Can't Get Rid Of "system Alert" Taskbar Popup!

3 replies to this topic

#1 Venom_0728 (Members, 15 posts)

Posted 18 May 2007 - 04:39 AM

Hello, I am new here. Just today, I am seeing an icon in my taskbar like this:

Posted Image

Every few minutes or so, a popup shows up saying "System Alert" and says things like there are viruses on my computer and that I should use a certain type of software to get rid of these parasite programs. It looks like this:

Posted Image

I also get this message:

Posted Image

I tried my anti-spyware (AVG), Ad-Aware (Lavasoft), and anti-virus (AVG also) programs and got no results. After I restarted following these scans, I got these new icons on my desktop:

Posted Image


Here is my HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:34:13 AM, on 5/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Dan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/hp/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSDNS System - {27A7FB75-FB40-4f94-BCF6-4945BCC8BAAF} - C:\WINDOWS\tlhelper.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\tmp22.tmp.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {8dd0d07a-1325-4fb6-a138-a7dd3a674d7b} - C:\WINDOWS\system32\editgmt.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\Speed Video Splitter\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\efddca.dll",realset
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [ui] rundll32.exe "C:\WINDOWS\vtutqr.dll",realset
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: editgmt - editgmt.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: iebrowser - {4DACF5D8-D6FB-44F8-A8BE-896371E7E373} - C:\WINDOWS\iebrowser.dll (file missing)
O21 - SSODL: msdns - {E9863FAC-67F5-46A7-B326-1451B3A35F8B} - C:\WINDOWS\msdns.dll
O21 - SSODL: iedns - {13E686FD-94BB-4AEC-A16E-FEEA558B9213} - C:\WINDOWS\iedns.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: MS Common Service - Unknown owner - C:\WINDOWS\system32\mscomserv.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


Please help me. This is my last resort before I am reformatting.

Also: I "fixed" all of the files HijackThis found after creating a restore point, and it is still there!

Edited by Venom_0728, 18 May 2007 - 06:25 AM.
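Added example, not code from the thread or from HijackThis: a small Python triage script run over lines copied from the log above, flagging the patterns a responder would pull out of it by eye (the redirected start page, the BHOs registered without a name or pointing at missing files, the rundll32 Run entries loading DLLs dropped straight into the Windows root, the tmpNN.tmp.dll modules under system32, and the service with no vendor string). The trusted-host allow-list and the rules themselves are illustrative assumptions, not a reference set.

```python
"""HijackThis log triage: added example, not code from the thread or from HijackThis.
Flags the persistence patterns visible in the posted log. The allow-list and the
rules are illustrative assumptions, not a reference set."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/hp/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSDNS System - {27A7FB75-FB40-4f94-BCF6-4945BCC8BAAF} - C:\WINDOWS\tlhelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\tmp22.tmp.dll
O2 - BHO: (no name) - {8dd0d07a-1325-4fb6-a138-a7dd3a674d7b} - C:\WINDOWS\system32\editgmt.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\efddca.dll",realset
O4 - HKLM\..\Run: [ui] rundll32.exe "C:\WINDOWS\vtutqr.dll",realset
O20 - Winlogon Notify: editgmt - editgmt.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: msdns - {E9863FAC-67F5-46A7-B326-1451B3A35F8B} - C:\WINDOWS\msdns.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: MS Common Service - Unknown owner - C:\WINDOWS\system32\mscomserv.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# tmp<hex>.tmp.dll under system32, the naming seen in the log
TMP_DLL_RE = re.compile(r"\\system32\\tmp[0-9a-f]+\.tmp\.dll$", re.I)
# rundll32.exe "<dll>",<export>, the form used by the BootService/ui Run entries
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
# a module sitting directly in the Windows directory rather than a subfolder
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(dll|exe)$", re.I)
# Assumed allow-list of start-page hosts (illustrative, not a reference list)
TRUSTED_START_HOSTS = {"ie.redirect.hp.com", "www.msn.com", "www.google.com"}


@dataclass(frozen=True)
class Finding:
    section: str
    reasons: tuple
    line: str


def _target(body: str) -> str:
    """Last ' - ' separated field of an entry, without the '(file missing)' tag."""
    return body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious HijackThis entry, with every rule that fired."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m["sec"], m["body"]
        reasons = []
        if sec in ("R0", "R1") and ("Start Page" in body or "Default_Page_URL" in body):
            host = (urlparse(body.split("=", 1)[1].strip()).hostname or "").lower()
            if host not in TRUSTED_START_HOSTS:
                reasons.append(f"start page set to untrusted host {host}")
        elif sec == "O4":
            r = RUNDLL_RE.search(body)
            if r and WINROOT_RE.match(r["dll"]):
                reasons.append(f"rundll32 loads {r['dll']} (export {r['export']}) from the Windows root")
        elif sec in ("O2", "O20", "O21", "O23"):
            target = _target(body)
            if "(file missing)" in body:
                reasons.append(f"autostart points at missing file {target}")
            if sec == "O2" and "(no name)" in body:
                reasons.append("BHO registered without a name")
            if TMP_DLL_RE.search(target):
                reasons.append(f"temp-named DLL in system32: {target}")
            if WINROOT_RE.match(target):
                reasons.append(f"module loaded directly from the Windows root: {target}")
            if sec == "O23" and "Unknown owner" in body:
                reasons.append("service has no vendor string")
        if reasons:
            findings.append(Finding(sec, tuple(reasons), raw.strip()))
    return findings


def report(findings: List[Finding]) -> str:
    return "\n".join(f"[{f.section}] {'; '.join(f.reasons)}\n    {f.line}" for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Every rule here is a heuristic: the CyberLink RichVideo service in the same log also shows "Unknown owner", so a hit means "check this file", not "malware". The loader names also differ between this log (efddca.dll, vtutqr.dll, tmp22.tmp.dll) and the VundoFix output posted later in the thread (tmp128, tmp1C, tmp39), which is why the rules match naming patterns and load locations rather than specific file names.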



#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 18 May 2007 - 07:28 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Venom_0728.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads, the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

********************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Please post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

********************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


********************************

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option #1 – Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply.

Also post a new Hijackthis log.

#3 Venom_0728 (Topic Starter, Members, 15 posts)

Posted 18 May 2007 - 04:07 PM

Here's the SDFix log:


SDFix: Version 1.84

Run by Dan - Fri 05/18/2007 - 12:36:56.31

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:




Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\DOCUME~1\Dan\LOCALS~1\Temp\tmp21.tmp.exe - Deleted
C:\DOCUME~1\Dan\LOCALS~1\Temp\tmp22.tmp.exe - Deleted
C:\DOCUME~1\Dan\LOCALS~1\Temp\tmp42.tmp.exe - Deleted
C:\DOCUME~1\Dan\LOCALS~1\Temp\abc123.pid - Deleted
C:\DOCUME~1\Dan\LOCALS~1\Temp\hd-log.txt - Deleted
C:\WINDOWS\domain-access-time.txt - Deleted
C:\WINDOWS\dxdiag.dll - Deleted
C:\WINDOWS\iedns.dll - Deleted
C:\WINDOWS\msdns.dll - Deleted
C:\WINDOWS\search_res.txt - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\Replay AV 8\cygwin1.dll
C:\Program Files\Replay AV 8\cygz.dll
C:\WINDOWS\system32\AVSredirect.dll

Finished



Here's the VundoFix log:


VundoFix V6.3.23

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 12:56:59 PM 5/18/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmp128.tmp.dll
C:\WINDOWS\system32\tmp1C.tmp.dll
C:\WINDOWS\system32\tmp39.tmp.dll

Beginning removal...

VundoFix V6.3.23

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 1:10:34 PM 5/18/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmp128.tmp.dll
C:\WINDOWS\system32\tmp1C.tmp.dll
C:\WINDOWS\system32\tmp39.tmp.dll

Beginning removal...

Performing Repairs to the registry.
Done!


Here's the ComboFix log:

"Dan" - 2007-05-18 13:31:35 Service Pack 2
ComboFix 07-05.18.1.V - Running from: "C:\Documents and Settings\Dan\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\tmp22.tmp.dll


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NM
-------\nm


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-18 ))))))))))))))))))))))))))))))))))


2007-05-18 12:56 <DIR> d-------- C:\VundoFix Backups
2007-05-18 04:24 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-18 04:23 <DIR> d-------- C:\DOCUME~1\Dan\.housecall6.6
2007-05-17 23:23 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-17 15:25 106,638 --a------ C:\WINDOWS\vtutqr.dll
2007-05-17 00:05 <DIR> d-------- C:\Program Files\URUSoft
2007-05-16 23:58 299,520 --a------ C:\WINDOWS\uninst.exe
2007-05-16 23:58 18,991 --a------ C:\WINDOWS\system32\Vmscnt3.dll
2007-05-16 23:58 <DIR> d-------- C:\Program Files\Sub Station Alpha v4.08
2007-05-16 23:56 <DIR> d-------- C:\Program Files\Gabest
2007-05-16 15:39 <DIR> d-------- C:\Program Files\Subtitles Creator
2007-05-13 14:48 <DIR> d-------- C:\WINDOWS\ydkjtv
2007-05-13 14:48 <DIR> d-------- C:\Program Files\ydkj television
2007-05-13 14:37 <DIR> d-------- C:\Program Files\Joost
2007-05-13 14:37 <DIR> d-------- C:\DOCUME~1\Dan\APPLIC~1\Joost
2007-05-12 03:20 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-05-11 21:27 <DIR> d-------- C:\Program Files\AnalogX
2007-05-06 19:18 <DIR> d-------- C:\Downloads
2007-05-06 19:16 <DIR> d-------- C:\Program Files\Orbitdownloader
2007-05-06 19:16 <DIR> d-------- C:\DOCUME~1\Dan\APPLIC~1\Orbit
2007-05-06 13:43 <DIR> d-------- C:\Program Files\Max Payne
2007-05-04 10:42 <DIR> d-------- C:\GBA
2007-04-30 22:22 <DIR> d-------- C:\Program Files\directx
2007-04-30 17:33 <DIR> d-------- C:\DOCUME~1\Dan\APPLIC~1\com.finetune.apollo.FinetuneDesktop
2007-04-30 17:32 <DIR> d-------- C:\Program Files\Common Files\Adobe Apollo
2007-04-29 12:49 <DIR> d-------- C:\DOCUME~1\Dan\APPLIC~1\Ulead Systems
2007-04-29 01:22 <DIR> d-------- C:\Program Files\Windows Media Components
2007-04-29 01:19 <DIR> d-------- C:\Program Files\Ulead Systems
2007-04-29 01:19 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2007-04-29 01:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ulead Systems
2007-04-28 16:58 <DIR> d-------- C:\Program Files\Eidos
2007-04-28 00:12 <DIR> d-------- C:\Program Files\Absolute Sound Recorder
2007-04-27 11:11 <DIR> d-------- C:\Program Files\DOOM
2007-04-26 21:16 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2007-04-26 21:16 1,233,920 --a------ C:\WINDOWS\system32\msxml4.dll
2007-04-26 19:23 344,064 -ra------ C:\WINDOWS\system32\msvcr70.dll
2007-04-26 19:23 14,604 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2007-04-26 19:12 <DIR> d-------- C:\Program Files\PowerISO
2007-04-25 00:27 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-04-25 00:23 <DIR> d-------- C:\Program Files\Microsoft Works
2007-04-25 00:22 <DIR> d-------- C:\Program Files\MSBuild
2007-04-25 00:12 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-04-25 00:08 <DIR> dr-h----- C:\MSOCache
2007-04-24 19:21 <DIR> d-------- C:\DOCUME~1\Dan\APPLIC~1\Media Player Classic
2007-04-24 18:13 <DIR> d-------- C:\Program Files\Eidos Interactive
2007-04-24 15:10 <DIR> d-------- C:\Program Files\Replay AV 8
2007-04-24 14:42 <DIR> d-------- C:\Temp
2007-04-24 13:43 153 --a------ C:\WINDOWS\system32\mscomserv.bin
2007-04-23 23:03 212,992 --a------ C:\WINDOWS\ALCHUNIN.EXE
2007-04-23 23:03 <DIR> d-------- C:\Program Files\Alchemy Mindworks
2007-04-23 22:54 <DIR> d-------- C:\DOCUME~1\Dan\APPLIC~1\CyberLink
2007-04-23 22:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-04-23 22:51 <DIR> d-------- C:\Program Files\CyberLink
2007-04-23 22:42 <DIR> d-------- C:\Program Files\Satsuki Decoder Pack
2007-04-23 22:41 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2007-04-23 22:40 <DIR> d-------- C:\WINDOWS\system32\C2MP
2007-04-23 22:39 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-04-23 22:39 654,848 --a------ C:\WINDOWS\system32\x264vfw.dll
2007-04-23 22:39 639,066 --a------ C:\WINDOWS\system32\divx.dll
2007-04-23 22:39 630,784 --a------ C:\WINDOWS\system32\vp7vfw.dll
2007-04-23 22:39 438,272 --a------ C:\WINDOWS\system32\vp6vfw.dll
2007-04-23 22:39 39,936 --a------ C:\WINDOWS\system32\huffyuv.dll
2007-04-23 22:39 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-04-23 22:39 217,088 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-04-23 22:39 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-04-23 22:39 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-04-23 22:39 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-04-23 22:39 144,384 --a------ C:\WINDOWS\system32\Iacenc.dll
2007-04-23 22:39 1,565,480 --a------ C:\WINDOWS\system32\wmv9vcm.dll
2007-04-23 22:39 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-04-23 22:39 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-04-23 22:39 <DIR> d-------- C:\DOCUME~1\Dan\APPLIC~1\Real
2007-04-23 22:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Real
2007-04-23 22:32 <DIR> d-------- C:\Program Files\Artful GIF Animator
2007-04-23 22:27 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-04-23 22:26 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-04-23 22:23 <DIR> d-------- C:\Program Files\Common Files\Xuisoft
2007-04-23 00:40 <DIR> d-------- C:\DOCUME~1\Dan\APPLIC~1\AdobeUM
2007-04-23 00:36 4,096 --a------ C:\WINDOWS\d3dx.dat
2007-04-22 23:17 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-04-22 23:16 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2007-04-22 23:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-04-22 15:34 <DIR> d-------- C:\DOCUME~1\Dan\Incomplete
2007-04-22 01:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-04-22 00:54 <DIR> d-------- C:\Program Files\Bonjour
2007-04-22 00:39 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-04-22 00:32 <DIR> d-------- C:\Program Files\Adobe CS3
2007-04-22 00:16 <DIR> d-------- C:\Program Files\Desktop Sidebar
2007-04-22 00:15 <DIR> d-------- C:\Program Files\RhinoSoft.com
2007-04-21 22:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-21 17:43 <DIR> d-------- C:\Program Files\MDickie
2007-04-20 21:57 <DIR> d-------- C:\Program Files\3impact3demos
2007-04-20 09:23 4,194,304 --a------ C:\DOCUME~1\Dan\ntuser.dat
2007-04-19 17:50 <DIR> d-------- C:\Program Files\Steam
2007-04-18 19:37 <DIR> d-------- C:\DOCUME~1\Dan\APPLIC~1\Help


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-18 19:29:41 -------- d-----w C:\DOCUME~1\Dan\APPLIC~1\uTorrent
2007-05-18 11:15:45 -------- d-----w C:\Program Files\FlashFXP
2007-05-18 08:39:22 -------- d-----w C:\Program Files\Norton Internet Security
2007-05-18 08:39:16 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-12 00:48:28 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-10 00:14:08 -------- d-----w C:\DOCUME~1\Dan\APPLIC~1\LimeWire
2007-05-07 07:11:59 -------- d-----w C:\DOCUME~1\Dan\APPLIC~1\U3
2007-04-29 08:28:00 -------- d-----w C:\Program Files\QuickTime
2007-04-29 03:59:33 -------- d-----w C:\Program Files\Apache2
2007-04-27 05:13:28 -------- d-----w C:\Program Files\Apoint2K
2007-04-22 07:14:44 -------- d-----w C:\Program Files\thriXXX
2007-04-17 23:47:36 -------- d-----w C:\Program Files\Valve
2007-04-17 23:24:39 -------- d-----w C:\Program Files\Counter-Strike 1.6
2007-04-16 04:40:44 9 ----a-w C:\WINDOWS\system32\msade41.dll
2007-04-16 01:20:27 -------- d-----w C:\Program Files\Total Video Converter
2007-04-15 08:59:03 -------- d-----w C:\Program Files\CPQ
2007-04-15 07:24:17 -------- d-----w C:\Program Files\WinAVIVideoConverter
2007-04-14 21:04:41 -------- d-----w C:\Program Files\Pegasys Inc
2007-04-14 20:37:42 -------- d-----w C:\DOCUME~1\Dan\APPLIC~1\FlashFXP
2007-04-14 09:53:37 -------- d-----w C:\Program Files\uTorrent
2007-04-14 07:30:00 -------- d-----w C:\Program Files\Speed Video Splitter
2007-04-14 06:16:50 -------- d-----w C:\DOCUME~1\Dan\APPLIC~1\InterVideo
2007-04-14 05:16:47 -------- d-----w C:\DOCUME~1\Dan\APPLIC~1\Ahead
2007-04-14 03:33:30 -------- d-----w C:\Program Files\Ahead
2007-04-14 03:25:31 -------- d-----w C:\Program Files\Common Files\Ahead
2007-04-14 01:10:37 -------- d-----w C:\DOCUME~1\Dan\APPLIC~1\Desktop Sidebar
2007-04-13 06:33:02 -------- d-----w C:\DOCUME~1\Dan\APPLIC~1\CursorArts
2007-04-13 06:27:39 -------- d-----w C:\Program Files\DVD Decrypter
2007-04-12 09:18:37 0 ----a-w C:\WINDOWS\nsreg.dat
2007-04-12 03:33:09 172,544 ----a-w C:\WINDOWS\system32\cncs32.dll
2007-04-12 02:01:40 -------- d-----w C:\DOCUME~1\Dan\APPLIC~1\Lavasoft
2007-04-12 02:01:20 -------- d-----w C:\Program Files\Lavasoft
2007-04-11 19:19:04 -------- d-----w C:\Program Files\CD_DVD-ROM Generator 1.20
2007-04-11 18:27:09 -------- d-----w C:\Program Files\Elaborate Bytes
2007-04-11 10:57:01 -------- d-----w C:\Program Files\Alcohol Soft
2007-04-11 10:25:33 -------- d-----w C:\Program Files\UltraISO
2007-04-11 10:25:33 -------- d-----w C:\Program Files\Common Files\EZB Systems
2007-04-11 03:30:51 -------- d-----w C:\DOCUME~1\Dan\APPLIC~1\Anvil Studio
2007-04-10 02:12:52 -------- d-----w C:\Program Files\LimeWire
2007-04-09 21:25:28 -------- d-----w C:\DOCUME~1\Dan\APPLIC~1\vlc
2007-04-09 21:24:29 -------- d-----w C:\Program Files\VideoLAN
2007-04-09 09:28:54 -------- d-----w C:\DOCUME~1\Dan\APPLIC~1\OnReally
2007-04-09 08:22:22 -------- d-----w C:\Program Files\iTunes
2007-04-09 08:22:14 -------- d-----w C:\Program Files\Messenger
2007-04-09 04:29:41 -------- d-----w C:\Program Files\QuickPar
2007-04-09 04:28:47 -------- d-----w C:\Program Files\NewsLeecher
2007-04-09 02:18:17 -------- d-----w C:\Program Files\HPQ
2007-04-09 02:16:59 -------- d-----w C:\Program Files\Intel
2007-04-09 02:10:42 -------- d-----w C:\Program Files\Common Files\SureThing Shared
2007-04-09 02:10:41 -------- d-----w C:\Program Files\Sonic
2007-04-09 02:10:35 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-09 02:07:31 -------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-04-09 02:03:30 50 ----a-w C:\AUTOEXEC.BAT
2007-04-09 02:03:21 -------- d-----w C:\Program Files\Common Files\muvee Technologies
2007-04-09 02:03:10 -------- d-----w C:\Program Files\muvee Technologies
2007-04-09 02:02:29 -------- d-----w C:\Program Files\Zone.com
2007-04-09 02:02:00 -------- d-----w C:\DOCUME~1\Dan\APPLIC~1\Apple Computer
2007-04-09 02:00:49 -------- d-----w C:\Program Files\iPod
2007-04-09 01:59:38 -------- d-----w C:\Program Files\Hp
2007-04-09 01:59:38 -------- d-----w C:\Program Files\Hewlett-Packard
2007-04-09 01:50:20 -------- d-----w C:\Program Files\Symantec
2007-04-09 01:47:59 -------- d-----w C:\DOCUME~1\Dan\APPLIC~1\Symantec
2007-04-09 01:44:37 -------- d-----w C:\Program Files\Analog Devices
2007-04-09 01:27:14 -------- d-----w C:\Program Files\microsoft frontpage
2007-04-09 01:27:01 0 --sha-r C:\MSDOS.SYS
2007-04-09 01:27:01 0 --sha-r C:\IO.SYS
2007-04-09 01:27:01 0 ----a-w C:\CONFIG.SYS
2007-04-09 01:25:12 -------- d--h--w C:\Program Files\WindowsUpdate
2007-04-09 01:25:06 -------- d-----w C:\Program Files\Online Services
2007-04-09 01:24:04 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-04-09 01:23:52 -------- d-----w C:\Program Files\Movie Maker
2007-04-09 01:23:14 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-04-09 01:22:01 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-04-09 01:21:51 -------- d-----w C:\Program Files\Windows NT
2007-04-08 18:13:57 -------- d-----w C:\Program Files\Common Files\ODBC
2007-04-08 18:13:52 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-03-22 03:54:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL
2007-03-22 03:54:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.EXE
2007-03-22 03:54:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.EXE
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-16 00:27:08 200,704 ----a-w C:\WINDOWS\setup1.exe
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-26 21:24:30 239,616 ----a-w C:\WINDOWS\system32\gdsmux.exe
2007-02-26 21:24:20 220,672 ----a-w C:\WINDOWS\system32\dxr.dll
2007-02-26 21:23:36 104,960 ----a-w C:\WINDOWS\system32\dsmux.exe
2007-02-26 21:22:42 150,528 ----a-w C:\WINDOWS\system32\mkx.dll
2007-02-26 21:22:36 110,592 ----a-w C:\WINDOWS\system32\avi.dll
2007-02-26 21:22:34 106,496 ----a-w C:\WINDOWS\system32\avss.dll
2007-02-26 21:22:30 141,312 ----a-w C:\WINDOWS\system32\mp4.dll
2007-02-26 21:22:24 123,392 ----a-w C:\WINDOWS\system32\ogm.dll
2007-02-26 21:22:14 159,744 ----a-w C:\WINDOWS\system32\mmfinfo.dll
2007-02-26 21:22:08 135,168 ----a-w C:\WINDOWS\system32\mkv2vfr.exe
2007-02-26 21:22:04 151,552 ----a-w C:\WINDOWS\system32\ts.dll
2007-02-26 21:21:46 99,840 ----a-w C:\WINDOWS\system32\avs.dll
2007-02-26 21:21:38 79,360 ----a-w C:\WINDOWS\system32\mkzlib.dll
2007-02-26 21:21:38 23,552 ----a-w C:\WINDOWS\system32\mkunicode.dll
2007-02-21 20:00:28 10,752 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-02-12 19:21:22 96,256 ----a-w C:\WINDOWS\system32\ff_libdts.dll
2007-02-12 19:21:22 64,000 ----a-w C:\WINDOWS\system32\ff_realaac.dll
2007-02-12 19:21:22 59,904 ----a-w C:\WINDOWS\system32\ff_theora.dll
2007-02-12 19:21:22 54,784 ----a-w C:\WINDOWS\system32\ff_libmad.dll
2007-02-12 19:21:22 39,424 ----a-w C:\WINDOWS\system32\ff_kernelDeint.dll
2007-02-12 19:21:22 38,400 ----a-w C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-02-12 19:21:22 38,400 ----a-w C:\WINDOWS\system32\ff_unrar.dll
2007-02-12 19:21:22 36,352 ----a-w C:\WINDOWS\system32\libmpeg2_ff.dll
2007-02-12 19:21:22 200,192 ----a-w C:\WINDOWS\system32\audxlib.dll
2007-02-12 19:21:22 19,456 ----a-w C:\WINDOWS\system32\ff_liba52.dll
2007-02-12 19:21:22 15,360 ----a-w C:\WINDOWS\system32\ff_wmv9.dll
2007-02-12 19:21:22 125,952 ----a-w C:\WINDOWS\system32\ff_x264.dll
2007-02-12 19:21:22 123,904 ----a-w C:\WINDOWS\system32\libmplayer.dll
2007-02-12 19:21:22 122,880 ----a-w C:\WINDOWS\system32\ff_samplerate.dll
2007-02-12 19:21:22 1,196,544 ----a-w C:\WINDOWS\system32\libavcodec.dll
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter HTTPFilter
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
DcomLaunch DcomLaunch TermService
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{033673d6-e645-11db-976f-00904bf6e582}]
Shell\AutoRun\command G:\LaunchU3.exe -a



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070518-041539-466
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

backup-20070518-041539-462
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

backup-20070518-041539-960
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

backup-20070518-041539-367
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

backup-20070518-041539-887
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

backup-20070518-041539-303
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

backup-20070518-041539-638
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

backup-20070518-041539-346
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

backup-20070518-041539-354
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

backup-20070518-041539-672
O23 - Service: MS Common Service - Unknown owner - C:\WINDOWS\system32\mscomserv.exe (file missing)

backup-20070518-041539-149
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe

backup-20070518-041539-171
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

backup-20070518-041539-417
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

backup-20070518-041539-289
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

backup-20070518-041539-556
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

backup-20070518-041539-158
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe

backup-20070518-041539-754
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

backup-20070518-041539-380
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

backup-20070518-041539-523
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

backup-20070518-041539-715
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

backup-20070518-041539-220
O21 - SSODL: iedns - {13E686FD-94BB-4AEC-A16E-FEEA558B9213} - C:\WINDOWS\iedns.dll

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{13E686FD-94BB-4AEC-A16E-FEEA558B9213}]

[HKEY_CLASSES_ROOT\CLSID\{13E686FD-94BB-4AEC-A16E-FEEA558B9213}\InProcServer32]
@="C:\\WINDOWS\\iedns.dll"



backup-20070518-041539-726
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

backup-20070518-041539-167
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

backup-20070518-041539-771
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

backup-20070518-041539-762
O21 - SSODL: msdns - {E9863FAC-67F5-46A7-B326-1451B3A35F8B} - C:\WINDOWS\msdns.dll

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E9863FAC-67F5-46A7-B326-1451B3A35F8B}]

[HKEY_CLASSES_ROOT\CLSID\{E9863FAC-67F5-46A7-B326-1451B3A35F8B}\InProcServer32]
@="C:\\WINDOWS\\msdns.dll"



backup-20070518-041539-155
O21 - SSODL: iebrowser - {4DACF5D8-D6FB-44F8-A8BE-896371E7E373} - C:\WINDOWS\iebrowser.dll (file missing)

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4DACF5D8-D6FB-44F8-A8BE-896371E7E373}]

[HKEY_CLASSES_ROOT\CLSID\{4DACF5D8-D6FB-44F8-A8BE-896371E7E373}\InProcServer32]
@="C:\\WINDOWS\\iebrowser.dll"



backup-20070518-041538-326
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,77,eb,b2,69,c7,c4,ba,43,9d,a1,0b,0e,4f,ec,72,3a,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,8a,ec,f4,90,ef,ff,6e,85,\
1c,53,82,90,c5,e8,ff,43,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,3e,\
cc,97,f8,f4,fe,47,cc,d1,25,41,6c,9a,a7,48,69,b0,01,00,00,70,18,fd,10,5e,da,\
30,0e,83,ee,28,32,f0,3b,3c,2d,78,04,2f,9e,9f,15,e9,b0,89,bb,47,64,f1,d0,79,\
dc,6b,98,12,67,f9,bd,71,aa,29,3e,81,e8,27,45,2d,5c,03,88,fa,48,2f,1c,73,63,\
19,97,66,72,17,e7,95,dd,fe,b2,0b,20,e5,3a,64,a0,be,b9,22,0b,51,3a,ff,59,6d,\
0c,f4,12,22,42,da,55,aa,57,57,80,81,39,02,55,b4,f4,66,a0,81,57,77,55,2b,4b,\
b9,a4,8b,45,b6,d1,7a,91,3e,4e,f3,9d,ed,cc,60,c6,44,38,85,c2,90,f5,9e,f7,44,\
c1,1a,28,b2,12,9f,45,f2,20,b5,35,cc,d6,0e,90,f5,bc,03,7e,a7,dc,13,6b,22,d9,\
f1,47,63,f6,54,5c,4d,4c,8e,e5,06,5e,0b,0e,f0,b0,72,16,03,9b,41,03,84,c1,a9,\
38,35,b7,8f,b2,fc,62,ab,2a,a2,b3,72,35,6d,52,be,72,67,3c,10,8e,df,ca,bc,19,\
e8,03,da,39,10,f2,1c,28,34,a5,0c,be,ed,41,49,98,af,9b,6d,35,66,82,15,45,66,\
28,1b,ca,40,36,79,4d,ce,12,6d,d0,54,87,99,df,54,87,91,80,59,05,e7,90,8a,36,\
67,32,97,f5,3c,3c,3c,5a,24,01,41,06,52,7e,2e,1d,d2,ba,58,7d,8a,08,a7,70,52,\
88,9c,76,a2,6f,22,41,5e,8b,3d,db,69,2d,4f,ea,02,e3,6f,ed,2f,c6,9f,cd,76,8c,\
89,e3,15,2e,60,bb,28,30,13,e0,fb,d4,9e,10,11,02,5d,6a,b0,ab,05,00,db,f9,81,\
d2,05,fc,93,da,ed,72,7c,1c,67,1f,60,b7,36,9a,98,c8,b0,1d,7b,39,e9,07,a9,29,\
5d,18,4e,2e,d7,bc,90,7a,93,12,80,b4,4e,b6,d2,e7,52,b2,79,b0,a4,3f,ed,52,ef,\
84,79,b4,45,65,dd,d1,6d,7f,ee,94,a3,81,fa,07,a7,43,00,f5,88,ed,42,d5,cc,19,\
bf,4c,e4,a2,81,97,37,1d,a3,df,65,f8,40,ea,2f,67,69,dd,ca,f7,d6,67,6b,76,93,\
40,14,00,00,00,ad,57,e7,9b,d4,de,42,6b,47,ed,35,fe,1f,2f,09,95,0c,42,0c,f6



backup-20070518-041538-488
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"



backup-20070518-041538-708
O20 - Winlogon Notify: editgmt - editgmt.dll (file missing)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\editgmt]
"Asynchronous"=dword:00000000
"Dllname"="editgmt.dll"
"Impersonate"=dword:00000000
"Startup"="NotifyStartup"
"Shutdown"="NotifyShutdown"



backup-20070518-041537-857
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

backup-20070518-041537-596
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

backup-20070518-041537-992
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL

backup-20070518-041537-281
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop

backup-20070518-041536-943
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

backup-20070518-041536-165
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

backup-20070518-041536-748
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

backup-20070518-041536-161
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

backup-20070518-041536-112
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

backup-20070518-041536-463
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll

backup-20070518-041536-800
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll

backup-20070518-041536-693
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

backup-20070518-041535-978
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

backup-20070518-041535-110
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

backup-20070518-041535-676
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

backup-20070518-041535-839
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

backup-20070518-041535-210
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

backup-20070518-041535-803
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe

backup-20070518-041535-149
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

backup-20070518-041535-540
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

backup-20070518-041535-562
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

backup-20070518-041535-654
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

backup-20070518-041535-647
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

backup-20070518-041535-579
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

backup-20070518-041535-865
O4 - HKLM\..\Run: [ui] rundll32.exe "C:\WINDOWS\vtutqr.dll",realset

backup-20070518-041535-987
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

backup-20070518-041535-293
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

backup-20070518-041535-250
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\efddca.dll",realset

backup-20070518-041535-795
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

backup-20070518-041535-716
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

backup-20070518-041535-898
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

backup-20070518-041535-193
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

backup-20070518-041535-167
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

backup-20070518-041535-523
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\Speed Video Splitter\msdxm.ocx

backup-20070518-041534-467
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll

backup-20070518-041535-248
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

backup-20070518-041534-292
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

backup-20070518-041534-235
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL

backup-20070518-041534-769
O2 - BHO: (no name) - {8dd0d07a-1325-4fb6-a138-a7dd3a674d7b} - C:\WINDOWS\system32\editgmt.dll (file missing)

backup-20070518-041533-629
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\tmp22.tmp.dll

backup-20070518-041533-982
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll

backup-20070518-041533-795
O2 - BHO: MSDNS System - {27A7FB75-FB40-4f94-BCF6-4945BCC8BAAF} - C:\WINDOWS\tlhelper.dll

backup-20070518-041532-487
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

backup-20070518-041532-438
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

backup-20070518-041532-664
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

backup-20070518-041532-850
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

backup-20070518-041532-659
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/hp/

Contents of the 'Scheduled Tasks' folder
2007-04-09 01:51:16 C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-18 13:41:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-18 13:44:50 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-18 13:44


--- E O F ---



Here's the SmitFraud log:

SmitFraudFix v2.183

Scan done at 13:47:49.62, Fri 05/18/2007
Run from C:\Documents and Settings\Dan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dan


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dan\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Dan\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{21275835-9B68-4EAD-B64F-7E549B2C4DEA}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{21275835-9B68-4EAD-B64F-7E549B2C4DEA}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{21275835-9B68-4EAD-B64F-7E549B2C4DEA}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



And finally here's the HiJackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 14:00, on 5/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/hp/
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe



The icon seems to be gone, so hopefully it worked. Thanks for your help! :thumbsup:

Edited by Venom_0728, 18 May 2007 - 04:13 PM.
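As an added example (not HijackThis, ComboFix or BleepingComputer code), here is a first-pass triage script for the O-lines in the backups above, together with a decoder for the hex(2) "DllName" value in the WgaLogon .reg backup. The rules it applies (a loader DLL sitting directly in C:\WINDOWS, tmpNN.tmp.dll names, "(file missing)", a BHO with no name, a service with no company field) are this example's own heuristics for separating the entries the helpers removed from the legitimate ones; the sample lines are copied from the log above.

```python
"""First-pass triage of HijackThis-style autostart lines, plus a decoder for
the hex(2) values in the .reg backups HijackThis writes.

Added example, not HijackThis, ComboFix or BleepingComputer code. The rules
are this example's own assumptions about what separates the entries the
thread's helpers removed from the legitimate ones: a first pass, not a
signature database, and every hit still wants a human look.
"""
import re
from pathlib import PureWindowsPath

# Drive-letter path ending in a loader extension (spaces allowed, quotes not),
# with a bare-filename fallback for lines like "editgmt.dll (file missing)".
WIN_PATH = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:dll|exe|ocx))(?=[\s",)]|$)', re.I)
BARE_FILE = re.compile(r'\b([\w.-]+\.(?:dll|exe|ocx))\b', re.I)
TMP_DLL = re.compile(r'tmp\d+\.tmp\.dll', re.I)
WINDOWS_ROOT = re.compile(r'[a-z]:\\windows')      # C:\WINDOWS itself, not system32
STRONG, WEAK = 'strong', 'weak'

# Constructed sample: O-lines copied from the backups above, malicious and
# legitimate mixed, so the rules have both classes to separate.
SAMPLE_LINES = r"""
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\tmp22.tmp.dll
O2 - BHO: MSDNS System - {27A7FB75-FB40-4f94-BCF6-4945BCC8BAAF} - C:\WINDOWS\tlhelper.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ui] rundll32.exe "C:\WINDOWS\vtutqr.dll",realset
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: editgmt - editgmt.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: iedns - {13E686FD-94BB-4AEC-A16E-FEEA558B9213} - C:\WINDOWS\iedns.dll
O23 - Service: MS Common Service - Unknown owner - C:\WINDOWS\system32\mscomserv.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
""".strip().splitlines()

# WgaLogon Notify backup from the log above: hex(2) is REG_EXPAND_SZ, UTF-16LE.
WGALOGON_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Impersonate"=dword:00000001
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
  6c,00,6c,00,00,00
'''


def entry_target(line):
    """The loader file an HJT line points at, or None."""
    m = WIN_PATH.search(line) or BARE_FILE.search(line)
    return m.group(1) if m else None


def judge(line):
    """Apply the rules to one line: (target, [(weight, reason), ...])."""
    kind = line.split(' - ', 1)[0].strip()
    target = entry_target(line)
    reasons = []
    if 'file missing' in line.lower():
        reasons.append((STRONG, 'orphaned registration: file already deleted or quarantined'))
    if kind == 'O2' and '(no name)' in line:
        reasons.append((WEAK, 'BHO registered without a friendly name'))
    if kind == 'O23' and 'Unknown owner' in line:
        reasons.append((WEAK, 'service carries no company field'))
    if target:
        p = PureWindowsPath(target)
        name, parent = p.name.lower(), str(p.parent).lower()
        if TMP_DLL.fullmatch(name):
            reasons.append((STRONG, 'temp-named DLL (tmpNN.tmp.dll) used as a loader'))
        if name.endswith('.dll') and WINDOWS_ROOT.fullmatch(parent):
            reasons.append((STRONG, 'DLL dropped in the Windows root, not system32 or Program Files'))
    return target, reasons


def triage(lines):
    """{target: [reasons]} for lines with one strong or two weak indicators."""
    flagged = {}
    for line in lines:
        target, reasons = judge(line)
        weights = [w for w, _ in reasons]
        if target and (STRONG in weights or weights.count(WEAK) >= 2):
            flagged.setdefault(target, []).extend(r for _, r in reasons)
    return flagged


def flagged_names(lines):
    return sorted(PureWindowsPath(t).name.lower() for t in triage(lines))


def decode_reg_hex(reg_text, value_name):
    """Decode one hex(2) value from .reg text, joining wrapped lines."""
    lines = reg_text.splitlines()
    prefix = f'"{value_name}"=hex(2):'
    for i, line in enumerate(lines):
        if line.startswith(prefix):
            buf = line[len(prefix):]
            while buf.endswith('\\'):                  # wrapped: next line continues
                i += 1
                buf = buf[:-1] + lines[i].strip()
            raw = bytes(int(b, 16) for b in buf.split(',') if b)
            return raw.decode('utf-16-le').rstrip('\x00')
    raise KeyError(value_name)


if __name__ == '__main__':
    for target, why in triage(SAMPLE_LINES).items():
        print(target, '<-', '; '.join(why))
    print('WgaLogon DllName:', decode_reg_hex(WGALOGON_REG, 'DllName'))
```

Run against the sample, the six entries that trip the rules are the same loaders the thread's fix is chasing (vtutqr.dll, iedns.dll, tlhelper.dll, tmp22.tmp.dll and the orphaned editgmt.dll and mscomserv.exe), while the Adobe, QuickTime, WGA and RichVideo entries pass. Treat "(file missing)" hits as orphaned registrations to clean up rather than live threats: the file is already gone, but the Run, Notify or service key still points at it. The hex(2) value decodes to WgaLogon.dll, which is what the O20 line for that key should name.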


#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:06:09 PM

Posted 18 May 2007 - 04:59 PM

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.zip
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:

C:\WINDOWS\vtutqr.dll

Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot; select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

****************************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
Exit Hijackthis.

****************************

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

***************************

Your log is clean :thumbsup:
If all's OK, please do the following:

Find and delete:
C:\QooBox
C:\VundoFix Backups
C:\SDFix
Vundofix
Combofix
Smitfraudfix
SDFix


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on OK.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?'; click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
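What 'Delete on Reboot' sets up, as an added example that is not KillBox's code: delete-on-reboot tools generally go through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends the request to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the Session Manager carries it out at the next boot before the DLL can be loaded. That KillBox uses exactly this mechanism is an assumption of this example. The script below only builds and parses that value offline (it never writes to a registry); the replace entry for C:\staging\clean.dll is a hypothetical path added so both entry forms appear.

```python
r"""Encode and decode the PendingFileRenameOperations list behind "Delete on
Reboot".

Added example, not KillBox's code. Assumption: like other delete-on-reboot
tools, KillBox calls MoveFileEx(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT), which
appends a (source, destination) pair to the REG_MULTI_SZ value
  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
for the Session Manager to act on at the next boot. Paths are stored in NT
form (\??\C:\...), an empty destination means delete, and a destination
beginning with '!' means replace an existing file. Nothing here touches a
live registry; it only builds and parses the value bytes.
"""

NT_PREFIX = '\\??\\'
NUL = '\x00'


def nt_path(win_path):
    """C:\\foo -> \\??\\C:\\foo (paths already in NT form are left alone)."""
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def encode_pending(ops):
    """Raw REG_MULTI_SZ bytes for a list of (source, destination) pairs.

    destination '' schedules a delete; a destination starting with '!'
    schedules a replace of the existing target. Every string is
    NUL-terminated and the whole list ends with one more NUL; an empty
    destination survives because the Session Manager walks the buffer by
    length rather than stopping at the first double NUL.
    """
    strings = []
    for src, dst in ops:
        strings.append(nt_path(src))
        if dst == '':
            strings.append('')
        elif dst.startswith('!'):
            strings.append('!' + nt_path(dst[1:]))
        else:
            strings.append(nt_path(dst))
    text = ''.join(s + NUL for s in strings) + NUL
    return text.encode('utf-16-le')


def decode_pending(blob):
    """Inverse of encode_pending: list of (source, destination) pairs."""
    text = blob.decode('utf-16-le')
    if text.endswith(NUL):
        text = text[:-1]                      # list terminator
    strings = text.split(NUL)[:-1]            # each entry was NUL-terminated
    return [(strings[i], strings[i + 1]) for i in range(0, len(strings) - 1, 2)]


def pending_deletes(blob):
    """Windows-form paths scheduled for deletion at the next boot."""
    return [src[len(NT_PREFIX):] for src, dst in decode_pending(blob) if dst == '']


def pending_replaces(blob):
    """(target, replacement) pairs; a target under system32 deserves a look."""
    out = []
    for src, dst in decode_pending(blob):
        if dst.startswith('!'):
            out.append((dst[1 + len(NT_PREFIX):], src[len(NT_PREFIX):]))
    return out


# Constructed request: the delete asked for above, plus a hypothetical replace
# (C:\staging\clean.dll is not a path from the thread).
SAMPLE_OPS = [
    (r'C:\WINDOWS\vtutqr.dll', ''),
    (r'C:\staging\clean.dll', r'!C:\WINDOWS\system32\example.dll'),
]

if __name__ == '__main__':
    blob = encode_pending(SAMPLE_OPS)
    print('deletes :', pending_deletes(blob))
    print('replaces:', pending_replaces(blob))
```

The check worth doing after scheduling the delete is to read the value back (regedit, or reg query on the Session Manager key) and confirm the vtutqr.dll entry is listed with an empty destination; after the reboot, confirm both that the file is gone and that the Run entry which loaded it ([ui] in the backups above) did not come back. The same value is writable by anything running as an administrator, so a replace entry pointing into system32 on an unfamiliar machine is worth reading as an autostart in its own right.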