Constant popups in Firefox Malware issues - Please HELP

Flowz · 05-13-2008, 06:52 AM

Dunno if I did everything correctly.. But here's what i got..

Let me know if anything else i need to let u kno..

Thanks in advance..

Flowz

Deckard's System Scanner v20071014.68
Run by ZuluFloW on 2008-05-13 09:20:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.56 GiB (less than 15%) free.

-- HijackThis (run as ZuluFloW.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:34 AM, on 5/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\ZuluFloW\Desktop\Anti V Stuff\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ZuluFloW.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q306&bd=presario&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: cfm - Unknown owner - C:\WINDOWS\system32\cfmom.exe (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10184 bytes

-- Files created between 2008-04-13 and 2008-05-13 -----------------------------

2008-05-12 02:19:44 0 d-------- C:\WINDOWS\Prefetch
2008-05-11 23:18:11 0 d-------- C:\WINDOWS\system32\scripting
2008-05-11 23:18:10 0 d-------- C:\WINDOWS\system32\en
2008-05-11 23:18:10 0 d-------- C:\WINDOWS\l2schemas
2008-05-11 23:18:09 0 d-------- C:\WINDOWS\system32\bits
2008-05-11 23:15:05 0 d-------- C:\WINDOWS\ServicePackFiles
2008-05-11 23:13:17 0 d-------- C:\WINDOWS\network diagnostic
2008-05-11 01:29:23 0 d-------- C:\Program Files\Panda Security
2008-05-10 16:21:03 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-05-10 16:20:10 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Talkback
2008-05-10 16:13:26 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Mozilla
2008-05-10 16:10:38 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-05-10 16:10:23 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-05-09 19:36:41 691545 --a------ C:\WINDOWS\unins000.exe
2008-05-09 19:36:41 2542 --a------ C:\WINDOWS\unins000.dat
2008-05-09 19:08:51 5776 --a------ C:\WINDOWS\ upd.dll
2008-05-09 19:08:09 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-09 19:07:57 0 d-------- C:\Program Files\Easy Adder
2008-05-05 23:08:11 0 d-------- C:\Program Files\Teknowebwork LLC

-- Find3M Report ---------------------------------------------------------------

2008-05-12 02:17:58 0 d-------- C:\Program Files\Messenger
2008-05-11 23:18:09 0 d-------- C:\Program Files\Movie Maker
2008-05-11 23:14:47 0 d-------- C:\Program Files\Windows NT
2008-05-11 16:55:27 0 d-------- C:\Program Files\Trillian
2008-05-11 01:29:24 4819 --a----c- C:\WINDOWS\mozver.dat
2008-05-08 17:52:21 0 d-------- C:\Documents and Settings\ZuluFloW\Application Data\Skype
2008-05-08 16:04:23 0 d-------- C:\Documents and Settings\ZuluFloW\Application Data\skypePM
2008-05-08 14:09:05 0 d-------- C:\Documents and Settings\ZuluFloW\Application Data\AdobeUM
2008-05-08 01:25:03 0 d-------- C:\Program Files\Winamp
2008-05-07 14:51:09 2012 --a------ C:\Documents and Settings\ZuluFloW\Application Data\wklnhst.dat
2008-05-05 23:08:16 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-10 19:03:50 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-25 17:20:32 0 d-------- C:\Program Files\mIRC

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [02/15/2006 12:49 PM]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [04/18/2006 09:29 PM C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/04/2006 03:46 PM]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [04/11/2006 11:54 PM]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/08/2008 04:33 PM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [03/23/2006 01:38 PM]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [01/26/2006 06:18 PM]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [10/11/2005 12:23 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 11:00 PM]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [08/04/2004 11:00 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/04/2004 11:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 11:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 11:00 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 05:30 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/25/2006 01:54 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [04/02/2008 04:49 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 9:05:26 PM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [9/25/2005 3:39:30 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3044e482-d7c9-11db-beae-0016d3174e5c}]
AutoRun\command- PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f384355a-6f0a-11dc-bf40-0016d3174e5c}]
1\Command- .\RECYCLER\RECYCLER.exe
2\Command- .\RECYCLER\RECYCLER.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER.exe

*Newly Created Service* - COMHOST

-- End of Deckard's System Scanner: finished at 2008-05-13 23:47:56 ------------

Katana · 05-20-2008, 04:42 AM

Quote:

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly

----------------------------------------------------------------------------------------

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

Flash Disinfector by sUBs
Please download Flash_Disinfector.exe by sUBs and save it to your desktop:

* Double-click Flash_Disinfector.exe to run it.
* Follow any prompts that may appear.
* Wait until the program has finished scanning, then please exit the program.
The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.

Please restart your computer.

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Flowz · 05-20-2008, 07:22 PM

ComboFix 08-05-19.4 - ZuluFloW 2008-05-21 5:26:08.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.567 [GMT 10:00]
Running from: C:\Documents and Settings\ZuluFloW\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-16 12:53 . 2008-05-16 12:53 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-16 06:50 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-16 06:50 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-16 06:50 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-15 17:30 . 2008-05-15 17:30 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-05-15 17:30 . 2008-05-15 17:30 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-05-15 17:14 . 2008-05-15 23:41 <DIR> d-------- C:\Documents and Settings\ZuluFloW\Contacts
2008-05-15 16:30 . 2008-05-15 17:13 <DIR> d-------- C:\Program Files\Windows Live
2008-05-15 16:30 . 2008-05-15 17:13 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-15 16:30 . 2008-05-15 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-11 23:18 . 2008-05-11 23:18 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-11 23:18 . 2008-05-11 23:18 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-11 23:18 . 2008-05-11 23:18 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-11 23:18 . 2008-05-11 23:18 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-11 23:15 . 2008-05-11 23:15 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-11 17:19 . 2004-07-17 22:55 129,045 --------- C:\WINDOWS\system32\drivers\cxthsfs2.cty
2008-05-11 15:13 . 2008-05-11 15:32 2,905 --a------ C:\WINDOWS\ pt.html
2008-05-11 01:29 . 2008-05-11 01:29 <DIR> d-------- C:\Program Files\Panda Security
2008-05-11 00:48 . 2008-05-11 01:06 <DIR> d-------- C:\SDFix
2008-05-10 16:20 . 2008-05-10 16:20 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Talkback
2008-05-09 19:36 . 2008-05-09 19:33 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-09 19:36 . 2008-05-09 19:36 2,542 --a------ C:\WINDOWS\unins000.dat
2008-05-09 19:08 . 2008-05-09 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-09 19:08 . 2008-05-10 17:23 5,776 --a------ C:\WINDOWS\ upd.dll
2008-05-09 19:07 . 2008-05-09 19:39 <DIR> d-------- C:\Program Files\Easy Adder
2008-05-05 23:08 . 2008-05-05 23:08 <DIR> d-------- C:\Program Files\Teknowebwork LLC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 18:41 --------- d-----w C:\Program Files\Trillian
2008-05-20 14:21 --------- d-----w C:\Documents and Settings\ZuluFloW\Application Data\Skype
2008-05-20 14:08 --------- d-----w C:\Documents and Settings\ZuluFloW\Application Data\skypePM
2008-05-16 07:50 2,012 ----a-w C:\Documents and Settings\ZuluFloW\Application Data\wklnhst.dat
2008-05-15 13:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-13 23:11 --------- d-----w C:\Program Files\Winamp
2008-05-10 07:23 5,776 ----a-w C:\WINDOWS\ upd.dll
2008-05-09 09:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-09 09:41 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-08 04:09 --------- d-----w C:\Documents and Settings\ZuluFloW\Application Data\AdobeUM
2008-05-05 13:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 67,584 ----a-w C:\WINDOWS\system32\dllcache\pmigrate.dll
2008-04-14 00:10 53,760 ----a-w C:\WINDOWS\system32\dllcache\pintlcsd.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\dllcache\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 00:10 175,104 ----a-w C:\WINDOWS\system32\dllcache\pintlcsa.dll
2008-04-14 00:10 15,872 ----a-w C:\WINDOWS\system32\dllcache\padrs404.dll
2008-04-14 00:10 15,360 ----a-w C:\WINDOWS\system32\dllcache\padrs804.dll
2008-04-14 00:10 10,240 ----a-w C:\WINDOWS\system32\dllcache\tmigrate.dll
2008-04-13 19:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-13 19:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-13 19:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:46 61,696 ----a-w C:\WINDOWS\system32\drivers\ohci1394.sys
2008-04-13 18:46 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 18:46 53,376 ----a-w C:\WINDOWS\system32\drivers\1394bus.sys
2008-04-13 18:46 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-13 18:46 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-13 18:46 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-13 18:46 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-13 18:46 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-13 18:46 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-13 18:46 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-13 18:46 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 12:49 454656]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 21:29 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 15:46 761948]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-04-11 23:54 102400]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 16:33 53096]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 13:38 131072]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 18:18 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23 1187840]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 23:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 13:54 229952]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-02 04:49 36352]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-09-25 03:39:30 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 19:27]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-07 00:49]
S2 cfm;cfm;C:\WINDOWS\system32\cfmom.exe []
S3 pae_1394;pae_1394;C:\WINDOWS\system32\Drivers\pae_1394.sys [2005-06-10 09:35]
S3 pae_avs;pae_avs;C:\WINDOWS\system32\Drivers\pae_avs.sys [2005-06-10 09:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3044e482-d7c9-11db-beae-0016d3174e5c}]
\Shell\AutoRun\command - PortableApps\PortableAppsMenu\PortableAppsMenu.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 18:38:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-05-10 04:45:55 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - ZuluFloW.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 05:31:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????R????????@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-21 5:35:18
ComboFix-quarantined-files.txt 2008-05-20 19:34:35
ComboFix2.txt 2008-01-31 06:23:33

Pre-Run: 7,848,235,008 bytes free
Post-Run: 8,261,046,272 bytes free

227 --- E O F --- 2008-05-17 17:01:51

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:48 PM, on 5/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q306&bd=presario&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: cfm - Unknown owner - C:\WINDOWS\system32\cfmom.exe (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10840 bytes

Katana · 05-21-2008, 01:53 AM

Hi Flowz,

There looks to be some evidence of a Password Stealer on your machine.
I recommend that you change ALL online passwords from a different computer

Disable Teatimer
First step:

Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :

Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.

Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal
Copy/paste the the following file path into the window
C:\WINDOWS\ pt.html
Click Submit/Send File
Please post back, to let me know the results.

If Virustotal is too busy please try Jotti

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:

File::
C:\WINDOWS\ pt.html
C:\WINDOWS\ upd.dll
C:\WINDOWS\pt.html
C:\WINDOWS\upd.dll

Driver::
cfm
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"=-

Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
Go Here http://www.kaspersky.com/kos/eng/par...avwebscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Installed Programs

Please could you give me a list of the programs that are installed.

Start HijackThis
Click on the Misc Tools button
Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

Logs/Information to Post in Reply
Please post the following logs/Information in your reply

Virus Total Report
ComboFix Log
Kaspersky Log
Installed Programs List
How are things running now ?

Flowz · 05-22-2008, 04:04 PM

ComboFix 08-05-19.4 - ZuluFloW 2008-05-21 19:28:34.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.420 [GMT 10:00]
Running from: C:\Documents and Settings\ZuluFloW\Desktop\Anti V Stuff\ComboFix.exe
Command switches used :: C:\Documents and Settings\ZuluFloW\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\ pt.html
C:\WINDOWS\ upd.dll
C:\WINDOWS\pt.html
C:\WINDOWS\upd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CFM
-------\Service_cfm

((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-21 14:55 . 2008-05-21 14:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-21 14:55 . 2008-05-21 14:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-16 12:53 . 2008-05-16 12:53 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-16 06:50 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-16 06:50 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-16 06:50 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-15 17:30 . 2008-05-15 17:30 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-05-15 17:30 . 2008-05-15 17:30 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-05-15 17:14 . 2008-05-15 23:41 <DIR> d-------- C:\Documents and Settings\ZuluFloW\Contacts
2008-05-15 16:30 . 2008-05-15 17:13 <DIR> d-------- C:\Program Files\Windows Live
2008-05-15 16:30 . 2008-05-15 17:13 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-15 16:30 . 2008-05-15 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-11 23:18 . 2008-05-11 23:18 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-11 23:18 . 2008-05-11 23:18 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-11 23:18 . 2008-05-11 23:18 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-11 23:18 . 2008-05-11 23:18 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-11 23:15 . 2008-05-11 23:15 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-11 17:19 . 2004-07-17 22:55 129,045 --------- C:\WINDOWS\system32\drivers\cxthsfs2.cty
2008-05-11 15:13 . 2008-05-11 15:32 2,905 --a------ C:\WINDOWS\ÿpt.html
2008-05-11 01:29 . 2008-05-11 01:29 <DIR> d-------- C:\Program Files\Panda Security
2008-05-11 00:48 . 2008-05-11 01:06 <DIR> d-------- C:\SDFix
2008-05-10 16:20 . 2008-05-10 16:20 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Talkback
2008-05-09 19:36 . 2008-05-09 19:33 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-09 19:36 . 2008-05-09 19:36 2,542 --a------ C:\WINDOWS\unins000.dat
2008-05-09 19:08 . 2008-05-09 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-09 19:08 . 2008-05-10 17:23 5,776 --a------ C:\WINDOWS\ÿupd.dll
2008-05-09 19:07 . 2008-05-09 19:39 <DIR> d-------- C:\Program Files\Easy Adder
2008-05-05 23:08 . 2008-05-05 23:08 <DIR> d-------- C:\Program Files\Teknowebwork LLC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 04:05 2,012 ----a-w C:\Documents and Settings\ZuluFloW\Application Data\wklnhst.dat
2008-05-20 18:41 --------- d-----w C:\Program Files\Trillian
2008-05-20 14:21 --------- d-----w C:\Documents and Settings\ZuluFloW\Application Data\Skype
2008-05-20 14:08 --------- d-----w C:\Documents and Settings\ZuluFloW\Application Data\skypePM
2008-05-15 13:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-13 23:11 --------- d-----w C:\Program Files\Winamp
2008-05-10 07:23 5,776 ----a-w C:\WINDOWS\ upd.dll
2008-05-09 09:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-09 09:41 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-08 04:09 --------- d-----w C:\Documents and Settings\ZuluFloW\Application Data\AdobeUM
2008-05-05 13:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 34,816 ----a-w C:\WINDOWS\Help\sniffpol.dll
2008-04-14 00:12 33,280 ----a-w C:\WINDOWS\Help\sstub.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 3,901 ------w C:\WINDOWS\system32\drivers\siint5.dll
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 279,040 ----a-w C:\WINDOWS\Help\tshoot.dll
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 11,325 ------w C:\WINDOWS\system32\drivers\vchnt5.dll
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:46 61,696 ----a-w C:\WINDOWS\system32\drivers\ohci1394.sys
2008-04-13 18:46 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 18:46 53,376 ----a-w C:\WINDOWS\system32\drivers\1394bus.sys
2008-04-13 18:46 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-13 18:46 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-13 18:46 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-13 18:46 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-13 18:46 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-13 18:46 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-13 18:46 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-13 18:46 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 18:41 8,576 ----a-w C:\WINDOWS\system32\drivers\i2omgmt.sys
2008-04-13 18:41 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-13 18:41 18,560 ----a-w C:\WINDOWS\system32\drivers\i2omp.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-21_ 5.34.18.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-20 18:42:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 09:34:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 10:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2008-05-20 18:47:25 66,888 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-21 09:39:33 66,370 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-20 18:47:25 417,616 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-21 09:39:33 416,740 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 12:49 454656]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 21:29 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 15:46 761948]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-04-11 23:54 102400]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 16:33 53096]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 13:38 131072]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 18:18 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23 1187840]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 23:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 13:54 229952]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-02 04:49 36352]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-09-25 03:39:30 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 19:27]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-07 00:49]
S3 pae_1394;pae_1394;C:\WINDOWS\system32\Drivers\pae_1394.sys [2005-06-10 09:35]
S3 pae_avs;pae_avs;C:\WINDOWS\system32\Drivers\pae_avs.sys [2005-06-10 09:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3044e482-d7c9-11db-beae-0016d3174e5c}]
\Shell\AutoRun\command - PortableApps\PortableAppsMenu\PortableAppsMenu.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-21 09:38:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-05-10 04:45:55 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - ZuluFloW.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 19:35:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????R????????@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-05-21 19:45:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-21 09:45:54
ComboFix2.txt 2008-05-20 19:35:19
ComboFix3.txt 2008-01-31 06:23:33

Pre-Run: 8,461,115,392 bytes free
Post-Run: 8,346,750,976 bytes free

269 --- E O F --- 2008-05-17 17:01:51

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Uninstall list..

A Series of Unfortunate Events
Ableton Live v6.0.3
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.9
Alien Shooter
Ares 2.0.9
ASAPI Update
Audacity 1.2.6
AutoFriend
Ballistik
Bejeweled 2 Deluxe
BeTrapped!
BitTorrent 5.0.7
Bookworm Deluxe
Bpm Calculator 2005
BPM Counter 2004
Bricks of Egypt
CC_ccProxyExt
ccCommon
ccPxyCore
Chainz
Chuzzle
Conexant HD Audio
Cubis Gold 2
Customer Experience Enhancement
DivX Author 1.5
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Easy Adder 2.0.7
eMusic - 50 Free MP3 offer
Feeding Frenzy
HDAUDIO Soft Data Fax Modem with SmartCP
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
HP DVD Play 2.1
HP Help and Support
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP Quick Launch Buttons 6.00 G2
HP Update
HP User Guides 0027
HP Wireless Assistant 2.00 E1
Insaniquarium Deluxe
Inspector-Parker
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 3
Jewel Quest
Jigsaw 365
Kaspersky Online Scanner
Links® Course Challenge – Chateau Whistler
LiveUpdate 3.0 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Luxor
Macromedia Flash Player 8
Macromedia Shockwave Player
Magic Ball 2
Magic Inlay
Mah Jong Medley
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Money
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
mIRC
Mobysaurus Thesaurus
Mozilla Firefox (2.0.0.14)
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero 6 Ultra Edition
Nero BurnRights
NetWaiting
Nokia Connectivity Cable Driver
Norton AntiSpam
Norton AntiVirus 2006
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2006 (Symantec Corporation)
Norton Protection Center
Norton WMI Update
Norton WMI Update
NVIDIA Drivers
Panda ActiveScan
Panda ActiveScan 2.0
Papel 6.10.10
Picture Organiser
PreSonus Inspire 1394 Audio Driver V2.14.0
QuickTime
Ricochet Lost Worlds
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB941569)
Shape Solitaire
Skype™ 3.6
Smart Menus (Windows Live Toolbar)
SmartAudio
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
SPBBC
Spin & Win
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Steinberg Nuendo v3.0.2.623
Symantec KB-DocID:2003093015493306
Synaptics Pointing Device Driver
Total Recorder 3.3
Tradewinds 2
Trillian
Tumblebugs
URS Everything EQ Bundle v4.0
Waves Diamond Bundle v5.0
Waves IR1 v5.0
Waves L3 Multimaximizer v1.0
Waves SSL 4000 Collection 1.1
Winamp
Windows Driver Package - 2Wire (2WIREPCP) Net (09/18/2002 1.4.0.5)
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (04/28/2006 1.3.1.0)
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
Zuma Deluxe

05-20-2008, 07:22 PM	#3 (permalink)
Flowz Registered User Join Date: Jan 2008 Posts: 18 OS: XP	Re: Constant popups in Firefox Malware issues - Please HELP ComboFix 08-05-19.4 - ZuluFloW 2008-05-21 5:26:08.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.567 [GMT 10:00] Running from: C:\Documents and Settings\ZuluFloW\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . D:\Autorun.inf F:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 ))))))))))))))))))))))))))))))) . 2008-05-16 12:53 . 2008-05-16 12:53 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2 2008-05-16 06:50 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll 2008-05-16 06:50 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll 2008-05-16 06:50 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui 2008-05-15 17:30 . 2008-05-15 17:30 <DIR> d-------- C:\Program Files\Windows Live Toolbar 2008-05-15 17:30 . 2008-05-15 17:30 <DIR> d-------- C:\Program Files\Windows Live Favorites 2008-05-15 17:14 . 2008-05-15 23:41 <DIR> d-------- C:\Documents and Settings\ZuluFloW\Contacts 2008-05-15 16:30 . 2008-05-15 17:13 <DIR> d-------- C:\Program Files\Windows Live 2008-05-15 16:30 . 2008-05-15 17:13 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller 2008-05-15 16:30 . 2008-05-15 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller 2008-05-11 23:18 . 2008-05-11 23:18 <DIR> d-------- C:\WINDOWS\system32\scripting 2008-05-11 23:18 . 2008-05-11 23:18 <DIR> d-------- C:\WINDOWS\system32\en 2008-05-11 23:18 . 2008-05-11 23:18 <DIR> d-------- C:\WINDOWS\system32\bits 2008-05-11 23:18 . 2008-05-11 23:18 <DIR> d-------- C:\WINDOWS\l2schemas 2008-05-11 23:15 . 2008-05-11 23:15 <DIR> d-------- C:\WINDOWS\ServicePackFiles 2008-05-11 17:19 . 2004-07-17 22:55 129,045 --------- C:\WINDOWS\system32\drivers\cxthsfs2.cty 2008-05-11 15:13 . 2008-05-11 15:32 2,905 --a------ C:\WINDOWS\ pt.html 2008-05-11 01:29 . 2008-05-11 01:29 <DIR> d-------- C:\Program Files\Panda Security 2008-05-11 00:48 . 2008-05-11 01:06 <DIR> d-------- C:\SDFix 2008-05-10 16:20 . 2008-05-10 16:20 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Talkback 2008-05-09 19:36 . 2008-05-09 19:33 691,545 --a------ C:\WINDOWS\unins000.exe 2008-05-09 19:36 . 2008-05-09 19:36 2,542 --a------ C:\WINDOWS\unins000.dat 2008-05-09 19:08 . 2008-05-09 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP 2008-05-09 19:08 . 2008-05-10 17:23 5,776 --a------ C:\WINDOWS\ upd.dll 2008-05-09 19:07 . 2008-05-09 19:39 <DIR> d-------- C:\Program Files\Easy Adder 2008-05-05 23:08 . 2008-05-05 23:08 <DIR> d-------- C:\Program Files\Teknowebwork LLC . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-05-20 18:41 --------- d-----w C:\Program Files\Trillian 2008-05-20 14:21 --------- d-----w C:\Documents and Settings\ZuluFloW\Application Data\Skype 2008-05-20 14:08 --------- d-----w C:\Documents and Settings\ZuluFloW\Application Data\skypePM 2008-05-16 07:50 2,012 ----a-w C:\Documents and Settings\ZuluFloW\Application Data\wklnhst.dat 2008-05-15 13:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-05-13 23:11 --------- d-----w C:\Program Files\Winamp 2008-05-10 07:23 5,776 ----a-w C:\WINDOWS\ upd.dll 2008-05-09 09:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-05-09 09:41 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-05-08 04:09 --------- d-----w C:\Documents and Settings\ZuluFloW\Application Data\AdobeUM 2008-05-05 13:08 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin 2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe 2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll 2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll 2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys 2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys 2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys 2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll 2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys 2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll 2008-04-14 00:10 67,584 ----a-w C:\WINDOWS\system32\dllcache\pmigrate.dll 2008-04-14 00:10 53,760 ----a-w C:\WINDOWS\system32\dllcache\pintlcsd.dll 2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll 2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll 2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\dllcache\msdxmlc.dll 2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll 2008-04-14 00:10 175,104 ----a-w C:\WINDOWS\system32\dllcache\pintlcsa.dll 2008-04-14 00:10 15,872 ----a-w C:\WINDOWS\system32\dllcache\padrs404.dll 2008-04-14 00:10 15,360 ----a-w C:\WINDOWS\system32\dllcache\padrs804.dll 2008-04-14 00:10 10,240 ----a-w C:\WINDOWS\system32\dllcache\tmigrate.dll 2008-04-13 19:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll 2008-04-13 19:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe 2008-04-13 19:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll 2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys 2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys 2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe 2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys 2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys 2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys 2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys 2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys 2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys 2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys 2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys 2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys 2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys 2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys 2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys 2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys 2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys 2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys 2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys 2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys 2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys 2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys 2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys 2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys 2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys 2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys 2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys 2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys 2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys 2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys 2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys 2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys 2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys 2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys 2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys 2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys 2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys 2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys 2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys 2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys 2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys 2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys 2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys 2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys 2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys 2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys 2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys 2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys 2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys 2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys 2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys 2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys 2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys 2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys 2008-04-13 18:46 61,696 ----a-w C:\WINDOWS\system32\drivers\ohci1394.sys 2008-04-13 18:46 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys 2008-04-13 18:46 53,376 ----a-w C:\WINDOWS\system32\drivers\1394bus.sys 2008-04-13 18:46 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys 2008-04-13 18:46 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys 2008-04-13 18:46 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys 2008-04-13 18:46 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys 2008-04-13 18:46 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys 2008-04-13 18:46 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys 2008-04-13 18:46 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys 2008-04-13 18:46 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 12:49 454656] "MsmqIntCert"="regsvr32 /s mqrt.dll" [] "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 21:29 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 15:46 761948] "QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-04-11 23:54 102400] "ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 16:33 53096] "QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 13:38 131072] "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 18:18 40960] "RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23 1187840] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00 208952] "IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 23:00 44032] "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00 59392] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 13:54 229952] "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-02 04:49 36352] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696] HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-09-25 03:39:30 73728] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "mixer"= DrvTrNTm.dll "wave"= DrvTrNTm.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\Program Files\\uTorrent\\uTorrent.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 19:27] R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-07 00:49] S2 cfm;cfm;C:\WINDOWS\system32\cfmom.exe [] S3 pae_1394;pae_1394;C:\WINDOWS\system32\Drivers\pae_1394.sys [2005-06-10 09:35] S3 pae_avs;pae_avs;C:\WINDOWS\system32\Drivers\pae_avs.sys [2005-06-10 09:35] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3044e482-d7c9-11db-beae-0016d3174e5c}] \Shell\AutoRun\command - PortableApps\PortableAppsMenu\PortableAppsMenu.exe Newly Created Service - COMHOST . Contents of the 'Scheduled Tasks' folder "2008-05-20 18:38:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE "2008-05-10 04:45:55 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - ZuluFloW.job" - c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK: . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-21 05:31:31 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????R????????@???????@ scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-05-21 5:35:18 ComboFix-quarantined-files.txt 2008-05-20 19:34:35 ComboFix2.txt 2008-01-31 06:23:33 Pre-Run: 7,848,235,008 bytes free Post-Run: 8,261,046,272 bytes free 227 --- E O F --- 2008-05-17 17:01:51 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:21:48 PM, on 5/21/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe c:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\mqsvc.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\WINDOWS\system32\mqtgsvc.exe C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\HP\QuickPlay\QPService.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe C:\WINDOWS\explorer.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q306&bd=presario&pf=laptop O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: cfm - Unknown owner - C:\WINDOWS\system32\cfmom.exe (file missing) O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- End of file - 10840 bytes

05-21-2008, 01:53 AM	#4 (permalink)
Katana Analyst, Security Team Join Date: Nov 2007 Location: Manchester, UK Posts: 604 OS: W2K SP4 + XP SP2 + Vista	Re: Constant popups in Firefox Malware issues - Please HELP Hi Flowz, There looks to be some evidence of a Password Stealer on your machine. I recommend that you change ALL online passwords from a different computer Disable Teatimer First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol) If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless. If you have Version 1.4, Click on Exit Spybot S&D Resident Second step, For Either Version : Open Spybot S&D Click Mode, choose Advanced Mode Go To the bottom of the Vertical Panel on the Left, Click Tools then, also in left panel, click Resident shows a red/white shield. If your firewall raises a question, say OK In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active OK any prompts. Use File, Exit to terminate Spybot Reboot your machine for the changes to take effect. Submit a File For Analysis We need to have the files below Scanned by Uploading them/it to Virus Total Please visit Virustotal Copy/paste the the following file path into the window C:\WINDOWS\ pt.html Click Submit/Send File Please post back, to let me know the results. If Virustotal is too busy please try Jotti Custom CFScript Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below: Code: File:: C:\WINDOWS\ pt.html C:\WINDOWS\ upd.dll C:\WINDOWS\pt.html C:\WINDOWS\upd.dll Driver:: cfm Registry:: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpybotSD TeaTimer"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsmqIntCert"=- Save this as CFScript.txt and place it on your desktop. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply. CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system. Kaspersky Online Scanner . Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal NOTE:- This scan is best done from IE (Internet Explorer) Go Here http://www.kaspersky.com/kos/eng/par...avwebscan.html Read the Requirements and limitations before you click Accept. Allow the ActiveX download if necessary Once the database has downloaded, click Next. Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK. Click on "My Computer" and then put the kettle on! When the scan has completed, click Save Report As... Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (.txt) Click Save* - by default the file will be saved to your Desktop, but you can change this if you wish. Installed Programs Please could you give me a list of the programs that are installed. Start HijackThis Click on the Misc Tools button Click on the Open Uninstall Manager button. You will see a list with the programs installed in your computer. Click on save list button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into your next post. Logs/Information to Post in Reply Please post the following logs/Information in your reply Virus Total Report ComboFix Log Kaspersky Log Installed Programs List How are things running now ? __________________

05-22-2008, 04:04 PM	#5 (permalink)
Flowz Registered User Join Date: Jan 2008 Posts: 18 OS: XP	Re: Constant popups in Firefox Malware issues - Please HELP ComboFix 08-05-19.4 - ZuluFloW 2008-05-21 19:28:34.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.420 [GMT 10:00] Running from: C:\Documents and Settings\ZuluFloW\Desktop\Anti V Stuff\ComboFix.exe Command switches used :: C:\Documents and Settings\ZuluFloW\Desktop\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: C:\WINDOWS\ pt.html C:\WINDOWS\ upd.dll C:\WINDOWS\pt.html C:\WINDOWS\upd.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_CFM -------\Service_cfm ((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 ))))))))))))))))))))))))))))))) . 2008-05-21 14:55 . 2008-05-21 14:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-05-21 14:55 . 2008-05-21 14:55 1,409 --a------ C:\WINDOWS\QTFont.for 2008-05-16 12:53 . 2008-05-16 12:53 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2 2008-05-16 06:50 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll 2008-05-16 06:50 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll 2008-05-16 06:50 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui 2008-05-15 17:30 . 2008-05-15 17:30 <DIR> d-------- C:\Program Files\Windows Live Toolbar 2008-05-15 17:30 . 2008-05-15 17:30 <DIR> d-------- C:\Program Files\Windows Live Favorites 2008-05-15 17:14 . 2008-05-15 23:41 <DIR> d-------- C:\Documents and Settings\ZuluFloW\Contacts 2008-05-15 16:30 . 2008-05-15 17:13 <DIR> d-------- C:\Program Files\Windows Live 2008-05-15 16:30 . 2008-05-15 17:13 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller 2008-05-15 16:30 . 2008-05-15 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller 2008-05-11 23:18 . 2008-05-11 23:18 <DIR> d-------- C:\WINDOWS\system32\scripting 2008-05-11 23:18 . 2008-05-11 23:18 <DIR> d-------- C:\WINDOWS\system32\en 2008-05-11 23:18 . 2008-05-11 23:18 <DIR> d-------- C:\WINDOWS\system32\bits 2008-05-11 23:18 . 2008-05-11 23:18 <DIR> d-------- C:\WINDOWS\l2schemas 2008-05-11 23:15 . 2008-05-11 23:15 <DIR> d-------- C:\WINDOWS\ServicePackFiles 2008-05-11 17:19 . 2004-07-17 22:55 129,045 --------- C:\WINDOWS\system32\drivers\cxthsfs2.cty 2008-05-11 15:13 . 2008-05-11 15:32 2,905 --a------ C:\WINDOWS\ÿpt.html 2008-05-11 01:29 . 2008-05-11 01:29 <DIR> d-------- C:\Program Files\Panda Security 2008-05-11 00:48 . 2008-05-11 01:06 <DIR> d-------- C:\SDFix 2008-05-10 16:20 . 2008-05-10 16:20 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Talkback 2008-05-09 19:36 . 2008-05-09 19:33 691,545 --a------ C:\WINDOWS\unins000.exe 2008-05-09 19:36 . 2008-05-09 19:36 2,542 --a------ C:\WINDOWS\unins000.dat 2008-05-09 19:08 . 2008-05-09 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP 2008-05-09 19:08 . 2008-05-10 17:23 5,776 --a------ C:\WINDOWS\ÿupd.dll 2008-05-09 19:07 . 2008-05-09 19:39 <DIR> d-------- C:\Program Files\Easy Adder 2008-05-05 23:08 . 2008-05-05 23:08 <DIR> d-------- C:\Program Files\Teknowebwork LLC . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-05-21 04:05 2,012 ----a-w C:\Documents and Settings\ZuluFloW\Application Data\wklnhst.dat 2008-05-20 18:41 --------- d-----w C:\Program Files\Trillian 2008-05-20 14:21 --------- d-----w C:\Documents and Settings\ZuluFloW\Application Data\Skype 2008-05-20 14:08 --------- d-----w C:\Documents and Settings\ZuluFloW\Application Data\skypePM 2008-05-15 13:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-05-13 23:11 --------- d-----w C:\Program Files\Winamp 2008-05-10 07:23 5,776 ----a-w C:\WINDOWS\ upd.dll 2008-05-09 09:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-05-09 09:41 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-05-08 04:09 --------- d-----w C:\Documents and Settings\ZuluFloW\Application Data\AdobeUM 2008-05-05 13:08 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys 2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys 2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys 2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys 2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe 2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll 2008-04-14 00:12 34,816 ----a-w C:\WINDOWS\Help\sniffpol.dll 2008-04-14 00:12 33,280 ----a-w C:\WINDOWS\Help\sstub.dll 2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe 2008-04-14 00:12 3,901 ------w C:\WINDOWS\system32\drivers\siint5.dll 2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe 2008-04-14 00:12 279,040 ----a-w C:\WINDOWS\Help\tshoot.dll 2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe 2008-04-14 00:12 11,325 ------w C:\WINDOWS\system32\drivers\vchnt5.dll 2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe 2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe 2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys 2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys 2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys 2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys 2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys 2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys 2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys 2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys 2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys 2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys 2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys 2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys 2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys 2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys 2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys 2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys 2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys 2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys 2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys 2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys 2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys 2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys 2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys 2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys 2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys 2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys 2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys 2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys 2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys 2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys 2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys 2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys 2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys 2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys 2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys 2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys 2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys 2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys 2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys 2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys 2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys 2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys 2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys 2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys 2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys 2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys 2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys 2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys 2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys 2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys 2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys 2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys 2008-04-13 18:46 61,696 ----a-w C:\WINDOWS\system32\drivers\ohci1394.sys 2008-04-13 18:46 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys 2008-04-13 18:46 53,376 ----a-w C:\WINDOWS\system32\drivers\1394bus.sys 2008-04-13 18:46 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys 2008-04-13 18:46 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys 2008-04-13 18:46 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys 2008-04-13 18:46 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys 2008-04-13 18:46 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys 2008-04-13 18:46 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys 2008-04-13 18:46 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys 2008-04-13 18:46 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys 2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys 2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys 2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys 2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys 2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys 2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys 2008-04-13 18:41 8,576 ----a-w C:\WINDOWS\system32\drivers\i2omgmt.sys 2008-04-13 18:41 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys 2008-04-13 18:41 18,560 ----a-w C:\WINDOWS\system32\drivers\i2omp.sys . ((((((((((((((((((((((((((((( snapshot@2008-05-21_ 5.34.18.60 ))))))))))))))))))))))))))))))))))))))))) . - 2008-05-20 18:42:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-05-21 09:34:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2005-10-20 10:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE - 2008-05-20 18:47:25 66,888 ----a-w C:\WINDOWS\system32\perfc009.dat + 2008-05-21 09:39:33 66,370 ----a-w C:\WINDOWS\system32\perfc009.dat - 2008-05-20 18:47:25 417,616 ----a-w C:\WINDOWS\system32\perfh009.dat + 2008-05-21 09:39:33 416,740 ----a-w C:\WINDOWS\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 12:49 454656] "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 21:29 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 15:46 761948] "QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-04-11 23:54 102400] "ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 16:33 53096] "QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 13:38 131072] "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 18:18 40960] "RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23 1187840] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00 208952] "IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 23:00 44032] "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00 59392] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 13:54 229952] "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-02 04:49 36352] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696] HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-09-25 03:39:30 73728] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "mixer"= DrvTrNTm.dll "wave"= DrvTrNTm.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\Program Files\\uTorrent\\uTorrent.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 19:27] R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-07 00:49] S3 pae_1394;pae_1394;C:\WINDOWS\system32\Drivers\pae_1394.sys [2005-06-10 09:35] S3 pae_avs;pae_avs;C:\WINDOWS\system32\Drivers\pae_avs.sys [2005-06-10 09:35] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3044e482-d7c9-11db-beae-0016d3174e5c}] \Shell\AutoRun\command - PortableApps\PortableAppsMenu\PortableAppsMenu.exe Newly Created Service - COMHOST . Contents of the 'Scheduled Tasks' folder "2008-05-21 09:38:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE "2008-05-10 04:45:55 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - ZuluFloW.job" - c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK: . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-21 19:35:13 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????R????????@???????@ scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\msdtc.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\mqsvc.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\WINDOWS\system32\mqtgsvc.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Hp\Digital Imaging\bin\hpqimzone.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE C:\Program Files\Messenger\msmsgs.exe . ************************************************************************ . Completion time: 2008-05-21 19:45:59 - machine was rebooted ComboFix-quarantined-files.txt 2008-05-21 09:45:54 ComboFix2.txt 2008-05-20 19:35:19 ComboFix3.txt 2008-01-31 06:23:33 Pre-Run: 8,461,115,392 bytes free Post-Run: 8,346,750,976 bytes free 269 --- E O F --- 2008-05-17 17:01:51 The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file Uninstall list.. A Series of Unfortunate Events Ableton Live v6.0.3 Adobe Flash Player ActiveX Adobe Flash Player Plugin Adobe Reader 7.0.9 Alien Shooter Ares 2.0.9 ASAPI Update Audacity 1.2.6 AutoFriend Ballistik Bejeweled 2 Deluxe BeTrapped! BitTorrent 5.0.7 Bookworm Deluxe Bpm Calculator 2005 BPM Counter 2004 Bricks of Egypt CC_ccProxyExt ccCommon ccPxyCore Chainz Chuzzle Conexant HD Audio Cubis Gold 2 Customer Experience Enhancement DivX Author 1.5 DivX Codec DivX Content Uploader DivX Converter DivX Player DivX Web Player Easy Adder 2.0.7 eMusic - 50 Free MP3 offer Feeding Frenzy HDAUDIO Soft Data Fax Modem with SmartCP Highlight Viewer (Windows Live Toolbar) HijackThis 2.0.2 Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) HP DVD Play 2.1 HP Help and Support HP Imaging Device Functions 6.0 HP Photosmart Premier Software 6.0 HP Quick Launch Buttons 6.00 G2 HP Update HP User Guides 0027 HP Wireless Assistant 2.00 E1 Insaniquarium Deluxe Inspector-Parker IrfanView (remove only) iTunes J2SE Runtime Environment 5.0 Update 6 Java(TM) 6 Update 3 Jewel Quest Jigsaw 365 Kaspersky Online Scanner Links® Course Challenge – Chateau Whistler LiveUpdate 3.0 (Symantec Corporation) LiveUpdate Notice (Symantec Corporation) Luxor Macromedia Flash Player 8 Macromedia Shockwave Player Magic Ball 2 Magic Inlay Mah Jong Medley Map Button (Windows Live Toolbar) Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft .NET Framework 2.0 Service Pack 1 Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Money Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Works mIRC Mobysaurus Thesaurus Mozilla Firefox (2.0.0.14) MSRedist MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) Nero 6 Ultra Edition Nero BurnRights NetWaiting Nokia Connectivity Cable Driver Norton AntiSpam Norton AntiVirus 2006 Norton Internet Security Norton Internet Security Norton Internet Security Norton Internet Security Norton Internet Security Norton Internet Security Norton Internet Security Norton Internet Security Norton Internet Security 2006 (Symantec Corporation) Norton Protection Center Norton WMI Update Norton WMI Update NVIDIA Drivers Panda ActiveScan Panda ActiveScan 2.0 Papel 6.10.10 Picture Organiser PreSonus Inspire 1394 Audio Driver V2.14.0 QuickTime Ricochet Lost Worlds Security Update for CAPICOM (KB931906) Security Update for CAPICOM (KB931906) Security Update for Step By Step Interactive Training (KB923723) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows XP (KB941569) Shape Solitaire Skype™ 3.6 Smart Menus (Windows Live Toolbar) SmartAudio Sonic Audio Module Sonic Copy Module Sonic Data Module Sonic Express Labeler Sonic MyDVD Plus Sonic Update Manager SPBBC Spin & Win Spybot - Search & Destroy Spybot - Search & Destroy 1.5.2.20 Steinberg Nuendo v3.0.2.623 Symantec KB-DocID:2003093015493306 Synaptics Pointing Device Driver Total Recorder 3.3 Tradewinds 2 Trillian Tumblebugs URS Everything EQ Bundle v4.0 Waves Diamond Bundle v5.0 Waves IR1 v5.0 Waves L3 Multimaximizer v1.0 Waves SSL 4000 Collection 1.1 Winamp Windows Driver Package - 2Wire (2WIREPCP) Net (09/18/2002 1.4.0.5) Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (04/28/2006 1.3.1.0) Windows Live Favorites for Windows Live Toolbar Windows Live installer Windows Live Messenger Windows Live Sign-in Assistant Windows Live Toolbar Windows Live Toolbar Windows Live Toolbar Extension (Windows Live Toolbar) Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media Player 11 Windows Media Player 11 Windows XP Service Pack 3 WinRAR archiver Yahoo! Browser Services Yahoo! Install Manager Yahoo! Internet Mail Yahoo! Messenger Yahoo! Toolbar Zuma Deluxe

05-23-2008, 05:51 AM	#6 (permalink)
Katana Analyst, Security Team