Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page IE7 Runs Itself- Trojan SHuer.ZQ
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 07-21-2007, 09:01 AM   #1 (permalink)
Registered User
 
Join Date: Jul 2007
Posts: 10
OS: XP


IE7 Runs Itself- Trojan SHuer.ZQ
Every time my machine boots up, it displays the Windows Installer "Preparing to Install" dialog (the one used by most all win32 programs during their initial install). This pops up twice, then goes away and my machine comes up normally.

Some time later (maybe 2-3 minutes) IE7 starts up and runs all by itself, maximized and displaying various websites like abcsearch.com, llehs.com, netstar.com, winantivirus.com, etc. Sometimes it runs a new instance every 15 seconds or so, other times nothing happens for hours. Rebooting seems to kick something off which starts the more frequent occurrence. I am not an IE user and run mozilla firefox all the time. While firefox is running though, it seems IE launches itself more frequently.

NOTE: While running PandaScan, AVG popped up with the following: Virus Detected- Trojan Horse SHuer.ZQ, obeject path: C:\Documents.....\Local Settings\Temp\xefifyrf.exe. I had AVG move this file to the virus vault. I run a virus scan everyday and nothing gets detected.

========================================================
panda scan


Incident Status Location

Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Joe Jaworski\Application Data\Mozilla\Firefox\Profiles\default.uwo\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Joe Jaworski\Cookies\joe@ad.yieldmanager[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Joe Jaworski\Cookies\joe@drivecleaner[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Joe Jaworski\Cookies\joe@stats1.reliablestats[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Joe Jaworski\Cookies\joe@stats1.reliablestats[2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Joe Jaworski\Cookies\joe@winantivirus[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Joe Jaworski\Cookies\joe@winantivirus[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\LocalService\Cookies\system@revenue[2].txt
Spyware:Spyware/Virtumonde Not disinfected C:\Torrent\PC_Video_Converter_Studio_v4.3-DIGERATI\PC_Video_Converter_Studio_v4.3-DIGERATI.rar[PC_Video.exe][setup1.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\UPLOAD\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\UPLOAD\SmitfraudFix\restart.exe
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\inf\alchem.inf
Virus:Trj/Downloader.OZB Disinfected C:\WINDOWS\system32\ewnaxgdt.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\tuvvusr.dll
========================================================
Deckard's

Deckard's System Scanner v20070711.54
Run by joe on 2007-07-21 at 10:37:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
48: 2007-07-21 14:37:52 UTC - RP479 - Deckard's System Scanner Restore Point
47: 2007-07-21 12:42:50 UTC - RP478 - Removed QuickTime
46: 2007-07-21 12:42:19 UTC - RP477 - Removed iTunes Library Updater
45: 2007-07-21 12:40:34 UTC - RP476 - Removed iTunes
44: 2007-07-21 12:29:49 UTC - RP475 - Removed Microsoft Office Visio Professional 2007


-- First Restore Point --
1: 2007-07-02 22:59:22 UTC - RP432 - Printer Driver Adobe PDF Converter Installed


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as joe.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:33 AM, on 7/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\StuffIt\MXTask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MailWasher Pro\MailWasher.exe
C:\PROGRA~1\StuffIt\mxtask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\Joe Jaworski\Desktop\dss.exe
C:\UPLOAD\joe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.0.16/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1FB63E52-4D6E-48C1-A08F-F630FE50F337} - C:\WINDOWS\system32\tuvvusr.dll
O2 - BHO: (no name) - {32476CE7-4B55-487F-A8BE-9E3D46497F12} - C:\WINDOWS\system32\mllji.dll
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\ewnaxgdt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: MailWasher.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120147235484
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - http://www.therealyellowpageslive.net/live/ezinit.cab
O20 - Winlogon Notify: mllji - C:\WINDOWS\system32\mllji.dll
O20 - Winlogon Notify: tuvvusr - C:\WINDOWS\SYSTEM32\tuvvusr.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StuffIt Task Manager - Allume Systems, Inc. - C:\PROGRA~1\StuffIt\MXTask.exe

--
End of file - 6413 bytes

-- HijackThis Fixed Entries (C:\UPLOAD\backups\) -------------------------------

backup-20070717-065829-109 O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
backup-20070717-065829-162 O23 - Service: Messssanger - Unknown owner - c:\Recyclers\svchost.exe
backup-20070717-065829-361 O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
backup-20070717-065829-468 O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
backup-20070717-065829-507 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20070717-065829-515 O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
backup-20070717-065829-685 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20070717-065829-717 O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://192.168.0.11/kxhcm10.ocx
backup-20070717-065829-727 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20070717-065829-778 O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
backup-20070717-065829-834 O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
backup-20070717-065829-895 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
backup-20070717-065829-902 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20070719-071411-427 O23 - Service: Mespanger - Unknown owner - c:\Recyclers\svchost.exe
backup-20070719-072456-431 O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
backup-20070719-072456-651 O23 - Service: Roxio Upnp Server 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe (file missing)
backup-20070719-072456-734 O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe (file missing)
backup-20070720-081837-949 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0
backup-20070720-081837-994 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
backup-20070720-081838-913 O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
backup-20070721-085042-971 O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\fixscljd.dll",forkonce

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 zmxpzip - c:\windows\system32\drivers\zmxpzip.sys <Not Verified; Allume Systems; StuffIt® ZipFolders®>
R1 Ltxred (Lantronix COM Redirector) - c:\windows\system32\drivers\ltxred.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 meprog - c:\windows\system32\drivers\meprog.sys <Not Verified; microEngineering Labs, Inc.; meProg Programmer Parallel Driver>
R3 yukonwxp (NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller) - c:\windows\system32\drivers\yk51x86.sys <Not Verified; Marvell; Marvell Yukon Ethernet Controller>

S3 TDIMSYS - c:\windows\system32\drivers\tdimsys.sys (file missing)
S3 usb18prg - c:\windows\system32\drivers\usb18prg.sys <Not Verified; mikroElektronika; mikroElektronika® USB Device driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 StuffIt Task Manager - c:\progra~1\stuffit\mxtask.exe -service <Not Verified; Allume Systems, Inc.; StuffIt>

S4 Bonjour Service - c:\program files\musicmagic mixer\mdnsresponder.exe (file missing)
S4 Mespanger - c:\recyclers\svchost.exe
S4 Messssanger - c:\recyclers\svchost.exe
S4 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S4 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>


-- Files created between 2007-06-21 and 2007-07-21 -----------------------------

2007-07-21 10:31:08 73 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys
2007-07-21 10:31:08 8704 --a------ C:\WINDOWS\system32\pfdnnt.exe <Not Verified; Panda Software International; Panda Anti-malware>
2007-07-21 09:08:00 0 d-------- C:\WINDOWS\LastGood
2007-07-21 07:51:18 0 dr-h----- C:\Documents and Settings\Joe Jaworski\Recent
2007-07-20 11:16:08 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\Mp3tag
2007-07-20 11:15:56 0 d-------- C:\Program Files\Mp3tag
2007-07-19 11:59:56 0 d-------- C:\Program Files\CCleaner
2007-07-19 06:52:13 128576 --a------ C:\WINDOWS\system32\ptmljdou.dll
2007-07-19 06:49:13 66624 -----n--- C:\WINDOWS\system32\ewnaxgdt.dll
2007-07-19 06:39:14 1807182 ---hs---- C:\WINDOWS\system32\ijllm.bak2
2007-07-18 18:39:03 6405 ---hs---- C:\WINDOWS\system32\ijllm.bak1
2007-07-18 18:38:55 266336 --a------ C:\WINDOWS\system32\mllji.dll
2007-07-18 18:33:51 31254 --a------ C:\WINDOWS\system32\tuvvusr.dll
2007-07-18 18:33:45 276758 --a------ C:\WINDOWS\PC Video Converter Studio Uninstaller.exe
2007-07-18 18:33:42 0 d-------- C:\Program Files\PC Video Converter Studio
2007-07-18 17:00:15 0 d-------- C:\Program Files\SpywareBlaster
2007-07-18 16:56:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-18 10:21:22 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\Nero
2007-07-17 07:11:33 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-07-16 09:28:24 2184 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-16 08:52:58 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-07-16 08:52:53 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-07-16 08:52:53 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\SUPERAntiSpyware.com
2007-07-15 17:52:42 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2007-07-15 17:33:56 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2007-07-15 17:33:56 0 dr------- C:\Documents and Settings\LocalService\My Documents
2007-07-15 17:20:13 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-07-15 17:17:19 0 d-------- C:\Recyclers
2007-07-11 10:13:55 0 d-------- C:\Program Files\Microchip
2007-07-10 16:59:45 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\Ahead
2007-07-10 16:57:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-07-10 16:57:44 0 d-------- C:\Program Files\Nero
2007-07-10 08:21:44 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-07-10 08:21:26 0 d-------- C:\Program Files\Common Files\Apple
2007-07-10 08:21:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-07-09 15:25:42 0 d-------- C:\Program Files\AZIPR
2007-07-09 15:12:03 0 d-------- C:\Program Files\WinISO
2007-07-09 08:15:23 0 d-------- C:\Program Files\ImTOO
2007-07-09 07:48:18 719872 --a------ C:\WINDOWS\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
2007-07-09 07:48:17 314368 --a------ C:\WINDOWS\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2007-07-09 07:48:16 0 d-------- C:\Program Files\Magic Video Converter
2007-07-08 20:05:24 0 d-------- C:\temp
2007-07-08 19:35:06 0 d-------- C:\Program Files\iSofter
2007-07-08 19:31:57 0 d-------- C:\ConverterOutput
2007-07-08 19:31:18 0 d-------- C:\movies
2007-07-08 19:26:10 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\dvdcss
2007-07-07 19:39:55 0 d-------- C:\Program Files\Microsoft Visual SourceSafe
2007-07-07 07:25:28 94208 --a------ C:\WINDOWS\system32\ssr2c.dll <Not Verified; Sheridan Software Systems, Inc.; SSR2C>
2007-07-07 07:25:28 0 d-------- C:\Program Files\Common Files\Data Dynamics
2007-07-07 07:25:27 45056 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft XML Core Services>
2007-07-07 07:25:27 3211264 --a------ C:\WINDOWS\system32\CoreObjX.dll <Not Verified; Synergration, Inc.; CoreObjX>
2007-07-07 07:24:15 0 d-------- C:\Program Files\PV5
2007-07-03 20:13:23 16 --a------ C:\WINDOWS\popcinfo.dat
2007-07-03 19:51:26 720896 --a------ C:\WINDOWS\iun6002ev.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-07-03 17:44:37 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-03 17:41:57 197120 --a------ C:\WINDOWS\patchw32.dll
2007-07-03 17:41:57 0 d-------- C:\Program Files\Common Files\PocketSoft
2007-07-03 07:13:44 0 d-------- C:\DCRABBIT_9.52
2007-07-02 17:17:53 0 d-------- C:\DCRABBIT_9.21
2007-07-02 16:14:21 0 d-------- C:\WINDOWS\Cache
2007-07-02 10:46:57 0 d-------- C:\Program Files\Intuit
2007-07-01 20:09:31 0 d-------- C:\Program Files\Common Files\SWF Studio
2007-07-01 14:31:47 0 d-------- C:\Program Files\Common Files\Vbox
2007-07-01 14:31:34 72192 --a------ C:\WINDOWS\unlite3.exe
2007-07-01 14:31:30 1507328 --a------ C:\WINDOWS\system32\cfmlvalidator.dll <Not Verified; Allaire Corp.; CF Studio>
2007-07-01 14:31:29 69632 --a------ C:\WINDOWS\system32\CFSDebug.dll <Not Verified; Macromedia, Inc.; HomeSite, ColdFusion Studio>
2007-07-01 14:31:29 110592 --a------ C:\WINDOWS\system32\CfRds.dll <Not Verified; Macromedia, Inc.; HomeSite, ColdFusion Studio>
2007-07-01 14:31:22 114688 --a------ C:\WINDOWS\system32\lang_cfml.dll
2007-07-01 14:31:21 28672 --a------ C:\WINDOWS\system32\xml_datagrove.dll
2007-06-29 18:38:04 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Allume Systems
2007-06-29 18:35:26 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\Allume Systems
2007-06-29 18:35:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Allume Systems
2007-06-29 18:34:04 0 d-------- C:\Program Files\StuffIt
2007-06-29 17:26:47 0 d-------- C:\Program Files\QuickSFV
2007-06-29 12:02:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-06-29 12:02:56 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\Azureus
2007-06-29 06:58:09 0 d-------- C:\Torrent
2007-06-28 12:05:03 0 d-------- C:\Program Files\PICC
2007-06-25 18:37:30 0 d-------- C:\WINDOWS\SxsCaPendDel
2007-06-25 18:00:06 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-06-24 19:43:46 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\Leadertech
2007-06-23 15:20:05 28 --a------ C:\WINDOWS\system32\vfw_32.reg
2007-06-22 21:08:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2007-06-22 21:08:06 0 d-------- C:\Program Files\InterActual
2007-06-22 21:05:30 0 d-------- C:\Program Files\Common Files\SureThing Shared
2007-06-22 21:04:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2007-06-22 21:04:04 0 d-------- C:\Program Files\Xingtone
2007-06-22 21:00:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2007-06-22 21:00:26 0 d-------- C:\Program Files\Common Files\Sonic Shared
2007-06-22 21:00:26 0 d-------- C:\Program Files\Common Files\SightSpeed
2007-06-22 16:54:14 0 d-------- C:\Program Files\PwrISO
2007-06-22 10:51:54 0 d-------- C:\Program Files\MPlayer
2007-06-21 19:55:55 0 d-------- C:\Program Files\BitTorrent
2007-06-21 18:56:54 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\LimeWire


-- Find3M Report ---------------------------------------------------------------

2007-07-21 10:10:56 0 d-------- C:\Program Files\WinSCP3
2007-07-21 09:49:03 0 d-------- C:\Program Files\MailWasher Pro
2007-07-21 09:15:16 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\MailWasherPro
2007-07-21 08:44:27 0 d-------- C:\Program Files\QuickTime
2007-07-21 07:47:04 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\AVG7
2007-07-20 19:52:06 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\BitTorrent
2007-07-20 18:43:23 0 d-------- C:\Program Files\Eudora Pro
2007-07-18 19:54:21 133528 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-07-17 09:48:43 0 d-------- C:\Program Files\ExpressPCB
2007-07-17 09:43:52 0 d-------- C:\Program Files\Lavasoft
2007-07-17 09:43:22 0 d-------- C:\Program Files\Opera
2007-07-16 14:30:28 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\Apple Computer
2007-07-15 09:10:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-14 08:59:05 148584 --a------ C:\Documents and Settings\Joe Jaworski\Application Data\GDIPFONTCACHEV1.DAT
2007-07-10 17:08:48 0 d-------- C:\Program Files\Common Files\Ahead
2007-07-09 15:41:37 4608 --a------ C:\Documents and Settings\Joe Jaworski\Application Data\DMX.bmk
2007-07-09 09:15:48 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\OpenOffice.org2
2007-07-09 07:23:12 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\AdobeUM
2007-07-07 07:20:13 0 d-------- C:\Program Files\Common Files\Intuit
2007-07-03 17:54:06 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\Atari
2007-07-03 17:10:21 0 d-------- C:\Program Files\Common Files\Adobe
2007-07-03 17:08:07 23514 --a------ C:\WINDOWS\mozver.dat
2007-07-02 1128 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\Intuit
2007-07-02 08:49:40 0 d-------- C:\Program Files\Macromedia
2007-07-01 14:58:14 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\Adobe
2007-07-01 14:31:33 0 d-------- C:\Program Files\Bradbury
2007-06-29 19:05:51 0 d-------- C:\Program Files\Jasc Software Inc
2007-06-23 14:02:49 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\Roxio
2007-06-23 09:56:10 0 d-------- C:\Program Files\Lantronix
2007-06-18 15:59:58 0 d-------- C:\Program Files\Common Files\InstallShield
2007-06-16 14:08:14 0 d-------- C:\Program Files\music
2007-06-14 16:42:33 0 d-------- C:\Program Files\ID3Embed
2007-06-14 16:14:10 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\GoldWaveCDDB
2007-06-12 20:38:21 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\Opera
2007-06-12 20:27:22 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-05-23 19:27:09 0 d-------- C:\Program Files\GoldWave
2007-05-22 11:36:03 0 d-------- C:\Documents and Settings\Joe Jaworski\Application Data\CyberLink
2007-05-22 11:34:15 0 d-------- C:\Program Files\CyberLink
2007-05-21 09:33:13 0 d-------- C:\Program Files\Yahoo!
2007-05-11 06:47:46 364544 --a------ C:\WINDOWS\system32\mpPathan.dll
2007-05-11 06:41:58 1753088 --a------ C:\WINDOWS\system32\mpxerces-c_2_7.dll <Not Verified; Apache Software Foundation; Xerces-C Version 2.7.0>
2007-04-27 08:52:34 81920 --a------ C:\WINDOWS\system32\MPMapTrace.dll
2007-04-22 19:22:18 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-04-22 08:39:28 441 --a------ C:\WINDOWS\PowerReg.dat


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{1FB63E52-4D6E-48C1-A08F-F630FE50F337} C:\WINDOWS\system32\tuvvusr.dll
{32476CE7-4B55-487F-A8BE-9E3D46497F12} C:\WINDOWS\system32\mllji.dll
{938A8A03-A938-4019-B764-03FF8D167D79} C:\WINDOWS\system32\ewnaxgdt.dll
{AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SkyTel"="SkyTel.EXE"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"RTHDCPL"="RTHDCPL.EXE"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"CDRAutoRun"=hex:00,00,00,00
"ClearRecentDocsOnExit"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1FB63E52-4D6E-48C1-A08F-F630FE50F337}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllji
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvusr

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Distillr\\acrotray.exe "
"item"="Acrobat Assistant"
"backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
"backup"="C:\\WINDOWS\\pss\\Audible Download Manager.lnkCommon Startup"
"location"="Common Startup"
"item"="Audible Download Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
"location"="Common Startup"
"command"="C:\\PROGRA~1\\QUICKENW\\bagent.exe "
"item"="Quicken Scheduled Updates"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
"location"="Common Startup"
"item"="Quicken Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Joe Jaworski^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cd9faa8a-2936-11d9-a044-806d6172696f}]
Shell\AutoRun\command D:\setup.exe


-- Hosts -----------------------------------------------------------------------

192.168.0.1 joe
192.168.0.2 starr
192.168.0.16 joesserver.com


-- End of Deckard's System Scanner: finished at 2007-07-21 at 10:41:10 ---------
Attached Files
File Type: txt extra.txt (32.0 KB, 0 views)
joejvj is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 07-21-2007, 04:21 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,463
OS: N/A


Re: IE7 Runs Itself- Trojan SHuer.ZQ
1. Download & Save this file to Desktop -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-21-2007, 04:50 PM   #3 (permalink)
Registered User
 
Join Date: Jul 2007
Posts: 10
OS: XP


Re: IE7 Runs Itself- Trojan SHuer.ZQ
Okay, Here it is:

"joe" - 2007-07-21 18:35:17 - ComboFix 07-07-22.2 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drivers\sfsync02.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_SFSYNC02
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-06-21 to 2007-07-21 )))))))))))))))))))))))))))))))


2007-07-21 18:40 0 --a------ C:\WINDOWS\system32\sfsync02.dll
2007-07-21 18:34 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-21 10:37 <DIR> d-------- C:\Deckard
2007-07-20 11:16 <DIR> d-------- C:\DOCUME~1\JOEJAW~1\APPLIC~1\Mp3tag
2007-07-20 11:15 <DIR> d-------- C:\Program Files\Mp3tag
2007-07-19 11:59 <DIR> d-------- C:\Program Files\CCleaner
2007-07-19 06:52 128,576 --a------ C:\WINDOWS\system32\ptmljdou.dll
2007-07-19 06:39 1,807,182 --ahs---- C:\WINDOWS\system32\ijllm.bak2
2007-07-18 18:39 6,405 --ahs---- C:\WINDOWS\system32\ijllm.bak1
2007-07-18 18:33 276,758 --a------ C:\WINDOWS\PC Video Converter Studio Uninstaller.exe
2007-07-18 18:33 <DIR> d-------- C:\Program Files\PC Video Converter Studio
2007-07-18 17:00 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-18 16:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-18 10:21 <DIR> d-------- C:\DOCUME~1\JOEJAW~1\APPLIC~1\Nero
2007-07-17 07:11 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-16 09:28 2,184 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-16 08:52 <DIR> d-------- C:\DOCUME~1\JOEJAW~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-16 08:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-15 17:17 <DIR> d-------- C:\Recyclers
2007-07-11 10:13 <DIR> d-------- C:\Program Files\Microchip
2007-07-10 16:59 <DIR> d-------- C:\DOCUME~1\JOEJAW~1\APPLIC~1\Ahead
2007-07-10 16:57 <DIR> d-------- C:\Program Files\Nero
2007-07-10 16:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-07-10 08:21 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-07-10 08:21 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-10 08:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-09 15:25 <DIR> d-------- C:\Program Files\AZIPR
2007-07-09 15:12 <DIR> d-------- C:\Program Files\WinISO
2007-07-09 08:15 <DIR> d-------- C:\Program Files\ImTOO
2007-07-09 07:48 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-07-09 07:48 544,768 --a------ C:\WINDOWS\system32\msvcr71d.dll
2007-07-09 07:48 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-07-09 07:48 314,368 --a------ C:\WINDOWS\system32\avisynth.dll
2007-07-09 07:48 <DIR> d-------- C:\Program Files\Magic Video Converter
2007-07-08 20:05 <DIR> d-------- C:\temp
2007-07-08 19:35 <DIR> d-------- C:\Program Files\iSofter
2007-07-08 19:31 <DIR> d-------- C:\movies
2007-07-08 19:31 <DIR> d-------- C:\ConverterOutput
2007-07-08 19:26 <DIR> d-------- C:\DOCUME~1\JOEJAW~1\APPLIC~1\dvdcss
2007-07-07 19:39 <DIR> d-------- C:\Program Files\Microsoft Visual SourceSafe
2007-07-07 19:38 241,664 --a------ C:\WINDOWS\system32\drivers\c2scsi.sys
2007-07-07 07:25 94,208 --a------ C:\WINDOWS\system32\ssr2c.dll
2007-07-07 07:25 45,056 --a------ C:\WINDOWS\system32\msxml4a.dll
2007-07-07 07:25 3,211,264 --a------ C:\WINDOWS\system32\CoreObjX.dll
2007-07-07 07:25 <DIR> d-------- C:\Program Files\Common Files\Data Dynamics
2007-07-07 07:24 <DIR> d-------- C:\Program Files\PV5
2007-07-03 20:13 16 --a------ C:\WINDOWS\popcinfo.dat
2007-07-03 19:51 720,896 --a------ C:\WINDOWS\iun6002ev.exe
2007-07-03 17:44 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-03 17:41 197,120 --a------ C:\WINDOWS\patchw32.dll
2007-07-03 17:41 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
2007-07-03 07:13 <DIR> d-------- C:\DCRABBIT_9.52
2007-07-02 17:17 <DIR> d-------- C:\DCRABBIT_9.21
2007-07-02 16:14 <DIR> d-------- C:\WINDOWS\Cache
2007-07-02 10:46 <DIR> d-------- C:\Program Files\Intuit
2007-07-01 20:09 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-07-01 14:31 72,192 --a------ C:\WINDOWS\unlite3.exe
2007-07-01 14:31 69,632 --a------ C:\WINDOWS\system32\CFSDebug.dll
2007-07-01 14:31 28,672 --a------ C:\WINDOWS\system32\xml_datagrove.dll
2007-07-01 14:31 114,688 --a------ C:\WINDOWS\system32\lang_cfml.dll
2007-07-01 14:31 110,592 --a------ C:\WINDOWS\system32\CfRds.dll
2007-07-01 14:31 1,507,328 --a------ C:\WINDOWS\system32\cfmlvalidator.dll
2007-07-01 14:31 <DIR> d-------- C:\Program Files\Common Files\Vbox
2007-06-29 18:38 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Allume Systems
2007-06-29 18:35 <DIR> d-------- C:\DOCUME~1\JOEJAW~1\APPLIC~1\Allume Systems
2007-06-29 18:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Allume Systems
2007-06-29 18:34 <DIR> d-------- C:\Program Files\StuffIt
2007-06-29 17:26 <DIR> d-------- C:\Program Files\QuickSFV
2007-06-29 12:02 <DIR> d-------- C:\DOCUME~1\JOEJAW~1\APPLIC~1\Azureus
2007-06-29 12:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-06-29 06:58 <DIR> d-------- C:\Torrent
2007-06-28 12:05 <DIR> d-------- C:\Program Files\PICC
2007-06-25 18:37 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-06-25 18:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-06-24 19:43 <DIR> d-------- C:\DOCUME~1\JOEJAW~1\APPLIC~1\Leadertech
2007-06-23 15:20 28 --a------ C:\WINDOWS\system32\vfw_32.reg
2007-06-22 21:08 <DIR> d-------- C:\Program Files\InterActual
2007-06-22 21:08 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Roxio
2007-06-22 21:05 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-06-22 21:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic
2007-06-22 21:00 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-06-22 21:00 <DIR> d-------- C:\Program Files\Common Files\SightSpeed
2007-06-22 21:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Roxio
2007-06-22 16:54 <DIR> d-------- C:\Program Files\PwrISO
2007-06-22 10:51 <DIR> d-------- C:\Program Files\MPlayer
2007-06-21 19:55 <DIR> d-------- C:\Program Files\BitTorrent
2007-06-21 18:56 <DIR> d-------- C:\DOCUME~1\JOEJAW~1\APPLIC~1\LimeWire


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-21 22:42:42 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\MailWasherPro
2007-07-21 14:10:56 -------- d-----w C:\Program Files\WinSCP3
2007-07-21 13:49:03 -------- d-----w C:\Program Files\MailWasher Pro
2007-07-21 12:44:27 -------- d-----w C:\Program Files\QuickTime
2007-07-20 23:52:06 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\BitTorrent
2007-07-20 22:43:23 -------- d-----w C:\Program Files\Eudora Pro
2007-07-18 23:54:21 133,528 ----a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-07-17 13:48:43 -------- d-----w C:\Program Files\ExpressPCB
2007-07-17 13:43:52 -------- d-----w C:\Program Files\Lavasoft
2007-07-17 13:43:22 -------- d-----w C:\Program Files\Opera
2007-07-16 18:30:28 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\Apple Computer
2007-07-15 13:10:57 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-14 12:59:05 148,584 ----a-w C:\DOCUME~1\JOEJAW~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-07-11 21:36:07 20,608 ----a-w C:\WINDOWS\system32\drivers\usb18prg.sys
2007-07-10 21:08:48 -------- d-----w C:\Program Files\Common Files\Ahead
2007-07-09 13:15:48 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\OpenOffice.org2
2007-07-09 11:23:12 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\AdobeUM
2007-07-07 11:20:13 -------- d-----w C:\Program Files\Common Files\Intuit
2007-07-03 21:54:06 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\Atari
2007-07-03 21:08:07 23,514 ----a-w C:\WINDOWS\mozver.dat
2007-07-02 1528 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\Intuit
2007-07-01 18:31:33 -------- d-----w C:\Program Files\Bradbury
2007-06-29 23:05:51 -------- d-----w C:\Program Files\Jasc Software Inc
2007-06-23 18:02:49 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\Roxio
2007-06-23 13:56:10 -------- d-----w C:\Program Files\Lantronix
2007-06-18 19:59:58 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-16 18:08:14 -------- d-----w C:\Program Files\music
2007-06-14 20:42:33 -------- d-----w C:\Program Files\ID3Embed
2007-06-14 20:14:10 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\GoldWaveCDDB
2007-06-13 00:38:21 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\Opera
2007-06-13 00:27:22 -------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-05-23 23:27:09 -------- d-----w C:\Program Files\GoldWave
2007-05-22 15:36:03 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\CyberLink
2007-05-22 15:34:15 -------- d-----w C:\Program Files\CyberLink
2007-05-21 13:33:13 -------- d-----w C:\Program Files\Yahoo!
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-11 10:47:46 364,544 ----a-w C:\WINDOWS\system32\mpPathan.dll
2007-05-11 10:41:58 1,753,088 ----a-w C:\WINDOWS\system32\mpxerces-c_2_7.dll
2007-04-27 12:52:34 81,920 ----a-w C:\WINDOWS\system32\MPMapTrace.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-22 23:22:18 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-04-22 12:39:28 441 ----a-w C:\WINDOWS\PowerReg.dat
2005-05-13 21:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 15:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-14 01:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-07-14 16:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 19:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 02:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-25 04:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-04-27 14:24:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
2005-02-28 17:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 04:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1531534-00E3-41D1-B316-9F0361D25F24}]
C:\WINDOWS\system32\mllji.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-17 08:58]
"SkyTel"="SkyTel.EXE" []
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-24 01:30]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 C:\WINDOWS\RTHDCPL.EXE]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2005-08-18 15:49]

C:\Documents and Settings\Joe Jaworski\Start Menu\Programs\Startup\
MailWasher.lnk - C:\Program Files\MailWasher Pro\MailWasher.exe [2003-12-18 15:23:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UPnPMonitor"= {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 00:56 239616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllji]
C:\WINDOWS\system32\mllji.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvusr]
tuvvusr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
backup=C:\WINDOWS\pss\Audible Download Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Joe Jaworski^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup


aspi32 - System32\drivers\aspi32.sys
drvmcdb - System32\Drivers\DRVMCDB.SYS
iteatapi - system32\DRIVERS\iteatapi.sys - ITEATAPI_Service_Install
ltxred - \SystemRoot\System32\drivers\ltxred.sys - Lantronix COM Redirector
meprog - \??\C:\WINDOWS\system32\drivers\meProg.sys - meprog
mssql$sqlexpress - "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS - SQL Server (SQLEXPRESS)
nvidesm - system32\drivers\nvidesm.sys
sfdrv01 - System32\drivers\sfdrv01.sys - StarForce Protection Environment Driver (version 1.x)
sfhlp02 - System32\drivers\sfhlp02.sys - StarForce Protection Helper Driver (version 2.x)
stuffit task manager - C:\PROGRA~1\StuffIt\MXTask.exe -Service - StuffIt Task Manager
zmxpzip - system32\DRIVERS\zmxpzip.sys - zmxpzip


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd9faa8a-2936-11d9-a044-806d6172696f}]
AutoRun\command- D:\setup.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-21 18:42:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-21 18:44:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-21 18:43

--- E O F ---


=====================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:41 PM, on 7/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\StuffIt\MXTask.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\StuffIt\mxtask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\UPLOAD\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.0.16/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E1531534-00E3-41D1-B316-9F0361D25F24} - C:\WINDOWS\system32\mllji.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: MailWasher.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120147235484
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - http://www.therealyellowpageslive.net/live/ezinit.cab
O20 - Winlogon Notify: mllji - C:\WINDOWS\system32\mllji.dll (file missing)
O20 - Winlogon Notify: tuvvusr - tuvvusr.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StuffIt Task Manager - Allume Systems, Inc. - C:\PROGRA~1\StuffIt\MXTask.exe

--
End of file - 6101 bytes
joejvj is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-21-2007, 05:00 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,463
OS: N/A


Re: IE7 Runs Itself- Trojan SHuer.ZQ
Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {E1531534-00E3-41D1-B316-9F0361D25F24} - C:\WINDOWS\system32\mllji.dll (file missing)
O20 - Winlogon Notify: mllji - C:\WINDOWS\system32\mllji.dll (file missing)
O20 - Winlogon Notify: tuvvusr - tuvvusr.dll (file missing)


---------------


Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/169008-ie7-runs-itself-trojan-shuer-zq.html
Collect::
C:\WINDOWS\system32\ptmljdou.dll
DirLook::
C:\Program Files\PV5
File::
C:\WINDOWS\system32\sfsync02.dll
C:\WINDOWS\system32\ijllm.bak2
C:\WINDOWS\system32\ijllm.bak1
C:\WINDOWS\iun6002ev.exe
Folder::
C:\Recyclers
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1531534-00E3-41D1-B316-9F0361D25F24}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllji]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvusr]
Save this as "CFScript"




Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additonally, ComboFix will generate a zipped file on your Desktop, called Submit [Date Time].zip
Please submit this file to:

http://www.bleepingcomputer.com/subm....php?channel=4

The file must be uploaded before proceeding to the next step.


---------------


Please perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. We only require a report from it.
    It does not provide an option to clean/disinfect.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
* If you're downloading torrents in the background, please disconnect all of them.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.


---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-22-2007, 12:26 PM   #5 (permalink)
Registered User
 
Join Date: Jul 2007
Posts: 10
OS: XP


Re: IE7 Runs Itself- Trojan SHuer.ZQ
Hello again,

Things are looking good! Here are the current problems I still see:

Ever time I reboot I get the following screen right after Windows comes up and plays the startup music:



Just like before this dialog box displays twice for maybe 5-10 seconds each, then goes away.

When I first rebooted after doing the kaspersky scan, the system came up and launched IE7 ONCE with an URL of "About:Blank". I closed the browser and it never ran again by itself. I have since rebooted 4-5 times and IE7 is not running itself anymore. In other words, this appears to be a one-time occurrence.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, July 22, 2007 1:42:03 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 22/07/2007
Kaspersky Anti-Virus database records: 366559
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 248096
Number of viruses found: 6
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 04:22:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Joe Jaworski\Application Data\Mozilla\Firefox\Profiles\default.uwo\cert8.db Object is locked skipped
C:\Documents and Settings\Joe Jaworski\Application Data\Mozilla\Firefox\Profiles\default.uwo\history.dat Object is locked skipped
C:\Documents and Settings\Joe Jaworski\Application Data\Mozilla\Firefox\Profiles\default.uwo\key3.db Object is locked skipped
C:\Documents and Settings\Joe Jaworski\Application Data\Mozilla\Firefox\Profiles\default.uwo\parent.lock Object is locked skipped
C:\Documents and Settings\Joe Jaworski\Application Data\Mozilla\Firefox\Profiles\default.uwo\search.sqlite Object is locked skipped
C:\Documents and Settings\Joe Jaworski\Application Data\Mozilla\Firefox\Profiles\default.uwo\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Joe Jaworski\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Joe Jaworski\Desktop\[4]-Submit_2007-07-22_ 85257.70.zip/ptmljdou.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\Documents and Settings\Joe Jaworski\Desktop\[4]-Submit_2007-07-22_ 85257.70.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Joe Jaworski\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Joe Jaworski\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Joe Jaworski\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.uwo\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Joe Jaworski\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.uwo\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Joe Jaworski\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.uwo\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Joe Jaworski\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.uwo\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Joe Jaworski\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Joe Jaworski\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Joe Jaworski\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Joe Jaworski\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Joe Jaworski\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_6c8.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Eudora Pro\Bread.mbx/[From "Norbert Langbecker" <norbert@mailhost.net>][Date Tue, 12 Oct 1999 13:33:23 -0700]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
C:\Program Files\Eudora Pro\Bread.mbx/[From RNNamVet@aol.com][Date Tue, 2 Jan 2001 04:02:16 EST]/text/[From RNNamVet@aol.com][Date Tue, 2 Jan 2001 23:32:35 EST]/text/[From RNNamVet@aol.com][Date Wed, 3 Jan 2001 06:39:29 EST]/text/[From "Gretchen Jansen" <gretchen@jansenco.net>][Date Sun, 14 Jan 2001 20:09:30 -0800]/UNNAMED/[From "Tralfaz" <tralfaz@usol.com>][Date Wed, 24 Jan 2001 19:27:56 -0800]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
C:\Program Files\Eudora Pro\Bread.mbx/[From RNNamVet@aol.com][Date Tue, 2 Jan 2001 04:02:16 EST]/text/[From RNNamVet@aol.com][Date Tue, 2 Jan 2001 23:32:35 EST]/text/[From RNNamVet@aol.com][Date Wed, 3 Jan 2001 06:39:29 EST]/text/[From "Gretchen Jansen" <gretchen@jansenco.net>][Date Sun, 14 Jan 2001 20:09:30 -0800]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
C:\Program Files\Eudora Pro\Bread.mbx/[From RNNamVet@aol.com][Date Tue, 2 Jan 2001 04:02:16 EST]/text/[From RNNamVet@aol.com][Date Tue, 2 Jan 2001 23:32:35 EST]/text/[From RNNamVet@aol.com][Date Wed, 3 Jan 2001 06:39:29 EST]/text Infected: Email-Worm.VBS.KakWorm skipped
C:\Program Files\Eudora Pro\Bread.mbx/[From RNNamVet@aol.com][Date Tue, 2 Jan 2001 04:02:16 EST]/text/[From RNNamVet@aol.com][Date Tue, 2 Jan 2001 23:32:35 EST]/text Infected: Email-Worm.VBS.KakWorm skipped
C:\Program Files\Eudora Pro\Bread.mbx/[From RNNamVet@aol.com][Date Tue, 2 Jan 2001 04:02:16 EST]/text Infected: Email-Worm.VBS.KakWorm skipped
C:\Program Files\Eudora Pro\Bread.mbx Mail Berkeley mbox: infected - 6 skipped
C:\Program Files\Eudora Pro\Ebay.mbx/[From service@paypal.com][Date Sun, 26 Jan 2003 04:24:44 -0800]/text/[From service@paypal.com][Date Thu, 01 May 2003 10:00:52 -0700]/text/[From "A David Hardee" <dhardee@houston.rr.com>][Date Tue, 2 Dec 2003 08:16:06 -0800]/html Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Program Files\Eudora Pro\Ebay.mbx/[From service@paypal.com][Date Sun, 26 Jan 2003 04:24:44 -0800]/text/[From service@paypal.com][Date Thu, 01 May 2003 10:00:52 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Program Files\Eudora Pro\Ebay.mbx/[From service@paypal.com][Date Sun, 26 Jan 2003 04:24:44 -0800]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Program Files\Eudora Pro\Ebay.mbx Mail Berkeley mbox: infected - 3 skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_578.trc Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A5E43AED-9AE8-4E6B-9C56-4255784CEA9D}\RP440\A0060164.dll Infected: not-a-virus:AdWare.Win32.BHO.aj skipped
C:\System Volume Information\_restore{A5E43AED-9AE8-4E6B-9C56-4255784CEA9D}\RP440\A0060478.dll Infected: not-a-virus:AdWare.Win32.BHO.aj skipped
C:\System Volume Information\_restore{A5E43AED-9AE8-4E6B-9C56-4255784CEA9D}\RP458\A0062632.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{A5E43AED-9AE8-4E6B-9C56-4255784CEA9D}\RP466\A0062963.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{A5E43AED-9AE8-4E6B-9C56-4255784CEA9D}\RP471\A0067008.exe/data.rar/setup1.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{A5E43AED-9AE8-4E6B-9C56-4255784CEA9D}\RP471\A0067008.exe/data.rar Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{A5E43AED-9AE8-4E6B-9C56-4255784CEA9D}\RP471\A0067008.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{A5E43AED-9AE8-4E6B-9C56-4255784CEA9D}\RP471\A0067380.exe Object is locked skipped
C:\System Volume Information\_restore{A5E43AED-9AE8-4E6B-9C56-4255784CEA9D}\RP479\A0069550.dll Object is locked skipped
C:\System Volume Information\_restore{A5E43AED-9AE8-4E6B-9C56-4255784CEA9D}\RP479\A0069567.dll Object is locked skipped
C:\System Volume Information\_restore{A5E43AED-9AE8-4E6B-9C56-4255784CEA9D}\RP479\A0069568.dll Object is locked skipped
C:\System Volume Information\_restore{A5E43AED-9AE8-4E6B-9C56-4255784CEA9D}\RP480\change.log Object is locked skipped
C:\Torrent\PC_Video_Converter_Studio_v4.3-DIGERATI\PC_Video_Converter_Studio_v4.3-DIGERATI.rar/PC_Video.exe/data.rar/setup1.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Torrent\PC_Video_Converter_Studio_v4.3-DIGERATI\PC_Video_Converter_Studio_v4.3-DIGERATI.rar/PC_Video.exe/data.rar Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Torrent\PC_Video_Converter_Studio_v4.3-DIGERATI\PC_Video_Converter_Studio_v4.3-DIGERATI.rar/PC_Video.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Torrent\PC_Video_Converter_Studio_v4.3-DIGERATI\PC_Video_Converter_Studio_v4.3-DIGERATI.rar RAR: infected - 3 skipped
C:\UPLOAD\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\UPLOAD\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\UPLOAD\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\UPLOAD\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\_restore{A5E43AED-9AE8-4E6B-9C56-4255784CEA9D}\RP480\change.log Object is locked skipped

Scan process completed.

=========================================================
=========================================================

"joe" - 2007-07-22 8:53:27 - ComboFix 07-07-22.2 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Joe Jaworski\Desktop\CFScript


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ptmljdou.dll
C:\WINDOWS\system32\uodjlmtp.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Recyclers
C:\Recyclers\svchost.exe
C:\WINDOWS\iun6002ev.exe
C:\WINDOWS\system32\ijllm.bak1
C:\WINDOWS\system32\ijllm.bak2
C:\WINDOWS\system32\ptmljdou.dll
C:\WINDOWS\system32\sfsync02.dll


((((((((((((((((((((((((( Files Created from 2007-06-22 to 2007-07-22 )))))))))))))))))))))))))))))))


2007-07-21 18:34 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-21 10:37 <DIR> d-------- C:\Deckard
2007-07-20 11:16 <DIR> d-------- C:\DOCUME~1\JOEJAW~1\APPLIC~1\Mp3tag
2007-07-20 11:15 <DIR> d-------- C:\Program Files\Mp3tag
2007-07-19 11:59 <DIR> d-------- C:\Program Files\CCleaner
2007-07-18 18:33 276,758 --a------ C:\WINDOWS\PC Video Converter Studio Uninstaller.exe
2007-07-18 18:33 <DIR> d-------- C:\Program Files\PC Video Converter Studio
2007-07-18 17:00 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-18 16:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-18 10:21 <DIR> d-------- C:\DOCUME~1\JOEJAW~1\APPLIC~1\Nero
2007-07-17 07:11 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-16 09:28 2,184 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-16 08:52 <DIR> d-------- C:\DOCUME~1\JOEJAW~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-16 08:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-11 10:13 <DIR> d-------- C:\Program Files\Microchip
2007-07-10 16:59 <DIR> d-------- C:\DOCUME~1\JOEJAW~1\APPLIC~1\Ahead
2007-07-10 16:57 <DIR> d-------- C:\Program Files\Nero
2007-07-10 16:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-07-10 08:21 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-07-10 08:21 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-10 08:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-09 15:25 <DIR> d-------- C:\Program Files\AZIPR
2007-07-09 15:12 <DIR> d-------- C:\Program Files\WinISO
2007-07-09 08:15 <DIR> d-------- C:\Program Files\ImTOO
2007-07-09 07:48 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-07-09 07:48 544,768 --a------ C:\WINDOWS\system32\msvcr71d.dll
2007-07-09 07:48 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-07-09 07:48 314,368 --a------ C:\WINDOWS\system32\avisynth.dll
2007-07-09 07:48 <DIR> d-------- C:\Program Files\Magic Video Converter
2007-07-08 20:05 <DIR> d-------- C:\temp
2007-07-08 19:35 <DIR> d-------- C:\Program Files\iSofter
2007-07-08 19:31 <DIR> d-------- C:\movies
2007-07-08 19:31 <DIR> d-------- C:\ConverterOutput
2007-07-08 19:26 <DIR> d-------- C:\DOCUME~1\JOEJAW~1\APPLIC~1\dvdcss
2007-07-07 19:39 <DIR> d-------- C:\Program Files\Microsoft Visual SourceSafe
2007-07-07 19:38 241,664 --a------ C:\WINDOWS\system32\drivers\c2scsi.sys
2007-07-07 07:25 94,208 --a------ C:\WINDOWS\system32\ssr2c.dll
2007-07-07 07:25 45,056 --a------ C:\WINDOWS\system32\msxml4a.dll
2007-07-07 07:25 3,211,264 --a------ C:\WINDOWS\system32\CoreObjX.dll
2007-07-07 07:25 <DIR> d-------- C:\Program Files\Common Files\Data Dynamics
2007-07-07 07:24 <DIR> d-------- C:\Program Files\PV5
2007-07-03 20:13 16 --a------ C:\WINDOWS\popcinfo.dat
2007-07-03 17:44 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-03 17:41 197,120 --a------ C:\WINDOWS\patchw32.dll
2007-07-03 17:41 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
2007-07-03 07:13 <DIR> d-------- C:\DCRABBIT_9.52
2007-07-02 17:17 <DIR> d-------- C:\DCRABBIT_9.21
2007-07-02 16:14 <DIR> d-------- C:\WINDOWS\Cache
2007-07-02 10:46 <DIR> d-------- C:\Program Files\Intuit
2007-07-01 20:09 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-07-01 14:31 72,192 --a------ C:\WINDOWS\unlite3.exe
2007-07-01 14:31 69,632 --a------ C:\WINDOWS\system32\CFSDebug.dll
2007-07-01 14:31 28,672 --a------ C:\WINDOWS\system32\xml_datagrove.dll
2007-07-01 14:31 114,688 --a------ C:\WINDOWS\system32\lang_cfml.dll
2007-07-01 14:31 110,592 --a------ C:\WINDOWS\system32\CfRds.dll
2007-07-01 14:31 1,507,328 --a------ C:\WINDOWS\system32\cfmlvalidator.dll
2007-07-01 14:31 <DIR> d-------- C:\Program Files\Common Files\Vbox
2007-06-29 18:38 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Allume Systems
2007-06-29 18:35 <DIR> d-------- C:\DOCUME~1\JOEJAW~1\APPLIC~1\Allume Systems
2007-06-29 18:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Allume Systems
2007-06-29 18:34 <DIR> d-------- C:\Program Files\StuffIt
2007-06-29 17:26 <DIR> d-------- C:\Program Files\QuickSFV
2007-06-29 12:02 <DIR> d-------- C:\DOCUME~1\JOEJAW~1\APPLIC~1\Azureus
2007-06-29 12:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-06-29 06:58 <DIR> d-------- C:\Torrent
2007-06-28 12:05 <DIR> d-------- C:\Program Files\PICC
2007-06-25 18:37 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-06-25 18:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-06-24 19:43 <DIR> d-------- C:\DOCUME~1\JOEJAW~1\APPLIC~1\Leadertech
2007-06-23 15:20 28 --a------ C:\WINDOWS\system32\vfw_32.reg
2007-06-22 21:08 <DIR> d-------- C:\Program Files\InterActual
2007-06-22 21:08 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Roxio
2007-06-22 21:05 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-06-22 21:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic
2007-06-22 21:00 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-06-22 21:00 <DIR> d-------- C:\Program Files\Common Files\SightSpeed
2007-06-22 21:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Roxio
2007-06-22 16:54 <DIR> d-------- C:\Program Files\PwrISO
2007-06-22 10:51 <DIR> d-------- C:\Program Files\MPlayer


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-22 13:00:31 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\MailWasherPro
2007-07-22 12:48:23 -------- d-----w C:\Program Files\Eudora Pro
2007-07-21 14:10:56 -------- d-----w C:\Program Files\WinSCP3
2007-07-21 13:49:03 -------- d-----w C:\Program Files\MailWasher Pro
2007-07-21 12:44:27 -------- d-----w C:\Program Files\QuickTime
2007-07-20 23:52:06 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\BitTorrent
2007-07-18 23:54:21 133,528 ----a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-07-17 13:48:43 -------- d-----w C:\Program Files\ExpressPCB
2007-07-17 13:43:52 -------- d-----w C:\Program Files\Lavasoft
2007-07-17 13:43:22 -------- d-----w C:\Program Files\Opera
2007-07-16 18:30:28 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\Apple Computer
2007-07-15 13:10:57 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-14 12:59:05 148,584 ----a-w C:\DOCUME~1\JOEJAW~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-07-11 21:36:07 20,608 ----a-w C:\WINDOWS\system32\drivers\usb18prg.sys
2007-07-10 21:08:48 -------- d-----w C:\Program Files\Common Files\Ahead
2007-07-09 13:15:48 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\OpenOffice.org2
2007-07-09 11:23:12 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\AdobeUM
2007-07-07 11:20:13 -------- d-----w C:\Program Files\Common Files\Intuit
2007-07-03 21:54:06 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\Atari
2007-07-03 21:08:07 23,514 ----a-w C:\WINDOWS\mozver.dat
2007-07-02 1528 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\Intuit
2007-07-01 18:31:33 -------- d-----w C:\Program Files\Bradbury
2007-06-29 23:05:51 -------- d-----w C:\Program Files\Jasc Software Inc
2007-06-29 16:25:56 -------- d-----w C:\Program Files\BitTorrent
2007-06-23 18:02:49 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\Roxio
2007-06-23 13:56:10 -------- d-----w C:\Program Files\Lantronix
2007-06-21 23:49:53 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\LimeWire
2007-06-18 19:59:58 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-16 18:08:14 -------- d-----w C:\Program Files\music
2007-06-14 20:42:33 -------- d-----w C:\Program Files\ID3Embed
2007-06-14 20:14:10 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\GoldWaveCDDB
2007-06-13 00:38:21 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\Opera
2007-06-13 00:27:22 -------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-05-23 23:27:09 -------- d-----w C:\Program Files\GoldWave
2007-05-22 15:36:03 -------- d-----w C:\DOCUME~1\JOEJAW~1\APPLIC~1\CyberLink
2007-05-22 15:34:15 -------- d-----w C:\Program Files\CyberLink
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-11 10:47:46 364,544 ----a-w C:\WINDOWS\system32\mpPathan.dll
2007-05-11 10:41:58 1,753,088 ----a-w C:\WINDOWS\system32\mpxerces-c_2_7.dll
2007-04-27 12:52:34 81,920 ----a-w C:\WINDOWS\system32\MPMapTrace.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-22 23:22:18 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-04-22 12:39:28 441 ----a-w C:\WINDOWS\PowerReg.dat
2005-05-13 21:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 15:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-14 01:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-07-14 16:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 19:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 02:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-25 04:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-04-27 14:24:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
2005-02-28 17:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 04:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of C:\Program Files\PV5 ----

2007-07-07 07:28 847872 --a------ C:\Program Files\PV5\pvpr50.TDB
2007-07-07 07:28 847872 --a------ C:\Program Files\PV5\pvpr50.SAV
2007-07-07 07:28 1474560 --a------ C:\Program Files\PV5\Example5.mdb
2007-07-07 07:27 364544 --a------ C:\Program Files\PV5\Import50.tdb
2007-07-07 07:26 13943 --a------ C:\Program Files\PV5\INSTALL.LOG
2005-06-08 13:11 2818048 --a------ C:\Program Files\PV5\PV.exe
2005-06-08 13:02 196608 --a------ C:\Program Files\PV5\pv5gen.dll
2005-06-03 16:27 991232 --a------ C:\Program Files\PV5\pv5rpt.dll
2005-06-01 13:24 307200 --a------ C:\Program Files\PV5\pv5pkl.dll
2005-05-05 11:59 86016 --a------ C:\Program Files\PV5\pv5exp.dll
2005-04-27 12:43 167936 --a------ C:\Program Files\PV5\pvr409.dll
2005-04-18 12:14 434176 --a------ C:\Program Files\PV5\pv5imp.dll
2005-03-16 16:04 204800 --a------ C:\Program Files\PV5\pv5copy.dll
2004-12-23 14:43 217088 --a------ C:\Program Files\PV5\pv5sec.dll
2004-12-20 14:43 700416 --a------ C:\Program Files\PV5\pv5eco.dll
2004-12-20 13:02 282624 --a------ C:\Program Files\PV5\pv5lab.dll
2004-08-19 12:25 290816 --a------ C:\Program Files\PV5\PVQB.dll
2004-08-16 16:00 163840 --a------ C:\Program Files\PV5\pv5add.dll
2004-07-20 11:19 155648 --a------ C:\Program Files\PV5\PVPECO.exe
2004-02-04 12:02 417792 --a------ C:\Program Files\PV5\tdtd.005
2003-12-11 12:19 208896 --a------ C:\Program Files\PV5\pv5comp.dll
2003-10-24 13:16 208896 --a------ C:\Program Files\PV5\pv5grid.dll
2003-08-27 11:59 159744 --a------ C:\Program Files\PV5\pv5ado.dll
2003-08-26 16:46 40960 --a------ C:\Program Files\PV5\pv5read.dll
2003-06-10 13:16 360448 --a------ C:\Program Files\PV5\pv5conv.dll
2003-04-25 14:15 159744 --a------ C:\Program Files\PV5\pv5file.dll
2003-03-30 10:55 98304 --a------ C:\Program Files\PV5\pv5bar.dll
2003-03-18 13:17 290816 --a------ C:\Program Files\PV5\pv5opt.dll
2003-03-17 14:53 106496 --a------ C:\Program Files\PV5\pv5cur.dll
2003-02-22 00:09 180224 --a------ C:\Program Files\PV5\pv5filt.dll
2003-01-20 15:26 147456 --a------ C:\Program Files\PV5\pv5rptd.dll
2002-12-20 14:16 442368 --a------ C:\Program Files\PV5\pv5mrg.dll
2002-12-18 18:40 712704 --a------ C:\Program Files\PV5\Pv5data._db
2002-12-13 15:54 81920 --a------ C:\Program Files\PV5\pv5data.dll
2002-11-18 22:17 282624 --a------ C:\Program Files\PV5\pv5fgrid.dll
2002-11-12 12:21 1413 --a------ C:\Program Files\PV5\upgintro.txt
2002-10-06 23:56 77824 --a------ C:\Program Files\PV5\pv5vtm.dll
2002-10-06 23:54 98304 --a------ C:\Program Files\PV5\pv5unit.dll
2002-10-06 23:49 172032 --a------ C:\Program Files\PV5\pv5find.dll
2002-10-06 23:30 233472 --a------ C:\Program Files\PV5\pv5arc.dll
2002-08-22 16:29 49152 --a------ C:\Program Files\PV5\pv5fpwd.dll
2002-08-07 12:37 28672 --a------ C:\Program Files\PV5\GetPVDataFile.exe
2002-07-31 12:08 40960 --a------ C:\Program Files\PV5\Getpwd5.exe
2002-07-30 15:07 81920 --a------ C:\Program Files\PV5\pv5used.dll
2002-07-23 13:07 61440 --a------ C:\Program Files\PV5\pv5zoom.dll
2002-07-23 13:06 57344 --a------ C:\Program Files\PV5\pv5tip.dll
2002-07-23 12:52 77824 --a------ C:\Program Files\PV5\pv5fc.exe
2002-06-26 23:18 3093 --a------ C:\Program Files\PV5\Lic-agr5.txt
2002-04-29 14:18 45056 --a------ C:\Program Files\PV5\pv5view.dll
2002-01-17 23:34 20480 --a------ C:\Program Files\PV5\PVRestoreLocal.exe
2001-05-24 12:59 162304 --a------ C:\Program Files\PV5\UNWISE.EXE
2001-05-11 14:32 1406 --a------ C:\Program Files\PV5\save.ico
2001-05-11 14:32 1406 --a------ C:\Program Files\PV5\open.ico
2001-02-06 00:31 3836 --a------ C:\Program Files\PV5\PVrsSvr.TLB
2000-11-16 13:00 65536 --a------ C:\Program Files\PV5\JETCOMP.exe
1999-09-08 14:19 7240 --a------ C:\Program Files\PV5\pvtip.txt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-17 08:58]
"SkyTel"="SkyTel.EXE" []
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-09-24 01:30]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 C:\WINDOWS\RTHDCPL.EXE]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2005-08-18 15:49]

C:\Documents and Settings\Joe Jaworski\Start Menu\Programs\Startup\
MailWasher.lnk - C:\Program Files\MailWasher Pro\MailWasher.exe [2003-12-18 15:23:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UPnPMonitor"= {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 00:56 239616]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
backup=C:\WINDOWS\pss\Audible Download Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Joe Jaworski^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup


aspi32 - System32\drivers\aspi32.sys
drvmcdb - System32\Drivers\DRVMCDB.SYS
iteatapi - system32\DRIVERS\iteatapi.sys - ITEATAPI_Service_Install
ltxred - \SystemRoot\System32\drivers\ltxred.sys - Lantronix COM Redirector
meprog - \??\C:\WINDOWS\system32\drivers\meProg.sys - meprog
mssql$sqlexpress - "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS - SQL Server (SQLEXPRESS)
nvidesm - system32\drivers\nvidesm.sys
sfdrv01 - System32\drivers\sfdrv01.sys - StarForce Protection Environment Driver (version 1.x)
sfhlp02 - System32\drivers\sfhlp02.sys - StarForce Protection Helper Driver (version 2.x)
stuffit task manager - C:\PROGRA~1\StuffIt\MXTask.exe -Service - StuffIt Task Manager
zmxpzip - system32\DRIVERS\zmxpzip.sys - zmxpzip


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd9faa8a-2936-11d9-a044-806d6172696f}]
AutoRun\command- D:\setup.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-22 09:00:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-22 9:02:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-22 09:01
C:\ComboFix2.txt ... 2007-07-21 18:44

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:24 PM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\StuffIt\MXTask.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\StuffIt\mxtask.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\UPLOAD\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.0.16/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: MailWasher.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120147235484
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - http://www.therealyellowpageslive.net/live/ezinit.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StuffIt Task Manager - Allume Systems, Inc. - C:\PROGRA~1\StuffIt\MXTask.exe

--
End of file - 6054 bytes
joejvj is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-22-2007, 12:43 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,463
OS: N/A


Re: IE7 Runs Itself- Trojan SHuer.ZQ
Launch your email client - Eudora Pro. Then delete the following emails:

* norbert@mailhost.net [Date Tue, 12 Oct 1999 13:33:23 -0700]
* RNNamVet@aol.com [Date Tue, 2 Jan 2001 04:02:16 EST]
* service@paypal.com [Date Sun, 26 Jan 2003 04:24:44 -0800]


----------


Open notepad and copy/paste the text in the quotebox below into it:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
"C:\Documents and Settings\Joe Jaworski\Desktop\[4]-Submit_2007-07-22_ 85257.70.zip"
C:\Torrent\PC_Video_Converter_Studio_v4.3-DIGERATI\PC_Video_Converter_Studio_v4.3-DIGERATI.rar
C:\UPLOAD\SmitfraudFix.exe
) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)

for %%g in (
C:\UPLOAD\SmitfraudFix
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
nircmd wait 7000
del %0
Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says


----------


The windows installer issue will require a lot of digging around.








Please download this tool > System Repair Engineer
  1. Extract it to it's own folder & double click SREng.exe to run it

  2. Select 'Smart Scan' & tick "Verify Digital Signatures"

  3. Click on the [Scan] button

  4. When finished, click on the [Save Reports] button & save the log to Desktop

  5. Attach the log in your next reply. Dont post it

Note: You may have to rename SREngLog.log to SREngLog.txt before attaching
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-22-2007, 03:11 PM   #7 (permalink)
Registered User
 
Join Date: Jul 2007
Posts: 10
OS: XP


Re: IE7 Runs Itself- Trojan SHuer.ZQ
Hello,

The batch file ran and reported 'Deleted Successfully!'
joejvj is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-22-2007, 03:13 PM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,463
OS: N/A


Re: IE7 Runs Itself- Trojan SHuer.ZQ
Please post the SRENG log
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-22-2007, 03:15 PM   #9 (permalink)
Registered User
 
Join Date: Jul 2007
Posts: 10
OS: XP


Re: IE7 Runs Itself- Trojan SHuer.ZQ
Code:
2007-07-22,17:09:18

System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - Administrative User - Completed Functions Allowed

Follow item(s) have been choosed:
    All Boot Items (Including Registry, Startup Folders, Services and so on)
    Browser Add-ons
    Runing Processes (Including process model information)
    File Associations
    Winsock Provider
    Autorun.Inf
    HOSTS File
    Process Privileges Scan


Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
    <updateMgr><C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <AVG7_CC><C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP>  [GRISOFT, s.r.o.]
    <SkyTel><SkyTel.EXE>  [N/A]
    <Acrobat Assistant 7.0><"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe">  [Adobe Systems Inc.]
    <Adobe Reader Speed Launcher><"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe">  [(Verified)"Adobe Systems, Incorporated"]  
    <RTHDCPL><RTHDCPL.EXE>  [(Verified)Microsoft Windows XP Publisher]
    <ISUSPM Startup><C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup>  [InstallShield Software Corporation]
    <NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    <WinlogonNotify: WgaLogon><WgaLogon.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
    <IE7 Uninstall Stub><C:\WINDOWS\system32\ieudinit.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    <Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <Address Book 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
    <N/A><C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install>  [Microsoft Corporation]

==================================
Startup Folders
[MailWasher]
  <C:\Documents and Settings\Joe Jaworski\Start Menu\Programs\Startup\MailWasher.lnk --> C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE [Firetrust Ltd]><N>

==================================
Services
[Adobe LM Service / Adobe LM Service][Stopped/Manual Start]
  <"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><Adobe Systems>
[Apple Mobile Device / Apple Mobile Device][Running/Auto Start]
  <"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"><Apple, Inc.>
[AVG7 Alert Manager Server / Avg7Alrt][Running/Auto Start]
  <C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe><GRISOFT, s.r.o.>
[AVG7 Update Service / Avg7UpdSvc][Running/Auto Start]
  <C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe><GRISOFT, s.r.o.>
[Bonjour Service / Bonjour Service][Stopped/Disabled]
  <C:\Program Files\MusicMagic Mixer\mDNSResponder.exe><N/A>
[InstallDriver Table Manager / IDriverT][Stopped/Manual Start]
  <"C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"><Macrovision Corporation>
[Mespanger / Mespanger][Stopped/Disabled]
  <c:\Recyclers\svchost.exe><N/A>
[Messssanger / Messssanger][Stopped/Disabled]
  <c:\Recyclers\svchost.exe><N/A>
[NBService / NBService][Stopped/Disabled]
  <C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe><Nero AG>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
  <C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[stllssvr / stllssvr][Stopped/Disabled]
  <"C:\Program Files\Common Files\SureThing Shared\stllssvr.exe"><MicroVision Development, Inc.>
[StuffIt Task Manager / StuffIt Task Manager][Running/Auto Start]
  <C:\PROGRA~1\StuffIt\MXTask.exe -Service><Allume Systems, Inc.>

==================================
Drivers
[Aspi32 / Aspi32][Running/Auto Start]
  <System32\drivers\aspi32.sys><Adaptec>
[AVG7 Kernel / Avg7Core][Running/System Start]
  <\SystemRoot\System32\Drivers\avg7core.sys><GRISOFT, s.r.o.>
[AVG7 Wrap Driver / Avg7RsW][Running/System Start]
  <\SystemRoot\System32\Drivers\avg7rsw.sys><GRISOFT, s.r.o.>
[AVG7 Resident Driver XP / Avg7RsXP][Running/System Start]
  <\SystemRoot\System32\Drivers\avg7rsxp.sys><GRISOFT, s.r.o.>
[AVG7 Clean Driver / AvgClean][Running/System Start]
  <\SystemRoot\system32\drivers\avgclean.sys><GRISOFT, s.r.o.>
[catchme / catchme][Stopped/Manual Start]
  <\??\C:\DOCUME~1\JOEJAW~1\LOCALS~1\Temp\catchme.sys><N/A>
[DRVMCDB / DRVMCDB][Running/Boot Start]
  <\SystemRoot\System32\Drivers\DRVMCDB.SYS><Sonic Solutions>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus][Running/Manual Start]
  <system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[Service for Realtek HD Audio (WDM) / IntcAzAudAddService][Running/Manual Start]
  <system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
[ITEATAPI_Service_Install / iteatapi][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\iteatapi.sys><Integrated Technology Express, Inc.>
[Lantronix COM Redirector / Ltxred][Running/System Start]
  <\SystemRoot\System32\drivers\ltxred.sys><Microsoft Corporation>
[meprog / meprog][Running/Auto Start]
  <\??\C:\WINDOWS\system32\drivers\meProg.sys><microEngineering Labs, Inc.>
[ATK0110 ACPI UTILITY / MTsensor][Running/Manual Start]
  <system32\DRIVERS\ASACPI.sys><>
[nv / nv][Running/Manual Start]
  <system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[nvatabus / nvatabus][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\nvatabus.sys><NVIDIA Corporation>
[Service for NVIDIA(R) nForce(TM) Audio Enumerator / nvax][Stopped/Manual Start]
  <system32\drivers\nvax.sys><NVIDIA Corporation>
[NVIDIA nForce Networking Controller Driver / NVENET][Stopped/Manual Start]
  <system32\DRIVERS\NVENET.sys><NVIDIA Corporation>
[nvidesm / nvidesm][Running/Boot Start]
  <\SystemRoot\system32\drivers\nvidesm.sys><NVIDIA Corporation>
[Service for NVIDIA(R) nForce(TM) Audio / nvnforce][Stopped/Manual Start]
  <system32\drivers\nvapu.sys><NVIDIA Corporation>
[NVIDIA nForce AGP Bus Filter / nv_agp][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\nv_agp.sys><NVIDIA Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[PxHelp20 / PxHelp20][Running/Boot Start]
  <\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
[Secdrv / Secdrv][Running/Auto Start]
  <System32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[StarForce Protection Environment Driver (version 1.x) / sfdrv01][Running/Boot Start]
  <\SystemRoot\System32\drivers\sfdrv01.sys><Protection Technology>
[StarForce Protection Helper Driver (version 2.x) / sfhlp02][Running/Boot Start]
  <\SystemRoot\System32\drivers\sfhlp02.sys><Protection Technology>
[TDIMSYS / TDIMSYS][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\drivers\TDIMSYS.SYS><N/A>
[USB to Serial Converter Driver(Philips) / U2SP][Stopped/Manual Start]
  <system32\DRIVERS\u2s2kxp.sys><Magic Control Technology Corp.>
[ultra / ultra][Running/Boot Start]
  <\SystemRoot\System32\DRIVERS\ultra.sys><Promise Technology, Inc.>
[usb18prg / usb18prg][Stopped/Manual Start]
  <system32\drivers\usb18prg.sys><mikroElektronika>
[Logitech Virtual Bus Enumerator Driver / WmBEnum][Running/Manual Start]
  <system32\drivers\WmBEnum.sys><Logitech Inc.>
[Logitech WingMan HID Filter Driver / WmFilter][Stopped/Manual Start]
  <system32\drivers\WmFilter.sys><Logitech Inc.>
[Logitech Virtual Hid Device Driver / WmVirHid][Stopped/Manual Start]
  <system32\drivers\WmVirHid.sys><Logitech Inc.>
[Logitech WingMan Translation Layer Driver / WmXlCore][Running/Manual Start]
  <system32\drivers\WmXlCore.sys><Logitech Inc.>
[NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller / yukonwxp][Running/Manual Start]
  <system32\DRIVERS\yk51x86.sys><Marvell>
[zmxpzip / zmxpzip][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\zmxpzip.sys><Allume Systems>

==================================
Browser Add-ons
[Adobe PDF Reader Link Helper]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[AcroIEToolbarHelper Class]
  {AE7CD045-E861-484f-8273-0445EE161910} <C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll, Adobe Systems Incorporated>
[]
  {e2e2dd38-d088-4134-82b7-f2ba38496583} <%windir%\Network Diagnostic\xpnetdiag.exe, N/A>
[Messenger]
  {FB5F1910-F110-11d2-BB9E-00C04F795683} <, N/A>
[Adobe PDF]
  {47833539-D0C5-4125-9FA8-0819E2EAAC93} <C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll, Adobe Systems Incorporated>
[CKAVWebScan Object]
  {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} <C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll, Kaspersky Lab>
[Office Update Installation Engine]
  {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} <C:\WINDOWS\opuc.dll, Microsoft Corporation>
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[ActiveScan Installer Class]
  {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} <C:\WINDOWS\Downloaded Program Files\asinst.dll, Panda Software>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\macromed\flash\Flash.ocx, Macromedia, Inc.>
[CTAdjust Class]
  {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} <C:\WINDOWS\Downloaded Program Files\clearadjust.dll, N/A>
[Yahoo! Toolbar Helper]
  {02478D38-C3F9-4EFB-9B51-7695ECA05670} <, N/A>
[Adobe PDF Reader Link Helper]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[Web Browser Applet Control]
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\WINDOWS\System32\msjava.dll, Microsoft Corporation>
[CKAVWebScan Object]
  {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} <C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll, Kaspersky Lab>
[Windows Genuine Advantage Validation Tool]
  {17492023-C23A-453E-A040-C7C580BBF700} <C:\WINDOWS\system32\legitcheckcontrol.dll, Microsoft Corporation>
[DHTML Edit Control Safe for Scripting for IE5]
  {2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, Microsoft Corporation>
[Tabular Data Control]
  {333C7BC4-460F-11D0-BC04-0080C7055A83} <C:\WINDOWS\system32\tdc.ocx, Microsoft Corporation>
[IETag Factory]
  {38481807-CA0E-42D2-BF39-B33AF135CC4D} <C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\IETAG.DLL, Microsoft Corporation>
[Office Update Installation Engine]
  {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} <C:\WINDOWS\opuc.dll, Microsoft Corporation>
[Adobe PDF]
  {47833539-D0C5-4125-9FA8-0819E2EAAC93} <C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll, Adobe Systems Incorporated>
[XML Document]
  {48123BC4-99D9-11D1-A6B3-00C04FD91555} <%SystemRoot%\system32\msxml3.dll, N/A>
[Reporte Class]
  {4A2A4430-3967-4461-94C7-BD95C419F3CF} <C:\WINDOWS\system32\ActiveScan\ascontrol.dll, Panda Software>
[InstallShield Update Service Agent]
  {5B7524C8-2446-40E9-9474-94A779DBA224} <C:\WINDOWS\Downloaded Program Files\isusweb.dll, InstallShield Software Corporation>
[CKAVReportCtrl Object]
  {6117669B-8C2D-41FA-A6D9-9E484B999CF0} <C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll, Kaspersky Lab>
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[Windows Media Player]
  {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Seleccion Class]
  {6CEC0297-FAFB-41FB-97EA-77E3081B1DFE} <C:\WINDOWS\system32\ActiveScan\ascontrol.dll, Panda Software>
[ControlConexion Class]
  {6FDCDD41-6C97-4A3B-9E6D-0144B66A1CE4} <C:\WINDOWS\system32\ActiveScan\ascontrol.dll, Panda Software>
[Microsoft Web Browser]
  {8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\ieframe.dll, Microsoft Corporation>
[EltronX Label Printer]
  {8EA56D4D-1F18-45D7-A150-6E497C35F03B} <C:\WINDOWS\DOWNLO~1\EltronX.ocx, N/A>
[Panda ActiveScan]
  {96567F65-E04C-4611-AF29-7CDEA6FA6A84} <C:\WINDOWS\system32\ACTIVE~1\as.dll, Panda Software>
[ActiveScan Installer Class]
  {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} <C:\WINDOWS\Downloaded Program Files\asinst.dll, Panda Software>
[AcroIEToolbarHelper Class]
  {AE7CD045-E861-484F-8273-0445EE161910} <C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll, Adobe Systems Incorporated>
[SearchAssistantOC]
  {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\System32\shdocvw.dll, N/A>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\macromed\flash\Flash.ocx, Macromedia, Inc.>
[CTAdjust Class]
  {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} <C:\WINDOWS\Downloaded Program Files\clearadjust.dll, N/A>
[InstallShield Update Service Agent]
  {E9880553-B8A7-4960-A668-95C68BED571E} <C:\WINDOWS\Downloaded Program Files\isusweb.dll, InstallShield Software Corporation>
[XML HTTP Request]
  {ED8C108E-4349-11D2-91A4-00C04F7969E8} <%SystemRoot%\system32\msxml3.dll, N/A>
[Yahoo! Toolbar]
  {EF99BD32-C1FB-11D2-892F-0090271D4F88} <, N/A>
[XML DOM Document 3.0]
  {F5078F32-C551-11D3-89B9-0000F81FE221} <%SystemRoot%\system32\msxml3.dll, N/A>
[XML HTTP]
  {F6D90F16-9C73-11D3-B32E-00C04F990BB4} <%SystemRoot%\system32\msxml3.dll, N/A>
[Convert link target to Adobe PDF]
  <res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html, N/A>
[Convert link target to existing PDF]
  <res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html, N/A>
[Convert selected links to Adobe PDF]
  <res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html, N/A>
[Convert selected links to existing PDF]
  <res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html, N/A>
[Convert selection to Adobe PDF]
  <res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html, N/A>
[Convert selection to existing PDF]
  <res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html, N/A>
[Convert to Adobe PDF]
  <res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html, N/A>
[Convert to existing PDF]
  <res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html, N/A>
[E&xport to Microsoft Excel]
  <res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000, N/A>

==================================
Running Processes
[PID: 632 / SYSTEM][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 680 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 704 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 748 / SYSTEM][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 760 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 936 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1000 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1096 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1180 / NETWORK SERVICE][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1260 / LOCAL SERVICE][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1312 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe]  [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
    [C:\WINDOWS\system32\AdobePDF.dll]  [Adobe Systems Incorporated., 8.0.0.00]
    [C:\Program Files\Adobe\Acrobat 7.0\Distillr\adistres.dll]  [Adobe Systems Incorporated., 7.0.5.2005092300]
    [C:\WINDOWS\system32\pt15l.dll]  [Brother Industries, Ltd., 1, 0, 0, 0]
    [C:\WINDOWS\system32\ptusbp2.dll]  [Brother Industries, Ltd., 2, 2, 1, 0]
    [C:\WINDOWS\system32\ptusbp2r.dll]  [Brother Industries, Ltd., 20, 1, 5, 8]
    [C:\WINDOWS\system32\zsdepl.dcl]  [Number Five Software, 1, 1, 0, 0]
    [C:\WINDOWS\system32\HPDCMON.DLL]  [Hewlett-Packard, 04.20.00]
[PID: 1624 / SYSTEM][C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe]  [Apple, Inc., 1, 12, 0, 0]
[PID: 1648 / SYSTEM][C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe]  [GRISOFT, s.r.o., 7.5.0.453]
    [C:\PROGRA~1\Grisoft\AVG7\avgklib.dll]  [GRISOFT, s.r.o., 7.5.0.458]
    [C:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
    [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [C:\PROGRA~1\Grisoft\AVG7\avglog.dll]  [GRISOFT, s.r.o., 7.5.0.429]
    [C:\Program Files\Grisoft\AVG7\avgcfg.dll]  [GRISOFT, s.r.o., 7.5.0.460]
    [C:\Program Files\Grisoft\AVG7\avglng.dll]  [GRISOFT, s.r.o., 7.5.0.429]
    [C:\Program Files\Grisoft\AVG7\avgamint.dll]  [GRISOFT, s.r.o., 7.5.0.435]
    [C:\Program Files\Grisoft\AVG7\avgamsps.dll]  [GRISOFT, s.r.o., 7.5.0.407]
[PID: 1668 / SYSTEM][C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe]  [GRISOFT, s.r.o., 7.5.0.420]
    [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
[PID: 1764 / NETWORK SERVICE][c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe]  [Microsoft Corporation, 2005.090.1399.00]
    [C:\WINDOWS\system32\MSCOREE.DLL]  [Microsoft Corporation, 2.0.50727.832 (QFE.050727-8300)]
[PID: 1924 / joe][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\dfshim.dll]  [Microsoft Corporation, 2.0.50727.42 (RTM.050727-4200)]
    [C:\WINDOWS\system32\mscoree.dll]  [Microsoft Corporation, 2.0.50727.832 (QFE.050727-8300)]
    [C:\Program Files\WinSCP3\DragExt.dll]  [Martin Prikryl, 1.1.3.43]
    [C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll]  [Adobe Systems Incorporated, 7.0.5.2005092300]
    [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [C:\WINDOWS\system32\CfShellFtpRds.dll]  [Macromedia, Inc., 6,0,0,0]
    [C:\WINDOWS\system32\cfssvradmin.dll]  [Macromedia, Inc., 6,0,0,0]
    [C:\WINDOWS\system32\CFFileProxy.dll]  [Macromedia, Inc., 6,0,0,0]
    [C:\Program Files\Common Files\Ahead\Lib\MFC71.DLL]  [Microsoft Corporation, 7.10.3077.0]
    [C:\Program Files\Common Files\Ahead\Lib\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
    [C:\WINDOWS\system32\MFC71enu.DLL]  [Microsoft Corporation, 7.10.3077.0]
    [C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll]  [Adobe Systems Inc., 7.0.5.2005092300\0]
    [C:\Program Files\Adobe\Acrobat 7.0\Distillr\ADIST32.dll]  [Adobe Systems Incorporated., 7.0.5.0]
    [C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll]  [Nero AG, 2, 7, 2, 0]
    [C:\Program Files\Nero\Nero 7\Nero BackItUp\MFC71U.DLL]  [Microsoft Corporation, 7.10.3077.0]
    [C:\Program Files\StuffIt\CompressMenu.dll]  [Allume Systems, Inc., 9.0.1.27]
    [C:\Program Files\StuffIt\Allume.dll]  [Allume Systems, Inc, 9.0.1.27]
    [C:\Program Files\Grisoft\AVG7\avgse.dll]  [GRISOFT, s.r.o., 7.5.0.409]
    [C:\Program Files\QuickSFV\QSFVShll.dll]  [Mercedes, 2, 3, 4, 0]
    [C:\Program Files\StuffIt\ArchiveMenu.dll]  [Allume Systems, Inc., 9.0.1.27]
    [C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll]  [Nero AG, 2, 0, 0, 8]
    [C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll]  [Sun Microsystems, Inc., 8.0.0.9090]
    [C:\Program Files\OpenOffice.org 2.1\program\uwinapi.dll]  [Sun Microsystems, Inc., 8.0.0.9084]
    [C:\Program Files\OpenOffice.org 2.1\program\stlport_vc7145.dll]  [STLport Consulting, Inc., 4.5.2003.0120]
    [C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 8.1.0.0]
[PID: 2000 / joe][C:\PROGRA~1\Grisoft\AVG7\avgcc.exe]  [GRISOFT, s.r.o., 7.5.0.460]
    [C:\PROGRA~1\Grisoft\AVG7\AvgTMgr.dll]  [GRISOFT, s.r.o., 7.5.0.458]
    [C:\PROGRA~1\Grisoft\AVG7\AvgCtrl.dll]  [GRISOFT, s.r.o., 7.5.0.458]
    [C:\WINDOWS\system32\MFC71.DLL]  [Microsoft Corporation, 7.10.3077.0]
    [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [C:\WINDOWS\system32\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
    [C:\PROGRA~1\Grisoft\AVG7\AvgAbout.dll]  [GRISOFT, s.r.o., 7.5.0.458]
    [C:\PROGRA~1\Grisoft\AVG7\AvgTest.dll]  [GRISOFT, s.r.o., 7.5.0.458]
    [C:\PROGRA~1\Grisoft\AVG7\AvgTRes.dll]  [GRISOFT, s.r.o., 7.5.0.458]
    [C:\PROGRA~1\Grisoft\AVG7\AvgSet.dll]  [, ]
    [C:\WINDOWS\system32\MFC71enu.DLL]  [Microsoft Corporation, 7.10.3077.0]
    [C:\PROGRA~1\Grisoft\AVG7\avglog.dll]  [GRISOFT, s.r.o., 7.5.0.429]
    [C:\Program Files\Grisoft\AVG7\avgcfg.dll]  [GRISOFT, s.r.o., 7.5.0.460]
    [C:\Program Files\Grisoft\AVG7\avgklib.dll]  [GRISOFT, s.r.o., 7.5.0.458]
    [C:\Program Files\Grisoft\AVG7\avglng.dll]  [GRISOFT, s.r.o., 7.5.0.429]
    [C:\Program Files\Grisoft\AVG7\AVGRES.DLL]  [N/A, ]
    [C:\Program Files\Grisoft\AVG7\avgcckrn.dll]  [GRISOFT, s.r.o., 7.5.0.460]
    [C:\Program Files\Grisoft\AVG7\avgvault.dll]  [GRISOFT, s.r.o., 7.5.0.458]
    [C:\Program Files\Grisoft\AVG7\avgrep.dll]  [GRISOFT, s.r.o., 7.5.0.448]
    [C:\Program Files\Grisoft\AVG7\avgunarc.dll]  [GRISOFT, s.r.o., 7.5.0.474]
    [C:\PROGRA~1\EUDORA~1\Plugins\avgeud32.dll]  [GRISOFT, s.r.o., 7.5.0.415]
[PID: 2012 / SYSTEM][C:\WINDOWS\system32\nvsvc32.exe]  [NVIDIA Corporation, 6.14.10.9371]
    [C:\WINDOWS\system32\nvapi.dll]  [N/A, ]
[PID: 164 / NETWORK SERVICE][C:\WINDOWS\System32\locator.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 244 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 272 / SYSTEM][C:\PROGRA~1\StuffIt\MXTask.exe]  [Allume Systems, Inc., 9.0.1.27]
    [C:\PROGRA~1\StuffIt\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
    [C:\PROGRA~1\StuffIt\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [C:\PROGRA~1\StuffIt\MXDebug2.dll]  [Allume Systems, Inc., 9.0.1.27]
    [C:\PROGRA~1\StuffIt\MXPM.DLL]  [Allume Systems, Inc., 9.0.1.27]
    [C:\PROGRA~1\StuffIt\zftsvc.dll]  [Allume Systems, Inc., 9.0.1.27]
    [C:\PROGRA~1\StuffIt\zfintf.dll]  [Allume Systems, Inc., 9.0.1.27]
    [C:\PROGRA~1\StuffIt\ZipFoldersOptions.dll]  [Allume Systems, Inc., 9.0.1.27]
    [C:\PROGRA~1\StuffIt\MFC71.DLL]  [Microsoft Corporation, 7.10.3077.0]
    [C:\PROGRA~1\StuffIt\OptionsGUI.dll]  [Allume Systems, Inc, 9.0.1.27]
    [C:\PROGRA~1\StuffIt\Allume.dll]  [Allume Systems, Inc, 9.0.1.27]
    [C:\WINDOWS\system32\MFC71enu.DLL]  [Microsoft Corporation, 7.10.3077.0]
[PID: 400 / joe][C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe]  [Adobe Systems Inc., 7.0.1.2005092300]
    [C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.DEU]  [Adobe Systems Inc., 7.0.0.0]
    [C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.FRA]  [Adobe Systems Inc., 7.0.0.0]
[PID: 496 / joe][C:\WINDOWS\RTHDCPL.EXE]  [Realtek Semiconductor Corp., 2.0.1.7]
[PID: 724 / joe][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 2120 / SYSTEM][C:\PROGRA~1\StuffIt\mxtask.exe]  [Allume Systems, Inc., 9.0.1.27]
    [C:\PROGRA~1\StuffIt\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
    [C:\PROGRA~1\StuffIt\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [C:\PROGRA~1\StuffIt\MXDebug2.dll]  [Allume Systems, Inc., 9.0.1.27]
    [C:\PROGRA~1\StuffIt\MXPM.DLL]  [Allume Systems, Inc., 9.0.1.27]
    [C:\PROGRA~1\StuffIt\zftuser.dll]  [Allume Systems, Inc., 9.0.1.27]
    [C:\PROGRA~1\StuffIt\MFC71.DLL]  [Microsoft Corporation, 7.10.3077.0]
    [C:\PROGRA~1\StuffIt\ZipFoldersOptions.dll]  [Allume Systems, Inc., 9.0.1.27]
    [C:\PROGRA~1\StuffIt\OptionsGUI.dll]  [Allume Systems, Inc, 9.0.1.27]
    [C:\PROGRA~1\StuffIt\Allume.dll]  [Allume Systems, Inc, 9.0.1.27]
    [C:\WINDOWS\system32\MFC71enu.DLL]  [Microsoft Corporation, 7.10.3077.0]
[PID: 2208 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3464 / joe][C:\Program Files\MailWasher Pro\MailWasher.exe]  [Firetrust Ltd, 5.0.14.6034]
    [C:\Program Files\MailWasher Pro\MailAnalysis.dll]  [, 1.0.0.1]
[PID: 4084 / joe][C:\Program Files\Mozilla Firefox\firefox.exe]  [Mozilla Corporation, 1.8.1.5: 2007071317]
    [C:\Program Files\Mozilla Firefox\js3250.dll]  [Netscape Communications Corporation, 4.0]
    [C:\Program Files\Mozilla Firefox\nspr4.dll]  [Netscape Communications Corporation, 4.6.7]
    [C:\Program Files\Mozilla Firefox\xpcom_core.dll]  [Mozilla Foundation, 1.8.1.5: 2007071317]
    [C:\Program Files\Mozilla Firefox\plc4.dll]  [Netscape Communications Corporation, 4.6.7]
    [C:\Program Files\Mozilla Firefox\plds4.dll]  [Netscape Communications Corporation, 4.6.7]
    [C:\Program Files\Mozilla Firefox\smime3.dll]  [Mozilla Foundation, 3.11.5 Basic ECC]
    [C:\Program Files\Mozilla Firefox\nss3.dll]  [Mozilla Foundation, 3.11.5 Basic ECC]
    [C:\Program Files\Mozilla Firefox\softokn3.dll]  [Mozilla Foundation, 3.11.4 Basic ECC]
    [C:\Program Files\Mozilla Firefox\ssl3.dll]  [Mozilla Foundation, 3.11.5 Basic ECC]
    [C:\Program Files\Mozilla Firefox\xpcom_compat.dll]  [Mozilla Foundation, 1.8.1.5: 2007071317]
    [C:\Program Files\Mozilla Firefox\components\myspell.dll]  [Mozilla Foundation, 1.8.1.5: 2007071317]
    [C:\Program Files\Mozilla Firefox\components\jar50.dll]  [Mozilla Foundation, 1.8.1.5: 2007071317]
    [C:\Program Files\Mozilla Firefox\components\jsd3250.dll]  [Mozilla Foundation, 1.8.1.5: 2007071317]
    [C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll]  [Mozilla Foundation, 1.8.1.5: 2007071317]
    [C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL]  [Full Circle Software, Inc., 2.2.unofficial]
    [C:\Program Files\Mozilla Firefox\freebl3.dll]  [Mozilla Foundation, 3.11.4 Basic ECC]
    [C:\Program Files\Mozilla Firefox\nssckbi.dll]  [Mozilla Foundation, 1.64]
    [C:\Program Files\Mozilla Firefox\components\spellchk.dll]  [Mozilla Foundation, 1.8.1.5: 2007071317]
[PID: 3824 / joe][C:\UPLOAD\sreng2\SREngPS.EXE]  [Smallfrogs Studio, 2.5.16.900]
    [C:\UPLOAD\sreng2\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]

==================================
File Associations
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]  
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
N/A

==================================
Autorun.Inf
N/A

==================================
HOSTS File
127.0.0.1       localhost

==================================
Process Privileges Scan
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 1624, C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 2000, C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 272, C:\PROGRA~1\STUFFIT\MXTASK.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 2120, C:\PROGRA~1\STUFFIT\MXTASK.EXE]
Special Privilege Enabled: SeLoadDriverPrivilege [PID = 3464, C:\PROGRAM FILES\MAILWASHER PRO\MAILWASHER.EXE]

==================================
API HOOK
N/A

==================================
Hidden Process
N/A

==================================
joejvj is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-22-2007, 03:59 PM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,463
OS: N/A


Re: IE7 Runs Itself- Trojan SHuer.ZQ
I'm not seeing anything out of the ordinary that may be causing those Windows Installer dialog boxes. Does those boxes require you to click on anything before they disappear? If possible, please grab a screenshot of them.

I want a closer look at this file - C:\QooBox\Quarantine\c\Recyclers\svchost.exe.vir
Please upload to this website: http://www.bleepingcomputer.com/subm....php?channel=4
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-22-2007, 04:09 PM   #11 (permalink)
Registered User
 
Join Date: Jul 2007
Posts: 10
OS: XP


Re: IE7 Runs Itself- Trojan SHuer.ZQ
I don't have a subdirectory in the root named 'QooBox'.

I have already posted the boxes that I see above. They are not on the screen very long. They go away by themselves. I have also tried clicking on the cancel buttons when the boxes popped up and it made no difference.

During my own attempts of getting spyware, adware, malware, etc. programs I did install and uninstall a lot of stuff in a short period of time. I'm wondering is this has nothing to do with the virus, and is just something I did during that time. I do remember my machine crashing during one of those installs.
joejvj is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-22-2007, 04:21 PM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,463
OS: N/A


Re: IE7 Runs Itself- Trojan SHuer.ZQ
Sorry about that. We deleted QooBox earlier on.

Does those boxes appear in Safe mode?

What programs did you try to install?
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-22-2007, 05:01 PM   #13 (permalink)
Registered User
 
Join Date: Jul 2007
Posts: 10
OS: XP


Re: IE7 Runs Itself- Trojan SHuer.ZQ
No, It doesn't happen in Safe Mode.

I don't have a clear list of what I tried to install. I did remove a few programs like iTunes and Microsoft Office Visio because I thought they were infected. In fact, Visio crashed during the uninstall, so perhaps that is part of the problem. I will try a repair or a re-install on that one.

The things I installed were SpywareBlaster, Ad-Aware 2007, Spybot, silentrunning.vbs, and maybe a few more. I have removed many of these already. Sorry I did not document this.
joejvj is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-22-2007, 07:52 PM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,463
OS: N/A


Re: IE7 Runs Itself- Trojan SHuer.ZQ
We have to find out which of your autostart entries are causing this.

Do this now..
Go to Start > Run - type msconfig <Press Enter> (this opens the system configuration utility)

Under the General Tab, select Selective Startup
Untick Load StartUp Items & click OK

Reboot your computer when prompted.

Let me know if dialog boxes appear
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-23-2007, 05:58 AM   #15 (permalink)
Registered User
 
Join Date: Jul 2007
Posts: 10
OS: XP


Re: IE7 Runs Itself- Trojan SHuer.ZQ
The "Preparing To Install" boxes do NOT happen when I disabled all startup items through msconfig.

So went through and turned on each startup item and rebooted. I discovered that this entry alone causes the dialog boxes to appear:

C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

I hate startup items, so if there is a safe way to just delete it I'm in favor of that.
joejvj is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-23-2007, 06:35 AM   #16 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,463
OS: N/A


Re: IE7 Runs Itself- Trojan SHuer.ZQ
LOL ..it's not an essential entry. Simply have Hijackthis fix the entry.

Let us know how that went
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-23-2007, 07:03 AM   #17 (permalink)
Registered User
 
Join Date: Jul 2007
Posts: 10
OS: XP


Re: IE7 Runs Itself- Trojan SHuer.ZQ
Thank You so much for your help. I could not have found someone to do this locally, let alone walk me through the repairs step by step to get my machine back up and running. Even the installer dialog box issue I had (which I don't believe was caused by the Trojan) was fixed as well. I am going now to make a donation to you guys.

Anyone else reading this- You can't buy this kind of service anywhere. Please make a donation to these guys. I am running antivirus and spyware programs 24/7 on my machine and still a virus got through. It will likely happen to you too.
joejvj is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-23-2007, 08:05 AM   #18 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,463
OS: N/A


Re: IE7 Runs Itself- Trojan SHuer.ZQ
Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start → Run → type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources → http://www.bleepingcomputer.com/forums/topict405.html

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html


  6. Microsoft Windows Updatehttp://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial43.html

  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial48.html


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://toolbar.google.com/ - Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-23-2007, 08:16 AM   #19 (permalink)
Registered User
 
Join Date: Jul 2007
Posts: 10
OS: XP


Re: IE7 Runs Itself- Trojan SHuer.ZQ
Thanks!
joejvj is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 07:00 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85