06-28-2008, 08:26 AM   #9
treetopshot
Registered User
 
Join Date: Jun 2008
Posts: 7
OS: XP


Re: trojan.virtumonde - popups

So I followed your instructions to a 'T' and I would like to tell you how much I appreciate all your help. I can now use Google and such, so at first glance things seem to be working a lot better. Below are the requested logs.

Virus Total Results:
Virustotal. MD5: 8737f6f4c8ec1e2a9ea5516f1b3ae1ad
File 002983_.tmp received on 06.18.2008 07:23:49 (CET)
Current status: finished

Result: 0/33 (0.00%)
Antivirus       Version          Last Update   Result
AhnLab-V3       2008.6.18.0      2008.06.17    -
AntiVir         7.8.0.55         2008.06.17    -
Authentium      5.1.0.4          2008.06.18    -
Avast           4.8.1195.0       2008.06.17    -
AVG             7.5.0.516        2008.06.17    -
BitDefender     7.2              2008.06.18    -
CAT-QuickHeal   9.50             2008.06.17    -
ClamAV          0.93.1           2008.06.18    -
DrWeb           4.44.0.09170     2008.06.17    -
eSafe           7.0.15.0         2008.06.17    -
eTrust-Vet      31.6.5881        2008.06.17    -
Ewido           4.0              2008.06.17    -
F-Prot          4.4.4.56         2008.06.18    -
F-Secure        6.70.13260.0     2008.06.18    -
Fortinet        3.14.0.0         2008.06.18    -
GData           2.0.7306.1023    2008.06.18    -
Ikarus          T3.1.1.26.0      2008.06.18    -
Kaspersky       7.0.0.125        2008.06.18    -
McAfee          5319             2008.06.17    -
Microsoft       1.3604           2008.06.18    -
NOD32v2         3195             2008.06.17    -
Norman          5.80.02          2008.06.17    -
Panda           9.0.0.4          2008.06.18    -
Prevx1          V2               2008.06.18    -
Rising          20.49.12.00      2008.06.17    -
Sophos          4.30.0           2008.06.18    -
Sunbelt         3.0.1153.1       2008.06.15    -
Symantec        10               2008.06.18    -

F:\ComboFix.txt results:
ComboFix 08-06-20.4 - Nemesis 2008-06-27 19:42:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.90 [GMT -6:00]
Running from: F:\Documents and Settings\Nemesis\Desktop\ComboFix.exe
Command switches used :: F:\Documents and Settings\Nemesis\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\BMa3a82bcb.xml
F:\WINDOWS\pskt.ini
F:\WINDOWS\system32\fhkUuBeg.ini
F:\WINDOWS\system32\fhkUuBeg.ini2
F:\WINDOWS\system32\henerbtw.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-28 )))))))))))))))))))))))))))))))
.

2008-06-27 19:29 . 2008-06-27 19:29 <DIR> d-------- F:\Program Files\Google
2008-06-27 19:29 . 2008-06-27 19:29 <DIR> d-------- F:\Program Files\First Class Flurry
2008-06-27 19:29 . 2008-06-27 19:29 <DIR> d-------- F:\Documents and Settings\Nemesis\Application Data\PlayFirst
2008-06-27 19:29 . 2008-06-27 19:29 <DIR> d-------- F:\Documents and Settings\Nemesis\Application Data\Ludia
2008-06-27 19:29 . 2008-06-27 19:29 <DIR> d-------- F:\Documents and Settings\Nemesis\Application Data\Earthsim
2008-06-27 19:29 . 2008-06-27 19:29 <DIR> d-------- F:\Deckard
2008-06-27 19:28 . 2008-06-27 19:29 <DIR> d-------- F:\Program Files\Spyware Doctor
2008-06-27 19:28 . 2008-06-27 19:28 <DIR> d-------- F:\Documents and Settings\Nemesis\Application Data\PC Tools
2008-06-27 19:23 . 2008-06-27 19:23 <DIR> d--h----- F:\WINDOWS\$hf_mig$
2008-06-27 19:22 . 2008-06-27 19:28 <DIR> d-------- F:\Program Files\TomTom HOME 2
2008-06-26 20:29 . 2008-06-26 20:29 <DIR> d-------- F:\WINDOWS\$hf_mig$(2)
2008-06-26 17:38 . 2008-06-26 17:38 0 --a------ F:\WINDOWS\nsreg.dat
2008-06-26 17:37 . 2008-06-27 19:22 <DIR> d-------- F:\Program Files\Mozilla Firefox(2)
2008-06-23 08:48 . 2008-06-23 08:48 91,488 --a------ F:\WINDOWS\system32\fktjnsrn.dll
2008-06-22 15:49 . 2008-06-22 15:49 101,728 --a------ F:\WINDOWS\system32\cfgeoifc.dll
2008-06-22 15:47 . 2008-06-22 15:47 90,464 --a------ F:\WINDOWS\system32\ohtwjnhp.dll
2008-06-22 15:47 . 2008-06-22 15:47 84,336 --------- F:\WINDOWS\system32\fepjaiia.dll
2008-06-20 16:18 . 2004-05-14 16:53 462,848 --a------ F:\WINDOWS\system32\ltkrn13n.dll
2008-06-20 16:18 . 2004-05-14 16:53 450,560 --a------ F:\WINDOWS\system32\ltimg13n.dll
2008-06-20 16:18 . 2004-05-14 16:53 401,408 --a------ F:\WINDOWS\system32\lfcmp13n.dll
2008-06-20 16:18 . 2004-05-14 16:53 299,008 --a------ F:\WINDOWS\system32\ltdis13n.dll
2008-06-20 16:18 . 2004-01-12 02:09 206,336 --a------ F:\WINDOWS\system32\ltefx13n.dll
2008-06-20 16:18 . 2004-05-14 16:53 163,840 --a------ F:\WINDOWS\system32\ltfil13n.dll
2008-06-20 16:18 . 2003-11-04 15:10 69,632 --a------ F:\WINDOWS\system32\lfgif13n.dll
2008-06-20 16:18 . 2004-05-14 16:53 57,344 --a------ F:\WINDOWS\system32\lfbmp13n.dll
2008-06-19 19:14 . 2008-06-27 19:31 <DIR> d-------- F:\Documents and Settings\Administrator
2008-06-18 21:35 . 2008-06-18 21:35 <DIR> d-------- F:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-18 20:40 . 2008-06-18 20:40 <DIR> d-------- F:\Program Files\Enigma Software Group
2008-06-17 22:15 . 2008-06-13 05:05 272,128 -----c--- F:\WINDOWS\system32\dllcache\bthport.sys
2008-06-17 22:15 . 2008-05-08 08:02 203,136 -----c--- F:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-15 20:27 . 2007-12-10 13:53 81,288 --a------ F:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-15 20:27 . 2007-12-10 13:53 66,952 --a------ F:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-15 20:27 . 2008-02-01 11:55 42,376 --a------ F:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-15 20:27 . 2007-12-10 13:53 29,576 --a------ F:\WINDOWS\system32\drivers\kcom.sys
2008-06-14 09:35 . 2008-04-13 22:06 144,384 --------- F:\WINDOWS\system32\drivers\hdaudbus.sys
2008-06-14 09:35 . 2008-04-14 00:10 10,240 --------- F:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-06-14 09:33 . 2006-12-29 00:31 19,569 --a------ F:\WINDOWS\003275_.tmp
2008-06-13 06:47 . 2008-06-13 06:47 <DIR> d-------- F:\Program Files\Lavasoft
2008-06-13 06:47 . 2008-06-13 06:48 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-13 06:46 . 2008-06-13 06:46 <DIR> d-------- F:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 19:38 . 2008-06-13 16:16 946 ---hs---- F:\WINDOWS\system32\ybimeeph.ini
2008-06-11 18:05 . 2008-06-11 18:05 0 --a------ F:\WINDOWS\vpc32.INI
2008-06-10 20:39 . 2006-09-18 17:55 109,744 --a------ F:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-10 20:39 . 2006-09-18 17:55 48,816 --a------ F:\WINDOWS\system32\S32EVNT1.DLL
2008-06-10 20:38 . 2008-06-27 19:41 <DIR> d-------- F:\Program Files\Symantec AntiVirus
2008-06-10 20:38 . 2008-06-10 20:39 <DIR> d-------- F:\Program Files\Symantec
2008-06-10 20:38 . 2008-06-27 19:35 <DIR> d-------- F:\Program Files\Common Files\Symantec Shared
2008-06-10 20:38 . 2008-06-10 20:38 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Symantec
2008-06-10 20:37 . 2008-06-10 20:37 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Avg7
2008-06-07 21:01 . 2008-06-07 21:01 <DIR> d-------- F:\Documents and Settings\Nemesis\Application Data\ViquaSoft
2008-05-30 20:16 . 2008-05-30 20:17 <DIR> d-------- F:\WINDOWS\system32\vntiho05
2008-05-30 17:29 . 2008-05-30 17:29 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Ludia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 16:47 --------- d-----w F:\Program Files\Windows Live
2008-06-26 16:47 --------- d-----w F:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-25 04:04 --------- d---a-w F:\Documents and Settings\All Users\Application Data\TEMP
2008-06-19 16:30 --------- d-----w F:\Documents and Settings\All Users\Application Data\PlayFirst
2008-06-19 14:08 --------- d-----w F:\Program Files\Java
2008-06-13 11:05 272,128 ------w F:\WINDOWS\system32\drivers\bthport.sys
2008-05-26 23:42 --------- d-----w F:\Program Files\MSXML 6.0
2008-05-26 23:40 --------- d-----w F:\Program Files\MSXML 4.0
2008-05-23 22:46 --------- d-----w F:\Documents and Settings\Nemesis\Application Data\TomTom
2008-05-23 22:46 --------- d-----w F:\Documents and Settings\All Users\Application Data\TomTom
2008-05-23 22:45 --------- d-----w F:\Program Files\TomTom DesktopSuite
2008-05-16 17:58 12,632 ----a-w F:\WINDOWS\system32\lsdelete.exe
2008-05-08 14:02 203,136 ----a-w F:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w F:\WINDOWS\system32\quartz.dll
2008-05-06 01:45 --------- d-----w F:\Program Files\Realtek AC97
2008-04-29 17:20 15,648 ----a-w F:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 17:19 15,648 ----a-w F:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 17:19 12,960 ----a-w F:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-23 04:16 826,368 ----a-w F:\WINDOWS\system32\wininet.dll
2008-04-14 11:55 1,804 ----a-w F:\WINDOWS\system32\dcache.bin
2008-04-14 11:46 329,728 ----a-w F:\WINDOWS\system32\netsetup.exe
2008-04-14 11:43 92,424 ----a-w F:\WINDOWS\system32\rdpdd.dll
2008-04-14 11:43 87,176 ----a-w F:\WINDOWS\system32\rdpwsx.dll
2008-04-14 11:43 299,520 ----a-w F:\WINDOWS\system32\drmclien.dll
2008-04-14 11:43 12,168 ----a-w F:\WINDOWS\system32\tsddd.dll
2008-04-14 11:41 98,304 ----a-w F:\WINDOWS\system32\actxprxy.dll
2008-04-14 11:40 53,279 ----a-w F:\WINDOWS\system32\odbcji32.dll
2008-04-14 11:40 4,126 ----a-w F:\WINDOWS\system32\msdxmlc.dll
2008-04-14 11:40 3,584 ----a-w F:\WINDOWS\system32\msafd.dll
2008-04-14 08:30 103,424 ----a-w F:\WINDOWS\system32\dpcdll.dll
2008-04-14 07:00 1,845,632 ----a-w F:\WINDOWS\system32\win32k.sys
2008-04-14 06:57 2,188,928 ----a-w F:\WINDOWS\system32\ntoskrnl.exe
2008-04-14 06:15 17,664 ----a-w F:\WINDOWS\system32\watchdog.sys
2008-04-14 06:05 24,064 ----a-w F:\WINDOWS\system32\pidgen.dll
2008-04-14 06:01 7,424 ----a-w F:\WINDOWS\system32\kd1394.dll
2008-04-14 06:01 2,065,792 ----a-w F:\WINDOWS\system32\ntkrnlpa.exe
2008-04-14 06:00 61,440 ----a-w F:\WINDOWS\system32\msvcrt40.dll
2008-04-14 05:45 76,800 ------w F:\WINDOWS\system32\msshavmsg.dll
2008-04-14 05:09 438,784 ------w F:\WINDOWS\system32\xpob2res.dll
2008-04-14 05:09 2,897,920 ------w F:\WINDOWS\system32\xpsp2res.dll
2008-04-14 05:09 187,392 ----a-w F:\WINDOWS\system32\xpsp1res.dll
2008-04-14 05:07 208,384 ----a-w F:\WINDOWS\system32\rsaenh.dll
2008-04-14 05:07 138,752 ----a-w F:\WINDOWS\system32\dssenh.dll
2008-04-14 04:57 79,872 ----a-w F:\WINDOWS\system32\msxml6r.dll
2008-04-14 04:56 94,208 ----a-w F:\WINDOWS\system32\odbcint.dll
2008-04-14 04:56 12,288 ----a-w F:\WINDOWS\system32\odbcp32r.dll
2008-04-14 04:56 12,288 ----a-w F:\WINDOWS\system32\mscpx32r.dll
2008-04-14 04:54 20,480 ----a-w F:\WINDOWS\system32\msorc32r.dll
2008-04-14 04:51 733,696 ----a-w F:\WINDOWS\system32\qedwipes.dll
2008-04-14 04:39 4,096 ------w F:\WINDOWS\system32\dsprpres.dll
2008-04-14 04:33 63,488 ----a-w F:\WINDOWS\system32\browselc.dll
2008-04-14 04:33 549,376 ----a-w F:\WINDOWS\system32\shdoclc.dll
2008-04-14 04:18 1,647,616 ------w F:\WINDOWS\system32\winbrand.dll
2008-04-14 04:15 216,064 ----a-w F:\WINDOWS\system32\moricons.dll
2008-04-14 03:53 48,128 ----a-w F:\WINDOWS\system32\msprivs.dll
2008-04-14 03:52 48,128 ----a-w F:\WINDOWS\system32\inetres.dll
2008-04-14 03:09 884,736 ----a-w F:\WINDOWS\system32\msimsg.dll
2008-04-06 15:57 499,712 ----a-w F:\WINDOWS\system32\msvcp71.dll
2008-04-06 15:57 348,160 ----a-w F:\WINDOWS\system32\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]
"Nero PhotoShow Media Manager"="F:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe" [2006-05-10 13:52 249856]
"TomTomHOME.exe"="F:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 02:42 202088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 F:\WINDOWS\soundman.exe]
"ccApp"="F:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26 52896]
"vptray"="F:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33 125168]
"ISTray"="F:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"BMa3a82bcb"="F:\WINDOWS\system32\fktjnsrn.dll" [2008-06-23 08:48 91488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 05:42 15360]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - F:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqNHASI]
urqNHASI.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"F:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"F:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"F:\\Program Files\\Azureus\\Azureus.exe"=
"F:\\Program Files\\iTunes\\iTunes.exe"=
"F:\\Program Files\\LimeWire\\LimeWire.exe"=
"F:\\Program Files\\Messenger\\msmsgs.exe"=

R2 MSCamSvc;MSCamSvc;"F:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 15:45]
R3 VX1000;VX-1000;F:\WINDOWS\system32\DRIVERS\VX1000.sys [2007-04-10 15:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7cdf09c-2919-11dd-b55e-000fea80d216}]
\Shell\AutoRun\command - C:\InstallTomTomHOME.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - ERASERUTILDRV10741
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 19:43:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-27 19:46:12
ComboFix-quarantined-files.txt 2008-06-28 01:46:08
ComboFix2.txt 2008-06-23 14:51:51

Pre-Run: 119,337,160,704 bytes free
Post-Run: 119,311,953,920 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
F:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

199 --- E O F --- 2008-06-20 04:16:14

Kaspersky report results:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, June 28, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, June 28, 2008 01:37:56
Records in database: 893619
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 42765
Threat name: 4
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 01:33:43


File name / Threat name / Threats count
F:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C300000\4C7F3C30.VBN Infected: Trojan-Downloader.WMA.GetCodec.b 1
F:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C300001\4C7F3CE9.VBN Infected: Trojan-Downloader.WMA.Wimad.n 1
F:\Documents and Settings\Nemesis\Desktop\Alexandria's music\Alexandria's ELA Project\Copy of Hellogoodbye - All of your love.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
F:\Documents and Settings\Nemesis\Desktop\Alexandria's music\Alexandria's ELA Project\Hellogoodbye - All of your love.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
F:\Documents and Settings\Nemesis\Desktop\Alexandria's music\its never too late hedley.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
F:\Documents and Settings\Nemesis\Desktop\Donna Music\its never too late hedley.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
F:\Program Files\Windows Live\Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg 1
F:\Program Files\Windows Live\Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cj 1

The selected area was scanned.

HijackThis log results:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:25 AM, on 28/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Symantec AntiVirus\DefWatch.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Program Files\Microsoft LifeCam\MSCamS32.exe
F:\Program Files\Spyware Doctor\pctsAuxs.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Symantec AntiVirus\Rtvscan.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\PROGRA~1\SYMANT~1\VPTray.exe
F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
F:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
F:\Program Files\TomTom HOME 2\HOMERunner.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
F:\WINDOWS\explorer.exe
F:\Documents and Settings\Nemesis\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ISTray] "F:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] F:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "F:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZUman000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1207279563360
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - F:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - F:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - F:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - F:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7291 bytes


Thanks again,

DC