
Advice Needed


  • This topic is locked
26 replies to this topic

#1 krazedone

  • Members
  • 15 posts

Posted 23 March 2007 - 06:35 AM

Lately I have been having crazy pop-ups when opening Internet Explorer. I have run Ad-Aware SE, Spybot, Pest Patrol, and an AV scan, all in safe mode, only to find when I rebooted that the annoying trojan/virus was still there. Here's the logfile from HijackThis; any help would be very much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 7:19:39 AM, on 3/23/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\S3tray2.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [hvojuem.dll] "C:\WINDOWS\System32\rundll32.exe" "C:\Documents and Settings\Shady\Local Settings\Application Data\hvojuem.dll",ajkpyne
O4 - HKLM\..\Run: [etuvmud.dll] "C:\WINDOWS\System32\rundll32.exe" "C:\Documents and Settings\Shady\Local Settings\Application Data\etuvmud.dll",kvpdqhc
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [pjrqpnm.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\pjrqpnm.dll",dxzabmc
O4 - HKLM\..\Run: [kgeikdd.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\kgeikdd.dll",srdxunb
O4 - HKLM\..\Run: [ollvxpm.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\ollvxpm.dll",drytaqc
O4 - HKLM\..\Run: [qaxnoqi.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\qaxnoqi.dll",ngoiaae
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - (no file)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - (no file)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 23 March 2007 - 07:46 AM

Welcome to the BleepingComputer HijackThis forum, krazedone :thumbsup:

Before we can provide you with any further assistance, you need to go here, download and install Service Pack 1:
http://www.softwarepatch.com/security/winxpsp1-security.html
This will patch numerous security vulnerabilities in Internet Explorer and the Windows operating system.
As your machine stands right now it's extremely vulnerable to infection.
You need to get these updates installed first before we can proceed any further, or we'll both be wasting our time.

Note:
Do not install Service pack 2 just yet.
If you install SP 2 on an infected machine it will cause serious problems within the operating system.

When you've finished, post a new HijackThis log into this topic please.

#3 krazedone
  • Topic Starter

  • Members
  • 15 posts

Posted 23 March 2007 - 01:30 PM

OK, installed SP1 and here it is.

Logfile of HijackThis v1.99.1
Scan saved at 2:25:39 PM, on 3/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\S3tray2.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [hvojuem.dll] "C:\WINDOWS\System32\rundll32.exe" "C:\Documents and Settings\Shady\Local Settings\Application Data\hvojuem.dll",ajkpyne
O4 - HKLM\..\Run: [etuvmud.dll] "C:\WINDOWS\System32\rundll32.exe" "C:\Documents and Settings\Shady\Local Settings\Application Data\etuvmud.dll",kvpdqhc
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [pjrqpnm.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\pjrqpnm.dll",dxzabmc
O4 - HKLM\..\Run: [kgeikdd.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\kgeikdd.dll",srdxunb
O4 - HKLM\..\Run: [ollvxpm.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\ollvxpm.dll",drytaqc
O4 - HKLM\..\Run: [qaxnoqi.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\qaxnoqi.dll",ngoiaae
O4 - HKLM\..\Run: [lmvgsjn.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\lmvgsjn.dll",xcjlkv
O4 - HKLM\..\Run: [aigkiue.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\aigkiue.dll",ulapkzd
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpeokulh.dll",setvm
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - (no file)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - (no file)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 23 March 2007 - 02:58 PM

Please go to:
C:\Program Files\Hijackthis\HijackThis.exe
Right-click on HijackThis.exe and select 'Rename', then rename it to abc.bat.
Double-click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.

#5 krazedone
  • Topic Starter

  • Members
  • 15 posts

Posted 23 March 2007 - 03:05 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:01:49 PM, on 3/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\S3tray2.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {289EA67A-C522-D5C5-33B3-0A06B7302ABD} - C:\WINDOWS\System32\rhkdlbm.dll
O2 - BHO: (no name) - {3937C0B0-99C5-74F2-A6A2-086A6584264C} - C:\WINDOWS\System32\wjpkltk.dll
O2 - BHO: (no name) - {3A7467BE-208F-4827-B22E-BBCBD1CDA90E} - (no file)
O2 - BHO: (no name) - {3B35D985-7648-4521-83BE-1E16AE5CD05F} - C:\WINDOWS\system32\driverb.dll
O2 - BHO: (no name) - {3B77865B-6037-4A25-963B-11D034ECFADB} - C:\WINDOWS\System32\awtqp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {565E5C7D-9477-1D58-D7C4-05C7E08CF482} - C:\WINDOWS\System32\hpcquqn.dll
O2 - BHO: (no name) - {5F74ADA1-8871-E2DE-AC3C-02C2EFF69AF3} - C:\WINDOWS\System32\dakmgbn.dll
O2 - BHO: (no name) - {65689146-97F6-B5CF-6872-029CCF422183} - C:\WINDOWS\System32\hbcyrmf.dll
O2 - BHO: (no name) - {6EE198AA-C618-450D-83C4-766E8EB71F56} - (no file)
O2 - BHO: (no name) - {721B7513-C646-838B-84B8-0113B82A0815} - C:\WINDOWS\System32\lymhcmh.dll
O2 - BHO: (no name) - {72EA236A-2BDD-3D17-1C21-0841FBF6413A} - C:\WINDOWS\System32\xxrgfwd.dll
O2 - BHO: (no name) - {7A5C6872-78F2-4B24-BD41-A5C18170D55F} - C:\WINDOWS\System32\opnnoon.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [hvojuem.dll] "C:\WINDOWS\System32\rundll32.exe" "C:\Documents and Settings\Shady\Local Settings\Application Data\hvojuem.dll",ajkpyne
O4 - HKLM\..\Run: [etuvmud.dll] "C:\WINDOWS\System32\rundll32.exe" "C:\Documents and Settings\Shady\Local Settings\Application Data\etuvmud.dll",kvpdqhc
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [pjrqpnm.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\pjrqpnm.dll",dxzabmc
O4 - HKLM\..\Run: [kgeikdd.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\kgeikdd.dll",srdxunb
O4 - HKLM\..\Run: [ollvxpm.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\ollvxpm.dll",drytaqc
O4 - HKLM\..\Run: [qaxnoqi.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\qaxnoqi.dll",ngoiaae
O4 - HKLM\..\Run: [lmvgsjn.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\lmvgsjn.dll",xcjlkv
O4 - HKLM\..\Run: [aigkiue.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\aigkiue.dll",ulapkzd
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpeokulh.dll",setvm
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1174681026406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: awtqp - C:\WINDOWS\System32\awtqp.dll
O20 - Winlogon Notify: opnnoon - C:\WINDOWS\SYSTEM32\opnnoon.dll
O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - (no file)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - (no file)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
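A triage script for the HijackThis entry formats in the log above, added here as an example; it is not part of HijackThis, VundoFix or this thread. It parses O2 (BHO), O4 (Run key) and O20 (Winlogon Notify) lines (the sample is an excerpt of the log above, with the QuickTime and Windows Live entries as benign controls) and flags what a responder checks first: a Run key using rundll32 to load a DLL from a user-writable profile directory, unnamed BHOs, Winlogon Notify packages, and one DLL registered as both a BHO and a Notify package. The severity scale and rule wording are the example's own, not HijackThis output.

```python
"""Triage rules for HijackThis v1.99-style log lines. Added example: not part of
HijackThis, VundoFix or this thread. Parses O2 (BHO), O4 (Run key) and O20
(Winlogon Notify) entries and reports persistence patterns for review."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low": this example's own scale
    section: str   # HijackThis section code, e.g. "O4", or "O2+O20"
    reason: str
    path: str


# Constructed sample: excerpt of the log posted above plus two benign controls.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {289EA67A-C522-D5C5-33B3-0A06B7302ABD} - C:\WINDOWS\System32\rhkdlbm.dll
O2 - BHO: (no name) - {3B77865B-6037-4A25-963B-11D034ECFADB} - C:\WINDOWS\System32\awtqp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6EE198AA-C618-450D-83C4-766E8EB71F56} - (no file)
O2 - BHO: (no name) - {7A5C6872-78F2-4B24-BD41-A5C18170D55F} - C:\WINDOWS\System32\opnnoon.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hvojuem.dll] "C:\WINDOWS\System32\rundll32.exe" "C:\Documents and Settings\Shady\Local Settings\Application Data\hvojuem.dll",ajkpyne
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpeokulh.dll",setvm
O20 - Winlogon Notify: awtqp - C:\WINDOWS\System32\awtqp.dll
O20 - Winlogon Notify: opnnoon - C:\WINDOWS\SYSTEM32\opnnoon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d+) - (.*)$")
QUOTED_DLL_RE = re.compile(r'"([^"]+\.dll)"', re.IGNORECASE)
BARE_DLL_RE = re.compile(r"(\S+\.dll)", re.IGNORECASE)
# Directories a plain user can write to; a logon-time DLL here is rarely legitimate.
USER_WRITABLE = ("\\local settings\\", "\\application data\\", "\\temp\\")


def dll_in_command(command: str) -> Optional[str]:
    """First .dll argument of a Run-key command line, quoted or bare."""
    m = QUOTED_DLL_RE.search(command) or BARE_DLL_RE.search(command)
    return m.group(1) if m else None


def parse_entries(text: str) -> Iterator[Tuple[str, str, Optional[str]]]:
    """Yield (section, body, dll_path); dll_path is None for missing files and non-rundll32 O4 entries."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        path = None
        if section in ("O2", "O20"):
            tail = body.rpartition(" - ")[2]
            if tail != "(no file)" and not tail.endswith("(file missing)"):
                path = tail
        elif section == "O4":
            command = body.partition("] ")[2]
            if "rundll32" in command.lower():
                path = dll_in_command(command)
        yield section, body, path


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    bho_dlls, notify_dlls = {}, {}  # lower-cased basename -> full path
    for section, body, path in parse_entries(text):
        base = ntpath.basename(path).lower() if path else ""
        if section == "O4" and path:
            if any(d in path.lower() for d in USER_WRITABLE):
                findings.append(Finding("high", "O4", "rundll32 loads a DLL from a user-writable profile directory at logon", path))
            else:
                findings.append(Finding("medium", "O4", "rundll32 Run entry; confirm the DLL belongs to installed software", path))
        elif section == "O2":
            if path is None:
                findings.append(Finding("low", "O2", "orphaned BHO registration (no file)", body))
            else:
                bho_dlls[base] = path
                if body.startswith("BHO: (no name)"):
                    findings.append(Finding("medium", "O2", "BHO with no name string", path))
        elif section == "O20":
            if path is None:
                findings.append(Finding("low", "O20", "Winlogon Notify package with missing DLL", body))
            else:
                notify_dlls[base] = path
                findings.append(Finding("medium", "O20", "Winlogon Notify DLL runs inside winlogon.exe; verify its vendor", path))
    # Strongest signal in this thread: one DLL registered both as a BHO (loaded
    # by Internet Explorer) and as a Winlogon Notify package (loaded at logon).
    for base in sorted(bho_dlls.keys() & notify_dlls.keys()):
        findings.append(Finding("high", "O2+O20", "same DLL registered as BHO and Winlogon Notify package", notify_dlls[base]))
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts
```

The rules are cues for review, not verdicts: SDHelper.dll is Spybot's own BHO and still surfaces as a medium finding because HijackThis printed no name for it.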

#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 23 March 2007 - 03:12 PM

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Please post the contents of C:\vundofix.txt into your next reply, along with a new HijackThis log.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

#7 krazedone
  • Topic Starter

  • Members
  • 15 posts

Posted 23 March 2007 - 06:36 PM

OK, this is what I got.

VundoFix V6.3.16

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 10:08:06 PM 3/14/2007

Listing files found while scanning....

C:\WINDOWS\System32\whfmxupa.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...

Sun Java not detected
Scan started at 4:15:07 PM 3/23/2007

Listing files found while scanning....

C:\WINDOWS\System32\awtqp.dll
C:\WINDOWS\System32\pqtwa.bak1
C:\WINDOWS\System32\pqtwa.ini

Beginning removal...

Attempting to delete C:\WINDOWS\System32\awtqp.dll
C:\WINDOWS\System32\awtqp.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\pqtwa.bak1
C:\WINDOWS\System32\pqtwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\pqtwa.ini
C:\WINDOWS\System32\pqtwa.ini Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 7:31:49 PM, on 3/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\S3tray2.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {289EA67A-C522-D5C5-33B3-0A06B7302ABD} - C:\WINDOWS\System32\rhkdlbm.dll
O2 - BHO: (no name) - {3937C0B0-99C5-74F2-A6A2-086A6584264C} - C:\WINDOWS\System32\wjpkltk.dll
O2 - BHO: (no name) - {3A7467BE-208F-4827-B22E-BBCBD1CDA90E} - (no file)
O2 - BHO: (no name) - {3B35D985-7648-4521-83BE-1E16AE5CD05F} - C:\WINDOWS\system32\driverb.dll
O2 - BHO: (no name) - {3B77865B-6037-4A25-963B-11D034ECFADB} - C:\WINDOWS\System32\awtqp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {565E5C7D-9477-1D58-D7C4-05C7E08CF482} - C:\WINDOWS\System32\hpcquqn.dll
O2 - BHO: (no name) - {5F74ADA1-8871-E2DE-AC3C-02C2EFF69AF3} - C:\WINDOWS\System32\dakmgbn.dll
O2 - BHO: (no name) - {65689146-97F6-B5CF-6872-029CCF422183} - C:\WINDOWS\System32\hbcyrmf.dll
O2 - BHO: (no name) - {6EE198AA-C618-450D-83C4-766E8EB71F56} - (no file)
O2 - BHO: (no name) - {721B7513-C646-838B-84B8-0113B82A0815} - C:\WINDOWS\System32\lymhcmh.dll
O2 - BHO: (no name) - {72EA236A-2BDD-3D17-1C21-0841FBF6413A} - C:\WINDOWS\System32\xxrgfwd.dll
O2 - BHO: (no name) - {7A5C6872-78F2-4B24-BD41-A5C18170D55F} - C:\WINDOWS\System32\opnnoon.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A63D760-0FDC-4A18-958C-A7CD39FB0E12} - C:\WINDOWS\System32\kcrydyuu.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A978343E-DD66-4FA1-B4FC-3250E854298C} - C:\WINDOWS\System32\pmnlk.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [hvojuem.dll] "C:\WINDOWS\System32\rundll32.exe" "C:\Documents and Settings\Shady\Local Settings\Application Data\hvojuem.dll",ajkpyne
O4 - HKLM\..\Run: [etuvmud.dll] "C:\WINDOWS\System32\rundll32.exe" "C:\Documents and Settings\Shady\Local Settings\Application Data\etuvmud.dll",kvpdqhc
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [pjrqpnm.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\pjrqpnm.dll",dxzabmc
O4 - HKLM\..\Run: [kgeikdd.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\kgeikdd.dll",srdxunb
O4 - HKLM\..\Run: [ollvxpm.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\ollvxpm.dll",drytaqc
O4 - HKLM\..\Run: [qaxnoqi.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\qaxnoqi.dll",ngoiaae
O4 - HKLM\..\Run: [lmvgsjn.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\lmvgsjn.dll",xcjlkv
O4 - HKLM\..\Run: [aigkiue.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\aigkiue.dll",ulapkzd
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpeokulh.dll",setvm
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1174681026406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: opnnoon - C:\WINDOWS\SYSTEM32\opnnoon.dll
O20 - Winlogon Notify: pmnlk - C:\WINDOWS\System32\pmnlk.dll
O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - (no file)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - (no file)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 23 March 2007 - 07:03 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\System32\rhkdlbm.dll
C:\WINDOWS\System32\wjpkltk.dll
C:\WINDOWS\system32\driverb.dll
C:\WINDOWS\System32\hpcquqn.dll
C:\WINDOWS\System32\dakmgbn.dll
C:\WINDOWS\System32\hbcyrmf.dll
C:\WINDOWS\System32\lymhcmh.dll
C:\WINDOWS\System32\xxrgfwd.dll
C:\WINDOWS\System32\opnnoon.dll
C:\WINDOWS\System32\kcrydyuu.dll
C:\WINDOWS\System32\pmnlk.dll
C:\WINDOWS\System32\xpeokulh.dll
C:\WINDOWS\SYSTEM32\winmfu32.dll
C:\Documents and Settings\Shady\Local Settings\Application Data\hvojuem.dll
C:\Documents and Settings\Shady\Local Settings\Application Data\etuvmud.dll
C:\Documents and Settings\Shady\Local Settings\Application Data\pjrqpnm.dll
C:\Documents and Settings\Shady\Local Settings\Application Data\kgeikdd.dll
C:\Documents and Settings\Shady\Local Settings\Application Data\ollvxpm.dll
C:\Documents and Settings\Shady\Local Settings\Application Data\qaxnoqi.dll
C:\Documents and Settings\Shady\Local Settings\Application Data\lmvgsjn.dll
C:\Documents and Settings\Shady\Local Settings\Application Data\aigkiue.dll

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

****************************

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Restart your pc.
Post the Avenger output.txt, which you can find at C:\Avenger\.txt, the C:\ComboFix.txt, and a new Hijackthis log into your next reply please.
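The "Files to delete" list above maps one-to-one onto three kinds of entries in the HijackThis log in post #7: the O2 BHOs listed as "(no name)" that still have a file on disk (Spybot's SDHelper.dll excepted), the O4 Run values that load a DLL through rundll32.exe, and the O20 Winlogon Notify DLLs. As an added example that is not part of this thread, HijackThis or Avenger, the Python below applies those three rules to an excerpt of that log and emits the same Avenger block; the allow-list and the regular expressions are assumptions of the example, not rules from the tools.

```python
import re

# Assumed allow-list (not from the thread): entries that HijackThis also shows
# as "(no name)" but that belong to legitimate software, here Spybot's SDHelper.
ALLOWLIST = {"sdhelper.dll"}

# HijackThis tags an entry whose file is already gone with one of these.
ABSENT_TAGS = ("(no file)", "(file missing)")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# The DLL handed to rundll32: the token ending in .dll just before ",entrypoint".
RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+"?(?P<dll>[^",]+\.dll)"?,', re.IGNORECASE)

# Excerpt of the HijackThis log posted above (a constructed subset of its lines).
SAMPLE_LOG = [
    r"O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r"O2 - BHO: (no name) - {289EA67A-C522-D5C5-33B3-0A06B7302ABD} - C:\WINDOWS\System32\rhkdlbm.dll",
    r"O2 - BHO: (no name) - {3B77865B-6037-4A25-963B-11D034ECFADB} - C:\WINDOWS\System32\awtqp.dll (file missing)",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: (no name) - {7A5C6872-78F2-4B24-BD41-A5C18170D55F} - C:\WINDOWS\System32\opnnoon.dll",
    r"O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll",
    r"O2 - BHO: (no name) - {A978343E-DD66-4FA1-B4FC-3250E854298C} - C:\WINDOWS\System32\pmnlk.dll",
    r"O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe",
    r'O4 - HKLM\..\Run: [hvojuem.dll] "C:\WINDOWS\System32\rundll32.exe" "C:\Documents and Settings\Shady\Local Settings\Application Data\hvojuem.dll",ajkpyne',
    r'O4 - HKLM\..\Run: [pjrqpnm.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\pjrqpnm.dll",dxzabmc',
    r'O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpeokulh.dll",setvm',
    "O20 - Winlogon Notify: AutorunsDisabled - C:\\WINDOWS\\",
    r"O20 - Winlogon Notify: opnnoon - C:\WINDOWS\SYSTEM32\opnnoon.dll",
    r"O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll",
    r"O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)",
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _is_absent(path: str) -> bool:
    return any(tag in path for tag in ABSENT_TAGS)


def suspicious_files(hjt_lines):
    """Return the on-disk DLLs a helper would target, in log order, without duplicates."""
    found, seen = [], set()

    def add(path: str) -> None:
        path = path.strip().strip('"')
        if _is_absent(path) or not path.lower().endswith(".dll"):
            return  # nothing on disk, or a directory rather than a DLL
        if _basename(path) in ALLOWLIST or path.lower() in seen:
            return  # known-good, or already listed under another section
        seen.add(path.lower())
        found.append(path)

    for raw in hjt_lines:
        line = raw.strip()
        if m := O2_RE.match(line):
            # Rule 1: a Browser Helper Object with no name. Legitimate nameless
            # ones (SDHelper) are excluded through the allow-list.
            if m["name"] == "(no name)":
                add(m["path"])
        elif m := O4_RE.match(line):
            # Rule 2: a Run value that loads a DLL through rundll32, the
            # persistence style seen in this log (value name == DLL name).
            # Legitimate rundll32 autostarts exist; they belong on the allow-list.
            if r := RUNDLL_RE.search(m["cmd"]):
                add(r["dll"])
        elif m := O20_RE.match(line):
            # Rule 3: Winlogon Notify DLLs are loaded into winlogon.exe at logon.
            add(m["path"])
    return found


def avenger_script(paths):
    """Format the result as the 'Files to delete:' block Avenger expects."""
    return "Files to delete:\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    print(avenger_script(suspicious_files(SAMPLE_LOG)), end="")
```

Run against the full log in post #7, the three rules reproduce the 21 paths in the helper's script; the allow-list is where analyst judgement about legitimate nameless BHOs and rundll32 autostarts goes.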

#9 krazedone

  • Topic Starter

  • Members
  • 15 posts

Posted 23 March 2007 - 07:42 PM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xmelucjt

*******************

Script file located at: \??\C:\Program Files\mfyuccth.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\rhkdlbm.dll deleted successfully.
File C:\WINDOWS\System32\wjpkltk.dll deleted successfully.
File C:\WINDOWS\system32\driverb.dll deleted successfully.
File C:\WINDOWS\System32\hpcquqn.dll deleted successfully.
File C:\WINDOWS\System32\dakmgbn.dll deleted successfully.
File C:\WINDOWS\System32\hbcyrmf.dll deleted successfully.
File C:\WINDOWS\System32\lymhcmh.dll deleted successfully.
File C:\WINDOWS\System32\xxrgfwd.dll deleted successfully.
File C:\WINDOWS\System32\opnnoon.dll deleted successfully.
File C:\WINDOWS\System32\kcrydyuu.dll deleted successfully.
File C:\WINDOWS\System32\pmnlk.dll deleted successfully.
File C:\WINDOWS\System32\xpeokulh.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\winmfu32.dll deleted successfully.
File C:\Documents and Settings\Shady\Local Settings\Application Data\hvojuem.dll deleted successfully.
File C:\Documents and Settings\Shady\Local Settings\Application Data\etuvmud.dll deleted successfully.
File C:\Documents and Settings\Shady\Local Settings\Application Data\pjrqpnm.dll deleted successfully.
File C:\Documents and Settings\Shady\Local Settings\Application Data\kgeikdd.dll deleted successfully.
File C:\Documents and Settings\Shady\Local Settings\Application Data\ollvxpm.dll deleted successfully.
File C:\Documents and Settings\Shady\Local Settings\Application Data\qaxnoqi.dll deleted successfully.
File C:\Documents and Settings\Shady\Local Settings\Application Data\lmvgsjn.dll deleted successfully.
File C:\Documents and Settings\Shady\Local Settings\Application Data\aigkiue.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


"Shady" - 07-03-23 20:16:10 Service Pack 1
ComboFix 07-03-23 - Running from: "C:\Documents and Settings\Shady\Desktop"

/wow section not completed - STAGE #4
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\vbzip11.dll
C:\WINDOWS\system32\gebyy.dll
C:\Program Files\Common Files\{38626~1
C:\Program Files\msconfigs


((((((((((((((((((((((((((((((( Files Created from 2007-02-23 to 2007-03-23 ))))))))))))))))))))))))))))))))))


2007-03-23 13:12 158,720 --a------ C:\WINDOWS\system32\srsvc.dll
2007-03-23 13:12 133,632 --a------ C:\WINDOWS\system32\rsaenh.dll
2007-03-23 13:12 133,120 --a------ C:\WINDOWS\system32\sfc_os.dll
2007-03-23 13:12 130,560 --a------ C:\WINDOWS\system32\sti_ci.dll
2007-03-23 13:12 13,312 --a------ C:\WINDOWS\system32\ssstars.scr
2007-03-23 13:12 128,512 --a------ C:\WINDOWS\system32\taskmgr.exe
2007-03-23 13:12 12,800 --a------ C:\WINDOWS\system32\runonce.exe
2007-03-23 13:12 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe
2007-03-23 13:12 117,760 --a------ C:\WINDOWS\system32\stobject.dll
2007-03-23 13:12 11,776 --a------ C:\WINDOWS\system32\sigtab.dll
2007-03-23 13:12 10,752 --a------ C:\WINDOWS\system32\tracert.exe
2007-03-23 13:12 1,157,632 --a------ C:\WINDOWS\system32\sfcfiles.dll
2007-03-23 13:11 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-03-23 13:11 88,064 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-03-23 13:11 86,528 --a------ C:\WINDOWS\system32\wlnotify.dll
2007-03-23 13:11 86,016 --a------ C:\WINDOWS\system32\xactsrv.dll
2007-03-23 13:11 77,824 --a------ C:\WINDOWS\system32\wmpstub.exe
2007-03-23 13:11 61,952 --a------ C:\WINDOWS\system32\webclnt.dll
2007-03-23 13:11 60,416 --a------ C:\WINDOWS\system32\wextract.exe
2007-03-23 13:11 56,832 --a------ C:\WINDOWS\system32\wzcdlg.dll
2007-03-23 13:11 51,200 --a------ C:\WINDOWS\system32\wmerrenu.dll
2007-03-23 13:11 48,640 --a------ C:\WINDOWS\system32\vdmredir.dll
2007-03-23 13:11 48,128 --a------ C:\WINDOWS\system32\winsta.dll
2007-03-23 13:11 479,261 --a------ C:\WINDOWS\system32\vbscript.dll
2007-03-23 13:11 47,616 --a------ C:\WINDOWS\system32\utilman.exe
2007-03-23 13:11 409,088 --a------ C:\WINDOWS\system32\vssapi.dll
2007-03-23 13:11 40,960 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-03-23 13:11 38,912 --a------ C:\WINDOWS\system32\wsnmp32.dll
2007-03-23 13:11 339,456 --a------ C:\WINDOWS\system32\usp10.dll
2007-03-23 13:11 32,256 --a------ C:\WINDOWS\system32\umandlg.dll
2007-03-23 13:11 296,448 --a------ C:\WINDOWS\system32\wmstream.dll
2007-03-23 13:11 247,808 --a------ C:\WINDOWS\system32\wow32.dll
2007-03-23 13:11 231,424 --a------ C:\WINDOWS\system32\upnpui.dll
2007-03-23 13:11 22,016 --a------ C:\WINDOWS\system32\udhisapi.dll
2007-03-23 13:11 203,264 --a------ C:\WINDOWS\system32\uxtheme.dll
2007-03-23 13:11 172,664 --a------ C:\WINDOWS\system32\xenroll.dll
2007-03-23 13:11 171,520 --a------ C:\WINDOWS\system32\winmm.dll
2007-03-23 13:11 17,408 --a------ C:\WINDOWS\system32\wtsapi32.dll
2007-03-23 13:11 168,448 --a------ C:\WINDOWS\system32\wldap32.dll
2007-03-23 13:11 165,376 --a------ C:\WINDOWS\system32\w32time.dll
2007-03-23 13:11 164,864 --a------ C:\WINDOWS\system32\upnphost.dll
2007-03-23 13:11 16,384 --a------ C:\WINDOWS\system32\watchdog.sys
2007-03-23 13:11 16,384 --a------ C:\WINDOWS\system32\ups.exe
2007-03-23 13:11 13,312 --a------ C:\WINDOWS\system32\wship6.dll
2007-03-23 13:11 124,928 --a------ C:\WINDOWS\system32\webvw.dll
2007-03-23 13:11 120,320 --a------ C:\WINDOWS\system32\upnp.dll
2007-03-23 13:11 119,808 --a------ C:\WINDOWS\system32\wiadss.dll
2007-03-23 13:11 107,008 --a------ C:\WINDOWS\system32\umpnpmgr.dll
2007-03-23 12:26 85,504 --a------ C:\WINDOWS\system32\aigkiue.dll
2007-03-23 12:26 26,697 --a------ C:\WINDOWS\system32\ljjhgfe.dll
2007-03-23 10:16 <DIR> d-------- C:\Program Files\Ultimate Defender
2007-03-23 07:40 85,504 --a------ C:\WINDOWS\system32\lmvgsjn.dll
2007-03-23 07:40 26,697 --a------ C:\WINDOWS\system32\efcyvtt.dll
2007-03-23 00:42 85,504 --a------ C:\WINDOWS\system32\lujhioi.dll
2007-03-23 00:42 26,697 --a------ C:\WINDOWS\system32\khfefec.dll
2007-03-22 14:59 85,504 --a------ C:\WINDOWS\system32\qaxnoqi.dll
2007-03-22 14:59 26,697 --a------ C:\WINDOWS\system32\fcccaya.dll
2007-03-22 14:49 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-03-22 12:57 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-22 12:57 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-22 12:57 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-22 12:57 <DIR> d-------- C:\SmitfraudFix
2007-03-22 12:54 740,046 --a------ C:\SmitfraudFix.exe
2007-03-22 10:18 86,016 --a------ C:\WINDOWS\system32\ollvxpm.dll
2007-03-22 10:17 26,697 --a------ C:\WINDOWS\system32\hggdeda.dll
2007-03-22 06:22 <DIR> d-------- C:\DOCUME~1\Shady\APPLIC~1\PC Tools
2007-03-22 06:11 <DIR> d-------- C:\Program Files\Lavasoft Refupdate
2007-03-22 05:27 96,256 --a-s---- C:\WINDOWS\system32\monterreyb_olive.exe
2007-03-22 05:27 96,256 --a------ C:\WINDOWS\system32\driverb.exe
2007-03-22 05:25 63 --a------ C:\WINDOWS\system\SysSD.dll
2007-03-22 05:24 1,032,192 --a------ C:\WINDOWS\system32\VchReg.dll
2007-03-22 03:08 85,504 --a------ C:\WINDOWS\system32\ymvdpth.dll
2007-03-22 03:08 26,697 --a------ C:\WINDOWS\system32\opnlmnm.dll
2007-03-22 02:44 <DIR> d-------- C:\Program Files\Ultimate Cleaner
2007-03-21 22:16 13,013 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2007-03-21 17:29 85,504 --a------ C:\WINDOWS\system32\kgeikdd.dll
2007-03-21 17:29 26,697 --a------ C:\WINDOWS\system32\mljghhg.dll
2007-03-21 11:53 <DIR> d-------- C:\Program Files\Lavasoft
2007-03-21 10:24 81,408 --a------ C:\WINDOWS\system32\pjrqpnm.dll
2007-03-21 09:56 <DIR> d-------- C:\Program Files\Uniblue
2007-03-21 09:56 <DIR> d-------- C:\DOCUME~1\Shady\APPLIC~1\Uniblue
2007-03-21 09:39 57,344 --a------ C:\WINDOWS\unezfw.exe
2007-03-21 09:37 26,787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-03-21 09:35 95,344 --a------ C:\WINDOWS\system32\ISafeIf.dll
2007-03-21 09:35 74,864 --a------ C:\WINDOWS\system32\VetRedir.dll
2007-03-21 09:35 74,864 --a------ C:\WINDOWS\system32\iSafProd.dll
2007-03-21 09:35 629,264 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys
2007-03-21 09:35 21,031 --a------ C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-03-21 09:35 15,735 --a------ C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-03-21 09:35 15,478 --a------ C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-03-21 09:35 111,728 --a------ C:\WINDOWS\AVShlExt.dll
2007-03-21 09:35 108,592 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-03-21 03:03 <DIR> d-------- C:\Program Files\Trojan Remover
2007-03-21 02:51 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-03-20 09:23 14,848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-03-19 20:57 <DIR> d-------- C:\Program Files\Magix
2007-03-18 14:06 81,408 --a------ C:\WINDOWS\system32\etuvmud.dll
2007-03-18 14:06 57,856 --a------ C:\WINDOWS\system32\wpomqlk.dll
2007-03-18 03:19 57,856 --a------ C:\WINDOWS\system32\bqxripb.dll
2007-03-15 21:30 6,029,312 --a------ C:\DOCUME~1\Shady\ntuser.dat
2007-03-15 21:30 466,944 --a------ C:\DOCUME~1\NETWOR~1\ntuser.dat
2007-03-15 21:30 466,944 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-03-15 21:30 262,144 --a------ C:\DOCUME~1\chris\ntuser.dat
2007-03-15 03:43 <DIR> d-------- C:\Program Files\Safarp
2007-03-15 03:31 <DIR> d-------- C:\Program Files\CCleaner
2007-03-14 22:08 <DIR> d-------- C:\VundoFix Backups
2007-03-14 21:46 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2007-03-14 21:46 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-03-14 21:46 42,496 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-14 21:46 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-14 21:46 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-03-14 21:46 278,902 --a------ C:\win32delfkil.exe
2007-03-14 21:46 16,384 --a------ C:\WINDOWS\system32\restart.exe
2007-03-14 21:46 <DIR> d-------- C:\WINDOWS\system32\regdacl
2007-03-14 21:46 <DIR> d-------- C:\_backupD
2007-03-14 21:13 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-03-14 21:00 <DIR> d-------- C:\DOCUME~1\Shady\.housecall6.6
2007-03-14 18:18 <DIR> d-------- C:\Program Files\Common Files\iZotope
2007-03-14 18:18 <DIR> d-------- C:\Program Files\Common Files\HP
2007-03-14 18:12 <DIR> d-------- C:\Program Files\Steinberg
2007-03-14 18:08 <DIR> d-------- C:\DOCUME~1\Shady\APPLIC~1\PACE Anti-Piracy
2007-03-14 18:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PACE Anti-Piracy
2007-03-14 02:30 81,408 --a------ C:\WINDOWS\system32\hdyjadd.dll
2007-03-13 19:28 1,125,876 --ahs---- C:\WINDOWS\system32\vycdd.bak1
2007-03-13 19:22 57,856 --a------ C:\WINDOWS\system32\podljhg.dll
2007-03-13 05:50 543,232 --a------ C:\WINDOWS\LOOP.exe
2007-03-08 04:29 <DIR> d-------- C:\Program Files\Antares
2007-03-07 13:51 133,120 --a------ C:\WINDOWS\system32\zip32.dll
2007-03-07 03:21 286,720 --a------ C:\WINDOWS\iun506.exe
2007-03-07 03:20 <DIR> d-------- C:\Program Files\PSP VintageWarmer
2007-03-03 03:49 <DIR> d-------- C:\Program Files\iZotope
2007-02-25 04:47 139,264 --a------ C:\WINDOWS\system32\hpzjrd01.dll
2007-02-23 23:08 <DIR> d-------- C:\Program Files\VstPlugins


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-23 15:17 -------- d-------- C:\Program Files\msn messenger
2007-03-23 13:18 -------- d-------- C:\Program Files\messenger
2007-03-23 13:17 -------- d-------- C:\Program Files\movie maker
2007-03-22 17:43 -------- d-------- C:\Program Files\winace
2007-03-22 17:28 -------- d-------- C:\Program Files\norton internet security
2007-03-22 17:15 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-03-22 17:14 -------- d-------- C:\Program Files\Common Files\scanner
2007-03-22 14:45 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-03-22 06:25 -------- d-------- C:\Program Files\soulseek
2007-03-21 22:15 4103032 --a------ C:\WINDOWS\system32\spoonuninstall.exe
2007-03-21 13:42 -------- d-------- C:\Program Files\image-line
2007-03-21 11:55 -------- d-------- C:\DOCUME~1\Shady\APPLIC~1\lavasoft
2007-03-21 09:38 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-03-21 09:35 115824 --a------ C:\WINDOWS\unvet32.exe
2007-03-17 06:01 3896 --a------ C:\DOCUME~1\Shady\APPLIC~1\hpsu_48bitscanupdate.log
2007-03-17 06:00 -------- d-------- C:\Program Files\hp
2007-03-15 03:52 -------- d-------- C:\Program Files\xbc
2007-03-14 17:48 -------- d-------- C:\Program Files\waves
2007-03-07 13:51 -------- d-------- C:\Program Files\cdburnerxp pro 3
2007-02-25 04:50 41487 --a------ C:\DOCUME~1\Shady\APPLIC~1\patchupdate_hp_counterreport_update_hpsu.log
2007-02-25 04:47 73162 --a------ C:\DOCUME~1\Shady\APPLIC~1\update_hp_redboxhprblog_hpsu.log
2007-02-20 14:04 -------- d-------- C:\Program Files\digidesign
2007-02-20 12:42 -------- d-------- C:\DOCUME~1\Shady\APPLIC~1\waves audio
2007-02-20 11:47 -------- d--h----- C:\Program Files\installshield installation information
2007-02-20 02:57 -------- d-------- C:\Program Files\Common Files\pace anti-piracy
2007-02-20 02:41 72608 --a------ C:\WINDOWS\system32\drivers\TPkd.sys
2007-02-20 02:41 638976 --a------ C:\WINDOWS\system32\ilinet.dll
2007-02-20 02:41 27328 --a------ C:\WINDOWS\system32\drivers\iLokDrvr.sys
2007-02-15 22:37 -------- d-------- C:\Program Files\messengerplus! 3
2007-02-15 22:37 -------- d-------- C:\Program Files\itunes
2007-02-15 22:05 -------- d-------- C:\Program Files\quicktime
2007-02-07 19:11 -------- d-------- C:\Program Files\sony
2007-02-06 16:58 -------- d-------- C:\DOCUME~1\Shady\APPLIC~1\image zone express
2007-01-31 21:16 1109 --a------ C:\WINDOWS\checkip.dat
2007-01-25 04:59 -------- d-------- C:\DOCUME~1\Shady\APPLIC~1\viewpoint
2007-01-23 14:55 -------- d-------- C:\DOCUME~1\Shady\APPLIC~1\real
2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-15 09:32 785 --------- C:\WINDOWS\tpkdboot.reg
2007-01-04 22:14 4 --a------ C:\WINDOWS\pix11.dat
2006-12-24 23:58 112886 --a------ C:\WINDOWS\hpoins07.dat
2006-12-24 22:52 161 --a------ C:\Delme.bat
2006-12-24 20:56 98304 --a------ C:\WINDOWS\system32\qttask.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"FreeRAM XP"="\"C:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"S3TRAY2"="S3tray2.exe"
"QuickTime Task"="\"C:\\WINDOWS\\system32\\qttask.exe\" -atboottime"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"hvojuem.dll"="\"C:\\WINDOWS\\System32\\rundll32.exe\" \"C:\\Documents and Settings\\Shady\\Local Settings\\Application Data\\hvojuem.dll\",ajkpyne"
"etuvmud.dll"="\"C:\\WINDOWS\\System32\\rundll32.exe\" \"C:\\Documents and Settings\\Shady\\Local Settings\\Application Data\\etuvmud.dll\",kvpdqhc"
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust PestPatrol\\PPActiveDetection.exe\""
"QOELOADER"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust Anti-Spam\\QSP-2.1.215.5\\QOELoader.exe\""
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVRID.exe\""
"pjrqpnm.dll"="C:\\WINDOWS\\System32\\rundll32.exe \"C:\\Documents and Settings\\Shady\\Local Settings\\Application Data\\pjrqpnm.dll\",dxzabmc"
"kgeikdd.dll"="C:\\WINDOWS\\System32\\rundll32.exe \"C:\\Documents and Settings\\Shady\\Local Settings\\Application Data\\kgeikdd.dll\",srdxunb"
"ollvxpm.dll"="C:\\WINDOWS\\System32\\rundll32.exe \"C:\\Documents and Settings\\Shady\\Local Settings\\Application Data\\ollvxpm.dll\",drytaqc"
"qaxnoqi.dll"="C:\\WINDOWS\\System32\\rundll32.exe \"C:\\Documents and Settings\\Shady\\Local Settings\\Application Data\\qaxnoqi.dll\",ngoiaae"
"lmvgsjn.dll"="C:\\WINDOWS\\System32\\rundll32.exe \"C:\\Documents and Settings\\Shady\\Local Settings\\Application Data\\lmvgsjn.dll\",xcjlkv"
"aigkiue.dll"="C:\\WINDOWS\\System32\\rundll32.exe \"C:\\Documents and Settings\\Shady\\Local Settings\\Application Data\\aigkiue.dll\",ulapkzd"
"SoundService"="rundll32.exe \"C:\\WINDOWS\\System32\\xpeokulh.dll\",setvm"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Zone Labs Client"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Firewall\\ca.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCXMNTR"
"hkey"="HKLM"
"command"="ALCXMNTR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"item"="Yahoo! Pager"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"hkey"="HKEY"
"key"="Run"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7A5C6872-78F2-4B24-BD41-A5C18170D55F}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks\AutorunsDisabled]
"{3A7467BE-208F-4827-B22E-BBCBD1CDA90E}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"="C:\\WINDOWS\\svchost.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmfu32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\PCHPantispychris.job
C:\WINDOWS\tasks\Symantec NetDetect.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-23 20:21:11


Logfile of HijackThis v1.99.1
Scan saved at 8:37:12 PM, on 3/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\S3tray2.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {289EA67A-C522-D5C5-33B3-0A06B7302ABD} - C:\WINDOWS\System32\rhkdlbm.dll (file missing)
O2 - BHO: (no name) - {3937C0B0-99C5-74F2-A6A2-086A6584264C} - C:\WINDOWS\System32\wjpkltk.dll (file missing)
O2 - BHO: (no name) - {3A7467BE-208F-4827-B22E-BBCBD1CDA90E} - (no file)
O2 - BHO: (no name) - {3B35D985-7648-4521-83BE-1E16AE5CD05F} - C:\WINDOWS\system32\driverb.dll (file missing)
O2 - BHO: (no name) - {3B77865B-6037-4A25-963B-11D034ECFADB} - C:\WINDOWS\System32\awtqp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {565E5C7D-9477-1D58-D7C4-05C7E08CF482} - C:\WINDOWS\System32\hpcquqn.dll (file missing)
O2 - BHO: (no name) - {5F74ADA1-8871-E2DE-AC3C-02C2EFF69AF3} - C:\WINDOWS\System32\dakmgbn.dll (file missing)
O2 - BHO: (no name) - {65689146-97F6-B5CF-6872-029CCF422183} - C:\WINDOWS\System32\hbcyrmf.dll (file missing)
O2 - BHO: (no name) - {6EE198AA-C618-450D-83C4-766E8EB71F56} - (no file)
O2 - BHO: (no name) - {721B7513-C646-838B-84B8-0113B82A0815} - C:\WINDOWS\System32\lymhcmh.dll (file missing)
O2 - BHO: (no name) - {72EA236A-2BDD-3D17-1C21-0841FBF6413A} - C:\WINDOWS\System32\xxrgfwd.dll (file missing)
O2 - BHO: (no name) - {7A5C6872-78F2-4B24-BD41-A5C18170D55F} - C:\WINDOWS\System32\opnnoon.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A63D760-0FDC-4A18-958C-A7CD39FB0E12} - C:\WINDOWS\System32\kcrydyuu.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A978343E-DD66-4FA1-B4FC-3250E854298C} - C:\WINDOWS\System32\pmnlk.dll (file missing)
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [hvojuem.dll] "C:\WINDOWS\System32\rundll32.exe" "C:\Documents and Settings\Shady\Local Settings\Application Data\hvojuem.dll",ajkpyne
O4 - HKLM\..\Run: [etuvmud.dll] "C:\WINDOWS\System32\rundll32.exe" "C:\Documents and Settings\Shady\Local Settings\Application Data\etuvmud.dll",kvpdqhc
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [pjrqpnm.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\pjrqpnm.dll",dxzabmc
O4 - HKLM\..\Run: [kgeikdd.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\kgeikdd.dll",srdxunb
O4 - HKLM\..\Run: [ollvxpm.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\ollvxpm.dll",drytaqc
O4 - HKLM\..\Run: [qaxnoqi.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\qaxnoqi.dll",ngoiaae
O4 - HKLM\..\Run: [lmvgsjn.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\lmvgsjn.dll",xcjlkv
O4 - HKLM\..\Run: [aigkiue.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\aigkiue.dll",ulapkzd
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpeokulh.dll",setvm
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1174681026406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: opnnoon - opnnoon.dll (file missing)
O20 - Winlogon Notify: pmnlk - C:\WINDOWS\System32\pmnlk.dll (file missing)
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - (no file)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - (no file)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS
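The two logs above (the ComboFix-style new-files listing and the HijackThis log) show the pattern a responder screens for by eye: rundll32 Run entries loading DLLs from the user's profile with nonsense export names, Run values named after the DLL they load, dangling BHO and Winlogon Notify registrations, and batches of unrelated-looking DLLs that share an exact byte size. The Python script below is an added example, not part of this thread and not code from HijackThis or ComboFix; it encodes those heuristics and runs them over constructed sample lines shaped like the posted ones. The function and sample names are my own, and the heuristics are exactly that: cheap signals for triage, not a verdict.

```python
"""Triage heuristics for a HijackThis log and a ComboFix-style file listing.

Added example (not part of this thread, HijackThis or ComboFix). The sample
text below is constructed to mirror the shape of the posted log lines.
"""
import re
from collections import defaultdict

# Constructed HijackThis-style lines: two legitimate entries, one dangling
# BHO, two rundll32 Run entries and two Winlogon Notify entries.
HJT_SAMPLE = r"""
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {289EA67A-C522-D5C5-33B3-0A06B7302ABD} - C:\WINDOWS\System32\rhkdlbm.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hvojuem.dll] "C:\WINDOWS\System32\rundll32.exe" "C:\Documents and Settings\Shady\Local Settings\Application Data\hvojuem.dll",ajkpyne
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpeokulh.dll",setvm
O20 - Winlogon Notify: pmnlk - C:\WINDOWS\System32\pmnlk.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Constructed new-files listing: two batches of unrelated names that share an
# exact byte size, one directory row and two ordinary files.
FILES_SAMPLE = r"""
2007-03-23 12:26 85,504 --a------ C:\WINDOWS\system32\aigkiue.dll
2007-03-23 12:26 26,697 --a------ C:\WINDOWS\system32\ljjhgfe.dll
2007-03-23 10:16 <DIR> d-------- C:\Program Files\Ultimate Defender
2007-03-23 07:40 85,504 --a------ C:\WINDOWS\system32\lmvgsjn.dll
2007-03-23 07:40 26,697 --a------ C:\WINDOWS\system32\efcyvtt.dll
2007-03-23 00:42 85,504 --a------ C:\WINDOWS\system32\lujhioi.dll
2007-03-23 00:42 26,697 --a------ C:\WINDOWS\system32\khfefec.dll
2007-03-22 12:57 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-07 13:51 133,120 --a------ C:\WINDOWS\system32\zip32.dll
"""

RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+"?([^"]+?\.dll)"?\s*,\s*(\w+)', re.I)
O4_NAME_RE = re.compile(r'^O4 - [^:]+: \[([^\]]+)\]')
O2_RE = re.compile(r'^O2 - BHO: (.+?) - \{[0-9A-Fa-f-]+\} - (.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (\S+) - (.*)$')
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d\s+([\d,]+)\s+\S+\s+(.+)$')

# Directories an unprivileged user can write to on Windows XP.
USER_WRITABLE = ('\\documents and settings\\', '\\local settings\\', '\\application data\\')


def basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1]


def triage_hjt(text):
    """Return [(line, [reasons])] for each HijackThis line that trips a heuristic."""
    hits = []
    for line in text.strip().splitlines():
        reasons, low = [], line.lower()
        if line.startswith('O4 '):
            m = RUNDLL_RE.search(line)
            if m:                                     # autorun via rundll32 <dll>,<export>
                dll, export = m.group(1), m.group(2)
                if any(mark in dll.lower() for mark in USER_WRITABLE):
                    reasons.append('rundll32 loads a DLL from a user-writable profile directory')
                name = O4_NAME_RE.match(line)
                if name and name.group(1).lower() == basename(dll).lower():
                    reasons.append('Run value is named after the DLL it loads')
                if len(export) >= 5 and export.isalpha() and export.islower():
                    reasons.append('entry point %r is a bare lowercase token (looks generated)' % export)
        elif line.startswith('O2 '):
            m = O2_RE.match(line)
            if m and m.group(1) == '(no name)' and 'file missing' in low:
                reasons.append('unnamed BHO whose DLL is missing (dangling registration)')
        elif line.startswith('O20 '):
            m = O20_RE.match(line)
            if m and 'file missing' in low:
                reasons.append('Winlogon Notify package whose DLL is missing')
            elif m and not m.group(2).lower().startswith('c:\\windows\\system32\\'):
                reasons.append('Winlogon Notify package outside system32')
        if reasons:
            hits.append((line, reasons))
    return hits


def size_clusters(text, min_count=3):
    """Group the listing by exact byte size; return {size: [paths]} for every
    size shared by at least min_count files with pairwise different base names."""
    by_size = defaultdict(list)
    for line in text.strip().splitlines():
        m = FILE_RE.match(line)
        if m:                                          # <DIR> rows do not match
            by_size[int(m.group(1).replace(',', ''))].append(m.group(2))
    return {size: paths for size, paths in by_size.items()
            if len(paths) >= min_count
            and len({basename(p).lower() for p in paths}) == len(paths)}


if __name__ == '__main__':
    for line, reasons in triage_hjt(HJT_SAMPLE):
        print(line[:60] + '...', '->', '; '.join(reasons))
    for size, paths in sorted(size_clusters(FILES_SAMPLE).items()):
        print('%d bytes x %d: %s' % (size, len(paths), ', '.join(basename(p) for p in paths)))
```

Run as a script it prints the five flagged autorun lines (the QuickTime and Windows Live entries pass untouched) and the two size clusters, 85,504 and 26,697 bytes, each holding three DLLs with nothing in common but their size. The same-size check is the one worth keeping in a toolbox: a dropper that re-creates itself under a fresh random name every few hours leaves the byte count unchanged, which is why the listing in the thread shows the same two sizes over and over on different days.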

#10 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 23 March 2007 - 08:12 PM

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have HijackThis fix the following [if still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {289EA67A-C522-D5C5-33B3-0A06B7302ABD} - C:\WINDOWS\System32\rhkdlbm.dll (file missing)
O2 - BHO: (no name) - {3937C0B0-99C5-74F2-A6A2-086A6584264C} - C:\WINDOWS\System32\wjpkltk.dll (file missing)
O2 - BHO: (no name) - {3A7467BE-208F-4827-B22E-BBCBD1CDA90E} - (no file)
O2 - BHO: (no name) - {3B35D985-7648-4521-83BE-1E16AE5CD05F} - C:\WINDOWS\system32\driverb.dll (file missing)
O2 - BHO: (no name) - {3B77865B-6037-4A25-963B-11D034ECFADB} - C:\WINDOWS\System32\awtqp.dll (file missing)
O2 - BHO: (no name) - {565E5C7D-9477-1D58-D7C4-05C7E08CF482} - C:\WINDOWS\System32\hpcquqn.dll (file missing)
O2 - BHO: (no name) - {5F74ADA1-8871-E2DE-AC3C-02C2EFF69AF3} - C:\WINDOWS\System32\dakmgbn.dll (file missing)
O2 - BHO: (no name) - {65689146-97F6-B5CF-6872-029CCF422183} - C:\WINDOWS\System32\hbcyrmf.dll (file missing)
O2 - BHO: (no name) - {6EE198AA-C618-450D-83C4-766E8EB71F56} - (no file)
O2 - BHO: (no name) - {721B7513-C646-838B-84B8-0113B82A0815} - C:\WINDOWS\System32\lymhcmh.dll (file missing)
O2 - BHO: (no name) - {72EA236A-2BDD-3D17-1C21-0841FBF6413A} - C:\WINDOWS\System32\xxrgfwd.dll (file missing)
O2 - BHO: (no name) - {7A5C6872-78F2-4B24-BD41-A5C18170D55F} - C:\WINDOWS\System32\opnnoon.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A63D760-0FDC-4A18-958C-A7CD39FB0E12} - C:\WINDOWS\System32\kcrydyuu.dll (file missing)
O2 - BHO: (no name) - {A978343E-DD66-4FA1-B4FC-3250E854298C} - C:\WINDOWS\System32\pmnlk.dll (file missing)
O4 - HKLM\..\Run: [hvojuem.dll] "C:\WINDOWS\System32\rundll32.exe" "C:\Documents and Settings\Shady\Local Settings\Application Data\hvojuem.dll",ajkpyne
O4 - HKLM\..\Run: [etuvmud.dll] "C:\WINDOWS\System32\rundll32.exe" "C:\Documents and Settings\Shady\Local Settings\Application Data\etuvmud.dll",kvpdqhc
O4 - HKLM\..\Run: [pjrqpnm.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\pjrqpnm.dll",dxzabmc
O4 - HKLM\..\Run: [kgeikdd.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\kgeikdd.dll",srdxunb
O4 - HKLM\..\Run: [ollvxpm.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\ollvxpm.dll",drytaqc
O4 - HKLM\..\Run: [qaxnoqi.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\qaxnoqi.dll",ngoiaae
O4 - HKLM\..\Run: [lmvgsjn.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\lmvgsjn.dll",xcjlkv
O4 - HKLM\..\Run: [aigkiue.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Shady\Local Settings\Application Data\aigkiue.dll",ulapkzd
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpeokulh.dll",setvm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll (file missing)
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Filter: AutorunsDisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: opnnoon - opnnoon.dll (file missing)
O20 - Winlogon Notify: pmnlk - C:\WINDOWS\System32\pmnlk.dll (file missing)
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)


Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.

Post the AVG Anti-Spyware report and a new HijackThis log into your next reply.

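The fix list in the post above keys on a few structural signals rather than on file names: a BHO or Winlogon Notify registration whose DLL is gone, a Run entry that launches a DLL through rundll32.exe, a DLL living under a user's profile directory, and a Winlogon Notify package given as a bare file name (resolved through the DLL search path, so it can be hijacked). The following script is an added example, not part of this thread and not code from HijackThis or AVG: it parses HijackThis-style O2/O4/O20 lines and reports those signals. The sample lines are constructed, modelled on the kinds of entries shown above, with two benign entries mixed in as controls; the reasons it prints are my own triage heuristics, not HijackThis output.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Reports the structural signals the fix list relies on: registrations whose file
is gone, autoruns that load a DLL through rundll32.exe, DLLs under a user profile,
and Winlogon Notify packages resolved by bare file name.
"""
import re
import sys

# Constructed sample, modelled on entries in the post above (not the poster's actual log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {289EA67A-C522-D5C5-33B3-0A06B7302ABD} - C:\WINDOWS\System32\rhkdlbm.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [hvojuem.dll] "C:\WINDOWS\System32\rundll32.exe" "C:\Documents and Settings\Shady\Local Settings\Application Data\hvojuem.dll",ajkpyne
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xpeokulh.dll",setvm
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O20 - Winlogon Notify: pmnlk - C:\WINDOWS\System32\pmnlk.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# HijackThis marks orphaned registrations with either of these suffixes.
MISSING_RE = re.compile(r"\((?:file missing|no file)\)\s*$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}|\(no CLSID\)|\S+) - (?P<path>.*)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<entry>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<key>.+?): (?P<entry>.+?) = (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# rundll32[.exe] "<dll>",<export>, with or without a full path to rundll32 and with or without quotes.
RUNDLL_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
# Windows XP per-user profile locations that any code running as the user can write to.
PROFILE_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(?:Local Settings\\)?Application Data\\", re.IGNORECASE
)


def analyse_line(line):
    """Return the list of reasons an entry deserves a closer look; [] means nothing noted."""
    line = line.strip()
    reasons = []
    missing = MISSING_RE.search(line) is not None

    m = O2_RE.match(line)
    if m:
        if missing:
            reasons.append("BHO registration points at a file that no longer exists")
        if m.group("name") == "(no name)":
            reasons.append("BHO registered without a display name")
        if PROFILE_RE.search(m.group("path")):
            reasons.append("BHO DLL lives in a user-writable profile directory")
        return reasons

    m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
    if m:
        r = RUNDLL_RE.match(m.group("cmd").strip())
        if r:
            reasons.append(f"autorun loads {r.group('dll')} through rundll32.exe export '{r.group('export')}'")
            if PROFILE_RE.search(r.group("dll")):
                reasons.append("loaded DLL lives in a user-writable profile directory")
        if missing:
            reasons.append("autorun target no longer exists")
        return reasons

    m = O20_RE.match(line)
    if m:
        if missing:
            reasons.append("Winlogon Notify package points at a file that no longer exists")
        if "\\" not in m.group("path"):
            reasons.append("Winlogon Notify DLL given by bare name, resolved via the DLL search path")
        return reasons

    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every entry with at least one reason, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = analyse_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    # With a saved log as the first argument, triage that file; otherwise use the embedded sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for entry, why in triage(text):
        print(entry)
        for reason in why:
            print("    -", reason)
```

The output is a reading aid, not a verdict: an orphaned registration (file missing) is safe to remove because nothing loads anymore, while a DLL that is still on disk should be examined before it is deleted, and a legitimate product can register a nameless BHO (Spybot's SDHelper.dll appears that way in the log below).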
#11 krazedone (Topic Starter)

Posted 24 March 2007 - 03:10 AM

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:51:57 AM 3/24/2007

+ Scan result:



C:\SmitfraudFix\SmiUpdate.exe -> Adware.SmiUpdate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\efcyvtt.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\fcccaya.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hggdeda.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\khfefec.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mljghhg.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\opnlmnm.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/opnnoon.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\Shady\Cookies\shady@buzznet.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Shady\Cookies\shady@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Shady\Cookies\shady@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Shady\Cookies\shady@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Shady\Cookies\shady@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Shady\Cookies\shady@grouplotto.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Shady\Cookies\shady@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Shady\Cookies\shady@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Shady\Cookies\shady@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Shady\Cookies\shady@enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Shady\Cookies\shady@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Shady\Cookies\shady@ehg-hollywood.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Shady\Cookies\shady@ehg-hollywoodmedia.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Shady\Cookies\shady@ehg-maniatv.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Shady\Cookies\shady@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Shady\Cookies\shady@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Shady\Cookies\shady@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Shady\Cookies\shady@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Shady\Cookies\shady@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\avenger\backup.zip/avenger/winmfu32.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 4:06:52 AM, on 3/24/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1174681026406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - (no file)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - (no file)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#12 RichieUK (Malware Assassin, Malware Response Team)

Posted 24 March 2007 - 04:29 AM

Please Note:
Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6.0'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

*************************

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply, along with a new HijackThis log please.
Note:
Do not mouse-click ComboFix's window whilst it's running.
That may cause the program to freeze/hang.


#13 krazedone (Topic Starter)

Posted 24 March 2007 - 05:12 AM

Thanks for all the help, I'm not getting pop-ups anymore and I've noticed a huge difference in speed, can't express how happy I am lol, here are the logs

"Shady" - 07-03-24 5:56:51 Service Pack 1
ComboFix 07-03-23 - Running from: "C:\Documents and Settings\Shady\Desktop"

/wow section not completed - STAGE #4
((((((((((((((((((((((((((((((( Files Created from 2007-02-24 to 2007-03-24 ))))))))))))))))))))))))))))))))))


2007-03-24 05:53 <DIR> d-------- C:\Program Files\Java
2007-03-24 04:35 26,787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-03-24 04:34 95,344 --a------ C:\WINDOWS\system32\ISafeIf.dll
2007-03-24 04:34 74,864 --a------ C:\WINDOWS\system32\VetRedir.dll
2007-03-24 04:34 74,864 --a------ C:\WINDOWS\system32\iSafProd.dll
2007-03-24 04:34 629,264 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys
2007-03-24 04:34 49,152 --a------ C:\WINDOWS\unezas.exe
2007-03-24 04:34 21,031 --a------ C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-03-24 04:34 15,735 --a------ C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-03-24 04:34 15,478 --a------ C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-03-24 04:34 111,728 --a------ C:\WINDOWS\AVShlExt.dll
2007-03-24 04:34 108,592 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-03-23 21:22 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-23 20:12 <DIR> d-------- C:\avenger
2007-03-23 20:00 45,056 --a------ C:\command.exe
2007-03-23 19:28 1,206,759 ---hs---- C:\WINDOWS\system32\klnmp.bak1
2007-03-23 14:10 <DIR> d-------- C:\WINDOWS\Prefetch
2007-03-23 13:30 115,200 --a------ C:\WINDOWS\system32\dpcdll.dll
2007-03-23 13:18 921,475 --------- C:\WINDOWS\system32\ati3d2ag.dll
2007-03-23 13:18 89,088 --a------ C:\WINDOWS\system32\mqsec.dll
2007-03-23 13:18 73,728 --a------ C:\WINDOWS\system32\tlntsess.exe
2007-03-23 13:18 7,168 --a------ C:\WINDOWS\system32\tlntsvrp.dll
2007-03-23 13:18 67,584 --a------ C:\WINDOWS\system32\tlntsvr.exe
2007-03-23 13:18 67,584 --a------ C:\WINDOWS\system32\fdeploy.dll
2007-03-23 13:18 67,200 --a------ C:\WINDOWS\system32\drivers\mqac.sys
2007-03-23 13:18 613,888 --a------ C:\WINDOWS\system32\mqqm.dll
2007-03-23 13:18 57,856 --a------ C:\WINDOWS\system32\tlntadmn.exe
2007-03-23 13:18 57,344 --a------ C:\WINDOWS\system32\nwwks.dll
2007-03-23 13:18 545,792 --a------ C:\WINDOWS\system32\wsecedit.dll
2007-03-23 13:18 478,720 --a------ C:\WINDOWS\system32\mqsnap.dll
2007-03-23 13:18 469,504 --a------ C:\WINDOWS\system32\mqutil.dll
2007-03-23 13:18 377,984 --a------ C:\WINDOWS\system32\ati2dvaa.dll
2007-03-23 13:18 327,040 --------- C:\WINDOWS\system32\drivers\ati2mtaa.sys
2007-03-23 13:18 277,504 --a------ C:\WINDOWS\system32\appmgr.dll
2007-03-23 13:18 231,936 --a------ C:\WINDOWS\system32\tracerpt.exe
2007-03-23 13:18 183,296 --a------ C:\WINDOWS\system32\gptext.dll
2007-03-23 13:18 164,864 --a------ C:\WINDOWS\system32\mqrt.dll
2007-03-23 13:18 164,352 --a------ C:\WINDOWS\system32\mqtrig.dll
2007-03-23 13:18 156,672 --a------ C:\WINDOWS\system32\appmgmts.dll
2007-03-23 13:18 156,544 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2007-03-23 13:18 14,848 --a------ C:\WINDOWS\system32\mqise.dll
2007-03-23 13:18 130,048 --a------ C:\WINDOWS\system32\mqad.dll
2007-03-23 13:18 113,664 --a------ C:\WINDOWS\system32\schtasks.exe
2007-03-23 13:18 113,152 --a------ C:\WINDOWS\system32\gpresult.exe
2007-03-23 13:18 103,936 --a------ C:\WINDOWS\system32\rsnotify.exe
2007-03-23 13:18 1,677,312 --a------ C:\WINDOWS\system32\wmvcore2.dll
2007-03-23 13:18 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-03-23 13:15 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe
2007-03-23 13:15 91,648 --a------ C:\WINDOWS\system32\ahui.exe
2007-03-23 13:15 9,216 --a------ C:\WINDOWS\system32\dumprep.exe
2007-03-23 13:15 802,304 --a------ C:\WINDOWS\system32\dxmrtp.dll
2007-03-23 13:15 8,192 --a------ C:\WINDOWS\system32\autolfn.exe
2007-03-23 13:15 76,288 --a------ C:\WINDOWS\system32\dfrgfat.exe
2007-03-23 13:15 76,288 --a------ C:\WINDOWS\system32\avifil32.dll
2007-03-23 13:15 74,810 --a------ C:\WINDOWS\system32\atl.dll
2007-03-23 13:15 71,680 --a------ C:\WINDOWS\system32\browsewm.dll
2007-03-23 13:15 70,656 --a------ C:\WINDOWS\system32\defrag.exe
2007-03-23 13:15 70,144 --a------ C:\WINDOWS\system32\cryptdlg.dll
2007-03-23 13:15 64,512 --a------ C:\WINDOWS\system32\ciodm.dll
2007-03-23 13:15 62,976 --a------ C:\WINDOWS\system32\browselc.dll
2007-03-23 13:15 62,464 --a------ C:\WINDOWS\system32\adsmsext.dll
2007-03-23 13:15 61,440 --a------ C:\WINDOWS\system32\dbnetlib.dll
2007-03-23 13:15 6,656 --a------ C:\WINDOWS\system32\batt.dll
2007-03-23 13:15 59,392 --a------ C:\WINDOWS\system32\6to4svc.dll
2007-03-23 13:15 55,296 --a------ C:\WINDOWS\system32\digest.dll
2007-03-23 13:15 54,272 --a------ C:\WINDOWS\system32\clusapi.dll
2007-03-23 13:15 53,248 --a------ C:\WINDOWS\system32\cryptsvc.dll
2007-03-23 13:15 498,205 --a------ C:\WINDOWS\system32\dxmasf.dll
2007-03-23 13:15 49,152 --a------ C:\WINDOWS\system32\browser.dll
2007-03-23 13:15 471,040 --a------ C:\WINDOWS\system32\cryptui.dll
2007-03-23 13:15 45,568 --a------ C:\WINDOWS\system32\docprop2.dll
2007-03-23 13:15 41,984 --a------ C:\WINDOWS\system32\alg.exe
2007-03-23 13:15 41,472 --a------ C:\WINDOWS\system32\cmdl32.exe
2007-03-23 13:15 38,912 --a------ C:\WINDOWS\system32\audiosrv.dll
2007-03-23 13:15 35,328 --a------ C:\WINDOWS\system32\dfrgsnap.dll
2007-03-23 13:15 324,608 --a------ C:\WINDOWS\system32\cmdial32.dll
2007-03-23 13:15 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll
2007-03-23 13:15 307,712 --a------ C:\WINDOWS\system32\cscui.dll
2007-03-23 13:15 28,672 --a------ C:\WINDOWS\system32\dbnmpntw.dll
2007-03-23 13:15 266,752 --a------ C:\WINDOWS\winhlp32.exe
2007-03-23 13:15 263,680 --a------ C:\WINDOWS\system32\duser.dll
2007-03-23 13:15 263,168 --a------ C:\WINDOWS\system32\devmgr.dll
2007-03-23 13:15 25,600 --a------ C:\WINDOWS\system32\dfsshlex.dll
2007-03-23 13:15 24,576 --a------ C:\WINDOWS\system32\dbmsvinn.dll
2007-03-23 13:15 24,576 --a------ C:\WINDOWS\system32\dbmsrpcn.dll
2007-03-23 13:15 24,576 --a------ C:\WINDOWS\system32\conime.exe
2007-03-23 13:15 239,616 --a------ C:\WINDOWS\system32\adsnt.dll
2007-03-23 13:15 238,592 --a------ C:\WINDOWS\system32\compatui.dll
2007-03-23 13:15 227,840 --a------ C:\WINDOWS\system32\dsquery.dll
2007-03-23 13:15 22,528 --a------ C:\WINDOWS\system32\at.exe
2007-03-23 13:15 20,480 --a------ C:\WINDOWS\system32\dbmsadsn.dll
2007-03-23 13:15 186,880 --a------ C:\WINDOWS\system32\certcli.dll
2007-03-23 13:15 180,224 --a------ C:\WINDOWS\system32\dwwin.exe
2007-03-23 13:15 168,960 --a------ C:\WINDOWS\system32\dinput8.dll
2007-03-23 13:15 162,816 --a------ C:\WINDOWS\system32\adsldp.dll
2007-03-23 13:15 16,384 --a------ C:\WINDOWS\system32\ds32gt.dll
2007-03-23 13:15 158,720 --a------ C:\WINDOWS\system32\credui.dll
2007-03-23 13:15 151,552 --a------ C:\WINDOWS\system32\dinput.dll
2007-03-23 13:15 14,366 --a------ C:\WINDOWS\system32\asfsipc.dll
2007-03-23 13:15 139,776 --a------ C:\WINDOWS\system32\adsldpc.dll
2007-03-23 13:15 135,680 --a------ C:\WINDOWS\system32\dsprop.dll
2007-03-23 13:15 13,312 --a------ C:\WINDOWS\system32\ctfmon.exe
2007-03-23 13:15 124,928 --a------ C:\WINDOWS\system32\dssenh.dll
2007-03-23 13:15 115,712 --a------ C:\WINDOWS\system32\apphelp.dll
2007-03-23 13:15 113,152 --a------ C:\WINDOWS\system32\dfrgui.dll
2007-03-23 13:15 103,424 --a------ C:\WINDOWS\system32\dgnet.dll
2007-03-23 13:15 1,740 --a------ C:\WINDOWS\system32\dcache.bin
2007-03-23 13:15 1,004,032 --a------ C:\WINDOWS\explorer.exe
2007-03-23 13:14 91,648 --a------ C:\WINDOWS\system32\iuctl.dll
2007-03-23 13:14 9,216 --a------ C:\WINDOWS\system32\icaapi.dll
2007-03-23 13:14 8,832 --a------ C:\WINDOWS\system32\framebuf.dll
2007-03-23 13:14 73,728 --a------ C:\WINDOWS\system32\ils.dll
2007-03-23 13:14 7,040 --a------ C:\WINDOWS\system32\kd1394.dll
2007-03-23 13:14 68,096 --a------ C:\WINDOWS\system32\mscms.dll
2007-03-23 13:14 67,584 --a------ C:\WINDOWS\system32\msctfp.dll
2007-03-23 13:14 66,560 --a------ C:\WINDOWS\system32\faultrep.dll
2007-03-23 13:14 65,536 --a------ C:\WINDOWS\system32\msconf.dll
2007-03-23 13:14 60,928 --a------ C:\WINDOWS\system32\ipv6.exe
2007-03-23 13:14 59,392 --a------ C:\WINDOWS\system32\iesetup.dll
2007-03-23 13:14 587,776 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-03-23 13:14 57,856 --a------ C:\WINDOWS\system32\licwmi.dll
2007-03-23 13:14 56,320 --a------ C:\WINDOWS\system32\mshtmler.dll
2007-03-23 13:14 512,031 --a------ C:\WINDOWS\system32\msexch40.dll
2007-03-23 13:14 51,712 --a------ C:\WINDOWS\system32\ipconfig.exe
2007-03-23 13:14 504,320 --a------ C:\WINDOWS\system32\logonui.exe
2007-03-23 13:14 49,664 --a------ C:\WINDOWS\system32\ixsso.dll
2007-03-23 13:14 49,152 --a------ C:\WINDOWS\system32\eventlog.dll
2007-03-23 13:14 42,537 --a------ C:\WINDOWS\system32\keyboard.sys
2007-03-23 13:14 4,608 --a------ C:\WINDOWS\system32\msimg32.dll
2007-03-23 13:14 4,126 --a------ C:\WINDOWS\system32\msdxmlc.dll
2007-03-23 13:14 381,440 --a------ C:\WINDOWS\system32\lmrt.dll
2007-03-23 13:14 380,445 --a------ C:\WINDOWS\system32\expsrv.dll
2007-03-23 13:14 368,710 --a------ C:\WINDOWS\system32\msisam11.dll
2007-03-23 13:14 36,922 --a------ C:\WINDOWS\system32\imeshare.dll
2007-03-23 13:14 348,195 --a------ C:\WINDOWS\system32\msjetoledb40.dll
2007-03-23 13:14 32,256 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-03-23 13:14 319,519 --a------ C:\WINDOWS\system32\msexcl40.dll
2007-03-23 13:14 318,464 --a------ C:\WINDOWS\system32\ippromon.dll
2007-03-23 13:14 30,208 --a------ C:\WINDOWS\system32\imgutil.dll
2007-03-23 13:14 272,896 --a------ C:\WINDOWS\system32\kerberos.dll
2007-03-23 13:14 266,752 --a------ C:\WINDOWS\system32\msctf.dll
2007-03-23 13:14 241,695 --a------ C:\WINDOWS\system32\msjtes40.dll
2007-03-23 13:14 240,640 --a------ C:\WINDOWS\system32\hnetcfg.dll
2007-03-23 13:14 236,032 --a------ C:\WINDOWS\system32\icm32.dll
2007-03-23 13:14 229,888 --a------ C:\WINDOWS\system32\msieftp.dll
2007-03-23 13:14 22,528 --a------ C:\WINDOWS\system32\mslbui.dll
2007-03-23 13:14 219,648 --a------ C:\WINDOWS\system32\logon.scr
2007-03-23 13:14 213,023 --a------ C:\WINDOWS\system32\msltus40.dll
2007-03-23 13:14 210,944 --a------ C:\WINDOWS\system32\moricons.dll
2007-03-23 13:14 196,096 --a------ C:\WINDOWS\system32\mobsync.dll
2007-03-23 13:14 19,456 --a------ C:\WINDOWS\system32\licmgr10.dll
2007-03-23 13:14 19,456 --a------ C:\WINDOWS\system32\fontview.exe
2007-03-23 13:14 19,456 --a------ C:\WINDOWS\system32\ersvc.dll
2007-03-23 13:14 178,688 --a------ C:\WINDOWS\system32\eudcedit.exe
2007-03-23 13:14 165,376 --a------ C:\WINDOWS\system32\els.dll
2007-03-23 13:14 163,840 --a------ C:\WINDOWS\system32\mindex.dll
2007-03-23 13:14 155,648 --a------ C:\WINDOWS\system32\ipsecsvc.dll
2007-03-23 13:14 143,872 --a------ C:\WINDOWS\system32\msimtf.dll
2007-03-23 13:14 134,144 --a------ C:\WINDOWS\system32\ipv6mon.dll
2007-03-23 13:14 126,976 --a------ C:\WINDOWS\system32\msdart.dll
2007-03-23 13:14 123,904 --a------ C:\WINDOWS\system32\imapi.exe
2007-03-23 13:14 12,288 --a------ C:\WINDOWS\system32\mscpx32r.dll
2007-03-23 13:14 116,736 --a------ C:\WINDOWS\system32\mplay32.exe
2007-03-23 13:14 114,176 --a------ C:\WINDOWS\system32\input.dll
2007-03-23 13:14 113,152 --a------ C:\WINDOWS\system32\idq.dll
2007-03-23 13:14 103,936 --a------ C:\WINDOWS\system32\imm32.dll
2007-03-23 13:14 10,240 --a------ C:\WINDOWS\system32\localui.dll
2007-03-23 13:14 1,503,262 --a------ C:\WINDOWS\system32\msjet40.dll
2007-03-23 13:14 1,128,960 --a------ C:\WINDOWS\system32\mmcndmgr.dll
2007-03-23 13:13 98,304 --a------ C:\WINDOWS\system32\oleprn.dll
2007-03-23 13:13 95,744 --a------ C:\WINDOWS\system32\nlhtml.dll
2007-03-23 13:13 94,208 --a------ C:\WINDOWS\system32\odbccp32.dll
2007-03-23 13:13 91,136 --a------ C:\WINDOWS\system32\rastls.dll
2007-03-23 13:13 9,728 --a------ C:\WINDOWS\system32\mstinit.exe
2007-03-23 13:13 87,304 --a------ C:\WINDOWS\system32\rdpdd.dll
2007-03-23 13:13 857,600 --a------ C:\WINDOWS\system32\netplwiz.dll
2007-03-23 13:13 82,944 --a------ C:\WINDOWS\system32\psbase.dll
2007-03-23 13:13 81,408 --a------ C:\WINDOWS\system32\msoert2.dll
2007-03-23 13:13 75,912 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-03-23 13:13 699,392 --a------ C:\WINDOWS\system32\msxml2.dll
2007-03-23 13:13 686,080 --a------ C:\WINDOWS\system32\opengl32.dll
2007-03-23 13:13 61,440 --a------ C:\WINDOWS\system32\odbccu32.dll
2007-03-23 13:13 61,440 --a------ C:\WINDOWS\system32\odbccr32.dll
2007-03-23 13:13 598,016 --a------ C:\WINDOWS\system32\mstscax.dll
2007-03-23 13:13 584,192 --a------ C:\WINDOWS\system32\netcfgx.dll
2007-03-23 13:13 58,880 --a------ C:\WINDOWS\system32\pautoenr.dll
2007-03-23 13:13 57,856 --a------ C:\WINDOWS\system32\raschap.dll
2007-03-23 13:13 552,991 --a------ C:\WINDOWS\system32\msrepl40.dll
2007-03-23 13:13 53,248 --a------ C:\WINDOWS\system32\packager.exe
2007-03-23 13:13 53,248 --a------ C:\WINDOWS\system32\odbcconf.exe
2007-03-23 13:13 49,152 --a------ C:\WINDOWS\system32\npptools.dll
2007-03-23 13:13 44,032 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-03-23 13:13 421,919 --a------ C:\WINDOWS\system32\msrd2x40.dll
2007-03-23 13:13 42,496 --a------ C:\WINDOWS\system32\ncobjapi.dll
2007-03-23 13:13 401,462 --a------ C:\WINDOWS\system32\msvcp60.dll
2007-03-23 13:13 399,360 --a------ C:\WINDOWS\system32\netlogon.dll
2007-03-23 13:13 392,704 --a------ C:\WINDOWS\system32\ntmssvc.dll
2007-03-23 13:13 39,424 --a------ C:\WINDOWS\system32\net.exe
2007-03-23 13:13 388,608 --a------ C:\WINDOWS\system32\mstsc.exe
2007-03-23 13:13 38,400 --a------ C:\WINDOWS\system32\ntmsapi.dll
2007-03-23 13:13 38,400 --a------ C:\WINDOWS\system32\ntlanman.dll
2007-03-23 13:13 348,191 --a------ C:\WINDOWS\system32\mspbde40.dll
2007-03-23 13:13 344,095 --a------ C:\WINDOWS\system32\msxbde40.dll
2007-03-23 13:13 34,304 --a------ C:\WINDOWS\system32\rcimlby.exe
2007-03-23 13:13 339,968 --a------ C:\WINDOWS\system32\mspaint.exe
2007-03-23 13:13 33,808 --a------ C:\WINDOWS\system32\ntio.sys
2007-03-23 13:13 328,704 --a------ C:\WINDOWS\system32\oakley.dll
2007-03-23 13:13 323,072 --a------ C:\WINDOWS\system32\msvcrt.dll
2007-03-23 13:13 32,768 --a------ C:\WINDOWS\system32\odbcad32.exe
2007-03-23 13:13 319,760 --a------ C:\WINDOWS\system32\msnsspc.dll
2007-03-23 13:13 254,976 --a------ C:\WINDOWS\system32\pdh.dll
2007-03-23 13:13 253,983 --a------ C:\WINDOWS\system32\mstext40.dll
2007-03-23 13:13 250,368 --a------ C:\WINDOWS\system32\mstask.dll
2007-03-23 13:13 241,725 --a------ C:\WINDOWS\system32\msuni11.dll
2007-03-23 13:13 24,576 --a------ C:\WINDOWS\system32\odbcbcp.dll
2007-03-23 13:13 24,576 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-03-23 13:13 238,080 --a------ C:\WINDOWS\system32\newdev.dll
2007-03-23 13:13 228,864 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-03-23 13:13 212,480 --a------ C:\WINDOWS\system32\osk.exe
2007-03-23 13:13 200,704 --a------ C:\WINDOWS\system32\odbc32.dll
2007-03-23 13:13 193,536 --a------ C:\WINDOWS\system32\rasppp.dll
2007-03-23 13:13 182,784 --a------ C:\WINDOWS\system32\msutb.dll
2007-03-23 13:13 17,408 --a------ C:\WINDOWS\system32\psapi.dll
2007-03-23 13:13 165,888 --a------ C:\WINDOWS\system32\ntmsdba.dll
2007-03-23 13:13 16,384 --a------ C:\WINDOWS\system32\ping.exe
2007-03-23 13:13 16,384 --a------ C:\WINDOWS\system32\odbc32gt.dll
2007-03-23 13:13 16,384 --a------ C:\WINDOWS\system32\nddenb32.dll
2007-03-23 13:13 154,112 --a------ C:\WINDOWS\system32\netman.dll
2007-03-23 13:13 147,456 --a------ C:\WINDOWS\system32\odbctrac.dll
2007-03-23 13:13 14,848 --a------ C:\WINDOWS\system32\rdpsnd.dll
2007-03-23 13:13 137,216 --a------ C:\WINDOWS\system32\ntshrui.dll
2007-03-23 13:13 135,680 --a------ C:\WINDOWS\system32\rdchost.dll
2007-03-23 13:13 131,072 --a------ C:\WINDOWS\system32\msorcl32.dll
2007-03-23 13:13 13,824 --a------ C:\WINDOWS\system32\rassapi.dll
2007-03-23 13:13 122,880 --a------ C:\WINDOWS\system32\odbcconf.dll
2007-03-23 13:13 12,288 --a------ C:\WINDOWS\system32\odbcp32r.dll
2007-03-23 13:13 115,200 --a------ C:\WINDOWS\system32\net1.exe
2007-03-23 13:13 113,664 --a------ C:\WINDOWS\system32\msvfw32.dll
2007-03-23 13:13 112,128 --a------ C:\WINDOWS\system32\ntmarta.dll
2007-03-23 13:13 109,568 --a------ C:\WINDOWS\system32\offfilt.dll
2007-03-23 13:13 105,984 --a------ C:\WINDOWS\system32\netdde.exe
2007-03-23 13:13 10,240 --a------ C:\WINDOWS\system32\msrle32.dll
2007-03-23 13:13 1,622,528 --a------ C:\WINDOWS\system32\netshell.dll
2007-03-23 13:13 1,349,120 --a------ C:\WINDOWS\system32\query.dll
2007-03-23 13:13 1,122,304 --a------ C:\WINDOWS\system32\msxml3.dll
2007-03-23 13:12 82,944 --a------ C:\WINDOWS\system32\smlogsvc.exe
2007-03-23 13:12 81,920 --a------ C:\WINDOWS\system32\trkwks.dll
2007-03-23 13:12 8,192 --a------ C:\WINDOWS\system32\scrnsave.scr
2007-03-23 13:12 74,240 --a------ C:\WINDOWS\system32\rtcshare.exe
2007-03-23 13:12 71,168 --a------ C:\WINDOWS\system32\sdbinst.exe
2007-03-23 13:12 667,648 --a------ C:\WINDOWS\system32\ss3dfo.scr
2007-03-23 13:12 66,560 --a------ C:\WINDOWS\system32\spoolss.dll
2007-03-23 13:12 66,048 --a------ C:\WINDOWS\system32\sigverif.exe
2007-03-23 13:12 638,976 --a------ C:\WINDOWS\system32\sstext3d.scr
2007-03-23 13:12 63,488 --a------ C:\WINDOWS\system32\srclient.dll
2007-03-23 13:12 62,976 --a------ C:\WINDOWS\system32\shgina.dll
2007-03-23 13:12 61,952 --a------ C:\WINDOWS\system32\sti.dll
2007-03-23 13:12 60,416 --a------ C:\WINDOWS\system32\shimeng.dll
2007-03-23 13:12 6,144 --a------ C:\WINDOWS\system32\sensapi.dll
2007-03-23 13:12 569,344 --a------ C:\WINDOWS\system32\sspipes.scr
2007-03-23 13:12 56,320 --a------ C:\WINDOWS\system32\remotepg.dll
2007-03-23 13:12 534,016 --a------ C:\WINDOWS\system32\spider.exe
2007-03-23 13:12 52,224 --a------ C:\WINDOWS\system32\secur32.dll
2007-03-23 13:12 48,128 --a------ C:\WINDOWS\system32\reg.exe
2007-03-23 13:12 44,032 --a------ C:\WINDOWS\system32\regapi.dll
2007-03-23 13:12 43,008 --a------ C:\WINDOWS\system32\ssdpsrv.dll
2007-03-23 13:12 420,864 --a------ C:\WINDOWS\system32\shimgvw.dll
2007-03-23 13:12 385,024 --a------ C:\WINDOWS\system32\sqlsrv32.dll
2007-03-23 13:12 384,000 --a------ C:\WINDOWS\system32\themeui.dll
2007-03-23 13:12 364,544 --a------ C:\WINDOWS\system32\ssflwbox.scr
2007-03-23 13:12 36,352 --a------ C:\WINDOWS\system32\sens.dll
2007-03-23 13:12 334,848 --a------ C:\WINDOWS\system32\smlogcfg.dll
2007-03-23 13:12 33,280 --a------ C:\WINDOWS\system32\shmgrate.exe
2007-03-23 13:12 3,338 --a------ C:\WINDOWS\system32\redir.exe
2007-03-23 13:12 297,984 --a------ C:\WINDOWS\system32\scesrv.dll
2007-03-23 13:12 27,136 --a------ C:\WINDOWS\system32\ssdpapi.dll
2007-03-23 13:12 251,904 --a------ C:\WINDOWS\system32\strmdll.dll
2007-03-23 13:12 24,064 --a------ C:\WINDOWS\system32\skeys.exe
2007-03-23 13:12 233,984 --a------ C:\WINDOWS\system32\tapisrv.dll
2007-03-23 13:12 22,528 --a------ C:\WINDOWS\system32\slayerxp.dll
2007-03-23 13:12 22,528 --a------ C:\WINDOWS\system32\shfolder.dll
2007-03-23 13:12 200,192 --a------ C:\WINDOWS\system32\termsrv.dll
2007-03-23 13:12 20,992 --a------ C:\WINDOWS\system32\setup.exe
2007-03-23 13:12 19,456 --a------ C:\WINDOWS\system32\ssmarque.scr
2007-03-23 13:12 18,944 --a------ C:\WINDOWS\system32\ssbezier.scr
2007-03-23 13:12 174,592 --a------ C:\WINDOWS\system32\scecli.dll
2007-03-23 13:12 171,008 --a------ C:\WINDOWS\system32\sccsccp.dll
2007-03-23 13:12 17,408 --a------ C:\WINDOWS\system32\ssmyst.scr
2007-03-23 13:12 169,984 --a------ C:\WINDOWS\system32\sccbase.dll
2007-03-23 13:12 165,376 --a------ C:\WINDOWS\system32\tapi32.dll
2007-03-23 13:12 16,896 --a------ C:\WINDOWS\system32\snmpapi.dll
2007-03-23 13:12 159,232 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-03-23 13:12 158,720 --a------ C:\WINDOWS\system32\srsvc.dll
2007-03-23 13:12 133,632 --a------ C:\WINDOWS\system32\rsaenh.dll
2007-03-23 13:12 133,120 --a------ C:\WINDOWS\system32\sfc_os.dll
2007-03-23 13:12 130,560 --a------ C:\WINDOWS\system32\sti_ci.dll
2007-03-23 13:12 13,312 --a------ C:\WINDOWS\system32\ssstars.scr
2007-03-23 13:12 128,512 --a------ C:\WINDOWS\system32\taskmgr.exe
2007-03-23 13:12 12,800 --a------ C:\WINDOWS\system32\runonce.exe
2007-03-23 13:12 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe
2007-03-23 13:12 117,760 --a------ C:\WINDOWS\system32\stobject.dll
2007-03-23 13:12 11,776 --a------ C:\WINDOWS\system32\sigtab.dll
2007-03-23 13:12 10,752 --a------ C:\WINDOWS\system32\tracert.exe
2007-03-23 13:12 1,157,632 --a------ C:\WINDOWS\system32\sfcfiles.dll
2007-03-23 13:11 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-03-23 13:11 88,064 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-03-23 13:11 86,528 --a------ C:\WINDOWS\system32\wlnotify.dll
2007-03-23 13:11 86,016 --a------ C:\WINDOWS\system32\xactsrv.dll
2007-03-23 13:11 77,824 --a------ C:\WINDOWS\system32\wmpstub.exe
2007-03-23 13:11 61,952 --a------ C:\WINDOWS\system32\webclnt.dll
2007-03-23 13:11 60,416 --a------ C:\WINDOWS\system32\wextract.exe
2007-03-23 13:11 56,832 --a------ C:\WINDOWS\system32\wzcdlg.dll
2007-03-23 13:11 51,200 --a------ C:\WINDOWS\system32\wmerrenu.dll
2007-03-23 13:11 48,640 --a------ C:\WINDOWS\system32\vdmredir.dll
2007-03-23 13:11 48,128 --a------ C:\WINDOWS\system32\winsta.dll
2007-03-23 13:11 479,261 --a------ C:\WINDOWS\system32\vbscript.dll
2007-03-23 13:11 47,616 --a------ C:\WINDOWS\system32\utilman.exe
2007-03-23 13:11 409,088 --a------ C:\WINDOWS\system32\vssapi.dll
2007-03-23 13:11 40,960 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-03-23 13:11 38,912 --a------ C:\WINDOWS\system32\wsnmp32.dll
2007-03-23 13:11 339,456 --a------ C:\WINDOWS\system32\usp10.dll
2007-03-23 13:11 32,256 --a------ C:\WINDOWS\system32\umandlg.dll
2007-03-23 13:11 296,448 --a------ C:\WINDOWS\system32\wmstream.dll
2007-03-23 13:11 247,808 --a------ C:\WINDOWS\system32\wow32.dll
2007-03-23 13:11 231,424 --a------ C:\WINDOWS\system32\upnpui.dll
2007-03-23 13:11 22,016 --a------ C:\WINDOWS\system32\udhisapi.dll
2007-03-23 13:11 203,264 --a------ C:\WINDOWS\system32\uxtheme.dll
2007-03-23 13:11 172,664 --a------ C:\WINDOWS\system32\xenroll.dll
2007-03-23 13:11 171,520 --a------ C:\WINDOWS\system32\winmm.dll
2007-03-23 13:11 17,408 --a------ C:\WINDOWS\system32\wtsapi32.dll
2007-03-23 13:11 168,448 --a------ C:\WINDOWS\system32\wldap32.dll
2007-03-23 13:11 165,376 --a------ C:\WINDOWS\system32\w32time.dll
2007-03-23 13:11 164,864 --a------ C:\WINDOWS\system32\upnphost.dll
2007-03-23 13:11 16,384 --a------ C:\WINDOWS\system32\watchdog.sys
2007-03-23 13:11 16,384 --a------ C:\WINDOWS\system32\ups.exe
2007-03-23 13:11 13,312 --a------ C:\WINDOWS\system32\wship6.dll
2007-03-23 13:11 124,928 --a------ C:\WINDOWS\system32\webvw.dll
2007-03-23 13:11 120,320 --a------ C:\WINDOWS\system32\upnp.dll
2007-03-23 13:11 119,808 --a------ C:\WINDOWS\system32\wiadss.dll
2007-03-23 13:11 107,008 --a------ C:\WINDOWS\system32\umpnpmgr.dll
2007-03-23 12:26 85,504 --a------ C:\WINDOWS\system32\aigkiue.dll
2007-03-23 12:26 26,697 --a------ C:\WINDOWS\system32\ljjhgfe.dll
2007-03-23 07:40 85,504 --a------ C:\WINDOWS\system32\lmvgsjn.dll
2007-03-23 00:42 85,504 --a------ C:\WINDOWS\system32\lujhioi.dll
2007-03-22 14:59 85,504 --a------ C:\WINDOWS\system32\qaxnoqi.dll
2007-03-22 14:49 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-03-22 12:57 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-22 12:57 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-22 12:57 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-22 12:57 <DIR> d-------- C:\SmitfraudFix
2007-03-22 12:54 740,046 --a------ C:\SmitfraudFix.exe
2007-03-22 10:18 86,016 --a------ C:\WINDOWS\system32\ollvxpm.dll
2007-03-22 06:22 <DIR> d-------- C:\DOCUME~1\Shady\APPLIC~1\PC Tools
2007-03-22 06:11 <DIR> d-------- C:\Program Files\Lavasoft Refupdate
2007-03-22 05:27 96,256 --a-s---- C:\WINDOWS\system32\monterreyb_olive.exe
2007-03-22 05:27 96,256 --a------ C:\WINDOWS\system32\driverb.exe
2007-03-22 05:25 63 --a------ C:\WINDOWS\system\SysSD.dll
2007-03-22 05:24 1,032,192 --a------ C:\WINDOWS\system32\VchReg.dll
2007-03-22 03:08 85,504 --a------ C:\WINDOWS\system32\ymvdpth.dll
2007-03-21 22:16 13,013 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2007-03-21 17:29 85,504 --a------ C:\WINDOWS\system32\kgeikdd.dll
2007-03-21 11:53 <DIR> d-------- C:\Program Files\Lavasoft
2007-03-21 10:24 81,408 --a------ C:\WINDOWS\system32\pjrqpnm.dll
2007-03-21 09:56 <DIR> d-------- C:\Program Files\Uniblue
2007-03-21 09:56 <DIR> d-------- C:\DOCUME~1\Shady\APPLIC~1\Uniblue
2007-03-21 09:39 57,344 --a------ C:\WINDOWS\unezfw.exe
2007-03-21 03:03 <DIR> d-------- C:\Program Files\Trojan Remover
2007-03-21 02:51 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-03-20 09:23 14,848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-03-19 20:57 <DIR> d-------- C:\Program Files\Magix
2007-03-18 14:06 81,408 --a------ C:\WINDOWS\system32\etuvmud.dll
2007-03-18 14:06 57,856 --a------ C:\WINDOWS\system32\wpomqlk.dll
2007-03-18 03:19 57,856 --a------ C:\WINDOWS\system32\bqxripb.dll
2007-03-15 21:30 6,029,312 --a------ C:\DOCUME~1\Shady\ntuser.dat
2007-03-15 21:30 466,944 --a------ C:\DOCUME~1\NETWOR~1\ntuser.dat
2007-03-15 21:30 466,944 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-03-15 21:30 262,144 --a------ C:\DOCUME~1\chris\ntuser.dat
2007-03-15 03:43 <DIR> d-------- C:\Program Files\Safarp
2007-03-15 03:31 <DIR> d-------- C:\Program Files\CCleaner
2007-03-14 22:08 <DIR> d-------- C:\VundoFix Backups
2007-03-14 21:46 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2007-03-14 21:46 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-03-14 21:46 42,496 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-14 21:46 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-14 21:46 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-03-14 21:46 278,902 --a------ C:\win32delfkil.exe
2007-03-14 21:46 16,384 --a------ C:\WINDOWS\system32\restart.exe
2007-03-14 21:46 <DIR> d-------- C:\WINDOWS\system32\regdacl
2007-03-14 21:46 <DIR> d-------- C:\_backupD
2007-03-14 21:13 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-03-14 21:00 <DIR> d-------- C:\DOCUME~1\Shady\.housecall6.6
2007-03-14 18:18 <DIR> d-------- C:\Program Files\Common Files\iZotope
2007-03-14 18:18 <DIR> d-------- C:\Program Files\Common Files\HP
2007-03-14 18:12 <DIR> d-------- C:\Program Files\Steinberg
2007-03-14 18:08 <DIR> d-------- C:\DOCUME~1\Shady\APPLIC~1\PACE Anti-Piracy
2007-03-14 18:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PACE Anti-Piracy
2007-03-14 02:30 81,408 --a------ C:\WINDOWS\system32\hdyjadd.dll
2007-03-13 19:28 1,125,876 --ahs---- C:\WINDOWS\system32\vycdd.bak1
2007-03-13 19:22 57,856 --a------ C:\WINDOWS\system32\podljhg.dll
2007-03-13 05:50 543,232 --a------ C:\WINDOWS\LOOP.exe
2007-03-08 04:29 <DIR> d-------- C:\Program Files\Antares
2007-03-07 13:51 133,120 --a------ C:\WINDOWS\system32\zip32.dll
2007-03-07 03:21 286,720 --a------ C:\WINDOWS\iun506.exe
2007-03-07 03:20 <DIR> d-------- C:\Program Files\PSP VintageWarmer
2007-03-03 03:49 <DIR> d-------- C:\Program Files\iZotope
2007-02-25 04:47 139,264 --a------ C:\WINDOWS\system32\hpzjrd01.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-24 04:34 115824 --a------ C:\WINDOWS\unvet32.exe
2007-03-23 15:17 -------- d-------- C:\Program Files\msn messenger
2007-03-23 13:18 -------- d-------- C:\Program Files\messenger
2007-03-23 13:17 -------- d-------- C:\Program Files\movie maker
2007-03-22 17:43 -------- d-------- C:\Program Files\winace
2007-03-22 17:28 -------- d-------- C:\Program Files\norton internet security
2007-03-22 17:15 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-03-22 17:14 -------- d-------- C:\Program Files\Common Files\scanner
2007-03-22 14:45 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-03-22 08:37 -------- d-------- C:\Program Files\vstplugins
2007-03-22 06:25 -------- d-------- C:\Program Files\soulseek
2007-03-21 22:15 4103032 --a------ C:\WINDOWS\system32\spoonuninstall.exe
2007-03-21 13:42 -------- d-------- C:\Program Files\image-line
2007-03-21 11:55 -------- d-------- C:\DOCUME~1\Shady\APPLIC~1\lavasoft
2007-03-21 09:38 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-03-17 06:01 3896 --a------ C:\DOCUME~1\Shady\APPLIC~1\hpsu_48bitscanupdate.log
2007-03-17 06:00 -------- d-------- C:\Program Files\hp
2007-03-15 03:52 -------- d-------- C:\Program Files\xbc
2007-03-14 17:48 -------- d-------- C:\Program Files\waves
2007-03-07 13:51 -------- d-------- C:\Program Files\cdburnerxp pro 3
2007-02-25 04:50 41487 --a------ C:\DOCUME~1\Shady\APPLIC~1\patchupdate_hp_counterreport_update_hpsu.log
2007-02-25 04:47 73162 --a------ C:\DOCUME~1\Shady\APPLIC~1\update_hp_redboxhprblog_hpsu.log
2007-02-20 14:04 -------- d-------- C:\Program Files\digidesign
2007-02-20 12:42 -------- d-------- C:\DOCUME~1\Shady\APPLIC~1\waves audio
2007-02-20 11:47 -------- d--h----- C:\Program Files\installshield installation information
2007-02-20 02:57 -------- d-------- C:\Program Files\Common Files\pace anti-piracy
2007-02-20 02:41 72608 --a------ C:\WINDOWS\system32\drivers\TPkd.sys
2007-02-20 02:41 638976 --a------ C:\WINDOWS\system32\ilinet.dll
2007-02-20 02:41 27328 --a------ C:\WINDOWS\system32\drivers\iLokDrvr.sys
2007-02-15 22:37 -------- d-------- C:\Program Files\messengerplus! 3
2007-02-15 22:37 -------- d-------- C:\Program Files\itunes
2007-02-15 22:05 -------- d-------- C:\Program Files\quicktime
2007-02-07 19:11 -------- d-------- C:\Program Files\sony
2007-02-06 16:58 -------- d-------- C:\DOCUME~1\Shady\APPLIC~1\image zone express
2007-01-31 21:16 1109 --a------ C:\WINDOWS\checkip.dat
2007-01-25 04:59 -------- d-------- C:\DOCUME~1\Shady\APPLIC~1\viewpoint
2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-15 09:32 785 --------- C:\WINDOWS\tpkdboot.reg
2007-01-04 22:14 4 --a------ C:\WINDOWS\pix11.dat
2006-12-24 23:58 112886 --a------ C:\WINDOWS\hpoins07.dat
2006-12-24 22:52 161 --a------ C:\Delme.bat
2006-12-24 20:56 98304 --a------ C:\WINDOWS\system32\qttask.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"FreeRAM XP"="\"C:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"S3TRAY2"="S3tray2.exe"
"QuickTime Task"="\"C:\\WINDOWS\\system32\\qttask.exe\" -atboottime"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust PestPatrol\\PPActiveDetection.exe\""
"Zone Labs Client"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Firewall\\ca.exe\""
"QOELOADER"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust Anti-Spam\\QSP-2.1.215.5\\QOELoader.exe\""
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Antivirus\\CAVRID.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCXMNTR"
"hkey"="HKLM"
"command"="ALCXMNTR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"item"="Yahoo! Pager"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"hkey"="HKEY"
"key"="Run"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7A5C6872-78F2-4B24-BD41-A5C18170D55F}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks\AutorunsDisabled]
"{3A7467BE-208F-4827-B22E-BBCBD1CDA90E}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"="C:\\WINDOWS\\svchost.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\PCHPantispychris.job
C:\WINDOWS\tasks\Symantec NetDetect.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-24 6:01:34
C:\ComboFix2.txt ... 07-03-23 20:21


Logfile of HijackThis v1.99.1
Scan saved at 6:03:48 AM, on 3/24/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\S3tray2.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1174681026406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - (no file)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - (no file)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:36 PM

Posted 24 March 2007 - 06:46 AM

You have Norton AntiVirus and eTrust EZ Antivirus installed.
Not a good idea to have more than one antivirus program installed on your computer.
Each program may interpret the actions of the other as viral, therefore giving you false virus warnings about virus-related activities.
It could also lead to system slowdowns and other problems within the operating system, due to the two conflicting with each other.
You should uninstall one or the other as soon as possible.

*****************************

Download\install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

****************************

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\ljjhgfe.dll
C:\WINDOWS\system32\lujhioi.dll
C:\WINDOWS\system32\qaxnoqi.dll
C:\WINDOWS\system32\ollvxpm.dll
C:\WINDOWS\system32\monterreyb_olive.exe
C:\WINDOWS\system32\driverb.exe
C:\WINDOWS\system\SysSD.dll
C:\WINDOWS\system32\VchReg.dll
C:\WINDOWS\system32\ymvdpth.dll
C:\WINDOWS\system32\kgeikdd.dll
C:\WINDOWS\system32\pjrqpnm.dll
C:\WINDOWS\unezfw.exe
C:\WINDOWS\system32\etuvmud.dll
C:\WINDOWS\system32\wpomqlk.dll
C:\WINDOWS\system32\bqxripb.dll
C:\WINDOWS\system32\hdyjadd.dll
C:\WINDOWS\system32\vycdd.bak1
C:\WINDOWS\system32\podljhg.dll
C:\WINDOWS\LOOP.exe

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.
Also post a new HijackThis log please.
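The "Files to delete" list in the reply above was picked by hand out of the ComboFix listing earlier in the thread, and the helper does not say how. The Python script below is an added example, not the helper's method and not ComboFix's own logic: it parses a subset of the listing lines copied from above (both the "New files" form with comma-grouped sizes and the Find3M form with unpadded sizes and `--------` for directories) and applies three triage heuristics of my own, with thresholds that are assumptions: a seven-letter all-alphabetic name created on its own or in a pair rather than as part of an install batch with one shared timestamp, one executable size recurring at three or more distinct creation times, and hidden or system attributes on a fresh file. The scan time is taken from the ComboFix completion line above.

```python
"""Triage of a ComboFix-style file listing (added example, not from the thread or ComboFix)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One listing line: "2007-03-23 12:26 85,504 --a------ C:\WINDOWS\system32\aigkiue.dll"
# Find3M lines use an unpadded size and "--------" for directories; both forms parse.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>|-+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# Seven lowercase letters and nothing else: the shape of the DLL names in the log above.
RANDOM_NAME_RE = re.compile(r"^[a-z]{7}\.(?:dll|exe)$")
EXECUTABLE_EXTS = (".dll", ".exe")

# Constructed sample: a subset of the lines from the listing above, including
# legitimate install batches (13:13 and 21:46) so the batch heuristic is exercised.
SAMPLE_LISTING = r"""
2007-03-23 13:13 16,384 --a------ C:\WINDOWS\system32\ping.exe
2007-03-23 13:13 16,384 --a------ C:\WINDOWS\system32\odbc32gt.dll
2007-03-23 13:13 16,384 --a------ C:\WINDOWS\system32\nddenb32.dll
2007-03-23 13:13 137,216 --a------ C:\WINDOWS\system32\ntshrui.dll
2007-03-23 13:11 16,384 --a------ C:\WINDOWS\system32\ups.exe
2007-03-23 12:26 85,504 --a------ C:\WINDOWS\system32\aigkiue.dll
2007-03-23 12:26 26,697 --a------ C:\WINDOWS\system32\ljjhgfe.dll
2007-03-23 07:40 85,504 --a------ C:\WINDOWS\system32\lmvgsjn.dll
2007-03-23 00:42 85,504 --a------ C:\WINDOWS\system32\lujhioi.dll
2007-03-22 14:59 85,504 --a------ C:\WINDOWS\system32\qaxnoqi.dll
2007-03-22 12:57 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-22 05:27 96,256 --a-s---- C:\WINDOWS\system32\monterreyb_olive.exe
2007-03-22 05:27 96,256 --a------ C:\WINDOWS\system32\driverb.exe
2007-03-21 10:24 81,408 --a------ C:\WINDOWS\system32\pjrqpnm.dll
2007-03-18 14:06 81,408 --a------ C:\WINDOWS\system32\etuvmud.dll
2007-03-18 14:06 57,856 --a------ C:\WINDOWS\system32\wpomqlk.dll
2007-03-18 03:19 57,856 --a------ C:\WINDOWS\system32\bqxripb.dll
2007-03-14 21:46 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2007-03-14 21:46 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-03-14 21:46 42,496 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-14 02:30 81,408 --a------ C:\WINDOWS\system32\hdyjadd.dll
2007-03-13 19:28 1,125,876 --ahs---- C:\WINDOWS\system32\vycdd.bak1
2007-03-13 19:22 57,856 --a------ C:\WINDOWS\system32\podljhg.dll
2007-03-24 04:34 115824 --a------ C:\WINDOWS\unvet32.exe
2007-03-23 15:17 -------- d-------- C:\Program Files\msn messenger
"""
SCAN_TIME = datetime(2007, 3, 24, 6, 1)  # ComboFix completion time in the log above


def parse_listing(text):
    """Return one dict per line that matches the listing format; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size_field = m["size"]
        size = None if size_field[0] in "<-" else int(size_field.replace(",", ""))
        entries.append({
            "when": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M"),
            "size": size,  # None for directories
            "attrs": m["attrs"],
            "path": m["path"],
            "name": m["path"].rsplit("\\", 1)[-1].lower(),
        })
    return entries


def triage(entries, scan_time, recent_days=14, min_size_group=3, max_batch=2):
    """Map each flagged path under the Windows directory to the reasons it was flagged.

    The thresholds are this example's assumptions. Install batches drop dozens of
    files with one shared timestamp, so a random-looking name only counts when it
    arrived alone or in a pair; a size recurring at several distinct creation
    times is the re-dropped-component pattern visible in the listing above.
    """
    cutoff = scan_time - timedelta(days=recent_days)
    batch_size = Counter(e["when"] for e in entries)
    recent = [e for e in entries
              if e["size"] is not None and e["when"] >= cutoff
              and e["path"].lower().startswith("c:\\windows\\")]
    times_per_size = defaultdict(set)
    for e in recent:
        if e["name"].endswith(EXECUTABLE_EXTS):
            times_per_size[e["size"]].add(e["when"])
    flagged = {}
    for e in recent:
        reasons = []
        if RANDOM_NAME_RE.match(e["name"]) and batch_size[e["when"]] <= max_batch:
            reasons.append("random-looking name created outside an install batch")
        n_times = len(times_per_size[e["size"]])
        if e["name"].endswith(EXECUTABLE_EXTS) and n_times >= min_size_group:
            reasons.append(f"size {e['size']:,} recurs at {n_times} different creation times")
        if "h" in e["attrs"] or "s" in e["attrs"]:
            reasons.append(f"hidden/system attributes ({e['attrs']})")
        if reasons:
            flagged[e["path"]] = reasons
    return flagged


def triage_sample():
    """Run the heuristics over the embedded sample listing."""
    return triage(parse_listing(SAMPLE_LISTING), SCAN_TIME)


if __name__ == "__main__":
    for path, reasons in triage_sample().items():
        print(path)
        for reason in reasons:
            print("    -", reason)
```

The output is a review list, not a deletion list: `driverb.exe` is flagged on name shape alone, while `ntshrui.dll` and `regdacl.exe`, which have the same seven-letter shape, pass because they arrived in batches with a shared timestamp. Names the page's listing never showed (such as the `.bak1` entry the helper adds from elsewhere) are outside what a listing parser can see, which is why the helper's own list is still assembled by a person.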

#15 krazedone

krazedone
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:05:36 PM

Posted 24 March 2007 - 11:40 AM

Norton isn't showing up in my add/remove programs, is there any other way to uninstall it?

