Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page help cleaning up
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 06-23-2007, 06:27 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 58
OS: WinXP


help cleaning up
hi again.....i recently just graduated and went to grad night....so i wasn't home for about a day and a half, and my relatives are at my house too and my little cousin was using my computer when i wasn't home and when i came back my computer was running slower then before here is my hijackthis log....



Logfile of HijackThis v1.99.1
Scan saved at 18:20, on 6/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\GRETECH\GomPlayer\GOM.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DHAutoRun] C:\Program Files\LITTLEGIANT\Foxplayer\DHAutoRun.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 플래쉬겟으로 모두 받기 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 플래쉬겟으로 받기 - C:\Program Files\FlashGet\jc_link.htm
O10 - Broken Internet access because of LSP provider 'prxernsp.dll' missing
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} - http://help.rr.com/Foundrysdccommon/...ad/tgctlar.cab
O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21FDDE58-51A6-402A-8040-39DA033DC196} (Pull0PlayerX Control) - http://image.pullbbang.com/newTop/Pull0Control.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5DAEF053-DEF0-4752-A963-CCE9B49B0B79} (Gogs Class) - http://cafe.naver.com/common/activex/nbgm.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {68253470-5D4F-4CDF-8D9C-353C14A2F013} (SVPorsche Control) - http://imgcdn.pandora.tv/pan_img/liv.../SVPorsche.cab
O16 - DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} (Imweb Control) - http://activexdown.paran.com/paranac...data/imweb.cab
O16 - DPF: {7FC751A9-492D-41B1-9F8D-D2C8809D8907} - http://pimg.hanmail.net/tv/cabs_2005...VInstaller.cab
O16 - DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} - http://www.altools.co.kr/ALDX.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} - http://www.diodeo.com/DioDeoPlayer.cab
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} - http://live.pdbox.co.kr:8057/WStarter.cab
O16 - DPF: {9C33ABEA-52B6-4895-85B0-E3BAB337EE3E} - http://pullshot.pullbbang.com/images/Pull0Player.ocx
O16 - DPF: {A79A1664-9145-4B61-A34B-0139959EE714} - http://www.diodeo.com/DioDeoPlayer.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} - http://www.camtour.co.kr/webeye/wg_webeye.cab
O16 - DPF: {A9A10555-AD70-4A69-A440-9159867E61B9} (muzmvset Class) - http://player.muz.co.kr/package/muzmvset.cab
O16 - DPF: {AF11AA64-87A5-4146-AF3B-A7BD0F278485} - http://download.soribada.com/down/So...24/SBStart.CAB
O16 - DPF: {AF60D574-F249-4243-8040-5521AAA5BB5E} (PandoraTVSet Class) - http://imgcdn.pandora.tv/pan_img/p3p...e/pdrtvset.cab
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,1
O16 - DPF: {BD6BB450-7C69-43B8-96F3-689CAE57AB51} - http://netv.sbs.co.kr/object/player/SBSWebPlayer.cab
O16 - DPF: {BE81B237-0EE9-40F6-BABB-0CE2C1DA7832} - http://activexdown.paran.com/paranac...a/ImPlayer.cab
O16 - DPF: {C294E262-4EC1-4407-8AB9-787269BC875D} - http://www.findclubbox.co.kr/ax_cb/cb.cab
O16 - DPF: {C2C16510-10F4-46FE-A82C-4846435EBDEB} (p3muzset Class) - http://casx.musiccity.co.kr/damoim/dll/p3damoimset.cab
O16 - DPF: {C394A9A2-C51D-4C26-BB2C-6DEB30A890F4} - http://www.diodeo.com/ActiveDiodeoPlayer.cab
O16 - DPF: {C4CD0ED6-5C46-432D-BF4E-3069700DEEBD} (PhotoTVControl Control) - http://www.myphototv.com/Box/Control...oTVControl.cab
O16 - DPF: {D0122112-9444-463A-AE2D-7EF5E2793AEE} - http://update.ad-zero.com/cab/ADZEROCom.cab
O16 - DPF: {D26A941D-7E89-4098-B583-43291FC14218} - http://image.pullbbang.com/images/Pull0Control.ocx
O16 - DPF: {DF472C86-9DD8-46C4-86D3-4A861DE82650} (LiveUpdate Class) - http://imgcdn.pandora.tv/pan_img/liv...iveUpdater.cab
O16 - DPF: {F0320816-41D9-49DD-B2F3-8E7B0AE32796} (AFCStarter Control) - http://live.pdbox.co.kr:8057/AFCStarter.cab
O16 - DPF: {F4A1D5E2-AF49-47A7-A945-23038106F3A4} (Pandora_SetUp Control) - http://imgcdn.pandora.tv/pan_img/lau...ra_SetUpAX.cab
O16 - DPF: {F9483795-6A21-47A0-949B-77E3E8A41989} (KTHPlayerCtrl Control) - http://mbox.paran.com/mbox/cabinets/KTHPlayerCtrl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
xdragonx is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Sponsored Links
Old 06-24-2007, 12:51 PM   #2 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 58
OS: WinXP


Re: help cleaning up
first the comp was just a little slow.....now its VERY sluggish...i understand you guys are busy, just writing new post so you guys won't forget -_-
xdragonx is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 06-24-2007, 03:21 PM   #3 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,264
OS: N/A


Re: help cleaning up
1. Download this file -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 06-24-2007, 04:43 PM   #4 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 58
OS: WinXP


Re: help cleaning up
thanks subs, here is combofix log

"admin" - 2007-06-24 16:12:33 - ComboFix 07-06-25.2 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\pmnnlmj.dll
C:\WINDOWS\system32\nnnmp.bak1
C:\WINDOWS\system32\nnnmp.bak2
C:\WINDOWS\system32\nnnmp.ini
C:\WINDOWS\system32\nnnmp.ini2
C:\WINDOWS\system32\nnnmp.tmp
C:\WINDOWS\system32\nnnmp.bak1
C:\WINDOWS\system32\nnnmp.bak2
C:\WINDOWS\system32\nnnmp.ini
C:\WINDOWS\system32\nnnmp.ini2
C:\WINDOWS\system32\nnnmp.tmp
C:\WINDOWS\system32\pmnnn.dll
C:\WINDOWS\system32\nnnnkkk.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\avp.exe
C:\WINDOWS\smgr.exe
C:\WINDOWS\system32\driver.exe
C:\WINDOWS\system32\msxml3a.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-05-24 to 2007-06-24 )))))))))))))))))))))))))))))))


2007-06-24 16:00 122,944 --a------ C:\WINDOWS\system32\snqubpqs.exe
2007-06-24 15:23 122,944 --a------ C:\WINDOWS\system32\klsgyios.exe
2007-06-24 10:58 122,944 --a------ C:\WINDOWS\system32\midwtspf.exe
2007-06-23 20:01 28,160 --a------ C:\WINDOWS\system32\sysmon32.exe
2007-06-23 17:48 <DIR> d-------- C:\Program Files\GNU
2007-06-23 17:37 <DIR> d-------- C:\Program Files\?еcurity
2007-06-23 16:39 236,747 --a------ C:\Program Files\FLVSPLITTER.exe
2007-06-22 19:16 <DIR> d-------- C:\Program Files\PictureProject In Touch Downloader
2007-06-22 19:15 765,952 --a------ C:\WINDOWS\system32\msvcp71d.dll
2007-06-22 19:15 76,800 -ra------ C:\WINDOWS\system32\RedEye.dll
2007-06-22 19:15 5,709,824 -ra------ C:\WINDOWS\system32\NkNEFPlugin.dll
2007-06-22 19:15 495,616 -ra------ C:\WINDOWS\system32\DRAGNKL1.dll
2007-06-22 19:15 48,128 -ra------ C:\WINDOWS\system32\picn20.dll
2007-06-22 19:15 180,224 -ra------ C:\WINDOWS\system32\Strato4.dll
2007-06-22 19:15 180,224 -ra------ C:\WINDOWS\system32\picn1120.dll
2007-06-22 19:15 155,648 -ra------ C:\WINDOWS\system32\picn1020.dll
2007-06-22 19:15 110,592 -ra------ C:\WINDOWS\system32\RCSigProc.dll
2007-06-22 19:15 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2007-06-22 19:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nikon
2007-06-22 19:15 <DIR> d-------- C:\DOCUME~1\admin\APPLIC~1\Nikon
2007-06-22 19:14 20 ---h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PKP_DLds.DAT
2007-06-22 19:14 <DIR> d-------- C:\Program Files\Nikon
2007-06-22 19:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ultima_T15
2007-06-22 19:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\EnterNHelp
2007-06-22 19:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Applause and Laugher
2007-06-22 19:11 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-06-22 19:11 <DIR> d-------- C:\Program Files\ArcSoft
2007-06-22 19:10 <DIR> d-------- C:\Program Files\Common Files\Nikon
2007-06-22 10:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-06-22 10:13 <DIR> d-------- C:\Program Files\DivXLand
2007-06-22 10:11 1,783,574 --a------ C:\Program Files\DivXLand_MediaSub_205.exe
2007-06-17 18:33 <DIR> d-------- C:\Program Files\KONAMI
2007-06-17 16:29 23,220,928 --a------ C:\Program Files\JAD7_BASIC.exe
2007-06-09 11:05 <DIR> d-------- C:\Program Files\DkZ Studio
2007-06-09 11:03 <DIR> d-------- C:\Program Files\dkz
2007-06-01 23:23 <DIR> d-------- C:\Program Files\afreeca
2007-06-01 23:10 53,248 --a------ C:\WINDOWS\system32\PrxerNsp.dll
2007-06-01 23:10 53,248 --a------ C:\WINDOWS\system32\PrxerDrv.dll
2007-06-01 23:10 <DIR> d-------- C:\Program Files\Proxifier
2007-06-01 23:09 701,713 --a------ C:\Program Files\ProxifierSetup.exe
2007-06-01 18:10 <DIR> d-------- C:\Program Files\COWON
2007-06-01 15:20 921,600 --a------ C:\WINDOWS\system32\vorbisenc.dll
2007-06-01 15:20 45,056 --a------ C:\WINDOWS\system32\ogg.dll
2007-06-01 15:20 237,568 --a------ C:\WINDOWS\system32\OggDS.dll
2007-06-01 15:20 188,416 --a------ C:\WINDOWS\system32\vorbis.dll
2007-06-01 15:11 <DIR> d-------- C:\DOCUME~1\admin\APPLIC~1\COWON
2007-06-01 15:06 <DIR> d-------- C:\Program Files\JetAudio
2007-06-01 15:06 <DIR> d-------- C:\Program Files\Common Files\COWON
2007-05-30 20:51 26,057 --a------ C:\subafsfile0.bin
2007-05-24 16:13 <DIR> d-------- C:\Deckard
2007-05-24 16:11 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-24 04:07 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-24 03:20 <DIR> d-------- C:\Program Files\backups
2007-05-24 03:16 1,308,216 --a------ C:\Program Files\HiJackThis_v2.exe
2007-05-24 02:02 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-05-24 02:02 208,248 --a------ C:\WINDOWS\system32\muweb.dll
2007-05-24 01:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-24 23:31:08 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-24 23:09:56 -------- d-----w C:\Program Files\FlashGet
2007-06-24 18:02:45 -------- d-----w C:\Program Files\CCleaner
2007-06-24 00:37:37 -------- d-----w C:\Program Files\?еcurity
2007-06-23 02:15:03 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-20 05:03:36 -------- d-----w C:\Program Files\NetFolder
2007-06-16 00:54:25 -------- d-----w C:\Program Files\Minilyrics
2007-06-13 01:54:56 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\LimeWire
2007-06-13 00:16:43 -------- d-----w C:\Program Files\GRETECH
2007-06-13 00:16:43 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\GRETECH
2007-06-10 02:02:24 -------- d-----w C:\Program Files\TVAnts
2007-06-10 02:01:17 2,838,136 ----a-w C:\Program Files\TvantsSetup.EXE
2007-06-09 18:37:58 -------- d-----w C:\Program Files\Game Graphic Studio
2007-06-09 18:04:06 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-06-09 05:19:41 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\Fileguri
2007-05-31 04:21:56 54,304 ----a-w C:\bin0.bin
2007-05-29 2142 565,248 ----a-w C:\WINDOWS\system32\IdiskLauncherEx.exe
2007-05-28 02:46:08 -------- d-----w C:\Program Files\Nowcom
2007-05-26 05:56:47 -------- d-----w C:\Program Files\StepMania
2007-05-24 21:26:19 8,224 ----a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-05-24 11:10:23 -------- d-----w C:\Program Files\Microsoft Works
2007-05-24 07:53:50 -------- d-----w C:\Program Files\Winamp
2007-05-24 03:08:45 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\SmartDraw
2007-05-22 02:26:26 12,302,384 ----a-w C:\Program Files\widgetsus.exe
2007-05-21 01:13:46 -------- d-----w C:\Program Files\DivX
2007-05-21 01:02:03 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\dvdcss
2007-05-20 22:44:40 6,221,304 ----a-w C:\Program Files\winamp535_full_emusic-7plus.exe
2007-05-20 20:50:38 2,719,216 ----a-w C:\Program Files\ccsetup140.exe
2007-05-19 00:25:57 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\ESTsoft
2007-05-19 00:24:44 -------- d-----w C:\Program Files\ESTsoft
2007-05-19 00:22:13 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\U3
2007-05-18 04:33:11 -------- d-----w C:\Program Files\FT8D91
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-10 01:43:24 1 ----a-w C:\mcheck_dio.dat
2007-05-08 09:56:27 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\MusicIP
2007-05-05 22:30:35 -------- d-----w C:\Program Files\MiniLyrics.v4.5.2266.Incl.Crack-iNViSiBLE
2007-05-05 22:29:35 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\uTorrent
2007-04-27 03:11:29 1,053,184 ----a-w C:\WINDOWS\system32\mfc71u.dll
2007-04-27 03:11:08 2,801,756 ----a-w C:\WINDOWS\system32\libmmd.dll
2007-04-27 02:48:48 1,700,352 ----a-w C:\WINDOWS\system32\gdiplus.dll
2007-04-26 01:42:33 -------- d-----w C:\Program Files\AC3Filter
2007-04-26 01:40:47 2,139,213 ----a-w C:\Program Files\ac3filter_1_30b.exe
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-21 01:49:44 2,714,784 ----a-w C:\Program Files\ccsetup139.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-15 05:26:44 19,994,184 ----a-w C:\Program Files\QuickTimeInstaller.exe
2007-04-11 04:37:19 3,374,720 ----a-w C:\Program Files\EasyLink_Connect.exe
2007-04-09 00:24:43 794,624 ----a-w C:\WINDOWS\system32\pdrtvctl.dll
2007-04-09 00:24:43 204,800 ----a-w C:\WINDOWS\system32\pdrtvsvr.exe
2007-04-09 00:24:43 204,800 ----a-w C:\WINDOWS\system32\pdrtvf2.dll
2007-04-09 00:24:43 147,456 ----a-w C:\WINDOWS\system32\pdrtvf1.dll
2007-04-09 00:24:43 1,091,584 ----a-w C:\WINDOWS\system32\pavc.dll
2007-03-31 23:20:11 6,006,832 ----a-w C:\Program Files\Firefox Setup 2.0.0.3.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\PROGRA~1\FlashGet\jccatch.dll [2006-05-16 15:19]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 03:23]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 05:00]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]
"DHAutoRun"="C:\Program Files\LITTLEGIANT\Foxplayer\DHAutoRun.exe" [2007-01-25 15:37]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-07-29 19:34]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 11:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmfu32]
winmfu32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\admin\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DHAutoRun]
C:\Program Files\LITTLEGIANT\Foxplayer\DHAutoRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fileguri]
"C:\Program Files\Freechal\Fileguri\Fileguri.exe" PathFileguri /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{047efda1-059e-11dc-bab6-0016171b4a49}]
AutoRun\command- F:\LaunchU3.exe -a


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-24 16:32:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

cmd.exe [2712]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-24 16:35:51 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-24 16:35

--- E O F ---




here is hijack this


Logfile of HijackThis v1.99.1
Scan saved at 16:43, on 6/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DHAutoRun] C:\Program Files\LITTLEGIANT\Foxplayer\DHAutoRun.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 플래쉬겟으로 모두 받기 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 플래쉬겟으로 받기 - C:\Program Files\FlashGet\jc_link.htm
O10 - Broken Internet access because of LSP provider 'prxernsp.dll' missing
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} - http://help.rr.com/Foundrysdccommon/...ad/tgctlar.cab
O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21FDDE58-51A6-402A-8040-39DA033DC196} (Pull0PlayerX Control) - http://image.pullbbang.com/newTop/Pull0Control.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5DAEF053-DEF0-4752-A963-CCE9B49B0B79} (Gogs Class) - http://cafe.naver.com/common/activex/nbgm.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {68253470-5D4F-4CDF-8D9C-353C14A2F013} (SVPorsche Control) - http://imgcdn.pandora.tv/pan_img/liv.../SVPorsche.cab
O16 - DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} (Imweb Control) - http://activexdown.paran.com/paranac...data/imweb.cab
O16 - DPF: {7FC751A9-492D-41B1-9F8D-D2C8809D8907} - http://pimg.hanmail.net/tv/cabs_2005...VInstaller.cab
O16 - DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} - http://www.altools.co.kr/ALDX.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} - http://www.diodeo.com/DioDeoPlayer.cab
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} - http://live.pdbox.co.kr:8057/WStarter.cab
O16 - DPF: {9C33ABEA-52B6-4895-85B0-E3BAB337EE3E} - http://pullshot.pullbbang.com/images/Pull0Player.ocx
O16 - DPF: {A79A1664-9145-4B61-A34B-0139959EE714} - http://www.diodeo.com/DioDeoPlayer.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} - http://www.camtour.co.kr/webeye/wg_webeye.cab
O16 - DPF: {A9A10555-AD70-4A69-A440-9159867E61B9} (muzmvset Class) - http://player.muz.co.kr/package/muzmvset.cab
O16 - DPF: {AF11AA64-87A5-4146-AF3B-A7BD0F278485} - http://download.soribada.com/down/So...24/SBStart.CAB
O16 - DPF: {AF60D574-F249-4243-8040-5521AAA5BB5E} (PandoraTVSet Class) - http://imgcdn.pandora.tv/pan_img/p3p...e/pdrtvset.cab
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,1
O16 - DPF: {BD6BB450-7C69-43B8-96F3-689CAE57AB51} - http://netv.sbs.co.kr/object/player/SBSWebPlayer.cab
O16 - DPF: {BE81B237-0EE9-40F6-BABB-0CE2C1DA7832} - http://activexdown.paran.com/paranac...a/ImPlayer.cab
O16 - DPF: {C294E262-4EC1-4407-8AB9-787269BC875D} - http://www.findclubbox.co.kr/ax_cb/cb.cab
O16 - DPF: {C2C16510-10F4-46FE-A82C-4846435EBDEB} (p3muzset Class) - http://casx.musiccity.co.kr/damoim/dll/p3damoimset.cab
O16 - DPF: {C394A9A2-C51D-4C26-BB2C-6DEB30A890F4} - http://www.diodeo.com/ActiveDiodeoPlayer.cab
O16 - DPF: {C4CD0ED6-5C46-432D-BF4E-3069700DEEBD} (PhotoTVControl Control) - http://www.myphototv.com/Box/Control...oTVControl.cab
O16 - DPF: {D0122112-9444-463A-AE2D-7EF5E2793AEE} - http://update.ad-zero.com/cab/ADZEROCom.cab
O16 - DPF: {D26A941D-7E89-4098-B583-43291FC14218} - http://image.pullbbang.com/images/Pull0Control.ocx
O16 - DPF: {DF472C86-9DD8-46C4-86D3-4A861DE82650} (LiveUpdate Class) - http://imgcdn.pandora.tv/pan_img/liv...iveUpdater.cab
O16 - DPF: {F0320816-41D9-49DD-B2F3-8E7B0AE32796} (AFCStarter Control) - http://live.pdbox.co.kr:8057/AFCStarter.cab
O16 - DPF: {F4A1D5E2-AF49-47A7-A945-23038106F3A4} (Pandora_SetUp Control) - http://imgcdn.pandora.tv/pan_img/lau...ra_SetUpAX.cab
O16 - DPF: {F9483795-6A21-47A0-949B-77E3E8A41989} (KTHPlayerCtrl Control) - http://mbox.paran.com/mbox/cabinets/KTHPlayerCtrl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
xdragonx is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 06-25-2007, 12:15 AM   #5 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,264
OS: N/A


Re: help cleaning up
Before fixing anything, open notepad and Copy/Paste the text in the box below into it:

Code:
@echo off
move /y "C:\Program Files\??curity"  "c:\QooBox\Quarantine\curity~1" >nul
For %%g in (
C:\WINDOWS\system32\snqubpqs.exe
C:\WINDOWS\system32\klsgyios.exe
C:\WINDOWS\system32\midwtspf.exe
) do catchme -l nul -k %%g >nul
echo.Please submit the file, catchme.zip located on Desktop
pause
exit
Save this as Submit.bat Choose to "Save type as - All Files". It should look like this:
Double click on Submit.bat & allow it to generate a zipped file on your Desktop called catchme.zip
Please submit catchme.zip to this site → http://www.bleepingcomputer.com/subm....php?channel=4

The file must be uploaded before proceeding to the next step.


---------------


Do a HijackThis scan & place a check next to these items and select "Fix checked":

O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} -
O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)


---------------


Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\system32\snqubpqs.exe
C:\WINDOWS\system32\klsgyios.exe
C:\WINDOWS\system32\midwtspf.exe
C:\WINDOWS\system32\sysmon32.exe
Save this as ComboFix-Do.txt




Refering to the picture above, drag ComboFix-Do.txt into ComboFix.exe
Then post the resultant log


---------------


Please perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. We only require a report from it.
    It does not provide an option to clean/disinfect.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.


---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 06-26-2007, 11:31 AM   #6 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 58
OS: WinXP


Re: help cleaning up
i have submitted the catchme.zip and i encountered no problems at all while performing any of the steps and the computer seems to be working like before..

here is hijack this


Logfile of HijackThis v1.99.1
Scan saved at 11:28, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DHAutoRun] C:\Program Files\LITTLEGIANT\Foxplayer\DHAutoRun.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 플래쉬겟으로 모두 받기 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 플래쉬겟으로 받기 - C:\Program Files\FlashGet\jc_link.htm
O10 - Broken Internet access because of LSP provider 'prxernsp.dll' missing
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} - http://help.rr.com/Foundrysdccommon/...ad/tgctlar.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21FDDE58-51A6-402A-8040-39DA033DC196} (Pull0PlayerX Control) - http://image.pullbbang.com/newTop/Pull0Control.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5DAEF053-DEF0-4752-A963-CCE9B49B0B79} (Gogs Class) - http://cafe.naver.com/common/activex/nbgm.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {68253470-5D4F-4CDF-8D9C-353C14A2F013} (SVPorsche Control) - http://imgcdn.pandora.tv/pan_img/liv.../SVPorsche.cab
O16 - DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} (Imweb Control) - http://activexdown.paran.com/paranac...data/imweb.cab
O16 - DPF: {7FC751A9-492D-41B1-9F8D-D2C8809D8907} - http://pimg.hanmail.net/tv/cabs_2005...VInstaller.cab
O16 - DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} - http://www.altools.co.kr/ALDX.cab
O16 - DPF: {9B75502C-BBED-4BBD-8FE2-822E5E0AD32C} - http://www.diodeo.com/DioDeoPlayer.cab
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} - http://live.pdbox.co.kr:8057/WStarter.cab
O16 - DPF: {9C33ABEA-52B6-4895-85B0-E3BAB337EE3E} - http://pullshot.pullbbang.com/images/Pull0Player.ocx
O16 - DPF: {A79A1664-9145-4B61-A34B-0139959EE714} - http://www.diodeo.com/DioDeoPlayer.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} - http://www.camtour.co.kr/webeye/wg_webeye.cab
O16 - DPF: {A9A10555-AD70-4A69-A440-9159867E61B9} (muzmvset Class) - http://player.muz.co.kr/package/muzmvset.cab
O16 - DPF: {AF11AA64-87A5-4146-AF3B-A7BD0F278485} - http://download.soribada.com/down/So...24/SBStart.CAB
O16 - DPF: {AF60D574-F249-4243-8040-5521AAA5BB5E} (PandoraTVSet Class) - http://imgcdn.pandora.tv/pan_img/p3p...e/pdrtvset.cab
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,3,1
O16 - DPF: {BD6BB450-7C69-43B8-96F3-689CAE57AB51} - http://netv.sbs.co.kr/object/player/SBSWebPlayer.cab
O16 - DPF: {BE81B237-0EE9-40F6-BABB-0CE2C1DA7832} - http://activexdown.paran.com/paranac...a/ImPlayer.cab
O16 - DPF: {C294E262-4EC1-4407-8AB9-787269BC875D} - http://www.findclubbox.co.kr/ax_cb/cb.cab
O16 - DPF: {C2C16510-10F4-46FE-A82C-4846435EBDEB} (p3muzset Class) - http://casx.musiccity.co.kr/damoim/dll/p3damoimset.cab
O16 - DPF: {C394A9A2-C51D-4C26-BB2C-6DEB30A890F4} - http://www.diodeo.com/ActiveDiodeoPlayer.cab
O16 - DPF: {C4CD0ED6-5C46-432D-BF4E-3069700DEEBD} (PhotoTVControl Control) - http://www.myphototv.com/Box/Control...oTVControl.cab
O16 - DPF: {D0122112-9444-463A-AE2D-7EF5E2793AEE} - http://update.ad-zero.com/cab/ADZEROCom.cab
O16 - DPF: {D26A941D-7E89-4098-B583-43291FC14218} - http://image.pullbbang.com/images/Pull0Control.ocx
O16 - DPF: {DF472C86-9DD8-46C4-86D3-4A861DE82650} (LiveUpdate Class) - http://imgcdn.pandora.tv/pan_img/liv...iveUpdater.cab
O16 - DPF: {F0320816-41D9-49DD-B2F3-8E7B0AE32796} (AFCStarter Control) - http://live.pdbox.co.kr:8057/AFCStarter.cab
O16 - DPF: {F4A1D5E2-AF49-47A7-A945-23038106F3A4} (Pandora_SetUp Control) - http://imgcdn.pandora.tv/pan_img/lau...ra_SetUpAX.cab
O16 - DPF: {F9483795-6A21-47A0-949B-77E3E8A41989} (KTHPlayerCtrl Control) - http://mbox.paran.com/mbox/cabinets/KTHPlayerCtrl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


here is the kaspersky online results


Tuesday, June 26, 2007 11:14
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 26/06/2007
Kaspersky Anti-Virus database records: 353503


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases false

Scan Target My Computer
A:\
C:\
D:\
E:\
G:\

Scan Statistics
Total number of scanned objects 112989
Number of viruses found 23
Number of infected objects 74 / 0
Number of suspicious objects 2
Duration of the scan process 02:55:31

Infected Object Name Virus Name Last Action
C:\Documents and Settings\admin\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\admin\Local Settings\Application Data\Yahoo\Widget Engine\Widgets DB\widgets.db Object is locked skipped

C:\Documents and Settings\admin\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\admin\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\admin\NTUSER.DAT.LOG Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/win19E.tmp.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01440000.VBN/Setup.exe Infected: Worm.Win32.VB.an skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01440000.VBN ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01440000.VBN CryptZ: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01980000.VBN Infected: Backdoor.Win32.Pakes skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04A00000.VBN/Setup.exe Infected: P2P-Worm.Win32.SpyBot.gz skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04A00000.VBN ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04A00000.VBN CryptZ: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D00000.VBN/setup.exe Infected: not-a-virus:AdWare.Win32.AdvertMen.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D00000.VBN ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D00000.VBN CryptZ: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07200000.VBN/Setup.exe Infected: Backdoor.Win32.IRCBot.tk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07200000.VBN ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07200000.VBN CryptZ: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07740000.VBN/Setup.exe Infected: P2P-Worm.Win32.VB.dw skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07740000.VBN ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07740000.VBN CryptZ: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\081C0000.VBN/[CRACKS] Absynth 3 serial numbers and keygen.exe Infected: not-a-virus:AdWare.Win32.180Solutions.as skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\081C0000.VBN ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\081C0000.VBN CryptZ: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09580000.VBN/Setup.exe Infected: Worm.Win32.VB.an skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09580000.VBN ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09580000.VBN CryptZ: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF00000\4EF8BCBF.VBN Infected: Trojan-Clicker.Win32.Agent.is skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F680000.VBN/Setup.exe Infected: P2P-Worm.Win32.VB.dw skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F680000.VBN ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F680000.VBN CryptZ: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped

C:\Program Files\Symantec AntiVirus\SAVRT\0512NAV~.TMP Object is locked skipped

C:\Program Files\Symantec AntiVirus\SAVRT\0819NAV~.TMP Object is locked skipped

C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1162OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\QooBox\Quarantine\C\WINDOWS\avp.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.b skipped

C:\QooBox\Quarantine\C\WINDOWS\smgr.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\driver.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.c skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\nnnnkkk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\phhrpg.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\pmnnlmj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\ucewncqg.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\QooBox\Quarantine\catchme2007-06-25_221724.64.zip/snqubpqs.exe Infected: Trojan.Win32.Agent.aoy skipped

C:\QooBox\Quarantine\catchme2007-06-25_221724.64.zip/klsgyios.exe Infected: Trojan.Win32.Agent.aoy skipped

C:\QooBox\Quarantine\catchme2007-06-25_221724.64.zip/midwtspf.exe Infected: Trojan.Win32.Agent.aoy skipped

C:\QooBox\Quarantine\catchme2007-06-25_221724.64.zip ZIP: infected - 3 skipped

C:\QooBox\Quarantine\curity~1\chkntfs.exe Infected: Trojan-Downloader.Win32.PurityScan.ej skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP438\A0064418.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP438\A0064420.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP438\A0064420.exe/data.rar/crack.exe Infected: Trojan.Win32.Agent.apt skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP438\A0064420.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP438\A0064420.exe/data.rar/install.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP438\A0064420.exe/data.rar Infected: Trojan-Downloader.Win32.Agent.bls skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP438\A0064420.exe RarSFX: infected - 5 skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP438\A0064421.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064443.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064444.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064445.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064446.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064448.exe Infected: Trojan-Downloader.Win32.Alphabet.b skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064449.dll Infected: Trojan.Win32.Dialer.qn skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064451.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064452.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064460.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064460.exe/data.rar/crack.exe Infected: Trojan.Win32.Agent.apt skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064460.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064460.exe/data.rar/install.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064460.exe/data.rar Infected: Trojan-Downloader.Win32.Agent.bls skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064460.exe RarSFX: infected - 5 skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064575.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064576.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064577.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064578.dll Infected: Trojan.Win32.Dialer.qn skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0064579.exe Infected: Trojan-Downloader.Win32.Alphabet.b skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0065533.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0065580.exe Infected: Trojan-Downloader.Win32.Alphabet.b skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0065581.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0065582.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0065584.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP440\A0065588.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped

C:\System Volume Information\_restore{9C6D3BBA-122B-4B5E-BB3D-F892C47789C2}\RP442\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped

C:\WINDOWS\system32\sysmon32.exe Infected: Trojan-Downloader.Win32.Alphabet.c skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


here is the combofix log


"admin" - 2007-06-25 22:10:19 - ComboFix 07-06-25.2 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\admin\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))


2007-06-24 16:00 122,944 --a------ C:\WINDOWS\system32\snqubpqs.exe
2007-06-24 15:23 122,944 --a------ C:\WINDOWS\system32\klsgyios.exe
2007-06-24 10:58 122,944 --a------ C:\WINDOWS\system32\midwtspf.exe
2007-06-23 20:01 28,160 --a------ C:\WINDOWS\system32\sysmon32.exe
2007-06-23 17:48 <DIR> d-------- C:\Program Files\GNU
2007-06-23 16:39 236,747 --a------ C:\Program Files\FLVSPLITTER.exe
2007-06-22 19:16 <DIR> d-------- C:\Program Files\PictureProject In Touch Downloader
2007-06-22 19:15 765,952 --a------ C:\WINDOWS\system32\msvcp71d.dll
2007-06-22 19:15 76,800 -ra------ C:\WINDOWS\system32\RedEye.dll
2007-06-22 19:15 5,709,824 -ra------ C:\WINDOWS\system32\NkNEFPlugin.dll
2007-06-22 19:15 495,616 -ra------ C:\WINDOWS\system32\DRAGNKL1.dll
2007-06-22 19:15 48,128 -ra------ C:\WINDOWS\system32\picn20.dll
2007-06-22 19:15 180,224 -ra------ C:\WINDOWS\system32\Strato4.dll
2007-06-22 19:15 180,224 -ra------ C:\WINDOWS\system32\picn1120.dll
2007-06-22 19:15 155,648 -ra------ C:\WINDOWS\system32\picn1020.dll
2007-06-22 19:15 110,592 -ra------ C:\WINDOWS\system32\RCSigProc.dll
2007-06-22 19:15 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2007-06-22 19:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nikon
2007-06-22 19:15 <DIR> d-------- C:\DOCUME~1\admin\APPLIC~1\Nikon
2007-06-22 19:14 20 ---h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PKP_DLds.DAT
2007-06-22 19:14 <DIR> d-------- C:\Program Files\Nikon
2007-06-22 19:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ultima_T15
2007-06-22 19:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\EnterNHelp
2007-06-22 19:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Applause and Laugher
2007-06-22 19:11 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-06-22 19:11 <DIR> d-------- C:\Program Files\ArcSoft
2007-06-22 19:10 <DIR> d-------- C:\Program Files\Common Files\Nikon
2007-06-22 10:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-06-22 10:13 <DIR> d-------- C:\Program Files\DivXLand
2007-06-22 10:11 1,783,574 --a------ C:\Program Files\DivXLand_MediaSub_205.exe
2007-06-17 18:33 <DIR> d-------- C:\Program Files\KONAMI
2007-06-17 16:29 23,220,928 --a------ C:\Program Files\JAD7_BASIC.exe
2007-06-09 11:05 <DIR> d-------- C:\Program Files\DkZ Studio
2007-06-09 11:03 <DIR> d-------- C:\Program Files\dkz
2007-06-01 23:23 <DIR> d-------- C:\Program Files\afreeca
2007-06-01 23:10 53,248 --a------ C:\WINDOWS\system32\PrxerNsp.dll
2007-06-01 23:10 53,248 --a------ C:\WINDOWS\system32\PrxerDrv.dll
2007-06-01 23:10 <DIR> d-------- C:\Program Files\Proxifier
2007-06-01 23:09 701,713 --a------ C:\Program Files\ProxifierSetup.exe
2007-06-01 18:10 <DIR> d-------- C:\Program Files\COWON
2007-06-01 15:20 921,600 --a------ C:\WINDOWS\system32\vorbisenc.dll
2007-06-01 15:20 45,056 --a------ C:\WINDOWS\system32\ogg.dll
2007-06-01 15:20 237,568 --a------ C:\WINDOWS\system32\OggDS.dll
2007-06-01 15:20 188,416 --a------ C:\WINDOWS\system32\vorbis.dll
2007-06-01 15:11 <DIR> d-------- C:\DOCUME~1\admin\APPLIC~1\COWON
2007-06-01 15:06 <DIR> d-------- C:\Program Files\JetAudio
2007-06-01 15:06 <DIR> d-------- C:\Program Files\Common Files\COWON
2007-05-30 20:51 26,057 --a------ C:\subafsfile0.bin


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-25 02:14:00 -------- d-----w C:\Program Files\Minilyrics
2007-06-24 23:34:30 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-24 23:09:56 -------- d-----w C:\Program Files\FlashGet
2007-06-24 18:02:45 -------- d-----w C:\Program Files\CCleaner
2007-06-23 02:15:03 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-20 05:03:36 -------- d-----w C:\Program Files\NetFolder
2007-06-13 01:54:56 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\LimeWire
2007-06-13 00:16:43 -------- d-----w C:\Program Files\GRETECH
2007-06-13 00:16:43 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\GRETECH
2007-06-10 02:02:24 -------- d-----w C:\Program Files\TVAnts
2007-06-10 02:01:17 2,838,136 ----a-w C:\Program Files\TvantsSetup.EXE
2007-06-09 18:37:58 -------- d-----w C:\Program Files\Game Graphic Studio
2007-06-09 18:04:06 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-06-09 05:19:41 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\Fileguri
2007-05-31 04:21:56 54,304 ----a-w C:\bin0.bin
2007-05-29 2142 565,248 ----a-w C:\WINDOWS\system32\IdiskLauncherEx.exe
2007-05-28 02:46:08 -------- d-----w C:\Program Files\Nowcom
2007-05-26 05:56:47 -------- d-----w C:\Program Files\StepMania
2007-05-24 21:26:19 8,224 ----a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-05-24 11:10:23 -------- d-----w C:\Program Files\Microsoft Works
2007-05-24 11:07:20 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-24 10:22:13 -------- d-----w C:\Program Files\backups
2007-05-24 07:53:50 -------- d-----w C:\Program Files\Winamp
2007-05-24 03:08:45 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\SmartDraw
2007-05-22 02:26:26 12,302,384 ----a-w C:\Program Files\widgetsus.exe
2007-05-21 01:13:46 -------- d-----w C:\Program Files\DivX
2007-05-21 01:02:03 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\dvdcss
2007-05-20 22:44:40 6,221,304 ----a-w C:\Program Files\winamp535_full_emusic-7plus.exe
2007-05-20 20:50:38 2,719,216 ----a-w C:\Program Files\ccsetup140.exe
2007-05-19 00:25:57 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\ESTsoft
2007-05-19 00:24:44 -------- d-----w C:\Program Files\ESTsoft
2007-05-19 00:22:13 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\U3
2007-05-18 04:33:11 -------- d-----w C:\Program Files\FT8D91
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-10 01:43:24 1 ----a-w C:\mcheck_dio.dat
2007-05-08 09:56:27 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\MusicIP
2007-05-05 22:30:35 -------- d-----w C:\Program Files\MiniLyrics.v4.5.2266.Incl.Crack-iNViSiBLE
2007-05-05 22:29:35 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\uTorrent
2007-04-27 03:11:29 1,053,184 ----a-w C:\WINDOWS\system32\mfc71u.dll
2007-04-27 03:11:08 2,801,756 ----a-w C:\WINDOWS\system32\libmmd.dll
2007-04-27 02:48:48 1,700,352 ----a-w C:\WINDOWS\system32\gdiplus.dll
2007-04-26 01:42:33 -------- d-----w C:\Program Files\AC3Filter
2007-04-26 01:40:47 2,139,213 ----a-w C:\Program Files\ac3filter_1_30b.exe
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-21 01:49:44 2,714,784 ----a-w C:\Program Files\ccsetup139.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 05:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 05:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-15 05:26:44 19,994,184 ----a-w C:\Program Files\QuickTimeInstaller.exe
2007-04-11 04:37:19 3,374,720 ----a-w C:\Program Files\EasyLink_Connect.exe
2007-04-09 00:24:43 794,624 ----a-w C:\WINDOWS\system32\pdrtvctl.dll
2007-04-09 00:24:43 204,800 ----a-w C:\WINDOWS\system32\pdrtvsvr.exe
2007-04-09 00:24:43 204,800 ----a-w C:\WINDOWS\system32\pdrtvf2.dll
2007-04-09 00:24:43 147,456 ----a-w C:\WINDOWS\system32\pdrtvf1.dll
2007-04-09 00:24:43 1,091,584 ----a-w C:\WINDOWS\system32\pavc.dll
2007-03-31 23:20:11 6,006,832 ----a-w C:\Program Files\Firefox Setup 2.0.0.3.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\PROGRA~1\FlashGet\jccatch.dll [2006-05-16 15:19]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 03:23]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 05:00]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]
"DHAutoRun"="C:\Program Files\LITTLEGIANT\Foxplayer\DHAutoRun.exe" [2007-01-25 15:37]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-07-29 19:34]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 11:31]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\admin\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DHAutoRun]
C:\Program Files\LITTLEGIANT\Foxplayer\DHAutoRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fileguri]
"C:\Program Files\Freechal\Fileguri\Fileguri.exe" PathFileguri /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{047efda1-059e-11dc-bab6-0016171b4a49}]
AutoRun\command- F:\LaunchU3.exe -a


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 22:17:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-25 22:18:26
C:\ComboFix-quarantined-files.txt ... 2007-06-25 22:18
C:\ComboFix2.txt ... 2007-06-24 16:35

--- E O F ---
xdragonx is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 06-26-2007, 11:38 AM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,264
OS: N/A


Re: help cleaning up
Hmm ...the combofix log looks odd.
Please open the file - C:\Documents and Settings\admin\Desktop\ComboFix-Do.txt

Check if the contents look exactly like this:

File::
C:\WINDOWS\system32\snqubpqs.exe
C:\WINDOWS\system32\klsgyios.exe
C:\WINDOWS\system32\midwtspf.exe
C:\WINDOWS\system32\sysmon32.exe
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 06-26-2007, 01:04 PM   #8 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 58
OS: WinXP


Re: help cleaning up
looks exactly the same
xdragonx is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 06-26-2007, 01:06 PM   #9 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,264
OS: N/A


Re: help cleaning up
Could I trouble you to run it once more?

Thanks
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 06-26-2007, 04:03 PM   #10 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 58
OS: WinXP


Re: help cleaning up
no problem i think its the same thing but here it is


"admin" - 2007-06-26 15:32:52 - ComboFix 07-06-25.2 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\admin\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))


2007-06-26 04:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-26 04:11 <DIR> d-------- C:\WINDOWS\LastGood
2007-06-24 16:00 122,944 --a------ C:\WINDOWS\system32\snqubpqs.exe
2007-06-24 15:23 122,944 --a------ C:\WINDOWS\system32\klsgyios.exe
2007-06-24 10:58 122,944 --a------ C:\WINDOWS\system32\midwtspf.exe
2007-06-23 20:01 28,160 --a------ C:\WINDOWS\system32\sysmon32.exe
2007-06-23 17:48 <DIR> d-------- C:\Program Files\GNU
2007-06-23 16:39 236,747 --a------ C:\Program Files\FLVSPLITTER.exe
2007-06-22 19:16 <DIR> d-------- C:\Program Files\PictureProject In Touch Downloader
2007-06-22 19:15 765,952 --a------ C:\WINDOWS\system32\msvcp71d.dll
2007-06-22 19:15 76,800 -ra------ C:\WINDOWS\system32\RedEye.dll
2007-06-22 19:15 5,709,824 -ra------ C:\WINDOWS\system32\NkNEFPlugin.dll
2007-06-22 19:15 495,616 -ra------ C:\WINDOWS\system32\DRAGNKL1.dll
2007-06-22 19:15 48,128 -ra------ C:\WINDOWS\system32\picn20.dll
2007-06-22 19:15 180,224 -ra------ C:\WINDOWS\system32\Strato4.dll
2007-06-22 19:15 180,224 -ra------ C:\WINDOWS\system32\picn1120.dll
2007-06-22 19:15 155,648 -ra------ C:\WINDOWS\system32\picn1020.dll
2007-06-22 19:15 110,592 -ra------ C:\WINDOWS\system32\RCSigProc.dll
2007-06-22 19:15 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2007-06-22 19:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nikon
2007-06-22 19:15 <DIR> d-------- C:\DOCUME~1\admin\APPLIC~1\Nikon
2007-06-22 19:14 20 ---h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PKP_DLds.DAT
2007-06-22 19:14 <DIR> d-------- C:\Program Files\Nikon
2007-06-22 19:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ultima_T15
2007-06-22 19:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\EnterNHelp
2007-06-22 19:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Applause and Laugher
2007-06-22 19:11 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-06-22 19:11 <DIR> d-------- C:\Program Files\ArcSoft
2007-06-22 19:10 <DIR> d-------- C:\Program Files\Common Files\Nikon
2007-06-22 10:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-06-22 10:13 <DIR> d-------- C:\Program Files\DivXLand
2007-06-22 10:11 1,783,574 --a------ C:\Program Files\DivXLand_MediaSub_205.exe
2007-06-17 18:33 <DIR> d-------- C:\Program Files\KONAMI
2007-06-17 16:29 23,220,928 --a------ C:\Program Files\JAD7_BASIC.exe
2007-06-09 11:05 <DIR> d-------- C:\Program Files\DkZ Studio
2007-06-09 11:03 <DIR> d-------- C:\Program Files\dkz
2007-06-01 23:23 <DIR> d-------- C:\Program Files\afreeca
2007-06-01 23:10 53,248 --a------ C:\WINDOWS\system32\PrxerNsp.dll
2007-06-01 23:10 53,248 --a------ C:\WINDOWS\system32\PrxerDrv.dll
2007-06-01 23:10 <DIR> d-------- C:\Program Files\Proxifier
2007-06-01 23:09 701,713 --a------ C:\Program Files\ProxifierSetup.exe
2007-06-01 18:10 <DIR> d-------- C:\Program Files\COWON
2007-06-01 15:20 921,600 --a------ C:\WINDOWS\system32\vorbisenc.dll
2007-06-01 15:20 45,056 --a------ C:\WINDOWS\system32\ogg.dll
2007-06-01 15:20 237,568 --a------ C:\WINDOWS\system32\OggDS.dll
2007-06-01 15:20 188,416 --a------ C:\WINDOWS\system32\vorbis.dll
2007-06-01 15:11 <DIR> d-------- C:\DOCUME~1\admin\APPLIC~1\COWON
2007-06-01 15:06 <DIR> d-------- C:\Program Files\JetAudio
2007-06-01 15:06 <DIR> d-------- C:\Program Files\Common Files\COWON
2007-05-30 20:51 26,057 --a------ C:\subafsfile0.bin


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-25 02:14:00 -------- d-----w C:\Program Files\Minilyrics
2007-06-24 23:34:30 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-24 23:09:56 -------- d-----w C:\Program Files\FlashGet
2007-06-24 18:02:45 -------- d-----w C:\Program Files\CCleaner
2007-06-23 02:15:03 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-20 05:03:36 -------- d-----w C:\Program Files\NetFolder
2007-06-13 01:54:56 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\LimeWire
2007-06-13 00:16:43 -------- d-----w C:\Program Files\GRETECH
2007-06-13 00:16:43 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\GRETECH
2007-06-10 02:02:24 -------- d-----w C:\Program Files\TVAnts
2007-06-10 02:01:17 2,838,136 ----a-w C:\Program Files\TvantsSetup.EXE
2007-06-09 18:37:58 -------- d-----w C:\Program Files\Game Graphic Studio
2007-06-09 18:04:06 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-06-09 05:19:41 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\Fileguri
2007-05-31 04:21:56 54,304 ----a-w C:\bin0.bin
2007-05-29 2142 565,248 ----a-w C:\WINDOWS\system32\IdiskLauncherEx.exe
2007-05-28 02:46:08 -------- d-----w C:\Program Files\Nowcom
2007-05-26 05:56:47 -------- d-----w C:\Program Files\StepMania
2007-05-24 21:26:19 8,224 ----a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-05-24 11:10:23 -------- d-----w C:\Program Files\Microsoft Works
2007-05-24 11:07:20 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-24 10:22:13 -------- d-----w C:\Program Files\backups
2007-05-24 07:53:50 -------- d-----w C:\Program Files\Winamp
2007-05-24 03:08:45 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\SmartDraw
2007-05-22 02:26:26 12,302,384 ----a-w C:\Program Files\widgetsus.exe
2007-05-21 01:13:46 -------- d-----w C:\Program Files\DivX
2007-05-21 01:02:03 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\dvdcss
2007-05-20 22:44:40 6,221,304 ----a-w C:\Program Files\winamp535_full_emusic-7plus.exe
2007-05-20 20:50:38 2,719,216 ----a-w C:\Program Files\ccsetup140.exe
2007-05-19 00:25:57 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\ESTsoft
2007-05-19 00:24:44 -------- d-----w C:\Program Files\ESTsoft
2007-05-19 00:22:13 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\U3
2007-05-18 04:33:11 -------- d-----w C:\Program Files\FT8D91
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-10 01:43:24 1 ----a-w C:\mcheck_dio.dat
2007-05-08 09:56:27 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\MusicIP
2007-05-05 22:30:35 -------- d-----w C:\Program Files\MiniLyrics.v4.5.2266.Incl.Crack-iNViSiBLE
2007-05-05 22:29:35 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\uTorrent
2007-04-27 03:11:29 1,053,184 ----a-w C:\WINDOWS\system32\mfc71u.dll
2007-04-27 03:11:08 2,801,756 ----a-w C:\WINDOWS\system32\libmmd.dll
2007-04-27 02:48:48 1,700,352 ----a-w C:\WINDOWS\system32\gdiplus.dll
2007-04-26 01:42:33 -------- d-----w C:\Program Files\AC3Filter
2007-04-26 01:40:47 2,139,213 ----a-w C:\Program Files\ac3filter_1_30b.exe
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-21 01:49:44 2,714,784 ----a-w C:\Program Files\ccsetup139.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 05:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 05:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-15 05:26:44 19,994,184 ----a-w C:\Program Files\QuickTimeInstaller.exe
2007-04-11 04:37:19 3,374,720 ----a-w C:\Program Files\EasyLink_Connect.exe
2007-04-09 00:24:43 794,624 ----a-w C:\WINDOWS\system32\pdrtvctl.dll
2007-04-09 00:24:43 204,800 ----a-w C:\WINDOWS\system32\pdrtvsvr.exe
2007-04-09 00:24:43 204,800 ----a-w C:\WINDOWS\system32\pdrtvf2.dll
2007-04-09 00:24:43 147,456 ----a-w C:\WINDOWS\system32\pdrtvf1.dll
2007-04-09 00:24:43 1,091,584 ----a-w C:\WINDOWS\system32\pavc.dll
2007-03-31 23:20:11 6,006,832 ----a-w C:\Program Files\Firefox Setup 2.0.0.3.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\PROGRA~1\FlashGet\jccatch.dll [2006-05-16 15:19]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 03:23]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 05:00]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]
"DHAutoRun"="C:\Program Files\LITTLEGIANT\Foxplayer\DHAutoRun.exe" [2007-01-25 15:37]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-07-29 19:34]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 11:31]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\admin\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DHAutoRun]
C:\Program Files\LITTLEGIANT\Foxplayer\DHAutoRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fileguri]
"C:\Program Files\Freechal\Fileguri\Fileguri.exe" PathFileguri /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{047efda1-059e-11dc-bab6-0016171b4a49}]
AutoRun\command- F:\LaunchU3.exe -a


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-26 15:41:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-26 15:42:39
C:\ComboFix-quarantined-files.txt ... 2007-06-26 15:42
C:\ComboFix2.txt ... 2007-06-25 22:18
C:\ComboFix3.txt ... 2007-06-24 16:35

--- E O F ---
xdragonx is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 06-26-2007, 04:07 PM   #11 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,264
OS: N/A


Re: help cleaning up
LoL ...wish I know what's going on. Please manually delete these files

C:\WINDOWS\system32\snqubpqs.exe
C:\WINDOWS\system32\klsgyios.exe
C:\WINDOWS\system32\midwtspf.exe
C:\WINDOWS\system32\sysmon32.exe

Let me know if any of them resist deletions
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 06-26-2007, 07:23 PM   #12 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 58
OS: WinXP


Re: help cleaning up
i had some trouble finding them but none deleted all of them without a problem
xdragonx is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 06-26-2007, 10:34 PM   #13 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,264
OS: N/A


Re: help cleaning up
Of the stuff Kaspersky found earlier,

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\ is your antivirus program's quarantine cache. You should delete the contents. Please use Symantec's guide to remove the files from quarantine. http://service1.symantec.com/SUPPORT...on=1#_Section1

C:\QooBox\ is ComboFix's quarantine folder. You can safely delete it

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be reseting/clearing the cache in a little while


----------------------


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start → Run → type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources → http://www.bleepingcomputer.com/forums/topict405.html

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html


  6. Microsoft Windows Updatehttp://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial43.html

  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial48.html


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://toolbar.google.com/ - Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • http://cleanup.stevengould.org/ - CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • http://www.winpatrol.com/ -Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here: http://www.winpatrol.com/features.html

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 06-26-2007, 10:48 PM   #14 (permalink)
Registered User
 
Join Date: Nov 2006
Posts: 58
OS: WinXP


Re: help cleaning up
thank you subs, i only have adaware and spyboy search and destroy if thats good enough? hope you have a nice day ^-^
xdragonx is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 06-26-2007, 11:31 PM   #15 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,264
OS: N/A


Re: help cleaning up
At the very least, get ERUNT. It can make a difference.

Surf Safe & stay safe.
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 01:17 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84