04-27-2007, 08:01 PM   #4
nikeman
Registered User
 
Join Date: Oct 2006
Posts: 360
OS: Win XP


Re: i got virtumundo

"Robert Wilmoth" - 07-04-27 21:55:58 Service Pack 2
ComboFix 07-04-28.V - Running from: "C:\Documents and Settings\Robert Wilmoth\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\doyqkkaj.dll
C:\WINDOWS\system32\koflxace.dll
C:\WINDOWS\system32\mpdwphmr.dll
C:\WINDOWS\system32\mxjlkomt.dll
C:\WINDOWS\system32\udlnkdbe.dll
C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.bak2
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini2
C:\WINDOWS\system32\stvwa.tmp
C:\WINDOWS\system32\jmllm.bak1
C:\WINDOWS\system32\jmllm.bak2
C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\tmokljxm.ini
C:\WINDOWS\system32\ebdknldu.ini
C:\WINDOWS\system32\iifecdb.dll
C:\WINDOWS\system32\mllmj.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((( Files Created from 2007-03-27 to 2007-04-27 ))))))))))))))))))))))))))))))))))


2007-04-26 01:57 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-26 01:57 90,112 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-04-26 01:57 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-26 01:57 733,824 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-04-26 01:57 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-26 01:57 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-26 01:57 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-26 01:49 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-04-26 01:49 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-04-26 01:48 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-04-26 01:42 <DIR> d-------- C:\Program Files\Alwil Software
2007-04-26 01:01 <DIR> d-------- C:\{00002394-0000-0000-ADE5-5878E49419C8}
2007-04-24 12:01 <DIR> d-------- C:\Program Files\CCleaner
2007-04-24 02:27 <DIR> d-------- C:\WINDOWS\system32\VIRepair
2007-04-21 03:26 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-20 09:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Webroot
2007-04-19 14:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Geek Squad
2007-04-19 13:54 503,808 --a------ C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-19 13:54 <DIR> d-------- C:\WINDOWS\pss
2007-04-13 14:45 <DIR> d-------- C:\Deckard
2007-04-13 14:20 <DIR> d-------- C:\VundoFix Backups
2007-04-11 14:49 620,544 --a------ C:\WINDOWS\system32\stlpmt45.dll
2007-04-11 14:49 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-04-11 14:49 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-04-11 14:49 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-04-11 14:49 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-04-11 14:49 1,497,088 --a------ C:\WINDOWS\system32\cc3260mt.dll
2007-04-11 14:49 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-04-11 14:48 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-04-11 11:43 <DIR> d-------- C:\hijackthis
2007-04-11 02:26 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-04-11 02:26 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\PC Tools
2007-04-11 02:07 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-04-11 02:07 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-11 02:07 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-04-11 02:07 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-04-11 02:07 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-04-11 02:07 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-04-11 02:07 <DIR> d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\PC Tools
2007-04-11 01:09 <DIR> d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\Comodo
2007-04-10 14:08 <DIR> d-------- C:\Program Files\Belkin(2)
2007-04-10 01:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-04-10 01:42 <DIR> d-------- C:\Program Files\Comodo
2007-04-09 01:32 <DIR> d-------- C:\Program Files\VisiWave Site Survey
2007-04-05 14:12 <DIR> d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\Image Zone Express
2007-04-05 14:08 <DIR> d-------- C:\Program Files\Common Files\HP
2007-04-04 14:31 <DIR> d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\Talkback
2007-04-01 18:07 <DIR> d-------- C:\Program Files\Pure Networks
2007-04-01 18:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pure Networks
2007-04-01 02:48 3,919,872 --a------ C:\DOCUME~1\ROBERT~1\ntuser.dat
2007-04-01 02:48 229,376 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-03-31 11:30 <DIR> d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\Apple Computer
2007-03-29 23:46 21,124 --------- C:\WINDOWS\hpomdl07.dat
2007-03-29 23:46 112,886 --a------ C:\WINDOWS\hpoins07.dat
2007-03-29 20:08 <DIR> d-------- C:\Program Files\NETGEAR Print Server
2007-03-29 18:56 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-03-29 11:22 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-03-28 14:50 32,768 --a------ C:\WINDOWS\system32\drivers\nvcoi.dll
2007-03-28 14:50 300,032 --a------ C:\WINDOWS\system32\drivers\idecoi.dll
2007-03-28 14:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Drivers Headquarters
2007-03-28 10:30 <DIR> d-------- C:\Program Files\Common Files\Hypnotizer
2007-03-28 10:29 <DIR> d-------- C:\Program Files\QuickTime
2007-03-28 10:29 <DIR> d-------- C:\Program Files\Apple Software Update
2007-03-28 10:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-03-28 10:24 706,048 --a------ C:\WINDOWS\system32\libmcl-3.1.1.dll
2007-03-28 10:24 3,423,744 --a------ C:\WINDOWS\system32\libfilefmt-1.1.0.dll
2007-03-28 10:24 20,480 --a------ C:\WINDOWS\system32\libavi-dd-1.2.0.dll
2007-03-28 10:19 178,408 --a------ C:\WINDOWS\system32\muweb.dll
2007-03-28 10:19 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-03-28 01:07 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-03-28 01:00 <DIR> d-------- C:\DOCUME~1\ROBERT~1\SecurityScans
2007-03-27 14:48 <DIR> d-------- C:\Program Files\Windows Live Safety Center


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-26 01:50 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-04-24 02:27 -------- d-------- C:\Program Files\limewire
2007-04-24 02:27 -------- d-------- C:\Program Files\azureus
2007-04-24 02:27 -------- d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\azureus
2007-04-24 02:26 -------- d-------- C:\Program Files\gamenow
2007-04-24 01:32 -------- d--h----- C:\Program Files\installshield installation information
2007-04-21 11:50 -------- d-------- C:\Program Files\windows defender
2007-04-20 22:32 -------- d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\dmcache
2007-04-11 01:31 -------- d-------- C:\Program Files\dvdxsoft sound recorder xp
2007-04-11 01:09 -------- d-------- C:\Program Files\Common Files\installshield
2007-04-07 01:02 -------- d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\limewire
2007-04-05 14:08 -------- d-------- C:\Program Files\hp
2007-04-05 14:07 71725 --a------ C:\DOCUME~1\ROBERT~1\APPLIC~1\patchupdate_hp_counterreport_update_hpsu.log
2007-04-05 14:07 2167 --a------ C:\DOCUME~1\ROBERT~1\APPLIC~1\hpsu_48bitscanupdate.log
2007-04-05 14:04 69339 --a------ C:\DOCUME~1\ROBERT~1\APPLIC~1\update_hp_redboxhprblog_hpsu.log
2007-04-05 14:04 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll
2007-03-29 18:55 -------- d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\hp
2007-03-28 14:21 -------- d-------- C:\Program Files\setup files
2007-03-25 19:00 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-03-25 18:11 -------- d-------- C:\Program Files\lavasoft
2007-03-25 18:11 -------- d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\lavasoft
2007-03-25 18:06 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-03-24 19:14 18432 --a------ C:\WINDOWS\ss3unstl.exe
2007-03-24 18:41 -------- d-------- C:\Program Files\pmg
2007-03-21 02:01 -------- d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\styler
2007-03-21 01:58 -------- d-------- C:\Program Files\lclock
2007-03-21 01:58 -------- d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\stardock
2007-03-21 01:22 -------- d-------- C:\Program Files\nero
2007-03-20 13:34 60416 --a------ C:\WINDOWS\alcfdrtm.exe
2007-03-20 13:23 -------- d-------- C:\Program Files\microsoft activesync
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-14 13:16 -------- d-------- C:\DOCUME~1\ROBERT~1\APPLIC~1\real
2007-03-14 13:11 -------- d-------- C:\Program Files\real
2007-03-14 13:11 -------- d-------- C:\Program Files\Common Files\xing shared
2007-03-14 13:11 -------- d-------- C:\Program Files\Common Files\real
2007-03-12 02:44 -------- d-------- C:\Program Files\msi
2007-03-12 02:33 -------- d-------- C:\Program Files\realtek ac97
2007-03-12 02:04 -------- d-------- C:\Program Files\astra32
2007-03-11 15:18 -------- d-------- C:\Program Files\zone.com deluxe games
2007-03-11 14:15 -------- d-------- C:\Program Files\msxml 4.0
2007-03-11 00:00 -------- d-------- C:\Program Files\wildtangent
2007-03-10 18:25 1407 --a------ C:\WINDOWS\mozver.dat
2007-03-10 17:59 -------- d-------- C:\Program Files\siber systems
2007-03-10 17:49 -------- d-------- C:\Program Files\Common Files\hewlett-packard
2007-03-10 17:32 0 --a------ C:\WINDOWS\nsreg.dat
2007-03-10 16:39 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-03-10 16:39 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-03-10 12:31 -------- d-------- C:\Program Files\messenger
2007-03-10 11:55 -------- d-------- C:\Program Files\movie maker
2007-03-10 11:51 -------- d-------- C:\Program Files\microsoft frontpage
2007-03-10 11:50 0 -rahs---- C:\MSDOS.SYS
2007-03-10 11:50 0 -rahs---- C:\IO.SYS
2007-03-10 11:50 0 --a------ C:\CONFIG.SYS
2007-03-10 11:50 0 --a------ C:\AUTOEXEC.BAT
2007-03-10 11:49 -------- d--h----- C:\Program Files\windowsupdate
2007-03-10 11:49 -------- d-------- C:\Program Files\Common Files\mssoap
2007-03-10 11:48 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-03-10 11:47 -------- d-------- C:\Program Files\windows nt
2007-03-10 11:47 -------- d-------- C:\Program Files\online services
2007-03-10 11:47 -------- d-------- C:\Program Files\msn gaming zone
2007-03-10 00:44 -------- d-------- C:\Program Files\Common Files\speechengines
2007-03-10 00:44 -------- d-------- C:\Program Files\Common Files\odbc
2007-03-10 00:43 62 --ahs---- C:\DOCUME~1\ROBERT~1\APPLIC~1\desktop.ini
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
"{724d43a9-0d85-11d4-9908-00400523e39a}"="C:\Program Files\Siber Systems\AI RoboForm\roboform.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"SoundMan"="SOUNDMAN.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"LClock"="C:\\Program Files\\LClock\\LClock.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"RoboForm"="\"C:\\Program Files\\Siber Systems\\AI RoboForm\\RoboTaskBarIcon.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MRI_DISABLED

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bdc893dd-ceb7-11db-b71e-806d6172696f}]


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-27 21:59:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-27 21:59:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-27 21:59



Logfile of HijackThis v1.99.1
Scan saved at 10:01:23 PM, on 4/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Robert Wilmoth\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: (no name) - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O20 - Winlogon Notify: MRI_DISABLED - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: Spyware Doctor Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe