

Re: Need to get rid of Errorsafe (and other bad stuff)

Ok sUBs, done. ComboFix ran for about 40 minutes before it produced a log; I thought it had locked up...

Anyway, here ya go:

ComboFix Log:

"Owner" - 2007-07-01 20:37:00 - ComboFix 07-07-02.3 - Service Pack 2


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\abrvarbc.dll
C:\WINDOWS\system32\bovnjcet.dll
C:\WINDOWS\system32\dromnynw.dll
C:\WINDOWS\system32\jirkvrba.dll
C:\WINDOWS\system32\kyopwljo.dll
C:\WINDOWS\system32\lsjjiino.dll
C:\WINDOWS\system32\nwhikdfu.dll
C:\WINDOWS\system32\qnjiglhd.dll
C:\WINDOWS\system32\rvtokfif.dll
C:\WINDOWS\system32\vlbkkbai.dll
C:\WINDOWS\system32\vttaauky.dll
C:\WINDOWS\system32\xpyujbwl.dll
C:\WINDOWS\system32\mljigfd.dll
C:\WINDOWS\system32\vycdd.bak1
C:\WINDOWS\system32\vycdd.bak2
C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini2
C:\WINDOWS\system32\vycdd.tmp
C:\WINDOWS\system32\abrvkrij.ini
C:\WINDOWS\system32\ojlwpoyk.ini
C:\WINDOWS\system32\oniijjsl.ini
C:\WINDOWS\system32\ufdkihwn.ini
C:\WINDOWS\system32\dhlgijnq.ini
C:\WINDOWS\system32\fifkotvr.ini
C:\WINDOWS\system32\iabkkblv.ini
C:\WINDOWS\system32\ykuaattv.ini
C:\WINDOWS\system32\lwbjuypx.ini
C:\WINDOWS\system32\vycdd.bak1
C:\WINDOWS\system32\vycdd.bak2
C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini2
C:\WINDOWS\system32\vycdd.tmp
C:\WINDOWS\system32\vycdd.bak1
C:\WINDOWS\system32\vycdd.bak2
C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini2
C:\WINDOWS\system32\vycdd.tmp
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\hggebbx.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\APPLIC~1.\appatc~1
C:\DOCUME~1\Owner\APPLIC~1.\asembl~1
C:\DOCUME~1\Owner\APPLIC~1.\asks~1
C:\DOCUME~1\Owner\APPLIC~1.\crosof~1
C:\DOCUME~1\Owner\APPLIC~1.\crosof~1.net
C:\DOCUME~1\Owner\APPLIC~1.\curity~1
C:\DOCUME~1\Owner\APPLIC~1.\dobe~1
C:\DOCUME~1\Owner\APPLIC~1.\ecurit~1
C:\DOCUME~1\Owner\APPLIC~1.\fnts~1
C:\DOCUME~1\Owner\APPLIC~1.\fnts~2
C:\DOCUME~1\Owner\APPLIC~1.\icroso~1.net
C:\DOCUME~1\Owner\APPLIC~1.\mantec~1
C:\DOCUME~1\Owner\APPLIC~1.\mcroso~1
C:\DOCUME~1\Owner\APPLIC~1.\racle~1
C:\DOCUME~1\Owner\APPLIC~1.\racle~2
C:\DOCUME~1\Owner\APPLIC~1.\scurit~1
C:\DOCUME~1\Owner\APPLIC~1.\smante~1
C:\DOCUME~1\Owner\APPLIC~1.\ssembl~1
C:\DOCUME~1\Owner\APPLIC~1.\sstem~1
C:\DOCUME~1\Owner\APPLIC~1.\sstem3~1
C:\DOCUME~1\Owner\APPLIC~1.\wnsxs~1
C:\DOCUME~1\Owner\APPLIC~1.\ymbols~1
C:\DOCUME~1\Owner\MYDOCU~1.\appatc~1
C:\DOCUME~1\Owner\MYDOCU~1.\asembl~1
C:\DOCUME~1\Owner\MYDOCU~1.\asks~1
C:\DOCUME~1\Owner\MYDOCU~1.\asks~2
C:\DOCUME~1\Owner\MYDOCU~1.\curity~1
C:\DOCUME~1\Owner\MYDOCU~1.\dobe~1
C:\DOCUME~1\Owner\MYDOCU~1.\dobe~2
C:\DOCUME~1\Owner\MYDOCU~1.\ecurit~1
C:\DOCUME~1\Owner\MYDOCU~1.\fnts~1
C:\DOCUME~1\Owner\MYDOCU~1.\icroso~1
C:\DOCUME~1\Owner\MYDOCU~1.\icroso~1.net
C:\DOCUME~1\Owner\MYDOCU~1.\icroso~2
C:\DOCUME~1\Owner\MYDOCU~1.\mbols~1
C:\DOCUME~1\Owner\MYDOCU~1.\ppatch~1
C:\DOCUME~1\Owner\MYDOCU~1.\pppatc~1
C:\DOCUME~1\Owner\MYDOCU~1.\racle~1
C:\DOCUME~1\Owner\MYDOCU~1.\racle~2
C:\DOCUME~1\Owner\MYDOCU~1.\smante~1
C:\DOCUME~1\Owner\MYDOCU~1.\ssembl~1
C:\DOCUME~1\Owner\MYDOCU~1.\sstem~1
C:\DOCUME~1\Owner\MYDOCU~1.\sstem3~1
C:\DOCUME~1\Owner\MYDOCU~1.\stem~1
C:\DOCUME~1\Owner\MYDOCU~1.\tsks~1
C:\DOCUME~1\Owner\MYDOCU~1.\wnsxs~1
C:\DOCUME~1\Owner\MYDOCU~1.\ymante~1
C:\DOCUME~1\Owner\MYDOCU~1.\ymbols~1
C:\Program Files\asks~1
C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\curity~1
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\dobe~2
C:\Program Files\Common Files\ecurit~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\fnts~2
C:\Program Files\Common Files\icroso~1
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\scurit~1
C:\Program Files\Common Files\sembly~1
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\smbols~1
C:\Program Files\Common Files\ssembl~1
C:\Program Files\Common Files\sstem3~1
C:\Program Files\Common Files\stem~1
C:\Program Files\Common Files\tsks~1
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\ystem~1
C:\Program Files\curity~1
C:\Program Files\dobe~1
C:\Program Files\fnts~1
C:\Program Files\fnts~1\explorer.exe
C:\Program Files\icroso~1
C:\Program Files\icroso~1.net
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\ppatch~1
C:\Program Files\pppatc~1
C:\Program Files\sembly~1
C:\Program Files\sks~1
C:\Program Files\smbols~1
C:\Program Files\sstem3~1
C:\Program Files\wnsxs~1
C:\Program Files\ymbols~1
C:\Program Files\ystem~1
C:\Program Files\ystem3~1
C:\WINDOWS\asks~1
C:\WINDOWS\crosof~1.net
C:\WINDOWS\crosof~1.net\javaw.exe
C:\WINDOWS\ecurit~1
C:\WINDOWS\fnts~1
C:\WINDOWS\fnts~2
C:\WINDOWS\icroso~1
C:\WINDOWS\icroso~1.net
C:\WINDOWS\mantec~1
C:\WINDOWS\mcroso~1.net
C:\WINDOWS\NDNuninstall5_64.exe
C:\WINDOWS\ppatch~1
C:\WINDOWS\pppatc~1
C:\WINDOWS\pppatc~2
C:\WINDOWS\scurit~1
C:\WINDOWS\smante~1
C:\WINDOWS\sstem3~1
C:\WINDOWS\stem~1
C:\WINDOWS\stem32~1
C:\WINDOWS\system32\appatc~1
C:\WINDOWS\system32\asembl~1
C:\WINDOWS\system32\crosof~1.net
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\mantec~1
C:\WINDOWS\system32\mcroso~1.net
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\racle~2
C:\WINDOWS\system32\sembly~1
C:\WINDOWS\system32\smante~1
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\system32\sstem~1
C:\WINDOWS\system32\stem~1
C:\WINDOWS\system32\taskmgr.dll
C:\WINDOWS\system32\tsks~1
C:\WINDOWS\system32\ymante~1
C:\WINDOWS\system32\ymbols~1
C:\WINDOWS\system32\ystem~1
C:\WINDOWS\system32\ystem3~1
C:\WINDOWS\wnsxs~1
C:\WINDOWS\wr.txt
C:\WINDOWS\ymbols~1
C:\WINDOWS\ystem~1


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NM
-------\DomainService
-------\nm


((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 )))))))))))))))))))))))))))))))


2007-07-01 20:36 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-07-01 18:59 <DIR> d-------- C:\Deckard
2007-07-01 18:46 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-01 16:45 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-01 14:58 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-29 01:58 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-29 01:58 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-29 01:58 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-29 01:58 1,356 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-29 01:38 <DIR> d-------- C:\Program Files\RogueRemover
2007-06-29 00:34 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-25 00:52 66,176 --a------ C:\DOCUME~1\Ashley\ps.exe
2007-06-25 00:50 66,048 --a------ C:\DOCUME~1\Ashley\x.exe
2007-06-25 00:50 159,744 --a------ C:\DOCUME~1\Ashley\rm.exe
2007-06-22 14:14 <DIR> d-------- C:\bintheredunthat
2007-06-22 14:11 <DIR> d--hs---- C:\DOCUME~1\Owner\Complete
2007-06-15 13:42 <DIR> d-------- C:\New Samples
2007-06-06 01:28 <DIR> d-------- C:\Program Files\DVD Shrink
2007-06-06 01:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-06-06 00:46 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\ImgBurn
2007-06-06 00:45 <DIR> d-------- C:\Program Files\ImgBurn
2007-06-06 00:40 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Common Files
2007-06-05 15:43 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-06-05 15:43 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-06-05 15:43 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-06-05 15:43 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-06-05 15:43 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-06-05 15:43 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-06-05 15:43 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-06-05 15:43 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-06-05 15:43 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-06-05 15:43 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-06-05 15:43 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-06-05 15:43 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-06-05 15:43 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-06-05 15:43 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-06-03 12:48 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\U3


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-02 00:34:54 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\wsInspector
2007-07-01 22:19:35 -------- d-----w C:\Program Files\tclockex
2007-07-01 22:19:07 -------- d-----w C:\Program Files\ScreenPrint32 v3
2007-07-01 22:00:22 -------- d-----w C:\Program Files\AdsGone
2007-06-28 04:05:32 -------- d-----w C:\Program Files\GIANT Company Software
2007-06-26 15:10:45 352,137 ----a-w C:\swlist.reg
2007-06-25 17:57:32 -------- d-----w C:\Program Files\Morpheus
2007-06-19 07:02:46 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-06-13 16:59:50 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-06-11 14:33:10 -------- d-----w C:\Program Files\Yahoo!
2007-06-11 14:32:44 -------- d--h--r C:\DOCUME~1\Owner\APPLIC~1\yahoo!
2007-06-11 14:29:29 -------- d-----w C:\Program Files\Windows Live Toolbar
2007-06-11 14:27:44 -------- d-----w C:\Program Files\Soulseek
2007-06-11 14:25:09 -------- d-----w C:\Program Files\NASA
2007-06-11 14:23:21 -------- d-----w C:\Program Files\mIRC
2007-06-11 14:17:13 -------- d-----w C:\Program Files\KaZaA Lite
2007-06-11 14:16:27 -------- d-----w C:\Program Files\Easy DVD Creator
2007-06-11 14:15:42 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-11 14:14:48 -------- d-----w C:\Program Files\Common Files\AOL
2007-06-06 04:40:09 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\HP
2007-05-31 15:41:44 -------- d-----w C:\Program Files\Western Digital Technologies
2007-05-31 04:59:35 -------- d-----w C:\Program Files\CCleaner
2007-05-31 04:44:39 -------- d-----w C:\Program Files\MSXML 4.0
2007-05-31 04:31:35 -------- d-----w C:\Program Files\Messenger
2007-05-31 03:50:08 -------- d-----w C:\Program Files\Astonsoft
2007-05-31 03:50:08 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\DeepBurner Pro
2007-05-31 03:50:07 -------- d-----w C:\Program Files\MediaMonkey
2007-05-31 03:50:07 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Walgreens
2007-05-31 03:50:07 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Ashampoo
2007-05-31 03:50:03 -------- d-----w C:\Program Files\Media Player Classic
2007-05-31 03:48:30 -------- d-----w C:\Program Files\QuickTime Alternative
2007-05-31 03:48:09 -------- d-----w C:\Program Files\Common Files\Ahead
2007-05-31 03:48:09 -------- d-----w C:\Program Files\Ahead2
2007-05-22 14:26:11 -------- d-----w C:\Program Files\OpenOffice.org1.1.2
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-08 19:43:47 5 ----a-w C:\WINDOWS\system32\SySVid.dat
2007-05-08 19:36:54 -------- d-----w C:\Program Files\SuperAudiotool
2007-05-08 19:36:39 3,082 ----a-w C:\WINDOWS\system32\affv11300p4now.sys
2007-05-06 17:40:54 -------- d-----w C:\Program Files\Xilisoft
2007-05-06 0823 -------- d-----w C:\Program Files\ImTOO
2007-05-06 07:43:24 -------- d-----w C:\Program Files\Ashampoo
2007-05-04 07:09:45 -------- d-----w C:\Program Files\ATP
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2004-02-26 06:18:26 2 --shatr C:\WINDOWS\winstart.bat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-05-15 10:47 50376 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D}]
2004-02-24 14:57 784384 --a------ C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F02EE046-5EDB-0C2F-D592-7AA2D8F23A95}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [2003-06-18 22:19]
"LTMSG"="LTMSG.exe" [2003-07-14 20:52 C:\WINDOWS\ltmsg.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"ScreenPrint32"="C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe" [2003-05-15 21:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TClockEx"="C:\Program Files\tclockex\TCLOCKEX.EXE" [2000-03-09 02:15]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2004-10-25 15:36]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoClose"=0 (0x0)
"StartMenuLogOff"=0 (0x0)
"NoLogOff"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoNetSetup"=0 (0x0)
"NoPrinters"=0 (0x0)
"NoViewOnDrive"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Organize.lnk]
backup=C:\WINDOWS\pss\Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenPrint32]
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]
"C:\Program Files\Shareaza\Shareaza.exe" -tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SLock]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
AutoRun\command- K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3a9f5a4-12bb-11dc-b482-00038a000015}]
AutoRun\command- K:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb4dcb1c-1065-11dc-b47e-00038a000015}]
AutoRun\command- K:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2007-06-25 11:48:00 C:\WINDOWS\tasks\Ad-aware 6.job
2007-07-02 01:12:00 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-01 21:10:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-01 21:17:16 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-01 21:13

--- E O F ---



Fresh HIJACKTHIS Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:19:18 PM, on 7/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdsGone\adsgone.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\a4f1z77c.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\a4f1z77c.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: (no name) - {F02EE046-5EDB-0C2F-D592-7AA2D8F23A95} - (no file)
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\tclockex\TCLOCKEX.EXE
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AdsGone 2004.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extend...s/iaieplay.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_2us.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe