"Owner" - 2007-05-06 0:32:55 Service Pack 2
ComboFix 07-05.06.1.V - Running from: "C:\Documents and Settings\Owner.notebook\Desktop\"
(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\awtrsst.dll
C:\WINDOWS\system32\evjfiaom.dll
C:\WINDOWS\system32\jgepcvhb.dll
C:\WINDOWS\system32\mljkkkj.dll
C:\WINDOWS\system32\mpcfancr.dll
C:\WINDOWS\system32\qommmmj.dll
C:\WINDOWS\system32\ssqqnmj.dll
C:\WINDOWS\system32\ssqqonk.dll
C:\WINDOWS\system32\ssqqqqn.dll
C:\WINDOWS\system32\ssqronl.dll
C:\WINDOWS\system32\vtuutts.dll
C:\WINDOWS\system32\bhvcpegj.ini
C:\WINDOWS\system32\dgjlm.bak1
C:\WINDOWS\system32\dgjlm.bak2
C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\yayywtu.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\IA\command.exe
C:\WINDOWS\IA\asappsrv.dll
C:\Program Files\outerinfo\Terms.rtf
C:\DOCUME~1\OWNER~1.NOT\Desktop\internet.lnk
C:\Program Files\outerinfo
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\APPLIC~1\SSTEM~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\MYDOCU~1\FNTS~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\MYDOCU~1\FNTS~1\?xplorer.exe
C:\qoobox\purity\C\Program Files\DOBE~1
C:\qoobox\purity\C\Program Files\Common Files\WNSXS~1
C:\qoobox\purity\C\WINDOWS\FNTS~1
((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
((((((((((((((((((((((((((((((( Files Created from 2007-04-06 to 2007-05-06 ))))))))))))))))))))))))))))))))))
2007-05-06 00:38 49,204 --a------ C:\WINDOWS\system32\luyhsser.dll
2007-05-06 00:38 132,660 --a------ C:\WINDOWS\system32\jnhbbfuk.dll
2007-05-05 21:17 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-05-05 21:17 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-05-05 21:17 <DIR> d-------- C:\Program Files\Xvid
2007-05-05 17:31 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-05-05 17:26 <DIR> d-------- C:\Program Files\Serious Magic
2007-05-05 16:44 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-05-05 16:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Macrovision
2007-05-04 00:28 <DIR> d-------- C:\roms
2007-05-03 20:09 <DIR> d-------- C:\Deckard
2007-05-03 20:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-05-03 19:44 60,928 --a------ C:\WINDOWS\system32\rzhjmkud.dll
2007-05-03 19:44 2 --a------ C:\WINDOWS\system32\wnstssv32.exe
2007-05-03 19:44 <DIR> d-------- C:\WINDOWS\system32\àdobe
2007-05-03 18:46 <DIR> d-------- C:\Program Files\IrfanView
2007-05-02 23:53 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-05-02 23:53 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-05-02 23:53 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-05-02 23:53 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-05-02 23:53 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-05-02 23:53 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-05-02 23:53 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-05-02 23:52 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-05-02 23:52 51,328 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-05-02 23:52 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2007-05-02 23:52 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2007-05-02 22:47 76,412 --a------ C:\WINDOWS\system32\jspvkdql.dll
2007-05-02 22:41 86,016 --a------ C:\WINDOWS\system32\jdzsnmj.dll
2007-05-02 22:41 63,488 --a------ C:\WINDOWS\system32\bpqsrdi.dll
2007-05-02 22:06 <DIR> d-------- C:\Program Files\Common Files\çasks
2007-05-02 21:51 <DIR> d-------- C:\WINDOWS\wozu
2007-05-02 21:51 <DIR> d-------- C:\Program Files\Common Files\wozu
2007-05-02 21:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-05-02 21:36 <DIR> d--hs---- C:\WINDOWS\IA
2007-04-30 22:51 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2007-04-30 22:32 <DIR> d-------- C:\Program Files\ABBYY FineReader 4.0 Sprint
2007-04-30 22:30 <DIR> d-------- C:\WINDOWS\Profiles
2007-04-30 22:28 995,383 --a------ C:\WINDOWS\system\MFC42.DLL
2007-04-30 22:28 95,232 --a------ C:\WINDOWS\system\Lfkodak.dll
2007-04-30 22:28 933,888 --a------ C:\WINDOWS\system\MFC40.DLL
2007-04-30 22:28 93,184 --a------ C:\WINDOWS\system\Lftif70n.dll
2007-04-30 22:28 81,946 --a------ C:\WINDOWS\system32\vb5ko.dll
2007-04-30 22:28 81,920 --a------ C:\WINDOWS\system\CAPI2032.DLL
2007-04-30 22:28 81,408 --a------ C:\WINDOWS\system\Ltimg70n.dll
2007-04-30 22:28 76,800 --a------ C:\WINDOWS\system\lffax10N.dll
2007-04-30 22:28 70,656 --a------ C:\WINDOWS\system\MSVCIRT.DLL
2007-04-30 22:28 57,344 --a------ C:\WINDOWS\system\BPEnhan.dll
2007-04-30 22:28 55,808 --a------ C:\WINDOWS\system\Lffax70n.dll
2007-04-30 22:28 55,296 --a------ C:\WINDOWS\system\Ltfil70n.dll
2007-04-30 22:28 53,248 --a------ C:\WINDOWS\system32\A32usd.dll
2007-04-30 22:28 45,056 --a------ C:\WINDOWS\Gtwatch.exe
2007-04-30 22:28 350,208 --a------ C:\WINDOWS\system\Ltkrn70n.dll
2007-04-30 22:28 35,840 --a------ C:\WINDOWS\system\lflma10N.dll
2007-04-30 22:28 35,328 --a------ C:\WINDOWS\system\lttwn10N.dll
2007-04-30 22:28 35,328 --a------ C:\WINDOWS\system\Lffpx70n.dll
2007-04-30 22:28 344,064 --a------ C:\WINDOWS\system\MSVCRT40.DLL
2007-04-30 22:28 34,304 --a------ C:\WINDOWS\system\lfbmp10N.dll
2007-04-30 22:28 33,280 --a------ C:\WINDOWS\system\lfpcx10N.dll
2007-04-30 22:28 32,768 --a------ C:\WINDOWS\system\Lfgif70n.dll
2007-04-30 22:28 31,232 --a------ C:\WINDOWS\system\lflmb10N.dll
2007-04-30 22:28 306,688 --a------ C:\WINDOWS\system\LFFPX7.DLL
2007-04-30 22:28 297,472 --a------ C:\WINDOWS\system\ltkrn10N.dll
2007-04-30 22:28 28,672 --a------ C:\WINDOWS\system\Lflma70n.dll
2007-04-30 22:28 28,160 --a------ C:\WINDOWS\system\lfwmf10N.dll
2007-04-30 22:28 266,752 --a------ C:\WINDOWS\system\Lfcmp10n.dll
2007-04-30 22:28 266,293 --a------ C:\WINDOWS\system\MSVCRT.DLL
2007-04-30 22:28 26,112 --a------ C:\WINDOWS\system\Lfica70n.dll
2007-04-30 22:28 25,600 --a------ C:\WINDOWS\system\Lttwn70n.dll
2007-04-30 22:28 25,088 --a------ C:\WINDOWS\system\Lflmb70n.dll
2007-04-30 22:28 24,576 --a------ C:\WINDOWS\system\Lfpcx70n.dll
2007-04-30 22:28 24,576 --a------ C:\WINDOWS\system\Lfbmp70n.dll
2007-04-30 22:28 24,064 --a------ C:\WINDOWS\system\Lfpct70n.dll
2007-04-30 22:28 24,064 --a------ C:\WINDOWS\system\Lfeps70n.dll
2007-04-30 22:28 228,864 --a------ C:\WINDOWS\system\LTDIS10N.dll
2007-04-30 22:28 224,768 --a------ C:\WINDOWS\system\Lfcmp70n.dll
2007-04-30 22:28 221,696 --a------ C:\WINDOWS\system\ltefx10N.dll
2007-04-30 22:28 22,016 --a------ C:\WINDOWS\system\Lfpsd70n.dll
2007-04-30 22:28 212,480 --a------ C:\WINDOWS\system\Pcdlib32.dll
2007-04-30 22:28 20,992 --a------ C:\WINDOWS\system\Lftga70n.dll
2007-04-30 22:28 20,480 --a------ C:\WINDOWS\system\Lfwpg70n.dll
2007-04-30 22:28 20,480 --a------ C:\WINDOWS\system\LFIMG70N.DLL
2007-04-30 22:28 19,968 --a------ C:\WINDOWS\system\Lfcal70n.dll
2007-04-30 22:28 19,456 --a------ C:\WINDOWS\system\Lfras70n.dll
2007-04-30 22:28 19,456 --a------ C:\WINDOWS\system\Lfpcd70n.dll
2007-04-30 22:28 19,456 --a------ C:\WINDOWS\system\Lfmsp70n.dll
2007-04-30 22:28 18,944 --a------ C:\WINDOWS\system\Lfwfx70n.dll
2007-04-30 22:28 18,944 --a------ C:\WINDOWS\system\Lfmac70n.dll
2007-04-30 22:28 18,120 --a------ C:\WINDOWS\system32\drivers\gt681x.sys
2007-04-30 22:28 176,128 --a------ C:\WINDOWS\system32\PuzzSaver.scr
2007-04-30 22:28 172,032 --a------ C:\WINDOWS\system32\SpotSaver.scr
2007-04-30 22:28 17,920 --a------ C:\WINDOWS\system\Lfavi70n.dll
2007-04-30 22:28 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-04-30 22:28 135,168 --a------ C:\WINDOWS\system32\ParaSaver.scr
2007-04-30 22:28 122,368 --a------ C:\WINDOWS\system\lftif10N.dll
2007-04-30 22:28 111,104 --a------ C:\WINDOWS\system\Lfpng70n.dll
2007-04-30 22:28 109,578 --a------ C:\WINDOWS\system32\Xcdsfx32.bin
2007-04-30 22:28 103,424 --a------ C:\WINDOWS\system\ltfil10N.DLL
2007-04-30 22:28 <DIR> d-------- C:\WINDOWS\Puzzl'Em1.0Beta2
2007-04-30 22:28 <DIR> d-------- C:\WINDOWS\Crush'Em 2.0
2007-04-30 22:28 <DIR> d-------- C:\Program Files\ScanExpress A3 USB
2007-04-30 22:27 <DIR> d-------- C:\Program Files\Temp
2007-04-30 22:18 0 --a------ C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\wklnhst.dat
2007-04-30 22:18 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\Template
2007-04-30 21:28 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\Lavasoft
2007-04-30 21:27 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-30 21:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-30 19:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-30 19:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-30 14:16 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-04-30 02:39 86,528 --a------ C:\WINDOWS\system32\eswyvfl.dll
2007-04-30 02:39 63,488 --a------ C:\WINDOWS\system32\nhiiuxj.dll
2007-04-30 02:39 22,016 --a------ C:\WINDOWS\system32\winbfi32.dll
2007-04-30 02:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-04-30 01:58 <DIR> d-------- C:\Program Files\Bonjour
2007-04-30 01:50 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-04-30 01:29 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2007-04-30 01:29 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys
2007-04-30 01:29 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2007-04-30 01:28 1,156 --a------ C:\WINDOWS\mozver.dat
2007-04-30 01:28 <DIR> d-------- C:\Program Files\Futuremark
2007-04-29 20:48 <DIR> d-------- C:\Program Files\Common Files\Serious Magic
2007-04-29 20:28 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-04-29 20:28 <DIR> d-------- C:\WINDOWS\system32\windows media
2007-04-29 20:27 <DIR> d-------- C:\Program Files\Windows Media Components
2007-04-29 17:31 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-28 12:45 <DIR> d-------- C:\Program Files\BitTorrent
2007-04-28 12:45 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\BitTorrent
2007-04-28 12:39 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-04-28 12:26 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-04-28 01:39 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\Google
2007-04-28 01:38 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\McAfee.com Personal Firewall
2007-04-28 01:37 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\McAfee.com Personal Firewall
2007-04-28 01:33 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-28 01:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-04-27 21:38 2,621,440 --ah----- C:\DOCUME~1\OWNER~1.NOT\NTUSER.DAT
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\WINDOWS
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\You've Got Pictures Screensaver
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\SampleView
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\You've Got Pictures Screensaver
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\SampleView
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-05 22:41:41 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-05 22:38:16 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-04 00:37:11 -------- d-----w C:\Program Files\Common Files\?asks
2007-05-01 04:18:45 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\Template
2007-05-01 04:18:42 0 ----a-w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\wklnhst.dat
2007-05-01 03:28:45 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\Lavasoft
2007-05-01 02:10:42 44,288 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-04-30 20:22:02 -------- d-----w C:\Program Files\WildTangent
2007-04-30 20:21:34 -------- d-----w C:\Program Files\Gateway Games
2007-04-30 20:18:58 -------- d-----w C:\Program Files\Napster
2007-04-30 19:57:23 -------- d-----w C:\Program Files\BigFix
2007-04-30 19:21:29 -------- d-----w C:\Program Files\Pure Networks
2007-04-30 19:18:14 -------- d-----w C:\Program Files\Common Files\AOL
2007-04-30 02:24:42 -------- d-----w C:\Program Files\Google
2007-04-29 23:28:18 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\BitTorrent
2007-04-28 18:26:35 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\Google
2007-04-28 07:37:41 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\McAfee.com Personal Firewall
2007-03-22 02:54:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL
2007-03-22 02:54:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.EXE
2007-03-22 02:54:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.EXE
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-19 11:01:20 252,356 ----a-w C:\WINDOWS\b128.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll"
"{1F2E261C-57B7-B31D-1628-04E59D79828A}"="C:\WINDOWS\system32\bpqsrdi.dll"
"{22D4A607-B97E-2EA8-0CA2-051A936DF118}"="C:\WINDOWS\system32\rnsckan.dll" [x]
"{524C2E36-0F4C-3B6C-799D-091CB79D050C}"="C:\WINDOWS\system32\nhiiuxj.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
"{689FF817-6AF1-1453-AB3B-69E33EE6AFCA}"="C:\WINDOWS\system32\rzhjmkud.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Reminder"=hex(2):25,57,49,4e,44,49,52,25,5c,43,72,65,61,74,6f,72,5c,52,65,6d,\
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d,49,4e,53,54,5c,52,45,43,47,\
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"xfxqeul.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\xfxqeul.dll,zmalub"
@="C:\\WINDOWS\\Gtwatch.exe"
"Gtwatch"="C:\\WINDOWS\\gtwatch.exe"
"SManager"="smanager.7.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"wozu"="C:\\PROGRA~1\\COMMON~1\\wozu\\wozum.exe"
"Ealb"="\"C:\\WINDOWS\\system32\\DOBE~1\\msdtc.exe\" -vt yazb"
"Idufba"="\"C:\\Documents and Settings\\Owner.notebook\\My Documents\\F?nts\\?xplorer.exe\""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AdobeUpdater]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbfi32
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\ISP signup reminder 3.job
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-06 00:41:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 2007-05-06 0:42:33 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-06 00:42
==========================
Logfile of HijackThis v1.99.1
Scan saved at 12:47:03 AM, on 5/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\Gtwatch.exe
C:\WINDOWS\gtwatch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\DOBE~1\msdtc.exe
C:\WINDOWS\twain_32\L3U16\WATCH.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\??mbols\l?gonui.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F2E261C-57B7-B31D-1628-04E59D79828A} - C:\WINDOWS\system32\bpqsrdi.dll
O2 - BHO: (no name) - {22D4A607-B97E-2EA8-0CA2-051A936DF118} - C:\WINDOWS\system32\rnsckan.dll (file missing)
O2 - BHO: (no name) - {3795A24A-67F1-1455-F23B-69E33EE6ADCE} - C:\WINDOWS\system32\ypcos.dll
O2 - BHO: (no name) - {524C2E36-0F4C-3B6C-799D-091CB79D050C} - C:\WINDOWS\system32\nhiiuxj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [xfxqeul.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\xfxqeul.dll,zmalub
O4 - HKLM\..\Run: [] C:\WINDOWS\Gtwatch.exe
O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [wozu] C:\PROGRA~1\COMMON~1\wozu\wozum.exe
O4 - HKCU\..\Run: [Ealb] "C:\WINDOWS\system32\DOBE~1\msdtc.exe" -vt yazb
O4 - HKCU\..\Run: [Idufba] "C:\Documents and Settings\Owner.notebook\My Documents\F?nts\?xplorer.exe"
O4 - HKCU\..\Run: [Xunqxlo] "C:\Program Files\??mbols\l?gonui.exe"
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\L3U16\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: vtuvtts - C:\WINDOWS\SYSTEM32\vtuvtts.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbfi32 - C:\WINDOWS\SYSTEM32\winbfi32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe