
Infected With Trojan


This topic is locked
12 replies to this topic

#1 missionverdana

  • Members
  • 15 posts

Posted 06 May 2007 - 01:53 PM

I have used various programs to try and find out the cause of a sudden abundance of pop up advertisements and weird music being played even when no applications were running.

I used Ad-Aware and McAfee AntiVirus three times each but they only found cookies. Spybot-Search And Destroy was also used. McAfee Stinger found no problems, while Bit Defender detected two trojans and removed most of the files that were infected. Housecall Anti Virus found one virus and one spyware problem and cleaned infections. I then used Bit Defender once more, and yet again a trojan was detected. Most files were deleted, but one file remains; acc290.dll (located in C:\WINDOWS\system32). I tried searching for this file with Google but came up with no results, leading me to suspect it is not a legitimate system file. I have not had any further problems with the pop up adverts or the music after Housecall was used, but I am still concerned about the remaining file.


Logfile of HijackThis v1.99.1
Scan saved at 19:40:58, on 06/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1177437422\ee\AOLSoftware.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redi...&key=SEARCH
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {59fa9a62-57fd-4ba8-af33-27df06e64ae8} - C:\WINDOWS\system32\acc290.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [EPSON Stylus DX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "C:\WINDOWS\TEMP\E_S8F.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [EmailChecker] C:\APPS\EmailChecker\ech.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1177437422\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EPSON Stylus DX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "C:\DOCUME~1\rratn02s\LOCALS~1\Temp\E_S7F.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-GB ee://aol/imApp
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bin/2,0,...pdatePortal.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{681CFF44-24B2-4204-A3AB-46A5C8E5E30C}: NameServer = 212.139.132.23 212.139.132.22
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: acc290 - C:\WINDOWS\SYSTEM32\acc290.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
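
Triaging a HijackThis log like the one above comes down to a handful of rules applied to each entry: an O2 BHO with no name that loads from a Windows directory, an O20 Winlogon Notify package that is not one of the XP defaults, an O4 autorun whose file name is one keystroke away from a core system process, and orphaned "(no file)" entries that are only cleanup. The script below is an added example written for this page, not code from the poster or from HijackThis; it runs those rules over a constructed excerpt of the entries above. The KNOWN_NOTIFY allow-list is a partial set of Windows XP SP2 Winlogon\Notify subkeys assumed for the example, and a lookalike hit is a prompt to check the file's publisher, not a verdict on the entry.

```python
import re

# Constructed excerpt in HijackThis v1.99.1 format, modelled on the entries of
# interest in the log above (not the full log). Backslashes are literal.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {59fa9a62-57fd-4ba8-af33-27df06e64ae8} - C:\WINDOWS\system32\acc290.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - Winlogon Notify: acc290 - C:\WINDOWS\SYSTEM32\acc290.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

ENTRY = re.compile(r"^(O\d+|R[01]|F\d)\s+-\s+(.*)$")
# O2/O3/O9 entries carry the module path after the CLSID; O4 Run entries carry
# a command line after the [value name].
GUID_PATH = re.compile(r"\{[0-9A-Fa-f-]{36}\}\s+-\s+(.*)$")
O4_ENTRY = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\]\s+(.*)$")

# Assumption: partial list of Winlogon\Notify subkeys on a default Windows XP
# SP2 install. Extend it for the environment being triaged.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}


def edit_distance(a, b):
    """Levenshtein distance; used to spot names one keystroke from a core process."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_hjt(text):
    """Yield (section, body) for every entry line, e.g. ("O20", "Winlogon Notify: ...")."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def module_path(section, body):
    """Return the file an entry loads or runs, or None if the entry names none."""
    if section == "O4":
        m = O4_ENTRY.match(body)
        if not m:
            return None
        cmd = m.group(2).strip()
        if cmd.startswith('"'):              # quoted path, arguments follow
            return cmd[1:cmd.index('"', 1)]
        return cmd.split(" ", 1)[0]          # unquoted path, first token
    if section in ("O2", "O3", "O9"):
        m = GUID_PATH.search(body)
        return m.group(1).strip() if m else None
    if section == "O20" and body.startswith("Winlogon Notify:"):
        parts = body.split(" - ", 1)
        return parts[1].strip() if len(parts) == 2 else None
    return None


def triage(text):
    """Apply the rules to one log; return (severity, reason, section, path) tuples."""
    findings = []
    for section, body in parse_hjt(text):
        path = module_path(section, body)
        if path is None:
            continue
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        if low == "(no file)" or low.endswith("(file missing)"):
            findings.append(("info", "orphaned entry; target no longer exists", section, path))
            continue
        if section == "O2" and body.startswith("BHO: (no name)") and low.startswith("c:\\windows\\"):
            findings.append(("high", "unnamed BHO loaded from a Windows directory", section, path))
        elif section == "O20":
            name = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                findings.append(("high", "Winlogon Notify package outside the XP default set", section, path))
        elif section == "O4":
            if "\\" not in path:
                findings.append(("info", "bare file name, resolved through the search path", section, path))
            for core in sorted(CORE_PROCESSES):
                if base != core and edit_distance(base, core) == 1:
                    findings.append(("medium", "one edit away from %s; verify the publisher" % core, section, path))
    return findings


if __name__ == "__main__":
    for severity, reason, section, path in triage(SAMPLE_HJT):
        print("%-6s %-4s %-55s %s" % (severity, section, reason, path))
```

Run as a script it prints the findings; `triage()` returns them as tuples so the same rules can be applied to a full log read from a file. On the excerpt both "high" findings point at the same file, acc290.dll, loaded from system32 as an unnamed BHO and again as a Winlogon Notify package, which is exactly the pair of entries the poster is asking about.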


#2 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts

Posted 06 May 2007 - 02:51 PM

Hello and welcome to BC. :thumbsup:
  • Please download ComboFix

    Note: It is important that it is saved directly to your desktop.

    Close all browsers.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply
  • Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


#3 missionverdana

  • Topic Starter
  • Members
  • 15 posts

Posted 06 May 2007 - 03:03 PM

Here is the log:

"rratn02s" - 2007-05-06 20:52:54 Service Pack 2
ComboFix 07-05.07.1.V - Running from: "C:\Documents and Settings\rratn02s\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-06 to 2007-05-06 ))))))))))))))))))))))))))))))))))


2007-05-06 18:01 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-06 17:19 <DIR> d-------- C:\DOCUME~1\rratn02s\.housecall6.6
2007-05-06 13:27 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-05-06 13:13 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-05-06 13:12 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-05-06 13:12 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-05-06 13:00 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-05-06 12:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-05 14:05 <DIR> d-------- C:\DOCUME~1\rratn02s\APPLIC~1\Lavasoft
2007-05-05 14:02 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-05 14:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-04 16:49 21,895 --a------ C:\WINDOWS\system32\acc290.dll
2007-04-23 16:43 <DIR> d-------- C:\hegames
2007-04-23 16:42 12,800 --a------ C:\WINDOWS\system32\wing32.dll
2007-04-18 20:44 <DIR> d-------- C:\DOCUME~1\rratn02s\APPLIC~1\AdobeUM
2007-04-18 19:56 <DIR> d-------- C:\DOCUME~1\rratn02s\APPLIC~1\acccore
2007-04-18 19:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-04-14 20:03 <DIR> d-------- C:\DOCUME~1\rratn02s\APPLIC~1\Apple Computer
2007-04-14 20:02 <DIR> d-------- C:\Program Files\iTunes
2007-04-14 20:02 <DIR> d-------- C:\Program Files\iPod
2007-04-14 20:01 <DIR> d-------- C:\Program Files\QuickTime
2007-04-14 20:01 <DIR> d-------- C:\Program Files\Apple Software Update
2007-04-14 20:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-04-13 17:38 <DIR> d-------- C:\DOCUME~1\jr\.thumbnails
2007-04-13 17:37 <DIR> d-------- C:\DOCUME~1\jr\.gimp-2.2
2007-04-12 23:09 <DIR> d-------- C:\DOCUME~1\jr\APPLIC~1\EPSON
2007-04-12 15:25 <DIR> d-------- C:\WINDOWS\DISNEY
2007-04-12 15:25 <DIR> d-------- C:\DISNEY
2007-04-10 20:27 <DIR> d-------- C:\DOCUME~1\rratn02s\.thumbnails
2007-04-10 20:23 <DIR> d-------- C:\DOCUME~1\rratn02s\.gimp-2.2
2007-04-10 20:22 <DIR> d-------- C:\Program Files\GIMP-2.0
2007-04-10 20:20 <DIR> d-------- C:\Program Files\Common Files\GTK
2007-04-09 18:27 <DIR> d-------- C:\DOCUME~1\rratn02s\APPLIC~1\CyberLink
2007-04-08 10:39 <DIR> d-------- C:\DOCUME~1\jr\APPLIC~1\AdobeUM
2007-04-07 20:27 <DIR> d-------- C:\WINDOWS\Twain32
2007-04-07 20:20 <DIR> d-------- C:\WINDOWS\ShellNew
2007-04-07 20:19 <DIR> d-------- C:\DOCUME~1\rratn02s\APPLIC~1\Microsoft Web Folders
2007-04-07 20:17 <DIR> d-------- C:\DOCUME~1\rratn02s\APPLIC~1\Help
2007-04-07 19:56 <DIR> d-------- C:\DOCUME~1\jr\APPLIC~1\Template
2007-04-07 18:31 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-04-07 18:31 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-04-07 18:31 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-04-07 18:31 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-04-07 18:31 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-04-07 18:31 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-04-07 18:30 <DIR> d-------- C:\Program Files\McAfee.com
2007-04-07 18:30 <DIR> d-------- C:\Program Files\McAfee
2007-04-07 18:30 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-04-07 18:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-04-07 18:14 77,824 --a------ C:\WINDOWS\system32\PICEntry.dll
2007-04-07 18:14 73,728 --a------ C:\WINDOWS\system32\PICSDK.dll
2007-04-07 18:14 65,536 --a------ C:\WINDOWS\system32\EPPicMgr.dll
2007-04-07 18:14 495,616 --a------ C:\WINDOWS\system32\PICSDK2.dll
2007-04-07 18:14 4,943 --a------ C:\WINDOWS\system32\EPPICPattern6.dat
2007-04-07 18:14 31,053 --a------ C:\WINDOWS\system32\EPPICPattern131.dat
2007-04-07 18:14 27,417 --a------ C:\WINDOWS\system32\EPPICPattern121.dat
2007-04-07 18:14 26,154 --a------ C:\WINDOWS\system32\EPPICPattern1.dat
2007-04-07 18:14 24,903 --a------ C:\WINDOWS\system32\EPPICPattern3.dat
2007-04-07 18:14 21,390 --a------ C:\WINDOWS\system32\EPPICPattern5.dat
2007-04-07 18:14 20,148 --a------ C:\WINDOWS\system32\EPPICPattern2.dat
2007-04-07 18:14 114,688 --a------ C:\WINDOWS\system32\EpPicPrt.dll
2007-04-07 18:14 111,932 --a------ C:\WINDOWS\system32\EPPICPrinterDB.dat
2007-04-07 18:14 11,811 --a------ C:\WINDOWS\system32\EPPICPattern4.dat
2007-04-07 18:14 1,146 --a------ C:\WINDOWS\system32\EPPICPresetData_DU.dat
2007-04-07 18:14 1,139 --a------ C:\WINDOWS\system32\EPPICPresetData_PT.dat
2007-04-07 18:14 1,139 --a------ C:\WINDOWS\system32\EPPICPresetData_BP.dat
2007-04-07 18:14 1,136 --a------ C:\WINDOWS\system32\EPPICPresetData_ES.dat
2007-04-07 18:14 1,129 --a------ C:\WINDOWS\system32\EPPICPresetData_FR.dat
2007-04-07 18:14 1,129 --a------ C:\WINDOWS\system32\EPPICPresetData_CF.dat
2007-04-07 18:14 1,120 --a------ C:\WINDOWS\system32\EPPICPresetData_IT.dat
2007-04-07 18:14 1,107 --a------ C:\WINDOWS\system32\EPPICPresetData_GE.dat
2007-04-07 18:14 1,104 --a------ C:\WINDOWS\system32\EPPICPresetData_EN.dat
2007-04-07 18:12 73,216 --a------ C:\WINDOWS\system32\E_FLBBVE.DLL
2007-04-07 18:12 62,976 --a------ C:\WINDOWS\system32\E_FD4BBVE.DLL
2007-04-07 18:12 49,152 --a------ C:\WINDOWS\system32\E_DCINST.DLL
2007-04-07 18:12 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-04-07 18:10 63,488 --a------ C:\WINDOWS\system32\escwiad.dll
2007-04-07 18:10 <DIR> d-------- C:\Program Files\epson
2007-04-07 18:06 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-04-07 11:32 <DIR> d-------- C:\DOCUME~1\jr\Contacts
2007-04-07 10:55 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-04-07 10:48 2,621,440 --ah----- C:\DOCUME~1\jr\NTUSER.DAT
2007-04-07 10:48 <DIR> d-------- C:\DOCUME~1\jr\APPLIC~1\You've Got Pictures Screensaver
2007-04-07 10:48 <DIR> d-------- C:\DOCUME~1\jr\APPLIC~1\Symantec
2007-04-07 10:48 <DIR> d-------- C:\DOCUME~1\jr\APPLIC~1\Real
2007-04-07 01:37 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
2007-04-07 01:37 <DIR> dr-hs---- C:\cmdcons
2007-04-07 01:37 <DIR> dr--s---- C:\WINDOWS\Fonts
2007-04-07 01:37 <DIR> dr------- C:\WINDOWS\Web
2007-04-07 01:37 <DIR> dr------- C:\WINDOWS\Offline Web Pages
2007-04-07 01:37 <DIR> dr------- C:\Program Files
2007-04-07 01:37 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\Documents
2007-04-07 01:37 <DIR> d--hs---- C:\WINDOWS\Installer
2007-04-07 01:37 <DIR> d--hs---- C:\System Volume Information
2007-04-07 01:37 <DIR> d--hs---- C:\RECYCLER
2007-04-07 01:37 <DIR> d--hs---- C:\DRIVERS
2007-04-07 01:37 <DIR> d--hs---- C:\DOCUME~1\ALLUSE~1\DRM
2007-04-07 01:37 <DIR> d--h----- C:\WINDOWS\inf
2007-04-07 01:37 <DIR> d--h----- C:\WINDOWS\I386
2007-04-07 01:37 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-04-07 01:37 <DIR> d--h----- C:\Program Files\WindowsUpdate
2007-04-07 01:37 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-04-07 01:37 <DIR> d--h----- C:\PNP
2007-04-07 01:37 <DIR> d--h----- C:\DIVTOOLS
2007-04-07 01:37 <DIR> d---s---- C:\WINDOWS\Tasks
2007-04-07 01:37 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\WinSxS
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\twain_32
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\wins
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\wbem
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\usmt
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\trayres
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\spool
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\ShellExt
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\Setup
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\Restore
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\ras
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\oobe
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\npp
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\mui
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\MsDtc
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\Macromed
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\inetsrv
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\IME
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\icsxml
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\ias
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\export
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\drivers\etc
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\drivers\disdn
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\drivers
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\DirectX
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\dhcp
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\config
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\Com
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\CatRoot
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\3com_dmi
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\3076
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\2052
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\1054
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\1042
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\1041
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\1037
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\1033
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\1031
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\1028
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32\1025
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system32
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\system
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\srchasst
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\SiS
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\security
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\Resources
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\REPAIR
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\Registration
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\Provisioning
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\PREFETCH
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\PeerNet
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\pchealth
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\occache
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\mui
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\msapps
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\msagent
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\Modio
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\Media
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\ime
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\Help
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\Driver Cache
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\Debug
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\Cursors
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\Connection Wizard
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\Config
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\AppPatch
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS\addins
2007-04-07 01:37 <DIR> d-------- C:\WINDOWS
2007-04-07 01:37 <DIR> d-------- C:\SiS VGA Utilities V3.65
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Windows NT
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Viewpoint
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Symantec
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Sonic
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Real
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Online Services
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-04-07 01:37 <DIR> d-------- C:\Program Files\MSN Gaming Zone
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Movie Maker
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Microsoft Works
2007-04-07 01:37 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Messenger
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Dynamic Toolbar
2007-04-07 01:37 <DIR> d-------- C:\Program Files\CyberLink
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Common Files\SpeechEngines
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Common Files\Real
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Common Files\ODBC
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Common Files\MSSoap
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Common Files\aolshare
2007-04-07 01:37 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-04-07 01:37 <DIR> d-------- C:\Program Files\AvRack
2007-04-07 01:37 <DIR> d-------- C:\Program Files\AOL Companion
2007-04-07 01:37 <DIR> d-------- C:\Program Files\AOL 9.0
2007-04-07 01:37 <DIR> d-------- C:\My Music
2007-04-07 01:37 <DIR> d-------- C:\Documents and Settings
2007-04-07 01:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-04-07 01:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-04-07 01:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SBSI
2007-04-07 01:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
2007-04-07 01:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-04-07 01:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-04-07 01:37 <DIR> d-------- C:\APPS
2007-04-06 20:04 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-04-06 20:04 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-04-06 20:03 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-04-06 19:52 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-04-06 19:52 <DIR> d-------- C:\Program Files\MSN Messenger
2007-04-06 19:52 <DIR> d-------- C:\DOCUME~1\rratn02s\Contacts
2007-04-06 19:19 <DIR> d-------- C:\Files
2007-04-06 19:00 <DIR> d-------- C:\Program Files\MSBuild
2007-04-06 18:56 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-04-06 18:56 <DIR> d-------- C:\WINDOWS\system32\bak
2007-04-06 18:56 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-04-06 18:55 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-04-06 18:54 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-04-06 18:54 <DIR> d-------- C:\59f5049322f8ee4b3f71
2007-04-06 18:53 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-04-06 18:53 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-04-06 18:48 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-04-06 18:42 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-06 18:42 <DIR> d-------- C:\d608ff6be638f6eed95a7f2d0fc5d0
2007-04-06 18:34 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-04-06 18:27 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-04-06 18:27 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-04-06 18:27 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-04-06 18:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-06 18:12 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-04-06 18:12 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-04-06 18:07 <DIR> d--hs---- C:\DOCUME~1\rratn02s\UserData
2007-04-06 18:06 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-06 18:00 70,688 --a------ C:\WINDOWS\system32\drivers\alcaudsl.sys
2007-04-06 18:00 53,600 --a------ C:\WINDOWS\system32\drivers\alcan5wn.sys
2007-04-06 18:00 5,606 --a------ C:\WINDOWS\system32\stci.dll
2007-04-06 18:00 5,280 --a------ C:\WINDOWS\system32\drivers\alcawh.sys
2007-04-06 18:00 3,968 --a------ C:\WINDOWS\system32\drivers\alcacr.sys
2007-04-06 18:00 <DIR> d-------- C:\Program Files\Thomson
2007-04-06 17:49 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-04-06 17:49 2,621,440 --ah----- C:\DOCUME~1\rratn02s\NTUSER.DAT
2007-04-06 17:49 <DIR> d-------- C:\DOCUME~1\rratn02s\APPLIC~1\You've Got Pictures Screensaver
2007-04-06 17:49 <DIR> d-------- C:\DOCUME~1\rratn02s\APPLIC~1\Symantec
2007-04-06 17:49 <DIR> d-------- C:\DOCUME~1\rratn02s\APPLIC~1\Real
2007-04-06 17:48 262,144 --a------ C:\DOCUME~1\ALLUSE~1\NTUSER.DAT
2007-04-06 17:48 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\You've Got Pictures Screensaver
2007-04-06 17:48 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Symantec
2007-04-06 17:48 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Real


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-05 13:05:32 -------- d-----w C:\DOCUME~1\rratn02s\APPLIC~1.\Lavasoft
2007-04-29 17:10:50 -------- d-----w C:\DOCUME~1\rratn02s\APPLIC~1.\Apple Computer
2007-04-18 20:02:02 -------- d-----w C:\DOCUME~1\rratn02s\APPLIC~1.\AdobeUM
2007-04-18 18:56:08 -------- d-----w C:\DOCUME~1\rratn02s\APPLIC~1.\acccore
2007-04-09 17:27:37 -------- d-----w C:\DOCUME~1\rratn02s\APPLIC~1.\CyberLink
2007-04-07 19:19:34 -------- d-----w C:\DOCUME~1\rratn02s\APPLIC~1.\Microsoft Web Folders
2007-04-07 19:17:08 -------- d-----w C:\DOCUME~1\rratn02s\APPLIC~1.\Help
2007-04-07 00:37:50 -------- d-----w C:\DOCUME~1\rratn02s\APPLIC~1.\You've Got Pictures Screensaver
2007-04-06 17:33:06 -------- d-----w C:\DOCUME~1\rratn02s\APPLIC~1.\Real
2007-04-06 16:52:23 -------- d-----w C:\DOCUME~1\rratn02s\APPLIC~1.\Symantec
2007-03-23 05:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 05:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 19:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
"{59fa9a62-57fd-4ba8-af33-27df06e64ae8}"="C:\WINDOWS\system32\acc290.dll"
"{7DB2D5A0-7241-4E79-B68D-6309F01C5231}"="c:\program files\mcafee\virusscan\scriptcl.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SoundMan"="SOUNDMAN.EXE"
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"PCMService"="\"c:\\Apps\\Powercinema\\PCMService.exe\""
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNOTIFY.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"EPSON Stylus DX5000 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIBVE.EXE /FU \"C:\\WINDOWS\\TEMP\\E_S8F.tmp\" /EF \"HKLM\""
"EmailChecker"="C:\\APPS\\EmailChecker\\ech.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1177437422\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"EPSON Stylus DX5000 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIBVE.EXE /FU \"C:\\DOCUME~1\\rratn02s\\LOCALS~1\\Temp\\E_S7F.tmp\" /EF \"HKCU\""
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-GB ee://aol/imApp"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acc290

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0




*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_SBHR
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_TMCOMM
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_VSMON


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McDefragTask.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-06 20:55:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-06 20:55:49
C:\ComboFix-quarantined-files.txt ... 2007-05-06 20:55
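The "Reg Loading Points" block in the log above is where the remaining problem shows itself: the same acc290.dll that sits in the Browser Helper Objects list also has a subkey under Winlogon\Notify, and the "Files Created" listing dates it two days before the scan. The script below is an added example written for this page (editor's code, not ComboFix output and not anything posted in the thread). It parses those three parts of a ComboFix log and flags any BHO DLL that also has a Winlogon\Notify subkey of the same name, was written shortly before the scan, or lives under system32 instead of a product folder. The three rules are the editor's own heuristics; the sample text is a constructed excerpt of the log posted above, trimmed to the relevant lines.

```python
"""Triage of the "Reg Loading Points" block in a ComboFix log (added example)."""
import re
from datetime import date

# Constructed sample: the relevant lines of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((( Files Created from 2007-04-06 to 2007-05-06 ))))))))))))))))))))))))))))))))))

2007-05-06 13:12 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-05-06 13:12 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-05-04 16:49 21,895 --a------ C:\WINDOWS\system32\acc290.dll
2007-04-23 16:42 12,800 --a------ C:\WINDOWS\system32\wing32.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
"{59fa9a62-57fd-4ba8-af33-27df06e64ae8}"="C:\WINDOWS\system32\acc290.dll"
"{7DB2D5A0-7241-4E79-B68D-6309F01C5231}"="c:\program files\mcafee\virusscan\scriptcl.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acc290
"""

BHO_RE = re.compile(r'^"\{([0-9A-Fa-f-]{36})\}"="(.+)"$')
NOTIFY_RE = re.compile(
    r'^hkey_local_machine\\software\\microsoft\\windows nt\\currentversion'
    r'\\winlogon\\notify\\([^\\\s]+)$', re.I)
FILE_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}(?::\d{2})?\s+(<DIR>|[\d,]+)\s+\S+\s+(.+)$')
RANGE_RE = re.compile(r'Files Created from (\d{4}-\d{2}-\d{2}) to (\d{4}-\d{2}-\d{2})')


def parse_bhos(log):
    """{guid: dll path} from the Browser Helper Objects block."""
    bhos, in_block = {}, False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("["):  # any [HKEY...] header opens a new block
            in_block = line.lower().endswith("browser helper objects]")
            continue
        m = BHO_RE.match(line) if in_block else None
        if m:
            bhos[m.group(1).lower()] = m.group(2)
    return bhos


def parse_winlogon_notify(log):
    """Lower-cased names of the Winlogon\\Notify subkeys listed in the log."""
    names = set()
    for line in log.splitlines():
        m = NOTIFY_RE.match(line.strip())
        if m:
            names.add(m.group(1).lower())
    return names


def parse_files_created(log):
    """{lower-cased path: creation date} for files; directory entries are skipped."""
    created = {}
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if m and m.group(2) != "<DIR>":
            created[m.group(3).strip().lower()] = date.fromisoformat(m.group(1))
    return created


def scan_date(log):
    """End of the 'Files Created from .. to ..' window, i.e. the day of the scan."""
    m = RANGE_RE.search(log)
    if m:
        return date.fromisoformat(m.group(2))
    return max(parse_files_created(log).values())


def triage_bhos(log, recent_days=14):
    """Return [{'guid', 'path', 'reasons'}] for every BHO with at least one reason to look at it."""
    notify = parse_winlogon_notify(log)
    created = parse_files_created(log)
    scanned = scan_date(log)
    findings = []
    for guid, path in parse_bhos(log).items():
        low = path.lower()
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]  # 'acc290' from '...\acc290.dll'
        reasons = []
        if stem in notify:
            reasons.append("same name registered under Winlogon\\Notify "
                           "(loaded by winlogon.exe at logon, independent of Internet Explorer)")
        if low in created and (scanned - created[low]).days <= recent_days:
            reasons.append(f"written {(scanned - created[low]).days} day(s) before the scan")
        if "\\system32\\" in low:
            reasons.append("BHO DLL sits in system32 rather than a product folder")
        if reasons:
            findings.append({"guid": guid, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_bhos(SAMPLE_LOG):
        print(f["path"], "{" + f["guid"] + "}")
        for r in f["reasons"]:
            print("   -", r)
```

Run on the sample, only acc290.dll comes back, with all three reasons; the Adobe, Spybot and McAfee BHOs trip none of them. The Winlogon\Notify overlap is the one that matters for cleanup: a DLL registered there is loaded by winlogon.exe, so removing the BHO entry alone does not stop it loading.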

#4 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts

Posted 06 May 2007 - 04:39 PM

Hi,

Go to Start, then Run, paste in the following single-line command, then click OK:

"%userprofile%\desktop\combofix.exe" /v acc290

A log will be produced. I'll need that in your next reply.

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

===============================

Please download FindAWF from: http://noahdfear.geekstogo.com/FindAWF.exe and save it on your desktop. Double-click on the file to run it. It will produce a report (awf.txt). Please post that report as a reply to this thread.

================================

Reboot and post back a fresh HijackThis log along with the Combofix.txt2 and awf.txt please.
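How to read the awf.txt that the FindAWF step above produces, as an added example (editor's code, not FindAWF's own and not anything posted in the thread). FindAWF lists the "bak" folders it finds next to startup executables, then every file on disk whose name and size match a file in one of those folders. Reading the report therefore comes down to one check per bak copy: is there a same-name, same-size twin outside any bak folder? If yes, the original is still in place and the bak copy is a leftover. If no, the live file the Run key points to is either absent or a different file, and the original has to be moved back out of bak. The sample input is a constructed subset of the awf.txt posted later in this thread; the `move` commands the last function generates are illustrative remediation, not the thread's own fix.

```python
"""Reading a FindAWF report (awf.txt) and listing the originals that are only in bak (added example)."""
import re

# Constructed sample: four of the eight bak folders from the awf.txt posted in this thread.
SAMPLE_AWF = r"""
Find AWF report by noahdfear 2006

bak folders found
~~~~~~~~~~~

Directory of C:\APPS\POWERC~1\BAK

28/01/2005 11:10 110,740 PCMService.exe
1 File(s) 110,740 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

04/08/2004 14:00 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

27/08/2004 22:22 58,488 ccApp.exe
1 File(s) 58,488 bytes

Directory of C:\WINDOWS\IME\IMJP8_1\BAK

04/08/2004 14:00 208,952 IMJPMIG.EXE
1 File(s) 208,952 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

110740 28 Jan 2005 "C:\APPS\Powercinema\bak\PCMService.exe"
15360 4 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 4 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
58488 27 Aug 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
208952 4 Aug 2004 "C:\WINDOWS\ime\IMJP8_1\imjpmig.exe"
208952 4 Aug 2004 "C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.EXE"

end of report
"""

DIR_RE = re.compile(r'^Directory of (.+)$')
BAKFILE_RE = re.compile(r'^\d{2}/\d{2}/\d{4} \d{2}:\d{2}\s+([\d,]+)\s+(.+)$')
DUP_RE = re.compile(r'^(\d+)\s+\d{1,2} \w{3} \d{4}\s+"(.+)"$')


def parse_bak_inventory(report):
    """[(bak_dir, file name, size)] from the 'bak folders found' section."""
    inventory, cur_dir = [], None
    for line in report.splitlines():
        line = line.strip()
        m = DIR_RE.match(line)
        if m:
            cur_dir = m.group(1)
            continue
        m = BAKFILE_RE.match(line)
        if m and cur_dir:
            inventory.append((cur_dir, m.group(2).strip(), int(m.group(1).replace(",", ""))))
    return inventory


def parse_duplicates(report):
    """[(size, full path)] from the 'Duplicate files of bak directory contents' section."""
    dups = []
    for line in report.splitlines():
        m = DUP_RE.match(line.strip())
        if m:
            dups.append((int(m.group(1)), m.group(2)))
    return dups


def in_bak_folder(path):
    """True when the file's parent folder is named 'bak'."""
    parts = path.lower().split("\\")
    return len(parts) >= 2 and parts[-2] == "bak"


def classify(report):
    """One dict per bak copy: where it is, and whether an original is still in place beside it."""
    dups = parse_duplicates(report)
    results = []
    for bak_dir, name, size in parse_bak_inventory(report):
        same = [p for s, p in dups if s == size and p.lower().endswith("\\" + name.lower())]
        twins = [p for p in same if not in_bak_folder(p)]
        # prefer the long-name path from the duplicates section over the 8.3 'Directory of' one
        bak_path = next((p for p in same if in_bak_folder(p)), bak_dir + "\\" + name)
        results.append({"name": name, "size": size, "bak_path": bak_path,
                        "original_in_place": bool(twins),
                        "live_twin": twins[0] if twins else None})
    return results


def restore_commands(report):
    """cmd.exe 'move' lines that put each orphaned original back beside its bak folder (illustrative)."""
    cmds = []
    for r in classify(report):
        if not r["original_in_place"]:
            dest = r["bak_path"].rsplit("\\", 2)[0] + "\\" + r["name"]
            cmds.append(f'move /y "{r["bak_path"]}" "{dest}"')
    return cmds


if __name__ == "__main__":
    for r in classify(SAMPLE_AWF):
        state = "original in place" if r["original_in_place"] else "ORIGINAL ONLY IN BAK"
        print(f"{r['name']:<16} {r['size']:>8}  {state}")
    print("\n".join(restore_commands(SAMPLE_AWF)))
```

On the sample, ctfmon.exe and IMJPMIG.EXE have a same-size twin in their real location, so those bak copies are leftovers; PCMService.exe and ccApp.exe exist only in bak, so whatever the Run key launches under those names is not the original. Matching is done on file name and size rather than on full path because the "Directory of" lines use 8.3 short names while the duplicates section uses long names.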

#5 missionverdana
  • Topic Starter

  • Members
  • 15 posts

Posted 06 May 2007 - 04:58 PM

ComboFix log:
(the ComboFix log posted here is the same one as in the earlier reply: same run, completion time 2007-05-06 20:55:49)

AWF log:


Find AWF report by noahdfear 2006


bak folders found
~~~~~~~~~~~


Directory of C:\APPS\POWERC~1\BAK

28/01/2005 11:10 110,740 PCMService.exe
1 File(s) 110,740 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

04/08/2004 14:00 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

27/08/2004 22:22 58,488 ccApp.exe
1 File(s) 58,488 bytes

Directory of C:\PROGRA~1\THOMSON\SPEEDT~1\BAK

26/01/2004 11:38 866,816 Dragdiag.exe
1 File(s) 866,816 bytes

Directory of C:\WINDOWS\IME\IMJP8_1\BAK

04/08/2004 14:00 208,952 IMJPMIG.EXE
1 File(s) 208,952 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

12/07/2005 20:57 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

03/06/2004 22:05 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK

04/08/2004 14:00 455,168 TINTSETP.EXE
1 File(s) 455,168 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

110740 28 Jan 2005 "C:\APPS\Powercinema\bak\PCMService.exe"
15360 4 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 4 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
58488 27 Aug 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
866816 26 Jan 2004 "C:\Program Files\Thomson\SpeedTouch USB\bak\Dragdiag.exe"
208952 4 Aug 2004 "C:\WINDOWS\ime\IMJP8_1\imjpmig.exe"
208952 4 Aug 2004 "C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.EXE"
180269 12 Jul 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
32881 3 Jun 2004 "C:\Program Files\Java\j2re1.4.2_05\bin\bak\jusched.exe"
455168 4 Aug 2004 "C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe"
455168 4 Aug 2004 "C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"


end of report

Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 22:51:36, on 06/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1177437422\ee\AOLSoftware.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1177437422\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-GB ee://aol/imApp
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bin/2,0,...pdatePortal.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:49 AM

Posted 06 May 2007 - 08:28 PM

Hi,

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Example:

C:\WINDOWS\system32\ctfmon.exe << original location, file replaced by an infected one
C:\WINDOWS\system32\bak\igfxtray.exe << original file moved to the bak folder

So the files present in the BAK-folders are the GOOD ones. We'll be restoring those files, but before doing that I would like the infected files removed first.

Please print these instructions so that you can have access to them while you're in Safe Mode later, and follow them in the order they are presented.

====================================

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security:
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Anti Spyware.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

====================================

Safe Mode

Reboot your computer in Safe Mode using the F8 method below.
a. If the computer is running, shut down Windows, and then turn off the power.
b. Wait 30 seconds, and then turn the computer on.
c. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
d. Ensure that the Safe Mode option is selected.
e. Press Enter. The computer then begins to start in Safe mode.

====================================

From Safe Mode run Ccleaner
  • Click on Options,
  • Select Advanced
  • Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
  • Make sure the Cleaner block on the left is selected.
  • Do not use the "Issues" block. It's meant for professionals.
  • Choose the Windows tab.
  • Check everything EXCEPT Advanced part of the Menu.
  • Click on "Analyze". This process could take a while.
  • If you don't want to lose your login passwords to certain sites, click on Options
  • Select cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting and using the arrows in the middle.
  • Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.
If you have more than one user, run CCleaner for every user.

====================================

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Stay in Safe Mode

===========================================

Now we'll move the clean files back to the places they belong...

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'Show hidden files and folders',
deselect (uncheck) 'Hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.

====================================================

Go to My Computer and browse to the following folder:
C:\WINDOWS\system32\bak\
Inside the BAK folder is a file named ctfmon.exe
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\WINDOWS\system32\ folder
Click the background with your mouse, choose Paste
Now you should have the ctfmon.exe file in the C:\WINDOWS\system32\ folder
Now go ahead and delete the BAK folder

Do the same thing for other files:

Go to My Computer and browse to the following folder:
C:\WINDOWS\ime\IMJP8_1\bak\
Inside the BAK folder is a file named IMJPMIG.EXE
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\WINDOWS\ime\IMJP8_1\ folder
Click the background with your mouse, choose Paste
Now you should have the ctfmon.exe file in the C:\WINDOWS\ime\IMJP8_1\ folder
Now go ahead and delete the BAK folder

Next file:

Go to My Computer and browse to the following folder:
C:\WINDOWS\system32\IME\TINTLGNT\bak\
Inside the BAK folder is a file named TINTSETP.EXE
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\WINDOWS\system32\IME\TINTLGNT\ folder
Click the background with your mouse, choose Paste
Now you should have the ctfmon.exe file in the C:\WINDOWS\system32\IME\TINTLGNT\ folder
Now go ahead and delete the BAK folder

Next file:

Go to My Computer and browse to the following folder:
C:\Program Files\Common Files\Symantec Shared\bak\
Inside the BAK folder is a file named ccApp.exe
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\Program Files\Common Files\Symantec Shared\ folder
Click the background with your mouse, choose Paste
Now you should have the ccApp.exe file in the C:\Program Files\Common Files\Symantec Shared\ folder.
Now go ahead and delete the BAK folder

Next file:

Go to My Computer and browse to the following folder:
C:\Program Files\Thomson\SpeedTouch USB\bak\
Inside the BAK folder is a file named cDragdiag.exe
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\Program Files\Thomson\SpeedTouch USB\ folder
Click the background with your mouse, choose Paste
Now you should have the cDragdiag.exe file in the C:\Program Files\Thomson\SpeedTouch USB\ folder
Now go ahead and delete the BAK folder

Next file:

Go to My Computer and browse to the following folder:
C:\Program Files\Common Files\Real\Update_OB\bak
Inside the BAK folder is the file named realsched.exe
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\Program Files\Common Files\Real\Update_OB\ folder
Click the background with your mouse, choose Paste
Now you should have the realsched.exe file in the C:\Program Files\Common Files\Real\Update_OB\ folder
Now go ahead and delete the BAK folder

Next file:

Go to My Computer and browse to the following folder:
C:\APPS\Powercinema\bak
Inside the BAK folder is a file named PCMService.exe
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\APPS\Powercinema\ folder
Click the background with your mouse, choose Paste
Now you should have the PCMService.exe file in the C:\APPS\Powercinema\ folder.
Now go ahead and delete the BAK folder

Next file:

Note: It could be possible, when you replace a file back into the original folder, that the file is already present in the original folder, but that may be the bad one. So just let it overwrite it with the good file from the BAK folder.

==============================

Scan with HijackThis and put a checkmark against the following entries:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} - (no file)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O20 - AppInit_DLLs:


Click on "fix checked". Exit HijackThis but stay in Safe Mode.

=============================

Then, * Clean your Cache and Cookies in IE:
Make sure that all instances of Outlook Express and Internet Explorer are closed.
Go to Start > Control Panel > Internet Options > General tab
Under Browsing History, click "Delete".
Click "Delete Files", "Delete cookies" and "Delete history"
Click Close below.

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
Go to Tools > Options.
Click Privacy in the menu.
Click the Clear now button below. A new window will pop up asking what to clear.
Select all and click the Clear button again.
Click OK to close the Options window

* Clean other Temporary files + Recycle bin
Go to Start > Run, type cleanmgr and click OK.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

==============================

Restart the computer in Normal Mode.

==============================

Download Deldomains and place it on your desktop.
Right-click the file and select Install; that will reset the zone settings that have been altered.

==============================

Download: ResetProtocolDefaults.reg

Locate "ResetProtocolDefaults.reg"
Right-click and select: Merge (Ok the prompt).

===============================

Next, please follow these steps to remove older versions of Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "The JSE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6.0 windows-i586-p.exe to install the newest version.

================================

Scan with AVG Anti Spyware again and save the report. (This time it can be done in Normal Mode.)

================================

Rescan with FindAWF

================================

Please post the logs from AVG Anti Spyware and FindAWF in your next reply together with a new Hijackthis log.
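
The replacement pattern described at the top of this post (infected copy at the autorun path, displaced original in a "bak" subfolder) and the cut-and-paste restore steps can be checked mechanically. The script below is an added example, not the FindAWF tool and not code from this thread: it walks a tree for `bak` folders, pairs each file with its same-named twin one level up, hashes both so a genuine backup (identical twin) is not confused with a replaced file, and can perform the move-back. The folder layout and file contents are constructed in a temporary directory so it runs offline.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

BAK_NAME = "bak"   # the trojan parks displaced originals in a folder of this name


@dataclass
class BakFinding:
    bak_file: Path             # file found inside a bak folder (expected: the good original)
    original_path: Path        # where it belongs: same name, one level up
    replaced_present: bool     # is a same-named file present at the original location?
    differs: bool              # does that file differ (size or SHA-256) from the bak copy?
    bak_size: int
    present_size: Optional[int]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_replacements(root: Path) -> List[BakFinding]:
    """Walk root, locate 'bak' folders and pair each file inside with its parent-folder twin."""
    findings: List[BakFinding] = []
    for dirpath, _dirs, filenames in os.walk(root):
        here = Path(dirpath)
        if here.name.lower() != BAK_NAME:
            continue
        for name in filenames:
            bak_file = here / name
            original = here.parent / name
            present = original.is_file()
            present_size = original.stat().st_size if present else None
            # Identical contents mean an ordinary backup; a different file with the
            # same name at the original location is the replacement pattern.
            differs = present and (present_size != bak_file.stat().st_size
                                   or sha256_of(original) != sha256_of(bak_file))
            findings.append(BakFinding(bak_file, original, present, differs,
                                       bak_file.stat().st_size, present_size))
    return findings


def restore_from_bak(finding: BakFinding, dry_run: bool = True) -> str:
    """The manual steps above: cut from bak, paste over the replaced file, delete bak when empty."""
    if dry_run:
        return f"would move {finding.bak_file} -> {finding.original_path}"
    os.replace(finding.bak_file, finding.original_path)   # overwrites on Windows and POSIX
    bak_dir = finding.bak_file.parent
    if not any(bak_dir.iterdir()):
        bak_dir.rmdir()
    return f"moved {finding.bak_file} -> {finding.original_path}"


def build_sample_tree(base: Path) -> None:
    """Constructed sample layout (no real malware): two cases like this thread's, one benign."""
    sys32 = base / "WINDOWS" / "system32"
    (sys32 / "bak").mkdir(parents=True)
    (sys32 / "bak" / "ctfmon.exe").write_bytes(b"ORIGINAL-CTFMON" * 100)  # displaced good copy
    (sys32 / "ctfmon.exe").write_bytes(b"REPLACED-CONTENT" * 120)          # file now at original spot
    ime = base / "WINDOWS" / "ime" / "IMJP8_1"
    (ime / "bak").mkdir(parents=True)
    (ime / "bak" / "IMJPMIG.EXE").write_bytes(b"ORIGINAL-IMJPMIG" * 50)
    # nothing at ime/IMJPMIG.EXE: a scanner already deleted the replacement
    app = base / "Program Files" / "SomeApp"
    (app / "bak").mkdir(parents=True)
    (app / "bak" / "readme.txt").write_bytes(b"notes")
    (app / "readme.txt").write_bytes(b"notes")   # identical: an ordinary backup, leave it alone


def run_demo(dry_run: bool = True) -> Dict[str, object]:
    """Build the sample tree in a temp folder, report, optionally restore, then re-scan."""
    base = Path(tempfile.mkdtemp(prefix="awfdemo_"))
    try:
        build_sample_tree(base)
        findings = find_bak_replacements(base)
        actions: List[str] = []
        for f in sorted(findings, key=lambda x: str(x.bak_file)):
            if f.differs:
                verdict = "REPLACED: differs from bak copy"
            elif f.replaced_present:
                verdict = "identical twin present: ordinary backup"
            else:
                verdict = "missing at original location"
            print(f"{f.bak_size:>8}  {f.bak_file.relative_to(base)}  ->  {verdict}")
            if f.differs or not f.replaced_present:
                actions.append(restore_from_bak(f, dry_run=dry_run))
        remaining = len(find_bak_replacements(base))   # bak entries still present afterwards
        return {"findings": findings, "actions": actions, "remaining": remaining}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo(dry_run=False)
    print("bak entries left after restore:", result["remaining"])   # 1: the ordinary backup
```

Run it on a real tree by calling find_bak_replacements(Path("C:/")) with dry_run left on first, and only move files whose twin actually differs; an identical pair is not evidence of this trojan.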

#7 missionverdana

missionverdana
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:02:49 PM

Posted 07 May 2007 - 07:28 AM

The listed files were placed in their proper folders. Here are the logs as requested:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:19:39 07/05/2007

+ Scan result:



HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} -> Adware.2020Search : Cleaned with backup (quarantined).
HKU\S-1-5-21-1778884206-3478162789-4270813744-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} -> Adware.2020Search : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\acc290.dll.vir -> Downloader.ConHook.bf : Cleaned with backup (quarantined).


::Report end

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 13:17:04 07/05/2007

+ Scan result:



C:\Documents and Settings\rratn02s\Cookies\rratn02s@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.


::Report end



Find AWF report by noahdfear 2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

03/06/2004 22:05 32,881 jusched.exe
1 File(s) 32,881 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

83608 14 Mar 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
32881 3 Jun 2004 "C:\Program Files\Java\j2re1.4.2_05\bin\bak\jusched.exe"


end of report

Logfile of HijackThis v1.99.1
Scan saved at 13:19:51, on 07/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1177437422\ee\AOLSoftware.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1177437422\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-GB ee://aol/imApp
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bin/2,0,...pdatePortal.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{681CFF44-24B2-4204-A3AB-46A5C8E5E30C}: NameServer = 212.139.132.23 212.139.132.22
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:49 AM

Posted 07 May 2007 - 08:08 AM

Hi,

Well done. :thumbsup: j2re1.4.2 is an old version of Java. Please check to see if it's still in the Add/Remove Programs list in Control Panel and remove it if there. Then check to see if the folder is present, and remove that too.

C:\Program Files\Java\j2re1.4.2_05

Next, perform an online scan using Internet Explorer with Panda ActiveScan
  • Click on the button located at the bottom of the page.
  • A "pop up" window will appear. Please ensure that your pop up blocker doesn't block it.
  • Enter your e-mail address, country, and state & click "Free Online Scan". The download of Panda's 8 MB ActiveX control will take place.
Begin the scan by selecting the scan button.
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on the button to see the report, then click the button to save it, and post back the contents please.
Also let me know how the computer is running now.

#9 missionverdana

missionverdana
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:02:49 PM

Posted 07 May 2007 - 09:35 AM

I have not had any further issues with pop ups since I used AVG Anti Spyware. The music has not returned either (since I used HouseCall, before I posted this topic).

Scan results:

Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\rratn02s\Cookies\rratn02s@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\rratn02s\Cookies\rratn02s@doubleclick[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\rratn02s\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe

#10 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:49 AM

Posted 07 May 2007 - 09:52 AM

Hi,

What Panda is reporting is a couple of cookies and a file that's part of one of the tools I asked you to download. Nothing to worry about.

Please remove/delete all the tools I asked you to download, except AVG Anti Spyware and CCleaner. Use Add/Remove Programs to remove them if listed there; otherwise just delete them and empty the Recycle Bin.

Since AVG Anti Spyware is a trial version, the realtime guard and automatic update will stop functioning after the trial period. That is why we are not installing the guard so it will not interfere with the cleanup or the malware removal process. You can use AVG-AS as an on-demand scanner (recommended) but you will have to manually update the definition file each time you scan.

Ccleaner is also a useful tool to keep for cleaning your cookies and temp files on a regular basis.

Re-enable all the realtime scanners I may have asked you to disable.

Remember to hide your system files again.

Start>My Computer>Tools>Folder Options>View
Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Check the Hide extensions for known file types option.
Click OK.
=============================
Create a new System Restore point to prevent reinfection from old restore points.

Go to Start>Run and type sysdm.cpl. Press Enter
  • Select the System Restore Tab
  • Place a check in "Turn off System Restore on all drives"
  • Click Apply
  • Next, uncheck the same checkbox.
  • Click Apply
  • Click OK
You can also find instructions on how to disable and re-enable System Restore here:
Windows XP System Restore Guide

A colleague of ours has excellent information and tips on the prevention of malware here and more on improving speed/system performance after malware removal here.

Happy Surfing! :thumbsup:

#11 missionverdana

missionverdana
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:02:49 PM

Posted 07 May 2007 - 10:05 AM

I have completed the steps you have outlined, and will be checking out the links. Thank you very much for helping me with this issue :thumbsup:

#12 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:49 AM

Posted 07 May 2007 - 10:22 AM

You're very welcome. Glad we could help. Stay safe! :thumbsup:

#13 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:49 AM

Posted 10 May 2007 - 02:36 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please PM me with the address of the thread, and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.
