Here it is, Reid, thanks again.
- Logfile MSNCleaner 1.4.2 by www.forospyware.com
- Created Logfile: 08/10/2007 on 1:10:16 AM
- Operative System: Windows XP
- Boot mode: Safe mode
_________________________________________
Detected files: 2
Deleted file: 2
Undeleted Files: 0
C:\log.txt <--- Deleted
C:\WINDOWS\svchost.exe <--- Deleted
Host file Restored
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ComboFix 07-10-08.3 - Zach 2007-10-08 1:20:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1580 [GMT -4:00]
Running from: C:\Documents and Settings\Zach\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\LocalService\Application Data\install.dat
C:\Documents and Settings\LocalService\Application Data\install.dat
C:\Documents and Settings\NetworkService\Application Data\install.dat
C:\Documents and Settings\NetworkService\Application Data\install.dat
C:\Documents and Settings\Zach\Local Settings\Application Data.\n.ini
C:\Program Files\Movie Maker\rtemelo.html
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\SecCenter\scprot4.exe.bak
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\g32.txt
C:\WINDOWS\IA
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\s32.txt
C:\WINDOWS\system32\boa.dat
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\f06WtR
C:\WINDOWS\system32\help.txt
C:\WINDOWS\system32\k.dat
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\n.ini
C:\WINDOWS\system32\n2.ini
C:\WINDOWS\system32\ymante~1
C:\WINDOWS\system32\ymante~1\?ymantec\
C:\WINDOWS\system32\Z1
C:\WINDOWS\ws386.ini
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_ASC3550P
-------\LEGACY_ASPIMGR
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NTIO256
-------\LEGACY_NTMLSVC
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_SMTPDRV
-------\aspimgr
-------\NtmlSvc
((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.
2007-10-08 01:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-08 01:09 <DIR> d-------- C:\BackUpMSNCleaner
2007-10-06 18:43 <DIR> d-------- C:\Deckard
2007-09-30 06:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-25 03:23 18,944 --a------ C:\WINDOWS\system32\pgd.dll
2007-09-16 01:26 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2007-09-16 01:22 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2007-09-16 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 01:06 --------- d-------- C:\Program Files\Warcraft III
2007-10-06 16:14 --------- d-------- C:\Program Files\Rogers
2007-10-03 23:08 --------- d-------- C:\Program Files\World of Warcraft
2007-09-30 23:47 --------- d-------- C:\Program Files\Steam
2007-09-28 15:47 --------- d-------- C:\Program Files\Tyzhnddw
2007-09-28 15:42 --------- d-------- C:\Program Files\Qoswziws
2007-09-28 15:42 --------- d-------- C:\Program Files\Pfpkguqy
2007-09-28 15:27 --------- d-------- C:\Program Files\Isebbczd
2007-09-28 15:22 --------- d-------- C:\Program Files\Gwzlwfym
2007-09-28 15:19 --------- d-------- C:\Program Files\Bhmoxunj
2007-09-23 21:56 --------- d-------- C:\Program Files\BitLord
2007-09-12 22:02 --------- d-------- C:\Program Files\MSN Messenger
2007-09-08 22:22 --------- d-------- C:\Program Files\WC3Banlist
2007-09-07 23:57 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-07 23:57 --------- d-------- C:\Program Files\Creative
2007-09-07 23:20 --------- d-------- C:\Documents and Settings\Zach\Application Data\Creative
2007-09-07 22:58 --------- d--h----- C:\Program Files\Creative Installation Information
2007-09-07 22:58 --------- d-------- C:\Program Files\Common Files\Creative
2007-09-06 19:19 --------- d-------- C:\Documents and Settings\Zach\Application Data\Google
2007-09-06 18:09 --------- d-------- C:\Documents and Settings\Zach\Application Data\Real
2007-09-06 18:03 --------- d-------- C:\Program Files\Google
2007-09-06 18:03 --------- d-------- C:\Program Files\Common Files\xing shared
2007-09-06 18:03 --------- d-------- C:\Program Files\Common Files\Real
2007-09-06 18:03 --------- d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-09-06 17:37 --------- d-------- C:\Program Files\Xilisoft
2007-09-06 17:37 --------- d-------- C:\Program Files\QuickTime
2007-09-06 17:22 --------- d-------- C:\Program Files\Avex
2007-09-06 06:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 06:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 06:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 06:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 06:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-29 14:02 --------- d-------- C:\Program Files\Alwil Software
2007-08-23 10:24 --------- d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-08-23 08:40 77312 --a------ C:\WINDOWS\ua2.dll
2007-08-23 08:34 --------- d-------- C:\Program Files\qnanojwt
2007-08-23 08:32 111 --a------ C:\WINDOWS\system32\drivers\fee
2007-08-15 18:03 --------- d-------- C:\Documents and Settings\Zach\Application Data\Apple Computer
2007-08-15 18:02 --------- d-------- C:\Program Files\Apple Software Update
2007-08-15 18:01 --------- d-------- C:\Program Files\Common Files\Apple
2007-08-15 18:01 --------- d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-07-15 03:21 196608 --a------ C:\BNCSutil.dll
2006-03-06 05:03 456 --a------ C:\Program Files\INSTALL.LOG
2006-02-04 01:49 251 --a------ C:\Program Files\wt3d.ini
2006-02-03 22:23:15 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38D55A70-E975-996F-2411-01092EBA6C2B}]
C:\Program Files\Pfpkguqy\ytuluoee.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2290D4-C3F1-4bb5-91E6-D0B806A8663A}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED12044A-04F8-44BF-A394-8D4D04B2F93D}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F369DA09-FADE-44CB-987F-E2E0DEF51BCA}]
2007-09-25 03:23 18944 --a------ C:\WINDOWS\system32\pgd.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-04 19:03]
"nwiz"="nwiz.exe" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-04 19:03]
"iss7328"="c:\ebmno.exe" []
"ykmyegiy"="C:\Program Files\Qoswziws\ykmyegiy.exe" []
"btmnixix"="C:\Program Files\Gwzlwfym\btmnixix.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06]
"dcadqtgp"="C:\Program Files\Bhmoxunj\dcadqtgp.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-06 18:03]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 01:00]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-07 23:48]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-07 23:04]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Scbu"="C:\WINDOWS\system32\YMANTE~1\spoolsv.exe" -vt yazb
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjcr32]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
ARPWRMSG.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
"C:\Program Files\DISC\DISCover.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
"C:\Program Files\DISC\DiscUpdateMgr.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
"c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
"C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet /keeploaded /nodetect
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNPSTD2]
C:\WINDOWS\vsnpstd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpamBlocker]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSP Notifier]
"C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Fixer]
"C:\Program Files\Ultimate Fixer\UltimateFixer.exe" hide
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IAANTMON"=2 (0x2)
"CCALib8"=2 (0x2)
"iPodService"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"Pml Driver HPZ12"=0 (0x0)
"NVSvc"=2 (0x2)
"NMSAccess"=2 (0x2)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"ELService"=2 (0x2)
"AresChatServer"=3 (0x3)
"NtmlSvc"=2 (0x2)
"aspimgr"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;C:\WINDOWS\system32\drivers\cxfalcon.sys
S3 GENERICDRV;GENERICDRV;\??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\pftF9.tmp\amifldrv.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 snpstd2;USB PC Camera (SN9C103);C:\WINDOWS\system32\DRIVERS\snpstd2.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
S3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-05 15:04:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-24 04:00:28 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 01:24:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-08 1:26:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-08 01:26
.
--- E O F ---
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:43 AM, on 08/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38D55A70-E975-996F-2411-01092EBA6C2B} - C:\Program Files\Pfpkguqy\ytuluoee.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: H - {5C2290D4-C3F1-4bb5-91E6-D0B806A8663A} - parety.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: 0 - {ED12044A-04F8-44BF-A394-8D4D04B2F93D} - (no file)
O2 - BHO: CBho Class - {F369DA09-FADE-44CB-987F-E2E0DEF51BCA} - C:\WINDOWS\system32\pgd.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iss7328] c:\ebmno.exe
O4 - HKLM\..\Run: [ykmyegiy] C:\Program Files\Qoswziws\ykmyegiy.exe
O4 - HKLM\..\Run: [btmnixix] C:\Program Files\Gwzlwfym\btmnixix.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dcadqtgp] C:\Program Files\Bhmoxunj\dcadqtgp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Scbu] "C:\WINDOWS\system32\YMANTE~1\spoolsv.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Scbu] "C:\WINDOWS\system32\YMANTE~1\spoolsv.exe" -vt yazb (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115w.bay115.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1154570740090
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by123fd.bay123.hotmail.msn.co...x/HMAtchmt.ocx
O20 - Winlogon Notify: winjcr32 - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 9247 bytes