
Multiple Trojans, Programs Quitting, And Mycleanerpc (logfile Attached)


8 replies to this topic

#1 ComputerNooblet

  • Members
  • 5 posts

Posted 26 May 2007 - 03:01 PM

Help, I recently got a NoCD crack so I could play my S.T.A.L.K.E.R. game without the disc, and once I ran the game, it stopped and a bunch of windows opened up (like 15 total). Here's the link to the crack I downloaded: http://dl.gamecopyworld.com/?d=2007&f=vty-ssoc!rar (it's not actually to download it... it's the link to the mirrors for it)

I tried opening adware programs and stuff but nothing opened, so I restarted the computer in safe mode with networking and ran Spybot and housecall.trendmicro. Spybot found very few programs and fixed them all, and upon a second scan they were gone. Housecall found a lot of trojans and some adware, but once I clicked the button to fix the problems the window froze and none were fixed, then it randomly exited. I ran Housecall again and the same thing happened when I tried to fix the problems (it found the same problems as before).

Since I downloaded the crack I have been having random Internet Explorer popups for things like turbopc and registry cleaners. Also, I have been having a program open on startup and randomly while I'm on the computer called mycleanerpc, and it opens up a process called MYCLEA~2.exe, and once that process is going I get tons of popups and download prompts for random antivirus programs such as winantivirus.

Here's my HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 3:33:03 PM, on 5/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Animation\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\WNSXS~1\spool32.exe
C:\WINDOWS\system32\S?mantec\d?xplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Alcohol Toolbar - {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: run_startmenu.cmd
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Animation\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe



Please help when you get a chance, and thanks in advance.


#2 random/random

  • Malware Response Team
  • 2,704 posts

Posted 26 May 2007 - 03:34 PM

Rename HijackThis to random.exe

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

#3 ComputerNooblet
  • Topic Starter

  • Members
  • 5 posts

Posted 31 May 2007 - 02:20 PM

VundoFix V6.4.1

Checking Java version...

Scan started at 2:41:03 PM 5/31/2007

Listing files found while scanning....

C:\WINDOWS\system32\blerhsve.dll
C:\WINDOWS\system32\evshrelb.ini
C:\WINDOWS\system32\lnnmp.ini
C:\WINDOWS\system32\mljhfdb.dll
C:\WINDOWS\system32\nnnlmkl.dll
C:\WINDOWS\system32\nnnnnkl.dll
C:\WINDOWS\system32\pmnnl.dll
C:\WINDOWS\system32\ssqnlig.dll
C:\WINDOWS\system32\ttstv.bak1
C:\WINDOWS\system32\ttstv.bak2
C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ttstv.ini2
C:\WINDOWS\system32\ttstv.tmp
C:\WINDOWS\system32\urqomlm.dll
C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\wvusqno.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\blerhsve.dll
C:\WINDOWS\system32\blerhsve.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\evshrelb.ini
C:\WINDOWS\system32\evshrelb.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\lnnmp.ini
C:\WINDOWS\system32\lnnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljhfdb.dll
C:\WINDOWS\system32\mljhfdb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnlmkl.dll
C:\WINDOWS\system32\nnnlmkl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnnnkl.dll
C:\WINDOWS\system32\nnnnnkl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnnl.dll
C:\WINDOWS\system32\pmnnl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqnlig.dll
C:\WINDOWS\system32\ssqnlig.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttstv.bak1
C:\WINDOWS\system32\ttstv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttstv.bak2
C:\WINDOWS\system32\ttstv.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ttstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttstv.ini2
C:\WINDOWS\system32\ttstv.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttstv.tmp
C:\WINDOWS\system32\ttstv.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\urqomlm.dll
C:\WINDOWS\system32\urqomlm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\vtstt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvusqno.dll
C:\WINDOWS\system32\wvusqno.dll Has been deleted!

Performing Repairs to the registry.
Done!

---------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:16:07 PM, on 5/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Animation\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\svchost.exe
C:\PROGRA~1\COMMON~1\WNSXS~1\spool32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\S?mantec\d?xplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\Explorer.exe
C:\Documents and Settings\Owner\Desktop\random.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\system32\nnnlmkl.dll (file missing)
O2 - BHO: Alcohol Toolbar Helper - {52D06F97-5511-43FA-8FDA-C481864FD26E} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6609DB7C-7360-4259-AFEA-B2E378B835CC} - C:\WINDOWS\system32\vtstt.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\agyjgoja.dll
O2 - BHO: (no name) - {E3084E3B-A0AA-F754-8A0F-8FADD8B177CC} - C:\WINDOWS\system32\hmkehf.dll
O2 - BHO: 0 - {E9D7E48A-418D-4C16-B8BD-94A84972B0F5} - C:\Program Files\Internet Explorer\labunu.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Alcohol Toolbar - {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [A00F5D93C5B.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F5D93C5B.exe
O4 - HKCU\..\Run: [A00F5D93C6B.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F5D93C6B.exe
O4 - HKCU\..\Run: [A00F5D94043.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F5D94043.exe
O4 - HKCU\..\Run: [xrunwin] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\COMMON~1\WNSXS~1\spool32.exe" -vt yazb
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: run_startmenu.cmd
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: __c006A8E6 - C:\WINDOWS\system32\__c006A8E6.dat
O20 - Winlogon Notify: __c00774F4 - C:\WINDOWS\system32\__c00774F4.dat
O20 - Winlogon Notify: __c008DF89 - C:\WINDOWS\system32\__c008DF89.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Animation\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe

Thanks!
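As an added example (not code from this thread, from HijackThis or from the Malware Response Team), the script below parses HijackThis entry lines of the kind posted above and flags the indicator types a helper scans for: a browser proxy on localhost, unnamed BHOs in system32, Run entries in a Temp directory, system binary names outside their normal directory, Winlogon Notify handlers that are not DLLs, and orphaned "(file missing)" entries. The sample lines are constructed from entries in the log above; the heuristics and the `EXPECTED_DIR` table are this example's own assumptions, not HijackThis rules.

```python
"""Triage heuristics for HijackThis-style log entries (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: entry lines modelled on the second HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\system32\nnnlmkl.dll (file missing)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\agyjgoja.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [A00F5D93C5B.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F5D93C5B.exe
O4 - HKCU\..\Run: [xrunwin] C:\WINDOWS\svchost.exe
O20 - Winlogon Notify: __c006A8E6 - C:\WINDOWS\system32\__c006A8E6.dat
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
"""

# "O4 - <rest of entry>"; process-list lines and headers do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# A Windows path up to a binary-looking extension; quotes and trailing arguments are excluded.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\n]*?\.(?:exe|dll|dat|sys|scr)\b", re.IGNORECASE)

# Directory (last path component) in which Windows XP keeps these binaries (assumption
# of this example). A file with one of these names anywhere else is a classic masquerade.
EXPECTED_DIR = {
    "svchost.exe": "system32", "lsass.exe": "system32", "services.exe": "system32",
    "winlogon.exe": "system32", "smss.exe": "system32", "explorer.exe": "windows",
}


@dataclass
class Finding:
    kind: str      # HijackThis entry type, e.g. "O4"
    line: str      # the original log line
    reasons: list  # why it was flagged


def triage_entry(line: str):
    """Return a Finding for one log line, or None if nothing looks wrong."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    reasons = []

    # R1 ProxyServer pointing at the local host: browser traffic is being relayed
    # through something running on the box.
    if kind == "R1" and "ProxyServer" in body:
        value = body.split("=", 1)[1].strip().lower()
        if value.startswith(("localhost", "127.")):
            reasons.append(f"browser proxy set to the local machine: {value}")

    for path in PATH_RE.findall(body):
        low = path.lower()
        parent, _, name = low.rpartition("\\")
        parent_dir = parent.rpartition("\\")[2]
        expected = EXPECTED_DIR.get(name)
        if expected and parent_dir != expected:
            reasons.append(f"system binary name outside {expected}: {path}")
        if kind == "O4" and "\\temp\\" in low:
            reasons.append(f"autostart entry runs from a Temp directory: {path}")
        if kind == "O2" and "(no name)" in body and parent_dir == "system32":
            reasons.append(f"unnamed BHO loaded from system32: {path}")
        if kind == "O20" and not name.endswith(".dll"):
            reasons.append(f"Winlogon Notify handler is not a .dll: {path}")

    # Entries whose target is gone are leftovers of a partial removal; they still
    # need cleaning up, and they show which names to look for in other locations.
    if "(file missing)" in body:
        reasons.append("orphaned entry: target file no longer exists")

    return Finding(kind, line.strip(), reasons) if reasons else None


def triage_log(text: str) -> list:
    """Run triage_entry over a whole log and keep only the flagged entries."""
    return [f for f in (triage_entry(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding.kind, "|", finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

Run against a full log, the script leaves the Adobe and QuickTime entries alone and reports the seven entries above, which is roughly the set a helper would queue for removal.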

#4 random/random

  • Malware Response Team
  • 2,704 posts

Posted 01 June 2007 - 04:06 AM

You do not appear to be running a real-time antivirus; this is leaving you open to infection.
Please install one of the following free antivirus programs:

Download ComboFix from Here or Here to your Desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#5 ComputerNooblet
  • Topic Starter

  • Members
  • 5 posts

Posted 01 June 2007 - 01:52 PM

I ran both things, but somehow I lost the ability to browse websites because it keeps saying cannot find server, even though all lights are illuminated on my modem and router and Trillian can still run.
Now I'm in safe mode with networking just so I can post these logs.

Oh, and also I cannot run any games or anything either, because I double-click on it and nothing happens.
I've also been getting a LOT of popups, especially by outerinfo and advertisement.onadinserver.

Here are the logs:

----------------------------------------------------------------------------------------------------------
"Owner" - 2007-06-01 14:25:54 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Owner\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-05-01 to 2007-06-01 ))))))))))))))))))))))))))))))))))


2007-06-01 14:05 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-01 14:05 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-01 14:05 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-01 14:05 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-01 14:05 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-01 14:05 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-01 14:05 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-01 14:05 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-06-01 14:05 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-01 13:19 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-31 14:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-05-31 14:41 <DIR> d-------- C:\VundoFix Backups
2007-05-28 13:15 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-05-27 18:45 52,736 --a------ C:\WINDOWS\uy.exe
2007-05-27 18:45 35,840 --a------ C:\WINDOWS\system32\__c008DF89.dat
2007-05-27 18:45 35,840 --a------ C:\WINDOWS\system32\__c00774F4.dat
2007-05-27 18:45 35,840 --a------ C:\WINDOWS\system32\__c006A8E6.dat
2007-05-27 18:10 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-05-27 18:05 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-26 15:31 72,192 --a------ C:\WINDOWS\system32\zlib.dll
2007-05-26 15:31 25,088 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-05-26 12:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-26 12:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-26 12:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-05-26 11:54 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-26 11:54 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-05-26 11:54 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-05-26 11:54 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\McAfee
2007-05-26 11:49 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2007-05-26 11:49 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-05-26 11:38 951,920 -r-hs---- C:\WINDOWS\nucvegpA.exe
2007-05-26 11:37 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-05-26 11:37 <DIR> d-------- C:\WINDOWS\system32\T6
2007-05-26 11:37 <DIR> d-------- C:\WINDOWS\system32\T4
2007-05-26 11:37 <DIR> d-------- C:\WINDOWS\system32\T3
2007-05-26 11:37 <DIR> d-------- C:\WINDOWS\system32\pog
2007-05-26 11:36 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-05-26 11:36 <DIR> d-------- C:\TEMP\0b9
2007-05-26 11:30 19,520 --a------ C:\WINDOWS\system32\Dx2G0dX3.exe
2007-05-26 01:14 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-05-26 01:14 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-05-26 01:14 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-05-26 01:14 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-05-26 01:14 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-05-26 01:14 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-05-26 01:14 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-05-26 01:14 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-05-25 15:05 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\InstallShield
2007-05-22 11:18 <DIR> d-------- C:\Program Files\QuickTime
2007-05-22 11:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-05-21 18:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Autodesk
2007-05-21 18:53 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2007-05-21 18:53 <DIR> d-------- C:\Program Files\Autodesk
2007-05-21 18:49 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-05-21 18:43 <DIR> d-------- C:\Program Files\PowerISO
2007-05-21 18:38 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-05-21 18:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-05-21 18:36 <DIR> d-------- C:\Program Files\Animation
2007-05-19 01:38 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-05-18 23:08 249,347 --a------ C:\WINDOWS\Alcohol_Toolbar_Uninstaller_9781.exe
2007-05-18 23:08 <DIR> d-------- C:\Program Files\Alcohol Toolbar
2007-05-18 23:08 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-05-18 23:05 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-05-18 17:32 508 --a------ C:\DOCUME~1\Owner\APPLIC~1\wklnhst.dat
2007-05-18 17:32 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Template
2007-05-16 22:11 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Azureus
2007-05-16 22:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-05-16 22:10 <DIR> d-------- C:\Program Files\Azureus
2007-05-14 16:27 <DIR> d-------- C:\WINDOWS\pss
2007-05-14 15:45 <DIR> d-------- C:\Program Files\Games
2007-05-14 15:45 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-05-14 15:44 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-05-14 12:48 <DIR> d---s---- C:\Documents and Settings\Owner\UserData
2007-05-14 12:48 <DIR> d---s---- C:\DOCUME~1\Owner\UserData
2007-05-12 23:00 <DIR> d-------- C:\Program Files\Trillian
2007-05-12 21:50 471,300 --a------ C:\WINDOWS\wallpe.exe
2007-05-12 21:50 262,144 --a------ C:\DOCUME~1\ALLUSE~1\NTUSER.DAT
2007-05-12 21:50 18,000 --a------ C:\WINDOWS\BigFixClientOverride.dll
2007-05-12 21:50 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2007-05-12 21:50 <DIR> d-------- C:\Program Files\Google
2007-05-12 21:50 <DIR> d-------- C:\Program Files\CyberLink
2007-05-12 21:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-05-12 21:49 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2007-05-12 21:49 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2007-05-12 21:49 53,248 --a------ C:\WINDOWS\system32\NeroCo.dll
2007-05-12 21:49 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2007-05-12 21:49 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2007-05-12 21:49 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2007-05-12 21:49 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-05-12 21:49 118,784 --a------ C:\WINDOWS\system32\Msstdfmt.dll
2007-05-12 21:49 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-05-12 21:49 102,400 --a------ C:\WINDOWS\system32\SimpleRegistry.dll
2007-05-12 21:49 10,752 --a------ C:\WINDOWS\system32\aamd532.dll
2007-05-12 21:49 1,658,880 --------- C:\WINDOWS\UNNeroBurnRights.exe
2007-05-12 21:49 <DIR> d-------- C:\WINDOWS\occache
2007-05-12 21:49 <DIR> d-------- C:\Program Files\Viewpoint
2007-05-12 21:49 <DIR> d-------- C:\Program Files\Learn2.com
2007-05-12 21:49 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-05-12 21:49 <DIR> d-------- C:\Program Files\Ahead
2007-05-12 21:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-05-12 21:48 8,552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
2007-05-12 21:48 54,784 --a------ C:\WINDOWS\system32\Inetwh32.dll
2007-05-12 21:48 1,044,480 --a------ C:\WINDOWS\system32\roboex32.dll
2007-05-12 21:48 <DIR> d-------- C:\Program Files\Real
2007-05-12 21:48 <DIR> d-------- C:\Program Files\Common Files\Real
2007-05-12 21:48 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2007-05-12 21:48 <DIR> d-------- C:\My Music
2007-05-12 21:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
2007-05-12 21:47 335 --a------ C:\WINDOWS\nsreg.dat
2007-05-12 21:47 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-05-12 21:46 91,136 -ra------ C:\WINDOWS\system32\msls2.dll
2007-05-12 21:46 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2007-05-12 21:46 81,408 --a------ C:\WINDOWS\system32\LFFAX11N.DLL
2007-05-12 21:46 76,288 -ra------ C:\WINDOWS\system32\PUBOLE32.DLL
2007-05-12 21:46 716,288 -ra------ C:\WINDOWS\system32\Ltwvc11n.dll
2007-05-12 21:46 59,392 --a------ C:\WINDOWS\system32\LFWMF11N.DLL
2007-05-12 21:46 56,320 --a------ C:\WINDOWS\system32\LFPSD11N.DLL
2007-05-12 21:46 54,784 -ra------ C:\WINDOWS\system32\msvci70.dll
2007-05-12 21:46 5,632 -ra------ C:\WINDOWS\system32\mfcuia32.dll
2007-05-12 21:46 487,424 -ra------ C:\WINDOWS\system32\msvcp70.dll
2007-05-12 21:46 41,472 -ra------ C:\WINDOWS\system32\lfgif11n.dll
2007-05-12 21:46 392,192 --a------ C:\WINDOWS\system32\LTKRN11N.DLL
2007-05-12 21:46 37,888 -ra------ C:\WINDOWS\system32\ochlp30e.dll
2007-05-12 21:46 36,864 --a------ C:\WINDOWS\system32\LFBMP11N.DLL
2007-05-12 21:46 344,064 -ra------ C:\WINDOWS\system32\msvcr70.dll
2007-05-12 21:46 33,280 --a------ C:\WINDOWS\system32\LFPCX11N.DLL
2007-05-12 21:46 31,744 -ra------ C:\WINDOWS\system32\hlp95en.dll
2007-05-12 21:46 31,232 --a------ C:\WINDOWS\system32\LFEPS11N.DLL
2007-05-12 21:46 285,184 --a------ C:\WINDOWS\system32\LFCMP11n.DLL
2007-05-12 21:46 27,648 --a------ C:\WINDOWS\system32\LFTGA11N.DLL
2007-05-12 21:46 262,656 --a------ C:\WINDOWS\system32\LTDIS11n.dll
2007-05-12 21:46 26,112 --a------ C:\WINDOWS\system32\LFPCD11N.DLL
2007-05-12 21:46 212,480 -ra------ C:\WINDOWS\system32\PCDLIB32.DLL
2007-05-12 21:46 172,032 -ra------ C:\WINDOWS\system32\Lfpng11n.dll
2007-05-12 21:46 152,064 --a------ C:\WINDOWS\system32\LFTIF11N.DLL
2007-05-12 21:46 133,904 -ra------ C:\WINDOWS\system32\mfcans32.dll
2007-05-12 21:46 127,488 --a------ C:\WINDOWS\system32\LTIMG11N.DLL
2007-05-12 21:46 118,784 -ra------ C:\WINDOWS\system32\ltfil11n.DLL
2007-05-12 21:46 1,233,920 --a------ C:\WINDOWS\system32\msxml4.dll
2007-05-12 21:46 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-05-12 21:46 <DIR> d-------- C:\Program Files\Digital Media Reader
2007-05-12 21:45 9,319,936 --a------ C:\WINDOWS\system32\RTLCPL.EXE
2007-05-12 21:45 77,824 --a------ C:\WINDOWS\SOUNDMAN.EXE
2007-05-12 21:45 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-05-12 21:45 40,960 --------- C:\WINDOWS\system32\ChCfg.exe
2007-05-12 21:45 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-05-12 21:45 208,896 --------- C:\WINDOWS\alcupd.exe
2007-05-12 21:45 2,297,664 --a------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2007-05-12 21:45 156,672 --a------ C:\WINDOWS\system32\RTLCPAPI.dll
2007-05-12 21:45 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-05-12 21:45 139,264 --------- C:\WINDOWS\alcrmv.exe
2007-05-12 21:45 <DIR> d-------- C:\Program Files\Microsoft Works
2007-05-12 21:39 543,232 --a------ C:\WINDOWS\zHotkey.exe
2007-05-12 21:39 532,544 --a------ C:\WINDOWS\PIC.dll
2007-05-12 21:39 36,864 --a------ C:\WINDOWS\ShowWnd.exe
2007-05-12 21:39 3,927 --a------ C:\WINDOWS\mHotkey.reg
2007-05-12 21:39 24,576 --a------ C:\WINDOWS\HKNTDLL.dll
2007-05-12 21:39 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-05-12 21:39 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-05-12 21:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-05-12 21:35 <DIR> d-------- C:\Program Files\Common Files\New Boundary
2007-05-12 21:33 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-05-12 21:31 7,168 --a------ C:\WINDOWS\system32\hccoin.dll
2007-05-12 21:31 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2007-05-12 21:31 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2007-05-12 21:31 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2007-05-12 21:31 26,624 --a------ C:\WINDOWS\system32\drivers\usbehci.sys
2007-05-12 21:31 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-05-12 21:31 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2007-05-12 21:31 <DIR> d-------- C:\Program Files\CONEXANT
2007-05-12 21:29 <DIR> d--hs---- C:\System Volume Information
2007-05-12 21:28 86,016 --a------ C:\WINDOWS\system32\mdmxsdk.dll
2007-05-12 21:28 685,056 --a------ C:\WINDOWS\system32\drivers\HSF_CNXT.sys
2007-05-12 21:28 60 --a------ C:\WINDOWS\system32\SYSDRV.DAT
2007-05-12 21:28 39,018 --a------ C:\WINDOWS\system32\HSFCI011.dll
2007-05-12 21:28 220,032 --a------ C:\WINDOWS\system32\drivers\HSFHWBS2.sys
2007-05-12 21:28 13,059 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
2007-05-12 21:28 1,041,536 --a------ C:\WINDOWS\system32\drivers\HSF_DP.sys
2007-05-12 21:28 <DIR> d-------- C:\WINDOWS\SMINST
2007-05-12 21:28 <DIR> d-------- C:\WINDOWS\creator
2007-05-12 21:27 <DIR> dr------- C:\WINDOWS\Offline Web Pages
2007-05-12 21:27 <DIR> dr------- C:\Program Files
2007-05-12 21:27 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\Documents
2007-05-12 21:24 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache
2007-05-12 21:20 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
2007-05-12 21:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-05-12 21:14 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\WINDOWS
2007-05-12 21:14 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\SampleView
2007-05-12 21:14 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\McAfee
2007-05-12 18:57 <DIR> d--hs---- C:\RECYCLER
2007-05-12 18:55 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-05-12 18:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-05-12 18:54 67,072 --a------ C:\WINDOWS\POWERCFG.EXE
2007-05-12 18:54 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-05-12 18:54 <DIR> d-------- C:\Program Files\MSN Encarta Plus
2007-05-12 18:53 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-05-12 18:53 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-05-12 18:53 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-05-12 18:53 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-05-12 18:53 20,480 --a------ C:\WINDOWS\system32\Marker32.exe
2007-05-12 18:53 <DIR> d-------- C:\Program Files\Microsoft Money 2005
2007-05-12 18:52 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-05-12 18:52 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-05-12 18:52 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-05-12 18:52 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2007-05-12 18:52 351,526 --a------ C:\WINDOWS\WBDDA34I.DLL
2007-05-12 18:52 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-05-12 18:52 171,776 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-05-12 18:52 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-05-12 18:52 <DIR> d-------- C:\Program Files\ATI Technologies
2007-05-12 18:52 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SampleView


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-01 16:30:31 35,840 ----a-w C:\WINDOWS\system32\__c006A8E6.dat
2007-05-27 22:45:12 35,840 ----a-w C:\WINDOWS\system32\__c008DF89.dat
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-09 12:27:07 31,548 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 10:47]
{52D06F97-5511-43FA-8FDA-C481864FD26E}=C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll [2007-05-18 23:08]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{6609DB7C-7360-4259-AFEA-B2E378B835CC}=C:\WINDOWS\system32\vtstt.dll []
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-05-23 18:56]
{E3084E3B-A0AA-F754-8A0F-8FADD8B177CC}=C:\WINDOWS\system32\hmkehf.dll []
{E9D7E48A-418D-4C16-B8BD-94A84972B0F5}=C:\Program Files\Internet Explorer\labunu.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="zHotkey.exe" []
"ShowWnd"="ShowWnd.exe" []
"SoundMan"="SOUNDMAN.EXE" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-12 00:10]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 08:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-23 18:56]
"Cpue"="C:\PROGRA~1\COMMON~1\WNSXS~1\spool32.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c006A8E6]
C:\WINDOWS\system32\__c006A8E6.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00774F4]
C:\WINDOWS\system32\__c00774F4.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c008DF89]
C:\WINDOWS\system32\__c008DF89.dat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]
C:\WINDOWS\cfg32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpue]
"C:\PROGRA~1\COMMON~1\WNSXS~1\spool32.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dgpxpp]
C:\WINDOWS\system32\S?mantec\d?xplore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\myCleanerPC]
C:\PROGRA~1\MYCLEA~1\myCleanerPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nucvegpA]
C:\WINDOWS\nucvegpA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*Newly Created Service* - AAVMKER4
*Newly Created Service* - ASWMON2
*Newly Created Service* - ASWRDR
*Newly Created Service* - ASWTDI
*Newly Created Service* - ASWUPDSV
*Newly Created Service* - AVAST!_ANTIVIRUS
*Newly Created Service* - AVAST!_MAIL_SCANNER
*Newly Created Service* - AVAST!_WEB_SCANNER

Contents of the 'Scheduled Tasks' folder
2007-06-01 04:00:33 C:\WINDOWS\tasks\At1.job
2007-06-01 13:00:30 C:\WINDOWS\tasks\At10.job
2007-06-01 14:00:30 C:\WINDOWS\tasks\At11.job
2007-06-01 15:00:30 C:\WINDOWS\tasks\At12.job
2007-06-01 16:00:30 C:\WINDOWS\tasks\At13.job
2007-06-01 17:00:30 C:\WINDOWS\tasks\At14.job
2007-05-31 18:00:30 C:\WINDOWS\tasks\At15.job
2007-05-31 19:01:35 C:\WINDOWS\tasks\At16.job
2007-05-31 20:00:30 C:\WINDOWS\tasks\At17.job
2007-05-31 21:00:30 C:\WINDOWS\tasks\At18.job
2007-05-31 22:00:30 C:\WINDOWS\tasks\At19.job
2007-06-01 05:00:31 C:\WINDOWS\tasks\At2.job
2007-05-31 23:00:30 C:\WINDOWS\tasks\At20.job
2007-06-01 00:00:30 C:\WINDOWS\tasks\At21.job
2007-06-01 01:01:30 C:\WINDOWS\tasks\At22.job
2007-06-01 02:00:30 C:\WINDOWS\tasks\At23.job
2007-06-01 03:00:30 C:\WINDOWS\tasks\At24.job
2007-06-01 06:00:30 C:\WINDOWS\tasks\At3.job
2007-06-01 07:00:30 C:\WINDOWS\tasks\At4.job
2007-06-01 08:00:30 C:\WINDOWS\tasks\At5.job
2007-06-01 09:00:30 C:\WINDOWS\tasks\At6.job
2007-06-01 10:00:30 C:\WINDOWS\tasks\At7.job
2007-06-01 11:00:30 C:\WINDOWS\tasks\At8.job
2007-06-01 12:00:31 C:\WINDOWS\tasks\At9.job
2007-06-01 18:25:00 C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-01 14:27:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-06-01 14:27:26
C:\ComboFix-quarantined-files.txt ... 2007-06-01 14:27

--- E O F ---
---------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:33:20 PM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Animation\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Owner\Desktop\random.exe.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\setup\avast01.setup
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Alcohol Toolbar Helper - {52D06F97-5511-43FA-8FDA-C481864FD26E} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6609DB7C-7360-4259-AFEA-B2E378B835CC} - C:\WINDOWS\system32\vtstt.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {E3084E3B-A0AA-F754-8A0F-8FADD8B177CC} - C:\WINDOWS\system32\hmkehf.dll (file missing)
O2 - BHO: 0 - {E9D7E48A-418D-4C16-B8BD-94A84972B0F5} - C:\Program Files\Internet Explorer\labunu.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Alcohol Toolbar - {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\COMMON~1\WNSXS~1\spool32.exe" -vt yazb
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: run_startmenu.cmd
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: __c006A8E6 - C:\WINDOWS\system32\__c006A8E6.dat
O20 - Winlogon Notify: __c00774F4 - C:\WINDOWS\system32\__c00774F4.dat
O20 - Winlogon Notify: __c008DF89 - C:\WINDOWS\system32\__c008DF89.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Animation\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe

-----------------------------------------------------------------------------------------------------------


Thanks for the help so far, but it's still not looking good =(

#6 random/random

  • Malware Response Team
  • 2,704 posts

Posted 02 June 2007 - 08:42 AM

Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is turned off.

@echo off
attrib -r -s -h "C:\PROGRA~1\COMMON~1\WNSXS~1"
rmdir /q /s "C:\PROGRA~1\COMMON~1\WNSXS~1"


Save it to your Desktop as cleanup.bat. Save it as:
File Type: All Files (not as a text document, or it won't work).
Name: cleanup.bat
  • Download Pocket Killbox by Option^Explicit from here
  • Double-click on Killbox.exe to start Pocket Killbox
  • Select the Delete on reboot option
  • Click on All Files
  • Select the text in the below codebox and press Ctrl+C to copy it to the clipboard
    C:\WINDOWS\system32\__c006A8E6.dat
    C:\WINDOWS\system32\__c00774F4.dat
    C:\WINDOWS\system32\__c008DF89.dat
  • Go back to Pocket Killbox and click File > Paste from clipboard
  • Click on the button in Pocket Killbox that looks like this: [image]
  • You will now get the prompt Files will be removed on reboot, Do you want reboot now?
  • Click Yes; this will restart your PC
  • Note: If your PC does not restart automatically, please restart it manually
Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present)

O2 - BHO: (no name) - {6609DB7C-7360-4259-AFEA-B2E378B835CC} - C:\WINDOWS\system32\vtstt.dll (file missing)
O2 - BHO: (no name) - {E3084E3B-A0AA-F754-8A0F-8FADD8B177CC} - C:\WINDOWS\system32\hmkehf.dll (file missing)
O2 - BHO: 0 - {E9D7E48A-418D-4C16-B8BD-94A84972B0F5} - C:\Program Files\Internet Explorer\labunu.dll (file missing)
O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\COMMON~1\WNSXS~1\spool32.exe" -vt yazb
O20 - Winlogon Notify: __c006A8E6 - C:\WINDOWS\system32\__c006A8E6.dat
O20 - Winlogon Notify: __c00774F4 - C:\WINDOWS\system32\__c00774F4.dat
O20 - Winlogon Notify: __c008DF89 - C:\WINDOWS\system32\__c008DF89.dat

Then close all windows except HijackThis and click Fix Checked

Restart

Locate cleanup.bat on your Desktop and double-click it. A DOS window will open briefly and then close; this is normal.

Post a new HijackThis log
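
A small triage script for logs in this format, added here as an example and not part of the thread or of HijackThis itself: it parses the `Oxx - ` entries and applies three of the checks the fix list above relies on (a BHO whose DLL is missing, a Winlogon Notify package that is not a DLL, and IE proxied through localhost). The sample log is constructed from a few lines of the log posted above, and the rule set is my own; it does not cover every line picked out in the reply.

```python
import re

# Constructed sample in HijackThis v1.99 format, modelled on the log posted
# above (a few representative lines, not the complete log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {6609DB7C-7360-4259-AFEA-B2E378B835CC} - C:\WINDOWS\system32\vtstt.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\COMMON~1\WNSXS~1\spool32.exe" -vt yazb
O20 - Winlogon Notify: __c006A8E6 - C:\WINDOWS\system32\__c006A8E6.dat
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, O20 ...).
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
# R1 ProxyServer entries that route Internet Explorer through the local host.
LOCAL_PROXY_RE = re.compile(r"ProxyServer = (localhost|127\.0\.0\.1)(:\d+)?\s*$")
# O20 entries: "Winlogon Notify: <name> - <path>".
WINLOGON_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def parse_hijackthis(text):
    """Return the (kind, body) pairs of a HijackThis log. Header lines and
    the running-process list carry no 'Oxx - ' prefix and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(entries):
    """Apply three review rules (my own, drawn from the fix list in the thread)
    and return (kind, reason, body) for every entry that trips one."""
    flags = []
    for kind, body in entries:
        if kind == "O2" and body.endswith("(file missing)"):
            # A BHO whose DLL is gone: a dead registration left behind by a removal.
            flags.append((kind, "BHO registered but DLL absent", body))
        elif kind == "O20":
            m = WINLOGON_RE.match(body)
            # Winlogon notification packages are DLLs; a .dat here is off-pattern.
            if m and not m.group("path").lower().endswith(".dll"):
                flags.append((kind, "Winlogon Notify target is not a DLL", body))
        elif kind == "R1" and LOCAL_PROXY_RE.search(body):
            # IE sent through a local proxy: verify it was installed on purpose.
            flags.append((kind, "IE proxy points at localhost", body))
    return flags


if __name__ == "__main__":
    for kind, reason, body in triage(parse_hijackthis(SAMPLE_LOG)):
        print(f"{kind:<4} {reason}: {body}")
```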

#7 ComputerNooblet

  • Topic Starter
  • Members
  • 5 posts

Posted 02 June 2007 - 02:22 PM

OK, now I still can't open any games or the internet (I think the internet is a problem with the ISP, so I'm going to call them and have them reset it, hopefully fixing it), but whenever I try to start a game or anything it says something about a Java runtime environment from the C++ runtime library being aborted or terminated.


Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:45:14 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Animation\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Owner\Desktop\random.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Alcohol Toolbar Helper - {52D06F97-5511-43FA-8FDA-C481864FD26E} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Alcohol Toolbar - {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: run_startmenu.cmd
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Animation\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe


And I know I've said it before, but thanks a ton for your help; I know you don't have to be contributing your time, but you are anyway.

#8 ComputerNooblet

  • Topic Starter
  • Members
  • 5 posts

Posted 03 June 2007 - 12:52 AM

I just tried having my ISP reset the modem connection and it did not help at all, so something is blocking my internet connection as well... Whenever I try to open Internet Explorer it says "page cannot be displayed", and when I try to type in google or anything in the address bar, in either Internet Explorer or the My Computer address bar, it stays blank and then says the Internet Explorer search page cannot be opened.

#9 random/random

  • Malware Response Team
  • 2,704 posts

Posted 03 June 2007 - 10:27 AM

Go to Start > Run, type netsh winsock reset catalog and press Enter, restart, then try to connect to the internet.


