
Hijack This Log Help Would Be Appreciated


3 replies to this topic

#1 ofyjustin
Members, 14 posts

Posted 02 July 2007 - 08:02 PM

Logfile of HijackThis v1.99.1
Scan saved at 9:00:25 PM, on 7/2/2003
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\uqmbksuu.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\justin\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\saihfptm.dll",realset
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\justin\Local Settings\Temp\{116D89E7-DF0E-49E2-A348-57424B13C697}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/boardid/BoardID.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: iniwin32.dll c:\windows\system32\winspool.dll scanregw.dll c:\windows\system32\scanregw.dll wuauclt.dll C:\WINDOWS\system32\winspool.dll C:\WINDOWS\system32\wuauclt.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\anVzdGlu\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dhcpapi32 - Unknown owner - C:\WINDOWS\dhcpapi32.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\uqmbksuu.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - C:\Documents and Settings\justin\Desktop\SFUninstaller(2).exe" service (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: wsmon32 - Unknown owner - C:\WINDOWS\wsmon32.exe (file missing)

#2 RichieUK
Malware Assassin, Malware Response Team, 13,614 posts

Posted 03 July 2007 - 06:40 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, ofyjustin :thumbsup:

First please delete:
C:\Documents and Settings\justin\Desktop\HijackThis.exe

Now download and install Hijackthis.
This is a self-extracting version which will automatically install HJT to C:\Program Files\Hijackthis by default.
A desktop shortcut can be created during install under 'Select Additional Tasks'.

============================

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
This will change, from what we know in 2006. Read this article:
http://www.clickz.com/news/article.php/3561546

You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:

Viewpoint
Viewpoint Manager
Viewpoint Media Player


Then restart your pc.

============================

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.bat, and save it to your desktop.
Then double click on the fix.bat file on your desktop.
You'll see a black screen flash; that's normal.

@echo off
rem Stop, then unregister, the services from the log that have no vendor or a missing image file
sc stop DomainService
sc delete DomainService
sc stop wsmon32
sc delete wsmon32
sc stop cmdService
sc delete cmdService
sc stop SmartFinder_Uninstall
sc delete SmartFinder_Uninstall

Restart your pc.

============================

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions, starting from "Click the Scan for Vundo button", when VundoFix appears at reboot.

============================

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.


============================

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right-click on HijackThis.exe, select 'Rename', and rename it to abc.bat.
Double click on abc.bat (which is still HijackThis.exe) and post that log into your next reply, please.

Edited by RichieUK, 03 July 2007 - 06:47 AM.

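The reply above picks its targets from a handful of signals in the HijackThis log: O23 services with no vendor string or a "(file missing)" image, an O20 AppInit_DLLs value, O4 Run entries that are a bare filename or live directly in C:\WINDOWS, and orphaned or Windows-root O3 toolbars. The script below is an added example (not a tool from this thread or from BleepingComputer) that encodes those rules and emits the same `sc stop` / `sc delete` pairs the fix.bat uses. The rules are my heuristics, the severities are my labels, and the sample log is constructed from lines in post #1 plus two known-good controls. Treat "suspect" as a prompt, not a verdict: the blank-vendor rule would also hit the log's lxcj_device service, which the helper deliberately left alone.

```python
"""Triage a HijackThis (HJT) log with the signals a malware-response helper uses.

Added example, not a tool from the thread. Flags the entry classes the reply acted
on and prints the sc stop/delete pairs for suspect services.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: entries copied from the log in post #1 plus two known-good
# controls (ctfmon.exe and the ATI HotKey Poller service) that must not be flagged.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\saihfptm.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.mmohsix.com
O20 - AppInit_DLLs: iniwin32.dll c:\windows\system32\winspool.dll scanregw.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\anVzdGlu\command.exe (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\uqmbksuu.exe
O23 - Service: wsmon32 - Unknown owner - C:\WINDOWS\wsmon32.exe (file missing)
"""


@dataclass
class Finding:
    section: str      # HJT section tag ("O4", "O23", ...)
    severity: str     # "suspect": act on it; "review": needs a human judgement
    reason: str
    line: str
    service: str = ""  # service short name, only set for O23 findings


# Autorun targets directly under the Windows root (not system32) are rare for
# legitimate software and common for droppers; system32 paths are left alone here.
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
# display name [(short name)] - vendor - image path; an empty vendor prints as "- -"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?) ?- (?P<path>.+)$")


def split_command(cmd: str) -> tuple[str, str]:
    """Split a Run value into (first token, remainder), honouring a quoted first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, rest = cmd.partition(" ")
    return head, rest.strip()


def service_short_name(display: str) -> str:
    """'Command Service (cmdService)' -> 'cmdService'; without parentheses, the display name."""
    m = re.search(r"\(([^()]+)\)$", display)
    return m.group(1) if m else display


def check_line(line: str) -> Finding | None:
    """Apply the per-section rules to one HJT line; None means nothing to report."""
    if m := O23_RE.match(line):
        reasons = []
        if m["vendor"].strip() in ("", "Unknown owner"):
            reasons.append("no vendor/version info on the service image")
        if "(file missing)" in m["path"]:
            reasons.append("service image missing (pending drop, or already removed by AV)")
        if reasons:
            return Finding("O23", "suspect", "; ".join(reasons), line,
                           service=service_short_name(m["name"]))
        return None
    if m := O20_RE.match(line):
        return Finding("O20", "suspect",
                       "AppInit_DLLs set: these DLLs load into every process that maps user32.dll", line)
    if m := O4_RE.match(line):
        exe, rest = split_command(m["cmd"])
        if exe.lower().endswith("rundll32.exe"):          # check before the bare-name rule
            dll, _ = split_command(rest)
            return Finding("O4", "review", f"rundll32 loads {dll}; confirm the DLL is a known component", line)
        if "\\" not in exe:
            return Finding("O4", "suspect", "bare filename, resolved through the PATH search order", line)
        if WINROOT_RE.match(exe):
            return Finding("O4", "suspect", "autorun target sits in the Windows root", line)
        return None
    if m := O3_RE.match(line):
        if m["path"] == "(no file)":
            return Finding("O3", "review", "orphaned toolbar CLSID, safe to remove", line)
        if WINROOT_RE.match(m["path"]):
            return Finding("O3", "suspect", "toolbar DLL in the Windows root", line)
        return None
    if m := O15_RE.match(line):
        return Finding("O15", "review", f"site added to the IE Trusted Zone: {m['zone']}", line)
    return None


def triage(log_text: str) -> list[Finding]:
    """Run check_line over every non-empty line, keeping the log's order."""
    return [f for f in (check_line(l.strip()) for l in log_text.splitlines()) if f]


def sc_commands(findings: list[Finding]) -> list[str]:
    """The stop/delete pairs for suspect O23 services, in the fix.bat style of the reply."""
    cmds: list[str] = []
    for f in findings:
        if f.section == "O23" and f.severity == "suspect":
            name = f'"{f.service}"' if " " in f.service else f.service
            cmds += [f"sc stop {name}", f"sc delete {name}"]
    return cmds


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:7}] {f.section}: {f.reason}\n          {f.line}")
    print("\n".join(sc_commands(found)))
```

Run it as-is to see the ten findings from the sample and the six `sc` lines for cmdService, DomainService and wsmon32; to use it on a real log, pass the file contents to `triage()`. The O23 rule fires on both blank and "Unknown owner" vendors because HijackThis prints either when the image has no version resource, which is exactly the case for the unsigned droppers here but also for some legitimate unsigned drivers and printer services.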

#3 ofyjustin (Topic Starter)
Members, 14 posts

Posted 03 July 2007 - 08:58 PM

"justin" - 2003-07-03 21:43:54 - ComboFix 07-07-04.1 - Service Pack 2


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\yvvrjcsi.exe
C:\WINDOWS\system32\winzoa32.dll
C:\WINDOWS\system32\CmdGMT.dll
C:\WINDOWS\system32\yayvstq.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\justin\APPLIC~1.\asembl~1
C:\DOCUME~1\justin\APPLIC~1\NetMon
C:\DOCUME~1\justin\APPLIC~1\NetMon\domains.txt
C:\DOCUME~1\justin\APPLIC~1\NetMon\log.txt
C:\DOCUME~1\justin\MYDOCU~1.\appatc~1
C:\DOCUME~1\justin\MYDOCU~1.\mantec~1
C:\DOCUME~1\justin\MYDOCU~1.\mantec~1\dexplore.exe
C:\DOCUME~1\justin\MYDOCU~1.\mantec~1\MANTEC~1\!update-4115.0000
C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon\log.txt
C:\drsmartload45a.exe
C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\crosof~1\s?chost.exe
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Common Files\ppatch~2
C:\Program Files\Common Files\pppatc~1
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\tsks~1
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1716OinAdmin.exe
C:\Program Files\Common Files\Yazzle1716OinUninstaller.exe
C:\Program Files\Common Files\ymbols~1
C:\Program Files\crosof~1.net
C:\Program Files\e2g
C:\Program Files\e2g\IeBHOs.dll
C:\Program Files\fnts~1
C:\Program Files\inetget2
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\pppatc~1
C:\Program Files\racle~1
C:\Program Files\scurit~1
C:\Program Files\sstem~1
C:\Program Files\stem32~1
C:\Program Files\stem32~1\wuaclt.exe
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\whagent.ex_
C:\Program Files\Windows NT\hokesod58441.dll
C:\snowballwarsinstaller.exe
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\veracruz.exe
C:\WINDOWS\asks~1
C:\WINDOWS\asks~2
C:\WINDOWS\avp.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\cfg32o.dll
C:\WINDOWS\cfg32r.dll
C:\WINDOWS\cfg32s.dll
C:\WINDOWS\crosof~1.net
C:\WINDOWS\crosof~1.net\netdde.exe
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\curity~1
C:\WINDOWS\DOWNLO~1.\rave
C:\WINDOWS\DOWNLO~1.\rave\avirexe.vdm
C:\WINDOWS\DOWNLO~1.\rave\avirscr.vdm
C:\WINDOWS\DOWNLO~1.\rave\base.vdm
C:\WINDOWS\DOWNLO~1.\rave\daily.vdm
C:\WINDOWS\DOWNLO~1.\rave\daily.vdt
C:\WINDOWS\DOWNLO~1.\rave\filters.vdm
C:\WINDOWS\DOWNLO~1.\rave\kernel.vdk
C:\WINDOWS\DOWNLO~1.\rave\keyring.vdk
C:\WINDOWS\DOWNLO~1.\rave\mapi_vdm.vdm
C:\WINDOWS\DOWNLO~1.\rave\modules.vdk
C:\WINDOWS\DOWNLO~1.\rave\rav8def.vdm
C:\WINDOWS\DOWNLO~1.\rave\rufs.vdm
C:\WINDOWS\DOWNLO~1.\rave\rufsplg.vdm
C:\WINDOWS\DOWNLO~1.\rave\unarch.vdm
C:\WINDOWS\DOWNLO~1.\rave\unmail.vdm
C:\WINDOWS\DOWNLO~1.\rave\unpack.vdm
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\ecurit~1
C:\WINDOWS\fnts~1
C:\WINDOWS\icroso~1
C:\WINDOWS\icroso~1.net
C:\WINDOWS\keyboard11.exe
C:\WINDOWS\keyboard111.dat
C:\WINDOWS\mgrs.exe
C:\WINDOWS\mousepad11.exe
C:\WINDOWS\newname.dat
C:\WINDOWS\pi1_36.exe
C:\WINDOWS\ppatch~1
C:\WINDOWS\pppatc~1
C:\WINDOWS\ssembl~1
C:\WINDOWS\stem~1
C:\WINDOWS\system32\asembl~1
C:\WINDOWS\system32\crosof~1
C:\WINDOWS\system32\curity~1
C:\WINDOWS\system32\dnsersnd.dll
C:\WINDOWS\system32\driver.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drsmartload637a.exe
C:\WINDOWS\system32\ft_silentsudokuinstaller.exe
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\icroso~1
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\iniwin32.dll
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\mcroso~1.net
C:\WINDOWS\system32\mlno.dll
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe
C:\WINDOWS\system32\o05PrEz
C:\WINDOWS\system32\ppatch~1
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\setup94.exe
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\system32\sstem~1
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\sysmon32.exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\wcpsvit.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winspool.dll
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\winsys64.exe
C:\WINDOWS\system32\wmvds32.dll
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wuauclt.dll
C:\WINDOWS\teller2.chk
C:\WINDOWS\uninst2.htm
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\unist1.htm
C:\WINDOWS\vcttc012.exe
C:\WINDOWS\wr.txt
C:\WINDOWS\xmlhelper2.dll
C:\WINDOWS\ymbols~1
C:\WINDOWS\ystem3~1


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\core


((((((((((((((((((((((((( Files Created from 2003-06-04 to 2003-07-04 )))))))))))))))))))))))))))))))


2003-07-30 23:29 61,440 --a------ C:\WINDOWS\SYSTEM32\comLyricGetter.dll
2003-07-03 21:49 <DIR> d-------- C:\Program Files\E2G
2003-07-03 21:38 51,200 --a------ C:\WINDOWS\nircmd.exe
2003-07-03 21:36 <DIR> d-------- C:\VundoFix Backups
2003-07-03 07:09 28,672 --a------ C:\WINDOWS\SYSTEM32\syswin.exe
2003-07-02 23:03 <DIR> d-------- C:\Program Files\CCP
2003-07-01 20:53 56,320 --a------ C:\WINDOWS\pkill.exe
2003-07-01 20:53 274,424 --a------ C:\WINDOWS\us2.exe
2003-06-30 21:22 <DIR> d-------- C:\Program Files\MSXML 4.0
2003-06-30 21:22 <DIR> d-------- C:\cb3992ac3149f27c4bff219a
2003-06-30 09:26 <DIR> d-------- C:\Program Files\YourWare Solutions
2003-06-30 09:21 12,160 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mouhid.sys
2003-06-28 22:16 <DIR> d-------- C:\Program Files\Wizards of the Coast
2003-06-27 21:34 306,392 --a------ C:\WINDOWS\SYSTEM32\javasr32.dll
2003-06-27 21:33 10,752 --a------ C:\WINDOWS\SYSTEM32\tmrsrv32.exe
2003-06-06 10:21 81,920 --a------ C:\WINDOWS\SYSTEM32\eSellerateControl350.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-23 20:05:25 22,080 ----a-w C:\WINDOWS\system32\k4oQw85R.exe
2007-06-21 10:34:48 -------- d-----w C:\Program Files\Common Files\rwwo
2007-06-15 19:43:08 53,248 ----a-w C:\WINDOWS\uni_eh43.exe
2007-05-31 22:00:54 -------- d-----w C:\DOCUME~1\justin\APPLIC~1\Paltalk
2007-05-21 19:57:38 -------- d-----w C:\Program Files\Paltalk Messenger
2007-05-04 01:17:32 -------- d-----w C:\Program Files\AIM
2007-05-01 13:45:16 -------- d-----w C:\Program Files\AIM6
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-11 22:40:33 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-03-15 09:14:16 -------- d-----w C:\Program Files\Picasa2
2007-03-07 17:45:34 -------- d-----w C:\Program Files\ICQLite
2007-03-06 13:42:23 -------- d-----w C:\DOCUME~1\justin\APPLIC~1\Viewpoint
2007-03-02 16:14:41 -------- d-----w C:\Program Files\mIRC
2007-02-21 03:06:11 -------- d-----w C:\Program Files\MSN Messenger
2007-02-19 11:01:20 252,356 ----a-w C:\WINDOWS\b128.exe
2007-02-07 02:08:07 -------- d-----w C:\Program Files\Yazzle Snowball Wars
2007-02-04 03:41:07 -------- d-----w C:\DOCUME~1\justin\APPLIC~1\Talkback
2007-01-27 14:21:47 5,506 ----a-w C:\WINDOWS\mozver.dat
2007-01-19 17:53:04 51,056 ----a-w C:\WINDOWS\system32\sirenacm.dll
2006-12-31 00:34:16 -------- d-----w C:\Program Files\iTunes
2006-12-31 00:34:12 -------- d-----w C:\Program Files\iPod
2006-12-31 00:33:08 -------- d-----w C:\Program Files\QuickTime
2006-12-31 00:23:45 -------- d-----w C:\Program Files\Apple Software Update
2006-12-18 23:11:58 -------- d-----w C:\Program Files\Common Files\AOL
2006-12-02 13:09:35 391,519 ----a-w C:\WINDOWS\b129.exe
2006-11-20 17:03:13 -------- d-----w C:\Program Files\Virtools Web Player 3.0
2006-11-15 17:30:13 -------- d-----w C:\Program Files\Siber Systems
2006-11-14 04:40:43 -------- d-----w C:\Program Files\AOD
2006-11-08 05:06:13 679,424 ----a-w C:\WINDOWS\system32\inetcomm.dll
2006-11-04 18:14:00 1,245,696 ----a-w C:\WINDOWS\system32\msxml4.dll
2006-10-19 13:56:32 713,216 ----a-w C:\WINDOWS\system32\sxs.dll
2006-10-13 12:35:12 142,336 ----a-w C:\WINDOWS\system32\nwprovau.dll
2006-10-05 02:42:42 2,560 ----a-w C:\WINDOWS\system32\drivers\cdralw2k.sys
2006-10-05 02:42:42 2,432 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2006-09-27 21:53:22 36,560 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2006-09-19 20:44:04 15,664 ----a-w C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2006-09-19 20:43:58 109,360 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2006-09-13 05:01:56 1,084,416 ----a-w C:\WINDOWS\system32\msxml3.dll
2006-09-08 12:45:29 -------- d-----w C:\Program Files\ICQToolbar
2006-09-01 09:32:37 84,697 ----a-w C:\WINDOWS\b104.exe
2006-09-01 09:32:35 72,094 ----a-w C:\WINDOWS\b103.exe
2006-08-27 02:55:42 -------- d-----w C:\DOCUME~1\justin\APPLIC~1\Ideazon
2006-08-27 02:54:43 -------- d-----w C:\Program Files\Ideazon
2006-08-25 15:45:58 617,472 ----a-w C:\WINDOWS\system32\comctl32.dll
2006-08-22 08:05:26 498,742 ----a-w C:\WINDOWS\system32\dxmasf.dll
2006-08-21 13:52:08 246,814 ----a-w C:\WINDOWS\system32\strmdll.dll
2006-08-21 12:21:06 16,896 ----a-w C:\WINDOWS\system32\fltlib.dll
2006-08-21 09:14:58 23,040 ----a-w C:\WINDOWS\system32\fltmc.exe
2006-08-21 09:14:58 128,896 ----a-w C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-20 14:29:03 -------- d-----w C:\Program Files\Turbine
2006-08-20 03:49:28 -------- d-----w C:\DOCUME~1\justin\APPLIC~1\Azureus
2006-08-17 12:28:27 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2006-08-17 12:28:27 132,096 ----a-w C:\WINDOWS\system32\wkssvc.dll
2006-08-16 11:58:05 100,352 ----a-w C:\WINDOWS\system32\6to4svc.dll
2006-08-16 09:37:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2006-08-14 10:34:41 332,928 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2006-07-27 01:30:40 0 ----a-w C:\WINDOWS\system32\pre2.exe
2006-07-27 01:27:12 707 ----a-w C:\WINDOWS\_DEFAULT.PIF
2006-07-25 23:10:09 1,154 ----a-w C:\WINDOWS\checkip.dat
2006-07-21 08:24:43 72,704 ----a-w C:\WINDOWS\system32\hlink.dll
2006-07-13 08:48:58 202,240 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2006-07-13 05:16:12 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2006-07-06 16:48:36 -------- d-----w C:\Program Files\Common Files\xing shared
2006-07-06 16:48:31 -------- d-----w C:\Program Files\Common Files\Real
2006-06-28 15:12:19 139,264 ----a-w C:\WINDOWS\system32\lluhbaon.dll
2006-06-24 13:05:32 -------- d-----w C:\Program Files\MySpace
2006-06-24 01:55:55 -------- d-----w C:\DOCUME~1\justin\APPLIC~1\Google
2006-06-24 01:52:48 176,282 ----a-w C:\WINDOWS\GalleryPlayer Images Uninstaller.exe
2006-06-24 01:47:37 159,737 ----a-w C:\WINDOWS\Google Pack Screensaver Uninstaller.exe
2006-06-22 05:06:30 1,435,648 ----a-w C:\WINDOWS\system32\query.dll
2006-06-22 05:06:29 69,120 ----a-w C:\WINDOWS\system32\ciodm.dll
2006-06-14 09:00:45 82,944 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2006-06-14 08:47:46 6,400 ----a-w C:\WINDOWS\system32\drivers\splitter.sys
2006-06-14 08:47:45 172,416 ----a-w C:\WINDOWS\system32\drivers\kmixer.sys
2006-06-04 20:10:36 -------- d-----w C:\DOCUME~1\justin\APPLIC~1\MySpace
2006-05-24 03:07:30 362 ----a-w C:\WINDOWS\eecjk.dll
2006-05-14 18:21:33 -------- d-----w C:\Program Files\TrackMania Nations ESWC
2006-05-08 19:47:57 139,264 ----a-w C:\WINDOWS\system32\zvohte.dll
2006-05-05 09:47:57 174,592 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2006-05-05 09:41:45 453,120 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2006-04-27 03:43:34 20,480 ----a-w C:\WINDOWS\stub_track4.exe
2006-04-24 03:25:16 -------- d-----w C:\DOCUME~1\justin\APPLIC~1\Jasc Software Inc
2006-04-20 11:51:50 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2006-04-17 20:29:15 -------- d-----w C:\Program Files\DivX
2006-04-17 20:28:53 -------- d-----w C:\Program Files\XviD
2006-04-17 01:17:47 -------- d-----w C:\DOCUME~1\justin\APPLIC~1\Newsoft
2006-04-16 18:59:25 53 ----a-w C:\WINDOWS\bovewl.dat
2006-04-16 18:58:42 42,944 ----a-w C:\WINDOWS\pop06ap2.exe
2006-04-16 18:58:14 114,171 ----a-w C:\WINDOWS\chadch.exe
2006-04-16 18:57:39 67,528 ----a-w C:\WINDOWS\system32\mmxp2passion.exe
2006-04-13 06:56:58 778,240 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2006-04-13 06:56:58 778,240 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2006-04-13 06:56:58 761,856 ----a-w C:\WINDOWS\system32\divx_xx11.dll
1989-12-12 15:10:10 210,000 --sh--r C:\WINDOWS\eetbvak.exe
1989-12-12 15:10:10 440,000 --sh--r C:\WINDOWS\ttcspqs.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{805B5372-5E8D-06EA-8F76-4E177E2F0426}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 22:49]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 17:31]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" []
"Sen"="C:\DOCUME~1\justin\MYDOCU~1\MANTEC~1\dexplore.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"LDM"=C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
"rwwo"=C:\PROGRA~1\COMMON~1\rwwo\rwwom.exe
"Sen"="C:\DOCUME~1\MOMAND~1\MYDOCU~1\CROSOF~1.NET\wuauboot.exe" -vt ndrv
"Myohehf"=C:\Documents and Settings\Mom and Dad\Application Data\?dobe\l?gonui.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634C7583-74C6-4FEF-BD06-9721761A6815}"="C:\WINDOWS\system32\yayvstq.dll" []


Contents of the 'Scheduled Tasks' folder
2007-06-23 22:20:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-27 04:01:33 C:\WINDOWS\tasks\At1.job
2007-06-24 13:00:30 C:\WINDOWS\tasks\At10.job
2007-06-24 14:00:30 C:\WINDOWS\tasks\At11.job
2007-06-24 15:00:30 C:\WINDOWS\tasks\At12.job
2007-06-24 16:01:25 C:\WINDOWS\tasks\At13.job
2007-06-24 17:00:30 C:\WINDOWS\tasks\At14.job
2007-06-24 18:00:30 C:\WINDOWS\tasks\At15.job
2007-06-24 19:00:30 C:\WINDOWS\tasks\At16.job
2007-06-26 20:01:56 C:\WINDOWS\tasks\At17.job
2007-06-26 21:00:30 C:\WINDOWS\tasks\At18.job
2007-06-26 22:00:30 C:\WINDOWS\tasks\At19.job
2007-06-27 05:00:30 C:\WINDOWS\tasks\At2.job
2007-06-27 23:01:54 C:\WINDOWS\tasks\At20.job
2007-06-28 00:00:30 C:\WINDOWS\tasks\At21.job
2007-06-28 01:00:30 C:\WINDOWS\tasks\At22.job
2007-06-27 02:00:52 C:\WINDOWS\tasks\At23.job
2007-06-27 03:01:30 C:\WINDOWS\tasks\At24.job
2007-06-27 06:00:30 C:\WINDOWS\tasks\At3.job
2007-06-27 07:00:30 C:\WINDOWS\tasks\At4.job
2007-06-27 08:00:30 C:\WINDOWS\tasks\At5.job
2007-06-27 09:01:33 C:\WINDOWS\tasks\At6.job
2007-06-27 10:00:30 C:\WINDOWS\tasks\At7.job
2007-06-27 11:00:30 C:\WINDOWS\tasks\At8.job
2007-06-24 12:00:30 C:\WINDOWS\tasks\At9.job
2005-09-03 00:25:50 C:\WINDOWS\tasks\XoftSpy.job

**************************************************************************

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2003-07-03 21:51:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\updspapi.log:dgurw 36866 bytes executable
C:\WINDOWS\dhgax.log:kgmnj 36866 bytes executable
C:\WINDOWS\cdPlayer.ini:jqeci 35310 bytes executable
C:\WINDOWS\SETUPAPI.DEL:eqqrl 36866 bytes executable
C:\WINDOWS\SETUPERR.DEL:xeajbc 134048 bytes executable
C:\WINDOWS\SETUPLOG.DEL:urgzyy 66048 bytes executable
C:\WINDOWS\setuplog.txt:pekodm 11895 bytes executable
C:\WINDOWS\MSGSOCM.LOG:hwqrex 11758 bytes executable
C:\WINDOWS\MSGSOCM.LOG:ltrfyu 68608 bytes executable
C:\WINDOWS\COM+.log:nmcffv 66560 bytes executable
C:\WINDOWS\COMSETUP.LOG:rsddw 36866 bytes executable
C:\WINDOWS\CONTROL.INI:zmbcm 114485 bytes executable
C:\WINDOWS\rngctmp.txt:vpcjt 114485 bytes executable
C:\WINDOWS\stub20.ini:blmrgk 114485 bytes executable
C:\WINDOWS\afzzn.txt:qtrjgu 12123 bytes executable
C:\WINDOWS\aolback.exe.lnk:juboaf 36866 bytes executable
C:\WINDOWS\aolback.exe.lnk:vvmaim 114669 bytes executable
C:\WINDOWS\stub29.ini:sjwovm 68608 bytes executable
C:\WINDOWS\stub3.ini:noeodb 114485 bytes executable
C:\WINDOWS\stub35.ini:yqhzao 12558 bytes executable
C:\WINDOWS\stub5.ini:hlgoe 135321 bytes executable
C:\WINDOWS\stub53.ini:ohfse 134385 bytes executable
C:\WINDOWS\stub54.ini:syjej 114485 bytes executable
C:\WINDOWS\stub60.ini:dznof 36866 bytes executable
C:\WINDOWS\stub61.ini:sbbiu 36866 bytes executable
C:\WINDOWS\awmou.dat:nwfgcw 12123 bytes executable
C:\WINDOWS\bdoscandellang.ini:egzmn 35310 bytes executable
C:\WINDOWS\Blue Lace 16.bmp:oqiff 114659 bytes executable
C:\WINDOWS\Blue Lace 16.bmp:yluuvp 66560 bytes executable
C:\WINDOWS\ztsew.log:qkclo 35447 bytes executable
C:\WINDOWS\zufyx.log:ktnquc 12558 bytes executable
C:\WINDOWS\_DEFAULT.PIF:afksrs 66560 bytes executable
C:\WINDOWS\_DEFAULT.PIF:gwies 84502 bytes executable
C:\WINDOWS\_DEFAULT.PIF:hwhpkm 66560 bytes executable
C:\WINDOWS\_DEFAULT.PIF:nolil 84502 bytes executable
C:\WINDOWS\_DEFAULT.PIF:tfvbq 84502 bytes executable
C:\WINDOWS\_DEFAULT.PIF:tktyn 84502 bytes executable
C:\WINDOWS\_DEFAULT.PIF:wlwqj 35310 bytes executable
C:\WINDOWS\_DEFAULT.PIF:wtvgq 84502 bytes executable
C:\WINDOWS\_DEFAULT.PIF:yflysn 66048 bytes executable
C:\WINDOWS\_DEFAULT.PIF:yqoti 35310 bytes executable
C:\WINDOWS\_DEFAULT.PIF:zuhzn 35310 bytes executable
C:\WINDOWS\~GLH0000.TMP:adfrhd 35447 bytes executable
C:\WINDOWS\~GLH0000.TMP:aftwbe 68608 bytes executable
C:\WINDOWS\~GLH0000.TMP:agpwnf 66560 bytes executable
C:\WINDOWS\~GLH0000.TMP:ajmtl 35310 bytes executable
C:\WINDOWS\~GLH0000.TMP:ajymi 114669 bytes executable
C:\WINDOWS\~GLH0000.TMP:aoxlwr 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:arwyn 35447 bytes executable
C:\WINDOWS\~GLH0000.TMP:aweqqu 11895 bytes executable
C:\WINDOWS\~GLH0000.TMP:awqbs 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:axsrk 134385 bytes executable
C:\WINDOWS\~GLH0000.TMP:badazn 134234 bytes executable
C:\WINDOWS\~GLH0000.TMP:bdeoqs 134597 bytes executable
C:\WINDOWS\~GLH0000.TMP:bfnqpg 114659 bytes executable
C:\WINDOWS\~GLH0000.TMP:blkuy 35447 bytes executable
C:\WINDOWS\~GLH0000.TMP:brhey 35447 bytes executable
C:\WINDOWS\~GLH0000.TMP:cfslx 35447 bytes executable
C:\WINDOWS\~GLH0000.TMP:ctkuk 134385 bytes executable
C:\WINDOWS\~GLH0000.TMP:cwaonj 66048 bytes executable
C:\WINDOWS\~GLH0000.TMP:czdwbg 68608 bytes executable
C:\WINDOWS\~GLH0000.TMP:dbapq 114659 bytes executable
C:\WINDOWS\~GLH0000.TMP:dmvjwd 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:ekrqy 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:ffeuys 12123 bytes executable
C:\WINDOWS\~GLH0000.TMP:fhcbx 87486 bytes executable
C:\WINDOWS\~GLH0000.TMP:fjgug 84502 bytes executable
C:\WINDOWS\~GLH0000.TMP:fngsb 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:ftsxuj 133798 bytes executable
C:\WINDOWS\~GLH0000.TMP:fufamw 114485 bytes executable
C:\WINDOWS\~GLH0000.TMP:gdcrx 35447 bytes executable
C:\WINDOWS\~GLH0000.TMP:gddhe 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:gjwbrb 68608 bytes executable
C:\WINDOWS\~GLH0000.TMP:gsncjc 11758 bytes executable
C:\WINDOWS\~GLH0000.TMP:gyigb 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:hjflqn 66048 bytes executable
C:\WINDOWS\~GLH0000.TMP:hptajj 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:hwmknj 87598 bytes executable
C:\WINDOWS\~GLH0000.TMP:hwzmq 134385 bytes executable
C:\WINDOWS\~GLH0000.TMP:hxmvu 134597 bytes executable
C:\WINDOWS\~GLH0000.TMP:iatafx 11895 bytes executable
C:\WINDOWS\~GLH0000.TMP:imawk 84502 bytes executable
C:\WINDOWS\~GLH0000.TMP:iwwmlr 68608 bytes executable
C:\WINDOWS\~GLH0000.TMP:iybjr 86920 bytes executable
C:\WINDOWS\~GLH0000.TMP:jdsboy 35447 bytes executable
C:\WINDOWS\~GLH0000.TMP:jhefxa 12558 bytes executable
C:\WINDOWS\~GLH0000.TMP:jkkos 134385 bytes executable
C:\WINDOWS\~GLH0000.TMP:jpkmf 134385 bytes executable
C:\WINDOWS\~GLH0000.TMP:jukjb 35310 bytes executable
C:\WINDOWS\~GLH0000.TMP:jvbrlb 68608 bytes executable
C:\WINDOWS\~GLH0000.TMP:kagrgk 66560 bytes executable
C:\WINDOWS\~GLH0000.TMP:keief 114659 bytes executable
C:\WINDOWS\~GLH0000.TMP:kghurs 87636 bytes executable
C:\WINDOWS\~GLH0000.TMP:kjxva 87124 bytes executable
C:\WINDOWS\~GLH0000.TMP:kmdiwr 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:krnwkn 66560 bytes executable
C:\WINDOWS\~GLH0000.TMP:kzitt 35447 bytes executable
C:\WINDOWS\~GLH0000.TMP:lemid 134385 bytes executable
C:\WINDOWS\~GLH0000.TMP:llcwcb 12123 bytes executable
C:\WINDOWS\~GLH0000.TMP:loxqe 114659 bytes executable
C:\WINDOWS\~GLH0000.TMP:lqjweh 12123 bytes executable
C:\WINDOWS\~GLH0000.TMP:lzvkh 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:mtlnvs 66560 bytes executable
C:\WINDOWS\~GLH0000.TMP:mysex 87124 bytes executable
C:\WINDOWS\~GLH0000.TMP:nayud 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:nhsis 134415 bytes executable
C:\WINDOWS\~GLH0000.TMP:njuge 87124 bytes executable
C:\WINDOWS\~GLH0000.TMP:nlmmw 84502 bytes executable
C:\WINDOWS\~GLH0000.TMP:nmvnh 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:nxadhb 11895 bytes executable
C:\WINDOWS\~GLH0000.TMP:odaek 35310 bytes executable
C:\WINDOWS\~GLH0000.TMP:oeepa 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:ooavgz 12123 bytes executable
C:\WINDOWS\~GLH0000.TMP:ovfin 134647 bytes executable
C:\WINDOWS\~GLH0000.TMP:ozfuh 114659 bytes executable
C:\WINDOWS\~GLH0000.TMP:pitov 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:pqlgr 134415 bytes executable
C:\WINDOWS\~GLH0000.TMP:pvfrv 114659 bytes executable
C:\WINDOWS\~GLH0000.TMP:pwkjlx 11895 bytes executable
C:\WINDOWS\~GLH0000.TMP:qbgmt 35447 bytes executable
C:\WINDOWS\~GLH0000.TMP:qljfd 35310 bytes executable
C:\WINDOWS\~GLH0000.TMP:qoqvkr 11895 bytes executable
C:\WINDOWS\~GLH0000.TMP:qtrvmr 11758 bytes executable
C:\WINDOWS\~GLH0000.TMP:rdanuo 11895 bytes executable
C:\WINDOWS\~GLH0000.TMP:rdmpdm 11895 bytes executable
C:\WINDOWS\~GLH0000.TMP:relab 87124 bytes executable
C:\WINDOWS\~GLH0000.TMP:rglsvy 114485 bytes executable
C:\WINDOWS\~GLH0000.TMP:rjotb 87598 bytes executable
C:\WINDOWS\~GLH0000.TMP:rmhsb 134234 bytes executable
C:\WINDOWS\~GLH0000.TMP:rqvlag 11758 bytes executable
C:\WINDOWS\~GLH0000.TMP:seomvi 68608 bytes executable
C:\WINDOWS\~GLH0000.TMP:smkvtg 12123 bytes executable
C:\WINDOWS\~GLH0000.TMP:tdnhp 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:tggvkj 12558 bytes executable
C:\WINDOWS\~GLH0000.TMP:toepg 35310 bytes executable
C:\WINDOWS\~GLH0000.TMP:ubwgtx 11895 bytes executable
C:\WINDOWS\~GLH0000.TMP:ugaztc 11895 bytes executable
C:\WINDOWS\~GLH0000.TMP:uqkmd 86827 bytes executable
C:\WINDOWS\~GLH0000.TMP:uwxtsv 11895 bytes executable
C:\WINDOWS\~GLH0000.TMP:uzirz 133798 bytes executable
C:\WINDOWS\~GLH0000.TMP:vbzga 134126 bytes executable
C:\WINDOWS\~GLH0000.TMP:vdouhh 66048 bytes executable
C:\WINDOWS\~GLH0000.TMP:vrcjyr 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:vwqyfq 134647 bytes executable
C:\WINDOWS\~GLH0000.TMP:vylpb 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:wruops 11895 bytes executable
C:\WINDOWS\~GLH0000.TMP:xatkv 35447 bytes executable
C:\WINDOWS\~GLH0000.TMP:xgwzad 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:xivbo 35447 bytes executable
C:\WINDOWS\~GLH0000.TMP:xogtu 35447 bytes executable
C:\WINDOWS\~GLH0000.TMP:xrbnoz 68608 bytes executable
C:\WINDOWS\~GLH0000.TMP:xzjudm 134597 bytes executable
C:\WINDOWS\~GLH0000.TMP:yfmkv 35447 bytes executable
C:\WINDOWS\~GLH0000.TMP:yibip 84502 bytes executable
C:\WINDOWS\~GLH0000.TMP:yjgjc 87114 bytes executable
C:\WINDOWS\~GLH0000.TMP:ypmoa 134234 bytes executable
C:\WINDOWS\~GLH0000.TMP:yshye 84502 bytes executable
C:\WINDOWS\~GLH0000.TMP:ytkcou 11895 bytes executable
C:\WINDOWS\~GLH0000.TMP:yvpoog 12558 bytes executable
C:\WINDOWS\~GLH0000.TMP:zaqmd 36866 bytes executable
C:\WINDOWS\~GLH0000.TMP:zltkjb 87598 bytes executable
C:\WINDOWS\~GLH0000.TMP:zwqbj 35447 bytes executable
C:\WINDOWS\stub69.ini:uokocr 114659 bytes executable
C:\WINDOWS\stub70.ini:csvnut 12558 bytes executable
C:\WINDOWS\stub72.ini:ixqrjy 68608 bytes executable
C:\WINDOWS\stub74.ini:finzye 12558 bytes executable
C:\WINDOWS\stub78.ini:nmktk 134385 bytes executable
C:\WINDOWS\stub87.ini:roorj 36866 bytes executable
C:\WINDOWS\WIASERVC.LOG:nghcf 35447 bytes executable
C:\WINDOWS\sessmgr.setup.log:gqncp 36866 bytes executable
C:\WINDOWS\KB822603.log:recdw 114485 bytes executable
C:\WINDOWS\KB887472.log:okgffp 114659 bytes executable
C:\WINDOWS\KB887742.log:kqqpaz 114659 bytes executable
C:\WINDOWS\KB890046.log:crbuuj 12558 bytes executable
C:\WINDOWS\KB890046.log:ugybu 36866 bytes executable
C:\WINDOWS\tdlp32.ini:bryhim 11758 bytes executable
C:\WINDOWS\Thumbs.db:rlbzm 86810 bytes executable
C:\WINDOWS\SchedLgU.Txt:tongp 114485 bytes executable
C:\WINDOWS\SETUPACT.DEL:qgikqc 11758 bytes executable
C:\WINDOWS\stub26.ini:mnxcdf 12558 bytes executable
C:\WINDOWS\VBADDIN.INI:frjsff 66560 bytes executable
C:\WINDOWS\zgivn.log:rsdlzr 11895 bytes executable
C:\WINDOWS\ODBCINST.INI:ijqjpo 11758 bytes executable
C:\WINDOWS\ORUN32.ISU:elcjqm 11895 bytes executable
C:\WINDOWS\EXPLORER.SCF:geyfa 35310 bytes executable
C:\WINDOWS\xwdkf.log:nignx 87486 bytes executable
C:\WINDOWS\Zapotec.bmp:bjswcy 11758 bytes executable
C:\WINDOWS\DELL.BMP:vdvve 84502 bytes executable
C:\WINDOWS\IIS6.LOG:ofzcdr 68608 bytes executable
**************************************************************************

Completion time: 2003-07-03 21:54:20 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2003-07-03 21:53

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 9:57:14 PM, on 7/3/2003
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\abc.bat.exe
C:\WINDOWS\system32\cmd.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {805B5372-5E8D-06EA-8F76-4E177E2F0426} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\justin\MYDOCU~1\MANTEC~1\dexplore.exe" -vt yazb
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\justin\Local Settings\Temp\{116D89E7-DF0E-49E2-A348-57424B13C697}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/boardid/BoardID.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dhcpapi32 - Unknown owner - C:\WINDOWS\dhcpapi32.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
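
The `path:name N bytes executable` lines that catchme printed in the ComboFix log above are NTFS alternate data streams: executables attached to innocuous carrier files (`_DEFAULT.PIF`, `~GLH0000.TMP`, `Blue Lace 16.bmp`) that Explorer and a plain `dir` listing on Windows XP never show. As an added example, not code from the poster, from ComboFix or from Gmer, the following Python parser reads that line format (the format is assumed from the lines above) and groups the streams by carrier file and by payload size; the sample input is a constructed subset of the log. The size grouping goes a little beyond the log itself: when hundreds of streams share only a handful of distinct sizes, the same few payloads were dropped over and over, which is what the full listing above shows.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the catchme section of
# the ComboFix log above, plus banner lines that the parser must ignore.
CATCHME_SAMPLE = r"""
catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
scanning hidden files ...

C:\WINDOWS\updspapi.log:dgurw 36866 bytes executable
C:\WINDOWS\Blue Lace 16.bmp:oqiff 114659 bytes executable
C:\WINDOWS\Blue Lace 16.bmp:yluuvp 66560 bytes executable
C:\WINDOWS\_DEFAULT.PIF:afksrs 66560 bytes executable
C:\WINDOWS\_DEFAULT.PIF:gwies 84502 bytes executable
C:\WINDOWS\~GLH0000.TMP:adfrhd 35447 bytes executable
C:\WINDOWS\~GLH0000.TMP:aftwbe 68608 bytes executable
C:\WINDOWS\~GLH0000.TMP:aoxlwr 36866 bytes executable
**************************************************************************
"""

# One hidden-file line: "<host path>:<stream name> <size> bytes <kind>".
# The host may contain spaces ("Blue Lace 16.bmp"); the stream name never does.
ADS_LINE = re.compile(
    r"^(?P<host>[A-Za-z]:\\.+?):(?P<stream>[^:\s]+)\s+(?P<size>\d+) bytes (?P<kind>\S+)$"
)


@dataclass(frozen=True)
class HiddenStream:
    host: str     # visible file carrying the stream
    stream: str   # alternate data stream name (random letters in this log)
    size: int     # payload size in bytes
    kind: str     # catchme's classification, "executable" throughout this log


def parse_catchme_streams(lines):
    """Return every hidden-file line that names an alternate data stream."""
    found = []
    for raw in lines:
        m = ADS_LINE.match(raw.strip())
        if m:
            found.append(HiddenStream(m["host"], m["stream"], int(m["size"]), m["kind"]))
    return found


def group_by_host(streams):
    """Map each carrier file to the list of streams attached to it."""
    by_host = defaultdict(list)
    for s in streams:
        by_host[s.host].append(s)
    return dict(by_host)


def size_histogram(streams):
    """Count streams per payload size; repeats mean the same payload dropped again."""
    return Counter(s.size for s in streams)


def summarize(streams):
    """(host, stream count, total bytes) per carrier, busiest carrier first."""
    rows = [
        (host, len(ss), sum(s.size for s in ss))
        for host, ss in group_by_host(streams).items()
    ]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    streams = parse_catchme_streams(CATCHME_SAMPLE.splitlines())
    for host, count, total in summarize(streams):
        print(f"{count:3d} streams, {total:7d} bytes hidden in {host}")
    print("distinct payload sizes:", sorted(size_histogram(streams)))
```

Run against the full log rather than the sample, the carrier summary makes the cleanup target obvious (`~GLH0000.TMP` alone carries well over a hundred streams) and the size histogram collapses those hundreds of entries to a short list of payload sizes, which is the list worth submitting for identification.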

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 04 July 2007 - 08:45 AM

Warning.
There are several Backdoor Trojans present on your pc.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and botnets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one, if not an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breach.

==============================

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.bat to your desktop.
Then double click on the fix.bat file on your desktop.
You'll see a black screen flash, that's normal.

@echo off
rem stop the backdoor's service if it is running, then remove its registration
sc stop dhcpapi32
sc delete dhcpapi32


Restart your pc.

==============================

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\SYSTEM32\syswin.exe
C:\WINDOWS\SYSTEM32\javasr32.dll
C:\WINDOWS\SYSTEM32\tmrsrv32.exe
C:\WINDOWS\system32\k4oQw85R.exe
C:\WINDOWS\system32\lluhbaon.dll
C:\WINDOWS\system32\mmxp2passion.exe
C:\WINDOWS\system32\zvohte.dll
C:\WINDOWS\pop06ap2.exe
C:\WINDOWS\chadch.exe
C:\WINDOWS\stub_track4.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\b129.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b103.exe
C:\WINDOWS\eecjk.dll
C:\WINDOWS\bovewl.dat
C:\WINDOWS\eetbvak.exe
C:\WINDOWS\ttcspqs.exe

Folders to delete:
C:\DOCUME~1\justin\APPLIC~1\Viewpoint
C:\Program Files\Yazzle Snowball Wars

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

==============================

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the ActiveX control, please do so.
Once installed, disable your current antivirus program, then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

==============================

Download 'Blacklight Beta graphical user interface version' to your desktop:
https://europe.f-secure.com/blacklight/try.shtml
Accept the agreement, then download the program.
Click on Blacklight Beta on your desktop, accept that agreement, then hit Scan.
You'll see a list of all items found.
Don't choose rename yet!
I want to see the log first, legit items may be present.
There will be a log on your desktop with the name 'fsbl---log'.
Post the contents of that log in your next reply.

Also post a new Hijackthis log please.

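The reply above arrives at its fix.bat by reading the HijackThis log for entries that do not add up: a service with no vendor whose binary is missing, an autorun launched out of the user's profile, a site added to the Trusted Zone, and orphaned entries pointing at files that no longer exist. As an added example, not code from RichieUK, from BleepingComputer or from HijackThis, the Python below runs those checks over a constructed subset of the log posted above. The rules are heuristics assumed here for illustration, not anything HijackThis itself computes, and the output is a shortlist for a human: the same rule that surfaces `dhcpapi32` also matches the stale `ATI Smart` entry, which the reply deliberately left alone. `render_fix_bat` then writes the same `sc stop` / `sc delete` pair as the reply's fix.bat, but only for the service names the analyst confirms.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the HijackThis log posted above, chosen to
# exercise each rule below (one benign line per kind is included on purpose).
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {805B5372-5E8D-06EA-8F76-4E177E2F0426} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\justin\MYDOCU~1\MANTEC~1\dexplore.exe" -vt yazb
O15 - Trusted Zone: *.mmohsix.com
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe (file missing)
O23 - Service: dhcpapi32 - Unknown owner - C:\WINDOWS\dhcpapi32.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
"""

# Every HijackThis line starts with a section tag such as R1, O4 or O23.
ENTRY = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# "Service: <display> [(<key name>)] - <vendor> - <path>"; the vendor may be empty,
# which HijackThis prints as "- -", hence the optional space before the dash.
SERVICE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))? - (?P<vendor>.*?) ?- (?P<path>.+)$"
)
# Fragments that place an autorun inside a user-writable profile directory.
PROFILE_HINTS = ("docume~1", "documents and settings", "local settings", "\\temp\\", "applic~1")


@dataclass
class Finding:
    section: str
    severity: str
    reason: str
    raw: str
    service: Optional[str] = None  # service key name, for O23 findings only


def triage(lines):
    """Rule-based shortlist of HijackThis entries worth a human's attention."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        m = ENTRY.match(raw)
        if not m:
            continue
        section, body = m["section"], m["body"]
        if section == "O23":
            s = SERVICE.match(body)
            if not s:
                continue
            name = s["key"] or s["display"]       # what `sc` needs, not the display name
            no_vendor = s["vendor"].strip() in ("", "Unknown owner")
            missing = "(file missing)" in s["path"]
            if no_vendor and missing:
                findings.append(Finding(section, "high", "service with no vendor and a missing binary", raw, name))
            elif no_vendor:
                findings.append(Finding(section, "low", "service with no vendor string; verify the binary", raw, name))
            elif missing:
                findings.append(Finding(section, "low", "orphaned service entry", raw, name))
        elif section == "O4" and any(h in body.lower() for h in PROFILE_HINTS):
            findings.append(Finding(section, "medium", "autorun launched from a user-writable profile path", raw))
        elif section == "O15":
            findings.append(Finding(section, "medium", "site added to the IE Trusted Zone", raw))
        elif "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(section, "low", "orphaned entry pointing at a missing file", raw))
    return findings


def render_fix_bat(service_names):
    """Emit the stop-then-delete batch file for the services the analyst chose."""
    lines = ["@echo off"]
    for name in service_names:
        quoted = f'"{name}"' if " " in name else name  # sc needs quotes around spaces
        lines += [f"sc stop {quoted}", f"sc delete {quoted}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE.splitlines()):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.raw}")
    print(render_fix_bat(["dhcpapi32"]))
```

The service key name matters more than the display name: `sc stop` and `sc delete` take the key, which HijackThis shows in parentheses when it differs from the display name (`gusvc` above), so the parser prefers that field and falls back to the display name only when no key is printed, exactly the case for `dhcpapi32`.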