Virtumonde & Trojan_low.zone


30 replies to this topic

#1 SixTen

Posted 26 June 2007 - 10:48 AM

Hello,

I typically can get rid of viruses, worms, malware etc. by reading the forums and following the advice given, but in this case I have tried all of the removal methods given and still get pop-ups and notifications from Norton regarding low.zone.

I appreciate all that you guys do here, any help would be greatly appreciated.

Here is my Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:43:47 AM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.woot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16baac29-a9ea-4f59-a3ea-66954d12b560} - C:\WINDOWS\system32\batlui.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\tmp14B6.tmp.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WootAgent] C:\Program Files\Woot Agent\WootAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\batlui.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\batlui.dll (file missing)
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\batlui.dll (file missing)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\batlui.dll (file missing)
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF} (JInitiator 1.3.1.9) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\SixTen\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Thanks again for your help.
SixTen
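A triage pass over the HijackThis log above, as an added example (Python; not part of the original post and not HijackThis's own logic). It parses the O2/O3/O20/O23 lines and flags the patterns that matter in this thread: an unnamed BHO backed by a `tmpNNNN.tmp.dll` in system32, a service whose binary sits under a Temp directory, a Winlogon Notify entry whose DLL is missing, and dangling entries that point at files that are gone. The sample input is a handful of lines copied from the log; the severity labels and rule order are this editor's choices, and the `Finding` class and `triage` function are names introduced here.

```python
"""Triage of HijackThis 1.99 log lines for Vundo/Virtumonde-style persistence.

Added example: the rules below are this editor's heuristics, not HijackThis logic.
"""
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16baac29-a9ea-4f59-a3ea-66954d12b560} - C:\WINDOWS\system32\batlui.dll (file missing)
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\tmp14B6.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\SixTen\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

HJT_LINE = re.compile(r"^(?P<section>O2|O3|O20|O23) - [^:]+: (?P<rest>.*)$")
CLSID_FIELDS = re.compile(r"^(?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# Vundo drops a fresh DLL named tmpNNNN.tmp.dll into system32 each time one is removed.
TMP_DLL = re.compile(r"\\system32\\tmp[0-9A-Fa-f]+\.tmp\.dll$", re.IGNORECASE)
MISSING = ("(no file)", "(file missing)")


@dataclass
class Finding:
    section: str
    ident: str      # CLSID for O2/O3, entry name for O20/O23
    path: str
    severity: str   # "high", "medium" or "low"
    reason: str


def _fields(section, rest):
    """Return (name, ident, path) for one HJT line."""
    if section in ("O2", "O3"):
        m = CLSID_FIELDS.match(rest)
        return (m["name"], m["clsid"], m["path"]) if m else (rest, rest, "")
    if section == "O20":
        name, _, path = rest.partition(" - ")
        return name, name, path
    # O23: "Display name (ServiceName) - Owner - Path". The path is taken as the
    # last " - " field, so a path that itself contains " - " would be misparsed.
    head, _, path = rest.rpartition(" - ")
    name = head.rpartition(" - ")[0] or head
    return name, name, path


def triage(log_text):
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue   # the process list and R0/R1/O4/O9/... lines are not examined here
        sec = m["section"]
        name, ident, path = _fields(sec, m["rest"])
        low = path.lower()
        missing = low.endswith(MISSING)
        if TMP_DLL.search(path) and not missing:
            findings.append(Finding(sec, ident, path, "high",
                "unnamed tmpNNNN.tmp.dll in system32: the regenerating Vundo BHO"))
        elif sec == "O23" and "\\temp\\" in low:
            findings.append(Finding(sec, ident, path, "high",
                "service whose binary lives under a Temp directory"))
        elif sec == "O20" and missing:
            findings.append(Finding(sec, ident, path, "medium",
                "Winlogon Notify DLL is gone now, but the entry loads into winlogon.exe "
                "as SYSTEM if the file comes back"))
        elif missing:
            findings.append(Finding(sec, ident, path, "low",
                "dangling entry: registry points at a file that no longer exists"))
        elif sec in ("O2", "O3") and name == "(no name)":
            findings.append(Finding(sec, ident, path, "low",
                "BHO/toolbar with no default name; check the DLL's publisher "
                "(Spybot's SDHelper.dll is a known benign case)"))
    return findings


if __name__ == "__main__":
    order = ("high", "medium", "low")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"{f.severity:<6} {f.section:<4} {f.ident}  {f.path}\n       {f.reason}")
```

Two caveats when reading the low-severity class: HijackThis prints "(file missing)" for any service whose ImagePath carries arguments, which is why the Symantec ccSvcHst.exe lines in the full log look dangling when they are not; and "(no name)" on its own only says the COM class has no default value, which is also true of Spybot's SDHelper and Symantec's NppBho. The combination that identifies Vundo here is the unnamed BHO whose DLL is a freshly written tmpNNNN.tmp.dll in system32.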

#2 ourwilly

Posted 26 June 2007 - 02:05 PM

Welcome to the forum. I would like to take a look at this log for you and will get back to you as soon as I can.

Thank You.

#3 SixTen

Posted 27 June 2007 - 06:15 PM

Thank you! Here are the logs from the other fixes I ran (prior to the HJT log):


[06/26/2007, 3:03:13] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\SixTen\Desktop\VirtumundoBeGone.exe" )
[06/26/2007, 3:03:17] - Detected System Information:
[06/26/2007, 3:03:17] - Windows Version: 5.1.2600, Service Pack 2
[06/26/2007, 3:03:17] - Current Username: SixTen (Admin)
[06/26/2007, 3:03:17] - Windows is in NORMAL mode.
[06/26/2007, 3:03:17] - Searching for Browser Helper Objects:
[06/26/2007, 3:03:17] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
[06/26/2007, 3:03:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:03:17] - No filename found. Continuing.
[06/26/2007, 3:03:17] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[06/26/2007, 3:03:17] - BHO 3: {16baac29-a9ea-4f59-a3ea-66954d12b560} ()
[06/26/2007, 3:03:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:03:17] - Checking for HKLM\...\Winlogon\Notify\batlui
[06/26/2007, 3:03:17] - Key not found: HKLM\...\Winlogon\Notify\batlui, continuing.
[06/26/2007, 3:03:17] - BHO 4: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[06/26/2007, 3:03:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:03:17] - Checking for HKLM\...\Winlogon\Notify\NppBho
[06/26/2007, 3:03:17] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[06/26/2007, 3:03:17] - BHO 5: {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} ()
[06/26/2007, 3:03:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:03:17] - Checking for HKLM\...\Winlogon\Notify\tmp14B6.tmp
[06/26/2007, 3:03:17] - Key not found: HKLM\...\Winlogon\Notify\tmp14B6.tmp, continuing.
[06/26/2007, 3:03:17] - BHO 6: {2F85D76C-0569-466F-A488-493E6BD0E955} (dsWebAllowBHO Class)
[06/26/2007, 3:03:17] - BHO 7: {53707962-6F74-2D53-2644-206D7942484F} ()
[06/26/2007, 3:03:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:03:17] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[06/26/2007, 3:03:17] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[06/26/2007, 3:03:17] - BHO 8: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/26/2007, 3:03:17] - BHO 9: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[06/26/2007, 3:03:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:03:17] - No filename found. Continuing.
[06/26/2007, 3:03:17] - BHO 10: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/26/2007, 3:03:17] - BHO 11: {A7327C09-B521-4EDB-8509-7D2660C9EC98} (Viewpoint Toolbar BHO)
[06/26/2007, 3:03:17] - BHO 12: {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} (TwcToolbarBhoApp Class)
[06/26/2007, 3:03:17] - BHO 13: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/26/2007, 3:03:17] - BHO 14: {d8ed75c6-9fbe-47d9-85f8-070c9a4db1b8} (MSEvents Object)
[06/26/2007, 3:03:17] - ALERT: Found MSEvents Object!
[06/26/2007, 3:03:17] - Finished Searching Browser Helper Objects
[06/26/2007, 3:03:17] - *** Detected MSEvents Object
[06/26/2007, 3:03:17] - Trying to remove MSEvents Object...
[06/26/2007, 3:03:18] - Terminating Process: IEXPLORE.EXE
[06/26/2007, 3:03:20] - Terminating Process: RUNDLL32.EXE
[06/26/2007, 3:03:20] - Disabling Automatic Shell Restart
[06/26/2007, 3:03:20] - Terminating Process: EXPLORER.EXE
[06/26/2007, 3:03:20] - Suspending the NT Session Manager System Service
[06/26/2007, 3:03:20] - Terminating Windows NT Logon/Logoff Manager
[06/26/2007, 3:03:21] - Re-enabling Automatic Shell Restart
[06/26/2007, 3:03:21] - File to disable: C:\WINDOWS\system32\l3cstp.dll
[06/26/2007, 3:03:21] - Renaming C:\WINDOWS\system32\l3cstp.dll -> C:\WINDOWS\system32\l3cstp.dll.vir
[06/26/2007, 3:03:21] - File successfully renamed!
[06/26/2007, 3:03:21] - Removing HKLM\...\Browser Helper Objects\{d8ed75c6-9fbe-47d9-85f8-070c9a4db1b8}
[06/26/2007, 3:03:21] - Removing HKCR\CLSID\{d8ed75c6-9fbe-47d9-85f8-070c9a4db1b8}
[06/26/2007, 3:03:21] - Adding Kill Bit for ActiveX for GUID: {d8ed75c6-9fbe-47d9-85f8-070c9a4db1b8}
[06/26/2007, 3:03:21] - Deleting ATLEvents/MSEvents Registry entries
[06/26/2007, 3:03:21] - Removing HKLM\...\Winlogon\Notify\l3cstp
[06/26/2007, 3:03:21] - Searching for Browser Helper Objects:
[06/26/2007, 3:03:21] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
[06/26/2007, 3:03:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:03:21] - No filename found. Continuing.
[06/26/2007, 3:03:21] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[06/26/2007, 3:03:21] - BHO 3: {16baac29-a9ea-4f59-a3ea-66954d12b560} ()
[06/26/2007, 3:03:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:03:21] - Checking for HKLM\...\Winlogon\Notify\batlui
[06/26/2007, 3:03:21] - Key not found: HKLM\...\Winlogon\Notify\batlui, continuing.
[06/26/2007, 3:03:21] - BHO 4: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[06/26/2007, 3:03:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:03:21] - Checking for HKLM\...\Winlogon\Notify\NppBho
[06/26/2007, 3:03:21] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[06/26/2007, 3:03:21] - BHO 5: {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} ()
[06/26/2007, 3:03:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:03:22] - Checking for HKLM\...\Winlogon\Notify\tmp14B6.tmp
[06/26/2007, 3:03:22] - Key not found: HKLM\...\Winlogon\Notify\tmp14B6.tmp, continuing.
[06/26/2007, 3:03:22] - BHO 6: {2F85D76C-0569-466F-A488-493E6BD0E955} (dsWebAllowBHO Class)
[06/26/2007, 3:03:22] - BHO 7: {53707962-6F74-2D53-2644-206D7942484F} ()
[06/26/2007, 3:03:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:03:22] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[06/26/2007, 3:03:22] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[06/26/2007, 3:03:22] - BHO 8: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/26/2007, 3:03:22] - BHO 9: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[06/26/2007, 3:03:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:03:22] - No filename found. Continuing.
[06/26/2007, 3:03:22] - BHO 10: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/26/2007, 3:03:22] - BHO 11: {A7327C09-B521-4EDB-8509-7D2660C9EC98} (Viewpoint Toolbar BHO)
[06/26/2007, 3:03:22] - BHO 12: {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} (TwcToolbarBhoApp Class)
[06/26/2007, 3:03:22] - BHO 13: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/26/2007, 3:03:22] - Finished Searching Browser Helper Objects
[06/26/2007, 3:03:22] - Finishing up...
[06/26/2007, 3:03:22] - A restart is needed.
[06/26/2007, 3:03:25] - Attempting to Restart via STOP error (Blue Screen!)

[06/26/2007, 3:06:34] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\SixTen\Desktop\VirtumundoBeGone.exe" )
[06/26/2007, 3:06:38] - User choose NOT to continue. Exiting...

[06/26/2007, 3:07:19] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\SixTen\Desktop\VirtumundoBeGone.exe" )
[06/26/2007, 3:07:21] - Detected System Information:
[06/26/2007, 3:07:21] - Windows Version: 5.1.2600, Service Pack 2
[06/26/2007, 3:07:21] - Current Username: SixTen (Admin)
[06/26/2007, 3:07:21] - Windows is in NORMAL mode.
[06/26/2007, 3:07:21] - Searching for Browser Helper Objects:
[06/26/2007, 3:07:21] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
[06/26/2007, 3:07:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:07:21] - No filename found. Continuing.
[06/26/2007, 3:07:21] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[06/26/2007, 3:07:21] - BHO 3: {16baac29-a9ea-4f59-a3ea-66954d12b560} ()
[06/26/2007, 3:07:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:07:21] - Checking for HKLM\...\Winlogon\Notify\batlui
[06/26/2007, 3:07:21] - Key not found: HKLM\...\Winlogon\Notify\batlui, continuing.
[06/26/2007, 3:07:21] - BHO 4: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[06/26/2007, 3:07:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:07:21] - Checking for HKLM\...\Winlogon\Notify\NppBho
[06/26/2007, 3:07:21] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[06/26/2007, 3:07:21] - BHO 5: {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} ()
[06/26/2007, 3:07:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:07:21] - Checking for HKLM\...\Winlogon\Notify\tmp14B6.tmp
[06/26/2007, 3:07:21] - Key not found: HKLM\...\Winlogon\Notify\tmp14B6.tmp, continuing.
[06/26/2007, 3:07:21] - BHO 6: {2F85D76C-0569-466F-A488-493E6BD0E955} (dsWebAllowBHO Class)
[06/26/2007, 3:07:21] - BHO 7: {53707962-6F74-2D53-2644-206D7942484F} ()
[06/26/2007, 3:07:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:07:21] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[06/26/2007, 3:07:21] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[06/26/2007, 3:07:21] - BHO 8: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/26/2007, 3:07:21] - BHO 9: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[06/26/2007, 3:07:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:07:21] - No filename found. Continuing.
[06/26/2007, 3:07:21] - BHO 10: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/26/2007, 3:07:21] - BHO 11: {A7327C09-B521-4EDB-8509-7D2660C9EC98} (Viewpoint Toolbar BHO)
[06/26/2007, 3:07:21] - BHO 12: {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} (TwcToolbarBhoApp Class)
[06/26/2007, 3:07:21] - BHO 13: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/26/2007, 3:07:21] - Finished Searching Browser Helper Objects
[06/26/2007, 3:07:21] - Finishing up...
[06/26/2007, 3:07:21] - Nothing found! Exiting...

VundoFix V6.5.1

Checking Java version...

Scan started at 3:00:05 AM 6/26/2007

Listing files found while scanning....

No infected files were found.

I ran Panda and BitDefender, but could not get Housecall to start. I have used Housecall in the past and have never had any issues (I tried it with IE7 and Mozilla Firefox).

Thanks again for your help!
SixTen
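A post-remediation check over the VirtumundoBeGone log above, as an added example (Python; not part of the original post and not the tool's own code). The log records two BHO enumeration passes with the removal actions in between, which is exactly the shape an incident responder wants to verify: which CLSIDs vanished between the passes, whether each of them got both its BHO key removed and an ActiveX kill bit set, which files were renamed out of the way, and which unnamed BHOs are still listed afterwards. The sample input is an excerpt of that log, shortened to the relevant lines and labelled as such; `parse` and `verify` are names introduced here.

```python
"""Post-remediation check over a VirtumundoBeGone log: which CLSIDs were actually
neutralised, and which unnamed BHOs survived the run.

Added example; the parsing and the cross-checks are this editor's, not the tool's.
"""
import re

# Sample input: an excerpt of the VirtumundoBeGone log posted above, shortened to the
# lines that matter (the real log lists all fourteen BHOs in each pass).
SAMPLE_LOG = r"""
[06/26/2007, 3:03:17] - Searching for Browser Helper Objects:
[06/26/2007, 3:03:17] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
[06/26/2007, 3:03:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2007, 3:03:17] - No filename found. Continuing.
[06/26/2007, 3:03:17] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[06/26/2007, 3:03:17] - BHO 5: {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} ()
[06/26/2007, 3:03:17] - Checking for HKLM\...\Winlogon\Notify\tmp14B6.tmp
[06/26/2007, 3:03:17] - Key not found: HKLM\...\Winlogon\Notify\tmp14B6.tmp, continuing.
[06/26/2007, 3:03:17] - BHO 14: {d8ed75c6-9fbe-47d9-85f8-070c9a4db1b8} (MSEvents Object)
[06/26/2007, 3:03:17] - ALERT: Found MSEvents Object!
[06/26/2007, 3:03:17] - Finished Searching Browser Helper Objects
[06/26/2007, 3:03:21] - Renaming C:\WINDOWS\system32\l3cstp.dll -> C:\WINDOWS\system32\l3cstp.dll.vir
[06/26/2007, 3:03:21] - Removing HKLM\...\Browser Helper Objects\{d8ed75c6-9fbe-47d9-85f8-070c9a4db1b8}
[06/26/2007, 3:03:21] - Removing HKCR\CLSID\{d8ed75c6-9fbe-47d9-85f8-070c9a4db1b8}
[06/26/2007, 3:03:21] - Adding Kill Bit for ActiveX for GUID: {d8ed75c6-9fbe-47d9-85f8-070c9a4db1b8}
[06/26/2007, 3:03:21] - Removing HKLM\...\Winlogon\Notify\l3cstp
[06/26/2007, 3:03:21] - Searching for Browser Helper Objects:
[06/26/2007, 3:03:21] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
[06/26/2007, 3:03:21] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[06/26/2007, 3:03:21] - BHO 5: {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} ()
[06/26/2007, 3:03:22] - Finished Searching Browser Helper Objects
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<msg>.*)$")
CLSID = r"\{[0-9A-Fa-f-]{36}\}"
BHO = re.compile(rf"^BHO \d+: (?P<clsid>{CLSID}) \((?P<name>.*)\)$")
RENAME = re.compile(r"^Renaming (?P<src>.+?) -> (?P<dst>.+)$")
KILLBIT = re.compile(rf"^Adding Kill Bit for ActiveX for GUID: (?P<clsid>{CLSID})$")
REMOVE = re.compile(r"^Removing (?P<key>.+)$")


def parse(log_text):
    """Return (passes, actions): one {clsid: name} dict per BHO enumeration pass,
    plus the file renames, key removals and kill bits the tool logged."""
    passes, current = [], None
    actions = {"renamed": [], "removed_keys": [], "killbits": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("Searching for Browser Helper Objects"):
            current = {}
            passes.append(current)
        elif (b := BHO.match(msg)) and current is not None:
            current[b["clsid"].lower()] = b["name"]   # CLSIDs compared case-insensitively
        elif r := RENAME.match(msg):
            actions["renamed"].append((r["src"], r["dst"]))
        elif k := KILLBIT.match(msg):
            actions["killbits"].append(k["clsid"].lower())
        elif r := REMOVE.match(msg):
            actions["removed_keys"].append(r["key"])
    return passes, actions


def verify(passes, actions):
    """Cross-check the tool's claims: every CLSID that vanished between the first and
    last pass should have had its BHO key removed and a kill bit set; anything unnamed
    that is still listed at the end, or newly listed, needs a human look."""
    first, last = passes[0], passes[-1]
    report = {
        "removed": {},
        "remaining_unnamed": sorted(c for c, n in last.items() if not n),
        "regenerated": sorted(set(last) - set(first)),
        "quarantined_files": list(actions["renamed"]),
    }
    for clsid in sorted(set(first) - set(last)):
        key_gone = any(k.lower().endswith("browser helper objects\\" + clsid)
                       for k in actions["removed_keys"])
        report["removed"][clsid] = {"name": first[clsid],
                                    "bho_key_removed": key_gone,
                                    "killbit": clsid in actions["killbits"]}
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(verify(*parse(SAMPLE_LOG)), indent=2))
```

Run against the excerpt, the report confirms one neutralised CLSID (the MSEvents object, with key removal and kill bit both logged and l3cstp.dll renamed to .vir) and leaves two unnamed BHOs in `remaining_unnamed`, one of them the tmp14B6.tmp.dll entry that the tool only looked up against Winlogon\Notify and did not act on. That is the reason a "Nothing found!" second run is not the same as a clean machine.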

#4 ourwilly

Posted 28 June 2007 - 06:22 PM

Hello SixTen

Copy and paste this 'Fix' into either Notepad or Wordpad for future reference, as you will be required to close down your browser when following these steps.

Step 1

Before we can use this, you must place HijackThis into its own folder. If we ever need to restore any item, this folder will safely store all entries and enable us to use the "Back-up" feature that HijackThis offers.

To create a new folder for HijackThis on the C: drive,

Open My Computer (Windows key + E),
then double-click on Local Disk (C:).
Now right-click and select
New > Folder and name it HJT.

Please now move HijackThis.exe into the new HJT folder.
Do this BEFORE you proceed!


Step 2

Download ComboFix.exe to your desktop.
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post this log in your next reply.

Thank you.

#5 SixTen

Posted 28 June 2007 - 09:21 PM

Thank you! Here is the log from ComboFix:

ComboFix 07-06-18.2 - C:\Documents and Settings\SixTen\Desktop\ComboFix.exe
"SixTen" - 2007-06-28 22:24:07 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-29 )))))))))))))))))))))))))))))))


2007-06-28 22:14 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-28 22:12 <DIR> d-------- C:\HJT
2007-06-27 19:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-27 19:34 <DIR> d-------- C:\WINDOWS\LastGood
2007-06-27 19:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-26 03:14 <DIR> d-------- C:\WINDOWS\CSC
2007-06-26 02:52 <DIR> d-------- C:\backups
2007-06-26 02:22 59,480 --a------ C:\WINDOWS\system32\tmp14B6.tmp.dll
2007-06-25 19:58 59,480 --a------ C:\WINDOWS\system32\tmp12C1.tmp.dll
2007-06-25 10:06 59,480 --a------ C:\WINDOWS\system32\tmp699.tmp.dll
2007-06-25 02:36 59,480 --a------ C:\WINDOWS\system32\tmp54.tmp.dll
2007-06-25 02:15 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-06-25 01:59 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-06-25 01:42 59,480 --a------ C:\WINDOWS\system32\tmp141.tmp.dll
2007-06-25 01:35 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-24 10:55 135,018 --a------ C:\WINDOWS\ssqoml.dll
2007-06-24 10:01 59,435 --a------ C:\WINDOWS\system32\tmpF3.tmp.dll
2007-06-24 01:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-23 01:11 49,252 --a------ C:\WINDOWS\system32\ddaby.exe
2007-06-23 01:11 38,232 --a------ C:\WINDOWS\system32\l3cstp.dll.vir
2007-06-23 00:51 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-21 03:11 <DIR> d-------- C:\DOCUME~1\SixTen\APPLIC~1\Sonic
2007-06-21 03:08 <DIR> d-------- C:\DOCUME~1\SixTen\APPLIC~1\Leadertech
2007-06-18 02:39 <DIR> d-------- C:\Program Files\FLVPlayer
2007-06-12 01:48 <DIR> d-------- C:\Program Files\ffdshow
2007-06-10 01:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sophos
2007-06-10 01:48 <DIR> d-------- C:\savxpsa
2007-06-09 21:34 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-06-06 19:12 <DIR> d-------- C:\Program Files\LegendSoftware
2007-06-02 01:43 <DIR> d-------- C:\DOCUME~1\SixTen\APPLIC~1\Yahoo!
2007-06-02 01:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-02 01:30 <DIR> d-------- C:\Program Files\Yahoo!
2007-05-31 01:08 91,136 --a------ C:\WINDOWS\system32\icam4com.dll
2007-05-31 01:08 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-05-31 01:08 61,952 --a------ C:\WINDOWS\system32\Icam4EXT.dll
2007-05-31 01:08 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-05-31 01:08 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-05-31 01:08 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-05-31 01:08 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-05-31 01:08 154,496 --a------ C:\WINDOWS\system32\drivers\Icam4USB.sys
2007-05-31 01:08 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-05-31 01:08 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-05-31 01:08 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-29 02:08:24 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-27 23:03:11 -------- d-----w C:\Program Files\GSAK
2007-06-26 06:25:20 218,112 ----a-w C:\HijackThis.exe
2007-06-25 09:37:30 -------- d-----w C:\Program Files\Windows Desktop Search
2007-06-25 09:36:07 -------- d-----w C:\Program Files\Sony Handheld
2007-06-25 09:31:48 -------- d-----w C:\Program Files\Norton Internet Security
2007-06-25 09:24:10 -------- d-----w C:\Program Files\Common Files\LightScribe
2007-06-23 14:25:48 -------- d-----w C:\Program Files\QuickTime
2007-06-23 07:58:23 -------- d-----w C:\Program Files\music_now
2007-06-21 07:10:47 -------- d-----w C:\Program Files\Sonic
2007-06-21 07:10:41 -------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-06-10 01:27:01 -------- d--h--w C:\DOCUME~1\SixTen\APPLIC~1\Move Networks
2007-05-16 21:16:13 -------- d-----w C:\Program Files\HP
2007-05-16 21:15:36 -------- d-----w C:\Program Files\Hewlett-Packard
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-13 19:23:06 -------- d-----w C:\DOCUME~1\SixTen\APPLIC~1\Arcsoft
2007-05-09 07:02:47 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-07 23:14:06 -------- d-----w C:\Program Files\The Weather Channel Toolbar
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-20 15:56:41 3,683 ----a-w C:\WINDOWS\mozver.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2006-08-10 01:45:53 80 --sh--r C:\WINDOWS\system32\7D88E784F1.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{16baac29-a9ea-4f59-a3ea-66954d12b560}=C:\WINDOWS\system32\batlui.dll []
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}=C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll [2006-09-06 01:18]
{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}=C:\WINDOWS\system32\tmp14B6.tmp.dll [2007-06-26 02:22]
{2F85D76C-0569-466F-A488-493E6BD0E955}=C:\Program Files\Windows Desktop Search\dsWebAllow.dll [2006-03-26 22:44]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 13:29]
{AA1F9DDB-E605-4ba6-81D4-E427DEE012AD}=C:\WINDOWS\system32\TwcToolbarBho.dll [2006-10-26 07:12]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2006-10-12 11:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 00:05]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 16:50]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2005-12-12 14:39]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 11:57]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-08-01 17:26]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 16:45]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 23:25 C:\WINDOWS\KHALMNPR.Exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 21:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-28 20:09]
"WootAgent"="C:\Program Files\Woot Agent\WootAgent.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 11:00]
"Aim6"="" []
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 21:34]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 13:11]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winubg32]
winubg32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-06-23 00:00:00 C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - SixTen.job
2007-06-25 16:00:00 C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
2007-06-26 04:00:00 C:\WINDOWS\tasks\Symantec Drmc.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-28 22:24:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????<????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-28 22:25:17
C:\ComboFix-quarantined-files.txt ... 2007-06-28 22:25
C:\ComboFix2.txt ... 2007-06-28 22:17

--- E O F ---

Edited by SixTen, 28 June 2007 - 09:27 PM.


#6 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male

Posted 29 June 2007 - 02:25 PM

Hello SixTen :thumbsup:

Please "Right-Click" on the Attached File below

Select "Save Link As" (in IE it's "Save Target As") in order to download and save this with the filename ComboFix-Do.txt onto your desktop

Posted Image

Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe

Run ComboFix again and please post the resultant log file together with a fresh HJT log

Thank you.

Attached Files



#7 SixTen

SixTen
  • Topic Starter

  • Members
  • 16 posts

Posted 30 June 2007 - 02:20 AM

Thank you!

I downloaded the file to my desktop and dragged it into combofix.exe; it automatically ran combofix when I did. Hopefully that's what it was supposed to do...

Here is the log:

ComboFix 07-06-18.2 - C:\Documents and Settings\SixTen\Desktop\ComboFix.exe
"SixTen" - 2007-06-30 3:10:20 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\SixTen\Desktop\ComboFix_Do.txt


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))


2007-06-28 23:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-28 22:14 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-28 22:12 <DIR> d-------- C:\HJT
2007-06-27 19:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-27 19:34 <DIR> d-------- C:\WINDOWS\LastGood
2007-06-27 19:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-26 03:14 <DIR> d-------- C:\WINDOWS\CSC
2007-06-26 02:52 <DIR> d-------- C:\backups
2007-06-26 02:22 59,480 --a------ C:\WINDOWS\system32\tmp14B6.tmp.dll
2007-06-25 19:58 59,480 --a------ C:\WINDOWS\system32\tmp12C1.tmp.dll
2007-06-25 10:06 59,480 --a------ C:\WINDOWS\system32\tmp699.tmp.dll
2007-06-25 02:36 59,480 --a------ C:\WINDOWS\system32\tmp54.tmp.dll
2007-06-25 02:15 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-06-25 01:59 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-06-25 01:42 59,480 --a------ C:\WINDOWS\system32\tmp141.tmp.dll
2007-06-25 01:35 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-24 10:55 135,018 --a------ C:\WINDOWS\ssqoml.dll
2007-06-24 10:01 59,435 --a------ C:\WINDOWS\system32\tmpF3.tmp.dll
2007-06-24 01:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-23 01:11 49,252 --a------ C:\WINDOWS\system32\ddaby.exe
2007-06-23 01:11 38,232 --a------ C:\WINDOWS\system32\l3cstp.dll.vir
2007-06-23 00:51 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-21 03:11 <DIR> d-------- C:\DOCUME~1\SixTen\APPLIC~1\Sonic
2007-06-21 03:08 <DIR> d-------- C:\DOCUME~1\SixTen\APPLIC~1\Leadertech
2007-06-18 02:39 <DIR> d-------- C:\Program Files\FLVPlayer
2007-06-12 01:48 <DIR> d-------- C:\Program Files\ffdshow
2007-06-10 01:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sophos
2007-06-10 01:48 <DIR> d-------- C:\savxpsa
2007-06-09 21:34 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-06-06 19:12 <DIR> d-------- C:\Program Files\LegendSoftware
2007-06-02 01:43 <DIR> d-------- C:\DOCUME~1\SixTen\APPLIC~1\Yahoo!
2007-06-02 01:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-02 01:30 <DIR> d-------- C:\Program Files\Yahoo!
2007-05-31 01:08 91,136 --a------ C:\WINDOWS\system32\icam4com.dll
2007-05-31 01:08 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-05-31 01:08 61,952 --a------ C:\WINDOWS\system32\Icam4EXT.dll
2007-05-31 01:08 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-05-31 01:08 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-05-31 01:08 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-05-31 01:08 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-05-31 01:08 154,496 --a------ C:\WINDOWS\system32\drivers\Icam4USB.sys
2007-05-31 01:08 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-05-31 01:08 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-05-31 01:08 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-05-14 15:43 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\MySpace
2007-05-14 15:43 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Google
2007-05-14 15:41 1,048,576 --ah----- C:\DOCUME~1\Guest\NTUSER.DAT
2007-05-14 15:41 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Real
2007-05-14 15:41 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Logitech
2007-05-14 15:41 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Intuit
2007-05-13 15:23 <DIR> d-------- C:\DOCUME~1\SixTen\APPLIC~1\Arcsoft
2007-05-09 03:02 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-07 19:13 940,304 --a------ C:\WINDOWS\system32\msjava.dll
2007-05-07 19:13 77,824 --a------ C:\WINDOWS\system32\TwcToolbarBho.dll
2007-05-07 19:13 249,856 --a------ C:\WINDOWS\system32\TwcToolbarIe7.dll
2007-05-07 19:13 <DIR> d-------- C:\Program Files\The Weather Channel Toolbar


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-30 07:12:57 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-27 23:03:11 -------- d-----w C:\Program Files\GSAK
2007-06-26 06:25:20 218,112 ----a-w C:\HijackThis.exe
2007-06-25 09:37:30 -------- d-----w C:\Program Files\Windows Desktop Search
2007-06-25 09:36:07 -------- d-----w C:\Program Files\Sony Handheld
2007-06-25 09:31:48 -------- d-----w C:\Program Files\Norton Internet Security
2007-06-25 09:24:10 -------- d-----w C:\Program Files\Common Files\LightScribe
2007-06-23 14:25:48 -------- d-----w C:\Program Files\QuickTime
2007-06-23 07:58:23 -------- d-----w C:\Program Files\music_now
2007-06-21 07:10:47 -------- d-----w C:\Program Files\Sonic
2007-06-21 07:10:41 -------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-06-10 01:27:01 -------- d--h--w C:\DOCUME~1\SixTen\APPLIC~1\Move Networks
2007-05-16 21:16:13 -------- d-----w C:\Program Files\HP
2007-05-16 21:15:36 -------- d-----w C:\Program Files\Hewlett-Packard
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-20 15:56:41 3,683 ----a-w C:\WINDOWS\mozver.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2006-08-10 01:45:53 80 --sh--r C:\WINDOWS\system32\7D88E784F1.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-05-30 17:18]
{16baac29-a9ea-4f59-a3ea-66954d12b560}=C:\WINDOWS\system32\batlui.dll []
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}=C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll [2006-09-06 01:18]
{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}=C:\WINDOWS\system32\tmp14B6.tmp.dll [2007-06-26 02:22]
{2F85D76C-0569-466F-A488-493E6BD0E955}=C:\Program Files\Windows Desktop Search\dsWebAllow.dll [2006-03-26 22:44]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 13:29]
{AA1F9DDB-E605-4ba6-81D4-E427DEE012AD}=C:\WINDOWS\system32\TwcToolbarBho.dll [2006-10-26 07:12]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2006-10-12 11:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 00:05]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 16:50]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2005-12-12 14:39]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 11:57]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-08-01 17:26]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 16:45]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 23:25 C:\WINDOWS\KHALMNPR.Exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 21:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-28 20:09]
"WootAgent"="C:\Program Files\Woot Agent\WootAgent.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 11:00]
"Aim6"="" []
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 21:34]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 13:11]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winubg32]
winubg32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-06-23 00:00:00 C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - SixTen.job
2007-06-25 16:00:00 C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
2007-06-29 04:00:00 C:\WINDOWS\tasks\Symantec Drmc.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-30 03:14:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????<????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-30 3:15:30
C:\ComboFix-quarantined-files.txt ... 2007-06-30 03:14
C:\ComboFix2.txt ... 2007-06-28 22:25
C:\ComboFix3.txt ... 2007-06-28 22:17

--- E O F ---


Thanks,
SixTen

#8 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male

Posted 01 July 2007 - 07:54 AM

Hello SixTen :thumbsup:

Hmm.. didn't quite go to plan I'm afraid. Let's try this again, but can you please ensure that you are logged in to this forum before downloading the file attachment, and then can you repeat my last instructions..

Please run ComboFix and post the resultant log file along with a fresh HijackThis log

Thank you..

#9 SixTen

SixTen
  • Topic Starter

  • Members
  • 16 posts

Posted 02 July 2007 - 12:20 AM

Ok...I tried it again, and it did the same thing. When I drag the txt file into the exe file, the exe file opens.

Here is the log:

ComboFix 07-06-18.2 - C:\Documents and Settings\SixTen\Desktop\ComboFix.exe
"SixTen" - 2007-07-02 1:15:16 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\SixTen\Desktop\ComboFix_Do.txt


((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 )))))))))))))))))))))))))))))))


2007-06-28 23:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-28 22:14 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-28 22:12 <DIR> d-------- C:\HJT
2007-06-27 19:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-27 19:34 <DIR> d-------- C:\WINDOWS\LastGood
2007-06-27 19:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-26 03:14 <DIR> d-------- C:\WINDOWS\CSC
2007-06-26 02:52 <DIR> d-------- C:\backups
2007-06-26 02:22 59,480 --a------ C:\WINDOWS\system32\tmp14B6.tmp.dll
2007-06-25 19:58 59,480 --a------ C:\WINDOWS\system32\tmp12C1.tmp.dll
2007-06-25 10:06 59,480 --a------ C:\WINDOWS\system32\tmp699.tmp.dll
2007-06-25 02:36 59,480 --a------ C:\WINDOWS\system32\tmp54.tmp.dll
2007-06-25 02:15 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-06-25 01:59 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-06-25 01:42 59,480 --a------ C:\WINDOWS\system32\tmp141.tmp.dll
2007-06-25 01:35 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-24 10:55 135,018 --a------ C:\WINDOWS\ssqoml.dll
2007-06-24 10:01 59,435 --a------ C:\WINDOWS\system32\tmpF3.tmp.dll
2007-06-24 01:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-23 01:11 49,252 --a------ C:\WINDOWS\system32\ddaby.exe
2007-06-23 01:11 38,232 --a------ C:\WINDOWS\system32\l3cstp.dll.vir
2007-06-23 00:51 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-21 03:11 <DIR> d-------- C:\DOCUME~1\SixTen\APPLIC~1\Sonic
2007-06-21 03:08 <DIR> d-------- C:\DOCUME~1\SixTen\APPLIC~1\Leadertech
2007-06-18 02:39 <DIR> d-------- C:\Program Files\FLVPlayer
2007-06-12 01:48 <DIR> d-------- C:\Program Files\ffdshow
2007-06-10 01:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sophos
2007-06-10 01:48 <DIR> d-------- C:\savxpsa
2007-06-09 21:34 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-06-06 19:12 <DIR> d-------- C:\Program Files\LegendSoftware
2007-06-02 01:43 <DIR> d-------- C:\DOCUME~1\SixTen\APPLIC~1\Yahoo!
2007-06-02 01:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-06-02 01:30 <DIR> d-------- C:\Program Files\Yahoo!


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-01 19:43:24 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-27 23:03:11 -------- d-----w C:\Program Files\GSAK
2007-06-26 06:25:20 218,112 ----a-w C:\HijackThis.exe
2007-06-25 09:37:30 -------- d-----w C:\Program Files\Windows Desktop Search
2007-06-25 09:36:07 -------- d-----w C:\Program Files\Sony Handheld
2007-06-25 09:31:48 -------- d-----w C:\Program Files\Norton Internet Security
2007-06-25 09:24:10 -------- d-----w C:\Program Files\Common Files\LightScribe
2007-06-23 14:25:48 -------- d-----w C:\Program Files\QuickTime
2007-06-23 07:58:23 -------- d-----w C:\Program Files\music_now
2007-06-21 07:10:47 -------- d-----w C:\Program Files\Sonic
2007-06-21 07:10:41 -------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-06-10 01:27:01 -------- d--h--w C:\DOCUME~1\SixTen\APPLIC~1\Move Networks
2007-05-16 21:16:13 -------- d-----w C:\Program Files\HP
2007-05-16 21:15:36 -------- d-----w C:\Program Files\Hewlett-Packard
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-13 19:23:06 -------- d-----w C:\DOCUME~1\SixTen\APPLIC~1\Arcsoft
2007-05-09 07:02:47 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-07 23:14:06 -------- d-----w C:\Program Files\The Weather Channel Toolbar
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-20 15:56:41 3,683 ----a-w C:\WINDOWS\mozver.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2006-08-10 01:45:53 80 --sh--r C:\WINDOWS\system32\7D88E784F1.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-05-30 17:18]
{16baac29-a9ea-4f59-a3ea-66954d12b560}=C:\WINDOWS\system32\batlui.dll []
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}=C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll [2006-09-06 01:18]
{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}=C:\WINDOWS\system32\tmp14B6.tmp.dll [2007-06-26 02:22]
{2F85D76C-0569-466F-A488-493E6BD0E955}=C:\Program Files\Windows Desktop Search\dsWebAllow.dll [2006-03-26 22:44]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 13:29]
{AA1F9DDB-E605-4ba6-81D4-E427DEE012AD}=C:\WINDOWS\system32\TwcToolbarBho.dll [2006-10-26 07:12]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2006-10-12 11:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 00:05]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 16:50]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2005-12-12 14:39]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 11:57]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-08-01 17:26]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 16:45]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 23:25 C:\WINDOWS\KHALMNPR.Exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 21:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-28 20:09]
"WootAgent"="C:\Program Files\Woot Agent\WootAgent.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 11:00]
"Aim6"="" []
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 21:34]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 13:11]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winubg32]
winubg32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-06-23 00:00:00 C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - SixTen.job
2007-06-25 16:00:00 C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
2007-07-02 04:00:00 C:\WINDOWS\tasks\Symantec Drmc.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-02 01:17:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????<????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-02 1:18:32
C:\ComboFix-quarantined-files.txt ... 2007-07-02 01:18
C:\ComboFix2.txt ... 2007-06-30 03:15
C:\ComboFix3.txt ... 2007-06-28 22:25

--- E O F ---

Edited by SixTen, 02 July 2007 - 12:21 AM.


#10 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male

Posted 02 July 2007 - 02:14 PM

Hello SixTen :thumbsup:

Thank you for doing that for me. Let's try this now.

Copy and paste this 'Fix' into either Notepad or Wordpad for future reference, as you will be required to close down your browser when following these steps.

Please download the OTMoveIt from here:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Save it to your desktop.

Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\tmp14B6.tmp.dll
C:\WINDOWS\system32\tmp12C1.tmp.dll
C:\WINDOWS\system32\tmp699.tmp.dll
C:\WINDOWS\system32\tmp54.tmp.dll
C:\WINDOWS\system32\tmp141.tmp.dll
C:\WINDOWS\system32\tmpF3.tmp.dll
C:\WINDOWS\system32\ddaby.exe
C:\WINDOWS\system32\batlui.dll



Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Re-scan with HijackThis and post the new log, and can you please let me know how your system is running

Thank you..
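As an added example (not a tool from this thread, from ComboFix or from OTMoveIt), here is a Python script that parses the "Browser Helper Objects" block of a ComboFix log like the ones posted above and sorts the entries the way the helper did: randomly numbered tmp*.tmp.dll files in system32 become the list to hand to OTMoveIt, while registrations whose DLL ComboFix could not find on disk (it prints empty brackets, as it did for batlui.dll) are reported separately, since there is no file to move and only the CLSID registration is left to clean up. The category names and regexes are my own, and the sample block is constructed from entries in the log above.

```python
"""Triage the Browser Helper Objects block of a ComboFix log (added example)."""
import re
from dataclasses import dataclass

# ComboFix prints each BHO as:  {CLSID}=<dll path> [<file timestamp>]
# and prints [] when the DLL referenced by the registry is not on disk.
ENTRY_RE = re.compile(r"^\{([0-9A-Fa-f-]{36})\}=(.+?) \[([^\]]*)\]\s*$")
BHO_HEADER = "\\Explorer\\Browser Helper Objects]"
# Random temp-style names in system32, e.g. tmp14B6.tmp.dll (my own rule).
TEMP_DLL_RE = re.compile(r"^tmp[0-9A-Fa-f]+\.tmp\.dll$", re.IGNORECASE)

# Constructed sample: a subset of the BHO block from the log above, plus the
# start of the next section to show that parsing stops at the block boundary.
SAMPLE_BHO_BLOCK = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{16baac29-a9ea-4f59-a3ea-66954d12b560}=C:\WINDOWS\system32\batlui.dll []
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}=C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll [2006-09-06 01:18]
{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}=C:\WINDOWS\system32\tmp14B6.tmp.dll [2007-06-26 02:22]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 00:05]
"""


@dataclass
class BhoEntry:
    clsid: str
    path: str
    timestamp: str  # "" when ComboFix printed [] (DLL missing on disk)


def parse_bho_entries(log_text):
    """Return the BHO entries found under the Browser Helper Objects header."""
    entries = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Every registry header starts a new section; only the BHO one counts.
            in_section = line.endswith(BHO_HEADER)
            continue
        if not in_section or not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(BhoEntry(m.group(1), m.group(2), m.group(3).strip()))
    return entries


def classify(entry):
    """'orphan': registry points at a DLL ComboFix could not find;
    'temp-dll': temp-style name living in system32; 'other': everything else."""
    name = entry.path.rsplit("\\", 1)[-1]
    if entry.timestamp == "":
        return "orphan"
    if TEMP_DLL_RE.match(name) and "\\system32\\" in entry.path.lower():
        return "temp-dll"
    return "other"


def triage(log_text):
    """Split the BHO block into an OTMoveIt path list, orphan CLSIDs, and the rest."""
    entries = parse_bho_entries(log_text)
    return {
        "move": [e.path for e in entries if classify(e) == "temp-dll"],
        "orphan": [e.clsid for e in entries if classify(e) == "orphan"],
        "other": [e.path for e in entries if classify(e) == "other"],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_BHO_BLOCK)
    print("Paths for OTMoveIt:")
    for path in result["move"]:
        print("  " + path)
    print("Orphaned BHO registrations (no file to move, clean the CLSID key):")
    for clsid in result["orphan"]:
        print("  {" + clsid + "}")
    print("Remaining entries to review by hand:", len(result["other"]))
```

The "other" bucket is deliberately left for manual review: a vendor path under Program Files is not proof of legitimacy, and the script only automates the two patterns the thread actually acts on.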

#11 SixTen

SixTen
  • Topic Starter

  • Members
  • 16 posts

Posted 03 July 2007 - 01:12 PM

Thank you!

Here are the results from OTMoveIt:

DllUnregisterServer procedure not found in C:\WINDOWS\system32\tmp14B6.tmp.dll
C:\WINDOWS\system32\tmp14B6.tmp.dll NOT unregistered.
C:\WINDOWS\system32\tmp14B6.tmp.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tmp12C1.tmp.dll
C:\WINDOWS\system32\tmp12C1.tmp.dll NOT unregistered.
C:\WINDOWS\system32\tmp12C1.tmp.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tmp699.tmp.dll
C:\WINDOWS\system32\tmp699.tmp.dll NOT unregistered.
C:\WINDOWS\system32\tmp699.tmp.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tmp54.tmp.dll
C:\WINDOWS\system32\tmp54.tmp.dll NOT unregistered.
C:\WINDOWS\system32\tmp54.tmp.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tmp141.tmp.dll
C:\WINDOWS\system32\tmp141.tmp.dll NOT unregistered.
C:\WINDOWS\system32\tmp141.tmp.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tmpF3.tmp.dll
C:\WINDOWS\system32\tmpF3.tmp.dll NOT unregistered.
C:\WINDOWS\system32\tmpF3.tmp.dll moved successfully.
C:\WINDOWS\system32\ddaby.exe moved successfully.
File/Folder C:\WINDOWS\system32\batlui.dll not found.

Created on 07/03/2007 14:02:05

Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:07:53 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.woot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16baac29-a9ea-4f59-a3ea-66954d12b560} - C:\WINDOWS\system32\batlui.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\tmp14B6.tmp.dll (file missing)
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WootAgent] C:\Program Files\Woot Agent\WootAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF} (JInitiator 1.3.1.9) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\SixTen\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Thank you, I'm assuming I'll need to check some of the items and have HJT fix them, but I'll wait for you to let me know which ones. :thumbsup:

#12 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:29 AM

Posted 04 July 2007 - 09:36 AM

Hello SixTen :thumbsup:

Copy and paste this 'Fix' into either Notepad or Wordpad for future reference, as you will be required to close down your browser when following these steps.

Step 1

Yes, a few things to clear up, but you still need to create a new folder for HijackThis on the C: drive before we can use it.

Open My Computer ( Windows key + E )
then double click on Local Disk (C:)
Now right click and select
New > Folder and name it HJT.

Please now move HijackThis.exe into the new HJT folder.

Once you have done that, re-open HijackThis and select "Do a System Scan only" and place a checkmark in the boxes before the following entries:

O2 - BHO: (no name) - {16baac29-a9ea-4f59-a3ea-66954d12b560} - C:\WINDOWS\system32\batlui.dll (file missing)
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\tmp14B6.tmp.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O14 - IERESET.INF:
O16 - DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF} (JInitiator 1.3.1.9) -
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)

Close any Explorer windows which may be open and click the "Fix Checked" button.
Step 2

Now Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with a new HijackThis log
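
As an added example (not part of this thread, and not code from HijackThis or its author), here is a small Python parser for HJT O-section lines that flags the kinds of entries picked out in Step 1 above: "(file missing)" and "(no file)" orphans, the O16 entry with a blank download URL, and BHOs named tmp*.tmp.dll. The sample lines are copied from the log posted above, except one constructed O2 line with a placeholder CLSID.

```python
import re

# Constructed sample: HijackThis 1.99.1 lines copied from the log posted in this
# thread, plus one constructed O2 line (placeholder CLSID) standing in for a
# tmp*.tmp.dll BHO as it would have looked before OTMoveIt removed the file.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16baac29-a9ea-4f59-a3ea-66954d12b560} - C:\WINDOWS\system32\batlui.dll (file missing)
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\tmp14B6.tmp.dll (file missing)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\tmp12C1.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O16 - DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF} (JInitiator 1.3.1.9) -
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
TMP_DLL_RE = re.compile(r"\\tmp[0-9A-Fa-f]+\.tmp\.dll$", re.IGNORECASE)


def classify_target(target):
    """Status of the file/URL an entry points at; the order of the checks matters."""
    if target.count('"') % 2 == 1:
        # An odd number of quotes means HJT cut a quoted service command line at
        # its argument; the trailing "(file missing)" refers to the mangled path,
        # not to a file that is really gone. Review such lines by hand.
        return "truncated command line"
    if not target:
        return "no target"            # e.g. an O16 DPF entry with a blank URL
    if target == "(no file)":
        return "no file"              # registration left behind, file gone
    if target.endswith("(file missing)"):
        return "file missing"         # path recorded, file no longer on disk
    if TMP_DLL_RE.search(target):
        return "temp-named dll"       # tmpXXXX.tmp.dll names seen in this thread
    return "present"


def parse_entry(line):
    """Split one O-section line into section, kind, name, clsid, target, status."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.group("section", "kind", "rest")
    clsid = ""
    c = CLSID_RE.search(rest)
    if c:
        clsid = c.group(0)
        name = rest[:c.start()].strip(" -")          # "(no name)" for anonymous BHOs
        after = rest[c.end():].strip()
        if after.startswith("("):                    # O16 puts "(friendly name)" after the CLSID
            close = after.find(")")
            name = after[1:close]
            after = after[close + 1:].strip()
        # Everything after the separator is the path/URL, even if it contains " - "
        target = after.lstrip("- ").strip()
    else:
        # O20/O23 style: "name - [owner - ]target"; the last field is the target
        head, _, target = rest.rpartition(" - ")
        name = head.partition(" - ")[0]
        target = target.strip()
    return {"section": section, "kind": kind, "name": name, "clsid": clsid,
            "target": target, "status": classify_target(target)}


def parse_hjt_log(text):
    """Parse every recognisable O-section line; unrelated lines are skipped."""
    return [e for e in (parse_entry(l) for l in text.strip().splitlines()) if e]


def review(text):
    """Entries a helper would look at first: orphaned, blank or oddly named targets."""
    return [e for e in parse_hjt_log(text) if e["status"] != "present"]


if __name__ == "__main__":
    for e in review(SAMPLE_LOG):
        print(f'{e["section"]:<4} {e["status"]:<24} {e["name"] or e["clsid"]}')
```

Flagged entries are candidates for a closer look, not an automatic "Fix Checked" list; entries whose file exists and has a recognisable vendor, such as the Adobe, Spybot and WgaLogon lines in the sample, stay marked present.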
#13 SixTen

SixTen
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:12:29 PM

Posted 05 July 2007 - 02:26 PM

Hello, here is the log from the Kaspersky scan:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, July 05, 2007 3:21:46 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 5/07/2007
Kaspersky Anti-Virus database records: 358727
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 82190
Number of viruses found: 7
Number of infected objects: 23
Number of suspicious objects: 0
Duration of the scan process: 01:17:57

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0314\values Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-07-05_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00DC2FFA.exe Infected: not-a-virus:AdWare.Win32.180Solutions.as skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\12F24179/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.aki skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\12F24179/stream Infected: Trojan-Downloader.Win32.Zlob.aki skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\12F24179 NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\12F24179 UPX: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\12F24179 CryptFF: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\12F91572.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.aki skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\12F91572.exe/stream Infected: Trojan-Downloader.Win32.Zlob.aki skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\12F91572.exe NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\12F91572.exe UPX: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\12F91572.exe CryptFF: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\5AAEEAA9.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\77D06C80.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\SixTen\Application Data\MySpace\IM\Logs\MySpaceIM-20070626-031744.log Object is locked skipped
C:\Documents and Settings\SixTen\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\History\History.IE5\MSHist012007070520070706\index.dat Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Temp\~DF1647.tmp Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Temp\~DFA2F5.tmp Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Temp\~DFA99F.tmp Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Temp\~DFC57A.tmp Object is locked skipped
C:\Documents and Settings\SixTen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\SixTen\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\SixTen\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\eengine\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\QooBox\Quarantine\C\DOCUME~1\SixTen\APPLIC~1\tmp21.tmp.exe.vir Infected: Trojan.Win32.BHO.bd skipped
C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
C:\SWSETUP\MedCtrFP\Extras\ESPN\motionsetupmce.exe/WISE0010.BIN/WISE0008.BIN Infected: not-a-virus:Downloader.Win32.DigStream skipped
C:\SWSETUP\MedCtrFP\Extras\ESPN\motionsetupmce.exe/WISE0010.BIN Infected: not-a-virus:Downloader.Win32.DigStream skipped
C:\SWSETUP\MedCtrFP\Extras\ESPN\motionsetupmce.exe WiseSFX: infected - 2 skipped
C:\SWSETUP\MedCtrFP\Extras\ESPN\motionsetupmce.exe WiseSFX Dropper: infected - 2 skipped
C:\SWSETUP\MedCtrFP\Samples\BonusDVD.msi/ESPNInst/WISE0010.BIN/WISE0008.BIN Infected: not-a-virus:Downloader.Win32.DigStream skipped
C:\SWSETUP\MedCtrFP\Samples\BonusDVD.msi/ESPNInst/WISE0010.BIN Infected: not-a-virus:Downloader.Win32.DigStream skipped
C:\SWSETUP\MedCtrFP\Samples\BonusDVD.msi/ESPNInst Infected: not-a-virus:Downloader.Win32.DigStream skipped
C:\SWSETUP\MedCtrFP\Samples\BonusDVD.msi Embedded: infected - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_AC97 Soft Data Fax Modem with SmartCP.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B0E4E808-19CC-4A65-8BEE-410DC692E28D}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\ssqoml.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\l3cstp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\ddaby.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.af skipped
D:\Recycled\NPROTECT\NPROTECT.LOG Object is locked skipped

Scan process completed.


And the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:26:18 PM, on 7/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.woot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WootAgent] C:\Program Files\Woot Agent\WootAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\SixTen\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Thank you!
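Reading a HijackThis log like the ones posted in this thread is mostly triage: deciding which O2/O4/O20/O23 entries deserve a look first. The script below is an added example, not HijackThis, ComboFix or anything the helpers here use. It applies a handful of analyst heuristics (missing files, services with no owner, binaries under Temp or Documents and Settings, unnamed BHOs, logon hooks, random-looking DLL names sitting directly in the Windows directory) to lines copied from the log above, plus one constructed O2 entry with a placeholder CLSID standing in for the C:\WINDOWS\ssqoml.dll file that the Kaspersky scan flagged. The heuristics and the vowel-ratio threshold are assumptions chosen for illustration, and terse legitimate names can trip them, so treat the output as a reading order rather than a verdict.

```python
"""Triage a HijackThis log: flag the entries an analyst should read first.

Added example for this thread; not HijackThis, ComboFix or any tool the
helpers use here. Heuristics and thresholds are assumptions, not signatures.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# Lines copied from the HijackThis log posted above, plus one constructed
# O2 entry (placeholder CLSID) for the C:\WINDOWS\ssqoml.dll file that the
# Kaspersky scan in this thread reported as AdWare.Win32.Virtumonde.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\ssqoml.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\SixTen\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

SECTIONS = ("O2 ", "O3 ", "O4 ", "O9 ", "O20 ", "O21 ", "O23 ")

# First Windows path in the line, cut at the first executable extension so
# trailing arguments, stray quotes and "(file missing)" are left behind.
PATH_RE = re.compile(
    r"((?:[A-Za-z]:|%[^%\\]+%)\\.*?\.(?:exe|dll|com|scr|bat|cmd|pif|lnk))", re.I)

# Locations an unprivileged user (or a drive-by download) can write to.
USER_WRITABLE = re.compile(
    r"\\(Temp|DOCUME~1|Documents and Settings|LOCALS~1|APPLIC~1|Application Data)\\", re.I)


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def extract_path(line: str) -> str | None:
    target = line
    if line.startswith("O4 "):
        # O4 - HKLM\..\Run: [name] "path" args  -> keep only what follows ]
        m = re.search(r"\]\s*(.*)$", line)
        target = m.group(1).lstrip('"') if m else ""
    m = PATH_RE.search(target)
    return m.group(1) if m else None


def in_windows_dir(path: str) -> bool:
    # Assumption: %windir% expands to C:\WINDOWS, as on this machine.
    d = ntpath.dirname(path).lower().replace("%windir%", r"c:\windows")
    return d in (r"c:\windows", r"c:\windows\system32")


def looks_random(basename: str) -> bool:
    """Lower-case, letters-only, vowel-poor stems such as 'ssqoml'."""
    stem = ntpath.splitext(basename)[0]
    if not 5 <= len(stem) <= 10 or not stem.isalpha() or not stem.islower():
        return False
    vowels = sum(ch in "aeiouy" for ch in stem)
    return vowels / len(stem) < 0.25  # threshold is an assumption


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith(SECTIONS):
            continue
        f = Finding(line)
        if "(file missing)" in line:
            f.reasons.append("file missing")
        if line.startswith("O23 ") and "Unknown owner" in line:
            f.reasons.append("service with unknown owner")
        if line.startswith("O2 ") and "BHO: (no name)" in line:
            f.reasons.append("BHO with no name")
        if line.startswith(("O20 ", "O21 ")):
            f.reasons.append("loads at logon (Winlogon Notify / SSODL)")
        path = extract_path(line)
        if path:
            if USER_WRITABLE.search(path):
                f.reasons.append("binary in user-writable location")
            if in_windows_dir(path) and looks_random(ntpath.basename(path)):
                f.reasons.append("random-looking name in Windows directory")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line}\n    -> {', '.join(f.reasons)}")
```

Run as-is it prints five of the nine sample lines with their reasons. The hpdj service (no owner, a Temp path that no longer exists) collects the most, and a dead service pointing into a user's Temp folder is exactly the sort of leftover HijackThis fixes cleanly. The Symantec NppBho entry is flagged only for its missing name; the path under Symantec Shared tells you where to verify it. Real use needs an allowlist for terse Windows names (ctfmon.exe, for one) before the random-name rule is trusted.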

#14 ourwilly

Posted 06 July 2007 - 02:23 PM

Hello SixTen :thumbsup:

Can you delete everything that Norton has quarantined?

Step 1

Double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\ssqoml.dll
C:\WINDOWS\system32\l3cstp.dll.vir


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.



Step 2

Download the latest SmitfraudFix by S!Ri from either of these mirrors to your desktop:

http://siri.urz.free.fr/Fix/SmitfraudFix.zip
http://siri.geekstogo.com/SmitfraudFix.zip

Right click SmitfraudFix.zip and Extract (unzip) the SmitfraudFix folder inside to your desktop.
Open the SmitfraudFix folder and double-click "smitfraudfix.cmd"
Select option #1 - "Search" by typing "1" and press "Enter".
Please copy & paste the SmitfraudFix text file which appears back here.



Step 3

Run HijackThis, click on Open the Misc Tools Section
Click on Open ADS Spy
Uncheck the "Quick Scan"
Uncheck the "Ignore safe system info data streams"
Finally, click Scan button. ADS Spy will scan the system and report all the ADS present in the system.
More information, with a screenshot, can be found here.
Click Save log. I will need that later on.



Step 4

Please can you re-run ComboFix and post the resultant log file.

In your next reply please post

A new HJT log
The new ComboFix log
The smitrem log
and the ADS Spy log

Thank you.
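Step 3 above asks for an ADS Spy scan. For anyone curious what that scan actually does, the script below is an added example (not ADS Spy, HijackThis or any tool named in this thread): it enumerates NTFS alternate data streams with the kernel32 FindFirstStreamW/FindNextStreamW calls through ctypes, which is the documented way to list them, and filters out the two streams every scan shows in bulk, the file's own unnamed data stream and the Zone.Identifier stream browsers attach to downloads. That filter plays the role of the tool's "Ignore safe system info data streams" option; its list is an assumption for illustration, and the enumeration itself only works on Windows on an NTFS volume.

```python
"""Walk a tree and report NTFS alternate data streams, as an ADS scanner does.

Added example for this thread; not ADS Spy, HijackThis or any other tool
named above. Stream enumeration is Windows-only (kernel32 via ctypes); the
filtering of expected streams is plain Python and runs anywhere.
"""
from __future__ import annotations

import ctypes
import os
import sys
from typing import Iterator

MAX_PATH = 260
FIND_STREAM_INFO_STANDARD = 0          # STREAM_INFO_LEVELS.FindStreamInfoStandard
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Layout from the Win32 SDK: LARGE_INTEGER StreamSize; WCHAR cStreamName[MAX_PATH + 36]
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


# The unnamed data stream every file has, plus the mark-of-the-web stream
# browsers add to downloads. Assumption for illustration; extend as needed.
EXPECTED_STREAMS = {"::$data", ":zone.identifier:$data"}


def is_suspicious_stream(stream_name: str) -> bool:
    """True for any stream not on the expected list (names are case-insensitive)."""
    return stream_name.lower() not in EXPECTED_STREAMS


def list_streams(path: str) -> list[tuple[str, int]]:
    """All streams of one file as (name, size). Windows/NTFS only."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD, ctypes.byref(data), 0)
    if handle in (None, INVALID_HANDLE_VALUE):
        return []  # access denied, not NTFS, or nothing to enumerate
    streams: list[tuple[str, int]] = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break  # ERROR_HANDLE_EOF: no more streams on this file
    finally:
        k32.FindClose(handle)
    return streams


def walk_streams(root: str) -> Iterator[tuple[str, str, int]]:
    """Yield (file, stream, size) for every unexpected stream under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            for stream, size in list_streams(full):
                if is_suspicious_stream(stream):
                    yield full, stream, size


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("stream enumeration needs Windows with an NTFS volume")
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS"
    for full, stream, size in walk_streams(root):
        print(f"{full}{stream}  {size} bytes")
```

Run it with a directory as the only argument (default C:\WINDOWS); each hit prints as file:stream with its size, the same shape ADS Spy shows. Streams attached to directories rather than files are not visited, and a stream that merely exists proves nothing on its own; it is a place to look, which is why the log is wanted before anything in it is deleted.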

#15 SixTen (Topic Starter)

Posted 07 July 2007 - 12:48 AM

Thank you!

Here is the info you requested:

HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 1:24:32 AM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.woot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WootAgent] C:\Program Files\Woot Agent\WootAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\SixTen\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

ComboFix Log:
"SixTen" - 2007-07-07 1:20:38 - ComboFix 07-07-04.4 - Service Pack 2


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000025_.tmp.dll


((((((((((((((((((((((((( Files Created from 2007-06-07 to 2007-07-07 )))))))))))))))))))))))))))))))


2007-06-28 23:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-28 22:14 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-06-28 22:12 <DIR> d-------- C:\HJT
2007-06-27 19:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-27 19:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-26 03:14 <DIR> d-------- C:\WINDOWS\CSC
2007-06-26 02:52 <DIR> d-------- C:\backups
2007-06-25 02:15 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-06-25 01:59 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-06-25 01:35 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-24 01:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-23 00:51 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-21 03:11 <DIR> d-------- C:\DOCUME~1\SixTen\APPLIC~1\Sonic
2007-06-21 03:08 <DIR> d-------- C:\DOCUME~1\SixTen\APPLIC~1\Leadertech
2007-06-18 02:39 <DIR> d-------- C:\Program Files\FLVPlayer
2007-06-12 01:48 <DIR> d-------- C:\Program Files\ffdshow
2007-06-10 01:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sophos
2007-06-10 01:48 <DIR> d-------- C:\savxpsa
2007-06-09 21:34 1,152 --a------ C:\WINDOWS\system32\windrv.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-07 05:12:10 3,210 ----a-w C:\WINDOWS\system32\tmp.reg
2007-07-07 03:10:50 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-29 02:59:35 -------- d-----w C:\Program Files\Yahoo!
2007-06-27 23:03:11 -------- d-----w C:\Program Files\GSAK
2007-06-25 09:37:30 -------- d-----w C:\Program Files\Windows Desktop Search
2007-06-25 09:36:07 -------- d-----w C:\Program Files\Sony Handheld
2007-06-25 09:31:48 -------- d-----w C:\Program Files\Norton Internet Security
2007-06-25 09:24:10 -------- d-----w C:\Program Files\Common Files\LightScribe
2007-06-23 14:25:48 -------- d-----w C:\Program Files\QuickTime
2007-06-23 07:58:23 -------- d-----w C:\Program Files\music_now
2007-06-21 07:10:47 -------- d-----w C:\Program Files\Sonic
2007-06-21 07:10:41 -------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-06-10 01:42:58 -------- d-----w C:\DOCUME~1\SixTen\APPLIC~1\Yahoo!
2007-06-10 01:27:01 -------- d--h--w C:\DOCUME~1\SixTen\APPLIC~1\Move Networks
2007-06-06 23:12:20 -------- d-----w C:\Program Files\LegendSoftware
2007-05-16 21:16:13 -------- d-----w C:\Program Files\HP
2007-05-16 21:15:36 -------- d-----w C:\Program Files\Hewlett-Packard
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-13 19:23:06 -------- d-----w C:\DOCUME~1\SixTen\APPLIC~1\Arcsoft
2007-05-09 07:02:47 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-07 23:14:06 -------- d-----w C:\Program Files\The Weather Channel Toolbar
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-20 15:56:41 3,683 ----a-w C:\WINDOWS\mozver.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2006-08-10 01:45:53 80 --sh--r C:\WINDOWS\system32\7D88E784F1.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
2007-05-30 17:18 808472 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 05:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}]
2006-09-06 01:18 93400 -ra------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F85D76C-0569-466F-A488-493E6BD0E955}]
2006-03-26 22:44 265432 --------- C:\Program Files\Windows Desktop Search\dsWebAllow.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
2006-07-07 13:29 324416 --a------ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA1F9DDB-E605-4ba6-81D4-E427DEE012AD}]
2006-10-26 07:12 77824 --a------ C:\WINDOWS\system32\TwcToolbarBho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2006-10-12 11:38 2108480 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 00:05]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 16:50]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2005-12-12 14:39]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 11:57]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-08-01 17:26]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 16:45]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 23:25 C:\WINDOWS\KHALMNPR.Exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 21:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-28 20:09]
"WootAgent"="C:\Program Files\Woot Agent\WootAgent.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 11:00]
"Aim6"="" []
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 21:34]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 13:11]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-06-23 00:00:00 C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - SixTen.job
2007-06-25 16:00:00 C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
2007-07-07 04:00:00 C:\WINDOWS\tasks\Symantec Drmc.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-07 01:21:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????0?6?9?2??@???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-07 1:22:31
C:\ComboFix-quarantined-files.txt ... 2007-07-07 01:22
C:\ComboFix2.txt ... 2007-07-02 01:18
C:\ComboFix3.txt ... 2007-06-30 03:15

--- E O F ---

Smitfraud Log:
SmitFraudFix v2.200

Scan done at 1:11:54.67, Sat 07/07/2007
Run from C:\Documents and Settings\SixTen\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\SixTen


C:\Documents and Settings\SixTen\Application Data


Start Menu


C:\DOCUME~1\SixTen\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Broadcom 802.11b/g WLAN - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1C10345B-1B4D-4EF3-9324-C03660747CC0}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1C10345B-1B4D-4EF3-9324-C03660747CC0}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1C10345B-1B4D-4EF3-9324-C03660747CC0}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


Scanning for wininet.dll infection


End

ADS Spy Log:
C:\Documents and Settings\SixTen\Desktop\ComboFix.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\Desktop\ComboFixDo.txt : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\Desktop\OTMoveIt.exe : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\Desktop\SmitfraudFix.zip : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\Favorites\99 Novi Ice Cats.url : favicon (3638 bytes)
C:\Documents and Settings\SixTen\Favorites\Geocaching - The Official Global GPS Cache Hunt Site.url : favicon (7886 bytes)
C:\Documents and Settings\SixTen\Favorites\Guinness Wide Strip LS Rugby Shirt (Olive-Black).url : favicon (894 bytes)
C:\Documents and Settings\SixTen\Favorites\Michigan Geocaching Organization.url : favicon (894 bytes)
C:\Documents and Settings\SixTen\Favorites\My Prepay Account Online Login - Verizon Wireless.url : favicon (1406 bytes)
C:\Documents and Settings\SixTen\Local Settings\Application Data\Microsoft\ehome\Image.db : encryptable (0 bytes)
C:\Documents and Settings\SixTen\Local Settings\Application Data\Microsoft\ehome\musicThumbs.db : encryptable (0 bytes)
C:\Documents and Settings\SixTen\Local Settings\Temporary Internet Files\Content.IE5\HIXNPSPD\GlennMitSchedule.xls : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Pictures\Pics\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\SixTen\My Documents\My Pictures\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\SixTen\My Documents\My Received Files\Lever.jpg : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Received Files\Ses.jpg : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Received Files\Myspace Lillie 1.jpg : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Received Files\pumpkin.jpg : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Received Files\pumpkin (light).jpg : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Received Files\pumpkin2.jpg : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Received Files\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\3.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\7.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Angels.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\baddest.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Bat.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Big.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Bigs.mpg : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\BiggieSmalls.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\BigFish.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Black.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\BlackandWhite.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Blocked.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Blocked2.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Brazil.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\College.mpg : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Coupler.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Cut.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Cut2.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Dance.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Dirt.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\em.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Fingers.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\fruit.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Hear.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Home.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Home2.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Home3.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Home4.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Home5.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Home6.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Hundred.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\JulezSantana.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Melt.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Me.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Nest.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Nest1.mov : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Nice.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Perm.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Perm2.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Punk.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Sangria.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\sell.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Shaker.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Stain.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Stand.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Step.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Sunshine.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Tarp.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Tints.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\till.mov : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Top.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\TwoinOne.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam1.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam1.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam10.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\WebCam12.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam121.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam123.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\webcam1483-01.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\webcam1484-01.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam15.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\webcam152.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\webcam153.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\webcam15301.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam2.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\webcam21.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\webcam28.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam3.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam4.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam5.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\webcam695.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\webcam696.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\webcam697.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\webcam698.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam7.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam772.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam774.flv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam775.flv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam776.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam8.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam841.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam876.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam877.flv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam89.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam9.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\Webcam99.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\WebcamPR.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\WebcamTruth.wmv : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\My Documents\My Videos\XMAS.avi : Zone.Identifier (26 bytes)
C:\Documents and Settings\SixTen\NetHood\My Pictures on DESKTOP (Glenn)\Thumbs.db : encryptable (0 bytes)
C:\HJT\HijackThis.exe : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\about : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\ACM\lame.ico : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\ACM\lameACM.acm : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\ACM\LameACM.inf : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\ACM\lame_acm.xml : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\ACM\readme.txt : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\ACM\TODO : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\COPYING : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\FILE_ID.DIZ : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\html\basic.html : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\html\contributors.html : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\html\examples.html : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\html\history.html : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\html\id3.html : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\html\index.html : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\html\lame.css : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\html\modes.html : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\html\node6.html : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\html\presets.html : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\html\switchs.html : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\lame.exe : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\lame_enc.dll : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\LICENSE : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\misc\lame.bat : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\misc\Lame.vbs : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\misc\lame4dos.bat : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\misc\lameGUI.html : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\misc\lame_enc.ini : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\README : Zone.Identifier (26 bytes)
C:\Program Files\Audacity\USAGE : Zone.Identifier (26 bytes)
C:\Program Files\GSAK\favicon.ico : Zone.Identifier (26 bytes)
C:\Program Files\Hijackthis\HiJackThis_v2.exe : Zone.Identifier (26 bytes)
C:\Program Files\Internet Explorer\PLUGINS\weatherbug.gadget : Zone.Identifier (26 bytes)
C:\Program Files\Klient\bleepX.ksp : Zone.Identifier (26 bytes)
C:\Program Files\muvee Technologies\muvee autoProducer 4.5 - SE\Samples\Thumbs.db : encryptable (0 bytes)
C:\RECYCLER\NPROTECT\00019824.exe : Zone.Identifier (26 bytes)
C:\RECYCLER\NPROTECT\00019825.exe : Zone.Identifier (26 bytes)
C:\RECYCLER\S-1-5-21-1897967027-1181069208-4185554001-1005\Dc10.gpx : Zone.Identifier (26 bytes)
C:\RECYCLER\S-1-5-21-1897967027-1181069208-4185554001-1005\Dc11.gpx : Zone.Identifier (26 bytes)
C:\RECYCLER\S-1-5-21-1897967027-1181069208-4185554001-1005\Dc6.exe : Zone.Identifier (26 bytes)



Thanks again!