Combofix log
ComboFix 08-01-23.2 - Kizlan 2008-01-25 4:08:24.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.654 [GMT -6:00]
Running from: C:\Documents and Settings\Kizlan\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.
2008-01-25 04:19 . 2008-01-25 04:19 <DIR> d-------- C:\Temp\tn3
2008-01-23 20:08 . 2008-01-23 20:08 <DIR> d-------- C:\Program Files\Java
2008-01-23 20:08 . 2008-01-23 20:08 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-23 20:08 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-20 13:23 . 2008-01-20 13:23 <DIR> d-------- C:\Deckard
2008-01-14 12:42 . 2008-01-25 04:22 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-13 15:58 . 2008-01-15 18:56 4,566 --a------ C:\WINDOWS\imsins.BAK
2008-01-13 15:55 . 2007-07-09 07:16 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-12 14:28 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 12:15 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-12 11:06 . 2008-01-14 13:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-11 22:55 . 2008-01-11 22:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-11 20:13 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-11 20:07 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\keurhjbavoio.sys
2008-01-11 19:52 . 2008-01-11 22:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-11 19:52 . 2008-01-11 19:52 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-11 19:52 . 2008-01-11 19:52 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-11 19:52 . 2008-01-11 19:52 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-11 15:49 . 2008-01-11 15:51 495,616 --a------ C:\WINDOWS\system32\hphmon05 .exe
2008-01-11 10:30 . 2008-01-11 10:30 86,016 --a------ C:\WINDOWS\system32\drivers\avg7coree.sys
2007-12-30 02:13 . 2007-12-30 02:13 <DIR> d-------- C:\Program Files\Rosetta Stone
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 02:35 --------- d-----w C:\Program Files\GetRight
2008-01-12 17:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-12 04:07 --------- d-----w C:\Program Files\MagicISO
2008-01-12 03:55 --------- d-----w C:\Program Files\7-Zip
2007-12-30 08:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-13 17:25 --------- d-----w C:\Program Files\WoW UI Designer
2007-12-13 03:42 1,208 ----a-w C:\drmHeader.bin
2007-12-08 21:47 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-08 21:47 249,856 ------w C:\WINDOWS\Setup1.exe
2007-12-08 21:47 --------- d-----w C:\Program Files\Hero Editor
2005-10-11 11:12 251 ----a-w C:\Program Files\wt3d.ini
2001-10-20 06:23 135,168 ----a-w C:\Program Files\POREdit_1_9.exe
.
----a-w 495,616 2008-01-11 21:51:59 C:\WINDOWS\system32\hphmon05 .exe
----a-w 176,128 2008-01-11 21:51:58 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09 .exe
((((((((((((((((((((((((((((( snapshot_2008-01-14_12.28.16.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-12 20:28:22 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-25 10:07:57 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-12 20:28:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-25 10:07:57 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-12 20:28:22 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-25 10:07:57 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-12 20:28:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-25 10:07:57 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-12 20:28:22 14,213,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-25 10:07:58 14,422,016 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-12 20:28:23 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-25 10:07:58 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2006-11-08 03:01:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
+ 2007-08-14 00:52:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
- 2006-11-07 09:26:44 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
+ 2007-08-14 00:39:20 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
- 2008-01-10 23:51:09 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
+ 2008-01-21 05:57:14 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
- 2006-11-07 09:26:44 71,680 ------w C:\WINDOWS\system32\dllcache\admparse.dll
+ 2007-08-14 00:39:20 71,680 ----a-w C:\WINDOWS\system32\dllcache\admparse.dll
- 2006-11-08 03:03:36 33,792 ----a-w C:\WINDOWS\system32\dllcache\custsat.dll
+ 2007-08-14 00:54:10 33,792 ----a-w C:\WINDOWS\system32\dllcache\custsat.dll
- 2006-10-17 17:58:06 346,624 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2007-08-14 00:35:46 346,624 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2006-10-17 17:44:36 60,416 ------w C:\WINDOWS\system32\dllcache\hmmapi.dll
+ 2007-08-14 00:18:02 60,416 ----a-w C:\WINDOWS\system32\dllcache\hmmapi.dll
- 2006-10-17 18:04:50 69,120 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2007-08-14 00:44:02 69,120 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2006-10-17 18:00:00 78,336 ------w C:\WINDOWS\system32\dllcache\ieencode.dll
+ 2007-08-14 00:45:18 78,336 ----a-w C:\WINDOWS\system32\dllcache\ieencode.dll
- 2006-11-08 03:03:36 191,488 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2007-08-14 00:54:10 191,488 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2006-11-07 09:26:42 55,296 ------w C:\WINDOWS\system32\dllcache\iesetup.dll
+ 2007-08-14 00:39:12 55,296 ----a-w C:\WINDOWS\system32\dllcache\iesetup.dll
- 2006-10-17 17:57:58 36,352 ------w C:\WINDOWS\system32\dllcache\imgutil.dll
+ 2007-08-14 00:36:06 36,352 ----a-w C:\WINDOWS\system32\dllcache\imgutil.dll
- 2006-11-07 09:26:24 92,672 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2007-08-14 00:39:02 92,672 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2006-10-17 18:00:00 491,520 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2007-08-14 00:38:04 491,520 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2006-10-17 18:05:10 40,960 ------w C:\WINDOWS\system32\dllcache\licmgr10.dll
+ 2007-08-14 00:44:18 40,960 ----a-w C:\WINDOWS\system32\dllcache\licmgr10.dll
- 2006-10-17 17:56:10 45,568 ------w C:\WINDOWS\system32\dllcache\mshta.exe
+ 2007-08-14 00:32:30 45,568 ----a-w C:\WINDOWS\system32\dllcache\mshta.exe
- 2006-10-17 17:28:56 48,128 ------w C:\WINDOWS\system32\dllcache\mshtmler.dll
+ 2007-08-14 00:01:12 48,128 ----a-w C:\WINDOWS\system32\dllcache\mshtmler.dll
- 2006-11-08 03:03:36 156,160 ------w C:\WINDOWS\system32\dllcache\msls31.dll
+ 2007-08-14 00:54:10 156,160 ----a-w C:\WINDOWS\system32\dllcache\msls31.dll
- 2006-10-17 17:58:08 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2007-08-14 00:36:12 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2006-11-08 03:03:36 413,696 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
+ 2007-08-14 00:54:10 413,696 ----a-w C:\WINDOWS\system32\dllcache\vbscript.dll
- 2006-10-17 17:58:06 346,624 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2007-08-14 00:35:46 346,624 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2006-10-17 18:00:00 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
+ 2007-08-14 00:45:18 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
- 2006-11-08 03:03:36 191,488 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2007-08-14 00:54:10 191,488 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2006-11-07 09:26:42 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
+ 2007-08-14 00:39:12 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
- 2006-11-08 03:03:36 180,736 ------w C:\WINDOWS\system32\ieui.dll
+ 2007-08-14 00:54:10 180,736 ----a-w C:\WINDOWS\system32\ieui.dll
- 2006-10-17 17:57:58 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
+ 2007-08-14 00:36:06 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
- 2006-11-07 09:26:24 92,672 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2007-08-14 00:39:02 92,672 ----a-w C:\WINDOWS\system32\inseng.dll
- 2003-11-19 21:36:26 24,681 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-12-14 06:57:22 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2003-11-19 21:36:30 28,779 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-12-14 06:57:24 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-12-14 07:59:16 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2006-10-17 18:00:00 491,520 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2007-08-14 00:38:04 491,520 ----a-w C:\WINDOWS\system32\jscript.dll
- 2006-10-17 18:05:10 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
+ 2007-08-14 00:44:18 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
- 2006-10-17 17:58:32 12,288 ------w C:\WINDOWS\system32\msfeedssync.exe
+ 2007-08-14 00:36:40 12,288 ----a-w C:\WINDOWS\system32\msfeedssync.exe
- 2006-10-17 17:56:10 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
+ 2007-08-14 00:32:30 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
- 2006-10-17 17:28:56 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
+ 2007-08-14 00:01:12 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
- 2006-11-08 03:03:36 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
+ 2007-08-14 00:54:10 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
- 2008-01-14 09:03:10 63,860 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-24 02:37:24 63,860 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-14 09:03:10 405,310 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-24 02:37:24 405,310 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2006-10-17 17:58:08 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2007-08-14 00:36:12 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2006-11-08 03:03:36 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2007-08-14 00:54:10 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
- 2006-10-17 18:05:58 206,336 ------w C:\WINDOWS\system32\WinFXDocObj.exe
+ 2007-08-14 00:45:16 206,336 ----a-w C:\WINDOWS\system32\WinFXDocObj.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-11 16:45 204288]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-11 16:45 90112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 339968 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-01-11 16:45 139264]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 12:56 64512]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 02:11 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PlexTools Professional.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Plextor!\PlexTools Professional.lnk
backup=C:\WINDOWS\pss\PlexTools Professional.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2008-01-11 16:45 152872 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2005-05-19 07:47 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-11-17 05:53 171464 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 16:05 81920 C:\Program Files\D-Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 15:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\system32\hphmon05.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-09-14 07:50 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetscapeClient]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a------ 2004-11-11 09:26 26112 C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2005-05-31 00:04 1415824 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2008-01-11 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
R1 avg7coree;avg7coree;C:\WINDOWS\system32\drivers\avg7coree.sys [2008-01-11 10:30]
R3 SetupSys;Conexant Setup API;C:\WINDOWS\system32\drivers\SetupSys.sys [2001-01-09 08:58]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
S3 SWMX00;Sierra Wireless USB MUX Driver (#00);C:\WINDOWS\system32\DRIVERS\swmx00.sys []
S3 SWNC5E00;Sierra Wireless MUX NDIS Driver (#00);C:\WINDOWS\system32\DRIVERS\SWNC5E00.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba2eef52-2005-11db-ab27-00038a000015}]
\Shell\AutoRun\command - G:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2006-06-12 14:30:00 C:\WINDOWS\Tasks\abc.job"
- C:\Program Files\ABC\abc.exe
"2008-01-25 06:54:02 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-01-25 04:23:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Hijackthis log--
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:41, on 2008-01-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Kizlan\Desktop\Kizlan.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone:
http://forums.worldofwarcraft.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://www.update.microsoft.com/wind...?1200089204515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 7190 bytes