
Hijackthis Log


  • This topic is locked
18 replies to this topic

#1 Brett Smith

Brett Smith

  • Members
  • 12 posts
  • OFFLINE
  • Local time: 06:42 PM

Posted 22 August 2008 - 10:30 PM

I would appreciate if someone would check through this and let me know if there is anything in there that is bad or doesn't belong. Thank you in advance.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:30 PM, on 8/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Zune\ZuneNss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\bak\bak\qttask.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Qnext\qnextclient.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Qnext] "C:\Program Files\Qnext\qnext.exe"
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Programs\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Programs\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Programs\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Search - ?p=ZNfox000
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093467278359
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs1b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6241 bytes



#2 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • OFFLINE
  • Gender: Male
  • Location: Auckland NZ
  • Local time: 10:42 AM

Posted 23 August 2008 - 04:37 PM

Hi Brett Smith,

My name is dark messenger, but DM, or Brett is fine. (Same name hey?)

I will need some time to look over your computer's log(s). You may want to keep the link to this topic in your favorites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, to track your topic. The topics you are tracking can be found here.

Please take note of a few guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Thanks,

DM.

#3 Brett Smith

Brett Smith
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time: 06:42 PM

Posted 23 August 2008 - 05:19 PM

Not very often that I run into somebody who shares my name.


I thank you very much for taking a look at this for me. I don't have any current pressing issues. It's just that I use Spyware Doctor and every time I boot my computer it tells me that it has to block things from accessing pages. I have recently (I hope) gotten rid of a number of problems including Virtumonde with Malwarebytes' Anti-Malware, but I am not sure if the problem is totally resolved.

#4 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • OFFLINE
  • Gender: Male
  • Location: Auckland NZ
  • Local time: 10:42 AM

Posted 24 August 2008 - 07:17 AM

Hi Brett Smith,

I don't see any evidence of you having an Antivirus program or a Firewall installed on your computer.

These two programs are crucial to keeping your computer safe from infections.

Please download and install one of these free anti-virus programs.

Avira
Avast
Bitdefender Free

After that, please ensure that your Windows Firewall is enabled by going to

Start > Control Panel > Windows Firewall.

Make sure that the On (recommended) box is selected.

You said that you tried getting rid of Virtumonde with Malwarebytes Anti-Malware, just to check, please download

ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


Thanks,

#5 Brett Smith

Brett Smith
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time: 06:42 PM

Posted 25 August 2008 - 06:00 PM

Brett,

When I initially ran ComboFix it came up and told me that the recovery console was already installed and had to abort, so I ran the program again and it worked fine. Was it supposed to change my default web browser, and if so, is it alright if I change it back to Firefox? I would also like to thank you once again for taking the time to help me.


ComboFix 08-08-24.03 - Me 2008-08-25 18:26:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.647 [GMT -4:00]
Running from: C:\Documents and Settings\Me\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Me\Application Data\macromedia\Flash Player\#SharedObjects\6Z9PP6ZC\interclick.com
C:\Documents and Settings\Me\Application Data\macromedia\Flash Player\#SharedObjects\6Z9PP6ZC\interclick.com\ud.sol
C:\Documents and Settings\Me\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Me\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\drivers\aa829bdf.sys
C:\WINDOWS\system32\mkghj.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_npf


((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2100-02-24 14:15 . 2001-04-02 16:30 821 --a--c--- C:\WINDOWS\Lexmark_ICM.ini
2100-02-16 16:09 . 2001-02-16 15:37 62 --a--c--- C:\WINDOWS\SYSTEM32\LXASUSCI.INI
2008-08-25 03:21 . 2008-08-25 03:21 850 --a------ C:\WINDOWS\SYSTEM32\ProductTweaks.xml
2008-08-25 03:21 . 2008-08-25 03:21 385 --a------ C:\WINDOWS\SYSTEM32\user_gensett.xml
2008-08-25 03:00 . 2008-08-25 03:00 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\BitDefender
2008-08-25 02:46 . 2008-08-25 02:46 <DIR> d-------- C:\WINDOWS\SYSTEM32\logs
2008-08-25 02:46 . 2008-08-25 02:46 <DIR> d-------- C:\Documents and Settings\Me\Application Data\BitDefender
2008-08-25 02:45 . 2008-08-25 02:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-08-25 02:43 . 2008-08-25 02:45 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-08-25 01:44 . 2008-08-25 02:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-24 22:55 . 2008-08-24 22:55 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-22 23:11 . 2008-08-22 23:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-22 20:24 . 2008-08-25 17:59 <DIR> d-------- C:\Documents and Settings\Me\.qnext
2008-08-22 20:23 . 2008-08-22 20:25 <DIR> d-------- C:\Program Files\Qnext
2008-08-22 16:36 . 2008-08-22 16:36 <DIR> d-------- C:\WINDOWS\ShellNew
2008-08-22 00:58 . 2008-08-22 01:01 <DIR> d-------- C:\Program Files\Alliance
2008-08-21 22:58 . 2008-08-21 22:59 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\.qnext
2008-08-21 17:42 . 2008-08-22 01:01 <DIR> d-------- C:\Documents and Settings\Me\ANtsP2P
2008-08-21 16:37 . 2008-08-22 01:01 <DIR> d-------- C:\Documents and Settings\Me\Application Data\Hamachi
2008-08-20 18:52 . 2008-08-22 01:01 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-08-20 11:54 . 2008-08-22 01:01 <DIR> d-------- C:\Program Files\RetroShare
2008-08-19 18:42 . 2008-08-22 01:01 <DIR> d-------- C:\Documents and Settings\Me\.gnunet
2008-08-14 18:54 . 2008-08-14 18:54 102,208 --a------ C:\WINDOWS\SYSTEM32\drivers\bdfndisf.sys
2008-08-12 18:40 . 2008-08-12 18:40 228,672 --a------ C:\WINDOWS\SYSTEM32\drivers\bdfsfltr.sys
2008-08-12 18:40 . 2008-08-12 18:40 108,864 --a------ C:\WINDOWS\SYSTEM32\drivers\bdfm.sys
2008-08-10 17:47 . 2008-08-10 17:47 <DIR> d-------- C:\Program Files\FLV Player
2008-08-10 16:56 . 2008-08-10 16:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\Adobe
2008-08-10 13:27 . 2008-08-10 13:27 <DIR> d-------- C:\Program Files\uTorrent
2008-08-10 13:26 . 2008-08-25 02:01 <DIR> d-------- C:\Documents and Settings\Me\Application Data\uTorrent
2008-08-10 11:38 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\SYSTEM32\TweakUI.exe
2008-08-10 11:38 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\SYSTEM32\PowerToysLicense.rtf
2008-08-10 11:18 . 2008-08-10 11:35 956 --a------ C:\Trash.lnk
2008-08-10 11:08 . 2008-08-10 13:58 <DIR> d-------- C:\iconmax
2008-08-10 10:28 . 2002-10-28 13:11 766 --a------ C:\WINDOWS\SYSTEM32\bom.ico
2008-08-10 10:15 . 2008-08-10 10:15 104 --a------ C:\Recycle Bin.lnk
2008-08-10 10:01 . 2008-08-10 10:05 <DIR> d-------- C:\Program Files\PressEasyToLaunch
2008-08-10 00:39 . 2008-08-10 00:32 160,792 --a------ C:\WINDOWS\SYSTEM32\drivers\pctfw2.sys
2008-08-10 00:22 . 2008-08-10 00:39 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-08-10 00:20 . 2008-08-10 00:20 <DIR> d-------- C:\Documents and Settings\Me\Application Data\PC Tools
2008-08-10 00:20 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\SYSTEM32\drivers\iksyssec.sys
2008-08-10 00:20 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\SYSTEM32\drivers\iksysflt.sys
2008-08-10 00:20 . 2008-08-10 00:32 42,376 --a------ C:\WINDOWS\SYSTEM32\drivers\ikfilesec.sys
2008-08-10 00:20 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\SYSTEM32\drivers\kcom.sys
2008-08-10 00:01 . 2008-08-10 00:12 <DIR> d-------- C:\Shell
2008-08-08 05:13 . 2008-08-10 12:51 81 --a------ C:\WINDOWS\WB.ini
2008-08-08 01:35 . 2008-08-09 20:53 <DIR> d-------- C:\Program Files\Stardock
2008-08-08 01:35 . 2007-07-11 15:06 42,672 --a------ C:\WINDOWS\SYSTEM32\wbsys.dll
2008-08-06 21:29 . 2008-08-06 21:29 <DIR> d-------- C:\Documents and Settings\Me\Application Data\Malwarebytes
2008-08-06 21:28 . 2008-08-22 01:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 21:28 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\SYSTEM32\drivers\mbamswissarmy.sys
2008-08-06 21:28 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\SYSTEM32\drivers\mbam.sys
2008-08-06 19:34 . 2004-08-04 03:56 116,224 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\xrxwiadr.dll
2008-08-06 19:34 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\xlog.exe
2008-08-06 19:34 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\xrxftplt.exe
2008-08-06 19:34 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\xrxwbtmp.dll
2008-08-06 19:34 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\xrxscnui.dll
2008-08-06 19:34 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\xem336n5.sys
2008-08-06 19:34 . 2004-08-04 03:56 8,192 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\wshirda.dll
2008-08-06 19:34 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\xrxflnch.exe
2008-08-06 19:32 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\usr1801.sys
2008-08-06 19:31 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\tridxp.dll
2008-08-06 19:30 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\stlnata.sys
2008-08-06 19:29 . 2001-08-17 14:56 157,696 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\sisv256.dll
2008-08-06 19:28 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\sblfx.dll
2008-08-06 19:27 . 2001-08-17 14:56 182,272 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\s3mt3d.dll
2008-08-06 19:26 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\r2mdkxga.sys
2008-08-06 19:25 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\ovcodek2.sys
2008-08-06 19:24 . 2001-08-17 12:50 198,144 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\nv3.sys
2008-08-06 19:24 . 2001-08-17 22:36 123,776 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\nv3.dll
2008-08-06 19:24 . 2001-08-17 12:20 54,528 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\opl3sax.sys
2008-08-06 19:24 . 2001-08-17 12:49 51,552 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\ntgrip.sys
2008-08-06 19:24 . 2004-08-04 02:00 28,672 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\nscirda.sys
2008-08-06 19:24 . 2001-08-17 12:12 27,209 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\otc06x5.sys
2008-08-06 19:24 . 2001-08-17 13:47 9,344 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\ntapm.sys
2008-08-06 19:24 . 2001-08-17 13:53 7,552 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\nsmmc.sys
2008-08-06 19:22 . 2001-08-18 08:00 111,104 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\mtstocom.exe
2008-08-06 19:22 . 2001-08-17 12:50 103,296 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\mtxvideo.sys
2008-08-06 19:22 . 2001-08-17 13:50 75,520 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\mxport.sys
2008-08-06 19:22 . 2004-08-04 02:09 49,024 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\mstape.sys
2008-08-06 19:22 . 2004-08-04 02:00 22,016 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\msircomm.sys
2008-08-06 19:22 . 2001-08-17 13:50 21,888 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\mxcard.sys
2008-08-06 19:22 . 2001-08-17 13:49 19,968 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\mxnic.sys
2008-08-06 19:22 . 2001-08-17 22:36 19,968 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\mxicfg.dll
2008-08-06 19:22 . 2001-08-17 13:48 12,416 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\msriffwv.sys
2008-08-06 19:22 . 2001-08-17 22:36 7,168 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\mxport.dll
2008-08-06 19:22 . 2001-08-17 14:00 2,944 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\msmpu401.sys
2008-08-06 19:20 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\ltsm.sys
2008-08-06 19:19 . 2004-08-04 03:56 152,576 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\irftp.exe
2008-08-06 19:19 . 2001-08-17 22:36 90,200 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\io8ports.dll
2008-08-06 19:19 . 2004-08-04 02:00 87,424 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\irda.sys
2008-08-06 19:19 . 2001-08-17 12:12 45,632 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\ip5515.sys
2008-08-06 19:19 . 2001-08-17 13:50 38,784 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\io8.sys
2008-08-06 19:19 . 2004-08-04 03:56 27,136 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\irmon.dll
2008-08-06 19:19 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\irstusb.sys
2008-08-06 19:19 . 2001-08-17 13:49 23,552 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\irmk7.sys
2008-08-06 19:19 . 2001-08-17 13:51 18,688 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\irsir.sys
2008-08-06 19:19 . 2001-08-17 13:52 16,000 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\ini910u.sys
2008-08-06 19:19 . 2001-08-17 13:47 13,056 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\inport.sys
2008-08-06 19:17 . 2001-08-17 13:28 907,456 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\hcf_msft.sys
2008-08-06 19:16 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\g400d.dll
2008-08-06 19:15 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\el656ct5.sys
2008-08-06 19:14 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\diwan.sys
2008-08-06 19:13 . 2004-08-04 03:56 249,856 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\ctmasetp.dll
2008-08-06 19:12 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\cicap.sys
2008-08-06 19:11 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\bcmdm.sys
2008-08-06 19:10 . 2001-08-17 14:55 382,592 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\atidrab.dll
2008-08-06 19:09 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\3cwmcru.sys
2008-08-06 19:07 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\s3legacy.dll
2008-08-05 06:16 . 2008-08-05 06:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-08-05 04:58 . 2008-08-24 12:48 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-05 04:00 . 2008-08-05 06:18 <DIR> d-------- C:\WINDOWS\rnapxs
2008-08-04 17:42 . 2008-08-04 17:42 921 --a------ C:\WINDOWS\QSFVExit.bat
2008-08-04 17:40 . 2008-01-29 06:53 782,336 -ra------ C:\WINDOWS\SYSTEM32\tmp2D.tmp
2008-08-01 20:13 . 2008-08-05 04:03 <DIR> d-------- C:\Documents and Settings\Me\Application Data\Auslogics
2008-08-01 18:02 . 2008-01-29 06:53 782,336 -ra------ C:\WINDOWS\SYSTEM32\tmp6.tmp
2008-08-01 02:37 . 2008-08-01 02:37 145 --a------ C:\WINDOWS\SYSTEM32\winver.bat
2008-08-01 01:31 . 2008-08-01 01:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-01 01:14 . 2008-08-01 01:14 2 --a------ C:\-1533023409
2008-07-26 09:05 . 2008-01-29 06:53 782,336 -ra------ C:\WINDOWS\SYSTEM32\tmp5C1.tmp
2008-07-26 09:05 . 2008-01-29 06:53 782,336 -ra------ C:\WINDOWS\SYSTEM32\tmp5C0.tmp
2008-07-26 09:02 . 2008-01-29 06:53 782,336 -ra------ C:\WINDOWS\SYSTEM32\tmp56C.tmp
2008-07-26 09:02 . 2008-01-29 06:53 782,336 -ra------ C:\WINDOWS\SYSTEM32\tmp56B.tmp
2008-07-26 08:48 . 2008-07-26 08:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tages
2008-07-26 08:48 . 2008-07-26 08:48 278,984 --a------ C:\WINDOWS\SYSTEM32\drivers\atksgt.sys
2008-07-26 08:48 . 2008-07-26 08:48 25,416 --a------ C:\WINDOWS\SYSTEM32\drivers\lirsgt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-25 06:02 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 02:52 --------- d-----w C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Auslogics
2008-08-21 18:37 --------- d-----w C:\Program Files\AIM6
2008-08-21 18:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-08-10 12:50 --------- d-----w C:\Documents and Settings\Me\Application Data\Media Player Classic
2008-08-10 12:36 --------- d-----w C:\Program Files\DivX
2008-08-10 07:09 --------- d-----w C:\Program Files\VideoLAN
2008-08-05 10:28 --------- d-----w C:\Documents and Settings\Me\Application Data\MySpace
2008-08-05 09:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-01 22:08 --------- d-----w C:\Program Files\Java
2008-07-26 13:05 110,592 ----a-w C:\WINDOWS\SYSTEM32\OpenAL32.dll
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2008-07-20 16:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-19 19:32 --------- d-----w C:\Documents and Settings\Me\Application Data\LimeWire
2008-07-19 18:31 --------- d-----w C:\Program Files\Windows Live
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2008-07-18 18:31 --------- d-----w C:\Program Files\Zune
2008-07-14 06:17 --------- d-----w C:\Program Files\QuickTime
2008-07-14 06:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-14 06:15 --------- d-----w C:\Program Files\Apple Software Update
2008-07-14 06:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-05 23:14 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-05 23:11 --------- d-----w C:\Program Files\WinMX
2008-07-05 23:09 --------- d-----w C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\BitTorrent
2008-07-05 23:04 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-03 21:59 --------- d-----w C:\Documents and Settings\Me\Application Data\DivX
2008-07-02 17:07 82,568 ----a-w C:\WINDOWS\system32\drivers\BDVEDISK.sys
2008-07-02 05:16 --------- d-----w C:\Program Files\Windows Sidebar
2008-07-01 14:51 --------- d-----w C:\Documents and Settings\Jessica\Application Data\Skype
2008-06-26 20:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hemera
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30 45632]
"BitDefender Antiphishing Helper"="G:\Program Files\BitDefender\BitDefender 2009\IEShow.exe" [2008-08-10 23:53 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 04:48 53760 C:\WINDOWS\SYSTEM32\narrator.exe]

C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 22:22:52 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wbsrv]
2008-08-08 05:06 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CompuServe 2000 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CompuServe 2000 Tray Icon.lnk
backup=C:\WINDOWS\pss\CompuServe 2000 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
backup=C:\WINDOWS\pss\hp center UI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Me^Start Menu^Programs^Startup^Adobe Media Player.lnk]
path=C:\Documents and Settings\Me\Start Menu\Programs\Startup\Adobe Media Player.lnk
backup=C:\WINDOWS\pss\Adobe Media Player.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-10-04 11:20 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]
--a--c--- 2008-08-14 20:14 716800 G:\Program Files\BitDefender\BitDefender 2009\bdagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-12-18 21:47 8720384 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qnext]
--a------ 2008-03-04 23:11 51712 C:\Program Files\Qnext\qnext.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\bak\bak\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
--a------ 2006-06-08 10:05 5541888 C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"iPod Service"=3 (0x3)
"VSSERV"=2 (0x2)
"sdcoreservice"=3 (0x3)
"sdauxservice"=2 (0x2)
"LIVESRV"=2 (0x2)
"Arrakis3"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YAHOOM~1.EXE1193355090"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\All Users\\Documents\\Nesticle\\NESTCL95.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Qnext\\qnextclient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizzard downloader
"6112:TCP"= 6112:TCP:blizzard downloader
"20982:TCP"= 20982:TCP:BitComet 20982 TCP
"20982:UDP"= 20982:UDP:BitComet 20982 UDP
"22721:TCP"= 22721:TCP:BitComet 22721 TCP
"22721:UDP"= 22721:UDP:BitComet 22721 UDP

R1 pctfw2;pctfw2;C:\WINDOWS\SYSTEM32\drivers\pctfw2.sys [2008-08-10 00:32]
R2 BDVEDISK;BDVEDISK;G:\Program Files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-07-02 13:07]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 19:39]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 19:56]
R3 bdfm;BDFM;C:\WINDOWS\system32\drivers\bdfm.sys [2008-08-12 18:40]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-08-14 18:54]
R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM);C:\WINDOWS\system32\drivers\e10kx2k.sys [2001-11-16 14:01]
S3 cdiskdun;cdiskdun;C:\DOCUME~1\Owner\LOCALS~1\Temp\cdiskdun.sys []
S3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys [2001-12-27 23:11]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-05-07 14:47]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 19:56]
S4 Arrakis3;BitDefender Arrakis Server;C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 13:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2008-07-30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-07-30 C:\WINDOWS\Tasks\{6884D617-6F4D-45DE-A4FE-249400B81AE4}_YOUR-FULKL1OH2Q_Jenn.job
- C:\WINDOWS\system32\mobsync.exe [2004-08-04 03:56]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-msnmsgr - C:\Program Files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-HostManager - C:\Program Files\Common Files\AOL\1125424064\ee\AOLHostManager.exe
MSConfigStartUp-MCUpdateExe - C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
MSConfigStartUp-msnmsgr - C:\Program Files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-NapsterShell - C:\Program Files\Napster\napster.exe
MSConfigStartUp-OASClnt - C:\Program Files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-VirusScan Online - C:\Program Files\McAfee.com\VSO\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\k1lc99u0.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.myspace.com
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 18:33:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
G:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\vssvc.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\Zune\ZuneNss.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-08-25 18:46:39 - machine was rebooted [Me]
ComboFix-quarantined-files.txt 2008-08-25 22:46:32

Pre-Run: 7,320,358,912 bytes free
Post-Run: 7,420,030,976 bytes free

353 --- E O F --- 2008-08-25 22:14:54




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:36 PM, on 8/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
G:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\ComboFix\NirCmd.cfexe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - G:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "G:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Programs\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Programs\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Programs\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Search - ?p=ZNfox000
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093467278359
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs1b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - G:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 5864 bytes

#6 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • OFFLINE
  • Gender:Male
  • Location:Auckland NZ
  • Local time:10:42 AM

Posted 27 August 2008 - 07:45 AM

Hi Brett,

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\SYSTEM32\bom.ico
C:\WINDOWS\SYSTEM32\tmp2D.tmp
C:\WINDOWS\SYSTEM32\tmp6.tmp
C:\WINDOWS\SYSTEM32\tmp5C1.tmp
C:\WINDOWS\SYSTEM32\tmp5C0.tmp
C:\WINDOWS\SYSTEM32\tmp56C.tmp
C:\WINDOWS\SYSTEM32\tmp56B.tmp

Folder::
C:\-1533023409

DirLook::
C:\WINDOWS\rnapxs


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Click HERE to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 1, then press Enter.
FindAWF tool will begin scanning.
It may take a few minutes to complete so be patient.
When the scan is finished, a text file in notepad called AWF.txt will automatically open.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.

Just to recap - a ComboFix log, an AWF log and an HJT log in your next reply please.

#7 Brett Smith

Brett Smith
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:42 PM

Posted 27 August 2008 - 05:38 PM

Dear Sir,

I had an error while running FindAWF.exe. I will post the log regardless.


Attached File: untitled.GIF (190.16KB)



ComboFix 08-08-24.03 - Me 2008-08-27 18:09:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.629 [GMT -4:00]
Running from: C:\Documents and Settings\Me\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Me\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\SYSTEM32\bom.ico
C:\WINDOWS\SYSTEM32\tmp2D.tmp
C:\WINDOWS\SYSTEM32\tmp56B.tmp
C:\WINDOWS\SYSTEM32\tmp56C.tmp
C:\WINDOWS\SYSTEM32\tmp5C0.tmp
C:\WINDOWS\SYSTEM32\tmp5C1.tmp
C:\WINDOWS\SYSTEM32\tmp6.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1533023409\
C:\Documents and Settings\Me\Application Data\macromedia\Flash Player\#SharedObjects\6Z9PP6ZC\interclick.com
C:\Documents and Settings\Me\Application Data\macromedia\Flash Player\#SharedObjects\6Z9PP6ZC\interclick.com\ud.sol
C:\Documents and Settings\Me\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Me\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\SYSTEM32\bom.ico
C:\WINDOWS\SYSTEM32\tmp2D.tmp
C:\WINDOWS\SYSTEM32\tmp56B.tmp
C:\WINDOWS\SYSTEM32\tmp56C.tmp
C:\WINDOWS\SYSTEM32\tmp5C0.tmp
C:\WINDOWS\SYSTEM32\tmp5C1.tmp
C:\WINDOWS\SYSTEM32\tmp6.tmp

.
((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.

2100-02-24 14:15 . 2001-04-02 16:30 821 --a--c--- C:\WINDOWS\Lexmark_ICM.ini
2100-02-16 16:09 . 2001-02-16 15:37 62 --a--c--- C:\WINDOWS\SYSTEM32\LXASUSCI.INI
2008-08-27 17:58 . 2008-08-27 17:58 <DIR> d-------- C:\Documents and Settings\Me\Application Data\BitDefender
2008-08-27 17:56 . 2008-08-27 17:56 <DIR> d-------- C:\Program Files\BitDefender
2008-08-27 17:56 . 2008-08-27 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-08-27 00:06 . 2008-08-27 00:06 <DIR> d-------- C:\Documents and Settings\Me\Application Data\InstallShield
2008-08-26 21:20 . 2008-08-26 21:20 <DIR> d-------- C:\Downloads
2008-08-25 03:21 . 2008-08-25 03:21 850 --a------ C:\WINDOWS\SYSTEM32\ProductTweaks.xml
2008-08-25 03:21 . 2008-08-25 03:21 385 --a------ C:\WINDOWS\SYSTEM32\user_gensett.xml
2008-08-25 02:46 . 2008-08-25 02:46 <DIR> d-------- C:\WINDOWS\SYSTEM32\logs
2008-08-25 02:43 . 2008-08-27 17:56 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-08-25 01:44 . 2008-08-27 06:48 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-24 22:55 . 2008-08-24 22:55 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-22 23:11 . 2008-08-22 23:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-22 20:24 . 2008-08-27 02:04 <DIR> d-------- C:\Documents and Settings\Me\.qnext
2008-08-22 20:23 . 2008-08-22 20:25 <DIR> d-------- C:\Program Files\Qnext
2008-08-22 16:36 . 2008-08-22 16:36 <DIR> d-------- C:\WINDOWS\ShellNew
2008-08-22 00:58 . 2008-08-22 01:01 <DIR> d-------- C:\Program Files\Alliance
2008-08-21 22:58 . 2008-08-21 22:59 <DIR> d-------- C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\.qnext
2008-08-21 17:42 . 2008-08-22 01:01 <DIR> d-------- C:\Documents and Settings\Me\ANtsP2P
2008-08-21 16:37 . 2008-08-22 01:01 <DIR> d-------- C:\Documents and Settings\Me\Application Data\Hamachi
2008-08-20 18:52 . 2008-08-22 01:01 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-08-19 18:42 . 2008-08-22 01:01 <DIR> d-------- C:\Documents and Settings\Me\.gnunet
2008-08-12 18:40 . 2008-08-12 18:40 228,672 --a------ C:\WINDOWS\SYSTEM32\drivers\bdfsfltr.sys
2008-08-12 18:40 . 2008-08-12 18:40 108,864 --a------ C:\WINDOWS\SYSTEM32\drivers\bdfm.sys
2008-08-10 17:47 . 2008-08-10 17:47 <DIR> d-------- C:\Program Files\FLV Player
2008-08-10 16:56 . 2008-08-10 16:56 <DIR> d-------- C:\WINDOWS\SYSTEM32\Adobe
2008-08-10 13:27 . 2008-08-10 13:27 <DIR> d-------- C:\Program Files\uTorrent
2008-08-10 13:26 . 2008-08-27 14:04 <DIR> d-------- C:\Documents and Settings\Me\Application Data\uTorrent
2008-08-10 11:38 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\SYSTEM32\TweakUI.exe
2008-08-10 11:38 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\SYSTEM32\PowerToysLicense.rtf
2008-08-10 11:18 . 2008-08-10 11:35 956 --a------ C:\Trash.lnk
2008-08-10 10:15 . 2008-08-10 10:15 104 --a------ C:\Recycle Bin.lnk
2008-08-10 00:39 . 2008-08-10 00:32 160,792 --a------ C:\WINDOWS\SYSTEM32\drivers\pctfw2.sys
2008-08-10 00:22 . 2008-08-10 00:39 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-08-10 00:20 . 2008-08-10 00:20 <DIR> d-------- C:\Documents and Settings\Me\Application Data\PC Tools
2008-08-10 00:20 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\SYSTEM32\drivers\iksyssec.sys
2008-08-10 00:20 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\SYSTEM32\drivers\iksysflt.sys
2008-08-10 00:20 . 2008-08-10 00:32 42,376 --a------ C:\WINDOWS\SYSTEM32\drivers\ikfilesec.sys
2008-08-10 00:20 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\SYSTEM32\drivers\kcom.sys
2008-08-10 00:01 . 2008-08-10 00:12 <DIR> d-------- C:\Shell
2008-08-08 05:13 . 2008-08-10 12:51 81 --a------ C:\WINDOWS\WB.ini
2008-08-08 01:35 . 2008-08-09 20:53 <DIR> d-------- C:\Program Files\Stardock
2008-08-08 01:35 . 2007-07-11 15:06 42,672 --a------ C:\WINDOWS\SYSTEM32\wbsys.dll
2008-08-06 21:29 . 2008-08-06 21:29 <DIR> d-------- C:\Documents and Settings\Me\Application Data\Malwarebytes
2008-08-06 21:28 . 2008-08-22 01:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 21:28 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\SYSTEM32\drivers\mbamswissarmy.sys
2008-08-06 21:28 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\SYSTEM32\drivers\mbam.sys
2008-08-06 19:34 . 2004-08-04 03:56 116,224 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\xrxwiadr.dll
2008-08-06 19:34 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\xlog.exe
2008-08-06 19:34 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\xrxftplt.exe
2008-08-06 19:34 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\xrxwbtmp.dll
2008-08-06 19:34 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\xrxscnui.dll
2008-08-06 19:34 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\xem336n5.sys
2008-08-06 19:34 . 2004-08-04 03:56 8,192 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\wshirda.dll
2008-08-06 19:34 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\xrxflnch.exe
2008-08-06 19:32 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\usr1801.sys
2008-08-06 19:31 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\tridxp.dll
2008-08-06 19:30 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\stlnata.sys
2008-08-06 19:29 . 2001-08-17 14:56 157,696 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\sisv256.dll
2008-08-06 19:28 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\sblfx.dll
2008-08-06 19:27 . 2001-08-17 14:56 182,272 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\s3mt3d.dll
2008-08-06 19:26 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\r2mdkxga.sys
2008-08-06 19:25 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\ovcodek2.sys
2008-08-06 19:24 . 2001-08-17 12:50 198,144 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\nv3.sys
2008-08-06 19:24 . 2001-08-17 22:36 123,776 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\nv3.dll
2008-08-06 19:24 . 2001-08-17 12:20 54,528 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\opl3sax.sys
2008-08-06 19:24 . 2001-08-17 12:49 51,552 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\ntgrip.sys
2008-08-06 19:24 . 2004-08-04 02:00 28,672 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\nscirda.sys
2008-08-06 19:24 . 2001-08-17 12:12 27,209 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\otc06x5.sys
2008-08-06 19:24 . 2001-08-17 13:47 9,344 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\ntapm.sys
2008-08-06 19:24 . 2001-08-17 13:53 7,552 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\nsmmc.sys
2008-08-06 19:22 . 2001-08-18 08:00 111,104 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\mtstocom.exe
2008-08-06 19:22 . 2001-08-17 12:50 103,296 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\mtxvideo.sys
2008-08-06 19:22 . 2001-08-17 13:50 75,520 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\mxport.sys
2008-08-06 19:22 . 2004-08-04 02:09 49,024 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\mstape.sys
2008-08-06 19:22 . 2004-08-04 02:00 22,016 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\msircomm.sys
2008-08-06 19:22 . 2001-08-17 13:50 21,888 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\mxcard.sys
2008-08-06 19:22 . 2001-08-17 13:49 19,968 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\mxnic.sys
2008-08-06 19:22 . 2001-08-17 22:36 19,968 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\mxicfg.dll
2008-08-06 19:22 . 2001-08-17 13:48 12,416 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\msriffwv.sys
2008-08-06 19:22 . 2001-08-17 22:36 7,168 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\mxport.dll
2008-08-06 19:22 . 2001-08-17 14:00 2,944 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\msmpu401.sys
2008-08-06 19:20 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\ltsm.sys
2008-08-06 19:19 . 2004-08-04 03:56 152,576 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\irftp.exe
2008-08-06 19:19 . 2001-08-17 22:36 90,200 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\io8ports.dll
2008-08-06 19:19 . 2004-08-04 02:00 87,424 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\irda.sys
2008-08-06 19:19 . 2001-08-17 12:12 45,632 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\ip5515.sys
2008-08-06 19:19 . 2001-08-17 13:50 38,784 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\io8.sys
2008-08-06 19:19 . 2004-08-04 03:56 27,136 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\irmon.dll
2008-08-06 19:19 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\irstusb.sys
2008-08-06 19:19 . 2001-08-17 13:49 23,552 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\irmk7.sys
2008-08-06 19:19 . 2001-08-17 13:51 18,688 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\irsir.sys
2008-08-06 19:19 . 2001-08-17 13:52 16,000 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\ini910u.sys
2008-08-06 19:19 . 2001-08-17 13:47 13,056 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\inport.sys
2008-08-06 19:17 . 2001-08-17 13:28 907,456 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\hcf_msft.sys
2008-08-06 19:16 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\g400d.dll
2008-08-06 19:15 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\el656ct5.sys
2008-08-06 19:14 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\diwan.sys
2008-08-06 19:13 . 2004-08-04 03:56 249,856 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\ctmasetp.dll
2008-08-06 19:12 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\cicap.sys
2008-08-06 19:11 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\bcmdm.sys
2008-08-06 19:10 . 2001-08-17 14:55 382,592 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\atidrab.dll
2008-08-06 19:09 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\3cwmcru.sys
2008-08-06 19:07 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\s3legacy.dll
2008-08-05 06:16 . 2008-08-05 06:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-08-05 04:58 . 2008-08-24 12:48 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-05 04:00 . 2008-08-05 06:18 <DIR> d-------- C:\WINDOWS\rnapxs
2008-08-04 17:42 . 2008-08-04 17:42 921 --a------ C:\WINDOWS\QSFVExit.bat
2008-08-01 20:13 . 2008-08-05 04:03 <DIR> d-------- C:\Documents and Settings\Me\Application Data\Auslogics
2008-08-01 02:37 . 2008-08-01 02:37 145 --a------ C:\WINDOWS\SYSTEM32\winver.bat
2008-08-01 01:31 . 2008-08-01 01:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-01 01:14 . 2008-08-01 01:14 2 --a------ C:\-1533023409

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 04:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-26 04:30 102,407 ----a-w C:\WINDOWS\SYSTEM32\USB.BAT
2008-08-25 06:02 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-22 02:52 --------- d-----w C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Auslogics
2008-08-21 18:37 --------- d-----w C:\Program Files\AIM6
2008-08-21 18:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-08-10 12:50 --------- d-----w C:\Documents and Settings\Me\Application Data\Media Player Classic
2008-08-10 12:36 --------- d-----w C:\Program Files\DivX
2008-08-10 07:09 --------- d-----w C:\Program Files\VideoLAN
2008-08-05 10:28 --------- d-----w C:\Documents and Settings\Me\Application Data\MySpace
2008-08-01 22:08 --------- d-----w C:\Program Files\Java
2008-07-26 13:05 413,696 ----a-w C:\WINDOWS\SYSTEM32\wrap_oal.dll
2008-07-26 13:05 110,592 ----a-w C:\WINDOWS\SYSTEM32\OpenAL32.dll
2008-07-26 12:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Tages
2008-07-26 12:48 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-07-26 12:48 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-07-26 12:33 --------- d-----w C:\Program Files\OpenAL
2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2008-07-20 16:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-19 19:32 --------- d-----w C:\Documents and Settings\Me\Application Data\LimeWire
2008-07-19 18:31 --------- d-----w C:\Program Files\Windows Live
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2008-07-18 18:31 --------- d-----w C:\Program Files\Zune
2008-07-14 06:17 --------- d-----w C:\Program Files\QuickTime
2008-07-14 06:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-14 06:15 --------- d-----w C:\Program Files\Apple Software Update
2008-07-14 06:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-05 23:14 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-05 23:11 --------- d-----w C:\Program Files\WinMX
2008-07-05 23:09 --------- d-----w C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\BitTorrent
2008-07-03 21:59 --------- d-----w C:\Documents and Settings\Me\Application Data\DivX
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\rnapxs ----



((((((((((((((((((((((((((((( snapshot@2008-08-25_18.45.21.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-27 22:03:35 61,440 ----a-r C:\WINDOWS\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\helpicon.exe
+ 2008-08-27 22:03:35 32,768 ----a-r C:\WINDOWS\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\maintenance_icon.exe
+ 2008-08-27 22:03:35 22,486 ----a-r C:\WINDOWS\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\register_icon.exe
+ 2008-08-27 22:03:35 57,344 ----a-r C:\WINDOWS\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\texticon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30 45632]
"QuickTime Task"="C:\Program Files\QuickTime\bak\bak\qttask.exe" [2007-02-16 10:54 282624]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 03:56 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 04:48 53760 C:\WINDOWS\SYSTEM32\narrator.exe]

C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 22:22:52 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wbsrv]
2008-08-08 05:06 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CompuServe 2000 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CompuServe 2000 Tray Icon.lnk
backup=C:\WINDOWS\pss\CompuServe 2000 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
backup=C:\WINDOWS\pss\hp center UI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Me^Start Menu^Programs^Startup^Adobe Media Player.lnk]
path=C:\Documents and Settings\Me\Start Menu\Programs\Startup\Adobe Media Player.lnk
backup=C:\WINDOWS\pss\Adobe Media Player.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-10-04 11:20 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]
--a------ 2008-08-14 20:14 716800 C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDWizReg]
--a------ 2008-08-15 11:04 811008 C:\Program Files\BitDefender\BitDefender 2009\bdwizreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDefender Antiphishing Helper]
--a------ 2008-08-10 23:53 69632 C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a--c--- 2008-08-08 08:11 490952 G:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-12-18 21:47 8720384 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qnext]
--a------ 2008-03-04 23:11 51712 C:\Program Files\Qnext\qnext.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\bak\bak\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
--a------ 2006-06-08 10:05 5541888 C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"iPod Service"=3 (0x3)
"LIVESRV"=2 (0x2)
"Arrakis3"=3 (0x3)
"VSSERV"=2 (0x2)
"sdcoreservice"=3 (0x3)
"sdauxservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YAHOOM~1.EXE1193355090"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\All Users\\Documents\\Nesticle\\NESTCL95.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Qnext\\qnextclient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizzard downloader
"6112:TCP"= 6112:TCP:blizzard downloader
"20982:TCP"= 20982:TCP:BitComet 20982 TCP
"20982:UDP"= 20982:UDP:BitComet 20982 UDP
"22721:TCP"= 22721:TCP:BitComet 22721 TCP
"22721:UDP"= 22721:UDP:BitComet 22721 UDP
"15407:TCP"= 15407:TCP:BitCometLite 15407 TCP
"15407:UDP"= 15407:UDP:BitCometLite 15407 UDP

R1 pctfw2;pctfw2;C:\WINDOWS\SYSTEM32\drivers\pctfw2.sys [2008-08-10 00:32]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 19:39]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 19:56]
R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM);C:\WINDOWS\system32\drivers\e10kx2k.sys [2001-11-16 14:01]
S3 cdiskdun;cdiskdun;C:\DOCUME~1\Owner\LOCALS~1\Temp\cdiskdun.sys []
S3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm.sys [2001-12-27 23:11]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-05-07 14:47]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 19:56]
S4 Arrakis3;BitDefender Arrakis Server;C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 13:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-07-30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-07-30 C:\WINDOWS\Tasks\{6884D617-6F4D-45DE-A4FE-249400B81AE4}_YOUR-FULKL1OH2Q_Jenn.job
- C:\WINDOWS\system32\mobsync.exe [2004-08-04 03:56]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-checktime - c:\program files\HPSelect\Frontend\ct.exe
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 18:13:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-27 18:15:47
ComboFix-quarantined-files.txt 2008-08-27 22:15:18
ComboFix2.txt 2008-08-25 22:46:40

Pre-Run: 9,738,080,256 bytes free
Post-Run: 9,790,660,608 bytes free

341 --- E O F --- 2008-08-27 21:57:49
Find AWF report by noahdfear 2006
Version 1.40

The current date is: Wed 08/27/2008
The current time is: 18:19:42.25


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:57 PM, on 8/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
G:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZNfox000
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093467278359
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs1b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5156 bytes

#8 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • Gender:Male
  • Location:Auckland NZ
  • Local time:10:42 AM

Posted 28 August 2008 - 06:20 AM

Hi Brett,

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\WINDOWS\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\helpicon.exe
C:\WINDOWS\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\maintenance_icon.exe
C:\WINDOWS\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\register_icon.exe
C:\WINDOWS\Installer\{5DF86878-462F-41F2-96E0-E82EE57EC7D3}\texticon.exe
C:\-1533023409

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


Also, please go here and follow the Restoring the missing files section of the page.

Once complete, try running FindAWF again, following the instructions in my previous post.

#9 Brett Smith

Brett Smith
  • Topic Starter

  • Members
  • 12 posts
  • Local time:06:42 PM

Posted 28 August 2008 - 07:55 PM

Dear Brett,

The scans on those files all came back as OK. The same message came up again while trying to run FindAWF.exe.

Edited by Brett Smith, 28 August 2008 - 07:56 PM.


#10 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • Gender:Male
  • Location:Auckland NZ
  • Local time:10:42 AM

Posted 29 August 2008 - 05:06 PM

Hi Brett, don't worry about FindAWF; the error was on my part.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
DM

#11 Brett Smith

Brett Smith
  • Topic Starter

  • Members
  • 12 posts
  • Local time:06:42 PM

Posted 30 August 2008 - 11:54 PM

Brett,

Wow, I didn't know that this was going to take the better part of a day, something along the lines of 10 hours, and I didn't expect nearly as many results as I got.
*****************************************************************************************************************************************************************************
ANALYSIS: 2008-09-30 23:17:20
PROTECTIONS: 1
MALWARE: 43
SUSPECTS: 2
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Spyware Doctor with AntiVirus <NULL> No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00024343 adware/keenvalue Adware No 0 Yes No c:\windows\system32\drivers\etc\hosts.bho
00029434 spyware/virtumonde Spyware No 1 Yes No c:\windows\dpusys.ini
00029459 spyware/betterinet Spyware No 1 Yes No c:\windows\inf\payload2.inf
00029459 spyware/betterinet Spyware No 1 Yes No c:\windows\inf\biini.inf
00040297 adware/blazefind Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\windows sr 2.0
00040740 adware/dopewars Adware No 0 Yes No hkey_local_machine\software\beermat software
00047863 adware/ieplugin Adware No 0 Yes No c:\windows\kwv2.dat
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Cookies\jessica@trafficmp[1].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.trafficmp.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Cookies\jessica@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Jenn\Local Settings\Temp\Cookies\jenn@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Jenn\Cookies\jenn@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Jenn\Local Settings\Temp\Cookies\jenn@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Cookies\jessica@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.247realmedia.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@247realmedia[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Cookies\jessica@fastclick[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Jenn\Local Settings\Temp\Cookies\jenn@mediaplex[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Cookies\jessica@mediaplex[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@clickbank[1].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.revenue.net/]
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.yadro.ru/]
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.yadro.ru/]
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.azjmp.com/]
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.perf.overture.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jenn\Cookies\jenn@ad.yieldmanager[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jenn\Local Settings\Temp\Cookies\jenn@ad.yieldmanager[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Cookies\jessica@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Me\Cookies\me@apmebf[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Jenn\Cookies\jenn@apmebf[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@apmebf[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@serving-sys[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Cookies\jessica@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.bs.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.bs.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Cookies\jessica@bs.serving-sys[2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.adtech.de/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Cookies\jessica@advertising[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Me\Cookies\me@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Jenn\Local Settings\Temp\Cookies\jenn@advertising[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Jenn\Cookies\jenn@advertising[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.advertising.com/]
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@media.adrevolver[1].txt
00169752 application/need2find HackTools No 0 Yes No HKEY_CLASSES_ROOT\Interface\{4D1C4E8A-A32A-416B-BCDB-33B3EF3617D3}
00169752 application/need2find HackTools No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\need2findbar uninstall
00169752 application/need2find HackTools No 0 Yes No hkey_local_machine\software\need2find
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Cookies\jessica@ads.pointroll[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.ads.pointroll.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.overture.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.overture.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.overture.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Jenn\Local Settings\Temp\Cookies\jenn@questionmarket[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@adrevolver[2].txt
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.bravenet.com/]
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.bravenet.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@go[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Jenn\Cookies\jenn@go[1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@searchportal.information[1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[searchportal.information.com/]
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Jenn\Cookies\jenn@searchportal.information[1].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Jenn\Cookies\jenn@target[1].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@target[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.target.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.atwola.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Jenn\Local Settings\Temp\Cookies\jenn@atwola[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Jenn\Cookies\jenn@atwola[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.YOUR-FULKL1OH2Q\Application Data\Mozilla\Firefox\Profiles\iw4tljwm.default\cookies.txt[.atwola.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Cookies\jessica@atwola[1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[2].txt
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[citi.bridgetrack.com/]
01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\hvmomgag.default\cookies.txt[.adserver.easyad.info/]
02899253 Cookie/AntiSpyKit TrackingCookie No 0 Yes No C:\Documents and Settings\Jenn\Cookies\jenn@antispykit[1].txt
;===================================================================================================================================================================================
SUSPECTS
Sent Location 
;===================================================================================================================================================================================
No C:\Documents and Settings\Me\Desktop\ComboFix.exe 
No C:\hp\bin\KillIt.exe 
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 
;===================================================================================================================================================================================
;======================================================================

#12 dark messenger

  • Members
  • 1,741 posts
  • Gender:Male
  • Location:Auckland NZ

Posted 01 September 2008 - 10:02 AM

Hi Brett, I don't understand why it took so long!

Please open My Computer and click Tools > Folder Options. Then click the View tab and select Show hidden files and folders. Click OK.
Now navigate to and delete the following files:

c:\windows\system32\drivers\etc\hosts.bho
c:\windows\dpusys.ini
c:\windows\inf\payload2.inf
c:\windows\inf\biini.inf
c:\windows\kwv2.dat

Now please click Start > Run, type in regedit and press Enter, or click OK. When the window opens, click File > Export, choose the file name regbackup and save it to your desktop. Then close the window.

Please open Notepad and copy the contents of the box below into it. Save it to your desktop as fix.reg, with the file type set to All Files. Double-click fix.reg and, when prompted to merge with the registry, click Yes/OK.

REGEDIT4

; A leading "-" inside the brackets tells Regedit to delete the key and everything under it.
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\windows sr 2.0]

[-HKEY_LOCAL_MACHINE\software\beermat software]

Reboot back into normal mode. Please let me know if any problems arise after reboot. If none arise, please follow the next step.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please post a new HJT log

DM
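The clean-up above deletes the five files outright and then merges a .reg file that removes two keys. The version of that procedure a responder would prefer keeps evidence: move each file into a quarantine folder under a hash-prefixed name and write a manifest, so nothing is lost if a file turns out to be needed for analysis (or was a false positive), and generate the .reg text from a list rather than typing it. The script below is an added example written for this page, not a tool from the thread or from the HijackThis project. It assumes Python is available on whatever machine the helper works from; the file names are the ones listed in the post, recreated in a temporary directory with constructed contents, and kwv2.dat is deliberately left absent to show how a missing file is recorded rather than treated as an error. The registry keys are the two from the posted fix.reg.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Keys the fix.reg in the thread removes; in a REGEDIT4 file a leading "-"
# inside the brackets means "delete this key and everything under it".
KEYS_FROM_THREAD = [
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\windows sr 2.0",
    r"HKEY_LOCAL_MACHINE\software\beermat software",
]


def sha256_file(path: Path) -> str:
    """Hash the file in chunks so a large file does not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def quarantine(paths: Iterable[Path], quarantine_dir: Path) -> List[Dict[str, str]]:
    """Move each listed file into quarantine_dir instead of deleting it.

    One record per path is returned and written to manifest.json: hash and
    origin for files that were present, a 'not found' status for files that
    were not (a missing file is information for the helper, not an error).
    """
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    records: List[Dict[str, str]] = []
    for path in paths:
        if not path.is_file():
            records.append({"path": str(path), "status": "not found"})
            continue
        digest = sha256_file(path)
        # Prefix with the hash so two files with the same name cannot collide,
        # and add an extension that nothing opens or executes by default.
        dest = quarantine_dir / f"{digest[:16]}_{path.name}.quarantined"
        shutil.move(str(path), str(dest))
        records.append({
            "path": str(path),
            "status": "quarantined",
            "sha256": digest,
            "stored_as": str(dest),
        })
    (quarantine_dir / "manifest.json").write_text(json.dumps(records, indent=2))
    return records


def build_reg_fix(keys_to_delete: Iterable[str]) -> str:
    """Return the text of a REGEDIT4 .reg file that deletes the given keys."""
    lines = ["REGEDIT4", ""]
    for key in keys_to_delete:
        lines.append(f"[-{key}]")
        lines.append("")
    # Regedit expects CRLF line endings in .reg files.
    return "\r\n".join(lines)


def run_demo():
    """Constructed demo: recreate the file names from the thread in a temp
    directory, leave one of them absent, and quarantine the whole list."""
    root = Path(tempfile.mkdtemp(prefix="hjt_demo_"))
    present = ["hosts.bho", "dpusys.ini", "payload2.inf", "biini.inf"]
    for name in present:
        (root / name).write_bytes(b"constructed sample content for " + name.encode())
    targets = [root / name for name in present + ["kwv2.dat"]]  # kwv2.dat is never created
    records = quarantine(targets, root / "quarantine")
    return records, build_reg_fix(KEYS_FROM_THREAD)


if __name__ == "__main__":
    demo_records, reg_text = run_demo()
    print(json.dumps(demo_records, indent=2))
    print(reg_text)
```

On a real machine you would pass the absolute paths from the post to quarantine() and, before merging the generated .reg, export the affected hive with `reg export HKLM\Software regbackup.reg` (reg.exe ships with Windows XP), which is the scripted equivalent of the File > Export step above.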

#13 Brett Smith
  • Topic Starter

  • Members
  • 12 posts

Posted 02 September 2008 - 08:50 AM

Hello Brett,

Here is the latest HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:00 AM, on 10/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\ctfmon.exe
G:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Qnext] "C:\Program Files\Qnext\qnext.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "G:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZNfox000
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093467278359
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs1b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
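Reading a HijackThis log by hand means scanning for a handful of recurring patterns: a target marked "(file missing)", a service with no publisher ("Unknown owner"), an autostart registered under the SYSTEM or Default User hive, an O8 context-menu item whose target is neither a URL nor a path, an O16 ActiveX entry with no download URL. The script below is an added example for this page, not part of the thread or of HijackThis, that applies those checks to the entry format shown in the log above. The sample entries are copied from that log (including the O8 line the helper goes on to fix), with two ordinary NVIDIA entries and a normal Flash O16 entry as lines the rules should leave alone. The heuristics are my own reading of the patterns and produce items to review, not verdicts: a flagged MySpaceIM autostart under SYSTEM is unusual, not proof of infection.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: entries copied from the HijackThis log posted in the
# thread, plus clean NVIDIA and Flash entries so the rules have lines to ignore.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O8 - Extra context menu item: &Search - ?p=ZNfox000
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HJT entry starts with a section code such as R1, O4 or O23, then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

Finding = Tuple[str, str, str]  # (section, reason, original line)


def _target(body: str) -> str:
    """The last ' - '-separated field of an entry is its target (path or URL);
    an entry that ends in a bare '-' has an empty target."""
    body = body.rstrip()
    if body.endswith(" -"):
        return ""
    return body.rsplit(" - ", 1)[-1].strip()


def _looks_like_url_or_path(target: str) -> bool:
    if target.lower().startswith(("http://", "https://", "res://", "file://")):
        return True
    return re.match(r"^[A-Za-z]:\\", target) is not None  # drive-letter path


def _rules(section: str, body: str) -> List[str]:
    """Return the review reasons that apply to one entry (possibly several)."""
    reasons: List[str] = []
    if "(file missing)" in body:
        reasons.append("target file is missing: orphaned entry; find out why the file vanished before removing it")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no publisher string: confirm where it came from")
    if section == "O4" and body.startswith((r"HKUS\S-1-5-18", r"HKUS\.DEFAULT", ".DEFAULT User Startup")):
        reasons.append("autostart under the SYSTEM or Default User hive: end-user software rarely belongs there")
    if section == "O8" and not _looks_like_url_or_path(_target(body)):
        reasons.append("context-menu item points at something that is neither a URL nor a local path")
    if section == "O16" and _target(body) == "":
        reasons.append("ActiveX (DPF) registration with no download URL: leftover entry")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run the rules over every entry line; headers and the process list are skipped."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        match = ENTRY_RE.match(line)
        if not match:
            continue
        section, body = match.group("section"), match.group("body")
        for reason in _rules(section, body):
            findings.append((section, reason, line))
    return findings


def count_by_section(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for section, _, _ in findings:
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Point triage() at the text of a full log and each flagged entry comes back with the reason it was flagged, which is the list a helper would then compare against the rest of the thread before deciding what to fix.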

#14 dark messenger

  • Members
  • 1,741 posts
  • Gender:Male
  • Location:Auckland NZ

Posted 02 September 2008 - 09:52 AM

Hi Brett.

I notice that your BitDefender antivirus is not running. Have you disabled it or uninstalled it?
Either way, please re-enable it or download it again; it's vital to have it installed to reduce the risk of getting infected again. :)

Please run HijackThis, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your desktop) and click the Fix Checked button.

O8 - Extra context menu item: &Search - ?p=ZNfox000


Please reboot your computer and show me what will hopefully be your final HJT log :thumbsup:

DM

#15 Brett Smith
  • Topic Starter

  • Members
  • 12 posts

Posted 03 September 2008 - 08:40 PM

Brett,

Last one, really?? That makes me happy. Does that mean that some of the programs I have used because of this problem can be removed? The reason BitDefender wasn't running was that it slowed my computer down and often became unresponsive. I was in the process of installing Avast. Believe me, I am not going to go through all the trouble of getting rid of the problem just to leave myself prone to future complications and have all your hard work and help go to waste. Here is, hopefully, my last HJT log. Thank you again and again!!! :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:57 PM, on 10/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\taskswitch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
G:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Qnext] "C:\Program Files\Qnext\qnext.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "G:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093467278359
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs1b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6015 bytes