06-30-2007, 05:04 PM   #5
alex___h
Registered User
 
Join Date: Jun 2007
Posts: 7
OS: XP


Re: please help - infected machines #1

Well, here they are:

1. Fresh Hijackthis log taken just before replying

Logfile of HijackThis v1.99.1
Scan saved at 01:57:52, on 01/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.il/
R3 - URLSearchHook: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMult.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMult.dll
O3 - Toolbar: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMult.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [dedgrqbe.exe] C:\Documents and Settings\All Users\Application Data\dedgrqbe.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155649420288
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


2. Online scan from Kaspersky

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, July 01, 2007 1:56:03 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 1/07/2007
Kaspersky Anti-Virus database records: 356048
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
G:\

Scan Statistics:
Total number of scanned objects: 44424
Number of viruses found: 15
Number of infected objects: 47 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:44:27

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\user\LOCALS~1\Temp\97625.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Deckard\System Scanner\backup\DOCUME~1\user\LOCALS~1\Temp\NeroDemo12547\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Deckard\System Scanner\backup\DOCUME~1\user\LOCALS~1\Temp\wnd2AA.tmp Infected: Trojan.Win32.Dialer.qn skipped
C:\Deckard\System Scanner\backup\DOCUME~1\user\LOCALS~1\Temp\wnd2C7.tmp Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09580000.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09580001.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09580002.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09580003.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A740000.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AAC0000.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AAC0001.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AAC0002.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AAC0003.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AAC0004.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ACC0000.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B180000.VBN Infected: Trojan.Win32.Inject.br skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B180001.VBN Infected: Trojan.Win32.Inject.br skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BA00000.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BA00001.VBN Infected: Trojan.Win32.Agent.aoy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C6C0000.VBN Infected: Trojan.Win32.Agent.anr skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C6C0001.VBN Infected: Trojan-Downloader.Win32.Alphabet.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C6C0002.VBN Infected: Trojan-Downloader.Win32.Alphabet.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C6C0003.VBN Infected: Trojan-Downloader.Win32.Alphabet.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CC40000.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CC40001.VBN Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Application Data\Babylon\log_file.txt Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\MSHist012007070120070702\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\AskTBar\bar\1.bin\A5POPSWT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.az skipped
C:\QooBox\Quarantine\C\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.az skipped
C:\QooBox\Quarantine\C\WINDOWS\avp.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.f skipped
C:\QooBox\Quarantine\C\WINDOWS\mgrs.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkjhfc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvussr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winbug32.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7ADCEB0A-162C-404B-997A-93C21878A907}\RP1\A0000079.exe Infected: Trojan-Downloader.Win32.Alphabet.f skipped
C:\System Volume Information\_restore{7ADCEB0A-162C-404B-997A-93C21878A907}\RP1\A0000080.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{7ADCEB0A-162C-404B-997A-93C21878A907}\RP1\A0000083.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{7ADCEB0A-162C-404B-997A-93C21878A907}\RP1\A0000086.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{7ADCEB0A-162C-404B-997A-93C21878A907}\RP1\A0000163.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.az skipped
C:\System Volume Information\_restore{7ADCEB0A-162C-404B-997A-93C21878A907}\RP1\A0000165.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.az skipped
C:\System Volume Information\_restore{7ADCEB0A-162C-404B-997A-93C21878A907}\RP1\A0000166.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{7ADCEB0A-162C-404B-997A-93C21878A907}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\USER-4PVWJAMKRZ.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6A55F351-C60D-4524-B1DF-3BF22097289C}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT05f8f.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Nero_1.Burning.Rom.Reloaded.v7.8.5.0.Incl.Keygen-FFF.rar\Setup.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
D:\Nero_1.Burning.Rom.Reloaded.v7.8.5.0.Incl.Keygen-FFF.rar\Setup.exe RAR: infected - 1 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{7ADCEB0A-162C-404B-997A-93C21878A907}\RP1\change.log Object is locked skipped
D:\temp\Nero_7.8.5.0_Premium_keygen.exe/data.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.kq skipped
D:\temp\Nero_7.8.5.0_Premium_keygen.exe/data.rar/patch.exe Infected: Trojan-Downloader.Win32.Agent.btq skipped
D:\temp\Nero_7.8.5.0_Premium_keygen.exe/data.rar/crack.exe Infected: Trojan.Win32.Inject.br skipped
D:\temp\Nero_7.8.5.0_Premium_keygen.exe/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
D:\temp\Nero_7.8.5.0_Premium_keygen.exe/data.rar Infected: Trojan-Downloader.Win32.Small.eqn skipped
D:\temp\Nero_7.8.5.0_Premium_keygen.exe RarSFX: infected - 5 skipped

Scan process completed.


3. ComboFix's log

"user" - 2007-07-01 0:56:09 - ComboFix 07-07-01 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\user\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1\dedgrqbe.exe
C:\DOCUME~1\user\APPLIC~1\knob owns love
C:\DOCUME~1\user\APPLIC~1\knob owns love\9928565B
C:\Program Files\AskTBar
C:\Program Files\AskTBar\bar\1.bin\A5POPSWT.DLL
C:\Program Files\AskTBar\bar\Cache\002477E0
C:\Program Files\AskTBar\bar\Cache\00247BC8
C:\Program Files\AskTBar\bar\Cache\00247DBC.bin
C:\Program Files\AskTBar\bar\Cache\002480AA.bin
C:\Program Files\AskTBar\bar\Cache\0024828E.bin
C:\Program Files\AskTBar\bar\Cache\files.ini
C:\Program Files\AskTBar\bar\History\search2
C:\Program Files\AskTBar\bar\Settings\prevcfg2.htm
C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
C:\WINDOWS\system32\winbug32.dll
C:\WINDOWS\tasks\B03EB53497FD26C0.job


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))


2007-06-30 23:22 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-30 21:55 <DIR> d-------- C:\Deckard
2007-06-30 20:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-30 19:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-30 18:59 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-30 11:30 77,312 --a------ C:\WINDOWS\ua2.dll
2007-06-30 11:03 <DIR> d-------- C:\Program Files\Nero
2007-06-30 11:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-06-30 10:40 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-06-30 09:58 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Ahead
2007-06-29 20:28 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\U3
2007-06-29 20:03 <DIR> d-------- C:\WINDOWS\Prefetch
2007-06-29 18:40 <DIR> d--hs---- C:\WINDOWS\CSC
2007-06-29 17:05 <DIR> d-------- C:\b76a1af87dd2b90be1bf687fb745454f
2007-06-29 16:52 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-06-29 16:52 39,936 --a------ C:\WINDOWS\system32\mf3216.dll
2007-06-29 16:52 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-06-29 16:50 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2007-06-29 16:50 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-06-29 16:50 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-06-29 16:50 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-06-29 16:50 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-06-29 16:50 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-06-29 16:50 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-06-29 16:50 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-06-29 16:50 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-06-29 16:50 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-06-29 16:50 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-06-29 16:50 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-06-29 16:50 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-06-29 16:50 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2007-06-29 16:50 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-06-29 16:50 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-06-29 16:50 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-06-29 16:50 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-06-29 16:48 <DIR> d-------- C:\WINDOWS\pss
2007-06-29 16:44 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2007-06-29 16:32 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2007-06-29 16:32 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-06-29 16:17 <DIR> d-------- C:\WINDOWS\OemDir
2007-06-29 14:55 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-06-29 14:52 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2007-06-29 14:52 81,920 --a------ C:\WINDOWS\system32\ils.dll
2007-06-29 14:52 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2007-06-29 14:52 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2007-06-29 14:52 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2007-06-29 14:52 678,400 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-06-29 14:52 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2007-06-29 14:52 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2007-06-29 14:52 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2007-06-29 14:52 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2007-06-29 14:52 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2007-06-29 14:52 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2007-06-29 14:52 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2007-06-29 14:52 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-06-29 14:52 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-06-29 14:52 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-06-29 14:52 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2007-06-29 14:52 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-06-29 14:52 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2007-06-29 14:52 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2007-06-29 14:52 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-06-29 14:52 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2007-06-29 14:52 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-06-29 14:52 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2007-06-29 14:52 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2007-06-29 14:52 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2007-06-29 14:51 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2007-06-29 14:51 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-06-29 14:51 89,600 --a------ C:\WINDOWS\system32\comrepl.dll
2007-06-29 14:51 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-06-29 14:51 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2007-06-29 14:51 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2007-06-29 14:51 655,360 --a------ C:\WINDOWS\system32\mstscax.dll
2007-06-29 14:51 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-06-29 14:51 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2007-06-29 14:51 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-06-29 14:51 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2007-06-29 14:51 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2007-06-29 14:51 56,320 --a------ C:\WINDOWS\system32\servdeps.dll
2007-06-29 14:51 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2007-06-29 14:51 538,624 --a------ C:\WINDOWS\system32\spider.exe
2007-06-29 14:51 53,080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-06-29 14:51 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-06-29 14:51 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2007-06-29 14:51 407,552 --a------ C:\WINDOWS\system32\mstsc.exe
2007-06-29 14:51 38,912 --a------ C:\WINDOWS\system32\cfgbkend.dll
2007-06-29 14:51 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2007-06-29 14:51 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2007-06-29 14:51 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2007-06-29 14:51 20,480 --a------ C:\WINDOWS\system32\qprocess.exe
2007-06-29 14:51 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2007-06-29 14:51 185,344 --a------ C:\WINDOWS\system32\cmprops.dll
2007-06-29 14:51 183,808 --a------ C:\WINDOWS\system32\accwiz.exe
2007-06-29 14:51 17,408 --a------ C:\WINDOWS\system32\mmfutil.dll
2007-06-29 14:51 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2007-06-29 14:51 147,968 --a------ C:\WINDOWS\system32\rdchost.dll
2007-06-29 14:51 140,800 --a------ C:\WINDOWS\system32\sessmgr.exe
2007-06-29 14:51 139,528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2007-06-29 14:51 131,584 --a------ C:\WINDOWS\system32\sndrec32.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-30 22:50:17 -------- d-----w C:\Program Files\BitDownload
2007-06-30 22:15:38 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-30 22:15:26 -------- d-----w C:\Program Files\QuickTime
2007-06-30 22:14:16 -------- d-----w C:\Program Files\Multi_Media
2007-06-30 22:12:25 -------- d-----w C:\Program Files\Messenger
2007-06-30 22:11:10 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-30 22:10:06 -------- d-----w C:\Program Files\Babylon
2007-06-30 19:09:39 49,776 ----a-w C:\DOCUME~1\user\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-30 09:05:30 -------- d-----w C:\Program Files\Common Files\Ahead
2007-06-29 18:07:03 -------- d-----w C:\Program Files\MSN Messenger
2007-06-29 17:50:42 -------- d-----w C:\Program Files\Movie Maker
2007-06-29 17:50:34 -------- d-----w C:\Program Files\Windows NT
2007-06-29 14:28:48 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-29 12:51:28 22,720 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-06-07 21:59:30 -------- d-----w C:\Program Files\eMule
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 19:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 19:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 19:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 19:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 19:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 19:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 19:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2005-09-24 06:12 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-12-15 02:23 440056 --a------ C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b5146c40-189a-4311-bda9-fbae3e023187}]
2007-03-19 10:50 1297432 --a------ C:\Program Files\Multi_Media\tbMult.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-03-03 20:50 C:\WINDOWS\system32\SiSPower.dll]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-11 04:02]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-12-31 00:19]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 09:46]
"Babylon Client"="C:\Program Files\Babylon\Babylon.exe" [2005-01-23 23:51]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 18:37]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 02:23]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 12:20 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53]
"dedgrqbe.exe"="C:\Documents and Settings\All Users\Application Data\dedgrqbe.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2005-09-19 07:14]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2007-06-19 17:56:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-01 00:57:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

cmd.exe [3300]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-01 0:57:27
C:\ComboFix-quarantined-files.txt ... 2007-07-01 00:57
C:\ComboFix2.txt ... 2007-06-30 23:35

--- E O F ---
Thanks, Alex