10-16-2007, 07:20 AM   #3
Mrshudson9
Registered User
 
Join Date: Oct 2004
Posts: 8
OS: Win2000


Re: Trojans, popups galore--response time awful

Here are the logs. Took a very long time.

Received error a few times: "sed.cfexe has encountered a problem and needs to close."

Combofix

ComboFix 07-10-15.1 - Administrator 2007-10-15 22:21:07.3 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\Administrator\desktop\combofix.exe
Command switches used :: /killall
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\xxwxv.dll
.
---- Previous Run -------
.
C:\Documents and Settings\Administrator\Application Data\install.dat
C:\Documents and Settings\Administrator\Application Data\install.dat
C:\Documents and Settings\Administrator\Application Data\install.dat
C:\Documents and Settings\Administrator\Application Data\install.dat
C:\Documents and Settings\Administrator\Application Data\WinAntiSpyware 2006
C:\Documents and Settings\Administrator\Application Data\WinAntiSpyware 2006\Logs\update.log
C:\Documents and Settings\Administrator\Application Data\WinAntiSpyware 2006\Logs\update.log
C:\Documents and Settings\Administrator\Application Data\WinAntiSpyware 2006\Logs\update.log
C:\Documents and Settings\Administrator\Application Data\WinAntiSpyware 2006\Logs\update.log
C:\Documents and Settings\Administrator\Application Data\WinTouch
C:\Documents and Settings\Administrator\Application Data\WinTouch\config.cfg.2b82ea157a79b6c683e63636c56949c8
C:\Documents and Settings\Administrator\Application Data\WinTouch\config.cfg.2b82ea157a79b6c683e63636c56949c8
C:\Documents and Settings\Administrator\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Administrator\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Administrator\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Administrator\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Administrator\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\Administrator\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\Administrator\Desktop\internet.lnk
C:\Documents and Settings\Administrator\Desktop\internet.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\TA_Start.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ta_start.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\TA_Start.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ta_start.lnk
C:\Program Files\Common Files\kuri
C:\Program Files\Common Files\kuri\kuria.lck
C:\Program Files\Common Files\kuri\kurid\class-barrel
C:\Program Files\Common Files\kuri\kurid\kuric.dll
C:\Program Files\Common Files\kuri\kurih
C:\Program Files\Common Files\kuri\kuril.lck
C:\Program Files\Common Files\kuri\kurim.exe
C:\Program Files\Common Files\kuri\kurim.lck
C:\Program Files\Insider
C:\Program Files\Insider\Insider.exe
C:\Program Files\Temporary
C:\Program Files\WinAble
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1165531313.old
C:\Program Files\WinBudget\bin\crap.1166027910.old
C:\Program Files\WinBudget\bin\crap.1166123077.old
C:\Program Files\WinBudget\bin\crap.1166537617.old
C:\Program Files\WinBudget\bin\crap.1166873098.old
C:\Program Files\WinBudget\bin\crap.1167150496.old
C:\Program Files\WinBudget\bin\crap.1167373093.old
C:\Program Files\WinBudget\bin\crap.1167750079.old
C:\Program Files\WinBudget\bin\crap.1168009318.old
C:\Program Files\WinBudget\bin\crap.1168255314.old
C:\Program Files\WinBudget\bin\crap.1169127126.old
C:\Program Files\WinBudget\bin\matrix.dll.1166027910.old
C:\Program Files\WinBudget\bin\matrix.dll.1166123077.old
C:\Program Files\WinBudget\bin\matrix.dll.1166537617.old
C:\Program Files\WinBudget\bin\matrix.dll.1166873097.old
C:\Program Files\WinBudget\bin\matrix.dll.1167150495.old
C:\Program Files\WinBudget\bin\matrix.dll.1167373093.old
C:\Program Files\WinBudget\bin\matrix.dll.1167750078.old
C:\Program Files\WinBudget\bin\matrix.dll.1168009317.old
C:\Program Files\WinBudget\bin\matrix.dll.1168255313.old
C:\Program Files\WinBudget\bin\matrix.dll.1169127125.old
C:\Program Files\WinBudget\bin\matrix.dll.1190154258.old
C:\Program Files\Words
C:\Program Files\Words\list.txt
C:\Program Files\Words\script.txt
C:\Program Files\Words\UnInstall.exe
C:\Program Files\Words\Words.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINNT\cookies.ini
C:\WINNT\IA
C:\WINNT\IA\asappsrv.dll
C:\WINNT\IA\command.exe
C:\WINNT\IA\KE.vbs
C:\WINNT\kuri
C:\WINNT\kuri\kuri.dat
C:\WINNT\kuri\wu
C:\WINNT\sks~1
C:\WINNT\system32\adymwcri.exe
C:\WINNT\system32\aripsseu.exe
C:\WINNT\system32\atmtd.dll
C:\WINNT\system32\atmtd.dll._
C:\WINNT\system32\blwfptje.dll
C:\WINNT\system32\configs
C:\WINNT\system32\ctailsbv.dll
C:\WINNT\system32\danaxemf.exe
C:\WINNT\system32\dpysfjxx.ini
C:\WINNT\system32\dqbtctki.dll
C:\WINNT\system32\driver
C:\WINNT\system32\dsvcqylv.ini
C:\WINNT\system32\dvnlvlpc.exe
C:\WINNT\system32\ejtpfwlb.ini
C:\WINNT\system32\eluofjec.exe
C:\WINNT\system32\f02WtR
C:\WINNT\system32\fdonvofr.exe
C:\WINNT\system32\fggufqjl.exe
C:\WINNT\system32\fiiecuho.exe
C:\WINNT\system32\fryqcvbm.dll
C:\WINNT\system32\gowrlisl.exe
C:\WINNT\system32\hlnlmcnp.exe
C:\WINNT\system32\hreplxfe.dll
C:\WINNT\system32\htjkowmv.exe
C:\WINNT\system32\htvsrwjr.dll
C:\WINNT\system32\iktctbqd.ini
C:\WINNT\system32\iuqivssy.exe
C:\WINNT\system32\iuywkkeq.ini
C:\WINNT\system32\jhysfwdr.ini
C:\WINNT\system32\kwinnmdt.exe
C:\WINNT\system32\llbvpfxv.ini
C:\WINNT\system32\mbvcqyrf.ini
C:\WINNT\system32\nnhsgpfp.exe
C:\WINNT\system32\oenksekp.exe
C:\WINNT\system32\ooyrehbe.exe
C:\WINNT\system32\pwvewulu.ini
C:\WINNT\system32\qekkwyui.dll
C:\WINNT\system32\rdwfsyhj.dll
C:\WINNT\system32\rjqpxxbw.ini
C:\WINNT\system32\rjwrsvth.ini
C:\WINNT\system32\ulrpmjdo.exe
C:\WINNT\system32\uluwevwp.dll
C:\WINNT\system32\ummnnkbd.exe
C:\WINNT\system32\unhtglxm.exe
C:\WINNT\system32\usahqrav.dll
C:\WINNT\system32\vbsliatc.ini
C:\WINNT\system32\vlyqcvsd.dll
C:\WINNT\system32\vxfpvbll.dll
C:\WINNT\system32\vxwxx.bak1
C:\WINNT\system32\vxwxx.bak1
C:\WINNT\system32\vxwxx.bak1
C:\WINNT\system32\vxwxx.bak2
C:\WINNT\system32\vxwxx.bak2
C:\WINNT\system32\vxwxx.bak2
C:\WINNT\system32\vxwxx.ini
C:\WINNT\system32\vxwxx.ini
C:\WINNT\system32\vxwxx.ini
C:\WINNT\system32\vxwxx.ini2
C:\WINNT\system32\vxwxx.ini2
C:\WINNT\system32\vxwxx.ini2
C:\WINNT\system32\vxwxx.ini2
C:\WINNT\system32\vxwxx.ini2
C:\WINNT\system32\vxwxx.tmp
C:\WINNT\system32\vxwxx.tmp
C:\WINNT\system32\vxwxx.tmp
C:\WINNT\system32\wbxxpqjr.dll
C:\WINNT\system32\xxjfsypd.dll
C:\WINNT\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.


-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\DomainService




((((((((((((((((((((((((( Files Created from 2007-09-16 to 2007-10-16 )))))))))))))))))))))))))))))))
.

2007-10-15 20:57 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-11 20:34 <DIR> d-------- C:\Deckard
2007-10-11 20:27 <DIR> d-------- C:\Program Files\HijackThis--by Becky
2007-10-11 20:19 <DIR> d-------- C:\WINNT\LastGood
2007-10-11 00:41 313,856 --a------ C:\WINNT\system32\dx3j.dll
2007-10-11 00:41 171,280 --a------ C:\WINNT\system32\jit.dll
2007-10-11 00:41 139,536 --a------ C:\WINNT\system32\javaee.dll
2007-10-11 00:41 46,352 --a------ C:\WINNT\setdebug.exe
2007-10-11 00:41 6,550 --a------ C:\WINNT\jautoexp.dat
2007-10-11 00:41 113 --a------ C:\WINNT\system32\zonedon.reg
2007-10-11 00:41 113 --a------ C:\WINNT\system32\zonedoff.reg
2007-10-11 00:19 991,232 --a------ C:\WINNT\system32\esent.dll
2007-10-11 00:04 <DIR> d-------- C:\WINNT\LastGood.Tmp
2007-10-10 23:47 <DIR> d-------- C:\ie-spyad_zo
2007-10-10 23:40 <DIR> d-------- C:\Program Files\IE-Spyad by Becky
2007-10-10 23:24 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-10 23:24 118,784 --a------ C:\WINNT\system32\MSSTDFMT.DLL
2007-10-09 23:49 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-10-09 20:46 <DIR> d--h----- C:\WINNT\$hf_mig$
2007-10-09 20:46 22,752 --a------ C:\WINNT\system32\spupdsvc.exe
2007-10-09 20:43 <DIR> d-------- C:\WINNT\system32\bits
2007-10-09 20:42 361,984 --a------ C:\WINNT\system32\dllcache\qmgr.dll
2007-10-09 20:42 331,776 --a------ C:\WINNT\system32\winhttp.dll
2007-10-09 20:42 331,776 --a------ C:\WINNT\system32\dllcache\winhttp.dll
2007-10-09 20:42 17,408 --a------ C:\WINNT\system32\qmgrprxy.dll
2007-10-09 20:42 17,408 --a------ C:\WINNT\system32\dllcache\qmgrprxy.dll
2007-10-09 20:42 7,680 --------- C:\WINNT\system32\dllcache\bitsprx2.dll
2007-10-09 20:42 7,680 --a------ C:\WINNT\system32\bitsprx2.dll
2007-10-09 20:42 7,168 --------- C:\WINNT\system32\dllcache\bitsprx3.dll
2007-10-09 20:42 7,168 --a------ C:\WINNT\system32\bitsprx3.dll
2007-10-09 20:36 549,720 --a------ C:\WINNT\system32\wuapi.dll
2007-10-09 20:36 325,976 --a------ C:\WINNT\system32\wucltui.dll
2007-10-09 20:36 43,352 --a------ C:\WINNT\system32\wups2.dll
2007-10-09 20:36 33,624 --a------ C:\WINNT\system32\wups.dll
2007-10-06 15:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-10-06 15:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-10-06 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-10 11:58 --------- d-----w C:\Program Files\QuickTime
2007-10-10 11:55 --------- d-----w C:\Program Files\Norton AntiVirus
2007-10-10 11:54 --------- d-----w C:\Program Files\iTunes
2007-10-10 11:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-10 11:49 --------- d-----w C:\Program Files\AIM
2007-10-10 04:01 --------- d-----w C:\Program Files\FilmLoop Player
2007-10-10 01:09 --------- d-----w C:\Program Files\Viewpoint
2007-10-10 01:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-28 17:55 --------- d-----w C:\Program Files\Full Tilt Poker
2002-11-01 1938 32 --sha-w C:\WINNT\{7C9C949C-F6AC-4CBA-941B-D3251B92CECE}.dat
2002-11-01 1938 32 --sha-w C:\WINNT\system32\{C1248350-C897-4F83-9123-E8EDC393A253}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 15:45]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINNT\System32\LgNotify.dll 2003-02-28 17:01 110592 C:\WINNT\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
"C:\Program Files\Gateway Utilities\GWInkMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
GWMDMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

R3 GTWModem;GTW Modem;C:\WINNT\System32\DRIVERS\GWMDM.sys
R3 Intel_MIPMNMP;Intel Adapter Switching Driver;C:\WINNT\System32\DRIVERS\mipmnxp.sys
R3 w70n51;Intel(R) PRO/Wireless 7100 Adapter Driver;C:\WINNT\System32\DRIVERS\w70n51.sys
S3 allegro;ESS Allegro Audio Driver (WDM);C:\WINNT\System32\drivers\es198x.sys
S3 wlluc48;Wireless LAN PC Card Driver;C:\WINNT\System32\DRIVERS\wlluc48.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-10 01:29:47 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
"2003-10-09 22:07:52 C:\WINNT\Tasks\ISP signup reminder 2.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2003-10-09 22:07:53 C:\WINNT\Tasks\ISP signup reminder 3.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2003-10-10 02:39:52 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-16 09:02:23
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-16 9:04:17 - machine was rebooted
.
--- E O F ---



HijackThis

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:16:16 AM, on 10/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ICEOWS\ViewUpd\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework...ex/TmHcmsX.CAB
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/tes...enXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191976536220
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://www.free-computer-wallpapers.com/beach.5.jpg

--
End of file - 6947 bytes