Thank you. I deleted the items as instructed, and now here is the log from ComboFix, which will be followed in the next post by the new scan log from HijackThis after doing ComboFix:
ComboFix log:
"Owner" - 2007-05-12 11:27:14 Service Pack 2
ComboFix 07-05.08.3.V - Running from: "C:\Documents and Settings\Owner\Desktop\"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\webhancer\whAgent_update.exe
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\Program Files\Common Files\{3047D~1\Bar888.dll
C:\Program Files\Common Files\{3047D~1\toolbardll.lzma
C:\Program Files\Common Files\{3047D~1\UnInstall.exe
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\wnststr.exe
C:\Program Files\outerinfo
C:\Program Files\webhancer
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
C:\Program Files\Common Files\{3047D~1
C:\Program Files\Common Files\{5047D~2
C:\Program Files\Common Files\{5047D~1
C:\WINDOWS\system32\drivers\core.sys
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\Owner
C:\qoobox\purity\C\DOCUME~1\Owner\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\Owner\APPLIC~1\MCROSO~1
C:\qoobox\purity\C\DOCUME~1\Owner\APPLIC~1\STEM~1
C:\qoobox\purity\C\DOCUME~1\Owner\APPLIC~1\STEM~1\r?ndll32.exe
C:\qoobox\purity\C\Program Files\SCURIT~1
C:\qoobox\purity\C\Program Files\Common Files\MANTEC~1
C:\qoobox\purity\C\Program Files\Common Files\STEM~1
C:\qoobox\purity\C\WINDOWS\system32\SMBOLS~1
((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CMDSERVICE
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\COM+ Messages
-------\core
((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-12 ))))))))))))))))))))))))))))))))))
2007-05-05 13:37 <DIR> d-------- C:\Deckard
2007-05-05 13:09 21,312 --a------ C:\WINDOWS\choice.exe
2007-05-05 13:05 <DIR> d-------- C:\ie-spyad2
2007-05-05 12:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-05-05 12:04 <DIR> d-------- C:\Program Files\InterMute
2007-04-26 09:49 85,504 --------- C:\WINDOWS\system32\evolusbn.dll
2007-04-26 09:49 21,984 --a------ C:\WINDOWS\system32\drivers\evolusb.sys
2007-04-26 09:34 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-04-26 09:34 <DIR> d-------- C:\Program Files\SmartMusic
2007-04-26 09:33 <DIR> d-------- C:\Psfonts
2007-04-26 09:33 <DIR> d-------- C:\Program Files\Finale 2003
2007-04-26 09:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-26 09:32 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-04-26 09:31 <DIR> d-------- C:\Program Files\M-Audio Uno
2007-04-22 11:47 1,829 --a------ C:\WINDOWS\mozver.dat
2007-04-22 11:47 <DIR> d-------- C:\DOCUME~1\PSUNDL~1\APPLIC~1\Snapfish
2007-04-18 10:35 <DIR> d-------- C:\Program Files\iTunes
2007-04-18 10:35 <DIR> d-------- C:\Program Files\iPod
2007-04-18 10:27 <DIR> d-------- C:\DOCUME~1\PSUNDL~1\APPLIC~1\iCloner
2007-04-18 09:49 <DIR> d-------- C:\DOCUME~1\PSUNDL~1\APPLIC~1\CopyTrans
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-12 16:32:28 384 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000003-00000000-00000001-00001102-00000004-20041102}.dat
2007-05-12 16:32:28 384 ----a-w C:\WINDOWS\system32\DVCState-{00000003-00000000-00000001-00001102-00000004-20041102}.dat
2007-05-05 18:20:39 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-05 17:45:05 -------- d-----w C:\Program Files\Common Files\aolshare
2007-04-26 14:32:16 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-18 15:34:28 -------- d-----w C:\Program Files\QuickTime
2007-04-18 15:33:11 -------- d-----w C:\Program Files\Apple Software Update
2007-03-23 03:56:41 2 ----a-w C:\WINDOWS\system32\wnstssv32.exe
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-10 20:02:33 -------- d-----w C:\Program Files\Quicken
2007-03-10 20:02:24 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Intuit
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"="MIDIDEF.EXE"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^acrobat assistant.lnk
C:\PROGRA~1\Adobe\ACROBA~2.0\Distillr\AcroTray.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe gamma loader.exe.lnk
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^america online 9.0 tray icon.lnk
C:\PROGRA~1\AMERIC~1.0\aoltray.exe -check
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^d-link reg utility.lnk
C:\PROGRA~1\DWL-G5~1\Reg.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^dwl-g520m wireless 108g mimo pci adapter utility.lnk
C:\PROGRA~1\DWL-G5~1\AIRPLUS.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^exif launcher.lnk
C:\PROGRA~1\FINEPI~1\QuickDCF.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^pinnacle pctv scheduler.lnk
C:\PROGRA~1\Pinnacle\SHARED~1\Programs\PCLESC~1.EXE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^smartui.lnk
C:\PROGRA~1\Scansoft\PAPERP~1\SmartUI\SmartUI.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atimodechange
Ati2mdxx.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atipta
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bgmonitor_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cjzjyb
C:\WINDOWS\system32\s?mbols\c?rss.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cthelper
CTHELPER.EXE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hostmanager
C:\Program Files\Common Files\AOL\1157917618\ee\AOLSoftware.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\indexsearch
C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iphsend
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipwins
C:\Program Files\Ipwindows\ipwins.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper
"C:\Program Files\iTunes\iTunesHelper.exe"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ltho
"C:\PROGRA~1\COMMON~1\MANTEC~1\mshta.exe" -vt yazb
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mrmq
C:\PROGRA~1\COMMON~1\mrmq\mrmqm.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs
"C:\Program Files\Messenger\MSMSGS.EXE" /background
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nerofiltercheck
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\paperport ptd
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pctvremote
C:\Program Files\Pinnacle\Pinnacle PCTV Deluxe\Remote\Remoterm.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pinnacledrivercheck
C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pronomgr.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task
"C:\Program Files\QuickTime\qttask.exe" -atboottime
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\realtray
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\regshave
C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\remotecontrol
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setdefprt
C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\storageguard
"C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunjavaupdatesched
"C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{5047de6a-0c77-1033-0421-040305220001}
"C:\Program Files\Common Files\{5047DE6A-0C77-1033-0421-040305220001}\Update.exe" te-110-12-0000245
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{5047de6a-0c78-1033-0421-040305220001}
"C:\Program Files\Common Files\{5047DE6A-0C78-1033-0421-040305220001}\Update.exe" te-110-12-0000245
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-05-12 11:44:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 2007-05-12 11:44:52 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-12 11:44