08-06-2007, 08:23 PM   #3
elau1026
Registered User
 
Join Date: Aug 2007
Posts: 10
OS: Win XP


Re: Help...!! Pop ups and viruses....

Here is the ComboFix log:

ComboFix 07-08-07.2 - "Eric" 2007-08-06 22:00:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.533 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\bold.log
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ActivationCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ProductCode
C:\DOCUME~1\Eric\APPLIC~1\tmp4CA.tmp.exe
C:\DOCUME~1\Eric\APPLIC~1\tmp4CC.tmp.exe
C:\DOCUME~1\Eric\APPLIC~1\tmp4CD.tmp.exe
C:\DOCUME~1\Eric\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\Eric\APPLIC~1\WinAntiVirus Pro 2007\avtasks.dat
C:\DOCUME~1\Eric\APPLIC~1\WinAntiVirus Pro 2007\CookieList.dat
C:\DOCUME~1\Eric\APPLIC~1\WinAntiVirus Pro 2007\history.db
C:\DOCUME~1\Eric\APPLIC~1\WinAntiVirus Pro 2007\Logs\update.log
C:\DOCUME~1\Eric\APPLIC~1\WinAntiVirus Pro 2007\Logs\wa7Support.log
C:\DOCUME~1\Eric\APPLIC~1\WinAntiVirus Pro 2007\Logs\winav.log
C:\DOCUME~1\Eric\APPLIC~1\WinAntiVirus Pro 2007\PGE.dat
C:\Program Files\Common Files\winantivirus pro 2007
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\wnsxs~1
C:\WINDOWS\icroso~1
C:\WINDOWS\system32\mqoadur.dll
C:\WINDOWS\system32\qwerty12.exe
C:\WINDOWS\system32\U5U617vR.exe
C:\WINDOWS\system32\wnsapisv32.exe
C:\WINDOWS\Tasks.\At25.job
C:\WINDOWS\Tasks.\At26.job
C:\WINDOWS\Tasks.\At27.job
C:\WINDOWS\Tasks.\At28.job
C:\WINDOWS\Tasks.\At29.job
C:\WINDOWS\Tasks.\At30.job
C:\WINDOWS\Tasks.\At31.job
C:\WINDOWS\Tasks.\At32.job
C:\WINDOWS\Tasks.\At33.job
C:\WINDOWS\Tasks.\At34.job
C:\WINDOWS\Tasks.\At35.job
C:\WINDOWS\Tasks.\At36.job
C:\WINDOWS\Tasks.\At37.job
C:\WINDOWS\Tasks.\At38.job
C:\WINDOWS\Tasks.\At39.job
C:\WINDOWS\Tasks.\At40.job
C:\WINDOWS\Tasks.\At41.job
C:\WINDOWS\Tasks.\At42.job
C:\WINDOWS\Tasks.\At43.job
C:\WINDOWS\Tasks.\At44.job
C:\WINDOWS\Tasks.\At45.job
C:\WINDOWS\Tasks.\At46.job
C:\WINDOWS\Tasks.\At47.job
C:\WINDOWS\Tasks.\At48.job
C:\WINDOWS\xhelper.dll
C:\WINDOWS\xmlhelper.dll
C:\WINDOWS\xmlhelper2.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-06 22:12 105,428 --a------ C:\WINDOWS\system32\mljjh.exe
2007-08-06 21:58 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-05 13:15 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-08-05 13:15 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-08-05 13:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-08-04 00:45 18 --a------ C:\WINDOWS\system32\dn184537be.dat
2007-08-04 00:40 13,380 --a------ C:\WINDOWS\system32\pmnligf.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-06 22:13 92702 --a------ C:\WINDOWS\system32\kbduiu.dll
2007-08-06 21:56 --------- d-------- C:\Program Files\Diablo II
2007-08-06 21:03 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-08-03 16:01 --------- d-------- C:\Program Files\Warcraft III
2007-07-06 14:47 --------- d-------- C:\Program Files\Google
2007-06-29 18:02 --------- d-------- C:\Program Files\7-Zip
2007-06-12 15:36 --------- d-------- C:\DOCUME~1\Eric\APPLIC~1\Viewpoint
2007-06-09 11:32 --------- d-------- C:\Program Files\Viewpoint
2007-06-09 11:32 --------- d-------- C:\Program Files\AIM6
2007-06-09 11:30 --------- d-------- C:\DOCUME~1\Eric\APPLIC~1\Comodo
2007-06-09 11:07 --------- d-------- C:\Program Files\Comodo
2007-06-08 21:07 --------- d-------- C:\Program Files\Alwil Software
2007-06-08 20:47 192587 --a------ C:\WINDOWS\system32\mwinrndt.exe
2007-06-08 20:35 --------- d-------- C:\Program Files\Go!Zilla
2006-12-04 00:31 23 --a------ C:\WINDOWS\java\Packages\Data\UBNF1R9F.DAT
2006-12-04 00:31 1245 --a------ C:\WINDOWS\java\Packages\Data\AJ3ZN1ZZ.DAT
2006-03-29 20:56 2814 --a------ C:\WINDOWS\java\Packages\Data\7BN7VRFB.DAT
2006-03-29 20:56 23 --a------ C:\WINDOWS\java\Packages\Data\C9Z9JFLR.DAT
2006-03-29 17:50 23 --a------ C:\WINDOWS\java\Packages\Data\UVR13F5J.DAT
2006-03-29 17:50 1105 --a------ C:\WINDOWS\java\Packages\Data\AN9RB7RF.DAT
2006-02-04 05:01 23 --a------ C:\WINDOWS\java\Packages\Data\V7B577P3.DAT
2006-02-04 05:01 1105 --a------ C:\WINDOWS\java\Packages\Data\31VTBZTV.DAT
2004-01-22 23:57 2814 --a------ C:\WINDOWS\java\Packages\Data\PR57JNLB.DAT
2004-01-22 23:57 23 --a------ C:\WINDOWS\java\Packages\Data\TRP3JZBR.DAT
2004-01-21 18:56 23 --a------ C:\WINDOWS\java\Packages\Data\53N1JHBR.DAT
2004-01-21 18:56 1324 --a------ C:\WINDOWS\java\Packages\Data\HV133RHV.DAT
2004-01-21 18:50 23 --a------ C:\WINDOWS\java\Packages\Data\K6Y13DNX.DAT
2004-01-21 18:50 1105 --a------ C:\WINDOWS\java\Packages\Data\Z1BBNJ5Z.DAT
2003-12-12 00:50 1105 --a------ C:\WINDOWS\java\Packages\Data\TVLNLFF1.DAT
2003-06-06 01:09 1324 --a------ C:\WINDOWS\java\Packages\Data\P3LRBL3P.DAT
2003-04-22 19:40 2678 --a------ C:\WINDOWS\java\Packages\Data\XV713P75.DAT
2003-04-22 19:40 2678 --a------ C:\WINDOWS\java\Packages\Data\XRPB3XBH.DAT
2003-04-22 19:40 2678 --a------ C:\WINDOWS\java\Packages\Data\VRB1RPBH.DAT
2003-04-22 19:40 2678 --a------ C:\WINDOWS\java\Packages\Data\GNL7FFP3.DAT
2003-04-22 19:40 2678 --a------ C:\WINDOWS\java\Packages\Data\5F7T7DNH.DAT
2003-01-28 14:21 17144 --a------ C:\DOCUME~1\Eric\APPLIC~1\GDIPFONTCACHEV1.DAT
2003-01-17 12:22 3513 --a------ C:\Program Files\setuplog.txt
2003-01-16 13:10 23 --a------ C:\WINDOWS\java\Packages\Data\6LV793NX.DAT
2003-01-16 13:10 23 --a------ C:\WINDOWS\java\Packages\Data\4DRLV57D.DAT
2003-01-16 13:10 1299 --a------ C:\WINDOWS\java\Packages\Data\ZV3P3PBD.DAT
2003-01-16 13:10 1299 --a------ C:\WINDOWS\java\Packages\Data\7BV9V1RV.DAT
2002-06-17 13:48 538810 --a------ C:\Program Files\wait.bmp
2001-11-23 08:08 712704 -ra------ C:\WINDOWS\inf\OTHER\audio3d.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-01-28 12:16 C:\WINDOWS\mixer.exe]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 12:35]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"DeadAIM"="C:\Program Files\AIM95\\DeadAIM.ocm" [2003-02-24 16:11]
"CTRegRun"="C:\WINDOWS\CTRegRun.EXE" [1999-10-10 13:01]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\ctnotify.exe" []
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 04:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-06-09 11:07]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-02-24 08:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares Lite Edition\Ares.exe" [2005-02-22 22:52]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-28 23:41]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 14:47]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-05 13:09:29]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2003-10-09 15:08:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kbduiu]
kbduiu.dll 2007-08-06 22:13 92702 C:\WINDOWS\system32\kbduiu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\pmnligf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\376@NXN5X72WT@]
C:\WINDOWS\System32\Qdxc4jKS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

R0 Inspect;Comodo Network Engine;C:\WINDOWS\System32\DRIVERS\inspect.sys
R1 NPPTNT;NPPTNT;\??\C:\WINDOWS\System32\npptNT.sys
R2 NAVAPEL;NAVAPEL;\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys
R3 cmpci;C-Media PCI Audio Driver (WDM);C:\WINDOWS\System32\drivers\cmaudio.sys
R3 NAVAP;NAVAP;\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP.sys
S3 AMDPCI;AMDPCI;\??\C:\DOCUME~1\Eric\LOCALS~1\Temp\AMDPCI.sys
S3 Bridge;MAC Bridge;C:\WINDOWS\System32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\System32\DRIVERS\bridge.sys
S3 FTDIBUS;USB Serial Converter Driver;C:\WINDOWS\System32\drivers\ftdibus.sys
S3 FTSER2K;USB Serial Port Driver;C:\WINDOWS\System32\drivers\ftser2k.sys
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys
S3 nm;Network Monitor Driver;C:\WINDOWS\System32\DRIVERS\NMnt.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys
S3 Ptserli;PCTEL Serial Device Driver for INTEL;C:\WINDOWS\System32\DRIVERS\ptserli.sys
S3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\System32\Drivers\RootMdm.sys
S3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\System32\DRIVERS\USRpdA.sys


Contents of the 'Scheduled Tasks' folder
2007-08-05 22:36:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-06 04:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\System32\6WVn3nnY.exe
2007-08-06 13:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\System32\6WVn3nnY.exe
2007-08-06 14:00:00 C:\WINDOWS\Tasks\At11.job
2007-08-06 15:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\System32\6WVn3nnY.exe
2007-08-06 16:00:00 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\System32\6WVn3nnY.exe
2007-08-06 17:00:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\System32\6WVn3nnY.exe
2007-08-06 18:00:00 C:\WINDOWS\Tasks\At15.job
2007-08-06 19:00:00 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\System32\6WVn3nnY.exe
2007-08-06 20:00:00 C:\WINDOWS\Tasks\At17.job
2007-08-06 21:00:00 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\System32\6WVn3nnY.exe
2007-08-06 22:00:00 C:\WINDOWS\Tasks\At19.job
2007-08-06 05:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\System32\6WVn3nnY.exe
2007-08-06 23:00:00 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\System32\6WVn3nnY.exe
2007-08-07 00:00:00 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\System32\6WVn3nnY.exe
2007-08-07 01:00:00 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\System32\6WVn3nnY.exe
2007-08-07 02:00:00 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\System32\6WVn3nnY.exe
2007-08-06 03:00:00 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\System32\6WVn3nnY.exe
2007-08-06 06:00:00 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\System32\6WVn3nnY.exe
2007-08-06 07:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\System32\6WVn3nnY.exe
2007-08-06 08:00:00 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\System32\6WVn3nnY.exe
2007-08-06 09:00:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\System32\6WVn3nnY.exe
2007-08-06 10:00:00 C:\WINDOWS\Tasks\At7.job
2007-08-06 11:00:00 C:\WINDOWS\Tasks\At8.job
2007-08-06 12:00:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\System32\6WVn3nnY.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 22:13:03
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-06 22:15:16 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-06 22:15

--- E O F ---




And here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:22:39 PM, on 8/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Eric\Desktop\Yay\analyze.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\ctnotify.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/game...s/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/gam...ts/y/tt5_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/game...ts/y/ot0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/game...ts/y/wt0_x.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...gCode=en&pers=
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework...ex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://cam.cs.cmu.edu/kxhcm10.ocx
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail.cgsinc.com/iNotes6W.cab
O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelprocessing.com/Sa.../WalletCab.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web591.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/game...lugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1186334110578
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab55579.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2873BC0F-45A5-4ECB-AC7F-126E7784A40E}: NameServer = 66.92.159.2,216.231.41.2
O20 - AppInit_DLLs: c:\windows\system32\pmnligf.dll
O20 - Winlogon Notify: kbduiu - C:\WINDOWS\SYSTEM32\kbduiu.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 8826 bytes