Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 




Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
Collected.11.B keeps returning Collected.11.B keeps returning
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read

Resolved HJT Threads Resolved spyware and popup issues.

 
 
Thread Tools
Old 04-16-2007, 09:37 AM   #1 (permalink)
Registered User
 
cowboy13210's Avatar
 
Join Date: Apr 2007
Posts: 11
OS: XP


Collected.11.B keeps returning
I did all the 5 steps i could,
Panda would not scan , said error on page , this trojan keeps coming back , my AVG detects it , i send file to vault , but everytime i reboot its back , always a dll file , just different filenames


Deckard's System Scanner v20070411.38
Run by one on 2007-04-16 at 10:45:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
58: 2007-04-16 14:45:56 UTC - RP533 - Deckard's System Scanner Restore Point
57: 2007-04-16 13:26:50 UTC - RP532 - Software Distribution Service 2.0
56: 2007-04-15 23:53:16 UTC - RP531 - System Checkpoint
55: 2007-04-14 14:48:32 UTC - RP530 - Installed Opera 9.20
54: 2007-04-14 14:47:14 UTC - RP529 - Removed Opera 9.10


-- First Restore Point --
1: 2007-02-25 13:22:55 UTC - RP476 - Software Distribution Service 2.0


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as one.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:48:50 AM, on 4/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Rocket Software\Rocket Mobile & Security Apps\MobileCenter.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\one\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\one.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: run=
O2 - BHO: (no name) - {483CC496-D041-4545-8D9E-2D64294F97B2} - C:\WINDOWS\system32\jkkiigf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {563DD40C-D23B-4D34-AEB6-E356A2BB6515} - C:\WINDOWS\system32\vtstr.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\mhibwdmo.dll
O2 - BHO: (no name) - {7447BBD6-65E5-441C-875B-53FBA126D811} - C:\WINDOWS\system32\pmkjg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {F9B896E7-0977-4DC6-B0F4-DFEC8C53A1C6} - C:\WINDOWS\system32\ddccb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\kghqqvtj.dll",setvm
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [RocketAppCenter.exe] "C:\Program Files\Rocket Software\Rocket Mobile & Security Apps\MobileCenter.exe"
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://irc.everywherechat.com:8000/Java/cfs40320.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.5.3.3...ass2-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.5.5.2...ttso-en_US.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.6.0.2...oppa-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.5.3.3...pit2-en_US.cab
O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.6.0.2...reak-en_US.cab
O16 - DPF: Ride The Tide by pogo - http://game1.pogo.com/applet-6.5.3.4...ride-en_US.cab
O16 - DPF: Stellar Sweeper by pogo - http://game1.pogo.com/applet-6.5.5.3...eper-en_US.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.6.2.3...eaks-en_US.cab
O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.com/applet-6.5.3.3...ries-en_US.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt4_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/gam...s/y/poti_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/...ad/tgctlar.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123915191171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1123915296328
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: jkkiigf - C:\WINDOWS\SYSTEM32\jkkiigf.dll
O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 cmpci (C-Media PCI Audio Driver (WDM)) - c:\windows\system32\drivers\cmaudio.sys
R3 L8042mou (Logitech SetPoint PS/2 Mouse Filter Driver) - c:\windows\system32\drivers\l8042mou.sys
R3 ltmodem5 (LT Modem Driver) - c:\windows\system32\drivers\ltmdmnt.sys
R3 QCDonner (Logitech QuickCam Express(PID_0840)) - c:\windows\system32\drivers\lvcd.sys

S3 FileInfo - c:\program files\rocket software\rocket mobile & security apps\finfo.sys (file missing)
S3 LHidUsbK (Logitech SetPoint USB Receiver Device Driver) - c:\windows\system32\drivers\lhidusbk.sys
S3 LUsbKbd (Logitech SetPoint USB Keyboard Filter) - c:\windows\system32\drivers\lusbkbd.sys
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Diskeeper - "c:\program files\executive software\diskeeper\dkservice.exe"
R2 ProtexisLicensing - c:\windows\system32\psiservice.exe


-- Scheduled Tasks -------------------------------------------------------------

2007-03-21 07:55:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>


-- Files created between 2007-03-16 and 2007-04-16 -----------------------------

2007-04-16 09:35:50 0 d-------- C:\WINDOWS\network diagnostic<NETWOR~1>
2007-04-16 06:49:33 123972 --a------ C:\WINDOWS\system32\yvlckdxo.dll
2007-04-16 06:49:33 1391967 ---hs---- C:\WINDOWS\system32\rtstv.bak1<RTSTV~1.BAK>
2007-04-16 06:49:11 280676 ---hs---- C:\WINDOWS\system32\vtstr.dll
2007-04-15 13:31:35 123972 --a------ C:\WINDOWS\system32\ljkvglep.dll
2007-04-15 13:31:30 1395016 ---hs---- C:\WINDOWS\system32\gjkmp.bak2<GJKMP~1.BAK>
2007-04-15 06:59:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-04-15 06:57:38 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-04-14 13:31:29 123972 --a------ C:\WINDOWS\system32\cwfbiule.dll
2007-04-14 13:30:52 280676 ---h----- C:\WINDOWS\system32\pmkjg.dll
2007-04-13 15:11:40 123972 --a------ C:\WINDOWS\system32\cxkepfmd.dll
2007-04-12 07:50:22 123972 --a------ C:\WINDOWS\system32\ffvaseug.dll
2007-04-12 07:50:06 48708 --a------ C:\WINDOWS\system32\mhibwdmo.dll
2007-04-12 07:49:37 280676 ---hs---- C:\WINDOWS\system32\ddccb.dll
2007-04-11 20:51:10 0 d-------- C:\Program Files\RogueRemover<ROGUER~1>
2007-04-11 19:33:13 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-04-07 16:55:05 280676 ---hs---- C:\WINDOWS\system32\geede.dll
2007-04-07 16:55:05 280676 ---hs---- C:\WINDOWS\system32\awtqr.dll
2007-04-07 16:50:00 26694 --a------ C:\WINDOWS\system32\iiffecy.dll
2007-04-07 16:48:32 26694 --a------ C:\WINDOWS\system32\jkkhigh.dll
2007-04-07 16:44:17 26694 --a------ C:\WINDOWS\system32\jkkiigf.dll
2007-04-07 08:48:47 0 d-------- C:\Documents and Settings\one\Application Data\Opera
2007-04-07 08:48:17 0 d-------- C:\Program Files\Opera
2007-04-06 08:08:01 255848 --a------ C:\WINDOWS\system32\xactengine2_6.dll<XA3066~1.DLL>
2007-04-06 08:08:00 251672 --a------ C:\WINDOWS\system32\xactengine2_5.dll<XA3C56~1.DLL>
2007-04-06 08:07:59 3426072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-04-06 08:07:58 68888 --a------ C:\WINDOWS\system32\xinput1_3.dll<XINPUT~4.DLL>
2007-04-06 08:07:58 237848 --a------ C:\WINDOWS\system32\xactengine2_4.dll<XA3856~1.DLL>
2007-04-06 08:07:58 15128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll<X3DAUD~2.DLL>
2007-04-06 08:07:56 2414360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-04-06 08:07:55 236824 --a------ C:\WINDOWS\system32\xactengine2_3.dll<XACTEN~4.DLL>
2007-04-06 08:07:54 62744 --a------ C:\WINDOWS\system32\xinput1_2.dll<XINPUT~3.DLL>
2007-04-06 08:07:36 2297552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-04-04 17:25:28 75512 --a------ C:\WINDOWS\zllsputility.exe<ZLLSPU~1.EXE>
2007-04-04 17:25:27 11264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-04-04 17:24:47 1087216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-04-01 04:56:10 0 d-------- C:\20c3c74e86ab721be2<20C3C7~1>
2007-04-01 0306 0 d-------- C:\Program Files\MSBuild
2007-04-01 02:58:47 0 d-------- C:\WINDOWS\system32\XPSViewer<XPSVIE~1>
2007-04-01 02:56:48 0 d-------- C:\Program Files\Reference Assemblies<REFERE~1>
2007-04-01 02:09:57 14048 -----n--- C:\WINDOWS\system32\spmsg2.dll
2007-03-31 19:15:39 520192 -----n--- C:\WINDOWS\system32\ati2sgag.exe
2007-03-31 19:14:41 0 d-------- C:\Program Files\ATI Technologies<ATITEC~1>
2007-03-31 19:12:18 0 d-------- C:\ATI
2007-03-31 18:52:20 1288960 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-03-31 18:52:20 2824512 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-03-31 18:52:18 1972224 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-03-31 18:52:17 870784 --a------ C:\WINDOWS\system32\ati3d1ag.dll
2007-03-31 18:51:59 265728 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-03-31 18:51:57 348160 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-03-20 17:16:13 0 d-------- C:\Program Files\Extension Changer<EXTENS~1>


-- Find3M Report ---------------------------------------------------------------

2007-04-16 09:31:14 0 d-------- C:\Documents and Settings\one\Application Data\Skype
2007-04-12 12:13:11 0 d-------- C:\Program Files\Java
2007-04-12 08:57:42 0 d-------- C:\Documents and Settings\one\Application Data\AVG7
2007-04-12 06:58:30 0 d-------- C:\Program Files\Logitech
2007-04-06 09:45:17 0 d-------- C:\Documents and Settings\one\Application Data\dvdcss
2007-04-05 0740 0 d-------- C:\Program Files\NewzToolz<NEWZTO~1>
2007-04-05 07:02:43 0 d-------- C:\Program Files\KeyText
2007-04-04 17:27:41 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-03-31 19:16:08 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-23 19:01:44 0 d-------- C:\Program Files\TorrentStorm<TORREN~1>
2007-03-17 09:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-14 14:30:39 0 d-------- C:\Documents and Settings\one\Application Data\{27ABEAD9-B7C4-4994-891F-48F5F48861FA}<{27ABE~1>
2007-03-13 20:53:29 0 d-------- C:\Documents and Settings\one\Application Data\Alien Skin<ALIENS~1>
2007-03-10 08:17:15 0 d-------- C:\Documents and Settings\one\Application Data\Corel
2007-03-10 08:15:56 3350 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-03-10 08:11:58 0 d-------- C:\Program Files\Alchemy Mindworks<ALCHEM~1>
2007-03-09 19:07:43 0 d-------- C:\Documents and Settings\one\Application Data\Jasc
2007-03-09 19:05:06 0 d-------- C:\Program Files\Jasc Software Inc<JASCSO~1>
2007-03-08 11:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-02 16:57:04 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-03-02 16:54:35 307200 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-03-02 16:47:51 118784 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-03-02 16:47:42 110592 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-03-02 16:47:35 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-03-02 16:47:30 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-03-02 16:47:19 110592 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-03-02 16:46:12 446464 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-03-02 16:45:32 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-03-02 16:29:08 3107788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2007-03-02 16:21:15 5398528 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-03-02 16:17:37 258048 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-03-02 16:16:23 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-02-26 11:44:06 147685 --a------ C:\WINDOWS\system32\atiicdxx.dat
2007-02-19 21:23:25 0 d-------- C:\Program Files\Acoustica MP3 To Wave Converter PLUS<ACOUST~1>
2007-02-19 15:38:45 0 d---s---- C:\Documents and Settings\one\Application Data\Microsoft<MICROS~1>
2007-02-05 16:17:02 185344 --a------ C:\WINDOWS\system32\upnphost.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"WebCamRT.exe"=""
"RocketAppCenter.exe"="\"C:\\Program Files\\Rocket Software\\Rocket Mobile & Security Apps\\MobileCenter.exe\""
"ProxyWay"="C:\\Program Files\\ProxyWay\\proxyway.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"C-Media Mixer"="Mixer.exe /startup"
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SoundService"="rundll32.exe \"C:\\WINDOWS\\system32\\kghqqvtj.dll\",setvm"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver\\LVCOMS.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{483CC496-D041-4545-8D9E-2D64294F97B2}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkiigf
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstr

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-04-16 at 10:50:48 ---------
from what i see a lotta people are getting this, but as i know very little about it i dont want to mess with anything withoiut advice , ty

i see a message says upload error when i upload the extra text, so ill paste it here , i hope its ok
Deckard's System Scanner v20070411.38
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 1700MHz
Percentage of Memory in Use: 65%
Physical Memory (total/avail): 511.53 MiB / 177.87 MiB
Pagefile Memory (total/avail): 1248.48 MiB / 970.89 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1971.01 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 76.31 GiB total, 23.05 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Firewall v7.0.337.000 (Check Point, LTD.)
AV: AVG 7.5.446 v7.5.446 (GRISOFT)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\one\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MICHAELS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\one
LOGONSERVER=\\MICHAELS
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Executive Software\Diskeeper\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 0 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=000a
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\one\LOCALS~1\Temp
TMP=C:\DOCUME~1\one\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=MICHAELS
USERNAME=one
USERPROFILE=C:\Documents and Settings\one
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

one (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acoustica MP3 To Wave Converter PLUS --> C:\PROGRA~1\ACOUST~1\UNWISE.EXE C:\PROGRA~1\ACOUST~1\INSTALL.LOG
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Alien Skin Xenofex 2.0 Demo --> C:\PROGRA~1\MACROM~1\FIREWO~1\\Plug-Ins\ALIENS~1\Unwise32.exe C:\PROGRA~1\MACROM~1\FIREWO~1\\Plug-Ins\ALIENS~1\INSTALL.LOG
AnalogX Capture --> C:\Program Files\AnalogX\Capture\captureu.exe
Apple Software Update --> MsiExec.exe /I{55FA89BD-21D3-42F7-9249-C94C0094A83C}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Diskeeper Professional Edition --> MsiExec.exe /X{DBCD6910-F929-4D46-B867-3EBEA4A1D409}
Easy Video Splitter 1.28 --> "C:\Program Files\Easy Video Splitter\unins000.exe"
EasyCleaner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
Everest Poker (Remove Only) --> C:\Program Files\Everest Poker\cstart.exe /uninstall
Extension Changer --> C:\Program Files\Extension Changer\extuninstall.exe
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
GrabIt 1.5.2 Beta(build 902) --> "C:\Program Files\GrabIt\unins000.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Deskjet 3740 --> msiexec /x{F901CA6D-A074-42D3-A11D-33AAE6FFD0C1}
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
Jasc Animation Shop 3 --> MsiExec.exe /I{174D5678-D941-433C-BD23-58A5C7B0D36D}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
KeyText v2.25 --> "C:\Program Files\KeyText\unins000.exe"
Lavasoft VX2 Cleaner --> C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\INSTALL.LOG
Logitech QuickCam --> MsiExec.exe /I{77E70C3C-DBB9-4C47-8663-1E1F81FEC623}
Logitech QuickCam Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C43048A9-742C-4DAD-90D2-E3B53C9DB825}\setup.exe" -l0x9
Logitech SetPoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x9 -removeonly
Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Macromedia Dreamweaver 8 --> MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Fireworks 8 --> MsiExec.exe /I{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}
Macromedia Flash 8 --> MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Macromedia Flash 8 Video Encoder --> MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash Player 8 --> MsiExec.exe /X{885A63EA-382B-4DD4-A755-14809B8557D6}
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NewzToolz v1.0.1 --> "C:\Program Files\NewzToolz\unins000.exe"
NUDURA Estimator --> MsiExec.exe /I{F6B21633-4AE1-4557-AC11-6AA7F44A3241}
OLYMPUS CAMEDIA Master 4.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30BB4D60-81DB-11D5-BB77-00400536ABAC}\setup.exe" CAMEDIA Master 4.2
OmniMouse Driver 4.06 --> C:\Program Files\NASDAK\OmniMouse Driver\4.06\unins000.EXE
Opera 9.20 --> MsiExec.exe /X{E5EC3E84-F3D6-4ECB-9486-69FCF11694B3}
PCI Audio Driver --> cmuninst.exe
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rocket.Time --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{78FE57A5-9645-40AF-A95C-8FAC37CFDD33}\setup.exe" -l0x9 -removeonly
RogueRemover 1.15 --> C:\Program Files\RogueRemover\uninst.exe
Skype 1.4 --> "C:\Program Files\Skype\Phone\unins000.exe"
SpongeBob SquarePants - The Movie --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B98D958E-9E59-43B7-B47F-043D45D73EE6}\setup.exe" -l0x9 -uninst
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TorrentStorm --> C:\Program Files\TorrentStorm\Uninstall.exe
VideoEgg Publisher --> C:\Program Files\VideoEgg\Uninstall.exe
VideoLAN VLC media player 0.8.5 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! extras --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- End of Deckard's System Scanner: finished at 2007-04-16 at 10:50:48 ---------
Last edited by cowboy13210 : 04-16-2007 at 09:48 AM. Reason: extra text log attachment
cowboy13210 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 04-17-2007, 08:34 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,752
OS: 2000 Pro; XP Pro; XP Home


Re: Collected.11.B keeps returning
Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

---------------------------------------------------------------------------------------------

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{483CC496-D041-4545-8D9E-2D64294F97B2}"=-
Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:

Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------
  1. Download ComboFix from one of these locations:
  2. Double click on ComboFix.exe & follow the prompts.
  3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 04-17-2007, 09:12 AM   #3 (permalink)
Registered User
 
cowboy13210's Avatar
 
Join Date: Apr 2007
Posts: 11
OS: XP


Re: Collected.11.B keeps returning
"one" - 07-04-17 10:57:35 Service Pack 2
ComboFix 07-04-17.V - Running from: C:\Documents and Settings\one\Desktop\


((((((((((((((((((((((((((((((( Files Created from 2007-03-17 to 2007-04-17 ))))))))))))))))))))))))))))))))))


2007-04-17 07:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-17 07:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-16 10:45 <DIR> d-------- C:\Deckard
2007-04-16 09:35 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-04-15 06:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-04-15 06:57 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-11 20:51 <DIR> d-------- C:\Program Files\RogueRemover
2007-04-11 19:33 <DIR> d-------- C:\VundoFix Backups
2007-04-07 08:48 <DIR> d-------- C:\Program Files\Opera
2007-04-07 08:48 <DIR> d-------- C:\DOCUME~1\one\APPLIC~1\Opera
2007-04-06 08:08 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-04-06 08:08 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-04-06 08:07 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-04-06 08:07 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-04-06 08:07 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-04-06 08:07 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-04-06 08:07 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-04-06 08:07 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-04-06 08:07 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-04-06 08:07 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-04-04 17:25 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-04-04 17:25 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-04-04 17:24 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-04-01 04:56 <DIR> d-------- C:\20c3c74e86ab721be2
2007-04-01 03:06 <DIR> d-------- C:\Program Files\MSBuild
2007-04-01 02:58 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-04-01 02:56 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-04-01 02:09 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-03-31 19:15 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-03-31 19:14 <DIR> d-------- C:\Program Files\ATI Technologies
2007-03-31 19:12 <DIR> d-------- C:\ATI
2007-03-31 18:52 870,784 --a------ C:\WINDOWS\system32\ati3d1ag.dll
2007-03-31 18:52 2,824,512 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-03-31 18:52 1,972,224 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-03-31 18:52 1,288,960 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-03-31 18:51 348,160 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-03-31 18:51 265,728 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-03-20 17:16 <DIR> d-------- C:\Program Files\Extension Changer


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-17 10:40 -------- d-------- C:\DOCUME~1\one\APPLIC~1\skype
2007-04-17 07:33 -------- d-------- C:\DOCUME~1\one\APPLIC~1\lavasoft
2007-04-17 07:15 -------- d-------- C:\Program Files\yahoo!
2007-04-17 07:08 -------- d-------- C:\Program Files\newztoolz
2007-04-17 07:06 -------- d-------- C:\Program Files\grabit
2007-04-17 07:01 -------- d-------- C:\Program Files\jasc software inc
2007-04-12 12:13 -------- d-------- C:\Program Files\java
2007-04-12 06:58 -------- d-------- C:\Program Files\logitech
2007-04-06 09:45 -------- d-------- C:\DOCUME~1\one\APPLIC~1\dvdcss
2007-04-05 07:02 -------- d-------- C:\Program Files\keytext
2007-04-04 17:27 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-03-31 19:16 -------- d--h----- C:\Program Files\installshield installation information
2007-03-23 19:01 -------- d-------- C:\Program Files\torrentstorm
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-14 14:30 -------- d-------- C:\DOCUME~1\one\APPLIC~1\{27abead9-b7c4-4994-891f-48f5f48861fa}
2007-03-10 08:15 3350 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-03-09 19:07 -------- d-------- C:\DOCUME~1\one\APPLIC~1\jasc
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-02 16:57 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-03-02 16:54 307200 --a------ C:\WINDOWS\system32\atidemgx.dll
2007-03-02 16:47 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-03-02 16:47 26112 --a------ C:\WINDOWS\system32\ati2mdxx.exe
2007-03-02 16:47 118784 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-03-02 16:47 110592 --a------ C:\WINDOWS\system32\oemdspif.dll
2007-03-02 16:47 110592 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-03-02 16:46 446464 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-03-02 16:45 53248 --a------ C:\WINDOWS\system32\atiddc.dll
2007-03-02 16:29 3107788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2007-03-02 16:21 5398528 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-03-02 16:17 258048 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-03-02 16:16 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-02-26 11:44 147685 --a------ C:\WINDOWS\system32\atiicdxx.dat
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
{67C55A8D-E808-4caa-9EA7-F77102DE0BB6} C:\WINDOWS\system32\mhibwdmo.dll [x]
{7447BBD6-65E5-441C-875B-53FBA126D811} C:\WINDOWS\system32\pmkjg.dll [x]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{F9B896E7-0977-4DC6-B0F4-DFEC8C53A1C6} C:\WINDOWS\system32\ddccb.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"C-Media Mixer"="Mixer.exe /startup"
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"WebCamRT.exe"=""
"RocketAppCenter.exe"="\"C:\\Program Files\\Rocket Software\\Rocket Mobile & Security Apps\\MobileCenter.exe\""
"ProxyWay"="C:\\Program Files\\ProxyWay\\proxyway.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver\\LVCOMS.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-17 11:01:51
C:\ComboFix-quarantined-files.txt ... 07-04-17 11:01
C:\ComboFix2.txt ... 07-04-17 10:46

IT also created a quarantined files text file as follows:


07-04-07 16:44 26694 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkiigf.dll.vir
07-04-07 16:48 26694 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkhigh.dll.vir
07-04-07 16:50 26694 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\iiffecy.dll.vir
07-04-07 16:55 280676 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\awtqr.dll.vir
07-04-07 16:55 280676 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\geede.dll.vir
07-04-07 16:55 353 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\edeeg.ini.vir
07-04-12 07:49 280676 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ddccb.dll.vir
07-04-12 07:50 123972 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ffvaseug.dll.vir
07-04-12 07:50 48708 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mhibwdmo.dll.vir
07-04-13 15:11 123972 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cxkepfmd.dll.vir
07-04-14 12:44 1366951 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\bccdd.ini.vir
07-04-14 13:30 280676 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\pmkjg.dll.vir
07-04-14 13:31 123972 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cwfbiule.dll.vir
07-04-15 13:31 123972 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ljkvglep.dll.vir
07-04-15 13:31 1395016 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\gjkmp.bak2.vir
07-04-16 06:31 1393106 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\gjkmp.ini.vir
07-04-16 06:49 123972 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\yvlckdxo.dll.vir
07-04-16 06:49 1391967 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rtstv.bak1.vir
07-04-16 06:49 280676 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vtstr.dll.vir
07-04-16 18:34 1392640 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rtstv.tmp.vir
07-04-16 18:34 1394539 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rtstv.ini.vir
07-04-16 18:44 123972 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\xmwtunsp.dll.vir
07-04-16 18:44 1392590 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\dfhkj.bak1.vir
07-04-16 18:44 280676 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jkhfd.dll.vir
07-04-17 07:56 1394191 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\dfhkj.ini.vir
07-04-17 08:11 280676 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\geeda.dll.vir
07-04-17 08:12 123972 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\gvcrtuhb.dll.vir
07-04-17 08:12 1392590 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\adeeg.bak1.vir
07-04-17 10:38 1394548 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\adeeg.ini.vir


Folder PATH listing
Volume serial number is 2CE4-7A08
C:\QOOBOX
\---Quarantine
+---C
| \---WINDOWS
| \---system32
| adeeg.bak1.vir
| adeeg.ini.vir
| awtqr.dll.vir
| bccdd.ini.vir
| cwfbiule.dll.vir
| cxkepfmd.dll.vir
| ddccb.dll.vir
| dfhkj.bak1.vir
| dfhkj.ini.vir
| edeeg.ini.vir
| ffvaseug.dll.vir
| geeda.dll.vir
| geede.dll.vir
| gjkmp.bak2.vir
| gjkmp.ini.vir
| gvcrtuhb.dll.vir
| iiffecy.dll.vir
| jkhfd.dll.vir
| jkkhigh.dll.vir
| jkkiigf.dll.vir
| ljkvglep.dll.vir
| mhibwdmo.dll.vir
| pmkjg.dll.vir
| rtstv.bak1.vir
| rtstv.ini.vir
| rtstv.tmp.vir
| vtstr.dll.vir
| xmwtunsp.dll.vir
| yvlckdxo.dll.vir
|
\---Registry_backups
Last edited by tetonbob : 04-17-2007 at 09:43 AM.
cowboy13210 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 04-17-2007, 09:55 AM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,752
OS: 2000 Pro; XP Pro; XP Home


Re: Collected.11.B keeps returning
Hi cowboy13210 -

Please post the text file, C:\ComboFix2.txt

Apologies, but I also meant to ask for this.

Please post a new HijackThis log.

Do this:

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Last edited by tetonbob : 04-17-2007 at 09:56 AM.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 04-17-2007, 10:09 AM   #5 (permalink)
Registered User
 
cowboy13210's Avatar
 
Join Date: Apr 2007
Posts: 11
OS: XP


Re: Collected.11.B keeps returning
COMBOFIX2.text
"one" - 07-04-17 10:27:51 Service Pack 2
ComboFix 07-04-17.V - Running from: C:\Documents and Settings\one\Desktop\


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\adeeg.bak1
C:\WINDOWS\system32\adeeg.ini
C:\WINDOWS\system32\cwfbiule.dll
C:\WINDOWS\system32\cxkepfmd.dll
C:\WINDOWS\system32\ffvaseug.dll
C:\WINDOWS\system32\gvcrtuhb.dll
C:\WINDOWS\system32\ljkvglep.dll
C:\WINDOWS\system32\xmwtunsp.dll
C:\WINDOWS\system32\yvlckdxo.dll
C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\ddccb.dll
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\vtstr.dll
C:\WINDOWS\system32\mhibwdmo.dll
C:\WINDOWS\system32\iiffecy.dll
C:\WINDOWS\system32\jkkhigh.dll
C:\WINDOWS\system32\adeeg.bak1
C:\WINDOWS\system32\adeeg.ini
C:\WINDOWS\system32\adeeg.tmp
C:\WINDOWS\system32\gjkmp.bak2
C:\WINDOWS\system32\gjkmp.ini
C:\WINDOWS\system32\bccdd.ini
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\rtstv.bak1
C:\WINDOWS\system32\rtstv.ini
C:\WINDOWS\system32\rtstv.tmp
C:\WINDOWS\system32\geeda.dll
C:\WINDOWS\system32\jkkiigf.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((( Files Created from 2007-03-17 to 2007-04-17 ))))))))))))))))))))))))))))))))))


2007-04-17 07:31 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-17 07:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-16 10:45 <DIR> d-------- C:\Deckard
2007-04-16 09:35 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-04-15 06:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-04-15 06:57 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-11 20:51 <DIR> d-------- C:\Program Files\RogueRemover
2007-04-11 19:33 <DIR> d-------- C:\VundoFix Backups
2007-04-07 08:48 <DIR> d-------- C:\Program Files\Opera
2007-04-07 08:48 <DIR> d-------- C:\DOCUME~1\one\APPLIC~1\Opera
2007-04-06 08:08 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-04-06 08:08 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-04-06 08:07 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-04-06 08:07 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-04-06 08:07 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-04-06 08:07 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-04-06 08:07 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-04-06 08:07 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-04-06 08:07 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-04-06 08:07 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-04-04 17:25 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-04-04 17:25 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-04-04 17:24 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-04-01 04:56 <DIR> d-------- C:\20c3c74e86ab721be2
2007-04-01 03:06 <DIR> d-------- C:\Program Files\MSBuild
2007-04-01 02:58 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-04-01 02:56 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-04-01 02:09 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-03-31 19:15 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-03-31 19:14 <DIR> d-------- C:\Program Files\ATI Technologies
2007-03-31 19:12 <DIR> d-------- C:\ATI
2007-03-31 18:52 870,784 --a------ C:\WINDOWS\system32\ati3d1ag.dll
2007-03-31 18:52 2,824,512 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-03-31 18:52 1,972,224 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-03-31 18:52 1,288,960 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-03-31 18:51 348,160 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-03-31 18:51 265,728 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-03-20 17:16 <DIR> d-------- C:\Program Files\Extension Changer


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-17 10:40 -------- d-------- C:\DOCUME~1\one\APPLIC~1\skype
2007-04-17 07:33 -------- d-------- C:\DOCUME~1\one\APPLIC~1\lavasoft
2007-04-17 07:15 -------- d-------- C:\Program Files\yahoo!
2007-04-17 07:08 -------- d-------- C:\Program Files\newztoolz
2007-04-17 07:06 -------- d-------- C:\Program Files\grabit
2007-04-17 07:01 -------- d-------- C:\Program Files\jasc software inc
2007-04-12 12:13 -------- d-------- C:\Program Files\java
2007-04-12 06:58 -------- d-------- C:\Program Files\logitech
2007-04-06 09:45 -------- d-------- C:\DOCUME~1\one\APPLIC~1\dvdcss
2007-04-05 07:02 -------- d-------- C:\Program Files\keytext
2007-04-04 17:27 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-03-31 19:16 -------- d--h----- C:\Program Files\installshield installation information
2007-03-23 19:01 -------- d-------- C:\Program Files\torrentstorm
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-14 14:30 -------- d-------- C:\DOCUME~1\one\APPLIC~1\{27abead9-b7c4-4994-891f-48f5f48861fa}
2007-03-10 08:15 3350 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-03-09 19:07 -------- d-------- C:\DOCUME~1\one\APPLIC~1\jasc
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-02 16:57 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-03-02 16:54 307200 --a------ C:\WINDOWS\system32\atidemgx.dll
2007-03-02 16:47 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-03-02 16:47 26112 --a------ C:\WINDOWS\system32\ati2mdxx.exe
2007-03-02 16:47 118784 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-03-02 16:47 110592 --a------ C:\WINDOWS\system32\oemdspif.dll
2007-03-02 16:47 110592 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-03-02 16:46 446464 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-03-02 16:45 53248 --a------ C:\WINDOWS\system32\atiddc.dll
2007-03-02 16:29 3107788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2007-03-02 16:21 5398528 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-03-02 16:17 258048 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-03-02 16:16 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-02-26 11:44 147685 --a------ C:\WINDOWS\system32\atiicdxx.dat
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
{67C55A8D-E808-4caa-9EA7-F77102DE0BB6} C:\WINDOWS\system32\mhibwdmo.dll [x]
{7447BBD6-65E5-441C-875B-53FBA126D811} C:\WINDOWS\system32\pmkjg.dll [x]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{F9B896E7-0977-4DC6-B0F4-DFEC8C53A1C6} C:\WINDOWS\system32\ddccb.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"C-Media Mixer"="Mixer.exe /startup"
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"WebCamRT.exe"=""
"RocketAppCenter.exe"="\"C:\\Program Files\\Rocket Software\\Rocket Mobile & Security Apps\\MobileCenter.exe\""
"ProxyWay"="C:\\Program Files\\ProxyWay\\proxyway.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver\\LVCOMS.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-17 10:46:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-17 10:46


HIJACK THIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 12:03:03 PM, on 4/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Rocket Software\Rocket Mobile & Security Apps\MobileCenter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\mhibwdmo.dll (file missing)
O2 - BHO: (no name) - {7447BBD6-65E5-441C-875B-53FBA126D811} - C:\WINDOWS\system32\pmkjg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {F9B896E7-0977-4DC6-B0F4-DFEC8C53A1C6} - C:\WINDOWS\system32\ddccb.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [RocketAppCenter.exe] "C:\Program Files\Rocket Software\Rocket Mobile & Security Apps\MobileCenter.exe"
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://irc.everywherechat.com:8000/Java/cfs40320.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.5.3.3...ass2-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.5.5.2...ttso-en_US.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.6.0.2...oppa-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.5.3.3...pit2-en_US.cab
O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.6.0.2...reak-en_US.cab
O16 - DPF: Ride The Tide by pogo - http://game1.pogo.com/applet-6.5.3.4...ride-en_US.cab
O16 - DPF: Stellar Sweeper by pogo - http://game1.pogo.com/applet-6.5.5.3...eper-en_US.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.6.2.3...eaks-en_US.cab
O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.com/applet-6.5.3.3...ries-en_US.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt4_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/gam...s/y/poti_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/...ad/tgctlar.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123915191171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -