Old 04-15-2007, 08:45 PM   #1 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 24
OS: Windows XP


Trojan/Bloodhound.Exploit and BO:HEAP Problems

hi, i'm new to this forum but i've used it many times when fixing spyware issues previously. however, i've recently encountered a few spyware/malware/virus problems and i can't seem to be able to fix the problem.

initially, i had a w32 issue which caused me to not be able to log onto the internet, and also caused my taskbar to freeze up. however, i uninstalled firefox and a few other applications and it seemed to have 'fixed' the issue.

about last week, using symantec antivirus, i was warned about a bloodhound.exploit.20 and one more bloodhound.exploit.109 (i think). then, my symantec was disabled.

now using mcafee, i keep getting a virus alert pop up saying bo:heap was detected.

i'm at a loss and not sure where to go or what else to try - and in need of some expert help.

posted below is my hijackthis log. thanks in advance for the help.

========================================
Logfile of HijackThis v1.99.1
Scan saved at 7:21:12 PM, on 4/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\raylee\Desktop\Temp\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {DA27770C-B55E-4F1A-A7C6-CFB2F5594C22} - c:\windows\system32\dahadah.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.smartsearchonline.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B635029-8269-11D8-9E2B-004005A9ABD2} (TX - ButtonBar Control) - http://search10.smartsearchonline.co...rsonnel/Tx.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/16.27/uploader2.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: uvadzgyh - C:\WINDOWS\SYSTEM32\dahadah.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - c:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe


========================================
Attached Files
File Type: txt hijackthis-apr15-1.log.txt (7.5 KB, 1 views)
Old 04-16-2007, 02:50 AM   #2 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 24
OS: Windows XP


Re: Trojan/Bloodhound.Exploit and BO:HEAP Problems

hi again,

an update: the last few times, i got the mcafee popup about a bo:heap alert and then ie crashed and i needed to 'end program' forcefully.

anyway, i decided to run combofix and got the log below.

waiting for help.. thx again.

==================================
"raylee" - 07-04-16 1:28:02 Service Pack 2
ComboFix 07-04-05.Rev3 - Running from: "C:\Documents and Settings\raylee\Desktop"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dahadah.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drivers\zkchigdi.sys


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\xfubdgjd
-------\LEGACY_XFUBDGJD


((((((((((((((((((((((((((((((( Files Created from 2007-03-16 to 2007-04-16 ))))))))))))))))))))))))))))))))))


2007-04-14 09:46 43,008 --a------ C:\WINDOWS\system32\tmsdsnjm.dll
2007-04-14 09:46 129,536 --a------ C:\WINDOWS\system32\gcyuimqb.dll
2007-04-14 09:46 100,864 --a------ C:\WINDOWS\system32\mdthrubt.dll
2007-04-13 23:34 <DIR> d-------- C:\!KillBox
2007-04-13 21:48 58,464 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys
2007-04-13 21:48 108,480 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-04-13 21:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Network Associates
2007-04-13 21:44 <DIR> d-------- C:\Program Files\Network Associates
2007-04-13 21:44 <DIR> d-------- C:\Program Files\Common Files\Network Associates
2007-04-13 21:01 <DIR> d--h----- C:\WINDOWS\PIF
2007-04-13 19:42 <DIR> d-------- C:\Temp\Sophos
2007-04-13 19:41 <DIR> d-------- C:\Temp
2007-04-11 10:51 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-10 21:55 <DIR> d-------- C:\Program Files\MSN Messenger
2007-04-02 19:35 <DIR> d-------- C:\DOCUME~1\raylee\APPLIC~1\DivX
2007-04-02 18:10 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-03-30 10:36 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-03-30 10:36 <DIR> d-------- C:\WINDOWS\system32\custom matrices
2007-03-30 10:36 <DIR> d-------- C:\WINDOWS\system32\C2MP
2007-03-22 18:10 <DIR> d-------- C:\DOCUME~1\raylee\APPLIC~1\Skype
2007-03-22 01:06 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-03-22 00:55 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-03-22 00:53 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-03-22 00:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-03-21 23:02 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-03-20 18:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-03-20 10:51 <DIR> d-------- C:\DOCUME~1\raylee\.housecall6.6
2007-03-20 04:38 2,756 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-20 03:57 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-03-20 03:35 <DIR> d-------- C:\WINDOWS\pss
2007-03-20 00:17 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-03-19 14:00 <DIR> d-------- C:\Program Files\Trend Micro
2007-03-19 11:40 786,432 --a------ C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-19 11:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\toshiba
2007-03-19 11:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-03-19 11:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sun
2007-03-19 11:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-03-19 11:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Adobe
2007-03-19 10:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-03-19 10:43 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-03-19 10:43 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-16 01:36 79360 --a------ C:\WINDOWS\system32\dahadah.dll
2007-04-13 23:49 -------- d-------- C:\Program Files\google
2007-04-13 19:40 -------- d-------- C:\Program Files\symantec
2007-04-13 19:40 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-03-22 17:55 -------- d-------- C:\Program Files\skype
2007-03-21 21:33 -------- d--h----- C:\Program Files\installshield installation information
2007-03-21 21:33 -------- d-------- C:\Program Files\toshiba
2007-03-20 04:15 -------- d-------- C:\Program Files\java
2007-03-20 03:41 -------- d-------- C:\Program Files\microsoft location finder
2007-03-20 03:32 -------- d-------- C:\Program Files\divx
2007-03-20 00:14 -------- d-------- C:\Program Files\Common Files\real
2007-03-20 00:13 -------- d-------- C:\DOCUME~1\raylee\APPLIC~1\real
2007-03-12 21:54 -------- d-------- C:\Program Files\helponclick operator client
2007-03-11 07:27 73216 --a------ C:\WINDOWS\st6unst.exe
2007-03-11 07:27 282624 -ra------ C:\WINDOWS\setup1.exe
2007-03-11 07:27 102400 --a------ C:\WINDOWS\system32\vb6stkit.dll
2007-02-26 14:24 239616 --a------ C:\WINDOWS\system32\gdsmux.exe
2007-02-26 14:24 220672 --a------ C:\WINDOWS\system32\dxr.dll
2007-02-26 14:23 104960 --a------ C:\WINDOWS\system32\dsmux.exe
2007-02-26 14:22 159744 --a------ C:\WINDOWS\system32\mmfinfo.dll
2007-02-26 14:22 151552 --a------ C:\WINDOWS\system32\ts.dll
2007-02-26 14:22 150528 --a------ C:\WINDOWS\system32\mkx.dll
2007-02-26 14:22 141312 --a------ C:\WINDOWS\system32\mp4.dll
2007-02-26 14:22 135168 --a------ C:\WINDOWS\system32\mkv2vfr.exe
2007-02-26 14:22 123392 --a------ C:\WINDOWS\system32\ogm.dll
2007-02-26 14:22 110592 --a------ C:\WINDOWS\system32\avi.dll
2007-02-26 14:22 106496 --a------ C:\WINDOWS\system32\avss.dll
2007-02-26 14:21 99840 --a------ C:\WINDOWS\system32\avs.dll
2007-02-26 14:21 79360 --a------ C:\WINDOWS\system32\mkzlib.dll
2007-02-26 14:21 23552 --a------ C:\WINDOWS\system32\mkunicode.dll
2007-02-12 12:21 97280 --a------ C:\WINDOWS\system32\ff_realaac.dll
2007-02-12 12:21 79872 --a------ C:\WINDOWS\system32\ff_tremor.dll
2007-02-12 12:21 741376 --a------ C:\WINDOWS\system32\audxlib.dll
2007-02-12 12:21 462848 --a------ C:\WINDOWS\system32\ff_x264.dll
2007-02-12 12:21 40960 --a------ C:\WINDOWS\system32\ff_liba52.dll
2007-02-12 12:21 399872 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-02-12 12:21 38400 --a------ C:\WINDOWS\system32\ff_unrar.dll
2007-02-12 12:21 3426304 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-02-12 12:21 26624 --a------ C:\WINDOWS\system32\ff_wmv9.dll
2007-02-12 12:21 245760 --a------ C:\WINDOWS\system32\ff_libfaad2.dll
2007-02-12 12:21 225280 --a------ C:\WINDOWS\system32\ff_kerneldeint.dll
2007-02-12 12:21 200704 --a------ C:\WINDOWS\system32\tomsmocomp_ff.dll
2007-02-12 12:21 155648 --a------ C:\WINDOWS\system32\ff_libdts.dll
2007-02-12 12:21 143360 --a------ C:\WINDOWS\system32\ff_theora.dll
2007-02-12 12:21 122880 --a------ C:\WINDOWS\system32\ff_samplerate.dll
2007-02-12 12:21 118784 --a------ C:\WINDOWS\system32\ff_libmad.dll
2007-02-12 12:21 114688 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-02-12 12:21 10752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-02-11 18:29 2560 --a------ C:\WINDOWS\_msrstrt.exe
2007-01-31 21:56 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-01-31 14:27 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-01-29 22:03 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-29 22:03 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-29 22:03 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-29 21:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-29 21:56 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-01-29 21:56 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-01-29 21:56 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-01-29 21:56 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-01-29 21:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"Tvs"="C:\\Program Files\\Toshiba\\Tvs\\TvsTray.exe"
"SmoothView"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
"PadTouch"="C:\\Program Files\\TOSHIBA\\Touch and Launch\\PadExe.exe"
"THotkey"="C:\\Program Files\\Toshiba\\Toshiba Applet\\thotkey.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech SetPoint.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech SetPoint.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\SetPoint\\KEM.exe "
"item"="Logitech SetPoint"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\RAMASST.lnk"
"backup"="C:\\WINDOWS\\pss\\RAMASST.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\RAMASST.exe "
"item"="RAMASST"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Communications_Helper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\Communications_Helper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QuickCam10"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Logitech\\QuickCam10\\QuickCam10.exe\" /hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TFncKy"
"hkey"="HKLM"
"command"="TFncKy.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TPSMain"
"hkey"="HKLM"
"command"="TPSMain.exe"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uvadzgyh

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
zvttjfjp

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_XFUBDGJD


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Registration reminder 2.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-16 1:39:26
C:\ComboFix-quarantined-files.txt ... 07-04-16 01:39

==================================
Attached Files
File Type: txt ComboFix-apr15-1.txt (16.0 KB, 0 views)
Old 04-17-2007, 06:03 AM   #3 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 24
OS: Windows XP


Re: Trojan/Bloodhound.Exploit and BO:HEAP Problems

hi again,

the problems seem to be getting worse. every time i use ie, it triggers the virus alert (bo:heap) from mcafee and then ie becomes non-responsive (not responding state).

to continue, i need to go to the task manager and then kill the ieexplorer.exe process.

unfortunately, there is no consistency to when the virus alert (and therefore, the ie crash) happens. it can occur the moment i open ie, or it can happen 5-10 min after using ie.

again, thx in advance for the help.
Old 04-20-2007, 05:34 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Trojan/Bloodhound.Exploit and BO:HEAP Problems

1. Delete your existing copy of combofix & grab a new copy from here -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
Old 04-22-2007, 07:28 PM   #5 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 24
OS: Windows XP


Re: Trojan/Bloodhound.Exploit and BO:HEAP Problems

=======================================
COMBO FIX LOG
=======================================

"raylee" - 07-04-22 18:09:10 Service Pack 2
ComboFix 07-04-21.3V - Running from: "C:\Documents and Settings\raylee\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dahadah.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drivers\zkchigdi.sys . . . . failed to delete
C:\WINDOWS\system32\dahadah.dll . . . . failed to delete
C:\WINDOWS\system32\dahadah.dll . . . . failed to delete


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\xfubdgjd
-------\LEGACY_XFUBDGJD


((((((((((((((((((((((((((((((( Files Created from 2007-03-22 to 2007-04-22 ))))))))))))))))))))))))))))))))))


2007-04-17 07:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Innovative Solutions
2007-04-16 19:27 <DIR> d-------- C:\DOCUME~1\raylee\APPLIC~1\Smart PC Solutions
2007-04-16 01:36 79,360 --------- C:\WINDOWS\system32\dahadah.dll
2007-04-16 01:36 12,416 C:\WINDOWS\system32\drivers\zkchigdi.sys
2007-04-14 09:46 44,032 --a------ C:\WINDOWS\system32\tmsdsnjm.dll
2007-04-14 09:46 131,584 --a------ C:\WINDOWS\system32\gcyuimqb.dll
2007-04-14 09:46 100,864 --a------ C:\WINDOWS\system32\mdthrubt.dll
2007-04-13 21:48 58,464 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys
2007-04-13 21:48 108,480 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-04-13 21:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Network Associates
2007-04-13 21:44 <DIR> d-------- C:\Program Files\Network Associates
2007-04-13 21:44 <DIR> d-------- C:\Program Files\Common Files\Network Associates
2007-04-13 21:01 <DIR> d--h----- C:\WINDOWS\PIF
2007-04-10 21:55 <DIR> d-------- C:\Program Files\MSN Messenger
2007-04-02 19:35 <DIR> d-------- C:\DOCUME~1\raylee\APPLIC~1\DivX
2007-04-02 18:10 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-03-30 10:36 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-03-30 10:36 <DIR> d-------- C:\WINDOWS\system32\custom matrices
2007-03-30 10:36 <DIR> d-------- C:\WINDOWS\system32\C2MP
2007-03-22 18:10 <DIR> d-------- C:\DOCUME~1\raylee\APPLIC~1\Skype
2007-03-22 00:55 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-03-22 00:53 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-03-22 00:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-20 08:50 -------- d-------- C:\Program Files\ltmoh.vir
2007-04-17 07:40 -------- d-------- C:\Program Files\google
2007-04-13 19:40 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-03-22 17:55 -------- d-------- C:\Program Files\skype
2007-03-21 21:33 -------- d--h----- C:\Program Files\installshield installation information
2007-03-21 21:33 -------- d-------- C:\Program Files\toshiba
2007-03-20 10:28 2756 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-20 03:37 -------- d-------- C:\Program Files\eset.vir
2007-03-20 00:13 -------- d-------- C:\DOCUME~1\raylee\APPLIC~1\real
2007-03-12 21:54 -------- d-------- C:\Program Files\helponclick operator client
2007-03-11 07:27 73216 --a------ C:\WINDOWS\st6unst.exe
2007-03-11 07:27 282624 -ra------ C:\WINDOWS\setup1.exe
2007-03-11 07:27 102400 --a------ C:\WINDOWS\system32\vb6stkit.dll
2007-02-26 14:24 239616 --a------ C:\WINDOWS\system32\gdsmux.exe
2007-02-26 14:24 220672 --a------ C:\WINDOWS\system32\dxr.dll
2007-02-26 14:23 104960 --a------ C:\WINDOWS\system32\dsmux.exe
2007-02-26 14:22 159744 --a------ C:\WINDOWS\system32\mmfinfo.dll
2007-02-26 14:22 151552 --a------ C:\WINDOWS\system32\ts.dll
2007-02-26 14:22 150528 --a------ C:\WINDOWS\system32\mkx.dll
2007-02-26 14:22 141312 --a------ C:\WINDOWS\system32\mp4.dll
2007-02-26 14:22 135168 --a------ C:\WINDOWS\system32\mkv2vfr.exe
2007-02-26 14:22 123392 --a------ C:\WINDOWS\system32\ogm.dll
2007-02-26 14:22 110592 --a------ C:\WINDOWS\system32\avi.dll
2007-02-26 14:22 106496 --a------ C:\WINDOWS\system32\avss.dll
2007-02-26 14:21 99840 --a------ C:\WINDOWS\system32\avs.dll
2007-02-26 14:21 79360 --a------ C:\WINDOWS\system32\mkzlib.dll
2007-02-26 14:21 23552 --a------ C:\WINDOWS\system32\mkunicode.dll
2007-02-12 12:21 97280 --a------ C:\WINDOWS\system32\ff_realaac.dll
2007-02-12 12:21 79872 --a------ C:\WINDOWS\system32\ff_tremor.dll
2007-02-12 12:21 741376 --a------ C:\WINDOWS\system32\audxlib.dll
2007-02-12 12:21 462848 --a------ C:\WINDOWS\system32\ff_x264.dll
2007-02-12 12:21 40960 --a------ C:\WINDOWS\system32\ff_liba52.dll
2007-02-12 12:21 399872 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-02-12 12:21 38400 --a------ C:\WINDOWS\system32\ff_unrar.dll
2007-02-12 12:21 3426304 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-02-12 12:21 26624 --a------ C:\WINDOWS\system32\ff_wmv9.dll
2007-02-12 12:21 245760 --a------ C:\WINDOWS\system32\ff_libfaad2.dll
2007-02-12 12:21 225280 --a------ C:\WINDOWS\system32\ff_kerneldeint.dll
2007-02-12 12:21 200704 --a------ C:\WINDOWS\system32\tomsmocomp_ff.dll
2007-02-12 12:21 155648 --a------ C:\WINDOWS\system32\ff_libdts.dll
2007-02-12 12:21 143360 --a------ C:\WINDOWS\system32\ff_theora.dll
2007-02-12 12:21 122880 --a------ C:\WINDOWS\system32\ff_samplerate.dll
2007-02-12 12:21 118784 --a------ C:\WINDOWS\system32\ff_libmad.dll
2007-02-12 12:21 114688 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-02-12 12:21 10752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-02-11 18:29 2560 --a------ C:\WINDOWS\_msrstrt.exe
2007-01-31 21:56 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-01-31 14:27 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-01-29 22:03 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-29 22:03 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-29 22:03 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-29 21:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-29 21:56 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-01-29 21:56 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-01-29 21:56 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-01-29 21:56 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-01-29 21:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"Tvs"="C:\\Program Files\\Toshiba\\Tvs\\TvsTray.exe"
"SmoothView"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
"PadTouch"="C:\\Program Files\\TOSHIBA\\Touch and Launch\\PadExe.exe"
"THotkey"="C:\\Program Files\\Toshiba\\Toshiba Applet\\thotkey.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uvadzgyh

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech SetPoint.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech SetPoint.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\SetPoint\\KEM.exe "
"item"="Logitech SetPoint"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\RAMASST.lnk"
"backup"="C:\\WINDOWS\\pss\\RAMASST.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\RAMASST.exe "
"item"="RAMASST"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Communications_Helper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\Communications_Helper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QuickCam10"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Logitech\\QuickCam10\\QuickCam10.exe\" /hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TFncKy"
"hkey"="HKLM"
"command"="TFncKy.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TPSMain"
"hkey"="HKLM"
"command"="TPSMain.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
zvttjfjp

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_XFUBDGJD


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Registration reminder 2.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-22 18:18:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-22 18:20:47 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-22 18:20


=======================================
Attached Files
File Type: txt ComboFix-2007-04-23.txt (14.2 KB, 0 views)
retro is offline  
Old 04-22-2007, 07:29 PM   #6 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 24
OS: Windows XP


Re: Trojan/Bloodhound.Exploit and BO:HEAP Problems

====================================
HIJACKTHIS LOG
====================================


Logfile of HijackThis v1.99.1
Scan saved at 6:23:34 PM, on 4/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\raylee\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {DA27770C-B55E-4F1A-A7C6-CFB2F5594C22} - c:\windows\system32\dahadah.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.smartsearchonline.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1B635029-8269-11D8-9E2B-004005A9ABD2} (TX - ButtonBar Control) - http://search10.smartsearchonline.co...rsonnel/Tx.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/16.43/uploader2.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: uvadzgyh - C:\WINDOWS\SYSTEM32\dahadah.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - c:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe


====================================
Attached Files
File Type: txt hijackthis-2007-04-23.log.txt (7.1 KB, 0 views)
retro is offline  
Old 04-22-2007, 07:35 PM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 21,354
OS: XP


Re: Trojan/Bloodhound.Exploit and BO:HEAP Problems

Quote:
C:\WINDOWS\system32\drivers\zkchigdi.sys . . . . failed to delete
C:\WINDOWS\system32\dahadah.dll . . . . failed to delete
C:\WINDOWS\system32\dahadah.dll . . . . failed to delete
Please run it once more. It sometimes fails to get it in the first pass.
sUBs is offline  
Old 04-22-2007, 08:37 PM   #8 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 24
OS: Windows XP


Re: Trojan/Bloodhound.Exploit and BO:HEAP Problems

Looks like it still couldn't clean all of it.

=============================
COMBO FIX LOG
=============================

"raylee" - 07-04-22 19:24:29 Service Pack 2
ComboFix 07-04-21.3V - Running from: "C:\Documents and Settings\raylee\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dahadah.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drivers\zkchigdi.sys . . . . failed to delete
C:\WINDOWS\system32\dahadah.dll


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\xfubdgjd
-------\LEGACY_XFUBDGJD


((((((((((((((((((((((((((((((( Files Created from 2007-03-22 to 2007-04-22 ))))))))))))))))))))))))))))))))))


2007-04-22 18:20 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-17 07:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Innovative Solutions
2007-04-16 19:27 <DIR> d-------- C:\DOCUME~1\raylee\APPLIC~1\Smart PC Solutions
2007-04-16 01:36 79,360 --a------ C:\WINDOWS\system32\dahadah.dll
2007-04-16 01:36 12,416 C:\WINDOWS\system32\drivers\zkchigdi.sys
2007-04-14 09:46 44,032 --a------ C:\WINDOWS\system32\tmsdsnjm.dll
2007-04-14 09:46 131,584 --a------ C:\WINDOWS\system32\gcyuimqb.dll
2007-04-14 09:46 100,864 --a------ C:\WINDOWS\system32\mdthrubt.dll
2007-04-13 21:48 58,464 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys
2007-04-13 21:48 108,480 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-04-13 21:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Network Associates
2007-04-13 21:44 <DIR> d-------- C:\Program Files\Network Associates
2007-04-13 21:44 <DIR> d-------- C:\Program Files\Common Files\Network Associates
2007-04-13 21:01 <DIR> d--h----- C:\WINDOWS\PIF
2007-04-10 21:55 <DIR> d-------- C:\Program Files\MSN Messenger
2007-04-02 19:35 <DIR> d-------- C:\DOCUME~1\raylee\APPLIC~1\DivX
2007-04-02 18:10 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-03-30 10:36 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-03-30 10:36 <DIR> d-------- C:\WINDOWS\system32\custom matrices
2007-03-30 10:36 <DIR> d-------- C:\WINDOWS\system32\C2MP
2007-03-22 18:10 <DIR> d-------- C:\DOCUME~1\raylee\APPLIC~1\Skype
2007-03-22 00:55 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-03-22 00:53 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-03-22 00:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-20 08:50 -------- d-------- C:\Program Files\ltmoh.vir
2007-04-17 07:40 -------- d-------- C:\Program Files\google
2007-04-13 19:40 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-03-22 17:55 -------- d-------- C:\Program Files\skype
2007-03-21 21:33 -------- d--h----- C:\Program Files\installshield installation information
2007-03-21 21:33 -------- d-------- C:\Program Files\toshiba
2007-03-20 10:28 2756 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-20 03:37 -------- d-------- C:\Program Files\eset.vir
2007-03-20 00:13 -------- d-------- C:\DOCUME~1\raylee\APPLIC~1\real
2007-03-12 21:54 -------- d-------- C:\Program Files\helponclick operator client
2007-03-11 07:27 73216 --a------ C:\WINDOWS\st6unst.exe
2007-03-11 07:27 282624 -ra------ C:\WINDOWS\setup1.exe
2007-03-11 07:27 102400 --a------ C:\WINDOWS\system32\vb6stkit.dll
2007-02-26 14:24 239616 --a------ C:\WINDOWS\system32\gdsmux.exe
2007-02-26 14:24 220672 --a------ C:\WINDOWS\system32\dxr.dll
2007-02-26 14:23 104960 --a------ C:\WINDOWS\system32\dsmux.exe
2007-02-26 14:22 159744 --a------ C:\WINDOWS\system32\mmfinfo.dll
2007-02-26 14:22 151552 --a------ C:\WINDOWS\system32\ts.dll
2007-02-26 14:22 150528 --a------ C:\WINDOWS\system32\mkx.dll
2007-02-26 14:22 141312 --a------ C:\WINDOWS\system32\mp4.dll
2007-02-26 14:22 135168 --a------ C:\WINDOWS\system32\mkv2vfr.exe
2007-02-26 14:22 123392 --a------ C:\WINDOWS\system32\ogm.dll
2007-02-26 14:22 110592 --a------ C:\WINDOWS\system32\avi.dll
2007-02-26 14:22 106496 --a------ C:\WINDOWS\system32\avss.dll
2007-02-26 14:21 99840 --a------ C:\WINDOWS\system32\avs.dll
2007-02-26 14:21 79360 --a------ C:\WINDOWS\system32\mkzlib.dll
2007-02-26 14:21 23552 --a------ C:\WINDOWS\system32\mkunicode.dll
2007-02-12 12:21 97280 --a------ C:\WINDOWS\system32\ff_realaac.dll
2007-02-12 12:21 79872 --a------ C:\WINDOWS\system32\ff_tremor.dll
2007-02-12 12:21 741376 --a------ C:\WINDOWS\system32\audxlib.dll
2007-02-12 12:21 462848 --a------ C:\WINDOWS\system32\ff_x264.dll
2007-02-12 12:21 40960 --a------ C:\WINDOWS\system32\ff_liba52.dll
2007-02-12 12:21 399872 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-02-12 12:21 38400 --a------ C:\WINDOWS\system32\ff_unrar.dll
2007-02-12 12:21 3426304 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-02-12 12:21 26624 --a------ C:\WINDOWS\system32\ff_wmv9.dll
2007-02-12 12:21 245760 --a------ C:\WINDOWS\system32\ff_libfaad2.dll
2007-02-12 12:21 225280 --a------ C:\WINDOWS\system32\ff_kerneldeint.dll
2007-02-12 12:21 200704 --a------ C:\WINDOWS\system32\tomsmocomp_ff.dll
2007-02-12 12:21 155648 --a------ C:\WINDOWS\system32\ff_libdts.dll
2007-02-12 12:21 143360 --a------ C:\WINDOWS\system32\ff_theora.dll
2007-02-12 12:21 122880 --a------ C:\WINDOWS\system32\ff_samplerate.dll
2007-02-12 12:21 118784 --a------ C:\WINDOWS\system32\ff_libmad.dll
2007-02-12 12:21 114688 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-02-12 12:21 10752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-02-11 18:29 2560 --a------ C:\WINDOWS\_msrstrt.exe
2007-01-31 21:56 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-01-31 14:27 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-01-29 22:03 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-29 22:03 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-29 22:03 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-29 21:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-29 21:56 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-01-29 21:56 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-01-29 21:56 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-01-29 21:56 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-01-29 21:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"Tvs"="C:\\Program Files\\Toshiba\\Tvs\\TvsTray.exe"
"SmoothView"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
"PadTouch"="C:\\Program Files\\TOSHIBA\\Touch and Launch\\PadExe.exe"
"THotkey"="C:\\Program Files\\Toshiba\\Toshiba Applet\\thotkey.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uvadzgyh

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^S