15:49:14
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Tenebril\SpyCatcher\ProtectorSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Softwin\BitDefender9\bdnagent.exe
C:\Program Files\Softwin\BitDefender9\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files\Softwin\BitDefender9\bdswitch.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Dug Blair\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {084D86EB-2BE2-4493-9064-9C0F5C8BE173} - C:\WINDOWS\system32\wvUljgDS.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {3b13fccf-a40f-cf89-6984-b7d09dee05a9} - {9a50eed9-0d7b-4896-98fc-f04afccf31b3} - C:\WINDOWS\system32\qcviic.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar4.dll
O3 - Toolbar: fdkowvbp - {6F3905A7-AA9F-4858-A8AD-6294CAEC1A68} - (no file)
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender9\bdnagent.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Program Files\Softwin\BitDefender9\bdswitch.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZRfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (file missing)
O9 - Extra button: (no name) - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://memberservices.tesco.net (HKCU)
O15 - Trusted Zone: https://register.tesco.net (HKCU)
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} () - http://pictures.aolcdn.com/ap/Resources/1....ns.10.1.0.0.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149534543703
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - AppInit_DLLs: sockspy.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: insc42 - C:\WINDOWS\system32\insc42.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\Program Files\MyWebSearch\bar\4.bin\MWSSVC.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
O23 - Service: Protector - Tenebril Inc. - C:\Program Files\Tenebril\SpyCatcher\ProtectorSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\system32\TuneUpDefragService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender9\vsserv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


--
End of file - 10077 bytes

-- File Associations -----------------------------------------------------------

.bat - unable to read key
.bat - unable to read key
.bat - unable to read key
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.js - unable to read key
.js - unable to read key
.pif - unable to read key
.reg - reg_auto_file - DefaultIcon - unable to read value
.reg - reg_auto_file - shell\open\command - "C:\WINDOWS\regedit.exe" "%1"
.reg - reg_auto_file - shell\edit\command - unable to read value
.scr - unable to read key


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 bdftdif (BitDefender Firewall TDI Filter) - c:\program files\common files\softwin\bitdefender firewall\bdftdif.sys <Not Verified; Softwin SRL; BitDefender 9 Internet Security>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.0.1) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.0.1>
R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys
R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; WIDCOMM, Inc.; Bluetooth Software 1.4.3 Build 4>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 Bdfndisf (BitDefender Firewall NDIS Filter Service) - c:\windows\system32\drivers\bdfndisf.sys <Not Verified; Softwin SRL; BitDefender 9 Internet Security>

S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys
S3 grmnusb - c:\windows\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>
S3 LVUSBSta (Logitech USB Monitor Filter) - c:\windows\system32\drivers\lvusbsta.sys (file missing)
S3 PID_0928 (Logitech QuickCam Express(PID_0928)) - c:\windows\system32\drivers\lv561av.sys (file missing)
S3 PPPoEWin (PPPoEWin Miniport) - c:\windows\system32\drivers\pppoewin.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AcrSch2Svc (Acronis Scheduler2 Service) - "c:\program files\common files\acronis\schedule2\schedul2.exe" <Not Verified; Acronis; Acronis Scheduler 2>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 WLANKEEPER - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSOFSet Service>

S2 MyWebSearchService (My Web Search Service) - c:\progra~1\mywebs~1\bar\4.bin\mwssvc.exe <Not Verified; MyWebSearch.com; My Web Search Bar>
S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia 6234
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6234
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-08-04 15:33:42 494 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2008-08-04 14:00:34 1472 --a------ C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job
2008-07-26 16:17:09 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-08-04 15:27:57 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-08-04 14:09:49 0 d-------- C:\Documents and Settings\Test\Application Data\Google
2008-08-04 14:00:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-08-04 14:00:06 0 d-------- C:\Program Files\Webroot
2008-08-04 14:00:06 0 d-------- C:\Documents and Settings\Test\Application Data\Webroot
2008-08-04 14:00:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-08-04 13:50:38 0 d-------- C:\VundoFix Backups
2008-08-04 13:04:44 0 d-------- C:\Documents and Settings\Test\Application Data\TuneUp Software
2008-08-04 12:31:30 0 d-------- C:\Documents and Settings\Test\Application Data\Macromedia
2008-08-04 12:31:28 0 d-------- C:\Documents and Settings\Test\Application Data\Adobe
2008-08-04 12:29:17 0 d-------- C:\Documents and Settings\Test\Application Data\Mozilla
2008-08-04 09:47:09 0 d-------- C:\Documents and Settings\Test\Application Data\SUPERAntiSpyware.com
2008-08-04 08:59:22 0 d-------- C:\Program Files\7-Zip
2008-08-04 08:35:05 0 dr-h----- C:\Documents and Settings\Dug Blair\Recent
2008-08-04 08:24:45 0 d-------- C:\Program Files\CCleaner
2008-08-03 23:17:04 0 d-------- C:\Documents and Settings\Test\Application Data\BitDefender
2008-08-03 23:13:39 0 d-------- C:\Documents and Settings\Test\Application Data\Jasc Software Inc
2008-08-03 23:13:39 0 d-------- C:\Documents and Settings\Test\Application Data\Intel
2008-08-03 23:13:39 0 d-------- C:\Documents and Settings\Test\Application Data\Identities
2008-08-03 23:13:39 0 d--h----- C:\Documents and Settings\Test\Application Data\Gtek
2008-08-03 23:13:38 0 d--h----- C:\Documents and Settings\Test\Templates
2008-08-03 23:13:38 0 dr------- C:\Documents and Settings\Test\Start Menu
2008-08-03 23:13:38 0 dr-h----- C:\Documents and Settings\Test\SendTo
2008-08-03 23:13:38 0 dr-h----- C:\Documents and Settings\Test\Recent
2008-08-03 23:13:38 0 d--h----- C:\Documents and Settings\Test\PrintHood
2008-08-03 23:13:38 0 d--h----- C:\Documents and Settings\Test\NetHood
2008-08-03 23:13:38 0 dr------- C:\Documents and Settings\Test\My Documents
2008-08-03 23:13:38 0 d--h----- C:\Documents and Settings\Test\Local Settings
2008-08-03 23:13:38 0 dr------- C:\Documents and Settings\Test\Favorites
2008-08-03 23:13:38 0 d-------- C:\Documents and Settings\Test\Desktop
2008-08-03 23:13:38 0 d--hs---- C:\Documents and Settings\Test\Cookies
2008-08-03 23:13:38 0 dr-h----- C:\Documents and Settings\Test\Application Data
2008-08-03 23:13:38 0 d-------- C:\Documents and Settings\Test\Application Data\You've Got Pictures Screensaver
2008-08-03 23:13:38 0 d-------- C:\Documents and Settings\Test\Application Data\Symantec
2008-08-03 23:13:38 0 d-------- C:\Documents and Settings\Test\Application Data\Sun
2008-08-03 23:13:38 0 d---s---- C:\Documents and Settings\Test\Application Data\Microsoft
2008-08-03 23:13:37 1310720 --ah----- C:\Documents and Settings\Test\NTUSER.DAT
2008-08-03 19:22:15 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-03 19:21:44 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-03 19:21:43 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\SUPERAntiSpyware.com
2008-08-03 19:15:04 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-08-03 19:08:34 0 d-------- C:\WINDOWS\system32\SpycatcherAgentSetupTemp
2008-08-03 19:07:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Tenebril
2008-08-03 19:07:29 0 d-------- C:\Program Files\Tenebril
2008-08-03 17:37:28 0 d-------- C:\Program Files\Spyware Doctor
2008-08-03 16:01:48 0 d-------- C:\WINDOWS\system32\NtmsData
2008-08-03 15:09:19 130432 --a------ C:\WINDOWS\system32\jeaevsoo.dll
2008-08-03 15:06:19 98688 --a------ C:\WINDOWS\system32\pvkfeiil.dll
2008-08-03 14:06:16 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-08-03 14:05:12 15 --a------ C:\WINDOWS\system32\getfile.dat
2008-08-03 14:01:44 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\BitDefender
2008-08-03 13:57:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-08-03 10:58:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-03 10:41:50 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\TuneUp Software
2008-08-03 10:41:16 0 d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-08-03 10:41:12 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-08-03 10:38:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-02 19:02:41 98688 --a------ C:\WINDOWS\system32\mxtwibij.dll
2008-08-02 19:02:37 130432 --a------ C:\WINDOWS\system32\fbkqyl.dll
2008-08-02 19:02:36 130432 --a------ C:\WINDOWS\system32\oqjruvks.dll
2008-08-02 18:58:59 8040 --ahs---- C:\WINDOWS\system32\SDgjlUvw.ini2
2008-08-02 18:58:53 322816 -----n--- C:\WINDOWS\system32\wvUljgDS.dll
2008-08-02 12:25:24 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\TmpRecentIcons
2008-07-31 13:56:20 0 d-------- C:\Program Files\MediaMonkey
2008-07-31 12:18:03 0 d-------- C:\Program Files\PixiePack Codec Pack
2008-07-31 12:16:42 0 d-------- C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-07-31 12:16:05 0 d-------- C:\Program Files\RapidSolution
2008-07-30 19:16:55 0 d--h----- C:\$hf_mig$
2008-07-30 18:45:11 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-30 17:36:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-07-30 17:32:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-07-30 17:29:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-07-30 17:29:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-30 17:29:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-07-30 17:29:17 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-30 17:29:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-07-30 17:29:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-07-30 17:29:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-07-30 17:29:17 0 d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-07-30 17:29:16 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-30 17:29:16 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-30 17:29:16 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-30 17:29:16 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-30 17:29:16 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-30 17:29:16 1110016 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-30 17:29:16 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-30 17:29:16 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-07-30 17:29:16 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-30 17:29:16 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-07-30 17:29:16 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-30 17:29:16 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-30 17:29:16 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-20 12:41:16 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\OpenOffice.org2


-- Find3M Report ---------------------------------------------------------------

2008-08-04 15:19:17 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\Mozilla
2008-08-03 22:41:54 0 d-a------ C:\Program Files\Common Files
2008-08-03 16:20:47 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-08-03 15:50:07 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\Skype
2008-08-03 12:31:16 0 d-------- C:\Program Files\Nokia
2008-08-03 12:26:41 0 d-------- C:\Program Files\Jasc Software Inc
2008-08-03 12:18:23 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\Lavasoft
2008-08-03 10:11:22 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\skypePM
2008-08-01 11:56:20 0 d-------- C:\Program Files\Google
2008-08-01 11:56:18 1401 --a------ C:\Documents and Settings\Dug Blair\Application Data\.googlewebacchosts
2008-07-27 13:18:07 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\LimeWire
2008-07-22 15:49:36 0 d-------- C:\Program Files\Lx_cats
2008-07-20 13:09:32 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\Thunderbird
2008-07-18 14:08:32 0 d-------- C:\Program Files\iTunes
2008-07-18 14:08:13 0 d-------- C:\Program Files\iPod
2008-07-18 14:06:55 0 d-------- C:\Program Files\QuickTime
2008-07-17 18:08:30 0 d-------- C:\Program Files\Java
2008-07-02 06:44:17 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-07-02 06:43:48 0 d-------- C:\Program Files\Common Files\Skype
2008-06-21 22:24:09 0 d-------- C:\Program Files\Messenger
2008-06-21 22:23:45 0 d-------- C:\Program Files\Movie Maker
2008-06-21 22:20:26 0 d-------- C:\Program Files\Windows NT
2008-06-12 14:32:46 0 d-------- C:\Program Files\PC Connectivity Solution


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{084D86EB-2BE2-4493-9064-9C0F5C8BE173}]
02/08/2008 18:58 322816 --------- C:\WINDOWS\system32\wvUljgDS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9a50eed9-0d7b-4896-98fc-f04afccf31b3}]
C:\WINDOWS\system32\qcviic.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender9\bdnagent.exe" [09/06/2005 10:28]
"BDMCon"="C:\Program Files\Softwin\BitDefender9\bdmcon.exe" [20/04/2006 11:48]
"BDOESRV"="C:\Program Files\Softwin\BitDefender9\bdoesrv.exe" [11/03/2005 17:53]
"BDSwitchAgent"="C:\Program Files\Softwin\BitDefender9\bdswitch.exe" [06/04/2005 13:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"NoDispCPL"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"NoStartMenuMorePrograms"=0 (0x0)
"NoSetFolders"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\insc42]
insc42.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 07/09/2004 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap C:\WINDOWS\system32\wvUljgDS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Active Desktop Calendar"=C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
"b83a26a4"=rundll32.exe "C:\WINDOWS\system32\pvkfeiil.dll",b
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
bthsvcs BthServ
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3233d8bf-6810-11da-b9b5-0011f5588ca4}]
AutoRun\command- E:\setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe



-- End of Deckard's System Scanner: finished at 2008-08-04 15:52:49 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.73GHz
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 1023.37 MiB / 553.96 MiB
Pagefile Memory (total/avail): 2457.78 MiB / 2104.6 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.05 MiB

C: is Fixed (NTFS) - 52.8 GiB total, 36.66 GiB free.
D: is CDROM (No Media)
F: is Removable (FAT32)

\\.\PHYSICALDRIVE0 - Hitachi HTS541060G9AT00 - 55.89 GiB - 3 partitions
\PARTITION0 - Unknown - 86.26 MiB
\PARTITION1 (bootable) - Installable File System - 52.8 GiB - C:
\PARTITION2 - Unknown - 3 GiB

\\.\PHYSICALDRIVE1 - LEXAR JUMPDRIVE SECURE USB Device - 964.84 MiB - 1 partition
\PARTITION0 - Unknown - 967.48 MiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Dug Blair\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DOUGLAS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Dug Blair
LOGONSERVER=\\DOUGLAS
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\DUGBLA~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\DUGBLA~1\LOCALS~1\Temp
USERDOMAIN=DOUGLAS
USERNAME=Dug Blair
USERPROFILE=C:\Documents and Settings\Dug Blair
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Dug Blair (admin)
Test (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.57 --> "C:\Program Files\7-Zip\Uninstall.exe"
ABBYY FineReader 6.0 Sprint --> MsiExec.exe /I{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Acronis True Image --> C:\Program Files\Acronis\TrueImage\MediaBuilder.exe -uninstall
Acronis True Image Home --> MsiExec.exe /X{633A06C3-B709-479A-AAB3-5EE94AD9EE4B}
Active Desktop Calendar 7.57 --> "C:\Program Files\XemiComputers\Active Desktop Calendar\unins000.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 7.0.7 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
Apple Mobile Device Support --> MsiExec.exe /I{35B91753-5789-4517-9CF1-2CCE3A8CF4F1}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ArcSoft Panorama Maker 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1CABB679-3958-44AA-BFFF-4E68A2684255}\Setup.exe" -l0x9 -uninst
Ashampoo WinOptimizer Platinum Suite 2 --> "C:\Program Files\Ashampoo\Ashampoo WinOptimizer Platinum Suite 2\Uninstall\WOPS2_Uninstall.exe"
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
BitDefender 9 Internet Security --> MsiExec.exe /I{42280236-AC62-47AC-93B7-11987FA39C8D}
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CIT200 --> MsiExec.exe /X{9CDEC547-A505-47CA-991C-DB65F3C0CB87}
Conexant D110 MDC V.9x Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
CutePDF Printer Setup --> C:\WINDOWS\system32\UnCutePP.exe
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Media Experience --> MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
Dell Picture Studio v3.0 --> MsiExec.exe /I{AF06CAE4-C134-44B1-B699-14FBDB63BD37}
Dell Support 5.0.0 (630) --> rundll32 C:\PROGRA~1\DELLSU~1\AUInst.dll,ExUninstall
Dell System Restore -->
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
DMX Update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BE8913B7-B2C4-48BE-8A26-84390FF4F231}\Setup.exe" -l0x9 -L0x9 /SMAINT
Garmin USB Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C24C3F25-CC7F-41D5-B03D-24F8059BABAD}\setup.exe" -l0x9 AddRemove
Garmin WebUpdater --> MsiExec.exe /X{366FFC89-C800-4366-B903-B9C4314109A5}
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HTML Slideshow Powertoy for Windows XP --> MsiExec.exe /I{4E475FD4-4513-4B1D-8DDA-43912B068C99}
Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
Internal Network Card Power Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F528948-0E80-4C96-B455-DE4167CB1DF7}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
iPod for Windows 2006-06-28 -->
iPod for Windows 2006-06-28 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BD57EA4D-026E-4F08-9B93-080E282B81FE} /l1033
iTunes --> MsiExec.exe /I{EF6C4600-306D-4F6A-A119-C2A877D25B4A}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Lexmark 4300 Series --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxceUNST.EXE -NOLICENSE
Lexmark Fax Solutions --> C:\Program Files\Lexmark Fax Solutions\Install\x86\Uninst.exe
LinguaSaver_11 --> C:\WINDOWS\system32\LinguaSaver_11.scr /u
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
MediaMonkey 3.0 --> "C:\Program Files\MediaMonkey\unins000.exe"
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft User-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.16) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSVC80_x86 --> MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
mToolkit --> MsiExec.exe /I{CA9BAADB-C262-4E05-B2E2-CEE8CE9809EC}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{4F1DCA42-2030-437C-A94E-736692A499C1}
PC Connectivity Solution --> MsiExec.exe /I{AC599724-5755-48C1-ABE7-ABB857652930}
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PixiePack Codec Pack --> MsiExec.exe /I{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}
PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALL APPDRVNT4 - ALL
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Radiotracker --> MsiExec.exe /I{E01AFDD5-1395-4826-A8AC-FEC0CEAB3852}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Skype™ 3.8 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Software para Impressoras EPSON --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD LE --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpyCatcher 5.1 --> MsiExec.exe /I{F0137EB8-1B6E-480B-8676-CE8A293F9FB8}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Tesco internet access dialler --> rundll32 C:\PROGRA~1\Tesconet\RyDial.dll,Uninstall
TuneUp Utilities 2008 --> MsiExec.exe /I{5888428E-699C-4E71-BF71-94EE06B497DA}
VideoCAM Slim USB2 --> C:\WINDOWS\System\WCamRmv.exe
VideoCAM Slim USB2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{43695674-7C8B-494D-A88D-F36C703A4993}\Setup.exe" -l0x9
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VoipCheapCom --> "C:\Program Files\VoipCheapCom\unins000.exe"
Voipwise --> "C:\Program Files\Voipwise.com\Voipwise\unins000.exe"
WebFldrs XP -->
WIDCOMM Bluetooth Software --> MsiExec.exe /X{E98D6792-FC51-4187-9448-CA9BF893384E}
Windows Driver Package - Nokia Modem (03/05/2008 3.7) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokia_blue_635B28EFCFA9395123BB1C251595CB16129E2560\nokia_bluetooth.inf
Windows Driver Package - Nokia Modem (08/03/2007 3.2) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccs_bluet_05A76228EE0EF20D8B64523AD40E95C8F09D6988\pccs_bluetooth.inf
Windows Driver Package - Nokia Modem (08/03/2007 6.84.0.2) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_1EB5F2E6F54A6BEDE9F436D1BA5D830FC71739BE\nokbtmdm.inf
Windows Driver Package - Nokia Modem (10/12/2007 3.6) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokia_blue_0A5D98F754C6588B2E3DDE89DDEF097075ADFFB7\nokia_bluetooth.inf
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccsmcfd_4A1E30386F4D0DEC8F5DF262CFBD8845EEBAB175\pccsmcfd.inf
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type11467 / Error
Event Submitted/Written: 08/04/2008 03:50:31 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type11466 / Error
Event Submitted/Written: 08/04/2008 03:50:31 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type11465 / Error
Event Submitted/Written: 08/04/2008 03:50:30 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type11464 / Error
Event Submitted/Written: 08/04/2008 03:50:29 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type11450 / Error
Event Submitted/Written: 08/04/2008 02:57:57 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application explorer.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type58745 / Error
Event Submitted/Written: 08/04/2008 03:32:01 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type58744 / Error
Event Submitted/Written: 08/04/2008 03:31:54 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type58743 / Error
Event Submitted/Written: 08/04/2008 03:29:12 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
APPDRV
bdftdif
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
SASDIFSV
SASKUTIL
Tcpip
Tcpip6

Event Record #/Type58742 / Error
Event Submitted/Written: 08/04/2008 03:29:12 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Simple TCP/IP Services service depends on the AFD service which failed to start because of the following error:
%%31

Event Record #/Type58741 / Error
Event Submitted/Written: 08/04/2008 03:29:12 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-08-04 15:52:49 ------------


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:11:33 PM

Posted 04 August 2008 - 11:09 AM

Hi there and welcome to BC! :thumbsup:

Please download Combofix to your desktop.
Double-click combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

#3 kenda

kenda
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 04 August 2008 - 01:15 PM

Hi again,

I hope the ComboFix log is ok, as the laptop shut down part way through and I had to run it a second time. The two logs are as shown below.


ComboFix 08-08-03.05 - Dug Blair 2008-08-04 19:49:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.553 [GMT 2:00]
Running from: C:\Documents and Settings\Dug Blair\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Starware337
C:\Documents and Settings\Dug Blair\Application Data\Starware337
.
---- Previous Run -------
.
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\4.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\4.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\4.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\4.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\4.bin\FWPBUDDY.PNG
C:\Program Files\MyWebSearch\bar\4.bin\M3HIGHIN.EXE
C:\Program Files\MyWebSearch\bar\4.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\4.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\4.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\4.bin\M3MEDINT.EXE
C:\Program Files\MyWebSearch\bar\4.bin\M3MSG.DLL
C:\Program Files\MyWebSearch\bar\4.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\4.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\4.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\4.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\4.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\4.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\4.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\4.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\4.bin\MWSSVC.EXE
C:\Program Files\MyWebSearch\bar\4.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Cache\01A38362
C:\Program Files\MyWebSearch\bar\Cache\01A3937F
C:\Program Files\MyWebSearch\bar\Cache\01A395F0.bin
C:\Program Files\MyWebSearch\bar\Cache\01A398BF.bin
C:\Program Files\MyWebSearch\bar\Cache\01A39B8E.bin
C:\Program Files\MyWebSearch\bar\Cache\01A39D14.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-08-04 19:46 . 2008-08-04 19:46 294 ---hs---- C:\WINDOWS\system32\kdgouhaj.ini
2008-08-04 17:30 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-08-04 17:30 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-08-04 16:44 . 2008-08-04 16:51 <DIR> d-------- C:\getservice
2008-08-04 16:06 . 2008-08-04 16:06 99,200 --a------ C:\WINDOWS\system32\jahuogdk.dll
2008-08-04 15:43 . 2008-08-04 15:43 <DIR> d-------- C:\Deckard
2008-08-04 15:27 . 2008-08-04 15:27 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-08-04 14:00 . 2008-08-04 14:00 <DIR> d-------- C:\Program Files\Webroot
2008-08-04 14:00 . 2008-08-04 14:00 <DIR> d-------- C:\Documents and Settings\Test\Application Data\Webroot
2008-08-04 14:00 . 2008-08-04 14:00 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-08-04 14:00 . 2008-08-04 14:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-08-04 14:00 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-08-04 14:00 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-08-04 14:00 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-08-04 14:00 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-08-04 14:00 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-08-04 13:50 . 2008-08-04 13:50 <DIR> d-------- C:\VundoFix Backups
2008-08-04 13:04 . 2008-08-04 13:04 <DIR> d-------- C:\Documents and Settings\Test\Application Data\TuneUp Software
2008-08-04 09:47 . 2008-08-04 09:47 <DIR> d-------- C:\Documents and Settings\Test\Application Data\SUPERAntiSpyware.com
2008-08-04 08:59 . 2008-08-04 08:59 <DIR> d-------- C:\Program Files\7-Zip
2008-08-04 08:24 . 2008-08-04 08:24 <DIR> d-------- C:\Program Files\CCleaner
2008-08-03 23:17 . 2008-08-03 23:17 <DIR> d-------- C:\Documents and Settings\Test\Application Data\BitDefender
2008-08-03 23:13 . 2005-10-14 20:24 <DIR> d-------- C:\Documents and Settings\Test\Application Data\You've Got Pictures Screensaver
2008-08-03 23:13 . 2005-10-14 20:30 <DIR> d-------- C:\Documents and Settings\Test\Application Data\Symantec
2008-08-03 23:13 . 2005-10-14 20:28 <DIR> d-------- C:\Documents and Settings\Test\Application Data\Jasc Software Inc
2008-08-03 23:13 . 2005-10-14 20:19 <DIR> d-------- C:\Documents and Settings\Test\Application Data\Intel
2008-08-03 23:13 . 2005-10-14 20:26 <DIR> d--h----- C:\Documents and Settings\Test\Application Data\Gtek
2008-08-03 23:13 . 2008-08-04 15:12 <DIR> d-------- C:\Documents and Settings\Test
2008-08-03 19:22 . 2008-08-03 19:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-03 19:21 . 2008-08-03 19:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-03 19:21 . 2008-08-03 19:21 <DIR> d-------- C:\Documents and Settings\Dug Blair\Application Data\SUPERAntiSpyware.com
2008-08-03 19:08 . 2008-08-03 19:08 <DIR> d-------- C:\WINDOWS\system32\SpycatcherAgentSetupTemp
2008-08-03 19:07 . 2008-08-03 19:07 <DIR> d-------- C:\Program Files\Tenebril
2008-08-03 19:07 . 2008-08-03 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tenebril
2008-08-03 17:37 . 2008-08-03 18:32 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-03 16:01 . 2008-08-03 16:03 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-03 15:09 . 2008-08-03 15:09 130,432 --a------ C:\WINDOWS\system32\jeaevsoo.dll
2008-08-03 15:06 . 2008-08-03 15:06 98,688 --a------ C:\WINDOWS\system32\pvkfeiil.dll
2008-08-03 14:06 . 2008-08-04 19:56 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-08-03 14:05 . 2008-08-03 14:05 15 --a------ C:\WINDOWS\system32\getfile.dat
2008-08-03 14:01 . 2008-08-03 14:01 <DIR> d-------- C:\Documents and Settings\Dug Blair\Application Data\BitDefender
2008-08-03 13:57 . 2008-08-03 13:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-08-03 13:41 . 2008-08-03 13:41 <DIR> d-------- C:\Program Files\Softwin
2008-08-03 13:38 . 2008-08-03 13:42 <DIR> d-------- C:\Program Files\Common Files\Softwin
2008-08-03 10:58 . 2008-08-03 10:58 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-03 10:58 . 2008-08-04 08:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-03 10:41 . 2008-08-03 10:41 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-08-03 10:41 . 2008-08-03 10:41 <DIR> d-------- C:\Documents and Settings\Dug Blair\Application Data\TuneUp Software
2008-08-03 10:41 . 2008-08-03 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-08-03 10:41 . 2008-08-03 10:41 355,584 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-08-03 10:41 . 2008-05-29 09:28 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-08-03 10:38 . 2008-08-03 19:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-02 19:02 . 2008-08-02 19:02 130,432 --a------ C:\WINDOWS\system32\oqjruvks.dll
2008-08-02 19:02 . 2008-08-02 19:02 130,432 --a------ C:\WINDOWS\system32\fbkqyl.dll
2008-08-02 19:02 . 2008-08-02 19:02 98,688 --a------ C:\WINDOWS\system32\mxtwibij.dll
2008-07-31 13:56 . 2008-07-31 13:56 <DIR> d-------- C:\Program Files\MediaMonkey
2008-07-31 12:18 . 2008-07-31 12:18 <DIR> d-------- C:\Program Files\PixiePack Codec Pack
2008-07-31 12:16 . 2008-07-31 12:16 <DIR> d-------- C:\Program Files\RapidSolution
2008-07-31 12:16 . 2008-07-31 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-07-30 19:16 . 2008-07-30 19:16 <DIR> d--h----- C:\$hf_mig$
2008-07-30 18:45 . 2008-08-03 18:31 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-30 17:29 . 2005-10-14 20:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-07-30 17:29 . 2005-10-14 20:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-30 17:29 . 2005-10-14 20:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-07-30 17:29 . 2005-10-14 20:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-07-30 17:29 . 2005-10-14 20:26 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-07-30 17:29 . 2008-08-03 13:57 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-20 12:41 . 2008-07-20 13:32 <DIR> d-------- C:\Documents and Settings\Dug Blair\Application Data\OpenOffice.org2
2008-07-08 06:52 . 2008-07-08 06:52 1,645,888 --a------ C:\WINDOWS\system32\Protector.dll
2008-07-08 06:52 . 2008-07-08 06:52 169,280 --a------ C:\WINDOWS\system32\SecuLoad.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 14:12 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-08-03 13:50 --------- d-----w C:\Documents and Settings\Dug Blair\Application Data\Skype
2008-08-03 10:31 --------- d-----w C:\Program Files\Nokia
2008-08-03 10:26 --------- d-----w C:\Program Files\Jasc Software Inc
2008-08-03 10:18 --------- d-----w C:\Documents and Settings\Dug Blair\Application Data\Lavasoft
2008-08-03 08:11 --------- d-----w C:\Documents and Settings\Dug Blair\Application Data\skypePM
2008-08-01 09:56 --------- d-----w C:\Program Files\Google
2008-07-27 11:18 --------- d-----w C:\Documents and Settings\Dug Blair\Application Data\LimeWire
2008-07-22 13:49 --------- d-----w C:\Program Files\Lx_cats
2008-07-20 11:09 --------- d-----w C:\Documents and Settings\Dug Blair\Application Data\Thunderbird
2008-07-18 12:08 --------- d-----w C:\Program Files\iTunes
2008-07-18 12:08 --------- d-----w C:\Program Files\iPod
2008-07-18 12:06 --------- d-----w C:\Program Files\QuickTime
2008-07-17 16:08 --------- d-----w C:\Program Files\Java
2008-07-02 04:43 --------- d-----w C:\Program Files\Common Files\Skype
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 12:32 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-06-12 10:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-01-07 18:17 54,656 -c--a-w C:\Documents and Settings\Dug Blair\Application Data\GDIPFONTCACHEV1.DAT
2007-11-20 18:32 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-08-04 13:02 8 --sh--r C:\WINDOWS\system32\6489E1236E.sys
2006-08-04 13:02 3,766 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender9\bdnagent.exe" [2005-06-09 10:28 9728]
"BDMCon"="C:\Program Files\Softwin\BitDefender9\bdmcon.exe" [2006-04-20 11:48 372736]
"BDOESRV"="C:\Program Files\Softwin\BitDefender9\bdoesrv.exe" [2005-03-11 17:53 90112]
"BDSwitchAgent"="C:\Program Files\Softwin\BitDefender9\bdswitch.exe" [2005-04-06 13:09 33280]
"b83a26a4"="C:\WINDOWS\system32\jahuogdk.dll" [2008-08-04 16:06 99200]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 02:12 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Active Desktop Calendar"=C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
"b83a26a4"=rundll32.exe "C:\WINDOWS\system32\pvkfeiil.dll",b
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\VoipCheap\\VoipCheap.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\VoipCheapCom\\VoipCheapCom.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Voipwise.com\\Voipwise\\Voipwise.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-03-02 22:11]
R2 Protector;Protector;C:\Program Files\Tenebril\SpyCatcher\ProtectorSvc.exe [2008-07-08 06:52]
R2 TryAndDecideService;Acronis Try And Decide Service;C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2007-10-31 14:19]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 02:12]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2006-05-29 11:43]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2008-04-14 02:12]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2008-04-14 02:12]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2008-04-14 02:12]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2008-04-14 02:12]
S3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS []
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-03 10:41]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3233d8bf-6810-11da-b9b5-0011f5588ca4}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-04 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-23 16:53]
.
- - - - ORPHANS REMOVED - - - -

BHO-{614A41E5-D4AA-42F2-BE33-85AC36CDF717} - C:\WINDOWS\system32\wvUljgDS.dll
Toolbar-{6F3905A7-AA9F-4858-A8AD-6294CAEC1A68} - (no file)
Notify-insc42 - insc42.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Dug Blair\Application Data\Mozilla\Firefox\Profiles\us3coox6.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/firefox
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 19:58:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\jahuogdk.dll
-> ?:\WINDOWS\system32\MLANG.dll
-> ?:\WINDOWS\system32\MLANG.dll
-> ?:\WINDOWS\system32\MLANG.dll
-> ?:\WINDOWS\system32\MLANG.dll
-> ?:\WINDOWS\system32\MLANG.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-08-04 20:04:55 - machine was rebooted [Dug Blair]
ComboFix-quarantined-files.txt 2008-08-04 18:04:42

Pre-Run: 39,211,331,584 bytes free
Post-Run: 39,111,217,152 bytes free

310 --- E O F --- 2008-07-09 12:31:29



Deckard's System Scanner v20071014.68
Run by Dug Blair on 2008-08-04 20:07:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-04 20:08:05
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Tenebril\SpyCatcher\ProtectorSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Softwin\BitDefender9\bdnagent.exe
C:\Program Files\Softwin\BitDefender9\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files\Softwin\BitDefender9\bdswitch.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Dug Blair\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar4.dll
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender9\bdnagent.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Program Files\Softwin\BitDefender9\bdswitch.exe"
O4 - HKLM\..\Run: [b83a26a4] rundll32.exe "C:\WINDOWS\system32\jahuogdk.dll",b
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZRfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (file missing)
O9 - Extra button: (no name) - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://memberservices.tesco.net (HKCU)
O15 - Trusted Zone: https://register.tesco.net (HKCU)
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} () - http://pictures.aolcdn.com/ap/Resources/1....ns.10.1.0.0.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149534543703
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - AppInit_DLLs: sockspy.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
O23 - Service: Protector - Tenebril Inc. - C:\Program Files\Tenebril\SpyCatcher\ProtectorSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\system32\TuneUpDefragService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender9\vsserv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


--
End of file - 10000 bytes

-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-08-04 19:09:32 68096 --a------ C:\WINDOWS\zip.exe
2008-08-04 19:09:32 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-04 19:09:32 98816 --a------ C:\WINDOWS\sed.exe
2008-08-04 19:09:32 80412 --a------ C:\WINDOWS\grep.exe
2008-08-04 19:09:31 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-04 19:09:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-04 19:09:31 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-04 19:09:31 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-04 16:44:33 0 d-------- C:\getservice
2008-08-04 16:06:47 99200 --a------ C:\WINDOWS\system32\jahuogdk.dll
2008-08-04 15:27:57 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-08-04 14:09:49 0 d-------- C:\Documents and Settings\Test\Application Data\Google
2008-08-04 14:00:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-08-04 14:00:06 0 d-------- C:\Program Files\Webroot
2008-08-04 14:00:06 0 d-------- C:\Documents and Settings\Test\Application Data\Webroot
2008-08-04 14:00:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-08-04 13:50:38 0 d-------- C:\VundoFix Backups
2008-08-04 13:04:44 0 d-------- C:\Documents and Settings\Test\Application Data\TuneUp Software
2008-08-04 12:31:30 0 d-------- C:\Documents and Settings\Test\Application Data\Macromedia
2008-08-04 12:31:28 0 d-------- C:\Documents and Settings\Test\Application Data\Adobe
2008-08-04 12:29:17 0 d-------- C:\Documents and Settings\Test\Application Data\Mozilla
2008-08-04 09:47:09 0 d-------- C:\Documents and Settings\Test\Application Data\SUPERAntiSpyware.com
2008-08-04 08:59:22 0 d-------- C:\Program Files\7-Zip
2008-08-04 08:35:05 0 dr-h----- C:\Documents and Settings\Dug Blair\Recent
2008-08-04 08:24:45 0 d-------- C:\Program Files\CCleaner
2008-08-03 23:17:04 0 d-------- C:\Documents and Settings\Test\Application Data\BitDefender
2008-08-03 23:13:39 0 d-------- C:\Documents and Settings\Test\Application Data\Jasc Software Inc
2008-08-03 23:13:39 0 d-------- C:\Documents and Settings\Test\Application Data\Intel
2008-08-03 23:13:39 0 d-------- C:\Documents and Settings\Test\Application Data\Identities
2008-08-03 23:13:39 0 d--h----- C:\Documents and Settings\Test\Application Data\Gtek
2008-08-03 23:13:38 0 d--h----- C:\Documents and Settings\Test\Templates
2008-08-03 23:13:38 0 dr------- C:\Documents and Settings\Test\Start Menu
2008-08-03 23:13:38 0 dr-h----- C:\Documents and Settings\Test\SendTo
2008-08-03 23:13:38 0 dr-h----- C:\Documents and Settings\Test\Recent
2008-08-03 23:13:38 0 d--h----- C:\Documents and Settings\Test\PrintHood
2008-08-03 23:13:38 0 d--h----- C:\Documents and Settings\Test\NetHood
2008-08-03 23:13:38 0 dr------- C:\Documents and Settings\Test\My Documents
2008-08-03 23:13:38 0 d--h----- C:\Documents and Settings\Test\Local Settings
2008-08-03 23:13:38 0 dr------- C:\Documents and Settings\Test\Favorites
2008-08-03 23:13:38 0 d-------- C:\Documents and Settings\Test\Desktop
2008-08-03 23:13:38 0 d--hs---- C:\Documents and Settings\Test\Cookies
2008-08-03 23:13:38 0 dr-h----- C:\Documents and Settings\Test\Application Data
2008-08-03 23:13:38 0 d-------- C:\Documents and Settings\Test\Application Data\You've Got Pictures Screensaver
2008-08-03 23:13:38 0 d-------- C:\Documents and Settings\Test\Application Data\Symantec
2008-08-03 23:13:38 0 d-------- C:\Documents and Settings\Test\Application Data\Sun
2008-08-03 23:13:38 0 d---s---- C:\Documents and Settings\Test\Application Data\Microsoft
2008-08-03 23:13:37 1310720 --ah----- C:\Documents and Settings\Test\NTUSER.DAT
2008-08-03 19:22:15 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-03 19:21:44 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-03 19:21:43 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\SUPERAntiSpyware.com
2008-08-03 19:15:04 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-08-03 19:08:34 0 d-------- C:\WINDOWS\system32\SpycatcherAgentSetupTemp
2008-08-03 19:07:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Tenebril
2008-08-03 19:07:29 0 d-------- C:\Program Files\Tenebril
2008-08-03 17:37:28 0 d-------- C:\Program Files\Spyware Doctor
2008-08-03 16:01:48 0 d-------- C:\WINDOWS\system32\NtmsData
2008-08-03 15:09:19 130432 --a------ C:\WINDOWS\system32\jeaevsoo.dll
2008-08-03 15:06:19 98688 --a------ C:\WINDOWS\system32\pvkfeiil.dll
2008-08-03 14:06:16 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-08-03 14:05:12 15 --a------ C:\WINDOWS\system32\getfile.dat
2008-08-03 14:01:44 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\BitDefender
2008-08-03 13:57:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-08-03 10:58:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-03 10:41:50 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\TuneUp Software
2008-08-03 10:41:16 0 d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-08-03 10:41:12 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-08-03 10:38:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-02 19:02:41 98688 --a------ C:\WINDOWS\system32\mxtwibij.dll
2008-08-02 19:02:37 130432 --a------ C:\WINDOWS\system32\fbkqyl.dll
2008-08-02 19:02:36 130432 --a------ C:\WINDOWS\system32\oqjruvks.dll
2008-07-31 13:56:20 0 d-------- C:\Program Files\MediaMonkey
2008-07-31 12:18:03 0 d-------- C:\Program Files\PixiePack Codec Pack
2008-07-31 12:16:42 0 d-------- C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-07-31 12:16:05 0 d-------- C:\Program Files\RapidSolution
2008-07-30 19:16:55 0 d--h----- C:\$hf_mig$
2008-07-30 18:45:11 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-30 17:36:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-07-30 17:32:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-07-30 17:29:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-07-30 17:29:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-30 17:29:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-07-30 17:29:17 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-30 17:29:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-07-30 17:29:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-07-30 17:29:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-07-30 17:29:17 0 d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-07-30 17:29:16 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-30 17:29:16 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-30 17:29:16 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-30 17:29:16 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-30 17:29:16 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-30 17:29:16 1110016 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-30 17:29:16 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-30 17:29:16 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-07-30 17:29:16 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-30 17:29:16 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-07-30 17:29:16 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-30 17:29:16 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-30 17:29:16 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-20 12:41:16 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\OpenOffice.org2


-- Find3M Report ---------------------------------------------------------------

2008-08-04 19:53:15 0 d-a------ C:\Program Files\Common Files
2008-08-04 16:12:31 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-08-04 15:19:17 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\Mozilla
2008-08-03 15:50:07 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\Skype
2008-08-03 12:31:16 0 d-------- C:\Program Files\Nokia
2008-08-03 12:26:41 0 d-------- C:\Program Files\Jasc Software Inc
2008-08-03 12:18:23 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\Lavasoft
2008-08-03 10:11:22 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\skypePM
2008-08-01 11:56:20 0 d-------- C:\Program Files\Google
2008-08-01 11:56:18 1401 --a------ C:\Documents and Settings\Dug Blair\Application Data\.googlewebacchosts
2008-07-27 13:18:07 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\LimeWire
2008-07-22 15:49:36 0 d-------- C:\Program Files\Lx_cats
2008-07-20 13:09:32 0 d-------- C:\Documents and Settings\Dug Blair\Application Data\Thunderbird
2008-07-18 14:08:32 0 d-------- C:\Program Files\iTunes
2008-07-18 14:08:13 0 d-------- C:\Program Files\iPod
2008-07-18 14:06:55 0 d-------- C:\Program Files\QuickTime
2008-07-17 18:08:30 0 d-------- C:\Program Files\Java
2008-07-02 06:44:17 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-07-02 06:43:48 0 d-------- C:\Program Files\Common Files\Skype
2008-06-21 22:24:09 0 d-------- C:\Program Files\Messenger
2008-06-21 22:23:45 0 d-------- C:\Program Files\Movie Maker
2008-06-21 22:20:26 0 d-------- C:\Program Files\Windows NT
2008-06-12 14:32:46 0 d-------- C:\Program Files\PC Connectivity Solution


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender9\bdnagent.exe" [09/06/2005 10:28]
"BDMCon"="C:\Program Files\Softwin\BitDefender9\bdmcon.exe" [20/04/2006 11:48]
"BDOESRV"="C:\Program Files\Softwin\BitDefender9\bdoesrv.exe" [11/03/2005 17:53]
"BDSwitchAgent"="C:\Program Files\Softwin\BitDefender9\bdswitch.exe" [06/04/2005 13:09]
"b83a26a4"="C:\WINDOWS\system32\jahuogdk.dll" [04/08/2008 16:06]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [27/07/2004 17:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoPropertiesRecycleBin"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)
"NoPropertiesMyDocuments"=0 (0x0)
"NoDesktopCleanupWizard"=0 (0x0)
"DisablePersonalDirChange"=0 (0x0)
"NoSimpleStartMenu"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoNetworkConnections"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoStartMenuNetworkPlaces"=0 (0x0)
"NoSMMyDocs"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoManageMyComputerVerb"=0 (0x0)
"NoSecConsole"=0 (0x0)
"NoSharedDocuments"=0 (0x0)
"NoSecurityTab"=0 (0x0)
"NoHardwareTab"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 07/09/2004 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Active Desktop Calendar"=C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
"b83a26a4"=rundll32.exe "C:\WINDOWS\system32\pvkfeiil.dll",b
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
bthsvcs BthServ
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3233d8bf-6810-11da-b9b5-0011f5588ca4}]
AutoRun\command- E:\setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe



-- End of Deckard's System Scanner: finished at 2008-08-04 20:09:04 ------------

#4 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:11:33 PM

Posted 04 August 2008 - 04:29 PM

Good work! Let's continue.. :thumbsup:

Click start > run and type: notepad, then hit enter.
Copy and paste in the following text into the window.

File::
C:\WINDOWS\system32\kdgouhaj.ini
C:\WINDOWS\system32\jeaevsoo.dll
C:\WINDOWS\system32\pvkfeiil.dll
C:\WINDOWS\system32\oqjruvks.dll
C:\WINDOWS\system32\fbkqyl.dll
C:\WINDOWS\system32\mxtwibij.dll

Rootkit::
C:\WINDOWS\system32\jahuogdk.dll

Click File > Save and call it "CFScript.txt" (without quotes).
Save it to your desktop.
Posted Image
Referring to the picture above, drag CFscript.txt into ComboFix.exe
Combofix will run, and a text file will open. Please post it back here.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [b83a26a4] rundll32.exe "C:\WINDOWS\system32\jahuogdk.dll",b
O8 - Extra context menu item: &Search - ?p=ZRfox000

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.

When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

#5 kenda

Posted 05 August 2008 - 12:19 AM

Combofix file below. Other info to follow shortly.

ComboFix 08-08-03.05 - Dug Blair 2008-08-05 7:03:22.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.460 [GMT 2:00]
Running from: C:\Documents and Settings\Dug Blair\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dug Blair\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\kdgouhaj.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-04 21:19 . 2007-03-30 00:44 4,245,008 --a------ C:\WINDOWS\system32\qtp-mt334.dll
2008-08-04 21:19 . 2007-03-30 00:44 247,824 --a------ C:\WINDOWS\system32\prgiso.dll
2008-08-04 21:19 . 2007-03-30 00:44 131,456 --a------ C:\WINDOWS\system32\drivers\Uim_IM.sys
2008-08-04 21:19 . 2007-03-30 00:44 38,448 --a------ C:\WINDOWS\system32\drivers\hotcore3.sys
2008-08-04 21:19 . 2007-03-30 00:44 32,352 --a------ C:\WINDOWS\system32\drivers\UimBus.sys
2008-08-04 21:19 . 2007-03-30 00:44 11,840 --a------ C:\WINDOWS\system32\drivers\UimFIO.sys
2008-08-04 21:18 . 2008-08-04 21:18 <DIR> d-------- C:\Program Files\Paragon Software
2008-08-04 21:09 . 2008-08-04 21:23 <DIR> d-------- C:\Program Files\Vision Backup
2008-08-04 17:30 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-08-04 17:30 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-08-04 16:44 . 2008-08-04 16:51 <DIR> d-------- C:\getservice
2008-08-04 16:06 . 2008-08-04 16:06 99,200 --a------ C:\WINDOWS\system32\jahuogdk.dll
2008-08-04 15:43 . 2008-08-04 15:43 <DIR> d-------- C:\Deckard
2008-08-04 13:50 . 2008-08-04 13:50 <DIR> d-------- C:\VundoFix Backups
2008-08-04 13:04 . 2008-08-04 13:04 <DIR> d-------- C:\Documents and Settings\Test\Application Data\TuneUp Software
2008-08-04 09:47 . 2008-08-04 09:47 <DIR> d-------- C:\Documents and Settings\Test\Application Data\SUPERAntiSpyware.com
2008-08-04 08:59 . 2008-08-04 08:59 <DIR> d-------- C:\Program Files\7-Zip
2008-08-03 23:17 . 2008-08-03 23:17 <DIR> d-------- C:\Documents and Settings\Test\Application Data\BitDefender
2008-08-03 23:13 . 2005-10-14 20:24 <DIR> d-------- C:\Documents and Settings\Test\Application Data\You've Got Pictures Screensaver
2008-08-03 23:13 . 2005-10-14 20:30 <DIR> d-------- C:\Documents and Settings\Test\Application Data\Symantec
2008-08-03 23:13 . 2005-10-14 20:28 <DIR> d-------- C:\Documents and Settings\Test\Application Data\Jasc Software Inc
2008-08-03 23:13 . 2005-10-14 20:19 <DIR> d-------- C:\Documents and Settings\Test\Application Data\Intel
2008-08-03 23:13 . 2005-10-14 20:26 <DIR> d--h----- C:\Documents and Settings\Test\Application Data\Gtek
2008-08-03 23:13 . 2008-08-04 15:12 <DIR> d-------- C:\Documents and Settings\Test
2008-08-03 19:22 . 2008-08-03 19:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-03 19:21 . 2008-08-04 22:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-03 19:21 . 2008-08-03 19:21 <DIR> d-------- C:\Documents and Settings\Dug Blair\Application Data\SUPERAntiSpyware.com
2008-08-03 19:08 . 2008-08-03 19:08 <DIR> d-------- C:\WINDOWS\system32\SpycatcherAgentSetupTemp
2008-08-03 19:07 . 2008-08-03 19:07 <DIR> d-------- C:\Program Files\Tenebril
2008-08-03 19:07 . 2008-08-03 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tenebril
2008-08-03 17:37 . 2008-08-03 18:32 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-03 16:01 . 2008-08-03 16:03 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-03 14:06 . 2008-08-05 07:07 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-08-03 14:05 . 2008-08-03 14:05 15 --a------ C:\WINDOWS\system32\getfile.dat
2008-08-03 14:01 . 2008-08-03 14:01 <DIR> d-------- C:\Documents and Settings\Dug Blair\Application Data\BitDefender
2008-08-03 13:57 . 2008-08-03 13:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-08-03 13:41 . 2008-08-03 13:41 <DIR> d-------- C:\Program Files\Softwin
2008-08-03 13:38 . 2008-08-03 13:42 <DIR> d-------- C:\Program Files\Common Files\Softwin
2008-08-03 10:58 . 2008-08-04 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-03 10:41 . 2008-08-03 10:41 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-08-03 10:41 . 2008-08-03 10:41 <DIR> d-------- C:\Documents and Settings\Dug Blair\Application Data\TuneUp Software
2008-08-03 10:41 . 2008-08-03 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-08-03 10:41 . 2008-08-03 10:41 355,584 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-08-03 10:41 . 2008-05-29 09:28 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-08-03 10:38 . 2008-08-03 19:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-31 13:56 . 2008-07-31 13:56 <DIR> d-------- C:\Program Files\MediaMonkey
2008-07-31 12:18 . 2008-07-31 12:18 <DIR> d-------- C:\Program Files\PixiePack Codec Pack
2008-07-31 12:16 . 2008-07-31 12:16 <DIR> d-------- C:\Program Files\RapidSolution
2008-07-31 12:16 . 2008-07-31 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-07-30 19:16 . 2008-07-30 19:16 <DIR> d--h----- C:\$hf_mig$
2008-07-30 18:45 . 2008-08-03 18:31 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-30 17:29 . 2005-10-14 20:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-07-30 17:29 . 2005-10-14 20:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-30 17:29 . 2005-10-14 20:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-07-30 17:29 . 2005-10-14 20:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-07-30 17:29 . 2005-10-14 20:26 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-07-30 17:29 . 2008-08-03 13:57 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-20 12:41 . 2008-07-20 13:32 <DIR> d-------- C:\Documents and Settings\Dug Blair\Application Data\OpenOffice.org2
2008-07-08 06:52 . 2008-07-08 06:52 1,645,888 --a------ C:\WINDOWS\system32\Protector.dll
2008-07-08 06:52 . 2008-07-08 06:52 169,280 --a------ C:\WINDOWS\system32\SecuLoad.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 19:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-04 19:16 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-08-04 18:56 --------- d-----w C:\Program Files\Acronis
2008-08-04 18:40 --------- d-----w C:\Program Files\Common Files\Acronis
2008-08-03 13:50 --------- d-----w C:\Documents and Settings\Dug Blair\Application Data\Skype
2008-08-03 10:31 --------- d-----w C:\Program Files\Nokia
2008-08-03 10:26 --------- d-----w C:\Program Files\Jasc Software Inc
2008-08-03 10:18 --------- d-----w C:\Documents and Settings\Dug Blair\Application Data\Lavasoft
2008-08-03 08:11 --------- d-----w C:\Documents and Settings\Dug Blair\Application Data\skypePM
2008-08-01 09:56 --------- d-----w C:\Program Files\Google
2008-07-27 11:18 --------- d-----w C:\Documents and Settings\Dug Blair\Application Data\LimeWire
2008-07-22 13:49 --------- d-----w C:\Program Files\Lx_cats
2008-07-20 11:09 --------- d-----w C:\Documents and Settings\Dug Blair\Application Data\Thunderbird
2008-07-18 12:08 --------- d-----w C:\Program Files\iTunes
2008-07-18 12:08 --------- d-----w C:\Program Files\iPod
2008-07-18 12:06 --------- d-----w C:\Program Files\QuickTime
2008-07-17 16:08 --------- d-----w C:\Program Files\Java
2008-07-02 04:43 --------- d-----w C:\Program Files\Common Files\Skype
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 12:32 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-06-12 10:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\system32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\system32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\system32\dllcache\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\system32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\system32\dllcache\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-01-07 18:17 54,656 -c--a-w C:\Documents and Settings\Dug Blair\Application Data\GDIPFONTCACHEV1.DAT
2007-11-20 18:32 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-08-04 13:02 8 --sh--r C:\WINDOWS\system32\6489E1236E.sys
2006-08-04 13:02 3,766 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-04_20.03.54.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-07-27 07:17:52 5,600 ----a-w C:\WINDOWS\system\winaspi.dll
+ 2006-07-27 07:04:34 102,453 ----a-w C:\WINDOWS\system\wnaspi32.dll
+ 2006-07-27 07:17:52 4,672 ----a-w C:\WINDOWS\system\wowpost.exe
+ 2006-07-27 16:19:40 23,936 ----a-w C:\WINDOWS\system32\drivers\ASPI32.SYS
+ 2006-07-27 07:04:34 102,453 ----a-w C:\WINDOWS\system32\wnaspi32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2008-07-29 10:53 3780608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDNewsAgent"="c:\program files\softwin\bitdefender9\bdnagent.exe" [2005-06-09 10:28 9728]
"BDMCon"="C:\Program Files\Softwin\BitDefender9\bdmcon.exe" [2006-04-20 11:48 372736]
"BDOESRV"="C:\Program Files\Softwin\BitDefender9\bdoesrv.exe" [2005-03-11 17:53 90112]
"BDSwitchAgent"="c:\program files\softwin\bitdefender9\bdswitch.exe" [2005-04-06 13:09 33280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 02:12 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Active Desktop Calendar"=C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\VoipCheap\\VoipCheap.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\VoipCheapCom\\VoipCheapCom.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Voipwise.com\\Voipwise\\Voipwise.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-30 00:44]
R2 Protector;Protector;C:\Program Files\Tenebril\SpyCatcher\ProtectorSvc.exe [2008-07-08 06:52]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 02:12]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2006-05-29 11:43]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2008-04-14 02:12]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2008-04-14 02:12]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2008-04-14 02:12]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2008-04-14 02:12]
S3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS []
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-03 10:41]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3233d8bf-6810-11da-b9b5-0011f5588ca4}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2008-07-26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 07:08:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-05 7:10:52
ComboFix-quarantined-files.txt 2008-08-05 05:10:45
ComboFix2.txt 2008-08-04 18:04:58

Pre-Run: 39,178,395,648 bytes free
Post-Run: 39,186,280,448 bytes free

226 --- E O F --- 2008-07-09 12:31:29
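The items David singled out in the CFScript and HijackThis fix list above, together with the Reg Loading Points section of this ComboFix log, are the usual places a Vundo/Virtumonde cleanup is decided. The script below is an added example, not part of this thread and not code from HijackThis or ComboFix: it runs those checks over sample lines copied from the logs posted above (the rundll32.exe Run entry loading a randomly named DLL from system32, the AppInit_DLLs entry, the Security Center notification and Windows Firewall being switched off, the MountPoints2 AutoRun command, the orphaned toolbar CLSID and the hijacked context-menu search) and renders the flagged DLL in the File::/Rootkit:: CFScript layout David used. Every pattern, the name heuristic and the small allowlist are assumptions chosen for the example; the output is a list of leads to verify against the installed products, not verdicts.

```python
"""Triage of HijackThis and ComboFix log lines for Vundo/Virtumonde-style
indicators. Added example for this thread; not HijackThis or ComboFix code.
All regexes, the name heuristic and KNOWN_GOOD are assumptions for the example."""
import re
from dataclasses import dataclass

# Sample lines copied from the logs posted earlier in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [b83a26a4] rundll32.exe "C:\WINDOWS\system32\jahuogdk.dll",b
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"
O8 - Extra context menu item: &Search - ?p=ZRfox000
"AppInit_DLLs"=sockspy.dll
"AntiVirusDisableNotify"=dword:00000001
"EnableFirewall"= 0 (0x0)
\Shell\AutoRun\command - E:\setup.exe
"""

# Illustrative allowlist of DLLs Windows itself runs through rundll32.exe.
KNOWN_GOOD = {"advpack", "shdocvw", "setupapi", "newdev"}

# Run entry that launches a DLL out of system32 via rundll32.exe.
RUNDLL32_DLL = re.compile(
    r'rundll32\.exe\s+"?(?P<path>[A-Za-z]:\\WINDOWS\\system32\\(?P<name>[A-Za-z]+)\.dll)',
    re.IGNORECASE,
)
HEX_KEY = re.compile(r"\[(?P<key>[0-9a-f]{8})\]")          # e.g. [b83a26a4]
APPINIT = re.compile(r'"AppInit_DLLs"=(?P<val>\S+)')
SC_NOTIFY = re.compile(r'"(?P<what>\w+DisableNotify|DisableMonitoring)"=dword:0*1\b')
FIREWALL_OFF = re.compile(r'"EnableFirewall"=\s*0\b')
AUTORUN = re.compile(r"\\Shell\\AutoRun\\command\s*-\s*(?P<path>\S+)")
ORPHAN_O3 = re.compile(r"^O3 - Toolbar: \(no name\).*\(no file\)$")
SEARCH_O8 = re.compile(r"^O8 - .*-\s*\?p=\w+$")


@dataclass
class Finding:
    rule: str
    line: str
    path: str = ""
    note: str = ""


def is_random_name(name: str) -> bool:
    """Coarse check for Vundo-style names: 6-10 lowercase letters, no digits,
    not a known Windows DLL. Alone it over-matches (short vendor DLL names
    pass too), so triage() only applies it to rundll32 Run entries."""
    return (name.isalpha() and name.islower()
            and 6 <= len(name) <= 10 and name not in KNOWN_GOOD)


def triage(log_text: str) -> list:
    findings: list = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := RUNDLL32_DLL.search(line)) and is_random_name(m.group("name")):
            key = HEX_KEY.search(line)
            findings.append(Finding(
                "vundo_rundll32", line, m.group("path"),
                "random Run key name" if key else "descriptive Run key name"))
        elif m := APPINIT.search(line):
            findings.append(Finding("appinit_dlls", line, m.group("val"),
                                    "loaded into every process that loads user32.dll; "
                                    "confirm which installed product owns it"))
        elif m := SC_NOTIFY.search(line):
            findings.append(Finding("security_center_notify_off", line, "", m.group("what")))
        elif FIREWALL_OFF.search(line):
            findings.append(Finding("firewall_disabled", line))
        elif m := AUTORUN.search(line):
            findings.append(Finding("autorun_mountpoint", line, m.group("path"),
                                    "removable-media autorun remembered in MountPoints2"))
        elif ORPHAN_O3.match(line):
            findings.append(Finding("orphan_toolbar", line, "", "CLSID with no backing file"))
        elif SEARCH_O8.match(line):
            findings.append(Finding("search_hijack", line))
    return findings


def build_cfscript(files, rootkit_files=()) -> str:
    """Render paths in the File::/Rootkit:: layout of the CFScript above."""
    out: list = []
    for header, paths in (("File::", list(files)), ("Rootkit::", list(rootkit_files))):
        if paths:
            out.append(header)
            out.extend(paths)
            out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.rule:28} {f.path or f.note}")
    rootkit = [f.path for f in found if f.rule == "vundo_rundll32"]
    print(build_cfscript([], rootkit))
```

The BitDefender Run entry in the sample produces no finding, which is the point of gating the name heuristic on rundll32.exe plus a system32 path: a short lowercase name on its own proves nothing. The AppInit_DLLs and Security Center leads are equally set by legitimate security products, so each finding should be matched against what is installed before it goes into a CFScript.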

#6 kenda

Posted 05 August 2008 - 04:55 AM

Other information requested below.

Please note that at the moment your link "Kaspersky Webscan" appears to be broken, but I found one on their site.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:45, on 2008-08-05
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Tenebril\SpyCatcher\ProtectorSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\program files\softwin\bitdefender9\bdnagent.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\program files\softwin\bitdefender9\bdswitch.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
c:\program files\softwin\bitdefender9\bdmcon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender9\bdnagent.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "c:\program files\softwin\bitdefender9\bdswitch.exe"
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - http://pictures.aolcdn.com/ap/Resources/1....ns.10.1.0.0.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149534543703
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Protector - Tenebril Inc. - C:\Program Files\Tenebril\SpyCatcher\ProtectorSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender9\vsserv.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 9022 bytes


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, August 5, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, August 04, 2008 16:07:43
Records in database: 1053458
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 64792
Threat name: 17
Infected objects: 19
Suspicious objects: 48
Duration of the scan: 01:41:40


File name / Threat name / Threats count
C:\Documents and Settings\Dug Blair\Application Data\Thunderbird\Inbox Infected: Trojan-Spy.HTML.Bankfraud.rw 2
C:\Documents and Settings\Dug Blair\Application Data\Thunderbird\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 48
C:\Documents and Settings\Dug Blair\Local Settings\Temp\Av-test.txt Infected: EICAR-Test-File 1
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\F3DTACTL.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.dn 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cn 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\F3IMSTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\F3POPSWT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ch 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\F3RESTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cj 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\F3SCRCTR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ck 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\M3HTML.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cj 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\M3IDLE.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\M3MSG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cm 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\M3SKIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\M3SLSRCH.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cl 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cc 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ci 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\4.bin\MWSOESTB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.db 1
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ca 1

The selected area was scanned.

#7 -David-

Posted 05 August 2008 - 01:48 PM

Good work! Let's continue...

Open HijackThis, click 'Config' (bottom right), then choose the 'Misc Tools' tab at the top.
Choose 'Delete a file on reboot'. In the field, copy and paste the file path given a few lines below.
Click Open. HijackThis will tell you that this file will be deleted on the next reboot and ask if you want to reboot now.
When asked if you want to reboot now, say Yes:
C:\WINDOWS\system32\jahuogdk.dll

Allow the PC to reboot, if it doesn't do it automatically, please reboot manually.

After the reboot, find and delete the following file and folder:
C:\Documents and Settings\Dug Blair\Local Settings\Temp\Av-test.txt
C:\QooBox <--folder

Then please post a new Combofix log.
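A check to go with the delete-on-reboot step, added here as an example; it is not HijackThis code. It assumes (the thread does not say so) that HijackThis queues the deletion the way MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT does, by appending to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which Windows processes early in the next boot, before the DLL can be loaded again. That value is a list of source/destination string pairs: an empty destination means delete, a leading `!` on the destination means replace an existing file, and paths carry the NT `\??\` prefix. The sample value is constructed for the example, not read from the machine in this thread.

```python
"""Decoder/encoder for the PendingFileRenameOperations registry value.
Added example for this thread, not HijackThis code. Assumption: HijackThis's
"delete a file on reboot" queues the delete through this value, as
MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) does."""

NT_PREFIX = "\\??\\"      # NT object-manager prefix MoveFileEx puts on paths


def parse_pending_renames(data: bytes) -> list:
    """Return (source, destination) pairs from the raw REG_MULTI_SZ bytes.
    A delete entry's empty destination is two consecutive NULs, which is
    also what the list terminator looks like, so the terminator is handled
    explicitly instead of splitting on a double NUL."""
    text = data.decode("utf-16-le")
    if not text.strip("\x00"):
        return []
    if text.endswith("\x00"):            # list terminator
        text = text[:-1]
    items = text.split("\x00")
    if items[-1] == "":                  # artefact of the last string's own NUL
        items.pop()
    if len(items) % 2:
        raise ValueError("odd number of strings; value is not source/destination pairs")
    return list(zip(items[0::2], items[1::2]))


def encode_pending_renames(pairs) -> bytes:
    """Inverse of parse_pending_renames: each string NUL-terminated, then a final NUL."""
    body = "".join(f"{src}\x00{dst}\x00" for src, dst in pairs)
    return (body + "\x00").encode("utf-16-le")


def _norm(path: str) -> str:
    """Strip the replace-existing marker and NT prefix; compare case-insensitively."""
    if path.startswith("!"):
        path = path[1:]
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.casefold()


def is_delete_queued(pairs, win32_path: str) -> bool:
    """True when win32_path is queued as a source with an empty destination."""
    target = _norm(win32_path)
    return any(_norm(src) == target and dst == "" for src, dst in pairs)


# Constructed sample: the entry a delete-on-reboot of jahuogdk.dll would add,
# plus an ordinary replace-on-reboot rename so both entry kinds are exercised.
SAMPLE_VALUE = encode_pending_renames([
    ("\\??\\C:\\WINDOWS\\system32\\jahuogdk.dll", ""),
    ("\\??\\C:\\WINDOWS\\Temp\\new.dll", "!\\??\\C:\\WINDOWS\\system32\\old.dll"),
])

if __name__ == "__main__":
    pairs = parse_pending_renames(SAMPLE_VALUE)
    for src, dst in pairs:
        print(f"{src!r:48} -> {(dst or 'DELETE')!r}")
    print("delete queued:", is_delete_queued(pairs, r"C:\WINDOWS\system32\jahuogdk.dll"))
```

Before saying Yes to the reboot, export the raw value (for instance with reg.exe) and feed the bytes to parse_pending_renames to confirm the DLL is queued with an empty destination. After the reboot the value should be gone and the DLL absent; confirm both before trusting a "deleted" report, since a file that a still-running loader re-creates will reappear in the next ComboFix "Files Created" list.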

#8 kenda

Posted 05 August 2008 - 03:20 PM

C:\WINDOWS\system32\jahuogdk.dll deleted by hijackthis.

C:\QooBox <--folder - deleted manually

C:\Documents and Settings\Dug Blair\Local Settings\Temp\Av-test.txt - already deleted by Bitdefender on scheduled scan this afternoon.

Combofix log follows.

ComboFix 08-08-03.05 - Dug Blair 2008-08-05 22:04:20.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.541 [GMT 2:00]
Running from: C:\Documents and Settings\Dug Blair\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 18:05 . 2008-08-05 18:06 <DIR> d-------- C:\Program Files\iTunes
2008-08-05 16:57 . 2008-08-05 16:57 <DIR> d-------- C:\Documents and Settings\Dug Blair\Application Data\Ashampoo
2008-08-05 16:55 . 2008-08-05 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ashampoo
2008-08-05 12:00 . 2008-08-05 12:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Vision Backup
2008-08-05 12:00 . 2008-08-05 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TasksSchedule
2008-08-05 08:22 . 2008-08-05 08:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-04 21:19 . 2007-03-30 00:44 4,245,008 --a------ C:\WINDOWS\system32\qtp-mt334.dll
2008-08-04 21:19 . 2007-03-30 00:44 247,824 --a------ C:\WINDOWS\system32\prgiso.dll
2008-08-04 21:19 . 2007-03-30 00:44 131,456 --a------ C:\WINDOWS\system32\drivers\Uim_IM.sys
2008-08-04 21:19 . 2007-03-30 00:44 38,448 --a------ C:\WINDOWS\system32\drivers\hotcore3.sys
2008-08-04 21:19 . 2007-03-30 00:44 32,352 --a------ C:\WINDOWS\system32\drivers\UimBus.sys
2008-08-04 21:19 . 2007-03-30 00:44 11,840 --a------ C:\WINDOWS\system32\drivers\UimFIO.sys
2008-08-04 21:18 . 2008-08-04 21:18 <DIR> d-------- C:\Program Files\Paragon Software
2008-08-04 21:09 . 2008-08-05 12:42 <DIR> d-------- C:\Program Files\Vision Backup
2008-08-04 17:30 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-08-04 17:30 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-08-04 16:44 . 2008-08-04 16:51 <DIR> d-------- C:\getservice
2008-08-04 08:59 . 2008-08-04 08:59 <DIR> d-------- C:\Program Files\7-Zip
2008-08-03 19:22 . 2008-08-03 19:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-03 19:21 . 2008-08-04 22:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-03 19:21 . 2008-08-03 19:21 <DIR> d-------- C:\Documents and Settings\Dug Blair\Application Data\SUPERAntiSpyware.com
2008-08-03 19:08 . 2008-08-03 19:08 <DIR> d-------- C:\WINDOWS\system32\SpycatcherAgentSetupTemp
2008-08-03 19:07 . 2008-08-03 19:07 <DIR> d-------- C:\Program Files\Tenebril
2008-08-03 19:07 . 2008-08-03 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tenebril
2008-08-03 17:37 . 2008-08-03 18:32 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-03 16:01 . 2008-08-03 16:03 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-03 14:06 . 2008-08-05 22:07 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-08-03 14:05 . 2008-08-03 14:05 15 --a------ C:\WINDOWS\system32\getfile.dat
2008-08-03 14:01 . 2008-08-03 14:01 <DIR> d-------- C:\Documents and Settings\Dug Blair\Application Data\BitDefender
2008-08-03 13:57 . 2008-08-03 13:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-08-03 13:41 . 2008-08-03 13:41 <DIR> d-------- C:\Program Files\Softwin
2008-08-03 13:38 . 2008-08-03 13:42 <DIR> d-------- C:\Program Files\Common Files\Softwin
2008-08-03 10:58 . 2008-08-04 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-03 10:41 . 2008-08-03 10:41 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-08-03 10:41 . 2008-08-03 10:41 <DIR> d-------- C:\Documents and Settings\Dug Blair\Application Data\TuneUp Software
2008-08-03 10:41 . 2008-08-03 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-08-03 10:41 . 2008-08-03 10:41 355,584 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-08-03 10:41 . 2008-05-29 09:28 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-08-03 10:38 . 2008-08-03 19:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-31 16:06 . 2008-07-31 16:06 251,392 --a------ C:\WINDOWS\system\esebcli2.dll
2008-07-31 16:06 . 2008-07-31 16:06 23,936 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-07-31 16:06 . 2008-07-31 16:06 5,600 --a------ C:\WINDOWS\system\winaspi.dll
2008-07-31 16:06 . 2008-07-31 16:06 4,672 --a------ C:\WINDOWS\system\wowpost.exe
2008-07-31 13:56 . 2008-08-05 17:38 <DIR> d-------- C:\Program Files\MediaMonkey
2008-07-31 12:18 . 2008-07-31 12:18 <DIR> d-------- C:\Program Files\PixiePack Codec Pack
2008-07-31 12:16 . 2008-08-05 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-07-30 19:16 . 2008-07-30 19:16 <DIR> d--h----- C:\$hf_mig$
2008-07-30 18:45 . 2008-08-03 18:31 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-30 17:29 . 2005-10-14 20:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-07-30 17:29 . 2005-10-14 20:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-30 17:29 . 2005-10-14 20:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-07-30 17:29 . 2005-10-14 20:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-07-30 17:29 . 2005-10-14 20:26 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-07-30 17:29 . 2008-08-03 13:57 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-08 06:52 . 2008-07-08 06:52 1,645,888 --a------ C:\WINDOWS\system32\Protector.dll
2008-07-08 06:52 . 2008-07-08 06:52 169,280 --a------ C:\WINDOWS\system32\SecuLoad.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 16:05 --------- d-----w C:\Program Files\iPod
2008-08-05 16:00 --------- d-----w C:\Documents and Settings\Dug Blair\Application Data\Skype
2008-08-05 15:59 --------- d-----w C:\Documents and Settings\Dug Blair\Application Data\skypePM
2008-08-05 15:13 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-08-05 14:55 --------- d-----w C:\Program Files\Ashampoo
2008-08-05 10:56 --------- d-----w C:\Documents and Settings\Dug Blair\Application Data\Thunderbird
2008-08-04 19:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-04 18:56 --------- d-----w C:\Program Files\Acronis
2008-08-04 18:40 --------- d-----w C:\Program Files\Common Files\Acronis
2008-08-03 10:31 --------- d-----w C:\Program Files\Nokia
2008-08-03 10:26 --------- d-----w C:\Program Files\Jasc Software Inc
2008-08-01 09:56 --------- d-----w C:\Program Files\Google
2008-07-22 13:49 --------- d-----w C:\Program Files\Lx_cats
2008-07-18 12:06 --------- d-----w C:\Program Files\QuickTime
2008-07-17 16:08 --------- d-----w C:\Program Files\Java
2008-07-02 04:43 --------- d-----w C:\Program Files\Common Files\Skype
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 12:32 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-06-12 10:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\system32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\system32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\system32\dllcache\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\system32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\system32\dllcache\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-01-07 18:17 54,656 -c--a-w C:\Documents and Settings\Dug Blair\Application Data\GDIPFONTCACHEV1.DAT
2007-11-20 18:32 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-08-04 13:02 8 --sh--r C:\WINDOWS\system32\6489E1236E.sys
2006-08-04 13:02 3,766 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2008-07-29 10:53 3780608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender9\bdnagent.exe" [2005-06-09 10:28 9728]
"BDMCon"="C:\Program Files\Softwin\BitDefender9\bdmcon.exe" [2006-04-20 11:48 372736]
"BDOESRV"="C:\Program Files\Softwin\BitDefender9\bdoesrv.exe" [2005-03-11 17:53 90112]
"BDSwitchAgent"="C:\Program Files\Softwin\BitDefender9\bdswitch.exe" [2005-04-06 13:09 33280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 02:12 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Active Desktop Calendar"=C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\VoipCheap\\VoipCheap.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\VoipCheapCom\\VoipCheapCom.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Voipwise.com\\Voipwise\\Voipwise.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-30 00:44]
R2 Protector;Protector;C:\Program Files\Tenebril\SpyCatcher\ProtectorSvc.exe [2008-07-08 06:52]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 02:12]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2006-05-29 11:43]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2008-04-14 02:12]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2008-04-14 02:12]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2008-04-14 02:12]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2008-04-14 02:12]
S3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS []
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-03 10:41]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3233d8bf-6810-11da-b9b5-0011f5588ca4}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-23 16:53]

2008-07-26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-05 C:\WINDOWS\Tasks\Paragon Archive name arc_050808181433093.job
- C:\Program Files\Paragon Software\Drive Backup 8.5 Special Edition\Program\scripts.exe [2007-03-30 00:44]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Dug Blair\Application Data\Mozilla\Firefox\Profiles\us3coox6.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/firefox
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 22:09:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [2748] 0x85CFBDA0

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-05 22:11:13
ComboFix-quarantined-files.txt 2008-08-05 20:10:56

Pre-Run: 38,820,028,416 bytes free
Post-Run: 38,916,116,480 bytes free

219 --- E O F --- 2008-07-09 12:31:29

#9 kenda

Posted 05 August 2008 - 03:45 PM

Felt sure I'd deleted C:\QooBox, but it was there again in the log. Therefore deleted it again; new log attached!

ComboFix 08-08-03.05 - Dug Blair 2008-08-05 22:34:55.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.530 [GMT 2:00]
Running from: C:\Documents and Settings\Dug Blair\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 18:05 . 2008-08-05 18:06 <DIR> d-------- C:\Program Files\iTunes
2008-08-05 16:57 . 2008-08-05 16:57 <DIR> d-------- C:\Documents and Settings\Dug Blair\Application Data\Ashampoo
2008-08-05 16:55 . 2008-08-05 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ashampoo
2008-08-05 12:00 . 2008-08-05 12:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Vision Backup
2008-08-05 12:00 . 2008-08-05 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TasksSchedule
2008-08-05 08:22 . 2008-08-05 08:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-04 21:19 . 2007-03-30 00:44 4,245,008 --a------ C:\WINDOWS\system32\qtp-mt334.dll
2008-08-04 21:19 . 2007-03-30 00:44 247,824 --a------ C:\WINDOWS\system32\prgiso.dll
2008-08-04 21:19 . 2007-03-30 00:44 131,456 --a------ C:\WINDOWS\system32\drivers\Uim_IM.sys
2008-08-04 21:19 . 2007-03-30 00:44 38,448 --a------ C:\WINDOWS\system32\drivers\hotcore3.sys
2008-08-04 21:19 . 2007-03-30 00:44 32,352 --a------ C:\WINDOWS\system32\drivers\UimBus.sys
2008-08-04 21:19 . 2007-03-30 00:44 11,840 --a------ C:\WINDOWS\system32\drivers\UimFIO.sys
2008-08-04 21:18 . 2008-08-04 21:18 <DIR> d-------- C:\Program Files\Paragon Software
2008-08-04 21:09 . 2008-08-05 12:42 <DIR> d-------- C:\Program Files\Vision Backup
2008-08-04 17:30 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-08-04 17:30 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-08-04 16:44 . 2008-08-04 16:51 <DIR> d-------- C:\getservice
2008-08-04 08:59 . 2008-08-04 08:59 <DIR> d-------- C:\Program Files\7-Zip
2008-08-03 19:22 . 2008-08-03 19:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-03 19:21 . 2008-08-04 22:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-03 19:21 . 2008-08-03 19:21 <DIR> d-------- C:\Documents and Settings\Dug Blair\Application Data\SUPERAntiSpyware.com
2008-08-03 19:08 . 2008-08-03 19:08 <DIR> d-------- C:\WINDOWS\system32\SpycatcherAgentSetupTemp
2008-08-03 19:07 . 2008-08-03 19:07 <DIR> d-------- C:\Program Files\Tenebril
2008-08-03 19:07 . 2008-08-03 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tenebril
2008-08-03 17:37 . 2008-08-03 18:32 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-03 16:01 . 2008-08-03 16:03 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-08-03 14:06 . 2008-08-05 22:38 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-08-03 14:05 . 2008-08-03 14:05 15 --a------ C:\WINDOWS\system32\getfile.dat
2008-08-03 14:01 . 2008-08-03 14:01 <DIR> d-------- C:\Documents and Settings\Dug Blair\Application Data\BitDefender
2008-08-03 13:57 . 2008-08-03 13:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-08-03 13:41 . 2008-08-03 13:41 <DIR> d-------- C:\Program Files\Softwin
2008-08-03 13:38 . 2008-08-03 13:42 <DIR> d-------- C:\Program Files\Common Files\Softwin
2008-08-03 10:58 . 2008-08-04 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-03 10:41 . 2008-08-03 10:41 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-08-03 10:41 . 2008-08-03 10:41 <DIR> d-------- C:\Documents and Settings\Dug Blair\Application Data\TuneUp Software
2008-08-03 10:41 . 2008-08-03 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-08-03 10:41 . 2008-08-03 10:41 355,584 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-08-03 10:41 . 2008-05-29 09:28 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-08-03 10:38 . 2008-08-03 19:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-31 16:06 . 2008-07-31 16:06 251,392 --a------ C:\WINDOWS\system\esebcli2.dll
2008-07-31 16:06 . 2008-07-31 16:06 23,936 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-07-31 16:06 . 2008-07-31 16:06 5,600 --a------ C:\WINDOWS\system\winaspi.dll
2008-07-31 16:06 . 2008-07-31 16:06 4,672 --a------ C:\WINDOWS\system\wowpost.exe
2008-07-31 12:18 . 2008-07-31 12:18 <DIR> d-------- C:\Program Files\PixiePack Codec Pack
2008-07-31 12:16 . 2008-08-05 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-07-30 19:16 . 2008-07-30 19:16 <DIR> d--h----- C:\$hf_mig$
2008-07-30 18:45 . 2008-08-03 18:31 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-30 17:29 . 2005-10-14 20:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-07-30 17:29 . 2005-10-14 20:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-30 17:29 . 2005-10-14 20:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-07-30 17:29 . 2005-10-14 20:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-07-30 17:29 . 2005-10-14 20:26 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-07-30 17:29 . 2008-08-03 13:57 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-08 06:52 . 2008-07-08 06:52 1,645,888 --a------ C:\WINDOWS\system32\Protector.dll
2008-07-08 06:52 . 2008-07-08 06:52 169,280 --a------ C:\WINDOWS\system32\SecuLoad.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 20:23 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-08-05 16:05 --------- d-----w C:\Program Files\iPod
2008-08-05 16:00 --------- d-----w C:\Documents and Settings\Dug Blair\Application Data\Skype
2008-08-05 15:59 --------- d-----w C:\Documents and Settings\Dug Blair\Application Data\skypePM
2008-08-05 14:55 --------- d-----w C:\Program Files\Ashampoo
2008-08-05 10:56 --------- d-----w C:\Documents and Settings\Dug Blair\Application Data\Thunderbird
2008-08-04 19:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-04 18:56 --------- d-----w C:\Program Files\Acronis
2008-08-04 18:40 --------- d-----w C:\Program Files\Common Files\Acronis
2008-08-03 10:31 --------- d-----w C:\Program Files\Nokia
2008-08-03 10:26 --------- d-----w C:\Program Files\Jasc Software Inc
2008-08-01 09:56 --------- d-----w C:\Program Files\Google
2008-07-22 13:49 --------- d-----w C:\Program Files\Lx_cats
2008-07-18 12:06 --------- d-----w C:\Program Files\QuickTime
2008-07-17 16:08 --------- d-----w C:\Program Files\Java
2008-07-02 04:43 --------- d-----w C:\Program Files\Common Files\Skype
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 12:32 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-06-12 10:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\system32\dllcache\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\system32\dllcache\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\system32\dllcache\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\system32\dllcache\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\system32\dllcache\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-01-07 18:17 54,656 -c--a-w C:\Documents and Settings\Dug Blair\Application Data\GDIPFONTCACHEV1.DAT
2007-11-20 18:32 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-08-04 13:02 8 --sh--r C:\WINDOWS\system32\6489E1236E.sys
2006-08-04 13:02 3,766 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2008-07-29 10:53 3780608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender9\bdnagent.exe" [2005-06-09 10:28 9728]
"BDMCon"="C:\Program Files\Softwin\BitDefender9\bdmcon.exe" [2006-04-20 11:48 372736]
"BDOESRV"="C:\Program Files\Softwin\BitDefender9\bdoesrv.exe" [2005-03-11 17:53 90112]
"BDSwitchAgent"="C:\Program Files\Softwin\BitDefender9\bdswitch.exe" [2005-04-06 13:09 33280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 02:12 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Active Desktop Calendar"=C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\VoipCheap\\VoipCheap.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\VoipCheapCom\\VoipCheapCom.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Voipwise.com\\Voipwise\\Voipwise.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-30 00:44]
R2 Protector;Protector;C:\Program Files\Tenebril\SpyCatcher\ProtectorSvc.exe [2008-07-08 06:52]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 02:12]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2006-05-29 11:43]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2008-04-14 02:12]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2008-04-14 02:12]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2008-04-14 02:12]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2008-04-14 02:12]
S3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS []
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-03 10:41]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3233d8bf-6810-11da-b9b5-0011f5588ca4}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-23 16:53]

2008-07-26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-05 C:\WINDOWS\Tasks\Paragon Archive name arc_050808181433093.job
- C:\Program Files\Paragon Software\Drive Backup 8.5 Special Edition\Program\scripts.exe [2007-03-30 00:44]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Dug Blair\Application Data\Mozilla\Firefox\Profiles\us3coox6.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/firefox
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 22:38:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-05 22:41:01
ComboFix-quarantined-files.txt 2008-08-05 20:40:53
ComboFix2.txt 2008-08-05 20:11:15

Pre-Run: 38,937,649,152 bytes free
Post-Run: 38,917,582,848 bytes free

218 --- E O F --- 2008-07-09 12:31:29
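An added triage helper for logs like the two posted above. It is not part of the original thread and not a ComboFix component; it walks the "Reg Loading Points" section of a ComboFix log and flags the settings a helper would normally ask the poster to confirm: a populated AppInit_DLLs value, Security Center warnings switched off, the Windows Firewall disabled, ports opened globally in the firewall, and an AutoRun command cached for a mounted volume. The rule set, the severities and every function name are my own choices, and the sample input is an excerpt copied from the log above; the script only points at settings worth checking and says nothing about whether any particular DLL or program is malicious.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not part of ComboFix or of the posts above.
It flags registry settings that weaken host defences or give code a way to
load, so a helper can see at a glance what to ask the poster about.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: an excerpt copied from the ComboFix log posted above,
# trimmed to the keys this script has rules for.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3233d8bf-6810-11da-b9b5-0011f5588ca4}]
\Shell\AutoRun\command - E:\setup.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$")


@dataclass
class Finding:
    key: str
    detail: str
    severity: str  # "high" = weakens defences or loads code; "info" = worth a look


def parse_value(raw: str) -> str | int:
    """Normalise the ways ComboFix renders a value: 'dword:00000001' -> 1,
    '0 (0x0)' -> 0; anything else comes back as a plain string."""
    raw = raw.strip()
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    if m:
        return int(m.group(1))
    return raw.strip('"')


def triage(log_text: str) -> list[Finding]:
    """Walk the REGEDIT4-style dump and apply a small rule set (my own rules)."""
    findings: list[Finding] = []
    key = ""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        lkey = key.lower()

        # ComboFix prints the cached AutoRun handler of a mounted volume on its own line.
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in lkey:
            findings.append(Finding(key, f"AutoRun command bound to a volume: {m.group('cmd')}", "high"))
            continue

        m = VALUE_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        lname = name.lower()
        value = parse_value(m.group("value"))

        if "globallyopenports" in lkey:
            findings.append(Finding(key, f"Inbound port opened in the firewall: {value}", "info"))
        elif "firewallpolicy" in lkey and lname == "enablefirewall" and value == 0:
            findings.append(Finding(key, "Windows Firewall is switched off for this profile", "high"))
        elif lkey.endswith(r"\windows nt\currentversion\windows") and lname == "appinit_dlls" and value:
            # Every process that loads user32.dll will load this DLL too; check who publishes it.
            findings.append(Finding(key, f"AppInit_DLLs is populated: {value}", "high"))
        elif "security center" in lkey and lname.endswith("disablenotify") and value == 1:
            findings.append(Finding(key, f"Security Center warning suppressed: {name}", "high"))
        elif r"security center\monitoring" in lkey and lname == "disablemonitoring" and value == 1:
            # Often left behind by an uninstalled product; confirm before treating it as hostile.
            product = key.rsplit("\\", 1)[-1]
            findings.append(Finding(key, f"Security Center no longer monitors {product}", "info"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.detail}\n        {f.key}")
```

Run against the excerpt, the script reports seven findings, four of them "high": the AppInit_DLLs entry, the suppressed anti-virus warning, the disabled firewall profile and the volume AutoRun handler. Whether each one is a problem still depends on what the poster knows about the machine (a firewall deliberately replaced by a third-party product, a codec pack that registered an AutoRun handler), which is exactly why the output is a list of questions rather than verdicts.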

#10 -David-

Posted 05 August 2008 - 04:38 PM

Every time you re-run ComboFix, it will create a Qoobox folder if one is not already present.
The logs are looking clean! How is the system running now?

#11 kenda

Posted 06 August 2008 - 12:46 AM

Everything is fine now - thanks very much for your help.

#12 -David-

Posted 06 August 2008 - 01:44 PM

Glad I could help!
The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.

Use Anti-Virus Software -
* It is very important that you have anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. This link has listings of stand-alone anti-virus programs:
* Click here for more information on -> Computer Safety Online - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti-Virus Software - It is imperative that you update your anti-virus software at least once a week (even more often if you wish). If you do not update your anti-virus software, then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I cannot stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety Online - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer always has the latest available security updates installed.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

Install Spybot© - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis just as you would with anti virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasoft's© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacool's© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any additional questions just ask...
David
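A practitioner's follow-up to the three baseline recommendations above (firewall on, anti-virus active and current, Windows Update working): the script below checks all three on a current Windows client and reports anything that is off. This is an added example, not part of the original thread or any of the products David names. It assumes Windows 10/11 with PowerShell 5.1 or later running elevated; the thread's machine is XP, where Get-NetFirewallProfile, the root/SecurityCenter2 namespace and these COM objects are not available. The productState bit decoding is the commonly published one, not documented by Microsoft, so treat it as an assumption.

```powershell
# Added example (not from the original post): verify the three baseline
# protections recommended in the thread on a current Windows client.
# Assumes: Windows 10/11, PowerShell 5.1+, elevated session.

$findings = @()

# 1. Firewall: every profile should be enabled with inbound default Block.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled -or $p.DefaultInboundAction -ne 'Block') {
        $findings += "Firewall profile '$($p.Name)': Enabled=$($p.Enabled), DefaultInboundAction=$($p.DefaultInboundAction)"
    }
}

# 2. Anti-virus: Security Center should report a product that is on and up to date.
#    productState decoding (assumption, widely used but undocumented):
#    bit 0x1000 set = real-time protection enabled, bit 0x10 set = definitions out of date.
$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $av) {
    $findings += "No anti-virus product registered with Security Center"
} else {
    foreach ($a in $av) {
        $state    = [int]$a.productState
        $enabled  = ($state -band 0x1000) -ne 0
        $outdated = ($state -band 0x10) -ne 0
        if (-not $enabled -or $outdated) {
            $findings += ("AV '$($a.displayName)': enabled=$enabled, definitionsOutOfDate=$outdated (productState=0x{0:X})" -f $state)
        }
    }
}

# 3. Windows Update: the service must not be disabled, and the last successful
#    check for updates should be recent (the thread's machine could not update at all).
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if (-not $wu -or $wu.StartType -eq 'Disabled') {
    $findings += "Windows Update service (wuauserv) missing or disabled"
}
$results = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results
$last = $results.LastSearchSuccessDate
if (-not $last -or $last -lt (Get-Date).AddDays(-7)) {
    $findings += "Last successful update check: $last (none, or older than 7 days)"
}

if ($findings.Count -eq 0) {
    "Baseline OK: firewall on, AV active and current, updates checked within 7 days"
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it from an elevated PowerShell prompt; a clean machine prints the single "Baseline OK" line, and anything else is a concrete item to fix before declaring the cleanup finished. A disabled wuauserv or a Security Center entry with no product is exactly the kind of symptom the original post described (updates refusing to activate), so it is worth keeping this check around for the next time a cleaned machine is handed back.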



