HijackThis Log Help

#1  06-28-2008, 05:43 PM
tntstanifer (Registered User, Join Date: Jun 2008, Posts: 5, OS: xp)

Computer infected

I have followed the first four steps.

Everything was good until I got to updating Windows; it would get to a download page and just stall there.

I downloaded DSS and tried running it. While it says "back up registry hives" I get a popup saying "dss.exe has encountered a problem and needs to close". I then send an error report. I tried again, but no good.

I am getting pop-ups:

"Warning - PCcleanPro" mostly.
Also, my desktop wallpaper was changed to another thing trying to get me to download and clean my PC.

Active scan should be attached.

Thanks,
Terri
Attached Files
File Type: txt ActiveScan.txt (8.4 KB, 0 views)
#2  07-01-2008, 02:42 PM
Glaswegian (Moderator / Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic; Join Date: Sep 2005; Location: Glasgow; Posts: 21,651; OS: Win XP Pro SP3)

Re: Computer infected

Hi and welcome to TSF.

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.

We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix

**Note: It is important that ComboFix is saved directly to your desktop**

Please ensure you read this guide carefully and install the Recovery Console. This will help us restore your system in the event of a serious crash. It's very simple to complete and will only take a few moments. A quick guide is detailed below.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
See here for a guide to disabling AV, Firewall and Anti-malware programmes.

Once you've downloaded the appropriate RC setup package for your system to the desktop, follow these instructions:
  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.

Please post the log C:\ComboFix.txt along with a fresh HijackThis log for further review.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
#3  07-01-2008, 05:57 PM
tntstanifer (Registered User, Join Date: Jun 2008, Posts: 5, OS: xp)

Re: Computer infected

Hi Iain,
Thanks in advance for your help!!!

Here's ComboFix:

ComboFix 08-06-30.2 - Owner 2008-07-01 18:21:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\349168
C:\WINDOWS\system32\349168\349168.dll
C:\WINDOWS\system32\BLTAaJlm.ini
C:\WINDOWS\system32\BLTAaJlm.ini2
C:\WINDOWS\system32\gfjigdyi.ini
C:\WINDOWS\system32\Hphc3204.dll
C:\WINDOWS\system32\hrhlfxvv.dll
C:\WINDOWS\system32\icbkyviy.dll
C:\WINDOWS\system32\kjrygtut.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-06-29 22:47 . 2008-06-29 22:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Template
2008-06-29 22:44 . 2008-06-30 16:29 706 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-06-29 08:28 . 2008-06-29 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-06-29 08:28 . 2002-02-14 01:53 6,345 -ra------ C:\WINDOWS\system32\DevMngr.vxd
2008-06-29 08:22 . 2008-06-29 08:23 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-06-28 18:31 . 2008-06-28 18:31 <DIR> d-------- C:\Deckard
2008-06-28 17:09 . 2008-06-28 17:21 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-28 11:01 . 2008-06-28 11:01 <DIR> d-------- C:\ie-spyad_zo
2008-06-28 10:48 . 2008-06-29 07:05 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-28 10:48 . 2008-06-30 10:13 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-28 10:13 . 2008-06-28 10:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\jaluncjy
2008-06-28 10:13 . 2008-06-28 10:13 94,208 --a------ C:\WINDOWS\system32\tcnqfuhq.exe
2008-06-28 00:40 . 2008-06-28 00:41 <DIR> d-------- C:\Program Files\Panda Security
2008-06-28 00:05 . 2008-06-28 00:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\stapixof
2008-06-28 00:05 . 2008-06-28 00:05 81,920 --a------ C:\WINDOWS\system32\qxkvunkz.exe
2008-06-27 23:39 . 2008-06-27 23:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\kraduvsf
2008-06-27 23:10 . 2008-06-27 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vyjwxcjk
2008-06-27 23:10 . 2008-06-27 23:10 81,920 --a------ C:\WINDOWS\system32\tmdczqhg.exe
2008-06-27 17:24 . 2008-06-27 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-27 17:23 . 2008-06-28 00:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-27 17:23 . 2008-06-28 00:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-06-27 16:36 . 2008-06-26 22:41 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-27 16:23 . 2008-06-27 16:23 114,688 --a------ C:\WINDOWS\system32\kvzajazy.dll
2008-06-27 16:23 . 2008-06-27 16:23 114,688 --a------ C:\Documents and Settings\All Users\Application Data\qzqzilwb.dll
2008-06-27 16:23 . 2008-06-27 16:23 94,208 --a------ C:\WINDOWS\system32\dzslhgbm.exe
2008-06-27 00:43 . 2008-07-01 17:42 110,423 --a------ C:\WINDOWS\BM89636401.xml
2008-06-26 22:40 . 2008-06-27 16:36 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-06-26 12:01 . 2008-06-26 12:01 <DIR> d-------- C:\Program Files\Astonsoft
2008-06-26 12:01 . 2008-06-26 14:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DeepBurner
2008-06-26 11:47 . 2008-06-26 11:47 <DIR> d-------- C:\Program Files\Ahead
2008-06-26 11:43 . 2008-06-27 23:56 <DIR> d-------- C:\WINDOWS\system32\371186
2008-06-26 11:42 . 2008-06-26 11:42 32,768 --a------ C:\WINDOWS\system32\winuns32.dll
2008-06-26 10:03 . 2008-06-26 10:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InfraRecorder
2008-06-26 00:53 . 2008-02-28 13:26 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-06-26 00:53 . 2008-02-28 13:01 774,144 --a------ C:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-06-25 23:35 . 2008-06-25 23:35 <DIR> d-------- C:\Program Files\NeroInstall.bak
2008-06-25 23:30 . 2008-06-25 23:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Nero
2008-06-25 23:27 . 2008-06-25 23:27 <DIR> d-------- C:\Program Files\Nero
2008-06-25 23:27 . 2008-06-26 00:54 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-06-25 23:27 . 2008-06-26 00:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-06-25 17:39 . 2008-06-25 18:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\CyberLink
2008-06-25 17:39 . 2008-06-25 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-06-25 16:41 . 2008-06-26 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-06-17 22:16 . 2008-06-17 22:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2008-06-17 22:15 . 2008-06-26 00:47 <DIR> d-------- C:\Program Files\MySpace
2008-06-17 08:59 . 2008-06-17 08:59 99,648 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2008-06-16 18:44 . 2008-07-01 16:12 561 --a------ C:\hpfr5550.xml
2008-06-16 18:38 . 2008-06-16 18:38 34 --a------ C:\WINDOWS\hpfsched.ini
2008-06-16 18:36 . 2008-06-16 18:36 <DIR> d-------- C:\Program Files\HP Photosmart 11
2008-06-16 18:36 . 2006-01-06 14:07 348,160 --a------ C:\WINDOWS\system32\hphmon04.exe
2008-06-16 18:36 . 2006-01-06 14:07 249,856 --a------ C:\WINDOWS\system32\hphsav04.exe
2008-06-16 18:36 . 2006-01-06 14:07 77,824 --a------ C:\WINDOWS\system32\hphipm11.exe
2008-06-16 18:36 . 2006-01-06 14:07 50,896 --a------ C:\WINDOWS\system32\drivers\hphid411.sys
2008-06-16 18:36 . 2006-01-06 14:07 50,276 --a------ C:\WINDOWS\system32\drivers\hphs2k11.sys
2008-06-16 18:36 . 2006-01-06 14:07 36,864 --a------ C:\WINDOWS\hpfsched.exe
2008-06-16 18:36 . 2006-01-06 14:07 18,928 --a------ C:\WINDOWS\system32\drivers\hphius11.sys
2008-06-16 18:36 . 2006-01-06 14:07 16,112 --a------ C:\WINDOWS\system32\drivers\hphipr11.sys
2008-06-16 18:34 . 2008-06-16 18:36 <DIR> d-------- C:\TEMP\photosmart
2008-06-16 18:34 . 2006-01-06 14:07 270,336 --a------ C:\WINDOWS\system32\hpzcon07.dll
2008-06-16 18:34 . 2006-01-06 14:07 208,896 --a------ C:\WINDOWS\system32\hpzcoi07.dll
2008-06-16 18:34 . 2006-01-06 14:07 185,344 --a------ C:\WINDOWS\system32\hpfinst.dll
2008-06-16 18:34 . 2006-01-06 14:07 98,304 --a------ C:\WINDOWS\system32\hphidr11.dll
2008-06-16 18:34 . 2006-01-06 14:07 81,920 --a------ C:\WINDOWS\system32\hphipr11.dll
2008-06-16 18:34 . 2006-01-06 14:07 69,632 --------- C:\WINDOWS\system32\hpodinet.dll
2008-06-16 18:34 . 2006-01-06 14:07 4,760 --------- C:\WINDOWS\hphmdl11.dat
2008-06-11 10:21 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-06-11 10:21 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-06-11 10:21 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-06-11 08:25 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 08:25 . 2008-06-13 08:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 22:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\Spare Backup
2008-06-26 05:45 --------- d-----w C:\Program Files\Elaborate Bytes
2008-06-18 15:24 --------- d-----w C:\Program Files\The Weather Channel FW
2008-06-13 08:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-03 13:46 --------- d-----w C:\Program Files\McAfee
2008-05-31 11:41 --------- d-----w C:\Program Files\iTunes
2008-05-31 11:41 --------- d-----w C:\Program Files\iPod
2008-05-31 11:41 --------- d-----w C:\Program Files\Bonjour
2008-05-31 11:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-05-31 11:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-31 11:40 --------- d-----w C:\Program Files\QuickTime
2008-05-31 11:39 --------- d-----w C:\Program Files\Common Files\Apple
2008-05-31 11:39 --------- d-----w C:\Program Files\Apple Software Update
2008-05-31 11:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-30 17:35 --------- d-----w C:\Program Files\Common Files\xing shared
2008-05-30 17:34 --------- d-----w C:\Program Files\Real
2008-05-30 17:34 --------- d-----w C:\Program Files\Common Files\Real
2008-05-30 16:21 --------- d-----w C:\Program Files\AOL 9.0a
2008-05-30 15:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-30 15:03 --------- d-----w C:\Program Files\McAfee.com
2008-05-30 15:03 --------- d-----w C:\Program Files\Common Files\McAfee
2008-05-29 14:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-29 14:54 --------- d-----w C:\Program Files\Common Files\aol
2008-05-29 14:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2008-05-29 14:53 --------- d-----w C:\Program Files\Viewpoint
2008-05-29 14:53 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-05-29 14:53 --------- d-----w C:\Program Files\Common Files\aolshare
2008-05-29 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-29 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-05-29 03:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2008-05-29 03:10 --------- d-----w C:\Program Files\SlySoft
2008-05-28 12:01 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-26 12:40 --------- d-----w C:\Program Files\MSXML 4.0
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2007-08-10 02:27 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51217602-5ED2-832D-1F8F-07E46F11E1BC}]
2008-06-27 16:23 114688 --a------ C:\WINDOWS\system32\kvzajazy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2008-06-17 10:01 89024]
"DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 16:18 785520]
"bolesqsp"="C:\WINDOWS\system32\tmdczqhg.exe" [2008-06-27 23:10 81920]
"aeuyjrcj"="C:\WINDOWS\system32\qxkvunkz.exe" [2008-06-28 00:05 81920]
"pplmhdgk"="C:\WINDOWS\system32\tcnqfuhq.exe" [2008-06-28 10:13 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-10-05 23:11 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-10-05 23:13 114688]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-10-05 23:10 94208]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 17:10 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-11-29 14:22 58928]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-09 21:03 240640]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [2006-11-16 18:04 2348584]
"Spare Backup"="C:\Program Files\Spare Backup\SpareBackup.exe" [2007-07-13 18:19 5252936]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"HostManager"="C:\Program Files\Common Files\AOL\1212072788\ee\AOLSoftware.exe" [2006-09-25 19:52 50736]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-30 12:34 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 14:07 188416]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2006-01-06 14:07 348160]
"dzslhgbm"="C:\WINDOWS\system32\dzslhgbm.exe" [2008-06-27 16:23 94208]
"MotiveReportAgent"="C:\Program Files\Common Files\Motive\McciBootStrapper.exe" [2005-06-02 13:54 202240]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 19:33 16132608 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 22:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2007-08-09 21:08:06 2348584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"EYPSxy0S8n"= C:\Documents and Settings\All Users\Application Data\jaluncjy\hsfszulq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuns32]
2008-06-26 11:42 32768 C:\WINDOWS\system32\winuns32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\aol\\1212072788\\ee\\aolsoftware.exe"=
"C:\\Program Files\\AOL 9.0a\\waol.exe"=
"C:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys [2001-08-17 22:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abcdc963-46e0-11dc-9731-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df53717d-4af7-11dc-831d-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-07-01 20:13:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-01 23:25:42 C:\WINDOWS\Tasks\HP Usg Login.job"
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe
"2008-06-05 03:30:02 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-06-10 04:45:02 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-06-15 06:04:58 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-06-01 06:00:13 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{27D351C5-4044-4C42-B3FE-33C57B9459C0} - C:\WINDOWS\system32\371186\371186.dll
HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
HKCU-Run-Power2GoExpress - NA
HKLM-Run-HPHUPD04 - C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe
HKLM-Run-NBKeyScan - C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-BM89636401 - C:\WINDOWS\system32\hrhlfxvv.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 18:26:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\winuns32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\aol\acs\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\WINDOWS\system32\hphipm11.exe
C:\Program Files\Common Files\Motive\MotiveBrowser.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-07-01 18:28:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-01 23:28:43

Pre-Run: 60,448,829,440 bytes free
Post-Run: 61,442,191,360 bytes free

267 --- E O F --- 2008-06-21 15:00:04

And HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:50 PM, on 7/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\Common Files\AOL\1212072788\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\WINDOWS\system32\dzslhgbm.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\HPHipm11.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myhughesnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...ys=DTP&M=W3622
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {51217602-5ED2-832D-1F8F-07E46F11E1BC} - C:\WINDOWS\system32\kvzajazy.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1212072788\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [dzslhgbm] C:\WINDOWS\system32\dzslhgbm.exe
O4 - HKLM\..\Run: [MotiveReportAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\MotiveBrowser.exe" /hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [bolesqsp] C:\WINDOWS\system32\tmdczqhg.exe
O4 - HKCU\..\Run: [aeuyjrcj] C:\WINDOWS\system32\qxkvunkz.exe
O4 - HKCU\..\Run: [pplmhdgk] C:\WINDOWS\system32\tcnqfuhq.exe
O4 - HKLM\..\Policies\Explorer\Run: [EYPSxy0S8n] C:\Documents and Settings\All Users\Application Data\jaluncjy\hsfszulq.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: winuns32 - C:\WINDOWS\SYSTEM32\winuns32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8636 bytes
tntstanifer is offline  
Old 07-02-2008, 02:47 PM   #4 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
Join Date: Sep 2005
Location: Glasgow
Posts: 21,651
OS: Win XP Pro SP3

Re: Computer infected

Hi again

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.


FixIEDef
Download FixIEDef by ShadowPuterDude to your Desktop.
  • Double-click FixIEDef
  • Click OK
  • Click Scan
  • Click OK
(FixIEDef requires Administrator privileges to run correctly. This box tells you that FixIEDef successfully elevated its privileges to those of Administrator.)

WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.

Everything will be restored to normal, once the malicious file is removed.

Click 'Exit' once FixIEDef displays the All Finished message.

Post the FixIEDef log file, located on the Desktop.





Combofix
  • Close any open browsers.
  • Open notepad and copy/paste the text in the box below into it:

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/264103-computer-infected.html

Collect::[4]
C:\WINDOWS\system32\tcnqfuhq.exe
C:\WINDOWS\system32\qxkvunkz.exe
C:\WINDOWS\system32\tmdczqhg.exe
C:\WINDOWS\system32\dzslhgbm.exe
C:\WINDOWS\system32\kvzajazy.dll
C:\Documents and Settings\All Users\Application Data\qzqzilwb.dll

Folder::
C:\Documents and Settings\All Users\Application Data\jaluncjy
C:\Documents and Settings\All Users\Application Data\stapixof
C:\Documents and Settings\All Users\Application Data\kraduvsf
C:\Documents and Settings\All Users\Application Data\vyjwxcjk
C:\WINDOWS\system32\371186
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51217602-5ED2-832D-1F8F-07E46F11E1BC}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bolesqsp"=- 
"pplmhdgk"=- 
"aeuyjrcj"=- 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dzslhgbm"=- 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"EYPSxy0S8n"=- 

File::
C:\WINDOWS\BM89636401.xml
Looking at the image below as an example

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouse-click ComboFix's window whilst it's running. This may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.


CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Please post the log C:\ComboFix.txt along with a fresh HijackThis Log for further review.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::5 Steps For Infected PCs
Glaswegian is offline  
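The script in the post above targets four persistence points: Run values with machine-generated eight-letter names, an autorun under policies\explorer\run, a BHO identified only by its CLSID, and the winuns32 Winlogon Notify package, which still shows in the HijackThis log posted after FixIEDef deleted the DLL. The Python below is an added example, not part of this thread and not code from HijackThis, ComboFix or FixIEDef; it applies those same checks to HijackThis log lines. The Winlogon Notify baseline and the eight-lowercase-letter name pattern are assumptions tuned to this infection, and the sample log mixes lines copied from the logs in this thread with constructed lines (the second O2 line, the dzslhgbm and bolesqsp Run values and the Policies\Explorer\Run value) that mirror entries named in the CFScript.

```python
"""Triage a HijackThis v2 log for the persistence points used by this infection.

Added example for this thread, not part of HijackThis, ComboFix or FixIEDef.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Winlogon Notify packages on a default Windows XP SP2 install.  This baseline
# is an assumption made for the example; build your own from a clean image.
XP_NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Every malicious Run value and dropped file in the CFScript is eight lowercase
# letters; this heuristic is tuned to that family and must be reviewed for others.
GENERATED = re.compile(r"[a-z]{8}")

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
RE_O3 = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RE_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RE_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Sample log.  Most lines are copied from the HijackThis logs in this thread; the
# second O2 line, the dzslhgbm and bolesqsp Run lines and the Policies\Explorer\Run
# line are constructed to mirror entries that the CFScript removes.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {51217602-5ED2-832D-1F8F-07E46F11E1BC} - C:\WINDOWS\system32\371186\371186.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [dzslhgbm] C:\WINDOWS\system32\dzslhgbm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bolesqsp] C:\Documents and Settings\All Users\Application Data\jaluncjy\hsfszulq.exe
O4 - HKLM\..\Policies\Explorer\Run: [EYPSxy0S8n] C:\WINDOWS\system32\tcnqfuhq.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: winuns32 - C:\WINDOWS\SYSTEM32\winuns32.dll
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""


@dataclass
class Finding:
    severity: str   # high, low or info
    item: str       # value name, Notify package, CLSID, DLL or service name
    reason: str


def looks_generated(name: str) -> bool:
    """True for names like dzslhgbm: eight lowercase letters, no dot or capital."""
    return GENERATED.fullmatch(name) is not None


def odd_location(path: str) -> bool:
    """Image sits under a per-machine data folder (where no installer puts an
    autorun) or inside a digits-only directory such as system32\\371186."""
    parts = path.split("\\")[:-1]
    return "Application Data" in parts or any(p.isdigit() for p in parts)


def triage_line(line: str) -> Optional[Finding]:
    if m := RE_NOTIFY.match(line):
        if m["name"].lower() not in XP_NOTIFY_BASELINE:
            return Finding("high", m["name"],
                           "Winlogon Notify package outside the baseline: loaded into winlogon.exe at every logon")
        return None
    if m := RE_O4.match(line):
        if "policies\\explorer\\run" in m["key"].lower():
            return Finding("high", m["name"],
                           "autorun under Policies\\Explorer\\Run, a key ordinary installers do not write")
        if looks_generated(m["name"]) or odd_location(m["cmd"]):
            return Finding("high", m["name"], "Run value with machine-generated name or odd image path")
        return None
    if m := (RE_O2.match(line) or RE_O3.match(line)):
        if m["path"] == "(no file)":
            return Finding("low", m["clsid"], "orphaned registration: the registered file is gone")
        if odd_location(m["path"]):
            return Finding("high", m["clsid"], "browser extension loaded from an unusual location")
        return None
    if m := RE_APPINIT.match(line):
        return Finding("info", m["path"], "AppInit_DLLs set: loaded into every process that loads user32.dll")
    if m := RE_O23.match(line):
        if m["owner"] == "Unknown owner":
            return Finding("info", m["name"], "service binary carries no vendor information")
        return None
    return None


def triage(log_text: str) -> List[Finding]:
    """Return the findings for a whole log, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:5} {f.item:40} {f.reason}")
```

Run it as a script to see the findings for the sample log, or pass a real log's text to triage(). A "high" hit on a Winlogon Notify package deserves the most attention: those DLLs are loaded by winlogon.exe, which runs as SYSTEM, so a cleanup has to remove the Notify subkey as well as the file, otherwise the entry lingers exactly as winuns32 does in the log posted after FixIEDef ran.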
Old 07-02-2008, 10:46 PM   #5 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 5
OS: xp


Re: Computer infected

FixIEDef:

********************************************************************************
* *
* FixIEDef Log *
* Version 1.4.20.5893 *
* *
********************************************************************************

Created at 23:07:28 on Wednesday, July 02, 2008

Time Zone : (GMT-06:00) Central Time (US & Canada)

Logged On User : Owner

Operating System : Microsoft Windows XP Home Edition Service Pack 2
OS Version : 5.1.2600
System Langauge : English (United States)
Keyboard Layout : English (United States)
Processor : X86 Intel Celeron processor

System Drive : C:\
Windows Directory : C:\WINDOWS
System Directory : C:\WINDOWS\system32

Total Physical Memory : 527941632 bytes
Free Physical Memory : 109472 bytes
Total Virtual Memory : 2097024 bytes
Free Virtual Memory : 2054012 bytes

Boot State : Normal boot

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

C:\WINDOWS\system32\winuns32.dll

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\E404.e404mgr
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\E404.e404mgr.1

================================================================================

All Done :)

ShadowPuterDude

Safe Surfing!!!

ComboFix:

I followed the procedure up to dragging CFScript onto ComboFix.exe. A browser opened and I submitted the requested file. I cannot find the file now to send you copy. I have no icons or anything on my desktop. Did I goof somewhere? :(

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:07 PM, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\Common Files\AOL\1212072788\ee\AOLSoftware.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myhughesnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...ys=DTP&M=W3622
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1212072788\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [MotiveReportAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\MotiveBrowser.exe" /hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: winuns32 - C:\WINDOWS\SYSTEM32\winuns32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8025 bytes


I will be leaving for vacation Friday morning (July 4) and will not return until the 11th. Just in case I do not reply back for a while.
Thanks,
T
tntstanifer is offline  
Old 07-03-2008, 01:19 PM   #6 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
Join Date: Sep 2005
Location: Glasgow
Posts: 21,651
OS: Win XP Pro SP3

Re: Computer infected

Hi

You don't need to send me the file - it's gone elsewhere.

I do need the log from combofix though - it should be located at C:\combofix.txt
Glaswegian is offline  
Old 07-03-2008, 01:59 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 5
OS: xp


Re: Computer infected

Combofix :)

ComboFix 08-06-30.2 - Owner 2008-07-02 23:10:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.195 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\BM89636401.xml
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\jaluncjy
C:\Documents and Settings\All Users\Application Data\jaluncjy\hsfszulq.exe
C:\Documents and Settings\All Users\Application Data\kraduvsf
C:\Documents and Settings\All Users\Application Data\kraduvsf\alidqluv.exe
C:\Documents and Settings\All Users\Application Data\qzqzilwb.dll
C:\Documents and Settings\All Users\Application Data\stapixof
C:\Documents and Settings\All Users\Application Data\stapixof\knyhylgx.exe
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MetaStreamConfig.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MTSDownloadSites.txt
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-2053831270.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-503483291.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-1225687444.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-1298792408.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-1413133098.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-464794776.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\1873882722.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\203417848.mtz
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\627090066.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-1110246170.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-123838012.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-1298916743.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\1678503882.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\1759202489.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\1966598345.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\2079239485.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\389458529.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\407034558.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\988776428.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-114971867.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1686393227.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-553540031.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\117035348.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\1418327668.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\1966598338.mtz
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\806206894.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\890185812.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\UpdateVersionList_v2.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9\FLFBootStrap.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9Plus\FLFBootStrap.mtx
C:\Documents and Settings\All Users\Application Data\vyjwxcjk
C:\Documents and Settings\All Users\Application Data\vyjwxcjk\twveryhw.exe
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentMgr.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\GifReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\LensFlares.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ObjectMovie.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ServiceComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VectorView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPAudio.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.xpt
C:\WINDOWS\BM89636401.xml
C:\WINDOWS\system32\371186
C:\WINDOWS\system32\371186\371186.dll
C:\WINDOWS\system32\dzslhgbm.exe
C:\WINDOWS\system32\kvzajazy.dll
C:\WINDOWS\system32\qxkvunkz.exe
C:\WINDOWS\system32\tcnqfuhq.exe
C:\WINDOWS\system32\tmdczqhg.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-03 to 2008-07-03 )))))))))))))))))))))))))))))))
.

2008-06-29 22:47 . 2008-06-29 22:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Template
2008-06-29 22:44 . 2008-06-30 16:29 706 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-06-29 08:28 . 2008-06-29 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-06-29 08:28 . 2002-02-14 01:53 6,345 -ra------ C:\WINDOWS\system32\DevMngr.vxd
2008-06-29 08:22 . 2008-06-29 08:23 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-06-28 18:31 . 2008-06-28 18:31 <DIR> d-------- C:\Deckard
2008-06-28 17:09 . 2008-06-28 17:21 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-28 11:01 . 2008-06-28 11:01 <DIR> d-------- C:\ie-spyad_zo
2008-06-28 10:48 . 2008-06-29 07:05 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-28 10:48 . 2008-06-30 10:13 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-28 00:40 . 2008-06-28 00:41 <DIR> d-------- C:\Program Files\Panda Security
2008-06-27 17:24 . 2008-06-27 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-27 17:23 . 2008-06-28 00:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-27 17:23 . 2008-06-28 00:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-06-27 16:36 . 2008-06-26 22:41 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-26 22:40 . 2008-06-27 16:36 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-06-26 12:01 . 2008-06-26 12:01 <DIR> d-------- C:\Program Files\Astonsoft
2008-06-26 12:01 . 2008-06-26 14:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DeepBurner
2008-06-26 11:47 . 2008-06-26 11:47 <DIR> d-------- C:\Program Files\Ahead
2008-06-26 11:42 . 2008-06-26 11:42 32,768 --a------ C:\WINDOWS\system32\winuns32.dll
2008-06-26 10:03 . 2008-06-26 10:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InfraRecorder
2008-06-26 00:53 . 2008-02-28 13:26 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-06-26 00:53 . 2008-02-28 13:01 774,144 --a------ C:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-06-25 23:35 . 2008-06-25 23:35 <DIR> d-------- C:\Program Files\NeroInstall.bak
2008-06-25 23:30 . 2008-06-25 23:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Nero
2008-06-25 23:27 . 2008-06-25 23:27 <DIR> d-------- C:\Program Files\Nero
2008-06-25 23:27 . 2008-06-26 00:54 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-06-25 23:27 . 2008-06-26 00:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-06-25 17:39 . 2008-06-25 18:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\CyberLink
2008-06-25 17:39 . 2008-06-25 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-06-25 16:41 . 2008-06-26 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-06-17 22:16 . 2008-06-17 22:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2008-06-17 22:15 . 2008-06-26 00:47 <DIR> d-------- C:\Program Files\MySpace
2008-06-17 08:59 . 2008-06-17 08:59 99,648 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2008-06-16 18:44 . 2008-07-02 22:58 565 --a------ C:\hpfr5550.xml
2008-06-16 18:38 . 2008-06-16 18:38 34 --a------ C:\WINDOWS\hpfsched.ini
2008-06-16 18:36 . 2008-06-16 18:36 <DIR> d-------- C:\Program Files\HP Photosmart 11
2008-06-16 18:36 . 2006-01-06 14:07 348,160 --a------ C:\WINDOWS\system32\hphmon04.exe
2008-06-16 18:36 . 2006-01-06 14:07 249,856 --a------ C:\WINDOWS\system32\hphsav04.exe
2008-06-16 18:36 . 2006-01-06 14:07 77,824 --a------ C:\WINDOWS\system32\hphipm11.exe
2008-06-16 18:36 . 2006-01-06 14:07 50,896 --a------ C:\WINDOWS\system32\drivers\hphid411.sys
2008-06-16 18:36 . 2006-01-06 14:07 50,276 --a------ C:\WINDOWS\system32\drivers\hphs2k11.sys
2008-06-16 18:36 . 2006-01-06 14:07 36,864 --a------ C:\WINDOWS\hpfsched.exe
2008-06-16 18:36 . 2006-01-06 14:07 18,928 --a------ C:\WINDOWS\system32\drivers\hphius11.sys
2008-06-16 18:36 . 2006-01-06 14:07 16,112 --a------ C:\WINDOWS\system32\drivers\hphipr11.sys
2008-06-16 18:34 . 2008-06-16 18:36 <DIR> d-------- C:\TEMP\photosmart
2008-06-16 18:34 . 2006-01-06 14:07 270,336 --a------ C:\WINDOWS\system32\hpzcon07.dll
2008-06-16 18:34 . 2006-01-06 14:07 208,896 --a------ C:\WINDOWS\system32\hpzcoi07.dll
2008-06-16 18:34 . 2006-01-06 14:07 185,344 --a------ C:\WINDOWS\system32\hpfinst.dll
2008-06-16 18:34 . 2006-01-06 14:07 98,304 --a------ C:\WINDOWS\system32\hphidr11.dll
2008-06-16 18:34 . 2006-01-06 14:07 81,920 --a------ C:\WINDOWS\system32\hphipr11.dll
2008-06-16 18:34 . 2006-01-06 14:07 69,632 --------- C:\WINDOWS\system32\hpodinet.dll
2008-06-16 18:34 . 2006-01-06 14:07 4,760 --------- C:\WINDOWS\hphmdl11.dat
2008-06-11 10:21 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-06-11 10:21 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-06-11 10:21 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-06-11 08:25 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 08:25 . 2008-06-13 08:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 12:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Spare Backup
2008-06-29 13:23 155,995 ----a-w C:\WINDOWS\java\Packages\8S80KZTR.ZIP
2008-06-26 05:45 --------- d-----w C:\Program Files\Elaborate Bytes
2008-06-18 15:24 --------- d-----w C:\Program Files\The Weather Channel FW
2008-06-13 08:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-03 13:46 --------- d-----w C:\Program Files\McAfee
2008-05-31 11:41 --------- d-----w C:\Program Files\iTunes
2008-05-31 11:41 --------- d-----w C:\Program Files\iPod
2008-05-31 11:41 --------- d-----w C:\Program Files\Bonjour
2008-05-31 11:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-05-31 11:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-31 11:40 --------- d-----w C:\Program Files\QuickTime
2008-05-31 11:39 --------- d-----w C:\Program Files\Common Files\Apple
2008-05-31 11:39 --------- d-----w C:\Program Files\Apple Software Update
2008-05-31 11:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-30 17:35 --------- d-----w C:\Program Files\Common Files\xing shared
2008-05-30 17:34 --------- d-----w C:\Program Files\Real
2008-05-30 17:34 --------- d-----w C:\Program Files\Common Files\Real
2008-05-30 16:21 --------- d-----w C:\Program Files\AOL 9.0a
2008-05-30 15:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-30 15:03 --------- d-----w C:\Program Files\McAfee.com
2008-05-30 15:03 --------- d-----w C:\Program Files\Common Files\McAfee
2008-05-29 14:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-29 14:54 --------- d-----w C:\Program Files\Common Files\aol
2008-05-29 14:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2008-05-29 14:53 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-05-29 14:53 --------- d-----w C:\Program Files\Common Files\aolshare
2008-05-29 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-05-29 03:13 --