Help removing vundo/virtumonde


This topic is locked
17 replies to this topic

#1 fitz0224


Posted 15 November 2008 - 11:08 PM

I have been trying for a week to remove vundo/virtumonde using Spybot, Ad-Aware, Trend Micro. Spybot is the only one detecting virtumonde and it says it fixes it but it returns once you restart the computer. The popups are starting to increase and the Spybot registry changes are occurring more frequently. Here is the HijackThis log. Thanks for the help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:55 PM, on 11/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FlashMute\FlashMute.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\Internet Security\UfLogUi.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FlashMute] C:\Program Files\FlashMute\FlashMute.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Filter hijack: text/html - {4214de22-e4e7-48c2-a58b-98a6ad5ef049} - C:\WINDOWS\system32\msziptools.dll
O20 - AppInit_DLLs: , bhhecz.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


#2 The Gorilla


Posted 18 November 2008 - 03:20 PM

Hi fitz0224, Welcome to Bleeping Computer Forums! :thumbsup:

I am The Gorilla, and I will be helping you with this log.

It may assist you to save this page as a favourite for easy recall in the future.

Can I draw your attention to the following:
I will be handling your log and helping you; please do not make any system changes yet.
The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient: even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way, only to have the system re-infect itself.
These fixes are specific to your problem and should only be used for this issue on this machine.
If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible. There may be a short delay in replying to you, as all my posts to you need to be checked over by a HJT Expert.



Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself.

#3 fitz0224


Posted 18 November 2008 - 08:23 PM

Hi The Gorilla, thanks for the help. Sorry to make things more difficult, but one of my family members clicked on one of the Antivirus 2009 popups and some things have changed. Here is a new log. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:14 PM, on 11/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FlashMute\FlashMute.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FlashMute] C:\Program Files\FlashMute\FlashMute.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Filter hijack: text/html - {4214de22-e4e7-48c2-a58b-98a6ad5ef049} - C:\WINDOWS\system32\msziptools.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#4 The Gorilla


Posted 19 November 2008 - 06:06 PM

Hi :thumbsup:

Thanks for the update in relation to the family member and Antivirus 2009. Can I ask that in relation to this you make no changes to your computer. I will deal with that infection too.

It would appear that some malware is hiding from us and therefore we need to expose it prior to treating it.

Step #1
I need you to rename HijackThis.

Please follow the path below and rename HijackThis to Gorilla.exe by right-clicking on it and using Rename:

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <---rename this file to Gorilla.exe


Step #2
Please post back a new HijackThis log (taken with the renamed Gorilla.exe).

:)

#5 fitz0224


Posted 19 November 2008 - 07:07 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:45 PM, on 11/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FlashMute\FlashMute.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Gorilla.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C96BD99-F249-4C14-A5A1-DE668129F515} - (no file)
O2 - BHO: (no name) - {1309D3BE-AD8D-42EA-9717-FFDC30F0E342} - (no file)
O2 - BHO: (no name) - {299B5FAC-2168-4A5D-A67D-AA4C8F8055DA} - (no file)
O2 - BHO: (no name) - {2F2BCD28-AF1F-4393-8414-D65D57C4794B} - (no file)
O2 - BHO: (no name) - {3FDCD7BF-3C9F-4C4D-9993-78FF11B7B4C5} - (no file)
O2 - BHO: (no name) - {4B023D79-C179-4AAB-9E50-DE029FF2CCA3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - C:\WINDOWS\system32\opNGwVNd.dll
O2 - BHO: (no name) - {BEBF2EAD-8D3F-438C-A7ED-91DE4F12A42E} - C:\WINDOWS\system32\fccddaXQ.dll
O2 - BHO: (no name) - {E3760214-CF7B-4546-AB54-9FCF0365E9ED} - (no file)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FlashMute] C:\Program Files\FlashMute\FlashMute.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Filter hijack: text/html - {4214de22-e4e7-48c2-a58b-98a6ad5ef049} - C:\WINDOWS\system32\msziptools.dll
O20 - Winlogon Notify: nnnmKCSi - nnnmKCSi.dll (file missing)
O20 - Winlogon Notify: opNGwVNd - C:\WINDOWS\SYSTEM32\opNGwVNd.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


#6 The Gorilla


Posted 20 November 2008 - 01:40 PM

Hi fitz0224

Ok, thanks for renaming HijackThis; you will be able to see that it did reveal a few more files. Although I can't see direct evidence of Antivirus 2009, I will keep an eye out for it as we progress and, if evident, remove it :thumbsup:

A few steps for you to do here; for ease I would either print out this post and/or save it to Notepad for future reference. If you have any questions please come back to me.

Step #1
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.


Step #2
Please disable Spybot S&D's TeaTimer protection, because it is known to interfere with our fixes.
You can enable it again after you're clean.
Open Spybot and click on 'Mode' then click 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.


Step #3
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Finally, please post back the following;
  • How your computer is running
  • The Combofix log
:)

#7 fitz0224

fitz0224
  • Topic Starter

  • Members
  • 10 posts

Posted 20 November 2008 - 03:44 PM

Hi,

I think the antivirus 2009 may have been removed by Trend Micro PC-Cillin. Since the other problems weren't fixed by my antivirus program, I thought that the new one wouldn't be either. But it appears that it has been fixed. There are still problems with the pop-ups. Today, there have been times when I close one and another one pops up. It seems like they start when I do a Google search and they are in Internet Explorer, while I use Firefox. There is always an iexplore.exe in the processes and it helps a little to end that when the pop-ups occur. It comes back after a little bit, though. Could Spybot interfere with how PC-Cillin works? After my first post, before I knew not to change anything, I was trying a few different things and I had removed Spybot. The PC-Cillin showed a bunch of new vundo entries, but the problems are still there. Are there any specific things I should be doing in relation to use of this computer while it's infected? Thanks again for the help. Here's the new log.

ComboFix 08-11-19.08 - HP_Administrator 2008-11-20 15:04:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.215 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common\helper.sig
c:\program files\GetModule
c:\program files\Mjcore
c:\program files\scurit~1
c:\program files\scurit~1\s?curity\
c:\windows\system32\awttSlml.dll
c:\windows\system32\brastk.exe
c:\windows\system32\DeMmonpo.ini
c:\windows\system32\DeMmonpo.ini2
c:\windows\system32\denwgicj.ini
c:\windows\system32\distamgd.ini
c:\windows\system32\drrkwgoi.ini
c:\windows\system32\evpytjqx.ini
c:\windows\system32\fccddaXQ.dll
c:\windows\system32\hfccpkne.ini
c:\windows\system32\ieupdates.exe.tmp
c:\windows\system32\iSsAIkkj.ini
c:\windows\system32\iSsAIkkj.ini2
c:\windows\system32\jbxstynw.ini
c:\windows\system32\ktphua.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\msziptools.dll
c:\windows\system32\ngnjtoqs.dll
c:\windows\system32\opNGwVNd.dll
c:\windows\system32\pifukfgx.ini
c:\windows\system32\QXaddccf.ini
c:\windows\system32\QXaddccf.ini2
c:\windows\system32\rdpneuoa.dll
c:\windows\system32\sqotjngn.ini
c:\windows\system32\uBbdKkkj.ini
c:\windows\system32\uBbdKkkj.ini2
c:\windows\system32\xgfkufip.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-20 09:26 . 2008-11-20 09:26 5,753 --a------ c:\windows\system32\dkgissrw.dll
2008-11-19 21:22 . 2008-11-19 21:22 5,749 --a------ c:\windows\system32\bnntacqk.dll
2008-11-18 21:20 . 2008-11-18 21:20 5,749 --a------ c:\windows\system32\tbpkjkkn.dll
2008-11-17 14:17 . 2008-11-17 14:17 5,749 --a------ c:\windows\system32\pxgnygnb.dll
2008-11-17 14:14 . 2008-11-17 14:14 5,753 --a------ c:\windows\system32\hwvslouy.dll
2008-11-16 22:13 . 2008-11-16 22:13 5,711 --a------ c:\windows\system32\tsrsowhw.dll
2008-11-16 16:29 . 2008-11-16 16:29 <DIR> d-------- c:\program files\Opera
2008-11-15 20:22 . 2008-11-15 20:22 5,711 --a------ c:\windows\system32\uptejvlj.dll
2008-11-15 16:38 . 2008-11-18 13:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-11-15 08:53 . 2008-11-15 08:53 5,711 --a------ c:\windows\system32\rnxbvmim.dll
2008-11-11 09:04 . 2008-11-11 09:04 5,751 --a------ c:\windows\system32\nfulycnw.dll
2008-11-10 06:54 . 2008-11-10 06:54 5,751 --a------ c:\windows\system32\dcvlsddv.dll
2008-11-09 17:13 . 2008-11-09 17:13 <DIR> d-------- C:\VundoFix Backups
2008-11-09 15:27 . 2008-11-09 15:27 <DIR> d-------- c:\program files\Lavasoft
2008-11-09 15:25 . 2008-11-09 15:25 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-09 06:13 . 2008-11-09 06:13 5,751 --a------ c:\windows\system32\ktunxesw.dll
2008-11-09 06:11 . 2008-11-09 06:11 5,753 --a------ c:\windows\system32\vaishtqp.dll
2008-11-08 23:31 . 2008-11-09 09:45 23,040 --a------ c:\documents and settings\HP_Administrator\~.exe
2008-11-01 08:34 . 2008-11-01 08:34 5,753 --a------ c:\windows\system32\cccpkotn.dll
2008-11-01 08:34 . 2008-11-01 08:34 5,751 --a------ c:\windows\system32\oxaxbarr.dll
2008-10-28 18:06 . 2008-11-18 15:31 <DIR> d-------- c:\program files\VS Revo Group
2008-10-28 18:05 . 2008-10-28 18:05 <DIR> d-------- c:\program files\CCleaner
2008-10-28 18:01 . 2008-11-18 13:13 937 --a------ c:\windows\wininit.ini
2008-10-28 17:16 . 2008-11-18 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-24 08:25 . 2008-10-15 11:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 20:05 --------- d-----w c:\program files\Common
2008-11-20 19:49 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-18 22:32 --------- d-----w c:\program files\Google
2008-11-18 19:42 16,384 ----a-w c:\windows\DCEBoot.exe
2008-11-16 05:26 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 21:17 --------- d-----w c:\program files\Trend Micro
2008-11-09 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-08 18:21 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Move Networks
2008-10-31 00:05 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\LimeWire
2008-10-19 15:56 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\GetModule
2008-10-13 04:08 --------- d-----w c:\program files\Apple Software Update
2008-10-13 04:01 --------- d-----w c:\program files\iTunes
2008-10-13 04:01 --------- d-----w c:\program files\iPod
2008-10-13 04:01 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-13 03:57 --------- d-----w c:\program files\QuickTime
2008-10-13 03:20 --------- d-----w c:\program files\Bonjour
2008-10-09 23:27 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\InterVideo
2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-29 21:28 --------- d-----w c:\program files\Yahoo!
2008-09-28 04:05 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Winamp
2008-09-26 23:47 --------- d-----w c:\program files\Winamp
2008-09-21 16:13 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Apple Computer
2008-09-04 23:11 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-09-04 23:11 249,856 ------w c:\windows\Setup1.exe
2008-08-23 18:03 76,360 ----a-w c:\documents and settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-05-15 17:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042120080428\index.dat
2008-05-15 17:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051520080516\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-05-03 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-05-03 23:10 66912 --a------ c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"FlashMute"="c:\program files\FlashMute\FlashMute.exe" [2005-12-18 143360]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-11-23 851968]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-24 344064]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 c:\windows\ALCWZRD.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 241664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ktphua.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0C96BD99-F249-4C14-A5A1-DE668129F515} - (no file)
BHO-{1309D3BE-AD8D-42EA-9717-FFDC30F0E342} - (no file)
BHO-{2F2BCD28-AF1F-4393-8414-D65D57C4794B} - (no file)
BHO-{3FDCD7BF-3C9F-4C4D-9993-78FF11B7B4C5} - (no file)
BHO-{4B023D79-C179-4AAB-9E50-DE029FF2CCA3} - (no file)
BHO-{e04a4549-ca99-4cfe-afe6-4fbcce3de7d3} - c:\windows\system32\ktphua.dll
BHO-{E3760214-CF7B-4546-AB54-9FCF0365E9ED} - (no file)
BHO-{F1915A84-7622-4BE9-837C-4A4554DE15B6} - c:\windows\system32\fccddaXQ.dll
HKCU-Run-Aim6 - (no file)
Notify-nnnmKCSi - nnnmKCSi.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\krdnikuh.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.cnn.com
FF -: plugin - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\krdnikuh.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000004.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 15:14:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\explorer.exe
-> c:\program files\FlashMute\mutelib.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Windows Defender\MsMpEng.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\dllhost.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe
c:\program files\Trend Micro\Internet Security\TmProxy.exe
.
**************************************************************************
.
Completion time: 2008-11-20 15:24:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-20 20:24:36

Pre-Run: 175,276,670,976 bytes free
Post-Run: 175,189,307,392 bytes free

231 --- E O F --- 2008-10-31 04:27:30
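The ComboFix log in the post above carries the indicators a responder looks for in a Vundo/Virtumonde case: small DLLs with random eight-letter names dropped into system32 almost daily, a .dll/.ini pair whose names are mirror images (fccddaXQ.dll next to QXaddccf.ini), AppInit_DLLs pointing at ktphua.dll, Security Center notifications switched off and the Windows Firewall disabled. The Python script below is an added example for this thread; it is not part of ComboFix or of anything the posters ran. It parses a constructed excerpt of the posted log and flags those indicators. The 10 KB size threshold, the eight-letter name rule and the section layout it expects are assumptions drawn from the lines in the log, not a published ComboFix specification.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

Assumes the layout seen in the posted log: 'Files Created' lines of the form
'<created> . <modified> <size|<DIR>> <attrs> <path>', REGEDIT4-style
'Reg Loading Points', and plain path lists such as 'Other Deletions'.
SAMPLE_LOG is constructed from excerpts of the posted log.
"""
import re

SAMPLE_LOG = r"""
((((( Other Deletions )))))
c:\windows\system32\fccddaXQ.dll
c:\windows\system32\QXaddccf.ini
c:\windows\system32\QXaddccf.ini2
c:\windows\system32\ktphua.dll
c:\windows\system32\msziptools.dll

((((( Files Created from 2008-10-20 to 2008-11-20 )))))
2008-11-20 09:26 . 2008-11-20 09:26 5,753 --a------ c:\windows\system32\dkgissrw.dll
2008-11-19 21:22 . 2008-11-19 21:22 5,749 --a------ c:\windows\system32\bnntacqk.dll
2008-11-18 21:20 . 2008-11-18 21:20 5,749 --a------ c:\windows\system32\tbpkjkkn.dll
2008-11-16 16:29 . 2008-11-16 16:29 <DIR> d-------- c:\program files\Opera
2008-10-24 08:25 . 2008-10-15 11:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll

((((( Reg Loading Points )))))
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ktphua.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# One 'Files Created' entry: created . modified size-or-<DIR> attributes path
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S+) (.+)$"
)
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$", re.IGNORECASE)  # assumed naming rule
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
WIN_PATH = re.compile(r"[a-zA-Z]:\\.*$")


def parse_created_files(log):
    """Return (created, size_bytes_or_None, path) for each 'Files Created' line."""
    rows = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            size = None if m.group(3) == "<DIR>" else int(m.group(3).replace(",", ""))
            rows.append((m.group(1), size, m.group(5)))
    return rows


def suspicious_small_dlls(rows, max_size=10_000):
    """Small, randomly named DLLs written directly into system32 (not dllcache)."""
    hits = []
    for created, size, path in rows:
        folder, _, name = path.rpartition("\\")
        if (size is not None and size <= max_size
                and folder.lower().endswith("\\system32")
                and RANDOM_DLL.match(name)):
            hits.append((created, size, path))
    return hits


def reversed_name_pairs(log):
    """.dll/.ini pairs whose stems are mirror images (fccddaXQ.dll / QXaddccf.ini)."""
    dlls, inis = {}, {}
    for line in log.splitlines():
        m = WIN_PATH.search(line.strip())
        if not m:
            continue
        path = m.group(0)
        stem, _, ext = path.rpartition("\\")[2].rpartition(".")
        if ext.lower() == "dll":
            dlls[stem.lower()] = path
        elif ext.lower() in ("ini", "ini2"):
            inis.setdefault(stem.lower(), path)  # keep the .ini, not the .ini2
    return sorted((dlls[s], inis[s[::-1]]) for s in dlls if s[::-1] in inis)


def registry_findings(log):
    """Flag tampered loading points: AppInit_DLLs populated, Security Center
    notifications or product monitoring disabled, Windows Firewall off."""
    findings, key = [], None
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            key = s[1:-1]
            continue
        m = REG_VALUE.match(s)
        if not m or key is None:
            continue
        name, value = m.group(1), m.group(2).strip()
        lname, lvalue = name.lower(), value.lower()
        if lname == "appinit_dlls" and value not in ("", '""', "-"):
            findings.append(("AppInit_DLLs set: loaded into every process that maps user32.dll", key, name, value))
        elif lname.endswith("disablenotify") and lvalue == "dword:00000001":
            findings.append(("Security Center notification suppressed", key, name, value))
        elif lname == "disablemonitoring" and lvalue == "dword:00000001":
            findings.append(("Security Center monitoring of a product disabled", key, name, value))
        elif lname == "enablefirewall" and lvalue.startswith("0"):
            findings.append(("Windows Firewall disabled", key, name, value))
    return findings


def triage(log):
    """Run all checks over one log; returns a dict of finding lists."""
    rows = parse_created_files(log)
    return {
        "small_random_dlls": suspicious_small_dlls(rows),
        "reversed_pairs": reversed_name_pairs(log),
        "registry": registry_findings(log),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(f"== {section} ({len(items)})")
        for item in items:
            print("  ", item)
```

Run against the full log rather than the excerpt, the same checks pick up the remaining daily DLLs and the TrendFirewall monitoring entry; the registry findings are the ones to verify first after cleanup, since a disabled firewall and suppressed Security Center alerts stay disabled after the DLLs are gone unless explicitly reset.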

#8 The Gorilla

The Gorilla

  • Members
  • 766 posts
  • Gender:Male
  • Location:Part of a breeding programme in a conservation zoo

Posted 21 November 2008 - 02:38 PM

Hi :thumbsup:

Could spybot interfere with how PC-Cillin works?

Yes, Spybot can interfere with PC-Cillin; it can also interfere with other malware removal tools, which is why I had you disable TeaTimer.

After my first post, before I knew not to change anything, I was trying a few different things and I had removed spybot. The PC-Cillin showed a bunch of new vundo entries, but the problems are still there.

Spybot is a good programme, but there are features that protect certain parts of your computer and this sometimes can work against us.

Are there any specific things I should be doing in relation to use of this computer while it's infected?

I would suggest that you limit your use of the internet until we are clean - don't let family members download rogue software ;)

Thanks again for the help.

No problems :)

Let's continue. As before, it may assist you to either print out this post and/or save it to Notepad for reference. Any problems or questions, just shout up.

Step #1
Did you uninstall Viewpoint? I am still seeing signs of it. If you did, then I can remove the remains later.


Step #2
I am seeing signs of Limewire in your log;
Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case Limewire). These programmes allow files to be shared between users, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further reading on this subject, via the included links: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright law in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

My advice would be to remove this programme if present. If you agree then please continue with the following step;

Add Remove - Control Panel

Click "Start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the entries and selecting "remove":

Limewire

Additional instructions can be found here if needed.


Step #3
We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.


Step #4
1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

File::
c:\windows\system32\dkgissrw.dll
c:\windows\system32\bnntacqk.dll
c:\windows\system32\tbpkjkkn.dll
c:\windows\system32\pxgnygnb.dll
c:\windows\system32\hwvslouy.dll
c:\windows\system32\tsrsowhw.dll
c:\windows\system32\uptejvlj.dll
c:\windows\system32\rnxbvmim.dll
c:\windows\system32\nfulycnw.dll
c:\windows\system32\dcvlsddv.dll
c:\windows\system32\ktunxesw.dll
c:\windows\system32\vaishtqp.dll
c:\documents and settings\HP_Administrator\~.exe
c:\windows\system32\cccpkotn.dll
c:\windows\system32\oxaxbarr.dll

Folder::
c:\documents and settings\HP_Administrator\Application Data\GetModule

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Dirlook::
c:\documents and settings\All Users\Application Data\SecTaskMan
c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Step #5
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Finally, well, for this post, please provide the following :)
  • Did you uninstall Viewpoint?
  • Did you uninstall Limewire?
  • Please post back the log that Combofix produces after running the CFScript
  • The log produced by Kaspersky
  • How is your computer running, pop ups etc...
Cheers :)

#9 fitz0224

fitz0224
  • Topic Starter

  • Members
  • 10 posts

Posted 21 November 2008 - 07:01 PM

Hi,

I uninstalled Viewpoint yesterday and uninstalled limewire. The computer is running fine. There are no more popups and there have been no other problems so far.

ComboFix 08-11-19.08 - HP_Administrator 2008-11-21 15:33:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.172 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\cfscript.txt
* Created a new restore point

FILE ::
c:\documents and settings\HP_Administrator\~.exe
c:\windows\system32\bnntacqk.dll
c:\windows\system32\cccpkotn.dll
c:\windows\system32\dcvlsddv.dll
c:\windows\system32\dkgissrw.dll
c:\windows\system32\hwvslouy.dll
c:\windows\system32\ktunxesw.dll
c:\windows\system32\nfulycnw.dll
c:\windows\system32\oxaxbarr.dll
c:\windows\system32\pxgnygnb.dll
c:\windows\system32\rnxbvmim.dll
c:\windows\system32\tbpkjkkn.dll
c:\windows\system32\tsrsowhw.dll
c:\windows\system32\uptejvlj.dll
c:\windows\system32\vaishtqp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\~.exe
c:\documents and settings\HP_Administrator\Application Data\GetModule
c:\documents and settings\HP_Administrator\Application Data\GetModule\dicik.gz
c:\documents and settings\HP_Administrator\Application Data\GetModule\kwdik.gz
c:\documents and settings\HP_Administrator\Application Data\GetModule\ofadik.gz
c:\windows\system32\bnntacqk.dll
c:\windows\system32\cccpkotn.dll
c:\windows\system32\dcvlsddv.dll
c:\windows\system32\dkgissrw.dll
c:\windows\system32\hwvslouy.dll
c:\windows\system32\ktunxesw.dll
c:\windows\system32\nfulycnw.dll
c:\windows\system32\oxaxbarr.dll
c:\windows\system32\pxgnygnb.dll
c:\windows\system32\rnxbvmim.dll
c:\windows\system32\tbpkjkkn.dll
c:\windows\system32\tsrsowhw.dll
c:\windows\system32\uptejvlj.dll
c:\windows\system32\vaishtqp.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-21 to 2008-11-21 )))))))))))))))))))))))))))))))
.

2008-11-21 03:01 . 2008-11-21 03:01 1,393 --a------ c:\windows\imsins.BAK
2008-11-20 15:26 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-20 15:25 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-16 16:29 . 2008-11-16 16:29 <DIR> d-------- c:\program files\Opera
2008-11-15 16:38 . 2008-11-18 13:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-11-09 17:13 . 2008-11-09 17:13 <DIR> d-------- C:\VundoFix Backups
2008-11-09 15:27 . 2008-11-09 15:27 <DIR> d-------- c:\program files\Lavasoft
2008-11-09 15:25 . 2008-11-09 15:25 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-28 18:06 . 2008-11-18 15:31 <DIR> d-------- c:\program files\VS Revo Group
2008-10-28 18:05 . 2008-10-28 18:05 <DIR> d-------- c:\program files\CCleaner
2008-10-28 18:01 . 2008-11-18 13:13 937 --a------ c:\windows\wininit.ini
2008-10-28 17:16 . 2008-11-18 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-24 08:25 . 2008-10-15 11:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 20:05 --------- d-----w c:\program files\Common
2008-11-20 19:49 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-18 22:32 --------- d-----w c:\program files\Google
2008-11-18 19:42 16,384 ----a-w c:\windows\DCEBoot.exe
2008-11-16 05:26 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 21:17 --------- d-----w c:\program files\Trend Micro
2008-11-09 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-08 18:21 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Move Networks
2008-10-31 00:05 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\LimeWire
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-13 04:08 --------- d-----w c:\program files\Apple Software Update
2008-10-13 04:01 --------- d-----w c:\program files\iTunes
2008-10-13 04:01 --------- d-----w c:\program files\iPod
2008-10-13 04:01 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-13 03:57 --------- d-----w c:\program files\QuickTime
2008-10-13 03:20 --------- d-----w c:\program files\Bonjour
2008-10-09 23:27 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\InterVideo
2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-29 21:28 --------- d-----w c:\program files\Yahoo!
2008-09-28 04:05 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Winamp
2008-09-26 23:47 --------- d-----w c:\program files\Winamp
2008-09-21 16:13 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Apple Computer
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-09 15:32 2,004 ----a-w c:\windows\system32\ealregsnapshot1.reg
2008-09-09 15:30 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-04 23:11 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-09-04 23:11 249,856 ------w c:\windows\Setup1.exe
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-23 18:03 76,360 ----a-w c:\documents and settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-05-15 17:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042120080428\index.dat
2008-05-15 17:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051520080516\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} ----

2008-07-04 12:35 54632 --a------ c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DifXInstall32.exe
2008-04-24 07:25 11168 --a------ c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\gearaspiwdmx86.cat
2008-04-17 12:12 319456 --a------ c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DIFxAPI.dll
2008-04-17 12:12 2761 --a------ c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\GEARAspiWDM.inf
2008-04-17 12:12 15464 --a------ c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspiWDM.sys
2008-04-17 12:12 107368 --a------ c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspi.dll

---- Directory of c:\documents and settings\All Users\Application Data\SecTaskMan ----

2008-11-15 16:45 319 --a------ c:\documents and settings\All Users\Application Data\SecTaskMan\opNGwVNd.dll.q_8046400_q.ini
2008-11-15 16:44 319 --a------ c:\documents and settings\All Users\Application Data\SecTaskMan\jkkKdbBu.dll.q_804CA04_q.ini
2008-11-15 16:43 403 --a------ c:\documents and settings\All Users\Application Data\SecTaskMan\lovphs.dll.q_804E801_q.ini
2008-11-13 16:42 313856 --a------ c:\documents and settings\All Users\Application Data\SecTaskMan\jkkKdbBu.dll.q_804CA04_q
2008-04-13 19:11 706048 --a------ c:\documents and settings\All Users\Application Data\SecTaskMan\_enviewlist.dll
2008-04-13 19:11 617472 --a------ c:\documents and settings\All Users\Application Data\SecTaskMan\_entreelist.dll


((((((((((((((((((((((((((((( snapshot@2008-11-20_15.23.51.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-10 01:10:56 1,379,840 ----a-w c:\windows\$hf_mig$\KB954459\SP3QFE\msxml6.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB954459\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB954459\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB954459\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB954459\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB954459\update\updspapi.dll
+ 2008-10-24 11:21:09 455,296 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-11-21 08:00:45 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2008-04-14 00:12:01 1,306,624 -c--a-w c:\windows\system32\dllcache\msxml6.dll
+ 2008-09-10 01:14:56 1,307,648 -c--a-w c:\windows\system32\dllcache\msxml6.dll
- 2008-10-07 19:19:40 16,721,856 ----a-w c:\windows\system32\MRT.exe
+ 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\system32\MRT.exe
- 2007-11-30 11:18:51 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2008-07-08 13:02:01 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-09-30 21:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 21:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-05-03 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-05-03 23:10 66912 --a------ c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"FlashMute"="c:\program files\FlashMute\FlashMute.exe" [2005-12-18 143360]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-11-23 851968]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-24 344064]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 c:\windows\ALCWZRD.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 241664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-21 15:36:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-21 15:37:18
ComboFix-quarantined-files.txt 2008-11-21 20:37:13
ComboFix2.txt 2008-11-20 20:24:52

Pre-Run: 175,563,542,528 bytes free
Post-Run: 175,546,961,920 bytes free

389 --- E O F --- 2008-11-21 14:12:21


KASPERSKY ONLINE SCANNER 7 REPORT
Friday, November 21, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 21, 2008 17:19:10
Records in database: 1399689


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics
Files scanned 94049
Threat name 12
Infected objects 40
Suspicious objects 0
Duration of the scan 02:04:28

File name Threat name Threats count
C:\Program Files\Trend Micro\Internet Security\Quarantine\10.tmp Infected: Trojan.Win32.Pakes.lka 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\11.tmp Infected: Trojan.Win32.Pakes.lka 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\12.tmp Infected: Trojan.Win32.Pakes.lka 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\13.tmp Infected: Trojan.Win32.Vapsup.neh 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\14.tmp Infected: Trojan.Win32.Pakes.lka 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\16.tmp Infected: Trojan.Win32.Monder.ywc 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\17.tmp Infected: Trojan.Win32.Monder.ywf 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\18.tmp Infected: Trojan.Win32.Monder.ywf 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\19.tmp Infected: Trojan.Win32.Monder.ywf 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\1A.tmp Infected: Trojan.Win32.Monder.ywc 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\1B.tmp Infected: Trojan.Win32.Monder.ywf 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\1C.tmp Infected: Trojan.Win32.Monder.ywc 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\1D.tmp Infected: Trojan.Win32.Monder.ywf 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\1E.tmp Infected: Trojan.Win32.Monder.ywc 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\1F.tmp Infected: Trojan.Win32.Monder.ywf 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\20.tmp Infected: Trojan.Win32.Monder.ywf 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\21.tmp Infected: Trojan.Win32.Monder.ywf 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\82.tmp Infected: Trojan.Win32.Monder.ywf 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\83.tmp Infected: Trojan.Win32.Monder.ywc 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\84.tmp Infected: Trojan.Win32.Monder.ywf 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\85.tmp Infected: Trojan.Win32.Monder.ywc 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\86.tmp Infected: Trojan.Win32.Monder.ywf 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\87.tmp Infected: Trojan.Win32.Monder.ywc 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\88.tmp Infected: Trojan.Win32.Monder.ywf 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\89.tmp Infected: Trojan.Win32.Monder.ywf 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\8A.tmp Infected: Trojan.Win32.Monder.ywf 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\A0035108.dll Infected: Trojan.Win32.Agent.akkd 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\A0037240.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ce 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\B0.tmp Infected: Backdoor.Win32.Agent.ugx 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\B1.tmp Infected: Backdoor.Win32.Agent.ugx 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\B2.tmp Infected: Backdoor.Win32.Agent.ugx 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\B3.tmp Infected: Backdoor.Win32.Agent.ugx 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\E.tmp Infected: Trojan.Win32.Monder.ywc 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\stf7.tmp Infected: Trojan.Win32.Agent.ajdu 1

C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator\~.exe.vir Infected: Trojan.Win32.Agent.amvk 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\awttSlml.dll.vir Infected: Trojan.Win32.Monderb.wvi 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\msziptools.dll.vir Infected: Trojan-Downloader.Win32.Agent.ajem 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\ngnjtoqs.dll.vir Infected: Backdoor.Win32.Agent.ugw 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\opNGwVNd.dll.vir Infected: Trojan.Win32.Monderb.wvi 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\xgfkufip.dll.vir Infected: Backdoor.Win32.Agent.ugw 1

The selected area was scanned.

#10 The Gorilla

The Gorilla

  • Members
  • 766 posts
  • Gender:Male
  • Location:Part of a breeding programme in a conservation zoo

Posted 22 November 2008 - 05:24 AM

Hi fitz0224

We are making progress and it's good news about the pop-ups. There is light at the end of the tunnel so please continue with these next few steps. :thumbsup:

Step #1
1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\documents and settings\All Users\Application Data\Viewpoint
c:\documents and settings\HP_Administrator\Application Data\LimeWire
c:\documents and settings\All Users\Application Data\SecTaskMan


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Step #2
Double-click on the HJTInstall.exe/gorilla icon to start the program.
Click on the scan button. It will scan and then ask you to save the log.
Save the log, and post it to me in your next reply.

Step #3
Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please navigate to this folder:
C:\Program Files\Trend Micro\Internet Security\Quarantine <-----This folder
Once inside this folder press Ctrl+A (select all) to highlight all the files contained within and press Delete
Return to your desktop


In the next post please paste the following information:
  • The ComboFix Log
  • The newly created Hijack This log
  • Details of how your system is running
:)
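The reasoning behind Step #3 is that every "Infected:" line in the Kaspersky report above points into a quarantine folder (Trend Micro's Quarantine, ComboFix's Qoobox), so the scanner is flagging inert copies rather than an active infection. The following script is an added example, not part of this thread or any of the tools mentioned; it parses report lines in that format, splits detections into quarantined leftovers versus files in live locations, and tallies detection families. The quarantine folder list, the `placeholder.dll` path and the helper names are assumptions.

```python
import re
from collections import Counter

# Line format in the Kaspersky scan report quoted in the thread:
#   <path> Infected: <detection name> <count>
INFECTED_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<count>\d+)\s*$"
)

# Folders whose contents were already neutralised by another tool (assumed
# list: Trend Micro quarantine, ComboFix's Qoobox, VundoFix backups). Files
# here are inert copies, which is why Step #3 just empties the Trend Micro
# folder instead of treating the hits as a live infection.
QUARANTINE_PREFIXES = (
    "c:\\program files\\trend micro\\internet security\\quarantine\\",
    "c:\\qoobox\\quarantine\\",
    "c:\\vundofix backups\\",
)


def parse_infected(report_text):
    """Return one dict per 'Infected:' line; other report lines are skipped."""
    hits = []
    for line in report_text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            hits.append({
                "path": m.group("path"),
                "name": m.group("name"),
                "count": int(m.group("count")),
            })
    return hits


def is_quarantined(path):
    """True when the path sits under a known quarantine folder.

    Windows paths are case-insensitive, so compare lower-cased prefixes."""
    lowered = path.lower()
    return any(lowered.startswith(p) for p in QUARANTINE_PREFIXES)


def family(detection_name):
    """Strip the variant suffix: Trojan.Win32.Monder.ywf -> Trojan.Win32.Monder."""
    return detection_name.rsplit(".", 1)[0]


def summarise(report_text):
    """Split detections into quarantined leftovers and files in live locations."""
    hits = parse_infected(report_text)
    live = [h["path"] for h in hits if not is_quarantined(h["path"])]
    return {
        "quarantined": sum(1 for h in hits if is_quarantined(h["path"])),
        "live": live,
        "families": Counter(family(h["name"]) for h in hits),
        # Nothing outside a quarantine folder: emptying the quarantine is enough.
        "clean_apart_from_quarantine": not live,
    }


# Sample report lines taken from the log excerpt posted in this thread.
SAMPLE_REPORT = r"""
C:\Program Files\Trend Micro\Internet Security\Quarantine\1D.tmp Infected: Trojan.Win32.Monder.ywf 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\A0037240.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ce 1

C:\Program Files\Trend Micro\Internet Security\Quarantine\B0.tmp Infected: Backdoor.Win32.Agent.ugx 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\awttSlml.dll.vir Infected: Trojan.Win32.Monderb.wvi 1

The selected area was scanned.
"""

# Constructed line (not from the thread) showing the other outcome: the same
# detection name on a file outside any quarantine folder.
LIVE_REPORT = (
    SAMPLE_REPORT
    + r"C:\WINDOWS\system32\placeholder.dll Infected: Trojan.Win32.Monder.ywf 1"
    + "\n"
)

if __name__ == "__main__":
    for label, text in (("quarantine only", SAMPLE_REPORT), ("one live file", LIVE_REPORT)):
        s = summarise(text)
        verdict = "clean apart from quarantine" if s["clean_apart_from_quarantine"] else "ACTIVE"
        print(f"{label}: {verdict}; live={s['live']}; families={dict(s['families'])}")
```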

#11 fitz0224

fitz0224
  • Topic Starter

  • Members
  • 10 posts

Posted 22 November 2008 - 11:02 AM

Hi,

The computer is running fine. Last night Windows Defender and Trend Micro detected vundo and another one in their nightly scans. They were both quarantined so they should be gone after clearing the quarantined files.

ComboFix 08-11-19.08 - HP_Administrator 2008-11-22 10:49:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.211 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\SecTaskMan
c:\documents and settings\All Users\Application Data\SecTaskMan\_entreelist.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\_enviewlist.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_039537381BF0178D88235B9A2EC739AC
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_039537381BF0178D88235B9A2EC739AC.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_06188E974E5A2D7F3141ED8BAADDC992
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_06188E974E5A2D7F3141ED8BAADDC992.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_07D301A1B9C5A1E43B6015606CF89941
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_07D301A1B9C5A1E43B6015606CF89941.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0DEF1459F7230FD4B869FE75FE26F291
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0DEF1459F7230FD4B869FE75FE26F291.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0E186EA3D8E4F35459A08435D4C37042
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0E186EA3D8E4F35459A08435D4C37042.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0E23E40C6140D434FA9B96967D309AFE
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0E23E40C6140D434FA9B96967D309AFE.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0E4D5D3B569E4C14BADF7A1BDA60362C
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0E4D5D3B569E4C14BADF7A1BDA60362C.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_11C8DA09A4DE7EA4BB0777044C259C99
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_11C8DA09A4DE7EA4BB0777044C259C99.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_12341rg
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_12345db
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_15D556A132413A847B84F8A5B02E498C
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_15D556A132413A847B84F8A5B02E498C.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_17400AB28230347339DBAF1833357A38
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_17400AB28230347339DBAF1833357A38.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_18487FC3B7BF15B4992A5D0EDCB0A3FA
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_18487FC3B7BF15B4992A5D0EDCB0A3FA.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_1F3B805BA42A0C233B0158879691FE82
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_1F3B805BA42A0C233B0158879691FE82.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_20E1CD9C4D0D2464CB5F020B4E786BCC
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_20E1CD9C4D0D2464CB5F020B4E786BCC.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_238FE55B3164B91A2A22DD8B6BECB125
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_238FE55B3164B91A2A22DD8B6BECB125.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_2BF93B92FDA549F4CB2831498217DDD0
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_2BF93B92FDA549F4CB2831498217DDD0.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_2F57C23B594710D449131CE1796DF6C8
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_2F57C23B594710D449131CE1796DF6C8.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_35F71A73850DB7622C6591BFD6FD8334
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_35F71A73850DB7622C6591BFD6FD8334.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_3B5AB9551E3E0A8C3E10F50535B14DC4
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_3B5AB9551E3E0A8C3E10F50535B14DC4.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_3CA95A43C5C690A47A5F63A97371C6A8
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_3CA95A43C5C690A47A5F63A97371C6A8.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_3EB0EDDDEBC06FB47BA53E6FC9498734
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_3EB0EDDDEBC06FB47BA53E6FC9498734.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_3F78756F653BCE54D80DE07685DECBEE
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_3F78756F653BCE54D80DE07685DECBEE.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_4301AEBD288588A40833184CFEC0AF92
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_4301AEBD288588A40833184CFEC0AF92.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_45257E12E0144C949818E2A1A222122F
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_45257E12E0144C949818E2A1A222122F.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_4BA3AE4AC87E682469FD62305570EC55
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_4BA3AE4AC87E682469FD62305570EC55.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_4F57260AB42358E4596E782BDC274910
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_4F57260AB42358E4596E782BDC274910.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_50D24CD8B0860B148887C6412D6420BD
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_50D24CD8B0860B148887C6412D6420BD.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_52A72DC65A4D52e4681B63BEABB22A97
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_52A72DC65A4D52e4681B63BEABB22A97.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_532CCD1ACCADF1E4D8116D0336B4A4FE
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_532CCD1ACCADF1E4D8116D0336B4A4FE.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_55174F4FD4B5AA24798F94B05CE27A3F
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_55174F4FD4B5AA24798F94B05CE27A3F.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_56A968A049C8C7F45A7C79D2C3C8DEE9
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_56A968A049C8C7F45A7C79D2C3C8DEE9.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_5B0B4DB695332394FB498C50EE387E01
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_5B0B4DB695332394FB498C50EE387E01.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_5B7CA2F78AD33d545B5E3FD6DCF9CDA6
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_5B7CA2F78AD33d545B5E3FD6DCF9CDA6.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_5C197754207D34147A2B7244EB59372F
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_5C197754207D34147A2B7244EB59372F.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_5D8FBEE92178D1D4884FC4CDD272B03C
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_5D8FBEE92178D1D4884FC4CDD272B03C.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_5E299CCB18C56604B95530CD012BD412
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_5E299CCB18C56604B95530CD012BD412.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_62287FAB00234BD4EB33D429A2978904
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_62287FAB00234BD4EB33D429A2978904.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_65F8621D97ED8A918CCE69D184FF2DEF
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_65F8621D97ED8A918CCE69D184FF2DEF.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_673BF18981488AE4BBDED95EAA367E5D
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_673BF18981488AE4BBDED95EAA367E5D.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_68AB67CA7DA73301B7447A0000000000
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_68AB67CA7DA73301B7447A0000000000.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_6AB815BD47BC6BE4A9DB88B0D6E6F183
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_6AB815BD47BC6BE4A9DB88B0D6E6F183.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_6BBFDF96D153C8B4988D68D79C0D2A4A
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_6BBFDF96D153C8B4988D68D79C0D2A4A.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_710E4B41FDCA0BD4D94998885F0F41A5
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_710E4B41FDCA0BD4D94998885F0F41A5.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_74AB54E6C383E1C4E80DD084542C397D
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_74AB54E6C383E1C4E80DD084542C397D.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_7940052A23DFe3948B5E826D27D8EB5F
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_7940052A23DFe3948B5E826D27D8EB5F.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_7B9D5BE0C6E8E9A47BF4617BEE986AB7
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_7B9D5BE0C6E8E9A47BF4617BEE986AB7.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8549CBB2AC70348448B8C518645EFE8A
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8549CBB2AC70348448B8C518645EFE8A.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8A0F841731866D117AB7000B0D410203
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8A0F841731866D117AB7000B0D410203.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8A0F842331866D117AB7000B0D610005
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8A0F842331866D117AB7000B0D610005.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8A0F842331866D117AB7000B0D610007
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8A0F842331866D117AB7000B0D610007.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8A37D795BDF51cb48939045B44951FCB
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8A37D795BDF51cb48939045B44951FCB.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8D60D467ED8DE1141A8C9D9E83F0A848
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8D60D467ED8DE1141A8C9D9E83F0A848.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9040030900063D11C8EF00054038389C
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9040030900063D11C8EF00054038389C.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9040111900063D11C8EF00054038389C
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9040111900063D11C8EF00054038389C.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9040211900063D11C8EF10054038389C
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9040211900063D11C8EF10054038389C.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9040911900063D11C8EF00054038389C
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9040911900063D11C8EF00054038389C.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_90B5D65BBF4C0AE4E8DAB73C2E17A5D2
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_90B5D65BBF4C0AE4E8DAB73C2E17A5D2.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9B5C6BEDBB5DCA8D027F1F0E8F6AD7A5
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9B5C6BEDBB5DCA8D027F1F0E8F6AD7A5.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_A02D914F91779364E8030C370A048D87
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_A02D914F91779364E8030C370A048D87.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_A2B2C67995EC3BA438BFFB98E5822F6E
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_A2B2C67995EC3BA438BFFB98E5822F6E.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_A54B126A831D59A4EB01C7BA0AE59FE4
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_A54B126A831D59A4EB01C7BA0AE59FE4.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_AA0F1499309B4FA40A55389A18C50C11
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_AA0F1499309B4FA40A55389A18C50C11.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_AD3768CEB69FE7942BBDCBB720F96D08
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_AD3768CEB69FE7942BBDCBB720F96D08.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_AE7F62FFEECBC874A9B1B6F48817D737
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_AE7F62FFEECBC874A9B1B6F48817D737.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_B0B35DEDC76B4424EAA66DDFC3821DFE
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_B0B35DEDC76B4424EAA66DDFC3821DFE.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_B0DE36F12DDE73046BBA31856C42FA84
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_B0DE36F12DDE73046BBA31856C42FA84.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_B2152BC94CE3FD34082064DBBAE5DDB1
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_B2152BC94CE3FD34082064DBBAE5DDB1.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_b25099274a207264182f8181add555d0
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_b25099274a207264182f8181add555d0.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_B5BB5DEC42A2F7F2161BB255474880B4
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_B5BB5DEC42A2F7F2161BB255474880B4.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_B78E16807D42C7E41BB1458FE6C51599
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_B78E16807D42C7E41BB1458FE6C51599.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_B7D45214FDAE8704EAA4DB373B00EE68
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_B7D45214FDAE8704EAA4DB373B00EE68.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_B8D968DEE7C67C44F9F2DB456348C916
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_B8D968DEE7C67C44F9F2DB456348C916.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_C6F2FEA33D1FDC74FBB33A721FAFEB85
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_C6F2FEA33D1FDC74FBB33A721FAFEB85.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_C938B6019ABD9AA0709EA9527951F16F
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_C938B6019ABD9AA0709EA9527951F16F.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_C992983305F94C0D91C78A0834307BF9
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_C992983305F94C0D91C78A0834307BF9.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_CB75C0D824940694BBD64142656D2F33
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_CB75C0D824940694BBD64142656D2F33.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_CF99FC027EC24AA469E64A1BC160264B
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_CF99FC027EC24AA469E64A1BC160264B.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D139E7FE48CDB174D86B8A3385904547
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D139E7FE48CDB174D86B8A3385904547.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D29352A82D5C97E42ADB1CD5CDB59095
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D29352A82D5C97E42ADB1CD5CDB59095.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D6CA77789F9839742866ED04F643E398
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_D6CA77789F9839742866ED04F643E398.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DDE7F2BCF1D91C3409CFF425AE1E271A
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DDE7F2BCF1D91C3409CFF425AE1E271A.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DFB933CB055Fa174D862D48021C6267F
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DFB933CB055Fa174D862D48021C6267F.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E8CB71DAD5A495E4680401FD639EBE57
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E8CB71DAD5A495E4680401FD639EBE57.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_EA8679D824ED40A44A1632165AC883D4
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_EA8679D824ED40A44A1632165AC883D4.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_EC868762FFD67F04C9850C11917B1B71
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_EC868762FFD67F04C9850C11917B1B71.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_EEF9D54B4FA13F64A93852548F51745F
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_EEF9D54B4FA13F64A93852548F51745F.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F2D810FB887C1BA4BA592108AE8B1FE3
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F2D810FB887C1BA4BA592108AE8B1FE3.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F65865963B6B0EB4ABB0F894B53E0233
c:\documents and settings\All Users\Application Data\SecTaskMan\icn_F65865963B6B0EB4ABB0F894B53E0233.dll
c:\documents and settings\All Users\Application Data\SecTaskMan\jkkKdbBu.dll.q_804CA04_q.ini
c:\documents and settings\All Users\Application Data\SecTaskMan\lovphs.dll.q_804E801_q.ini
c:\documents and settings\All Users\Application Data\SecTaskMan\opNGwVNd.dll.q_8046400_q.ini
c:\documents and settings\All Users\Application Data\Viewpoint
c:\documents and settings\HP_Administrator\Application Data\LimeWire
c:\documents and settings\HP_Administrator\Application Data\LimeWire\createtimes.cache
c:\documents and settings\HP_Administrator\Application Data\LimeWire\fileurns.bak
c:\documents and settings\HP_Administrator\Application Data\LimeWire\fileurns.cache
c:\documents and settings\HP_Administrator\Application Data\LimeWire\filters.props
c:\documents and settings\HP_Administrator\Application Data\LimeWire\gnutella.net
c:\documents and settings\HP_Administrator\Application Data\LimeWire\installation.props
c:\documents and settings\HP_Administrator\Application Data\LimeWire\library.dat
c:\documents and settings\HP_Administrator\Application Data\LimeWire\limewire.props
c:\documents and settings\HP_Administrator\Application Data\LimeWire\mojito.props
c:\documents and settings\HP_Administrator\Application Data\LimeWire\questions.props
c:\documents and settings\HP_Administrator\Application Data\LimeWire\responses.cache
c:\documents and settings\HP_Administrator\Application Data\LimeWire\simpp.xml
c:\documents and settings\HP_Administrator\Application Data\LimeWire\spam.dat
c:\documents and settings\HP_Administrator\Application Data\LimeWire\tables.props
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\logo.png
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\notsearching.png
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\searching.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\HP_Administrator\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\HP_Administrator\Application Data\LimeWire\ttrees.cache
c:\documents and settings\HP_Administrator\Application Data\LimeWire\ttroot.cache
c:\documents and settings\HP_Administrator\Application Data\LimeWire\version.xml
c:\documents and settings\HP_Administrator\Application Data\LimeWire\xml\data\audio.sxml

.
((((((((((((((((((((((((( Files Created from 2008-10-22 to 2008-11-22 )))))))))))))))))))))))))))))))
.

2008-11-22 04:40 . 2008-11-22 04:40 <DIR> d-------- c:\windows\LastGood
2008-11-21 03:01 . 2008-11-21 03:01 1,393 --a------ c:\windows\imsins.BAK
2008-11-20 15:26 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-20 15:25 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-16 16:29 . 2008-11-16 16:29 <DIR> d-------- c:\program files\Opera
2008-11-09 17:13 . 2008-11-09 17:13 <DIR> d-------- C:\VundoFix Backups
2008-11-09 15:27 . 2008-11-09 15:27 <DIR> d-------- c:\program files\Lavasoft
2008-11-09 15:25 . 2008-11-09 15:25 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-28 18:06 . 2008-11-18 15:31 <DIR> d-------- c:\program files\VS Revo Group
2008-10-28 18:05 . 2008-10-28 18:05 <DIR> d-------- c:\program files\CCleaner
2008-10-28 18:01 . 2008-11-18 13:13 937 --a------ c:\windows\wininit.ini
2008-10-28 17:16 . 2008-11-18 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-24 08:25 . 2008-10-15 11:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 20:05 --------- d-----w c:\program files\Common
2008-11-18 22:32 --------- d-----w c:\program files\Google
2008-11-18 19:42 16,384 ----a-w c:\windows\DCEBoot.exe
2008-11-16 05:26 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 21:17 --------- d-----w c:\program files\Trend Micro
2008-11-09 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-08 18:21 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Move Networks
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-13 04:08 --------- d-----w c:\program files\Apple Software Update
2008-10-13 04:01 --------- d-----w c:\program files\iTunes
2008-10-13 04:01 --------- d-----w c:\program files\iPod
2008-10-13 04:01 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-13 03:57 --------- d-----w c:\program files\QuickTime
2008-10-13 03:20 --------- d-----w c:\program files\Bonjour
2008-10-09 23:27 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\InterVideo
2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-29 21:28 --------- d-----w c:\program files\Yahoo!
2008-09-28 04:05 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Winamp
2008-09-26 23:47 --------- d-----w c:\program files\Winamp
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-09 15:32 2,004 ----a-w c:\windows\system32\ealregsnapshot1.reg
2008-09-09 15:30 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-04 23:11 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-09-04 23:11 249,856 ------w c:\windows\Setup1.exe
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-23 18:03 76,360 ----a-w c:\documents and settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-05-15 17:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042120080428\index.dat
2008-05-15 17:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051520080516\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-11-20_15.23.51.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-10 01:10:56 1,379,840 ----a-w c:\windows\$hf_mig$\KB954459\SP3QFE\msxml6.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB954459\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB954459\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB954459\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB954459\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB954459\update\updspapi.dll
+ 2008-10-24 11:21:09 455,296 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-11-21 08:00:45 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
+ 2008-07-19 02:10:48 94,920 ----a-w c:\windows\LastGood\system32\cdm.dll
+ 2008-07-19 02:09:44 563,912 ----a-w c:\windows\LastGood\system32\wuapi.dll
+ 2008-07-19 02:10:42 53,448 ----a-w c:\windows\LastGood\system32\wuauclt.exe
+ 2008-07-19 02:09:42 1,811,656 ----a-w c:\windows\LastGood\system32\wuaueng.dll
+ 2008-07-19 02:09:46 325,832 ----a-w c:\windows\LastGood\system32\wucltui.dll
+ 2008-07-19 02:10:20 36,552 ----a-w c:\windows\LastGood\system32\wups.dll
+ 2008-07-19 02:10:40 45,768 ----a-w c:\windows\LastGood\system32\wups2.dll
+ 2008-07-19 02:09:44 205,000 ----a-w c:\windows\LastGood\system32\wuweb.dll
- 2008-07-19 02:10:48 94,920 -c--a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 19:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll
- 2008-04-14 00:12:01 1,306,624 -c--a-w c:\windows\system32\dllcache\msxml6.dll
+ 2008-09-10 01:14:56 1,307,648 -c--a-w c:\windows\system32\dllcache\msxml6.dll
- 2008-07-19 02:09:44 563,912 -c--a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 19:12:20 561,688 -c--a-w c:\windows\system32\dllcache\wuapi.dll
- 2008-07-19 02:10:42 53,448 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 19:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
- 2008-07-19 02:09:42 1,811,656 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 19:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
- 2008-07-19 02:09:46 325,832 -c--a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 19:12:22 323,608 -c--a-w c:\windows\system32\dllcache\wucltui.dll
- 2008-07-19 02:09:44 205,000 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 19:13:40 202,776 -c--a-w c:\windows\system32\dllcache\wuweb.dll
- 2008-10-07 19:19:40 16,721,856 ----a-w c:\windows\system32\MRT.exe
+ 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\system32\MRT.exe
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 19:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
- 2007-11-30 11:18:51 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2008-07-08 13:02:01 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-09-30 21:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 21:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-05-03 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-05-03 23:10 66912 --a------ c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"FlashMute"="c:\program files\FlashMute\FlashMute.exe" [2005-12-18 143360]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-11-23 851968]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-24 344064]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 c:\windows\ALCWZRD.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 241664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=


*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-22 10:52:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-22 10:53:41
ComboFix-quarantined-files.txt 2008-11-22 15:53:36
ComboFix2.txt 2008-11-21 20:37:19
ComboFix3.txt 2008-11-20 20:24:52

Pre-Run: 175,619,026,944 bytes free
Post-Run: 175,651,229,696 bytes free

419 --- E O F --- 2008-11-21 14:12:21



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:07 AM, on 11/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\FlashMute\flashmute.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Gorilla.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FlashMute] C:\Program Files\FlashMute\FlashMute.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 8123 bytes

#12 The Gorilla

The Gorilla

  • Members
  • 766 posts
  • OFFLINE
  • Gender:Male
  • Location:Part of a breeding programme in a conservation zoo
  • Local time:09:29 AM

Posted 22 November 2008 - 12:30 PM

Hi :thumbsup:

Glad your computer is running fine - those vundo files that were flagged by Trend and Defender, were they displaying the same filepath? Did you happen to get any details?
I appreciate that we have cleaned up the Trend quarantine files, but can you have a look in Windows Defender and see if one of its logs shows the filepath? If so, can you post it for me to look at.

Once you have completed the above please continue as below;

Please go to Eset Onlinescan (NOD32)
(You need to use Internet Explorer or enable IEView in Firefox)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
    The Onlinescan will now start and scan your pc (please let it run to completion)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
    The Scan results will now open in Notepad
  • Click into the text area, right-click and choose "select all"
  • Right-click again and choose "copy"
  • Close Notepad
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Include this log in your reply by right-clicking and "paste" in the text area of the reply post you just created.


Also there is a newer version of Java;

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 10...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-Language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe
  • Follow the on screen instructions to install the latest Java version.
Finally for this post, can you post back any log that Windows Defender has in relation to the Vundo file and the log that Eset Online Anti Virus produces.
:)

#13 fitz0224

fitz0224
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:29 AM

Posted 22 November 2008 - 04:29 PM

Here's the Defender logs from today

Trojan:Win32/Vundo.D

file:
C:\System Volume Information\_restore{7E6001F9-0A8D-45EC-B593-E452C096CF95}\RP284\A0043876.dll

file:
C:\System Volume Information\_restore{7E6001F9-0A8D-45EC-B593-E452C096CF95}\RP273\A0043297.dll

file:
C:\Qoobox\Quarantine\C\WINDOWS\system32\fccddaXQ.dll.vir

file:
C:\Documents and Settings\All Users\Application Data\SecTaskMan\jkkKdbBu.dll.q_804CA04_q


TrojanDownloader:Win32/Renos

file:
C:\System Volume Information\_restore{7E6001F9-0A8D-45EC-B593-E452C096CF95}\RP284\A0043867.exe

file:
C:\Qoobox\Quarantine\C\WINDOWS\system32\brastk.exe.vir


Trojan:Win32/Vundo.gen!AE

file:
C:\System Volume Information\_restore{7E6001F9-0A8D-45EC-B593-E452C096CF95}\RP284\A0043887.dll

file:
C:\System Volume Information\_restore{7E6001F9-0A8D-45EC-B593-E452C096CF95}\RP284\A0043882.dll

file:
C:\System Volume Information\_restore{7E6001F9-0A8D-45EC-B593-E452C096CF95}\RP284\A0043881.dll

file:
C:\System Volume Information\_restore{7E6001F9-0A8D-45EC-B593-E452C096CF95}\RP284\A0043870.dll

file:
C:\System Volume Information\_restore{7E6001F9-0A8D-45EC-B593-E452C096CF95}\RP270\A0042152.dll

file:
C:\Qoobox\Quarantine\C\WINDOWS\system32\xgfkufip.dll.vir

file:
C:\Qoobox\Quarantine\C\WINDOWS\system32\opNGwVNd.dll.vir

file:
C:\Qoobox\Quarantine\C\WINDOWS\system32\ngnjtoqs.dll.vir

file:
C:\Qoobox\Quarantine\C\WINDOWS\system32\awttSlml.dll.vir




There were only two hits with Trend Micro and I don't think they are the same as the Defender ones

TROJ_FAKEAV.YT

C:\System Volume Information\_restore{7E6001F9-0A8D-45EC-B593-E452C096CF95}\RP281\A0043496.exe

TROJ_VUNDO.PD

C:\System Volume Information\_restore{7E6001F9-0A8D-45EC-B593-E452C096CF95}\RP282\A0043799.dll

#14 fitz0224

fitz0224
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:29 AM

Posted 22 November 2008 - 05:37 PM

And here is the Eset log

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3632 (20081121)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=6152f8aa1f5e494aab49475c26b7a78d
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-11-22 10:23:54
# local_time=2008-11-22 05:23:54 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=588960
# found=7
# scan_time=2868
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent15.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent25.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent55.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL Win32/Toolbar.AskSBar application (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\msziptools.dll.vir a variant of Win32/TrojanDownloader.Agent.OKC trojan (unable to clean - deleted) 00000000000000000000000000000000

#15 The Gorilla

The Gorilla

  • Members
  • 766 posts
  • OFFLINE
  • Gender:Male
  • Location:Part of a breeding programme in a conservation zoo
  • Local time:09:29 AM

Posted 23 November 2008 - 04:24 AM

Hi fitz0224 :thumbsup:

Those infected files have already been taken care of and appear in system restore and back up folders; we will take care of them in a minute.

Time for some housekeeping;
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK.
This will uninstall ComboFix.

Did you install the Ask Toolbars? Whilst not considered bad it does appear to come bundled with software and installs itself. I would suggest that it is removed via the add/remove section of the control panel.

Congratulations your system is clean

You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
  • Now Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:
    Go to Start > Programs > Accessories > System Tools and click "System Restore"
    Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    Then go to Start > Run and type: Cleanmgr
    Click "OK".
    Click the "More Options" Tab.
    Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster from here
  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in, to enable the HOSTS file in Spybot Search & Destroy
    • Run Spybot Search & Destroy
    • Click on Mode, and then place a tick next to Advanced mode
    • Click Yes
    • In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
    • Click on Add Spybot-S&D hosts list
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  • Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
  • Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date
Finally - Safe Surfing :)



