
Need Help With Removing Ultimate Defender. Hijackthis Log Included


18 replies to this topic

#1 catstrophy


Posted 01 April 2007 - 02:50 AM

Hi everyone, this is my first post. I have tried many things to get rid of this without any luck. Running Windows XP, McAfee, Spybot, SUPERAntiSpyware, Ad-Aware. Any help would be much appreciated. Log file included from HijackThis. Thanks a lot.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:37:18 AM, on 4/1/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\wltray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINNT\System32\ProtEX32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\FolderShare\FolderShare.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\WINNT\System32\rundll32.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {116ca0c0-1dd2-11b2-8f24-856b92ccd18d} - (no file)
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {43139cfe-1dd2-11b2-8ba9-cb60a14e8652} - (no file)
O2 - BHO: (no name) - {53b869c2-1dd2-11b2-a14e-d1ae0e3a49ce} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Virtual Debit Card\PayPalHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: PayPal Virtual Debit Card - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Virtual Debit Card\OToolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wltray.exe] C:\WINNT\System32\wltray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [PayPal Virtual Debit Card] rundll32.exe C:\PROGRA~1\PayPal\PAYPAL~1\OToolbar.dll,StartUp /dontopenmycards
O4 - HKLM\..\Run: [Protections] C:\WINNT\System32\ProtEX32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: palstart.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay112.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/2481292301c71d...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145945024448
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150601741414
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21EC03F9-F621-4088-8FA9-1009BFFA0A10}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{31AA160B-12FD-48A1-B994-A50FB1518861}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{60622CA0-31A1-4F11-A6F1-0422C912E7FE}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9CC2A48-024D-42B4-84D4-71FE32DDB31D}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.119 85.255.112.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{21EC03F9-F621-4088-8FA9-1009BFFA0A10}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.119 85.255.112.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{21EC03F9-F621-4088-8FA9-1009BFFA0A10}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.119 85.255.112.220
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\wltrysvc.exe



#2 jurgenv


Posted 03 April 2007 - 01:33 PM

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log.
Greets Jürgenv


#3 catstrophy


Posted 03 April 2007 - 10:58 PM

Thanks a lot for the help. I am pasting both the logs here. I am also having problems with my NVIDIA driver. It's saying it might not be updated, and when I go into Windows Update to get the necessary updates I am being asked to install the Windows Genuine authentication tool, which is already downloaded on my machine, but I do not wish to install it. Is there any way to get the updates for my Windows by skipping the Windows authentication install? Thanks a lot again for all the help.


Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Creative WebCam Tray"="C:\\Program Files\\Creative\\Shared Files\\CAMTRAY.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"wltray.exe"="C:\\WINNT\\System32\\wltray.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"eBayToolbar"="C:\\Program Files\\eBay\\eBay Toolbar2\\eBayTBDaemon.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"PayPal Virtual Debit Card"="rundll32.exe C:\\PROGRA~1\\PayPal\\PAYPAL~1\\OToolbar.dll,StartUp /dontopenmycards"
"Protections"="C:\\WINNT\\System32\\ProtEX32.exe"
"RegistryMechanic"=""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"FolderShare"="\"C:\\Program Files\\FolderShare\\FolderShare.exe\" /background"
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


=====================================================================

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:53:06 PM, on 4/3/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\System32\wltray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\ProtEX32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\FolderShare\FolderShare.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn2\YTBSDK.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\Antispyware\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {116ca0c0-1dd2-11b2-8f24-856b92ccd18d} - (no file)
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {43139cfe-1dd2-11b2-8ba9-cb60a14e8652} - (no file)
O2 - BHO: (no name) - {53b869c2-1dd2-11b2-a14e-d1ae0e3a49ce} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Virtual Debit Card\PayPalHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: PayPal Virtual Debit Card - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Virtual Debit Card\OToolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wltray.exe] C:\WINNT\System32\wltray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [PayPal Virtual Debit Card] rundll32.exe C:\PROGRA~1\PayPal\PAYPAL~1\OToolbar.dll,StartUp /dontopenmycards
O4 - HKLM\..\Run: [Protections] C:\WINNT\System32\ProtEX32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: palstart.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay112.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/2481292301c71d...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145945024448
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150601741414
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21EC03F9-F621-4088-8FA9-1009BFFA0A10}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{31AA160B-12FD-48A1-B994-A50FB1518861}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{60622CA0-31A1-4F11-A6F1-0422C912E7FE}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9CC2A48-024D-42B4-84D4-71FE32DDB31D}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.119 85.255.112.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{21EC03F9-F621-4088-8FA9-1009BFFA0A10}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.119 85.255.112.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{21EC03F9-F621-4088-8FA9-1009BFFA0A10}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.119 85.255.112.220
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\wltrysvc.exe

--
End of file - 11236 bytes

#4 jurgenv


Posted 04 April 2007 - 06:25 AM

* Please open HijackThis and put a check next to the following:

O2 - BHO: (no name) - {116ca0c0-1dd2-11b2-8f24-856b92ccd18d} - (no file)
O2 - BHO: (no name) - {43139cfe-1dd2-11b2-8ba9-cb60a14e8652} - (no file)
O2 - BHO: (no name) - {53b869c2-1dd2-11b2-a14e-d1ae0e3a49ce} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - Global Startup: palstart.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/2481292301c71d...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{21EC03F9-F621-4088-8FA9-1009BFFA0A10}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{31AA160B-12FD-48A1-B994-A50FB1518861}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{60622CA0-31A1-4F11-A6F1-0422C912E7FE}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9CC2A48-024D-42B4-84D4-71FE32DDB31D}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.119 85.255.112.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{21EC03F9-F621-4088-8FA9-1009BFFA0A10}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.119 85.255.112.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{21EC03F9-F621-4088-8FA9-1009BFFA0A10}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.119 85.255.112.220


* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

* And why would you skip the authentication install?
Greets Jürgenv

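The two classes of entries jurgenv asks to fix above, the O17 NameServer lines and the O2 BHOs with "(no file)", can be picked out of a HijackThis log automatically. The script below is an added example, not part of the thread or of HijackThis; the allowlist of expected resolvers is an assumed placeholder (private ranges only) that an analyst would replace with the ISP's real resolvers, and the sample log is constructed from lines in the thread plus one clean entry for contrast.

```python
"""Triage helper for HijackThis logs: flags O17 NameServer entries outside an
allowlist and O2 BHO entries whose backing file is missing.
Added example; not part of the thread or of HijackThis."""
import ipaddress
import re
from typing import Dict, List

# Resolvers the analyst expects on this machine. ASSUMPTION / placeholder:
# private ranges are accepted by default; add the ISP's real resolvers here.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# O17 lines name either a per-adapter key or the global Parameters key.
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
# O2 lines: "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"
)


def parse_nameservers(field: str) -> List[str]:
    """HijackThis prints per-adapter servers comma-separated and the
    Parameters key space-separated; accept both forms."""
    return [s for s in re.split(r"[,\s]+", field.strip()) if s]


def is_expected_resolver(server: str) -> bool:
    """True when the value parses as an IP inside one of the allowed ranges."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # a non-IP value in NameServer is itself suspicious
    return any(addr in net for net in EXPECTED_RESOLVERS)


def triage(log_text: str) -> Dict[str, list]:
    """Return (key, server) pairs for unexpected resolvers and the CLSIDs of
    BHOs that point at no file."""
    findings: Dict[str, list] = {"rogue_nameservers": [], "orphaned_bhos": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            for srv in parse_nameservers(m.group("servers")):
                if not is_expected_resolver(srv):
                    findings["rogue_nameservers"].append((m.group("key"), srv))
            continue
        m = O2_RE.match(line)
        if m and m.group("path").strip() == "(no file)":
            findings["orphaned_bhos"].append(m.group("clsid"))
    return findings


def rogue_server_set(findings: Dict[str, list]) -> List[str]:
    """Distinct unexpected resolver addresses, sorted for reporting."""
    return sorted({srv for _, srv in findings["rogue_nameservers"]})


# Constructed sample: lines taken from the thread's log, plus one clean
# per-adapter entry (192.168.1.1, made-up adapter GUID) and one BHO with a
# backing file, so both the hit and the non-hit paths are exercised.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {116ca0c0-1dd2-11b2-8f24-856b92ccd18d} - (no file)
O2 - BHO: (no name) - {43139cfe-1dd2-11b2-8ba9-cb60a14e8652} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{21EC03F9-F621-4088-8FA9-1009BFFA0A10}: NameServer = 85.255.116.119,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.119 85.255.112.220
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, srv in result["rogue_nameservers"]:
        print(f"unexpected resolver {srv} in {key}")
    for clsid in result["orphaned_bhos"]:
        print(f"BHO with no file: {clsid}")
```

Per-adapter keys that still carry the rogue servers after a fix are worth re-checking, since the same addresses appear under CCS, CS1 and CS2 in the logs above.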

#5 catstrophy


Posted 04 April 2007 - 01:12 PM

I want to skip Windows authentication because when I bought my computer, I bought it off eBay and the guy provided me with a Windows XP key which I lost. Thanks again for your help.

Sorry, I meant to say the Windows Genuine Advantage tool. That's what I need to remove. Thanks

Edited by catstrophy, 04 April 2007 - 02:18 PM.


#6 catstrophy


Posted 04 April 2007 - 01:34 PM

It just popped up again... I did all that you told me to.... what should I do now? Thanks again

Edited by catstrophy, 04 April 2007 - 01:39 PM.


#7 jurgenv


Posted 04 April 2007 - 02:19 PM

You mean you have an illegal version of Windows?
Greets Jürgenv


#8 catstrophy


Posted 04 April 2007 - 03:03 PM

No, it's legal, I paid for it with my machine but I dislocated the key.

#9 jurgenv


Posted 04 April 2007 - 03:44 PM

Are you using another key now?
Greets Jürgenv


#10 catstrophy


Posted 04 April 2007 - 04:58 PM

Oh, never mind, I found the key and it's been validated. But the Ultimate Defender balloon still pops up!!

#11 jurgenv


Posted 04 April 2007 - 05:07 PM

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Greets Jürgenv


#12 catstrophy


Posted 04 April 2007 - 10:11 PM

That link is not working, and as I was looking for other places to download it from I saw this: http://www.windowsbbs.com/showthread.php?t=62293

They are saying not to use CF. Any idea?

#13 jurgenv


Posted 05 April 2007 - 06:39 AM

Try this link: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Greets Jürgenv


#14 catstrophy


Posted 06 April 2007 - 03:20 AM

OK, here they are. Thanks

"Administrator" - 07-04-06 3:09:44 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Program Files\Mozilla Firefox"


((((((((((((((((((((((((((((((( Files Created from 2007-03-06 to 2007-04-06 ))))))))))))))))))))))))))))))))))


2007-04-05 17:45 0 --a------ C:\WINNT\system32\SBRC.dat
2007-04-05 17:45 0 --a------ C:\WINNT\system32\SBFC.dat
2007-04-05 14:29 37,514,904 --a------ C:\Temp\counterspy.exe
2007-04-05 13:35 <DIR> d-------- C:\WINNT\system32\tnucaeev
2007-04-05 04:47 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Help
2007-04-05 01:11 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-04-05 01:08 <DIR> d-------- C:\WINNT\system32\LogFiles
2007-04-05 01:08 <DIR> d-------- C:\WINNT\system32\drivers\UMDF
2007-04-05 00:51 <DIR> d-------- C:\WINNT\network diagnostic
2007-04-04 23:53 6,718,976 --a------ C:\Temp\winamp533_full_emusic-7plus.exe
2007-04-04 23:47 25,755,448 --a------ C:\Temp\wmp11-windowsxp-x86-enu.exe
2007-04-04 23:44 15,505,200 --a------ C:\Temp\Internet_explorer7.exe
2007-04-04 21:37 <DIR> d-------- C:\WINNT\system32\PreInstall
2007-04-04 20:45 <DIR> d-------- C:\WINNT\Prefetch
2007-04-04 20:19 9,728 --------- C:\WINNT\system32\rwnh.dll
2007-04-04 20:19 9,728 --------- C:\WINNT\system32\comsdupd.exe
2007-04-04 20:19 73,216 --------- C:\WINNT\system32\drivers\atintuxx.sys
2007-04-04 20:19 701,440 --------- C:\WINNT\system32\drivers\ati2mtag.sys
2007-04-04 20:19 63,663 --------- C:\WINNT\system32\drivers\ati1rvxx.sys
2007-04-04 20:19 63,488 --------- C:\WINNT\system32\drivers\atinxsxx.sys
2007-04-04 20:19 57,856 --------- C:\WINNT\system32\drivers\atinbtxx.sys
2007-04-04 20:19 56,623 --------- C:\WINNT\system32\drivers\ati1btxx.sys
2007-04-04 20:19 52,224 --------- C:\WINNT\system32\drivers\atinraxx.sys
2007-04-04 20:19 46,464 --------- C:\WINNT\system32\drivers\gagp30kx.sys
2007-04-04 20:19 44,928 --------- C:\WINNT\system32\drivers\agpcpq.sys
2007-04-04 20:19 43,008 --------- C:\WINNT\system32\drivers\amdagp.sys
2007-04-04 20:19 42,752 --------- C:\WINNT\system32\drivers\alim1541.sys
2007-04-04 20:19 40,832 --------- C:\WINNT\system32\drivers\irbus.sys
2007-04-04 20:19 4,255 --------- C:\WINNT\system32\drivers\adv01nt5.dll
2007-04-04 20:19 38,016 --------- C:\WINNT\system32\drivers\bthmodem.sys
2007-04-04 20:19 37,376 --------- C:\WINNT\system32\drivers\amdk7.sys
2007-04-04 20:19 36,463 --------- C:\WINNT\system32\drivers\ati1tuxx.sys
2007-04-04 20:19 35,456 --------- C:\WINNT\system32\drivers\bthprint.sys
2007-04-04 20:19 34,735 --------- C:\WINNT\system32\drivers\ati1xsxx.sys
2007-04-04 20:19 327,040 --------- C:\WINNT\system32\drivers\ati2mtaa.sys
2007-04-04 20:19 32,768 --------- C:\WINNT\system32\asr_pfu.exe
2007-04-04 20:19 31,744 --------- C:\WINNT\system32\drivers\atinxbxx.sys
2007-04-04 20:19 30,671 --------- C:\WINNT\system32\drivers\ati1raxx.sys
2007-04-04 20:19 3,967 --------- C:\WINNT\system32\drivers\adv02nt5.dll
2007-04-04 20:19 3,775 --------- C:\WINNT\system32\drivers\adv11nt5.dll
2007-04-04 20:19 3,711 --------- C:\WINNT\system32\drivers\adv09nt5.dll
2007-04-04 20:19 3,647 --------- C:\WINNT\system32\drivers\adv07nt5.dll
2007-04-04 20:19 3,615 --------- C:\WINNT\system32\drivers\adv05nt5.dll
2007-04-04 20:19 3,135 --------- C:\WINNT\system32\drivers\adv08nt5.dll
2007-04-04 20:19 29,455 --------- C:\WINNT\system32\drivers\ati1xbxx.sys
2007-04-04 20:19 28,672 --------- C:\WINNT\system32\drivers\atinsnxx.sys
2007-04-04 20:19 274,304 --------- C:\WINNT\system32\drivers\bthport.sys
2007-04-04 20:19 26,367 --------- C:\WINNT\system32\drivers\ati1snxx.sys
2007-04-04 20:19 25,600 --------- C:\WINNT\system32\drivers\hidbth.sys
2007-04-04 20:19 25,471 --------- C:\WINNT\system32\drivers\atv04nt5.dll
2007-04-04 20:19 220,032 --------- C:\WINNT\system32\drivers\hsfbs2s2.sys
2007-04-04 20:19 21,343 --------- C:\WINNT\system32\drivers\ati1ttxx.sys
2007-04-04 20:19 21,183 --------- C:\WINNT\system32\drivers\atv01nt5.dll
2007-04-04 20:19 18,944 --------- C:\WINNT\system32\drivers\bthusb.sys
2007-04-04 20:19 17,279 --------- C:\WINNT\system32\drivers\atv10nt5.dll
2007-04-04 20:19 17,024 --------- C:\WINNT\system32\drivers\bthenum.sys
2007-04-04 20:19 15,423 --------- C:\WINNT\system32\drivers\ch7xxnt5.dll
2007-04-04 20:19 15,104 --------- C:\WINNT\system32\drivers\hidir.sys
2007-04-04 20:19 14,336 --------- C:\WINNT\system32\drivers\atinpdxx.sys
2007-04-04 20:19 14,143 --------- C:\WINNT\system32\drivers\atv06nt5.dll
2007-04-04 20:19 13,824 --------- C:\WINNT\system32\drivers\atinttxx.sys
2007-04-04 20:19 13,824 --------- C:\WINNT\system32\drivers\atinmdxx.sys
2007-04-04 20:19 12,047 --------- C:\WINNT\system32\drivers\ati1pdxx.sys
2007-04-04 20:19 11,615 --------- C:\WINNT\system32\drivers\ati1mdxx.sys
2007-04-04 20:19 11,359 --------- C:\WINNT\system32\drivers\atv02nt5.dll
2007-04-04 20:19 104,960 --------- C:\WINNT\system32\drivers\atinrvxx.sys
2007-04-04 20:19 100,992 --------- C:\WINNT\system32\drivers\bthpan.sys
2007-04-04 20:19 10,752 --------- C:\WINNT\system32\smtpapi.dll
2007-04-04 20:18 95,424 --------- C:\WINNT\system32\drivers\slnthal.sys
2007-04-04 20:18 937,984 --------- C:\WINNT\system32\winbrand.dll
2007-04-04 20:18 88,064 --------- C:\WINNT\system32\p2pnetsh.dll
2007-04-04 20:18 870,784 --------- C:\WINNT\system32\ati3d1ag.dll
2007-04-04 20:18 86,016 --------- C:\WINNT\system32\p2pgasvc.dll
2007-04-04 20:18 86,016 --------- C:\WINNT\system32\mdmxsdk.dll
2007-04-04 20:18 81,408 --------- C:\WINNT\system32\wscsvc.dll
2007-04-04 20:18 8,192 --------- C:\WINNT\system32\smbinst.exe
2007-04-04 20:18 78,464 --------- C:\WINNT\system32\drivers\usbvideo.sys
2007-04-04 20:18 78,336 --a------ C:\WINNT\system32\ieencode.dll
2007-04-04 20:18 75,776 --------- C:\WINNT\system32\strmfilt.dll
2007-04-04 20:18 73,832 --------- C:\WINNT\system32\slcoinst.dll
2007-04-04 20:18 73,796 --------- C:\WINNT\system32\slserv.exe
2007-04-04 20:18 71,680 --------- C:\WINNT\system32\blastcln.exe
2007-04-04 20:18 7,680 --------- C:\WINNT\system32\kbdsmsno.dll
2007-04-04 20:18 7,680 --------- C:\WINNT\system32\kbdsmsfi.dll
2007-04-04 20:18 7,168 --------- C:\WINNT\system32\kbdukx.dll
2007-04-04 20:18 7,168 --------- C:\WINNT\system32\kbdno1.dll
2007-04-04 20:18 7,168 --------- C:\WINNT\system32\kbdfi1.dll
2007-04-04 20:18 685,056 --------- C:\WINNT\system32\drivers\hsfcxts2.sys
2007-04-04 20:18 67,584 --------- C:\WINNT\system32\drivers\sdbus.sys
2007-04-04 20:18 60,416 --------- C:\WINNT\system32\fwcfg.dll
2007-04-04 20:18 6,656 --------- C:\WINNT\system32\kbdinmal.dll
2007-04-04 20:18 6,656 --------- C:\WINNT\system32\kbdinben.dll
2007-04-04 20:18 6,144 --------- C:\WINNT\system32\kbdmlt48.dll
2007-04-04 20:18 6,144 --------- C:\WINNT\system32\kbdmlt47.dll
2007-04-04 20:18 6,144 --------- C:\WINNT\system32\kbdinbe1.dll
2007-04-04 20:18 6,016 --------- C:\WINNT\system32\drivers\smbali.sys
2007-04-04 20:18 59,648 --------- C:\WINNT\system32\drivers\rfcomm.sys
2007-04-04 20:18 526,848 --------- C:\WINNT\system32\p2psvc.dll
2007-04-04 20:18 516,768 --------- C:\WINNT\system32\ativvaxx.dll
2007-04-04 20:18 50,688 --------- C:\WINNT\system32\btpanui.dll
2007-04-04 20:18 50,176 --------- C:\WINNT\system32\xmlprovi.dll
2007-04-04 20:18 5,632 --------- C:\WINNT\system32\kbdmaori.dll
2007-04-04 20:18 49,152 --------- C:\WINNT\system32\powercfg.exe
2007-04-04 20:18 48,640 --------- C:\WINNT\system32\pnrpnsp.dll
2007-04-04 20:18 452,736 --------- C:\WINNT\system32\drivers\mtxparhm.sys
2007-04-04 20:18 44,672 --------- C:\WINNT\system32\drivers\uagp35.sys
2007-04-04 20:18 44,032 --------- C:\WINNT\system32\twext.dll
2007-04-04 20:18 42,240 --------- C:\WINNT\system32\drivers\viaagp.sys
2007-04-04 20:18 41,088 --------- C:\WINNT\system32\drivers\sisagp.sys
2007-04-04 20:18 404,990 --------- C:\WINNT\system32\drivers\slntamr.sys
2007-04-04 20:18 4,274,816 --------- C:\WINNT\system32\nv4_disp.dll
2007-04-04 20:18 4,096 --------- C:\WINNT\system32\dsprpres.dll
2007-04-04 20:18 397,056 --------- C:\WINNT\system32\s3gnb.dll
2007-04-04 20:18 377,984 --------- C:\WINNT\system32\ati2dvaa.dll
2007-04-04 20:18 36,096 --------- C:\WINNT\system32\drivers\intelppm.sys
2007-04-04 20:18 32,866 --------- C:\WINNT\system32\slrundll.exe
2007-04-04 20:18 32,866 --------- C:\WINNT\slrundll.exe
2007-04-04 20:18 32,768 --------- C:\WINNT\system32\ativtmxx.dll
2007-04-04 20:18 32,285 --------- C:\WINNT\system32\hsfcisp2.dll
2007-04-04 20:18 312,320 --------- C:\WINNT\system32\p2pgraph.dll
2007-04-04 20:18 30,208 --------- C:\WINNT\system32\bthserv.dll
2007-04-04 20:18 30,080 --------- C:\WINNT\system32\drivers\rndismpx.sys
2007-04-04 20:18 3,901 --------- C:\WINNT\system32\drivers\siint5.dll
2007-04-04 20:18 29,184 --------- C:\WINNT\system32\sdhcinst.dll
2007-04-04 20:18 29,056 --------- C:\WINNT\system32\drivers\ip6fw.sys
2007-04-04 20:18 286,792 --------- C:\WINNT\system32\slextspk.dll
2007-04-04 20:18 270,848 --------- C:\WINNT\system32\sbe.dll
2007-04-04 20:18 262,784 --------- C:\WINNT\system32\drivers\http.sys
2007-04-04 20:18 25,471 --------- C:\WINNT\system32\drivers\watv10nt.sys
2007-04-04 20:18 24,576 --------- C:\WINNT\system32\httpapi.dll
2007-04-04 20:18 229,376 --------- C:\WINNT\system32\ati2cqag.dll
2007-04-04 20:18 22,271 --------- C:\WINNT\system32\drivers\watv06nt.sys
2007-04-04 20:18 201,728 --------- C:\WINNT\system32\ati2dvag.dll
2007-04-04 20:18 20,992 --------- C:\WINNT\system32\bthci.dll
2007-04-04 20:18 193,024 --------- C:\WINNT\system32\fsquirt.exe
2007-04-04 20:18 188,508 --------- C:\WINNT\system32\slgen.dll
2007-04-04 20:18 187,392 --------- C:\WINNT\system32\xpsp1res.dll
2007-04-04 20:18 186,368 --------- C:\WINNT\system32\encdec.dll
2007-04-04 20:18 180,360 --------- C:\WINNT\system32\drivers\ntmtlfax.sys
2007-04-04 20:18 17,408 --------- C:\WINNT\system32\winshfhc.dll
2007-04-04 20:18 166,912 --------- C:\WINNT\system32\drivers\s3gnbm.sys
2007-04-04 20:18 159,232 --------- C:\WINNT\system32\sbeio.dll
2007-04-04 20:18 15,872 --------- C:\WINNT\system32\w3ssl.dll
2007-04-04 20:18 15,488 --------- C:\WINNT\system32\drivers\mssmbios.sys
2007-04-04 20:18 14,336 --------- C:\WINNT\system32\auditusr.exe
2007-04-04 20:18 134,656 --------- C:\WINNT\system32\mssap.dll
2007-04-04 20:18 13,824 --------- C:\WINNT\system32\wscntfy.exe
2007-04-04 20:18 13,824 --------- C:\WINNT\system32\cmsetacl.dll
2007-04-04 20:18 13,776 --------- C:\WINNT\system32\drivers\recagent.sys
2007-04-04 20:18 13,568 --------- C:\WINNT\system32\drivers\wacompen.sys
2007-04-04 20:18 13,240 --------- C:\WINNT\system32\drivers\slwdmsup.sys
2007-04-04 20:18 129,536 --------- C:\WINNT\system32\xmlprov.dll
2007-04-04 20:18 129,535 --------- C:\WINNT\system32\drivers\slnt7554.sys
2007-04-04 20:18 126,686 --------- C:\WINNT\system32\drivers\mtlmnt5.sys
2007-04-04 20:18 12,672 --------- C:\WINNT\system32\drivers\usb8023x.sys
2007-04-04 20:18 12,672 --------- C:\WINNT\system32\drivers\mutohpen.sys
2007-04-04 20:18 12,416 --------- C:\WINNT\system32\drivers\tunmp.sys
2007-04-04 20:18 118,784 --------- C:\WINNT\system32\msdadiag.dll
2007-04-04 20:18 116,224 --------- C:\WINNT\system32\p2p.dll
2007-04-04 20:18 11,935 --------- C:\WINNT\system32\drivers\wadv11nt.sys
2007-04-04 20:18 11,871 --------- C:\WINNT\system32\drivers\wadv09nt.sys
2007-04-04 20:18 11,868 --------- C:\WINNT\system32\drivers\mdmxsdk.sys
2007-04-04 20:18 11,807 --------- C:\WINNT\system32\drivers\wadv07nt.sys
2007-04-04 20:18 11,325 --------- C:\WINNT\system32\drivers\vchnt5.dll
2007-04-04 20:18 11,295 --------- C:\WINNT\system32\drivers\wadv08nt.sys
2007-04-04 20:18 11,136 --------- C:\WINNT\system32\drivers\sffdisk.sys
2007-04-04 20:18 108,032 --------- C:\WINNT\system32\wshbth.dll
2007-04-04 20:18 10,240 --------- C:\WINNT\system32\drivers\sffp_sd.sys
2007-04-04 20:18 1,897,408 --------- C:\WINNT\system32\drivers\nv4_mini.sys
2007-04-04 20:18 1,888,992 --------- C:\WINNT\system32\ati3duag.dll
2007-04-04 20:18 1,737,856 --------- C:\WINNT\system32\mtxparhd.dll
2007-04-04 20:18 1,309,184 --------- C:\WINNT\system32\drivers\mtlstrm.sys
2007-04-04 20:18 1,041,536 --------- C:\WINNT\system32\drivers\hsfdpsp2.sys
2007-04-04 20:18 <DIR> d-------- C:\WINNT\provisioning
2007-04-04 20:18 <DIR> d-------- C:\WINNT\peernet
2007-04-04 20:13 <DIR> d-------- C:\WINNT\ServicePackFiles
2007-04-04 20:09 2,897,920 --------- C:\WINNT\system32\xpsp2res.dll
2007-04-04 20:06 <DIR> d-------- C:\WINNT\system32\ReinstallBackups
2007-04-04 20:00 <DIR> d-------- C:\WINNT\EHome
2007-04-04 17:41 278,927,592 --a------ C:\Temp\WindowsXP-KB835935-SP2-ENU.exe
2007-04-04 16:09 85,376 --a------ C:\WINNT\system32\drivers\nabtsfec.sys
2007-04-04 16:09 825,344 --a------ C:\WINNT\system32\d3dim700.dll
2007-04-04 16:09 71,680 --a------ C:\WINNT\system32\dsdmoprp.dll
2007-04-04 16:09 59,904 --a------ C:\WINNT\system32\devenum.dll
2007-04-04 16:09 57,344 --a------ C:\WINNT\system32\dpwsockx.dll
2007-04-04 16:09 562,176 --a------ C:\WINNT\system32\qedit.dll
2007-04-04 16:09 51,328 --a------ C:\WINNT\system32\drivers\msdv.sys
2007-04-04 16:09 50,688 --a------ C:\WINNT\system32\wstdecod.dll
2007-04-04 16:09 48,640 --a------ C:\WINNT\system32\drivers\stream.sys
2007-04-04 16:09 46,592 --a------ C:\WINNT\system32\dxdllreg.exe
2007-04-04 16:09 394,240 --a------ C:\WINNT\system32\diactfrm.dll
2007-04-04 16:09 385,024 --a------ C:\WINNT\system32\qdvd.dll
2007-04-04 16:09 375,296 --a------ C:\WINNT\system32\dpnet.dll
2007-04-04 16:09 367,616 --a------ C:\WINNT\system32\dsound.dll
2007-04-04 16:09 363,520 --a------ C:\WINNT\system32\psisdecd.dll
2007-04-04 16:09 35,328 --a------ C:\WINNT\system32\dpnhpast.dll
2007-04-04 16:09 279,040 --a------ C:\WINNT\system32\qdv.dll
2007-04-04 16:09 266,240 --a------ C:\WINNT\system32\ddraw.dll
2007-04-04 16:09 23,552 --a------ C:\WINNT\system32\dpmodemx.dll
2007-04-04 16:09 229,888 --a------ C:\WINNT\system32\dplayx.dll
2007-04-04 16:09 212,480 --a------ C:\WINNT\system32\dpvoice.dll
2007-04-04 16:09 204,288 --a------ C:\WINNT\system32\mswebdvd.dll
2007-04-04 16:09 192,512 --a------ C:\WINNT\system32\qcap.dll
2007-04-04 16:09 19,328 --a------ C:\WINNT\system32\drivers\wstcodec.sys
2007-04-04 16:09 181,760 --a------ C:\WINNT\system32\dinput8.dll
2007-04-04 16:09 181,248 --a------ C:\WINNT\system32\dmime.dll
2007-04-04 16:09 17,408 --a------ C:\WINNT\system32\msyuv.dll
2007-04-04 16:09 17,024 --a------ C:\WINNT\system32\drivers\ccdecode.sys
2007-04-04 16:09 159,232 --a------ C:\WINNT\system32\dinput.dll
2007-04-04 16:09 15,360 --a------ C:\WINNT\system32\drivers\streamip.sys
2007-04-04 16:09 15,360 --a------ C:\WINNT\system32\drivers\mpe.sys
2007-04-04 16:09 11,776 --a------ C:\WINNT\system32\drivers\bdasup.sys
2007-04-04 16:09 11,136 --a------ C:\WINNT\system32\drivers\slip.sys
2007-04-04 16:09 104,448 --a------ C:\WINNT\system32\dmusic.dll
2007-04-04 16:09 10,880 --a------ C:\WINNT\system32\drivers\ndisip.sys
2007-04-04 16:09 1,428,480 --a------ C:\WINNT\system32\msvidctl.dll
2007-04-04 16:09 1,298,432 --a------ C:\WINNT\system32\dxdiag.exe
2007-04-04 16:09 1,227,264 --a------ C:\WINNT\system32\dx8vb.dll
2007-04-04 16:09 1,179,648 --a------ C:\WINNT\system32\d3d8.dll
2007-04-04 15:40 77,312 --a------ C:\WINNT\system32\browser.dll
2007-04-04 15:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-03-28 18:59 5,797,152 --a------ C:\Temp\SUPERAntiSpyware.exe
2007-03-28 18:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-03-28 18:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-03-28 18:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-03-28 18:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-03-28 13:07 4,991,776 --a------ C:\Temp\rminstall.exe
2007-03-27 12:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SopCast
2007-03-27 12:39 <DIR> d-------- C:\Program Files\SopCast
2007-03-27 12:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Ultimate Fixer
2007-03-27 04:48 78,336 --a------ C:\xasdsadw.exe
2007-03-27 04:48 262,144 --a------ C:\WINNT\system32\ProtEX32.exe
2007-03-27 02:08 <DIR> d-------- C:\Program Files\PayPal
2007-03-27 02:07 5,039,704 --a------ C:\Temp\Setup.exe
2007-03-25 00:59 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-03-25 00:59 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2007-03-25 00:58 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2007-03-22 22:46 <DIR> d-------- C:\Program Files\Lavasoft
2007-03-22 22:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-03-22 17:09 2,855 --a------ C:\WINNT\system32\stobj32.PIF
2007-03-22 17:08 <DIR> d--h----- C:\WINNT\PIF
2007-03-22 15:11 114,464 --a------ C:\WINNT\system32\drivers\naiavf5x.sys
2007-03-22 03:43 <DIR> d-------- C:\Program Files\McAfee.com
2007-03-22 03:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-03-22 03:41 <DIR> d-------- C:\Temp\Mcafee
2007-03-15 12:23 497,496 --a------ C:\WINNT\system32\XceedZip.dll
2007-03-15 12:19 526,184 --a------ C:\WINNT\system32\XceedCry.dll
2007-03-15 03:07 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\WinAntiSpyware 2007
2007-03-14 04:00 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Symantec
2007-03-13 05:15 <DIR> d-------- C:\Program Files\Symantec
2007-03-09 14:58 221,184 --a------ C:\WINNT\system32\wmpns.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-06 02:57 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\skype
2007-04-05 04:43 -------- d-------- C:\Program Files\paltalk messenger
2007-04-05 03:38 -------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\wholesecurity
2007-04-05 01:51 -------- d-------- C:\Program Files\java
2007-04-05 01:05 -------- d-------- C:\Program Files\winamp
2007-04-05 00:33 -------- d-------- C:\Program Files\messenger
2007-04-04 20:55 -------- d-------- C:\Program Files\msn messenger
2007-04-04 20:18 -------- d-------- C:\Program Files\movie maker
2007-04-04 20:12 -------- d-------- C:\Program Files\windows nt
2007-04-01 13:28 1744 --a------ C:\WINNT\system32\d3d9caps.dat
2007-03-27 02:08 -------- d--h----- C:\Program Files\installshield installation information
2007-03-22 19:30 -------- d-------- C:\Program Files\macrogaming
2007-03-22 14:47 4500 --a------ C:\WINNT\mozver.dat
2007-03-22 03:39 -------- d-------- C:\Program Files\yahoo!
2007-03-22 03:34 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-03-08 10:36 577536 --a------ C:\WINNT\system32\user32.dll
2007-03-08 10:36 40960 --a------ C:\WINNT\system32\mf3216.dll
2007-03-08 10:36 281600 --a------ C:\WINNT\system32\gdi32.dll
2007-03-08 08:47 1843584 --a------ C:\WINNT\system32\win32k.sys
2007-02-22 23:29 524288 --a------ C:\WINNT\system32\divxsm.exe
2007-02-22 23:29 3596288 --a------ C:\WINNT\system32\qt-dx331.dll
2007-02-22 23:29 200704 --a------ C:\WINNT\system32\ssldivx.dll
2007-02-22 23:29 1044480 --a------ C:\WINNT\system32\libdivx.dll
2007-02-22 23:25 823296 --a------ C:\WINNT\system32\divx_xx0c.dll
2007-02-22 23:25 823296 --a------ C:\WINNT\system32\divx_xx07.dll
2007-02-22 23:25 802816 --a------ C:\WINNT\system32\divx_xx11.dll
2007-02-22 23:25 73728 --a------ C:\WINNT\system32\dpl100.dll
2007-02-22 23:25 639066 --a------ C:\WINNT\system32\divx.dll
2007-02-22 23:25 593920 --a------ C:\WINNT\system32\dpugui11.dll
2007-02-22 23:25 57344 --a------ C:\WINNT\system32\dpv11.dll
2007-02-22 23:25 53248 --a------ C:\WINNT\system32\dpugui10.dll
2007-02-22 23:25 344064 --a------ C:\WINNT\system32\dpus11.dll
2007-02-22 23:25 294912 --a------ C:\WINNT\system32\dpu11.dll
2007-02-22 23:25 294912 --a------ C:\WINNT\system32\dpu10.dll
2007-02-22 23:25 196608 --a------ C:\WINNT\system32\dtu100.dll
2007-02-15 20:40 124472 --a------ C:\WINNT\system32\divxcodecupdatechecker.exe
2007-01-25 20:19 129784 --------- C:\WINNT\system32\pxafs.dll
2007-01-25 20:19 118520 --------- C:\WINNT\system32\pxinsi64.exe
2007-01-25 20:19 116472 --------- C:\WINNT\system32\pxcpyi64.exe
2007-01-19 13:53 51056 --a------ C:\WINNT\system32\sirenacm.dll
2007-01-08 19:01 17408 --a------ C:\WINNT\system32\corpol.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"FolderShare"="\"C:\\Program Files\\FolderShare\\FolderShare.exe\" /background"
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"Creative WebCam Tray"="C:\\Program Files\\Creative\\Shared Files\\CAMTRAY.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"wltray.exe"="C:\\WINNT\\System32\\wltray.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"eBayToolbar"="C:\\Program Files\\eBay\\eBay Toolbar2\\eBayTBDaemon.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"PayPal Virtual Debit Card"="rundll32.exe C:\\PROGRA~1\\PayPal\\PAYPAL~1\\OToolbar.dll,StartUp /dontopenmycards"
"Protections"="C:\\WINNT\\System32\\ProtEX32.exe"
"RegistryMechanic"=""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
BITSgroup REG_MULTI_SZ BITS\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background?g
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background?g

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-06 3:14:09
C:\ComboFix-quarantined-files.txt ... 07-04-06 03:14


HijackThis log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:16:47 AM, on 4/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\wltray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\ProtEX32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\FolderShare\FolderShare.exe
C:\Program Files\Ares\Ares.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\Antispyware\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Virtual Debit Card\PayPalHelper.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: PayPal Virtual Debit Card - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Virtual Debit Card\OToolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wltray.exe] C:\WINNT\System32\wltray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [PayPal Virtual Debit Card] rundll32.exe C:\PROGRA~1\PayPal\PAYPAL~1\OToolbar.dll,StartUp /dontopenmycards
O4 - HKLM\..\Run: [Protections] C:\WINNT\System32\ProtEX32.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay112.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145945024448
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150601741414
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\wltrysvc.exe

--
End of file - 10958 bytes

#15 jurgenv

  • Members
  • 1,093 posts
  • Gender:Male
  • Location:Belgium
  • Local time:12:02 PM

Posted 06 April 2007 - 06:11 AM

* Please open hijackthis and put a check next to the following:

O4 - HKLM\..\Run: [Protections] C:\WINNT\System32\ProtEX32.exe

* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

* Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\System32\ProtEX32.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

* After that, post a new hijackthis log here.
Greets Jürgenv

Donation: Click me.
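A small parser for the O4 Run lines of a HijackThis log, added here as an illustration and not part of jurgenv's reply or BleepingComputer's tooling: it pulls out the hive, value name and binary path from each line, and flags the entry jurgenv asked to fix together with, as a labelled heuristic, any other autorun binary that sits in the System32 directory without being a known Windows component. The sample lines are constructed from the log above; the allowlist is an assumption kept deliberately tiny.

```python
import re

# Constructed sample: O4 lines in HijackThis format, copied from the log
# above plus the entry jurgenv flagged for fixing. The last line is a
# Global Startup entry, which this parser deliberately ignores.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Protections] C:\\WINNT\\System32\\ProtEX32.exe
O4 - HKCU\\..\\Run: [SUPERAntiSpyware] C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINNT\\system32\\ctfmon.exe
O4 - HKUS\\S-1-5-18\\..\\Run: [Yahoo! Pager] "C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE" -quiet (User 'SYSTEM')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\\Program Files\\WinZip\\WZQKPICK.EXE
"""

# O4 - <hive>\..\Run[Once]: [<value name>] <command> [(User '<name>')]
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Assumed allowlist of Windows components legitimately started from System32.
KNOWN_SYSTEM32_GOOD = {"ctfmon.exe"}


def parse_o4(log_text):
    """Return one dict per registry Run/RunOnce entry found in the log text."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        if cmd.startswith('"'):
            # Quoted command line: the path is whatever sits inside the quotes.
            path = cmd[1:cmd.index('"', 1)]
        else:
            # Unquoted: strip trailing " -flag" / " /flag" switches, keeping
            # spaces inside the path itself (e.g. "Program Files").
            path = cmd.split(" -")[0].split(" /")[0]
        entries.append({"hive": m.group("hive"), "key": m.group("key"),
                        "name": m.group("name"), "path": path,
                        "user": m.group("user")})
    return entries


def flag_suspicious(entries, bad_names=("Protections",)):
    """Flag known-bad value names and unknown binaries launched from System32."""
    flagged = []
    for e in entries:
        base = e["path"].rsplit("\\", 1)[-1].lower()
        in_system32 = "\\system32\\" in e["path"].lower()
        if e["name"] in bad_names or (in_system32 and base not in KNOWN_SYSTEM32_GOOD):
            flagged.append(e)
    return flagged
```

Run against the constructed sample, only the [Protections] entry pointing at C:\WINNT\System32\ProtEX32.exe is flagged; ctfmon.exe passes because it is on the allowlist.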
