Greetings, TheBruce
I have done as requested. During the ComboFix run it seemed to repeatedly try to install my MYOB accounting package... I could do nothing but hit the cancel button. Thus there were mouse clicks during the ComboFix scan.
The two files, Java and TVAnts, appeared to be deleted without fuss.
I also needed to cold boot the machine, as at the end nothing appeared on my machine except the Windows wallpaper.
The logs as requested follow:
ComboFix 07-12-02.7 - SHS 2007-12-04 9:56:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1520 [GMT 11:00]
Running from: C:\Documents and Settings\SHS\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\beqomain.dll
C:\WINDOWS\system32\damfopyy.ini
C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\khfccyy.dll
C:\WINDOWS\system32\nwkvgvxs.ini
C:\WINDOWS\system32\rgwmgpsq.exe
C:\WINDOWS\system32\sxvgvkwn.dll
C:\WINDOWS\system32\tpdqxbix.dll
C:\WINDOWS\system32\uflcgjjd.dll
C:\WINDOWS\system32\yyadd.ini
C:\WINDOWS\system32\yyadd.ini2
C:\WINDOWS\system32\yypofmad.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-11-03 to 2007-12-03 )))))))))))))))))))))))))))))))
.
2007-12-04 08:46 . 2007-12-04 08:46 <DIR> d-------- C:\Deckard
2007-12-03 20:34 . 2007-12-03 20:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-03 20:34 . 2007-12-03 20:34 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-03 13:20 . 2007-12-03 13:20 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-03 13:20 . 2007-12-03 13:38 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-03 13:20 . 2007-12-03 13:38 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-03 13:20 . 2007-12-03 13:38 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-01 16:17 . 2007-12-01 16:17 <DIR> d-------- C:\VundoFix Backups
2007-12-01 15:22 . 2007-12-01 15:22 <DIR> d-------- C:\Documents and Settings\SHS\Application Data\Grisoft
2007-12-01 15:22 . 2007-12-01 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-01 15:22 . 2007-05-30 23:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-01 15:10 . 2007-12-01 15:10 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-01 14:06 . 2007-12-01 14:21 <DIR> d-------- C:\Documents and Settings\SHS\.housecall6.6
2007-12-01 14:06 . 2007-12-01 14:06 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-29 19:25 . 2007-11-29 19:25 <DIR> d-------- C:\Documents and Settings\SHS\Application Data\DivX
2007-11-29 19:09 . 2007-11-29 19:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2007-11-29 19:08 . 2007-11-29 19:08 <DIR> d-------- C:\Program Files\Bonjour
2007-11-29 18:43 . 2007-11-29 18:44 <DIR> d-------- C:\Program Files\MagicISO
2007-11-29 17:37 . 2007-11-29 17:37 <DIR> d-------- C:\Program Files\PowerISO
2007-11-29 17:24 . 2007-11-29 17:24 <DIR> d-------- C:\Program Files\DivX
2007-11-27 19:25 . 2007-11-27 19:25 <DIR> d-------- C:\Program Files\eBay
2007-11-27 19:25 . 2007-11-27 19:25 <DIR> d-------- C:\Documents and Settings\All Users\eBay
2007-11-25 17:10 . 2007-11-25 17:33 <DIR> d-------- C:\Documents and Settings\SHS\Application Data\FileZilla
2007-11-25 17:09 . 2007-11-25 17:09 <DIR> d-------- C:\Program Files\FileZilla Client
2007-11-24 16:36 . 2007-11-24 16:36 <DIR> d-------- C:\Program Files\Easy Thumbnails
2007-11-24 16:36 . 2007-11-24 16:56 <DIR> d-------- C:\Documents and Settings\SHS\Application Data\Easy Thumbnails
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 23:01 --------- d-----w C:\Documents and Settings\SHS\Application Data\Free Download Manager
2007-12-01 05:22 --------- d-----w C:\Program Files\Free Download Manager
2007-11-29 08:08 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-27 08:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-25 09:22 --------- d-----w C:\Documents and Settings\SHS\Application Data\gtk-2.0
2007-11-23 04:07 --------- d-----w C:\Program Files\Powerbullet
2007-11-23 03:55 14,317 ----a-w C:\Program Files\Shower Therm Front 28c (211 x 451).jpg
2007-10-31 10:09 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-30 10:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-29 11:44 --------- d-----w C:\Program Files\7-Zip
2007-10-25 15:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-25 15:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-25 15:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-25 15:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-25 14:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-21 23:02 --------- d-----w C:\Program Files\Java
2007-10-21 22:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-10-09 00:48 --------- d-----w C:\Program Files\Yahoo!
2007-10-07 06:49 --------- d-----w C:\Program Files\MSXML 6.0
2007-10-06 09:52 --------- d-----w C:\Program Files\Inkscape
2007-10-06 09:50 --------- d-----w C:\Documents and Settings\SHS\Application Data\Bullzip
2007-10-06 09:49 --------- d-----w C:\Program Files\Bullzip
2007-10-06 09:48 --------- d-----w C:\Program Files\gs
2007-10-06 09:44 --------- d-----w C:\Program Files\Acro Software
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2007-09-01 00:13]
"Free Upload Manager"="C:\Program Files\Free Download Manager\fum\fum.exe" [2007-07-29 21:13]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 16:55]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 16:52]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 16:55]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 20:21 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 21:04 C:\WINDOWS\SkyTel.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-26 01:20]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 07:24]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 11:05]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 20:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-08-03 12:10:00]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
.
Contents of the 'Scheduled Tasks' folder
"2007-09-23 23:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-12-04 10:01:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-04 10:02:16 - machine was rebooted
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:24 AM, on 4/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Free Download Manager\fum\fum.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [Free Upload Manager] "C:\Program Files\Free Download Manager\fum\fum.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1188817036593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188817027671
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
--
End of file - 7742 bytes
Thanks for the support and super turnaround time!!
wildkingcobra