Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page HJT help!
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
Page 1 of 2 1 2
 
LinkBack Thread Tools
Old 08-06-2007, 09:04 PM   #1 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


HJT help!
hi everyone its been a while, hope everyone doing well. anyways i am having problem opening HJT "HijackThis.exe has generate3d errors and will be closed by Windows. You need to restart the program..............An error log is being created." is the error i am getting.

i have try uninstalling HJT and reinstalling but it doesnt seem to help.

also i am having alot of pop ups and troj. i cant seem to clean it with my virus scanner, adaware, spy bot search and destroy.

if anyone is available, i would like some help please. thank you.
HoAfCr is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Sponsored Links
Old 08-06-2007, 09:13 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: HJT help!
Please follow MicroBell's 5 Step process - http://www.techsupportforum.com/secu...sting-log.html.

You shall have a proper set of logs for us after that
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 08-06-2007, 09:26 PM   #3 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!
i am having trouble with step #2. was scanning until IE froze on me. had to restart. now im getting:

Error on downloading ActiveScanAn error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try againPossible causes of this error are:

Not allowing the application's ActiveX control to be downloaded.

Problems with the Internet connection.

The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,... Try again
HoAfCr is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 08-06-2007, 09:29 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: HJT help!
Skip everything & proceed to the final step, STEP #5
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 08-06-2007, 09:37 PM   #5 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!
Deckard's System Scanner v20070804.61
Run by Kevin on 2007-08-06 at 21:29:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Kevin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:54 PM, on 8/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINNT\system32\taskmgr.exe
D:\Program Files\$$$$$$$$$$$$$$$$\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kevin.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {857A461D-8D96-4996-A4A0-AEA0A2535B86} - C:\WINNT\system32\efcccdd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B233F9B9-8058-49FC-9386-E12FB2E207BC} - C:\WINNT\system32\gebcd.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINNT\system32\qkydqqjm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - D:\Program Files\Bodog Poker\BPGame.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1175971104859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175972679609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: efcccdd - C:\WINNT\SYSTEM32\efcccdd.dll
O20 - Winlogon Notify: gebcd - C:\WINNT\system32\gebcd.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: Google Advanced Search - http://www.google.com/advanced_search?hl=en

--
End of file - 8837 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 StarOpen - c:\winnt\system32\drivers\staropen.sys
R3 NaiAvFilter1 - c:\winnt\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>

S3 XDva004 - c:\winnt\system32\xdva004.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_10DE&DEV_00E8&SUBSYS_34011019&REV_A2\3&13C0B0C5&0&12
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_10DE&DEV_00E8&SUBSYS_34011019&REV_A2\3&13C0B0C5&0&12
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_1317&DEV_0985&SUBSYS_05741317&REV_11\4&3191A3E6&0&4870
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_1317&DEV_0985&SUBSYS_05741317&REV_11\4&3191A3E6&0&4870
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1033&DEV_00E0&SUBSYS_33830EE4&REV_04\4&3191A3E6&0&5270
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1033&DEV_00E0&SUBSYS_33830EE4&REV_04\4&3191A3E6&0&5270
Service:


-- Scheduled Tasks -------------------------------------------------------------

2007-08-01 16:18:01 284 --a------ C:\WINNT\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-07-06 and 2007-08-06 -----------------------------

2007-08-06 21:11:43 0 d-------- C:\WINNT\system32\ActiveScan
2007-08-06 16:03:15 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_454.dat
2007-08-06 15:25:31 0 d-------- C:\Program Files\Trend Micro
2007-08-06 03:48:47 125504 --a------ C:\WINNT\system32\opqfyrff.dll
2007-08-06 03:45:47 4672 --a------ C:\WINNT\system32\xjhuautm.exe
2007-08-06 03:42:47 4672 --a------ C:\WINNT\system32\ckcrhbuc.exe
2007-08-06 02:48:48 4672 --a------ C:\WINNT\system32\bvenrovp.exe
2007-08-06 02:40:18 4672 --a------ C:\WINNT\system32\sluclkqk.exe
2007-08-05 16:08:54 0 d-------- C:\Documents and Settings\Kevin\Application Data\SopCast
2007-08-05 16:08:53 0 d-------- C:\Program Files\SopCast
2007-08-05 12:38:06 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_434.dat
2007-08-05 12:33:02 0 d-------- C:\Documents and Settings\Kevin\.housecall6.6
2007-08-05 11:56:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-05 02:46:08 4672 --a------ C:\WINNT\system32\ksvcgjwn.exe
2007-08-05 02:43:11 125504 --a------ C:\WINNT\system32\qrucqflq.dll
2007-08-05 02:37:08 4672 --a------ C:\WINNT\system32\sjngxyve.exe
2007-08-04 13:02:49 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_400.dat
2007-08-04 02:38:05 125504 --a------ C:\WINNT\system32\sbpetcme.dll
2007-08-04 02:38:01 4672 --a------ C:\WINNT\system32\ckeuccal.exe
2007-08-04 02:35:09 4672 --a------ C:\WINNT\system32\atfvoghd.exe
2007-08-03 13:29:28 125504 --a------ C:\WINNT\system32\rqyxceym.dll
2007-08-03 02:43:57 69184 --a------ C:\WINNT\system32\qkydqqjm.dll
2007-08-03 02:40:55 4672 --a------ C:\WINNT\system32\eyaldsjf.exe
2007-08-03 02:36:50 66112 --a------ C:\WINNT\system32\ciqpkbux.exe
2007-08-03 02:35:13 4672 --a------ C:\WINNT\system32\nwnhuqgr.exe
2007-08-03 02:33:32 1767512 ---hs---- C:\WINNT\system32\dcbeg.bak2
2007-07-29 12:08:32 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_428.dat
2007-07-26 13:38:55 0 d-------- C:\Documents and Settings\Kevin\Application Data\Stamps.com Internet Postage
2007-07-26 13:36:36 0 d-a------ C:\Program Files\Stamps.com Internet Postage
2007-07-24 1406 4096 --a------ C:\WINNT\system32\crash
2007-07-23 14:11:15 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_42c.dat
2007-07-21 15:23:15 266336 --a------ C:\WINNT\system32\gebcd.dll
2007-07-21 15:18:09 31254 -----n--- C:\WINNT\system32\efcccdd.dll
2007-07-19 03:38:09 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-07-16 18:35:46 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_480.dat
2007-07-15 09:55:49 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_478.dat
2007-07-10 15:00:24 0 d-------- C:\Program Files\iPod
2007-07-10 13:09:13 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_470.dat


-- Find3M Report ---------------------------------------------------------------

2007-08-06 21:04:58 0 d-------- C:\Program Files\Viewpoint
2007-07-29 20:31:06 0 d-------- C:\Documents and Settings\Kevin\Application Data\LimeWire
2007-07-26 13:41:31 0 d-------- C:\Program Files\MySpace
2007-07-26 00:38:46 0 d-------- C:\Documents and Settings\Kevin\Application Data\Yahoo!
2007-07-15 03:35:55 1018392 ---h----- C:\WINNT\ShellIconCache
2007-07-10 14:57:31 0 d-------- C:\Program Files\Apple Software Update
2007-07-05 05:05:35 0 d-------- C:\Documents and Settings\Kevin\Application Data\ZoomBrowser EX
2007-07-04 21:20:35 0 d-------- C:\Documents and Settings\Kevin\Application Data\MySpace
2007-07-04 16:44:59 0 d-------- C:\Program Files\Canon
2007-07-04 16:44:48 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-04 16:35:16 0 d-------- C:\Program Files\Common Files\Canon
2007-07-04 16:35:06 0 d-a------ C:\Program Files\Common Files
2007-06-22 19:02:06 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_234.dat
2007-06-22 18:53:02 109753 --a------ C:\WINNT\hpoins11.dat
2007-06-22 18:52:47 0 d-------- C:\Program Files\Hewlett-Packard
2007-06-22 18:52:38 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-06-22 18:52:08 0 d-------- C:\Program Files\HP
2007-06-17 10:46:06 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_408.dat
2007-06-14 21:17:30 0 d-------- C:\Documents and Settings\Kevin\Application Data\Viewpoint
2007-06-11 23:32:11 0 d-------- C:\Program Files\Common Files\InstallShield
2007-06-10 17:57:15 0 d-------- C:\Program Files\AIM6
2007-06-07 22:32:24 0 d-------- C:\Documents and Settings\Kevin\Application Data\Apple Computer
2007-06-07 22:31:30 0 d-------- C:\Program Files\QuickTime
2007-06-07 04:16:22 0 d-------- C:\Documents and Settings\Kevin\Application Data\Adobe
2007-06-07 04:09:54 0 d-------- C:\Program Files\Common Files\Adobe
2007-06-07 04:08:24 2914 --a------ C:\WINNT\mozver.dat
2007-06-03 1753 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4c0.dat
2007-05-31 23:13:47 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_3d0.dat
2007-05-29 18:19:08 50176 --a------ C:\WINNT\system32\reg.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-05-28 23:34:10 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_444.dat
2007-05-26 18:31:08 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_430.dat
2007-05-26 17:55:51 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4a8.dat
2007-05-26 17:45:46 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_bf4.dat
2007-05-23 09:00:01 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_3cc.dat
2007-05-20 14:15:51 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_398.dat
2007-05-09 02:31:25 2528 --a------ C:\Documents and Settings\Kevin\Application Data\$_hpcst$.hpc


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{857A461D-8D96-4996-A4A0-AEA0A2535B86}]
07/21/07 03:18p 31254 --------- C:\WINNT\system32\efcccdd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B233F9B9-8058-49FC-9386-E12FB2E207BC}]
07/21/07 03:23p 266336 --a------ C:\WINNT\system32\gebcd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}]
08/03/07 02:44a 69184 --a------ C:\WINNT\system32\qkydqqjm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\system32\mobsync.exe]
"SoundMan"="SOUNDMAN.EXE" [11/17/06 05:42a C:\WINNT\soundman.exe]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/29/03 07:10a]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [09/10/03 03:11a]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/09/07 01:02a]
"CTHelper"="CTHELPER.EXE" [08/11/06 02:56p C:\WINNT\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [08/11/06 02:56p C:\WINNT\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/07 03:43a]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/09/07 06:53p]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" [04/25/07 08:44a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/07 09:41a]
"mdioccrqwd"="c:\winnt\system32\mdioccrqwd.exe" [08/01/07 12:39p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [02/20/01 01:09p C:\WINNT\system32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"@"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/06 12:35p]
"Aim6"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [03/12/07 01:49p]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [03/27/07 03:22p]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [05/25/05 12:12p]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{857A461D-8D96-4996-A4A0-AEA0A2535B86}"= C:\WINNT\system32\efcccdd.dll [07/21/07 03:18p 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcccdd]
efcccdd.dll 07/21/07 03:18p 31254 C:\WINNT\system32\efcccdd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcd]
C:\WINNT\system32\gebcd.dll 07/21/07 03:23p 266336 C:\WINNT\system32\gebcd.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2007-08-06 at 21:31:42 ---------
Attached Files
File Type: txt extra.txt (15.1 KB, 0 views)
HoAfCr is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 08-06-2007, 09:39 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: HJT help!
1. Download & Save this file to Desktop -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 08-06-2007, 09:49 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!
log.txt

ComboFix 07-08-07.5 - "Kevin" 08/06/2007 21:39:30.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.461 [GMT -7:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Kevin\APPLIC~1.\macromedia\Flash Player\#SharedObjects\VU6TDGYT\www.broadcaster.com
C:\DOCUME~1\Kevin\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\WINNT\system32\atfvoghd.exe
C:\WINNT\system32\bvenrovp.exe
C:\WINNT\system32\ciqpkbux.exe
C:\WINNT\system32\ckcrhbuc.exe
C:\WINNT\system32\ckeuccal.exe
C:\WINNT\system32\dcbeg.bak2
C:\WINNT\system32\dcbeg.ini
C:\WINNT\system32\efcccdd.dll
C:\WINNT\system32\emctepbs.ini
C:\WINNT\system32\eyaldsjf.exe
C:\WINNT\system32\ffryfqpo.ini
C:\WINNT\system32\gebcd.dll
C:\WINNT\system32\ksvcgjwn.exe
C:\WINNT\system32\mdioccrqwd.dat
C:\WINNT\system32\mdioccrqwd.exe
C:\WINNT\system32\mdioccrqwd_nav.dat
C:\WINNT\system32\mdioccrqwd_navps.dat
C:\WINNT\system32\myecxyqr.ini
C:\WINNT\system32\nvs2.inf
C:\WINNT\system32\nwnhuqgr.exe
C:\WINNT\system32\opqfyrff.dll
C:\WINNT\system32\qkydqqjm.dll
C:\WINNT\system32\qlfqcurq.ini
C:\WINNT\system32\qrucqflq.dll
C:\WINNT\system32\rqyxceym.dll
C:\WINNT\system32\sbpetcme.dll
C:\WINNT\system32\sjngxyve.exe
C:\WINNT\system32\sluclkqk.exe
C:\WINNT\system32\xjhuautm.exe


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-06 21:43 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_52c.dat
2007-08-06 21:40 69,184 --a------ C:\WINNT\system32\morjysmf.dll
2007-08-06 21:38 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-06 21:29 <DIR> d-------- C:\Deckard
2007-08-06 21:11 <DIR> d-a------ C:\WINNT\system32\ActiveScan
2007-08-06 15:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-05 16:08 <DIR> d-------- C:\Program Files\SopCast
2007-08-05 16:08 <DIR> d-------- C:\DOCUME~1\Kevin\APPLIC~1\SopCast
2007-08-05 12:33 <DIR> d-------- C:\DOCUME~1\Kevin\.housecall6.6
2007-08-05 11:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-26 13:38 <DIR> d-------- C:\DOCUME~1\Kevin\APPLIC~1\Stamps.com Internet Postage
2007-07-26 13:36 <DIR> d-a------ C:\Program Files\Stamps.com Internet Postage
2007-07-19 03:38 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-10 15:00 <DIR> d-------- C:\Program Files\iPod


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

99-12-07 05:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
07-08-06 21:04 --------- d-------- C:\Program Files\Viewpoint
07-07-29 20:31 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\LimeWire
07-07-26 13:41 --------- d-------- C:\Program Files\MySpace
07-07-26 00:38 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\Yahoo!
07-07-10 14:57 --------- d-------- C:\Program Files\Apple Software Update
07-07-05 05:05 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\ZoomBrowser EX
07-07-04 21:20 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\MySpace
07-07-04 16:44 --------- d--h----- C:\Program Files\InstallShield Installation Information
07-07-04 16:44 --------- d-------- C:\Program Files\Canon
07-07-04 16:35 --------- d-------- C:\Program Files\Common Files\Canon
07-06-22 18:53 109753 --a------ C:\WINNT\hpoins11.dat
07-06-22 18:52 --------- d-------- C:\Program Files\HP
07-06-22 18:52 --------- d-------- C:\Program Files\Hewlett-Packard
07-06-22 18:52 --------- d-------- C:\Program Files\Common Files\Hewlett-Packard
07-06-14 21:17 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint
07-06-11 23:32 --------- d-------- C:\Program Files\Common Files\InstallShield
07-06-10 17:57 --------- d-------- C:\Program Files\AIM6
07-06-07 22:32 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\Apple Computer
07-06-07 22:31 --------- d-------- C:\Program Files\QuickTime
07-06-07 04:08 2914 --a------ C:\WINNT\mozver.dat
07-05-29 18:19 50176 --a------ C:\WINNT\system32\reg.exe
07-04-07 10:47 271 ---h----- C:\Program Files\desktop.ini
07-04-07 10:47 21952 ---h----- C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\system32\mobsync.exe]
"SoundMan"="SOUNDMAN.EXE" [06-11-17 05:42 C:\WINNT\soundman.exe]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [03-09-29 07:10 ]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [03-09-10 03:11 ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-03-09 01:02 ]
"CTHelper"="CTHELPER.EXE" [06-08-11 14:56 C:\WINNT\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [06-08-11 14:56 C:\WINNT\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [07-03-14 03:43 ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [07-03-09 18:53 ]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" [07-04-25 08:44 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\system32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [06-11-10 12:35 ]
"Aim6"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [07-03-12 13:49 ]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [07-03-27 15:22 ]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [05-05-25 12:12 ]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R1 StarOpen;StarOpen;C:\WINNT\system32\drivers\StarOpen.sys
R3 ctgame;Game Port;C:\WINNT\system32\DRIVERS\ctgame.sys
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
S3 hap17v2k;Creative P17V HAL Driver;C:\WINNT\system32\drivers\hap17v2k.sys
S3 MPE;BDA MPE Filter;C:\WINNT\system32\DRIVERS\MPE.sys
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM);C:\WINNT\system32\DRIVERS\ssm_bus.sys
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter;C:\WINNT\system32\DRIVERS\ssm_mdfl.sys
S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers;C:\WINNT\system32\DRIVERS\ssm_mdm.sys
S3 usb_rndisy;USB RNDIS Adapter;C:\WINNT\system32\DRIVERS\usb8023y.sys
S3 XDva004;XDva004;\??\C:\WINNT\system32\XDva004.sys

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS

Contents of the 'Scheduled Tasks' folder
2007-08-01 23:18:01 C:\WINNT\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 21:43:07
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINNT\system32\Perflib_Perfdata_408.dat

scan completed successfully
hidden files: 1

**************************************************************************

Completion time: 2007-08-06 21:45:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-08-06 21:44

--- E O F ---




hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:35 PM, on 8/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - D:\Program Files\Bodog Poker\BPGame.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1175971104859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175972679609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: Google Advanced Search - http://www.google.com/advanced_search?hl=en

--
End of file - 8271 bytes
HoAfCr is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 08-06-2007, 09:55 PM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: HJT help!
Please disable AdWatch, as it may hinder the removal of some entries.
You can re-enable it after you're clean. To disable AdWatch:
  • Open AdAware SE.
  • Go to AdWatch User Interface.
  • Go to Tools and Preferences.
  • At the bottom of the screen you will see 2 options Active and Automatic.
  • Active: This will turn Ad-Watch On\Off without closing it
  • Automatic: Suspicious activity will be blocked automatically
  • Uncheck both options. You can enable these after resolving your problem.
  • Unless they are turned off they could interfere with the fix.


---------------


Go to Start > Control Panel > Add or Remove Programs and uninstall the following programs:
  • ViewPoint
Please note any other programs that you dont recognize in that list in your next response


---------------


Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\Winnt\system32\morjysmf.dll
Folder::
C:\Program Files\Viewpoint
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint
Registry::
Save this as "CFScript"




Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


---------------


Click here perform an online scan >> Online Scanner


---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 08-06-2007, 10:47 PM   #9 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!
1.) hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:44 PM, on 8/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - D:\Program Files\Bodog Poker\BPGame.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1175971104859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175972679609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: Google Advanced Search - http://www.google.com/advanced_search?hl=en

--
End of file - 8592 bytes


2.) Kaspersky Online scan...found no malware,etc...


3.) log.txt

ComboFix 07-08-07.5 - "Kevin" 08/06/2007 22:01:43.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.541 [GMT -7:00]
Command switches used :: D:\Program Files\$$$$$$$$$$$$$$$$\DSS LOG\CFScript.txt

FILE::
C:\Winnt\system32\morjysmf.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1704320493.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\250892612.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-140210881.mtz
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-299397824.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-882039367.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\1054459834.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\1624992797.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\1991437604.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\373851225.mts
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\1859761695.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\407034558.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-107933152.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1850579979.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\670487064.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Experience Technology\Resources\UpdateVersionList_v2.mtx
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-1148673767.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\URLCache.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-299397824.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1054459834.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1282749521.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1624992797.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1991437604.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\URLCache.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-1290601034.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-1695846852.mtz
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\1859761695.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\407034558.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\URLCache.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-1850579979.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-21412136.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-744169420.mts
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\1070867519.swf
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\URLCache.ini
C:\DOCUME~1\Kevin\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\UpdateVersionList_v2.mtx
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305001C.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\VMgr.dll
C:\WINNT\system32\morjysmf.dll


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-06 22:04 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_6ec.dat
2007-08-06 21:38 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-06 21:29 <DIR> d-------- C:\Deckard
2007-08-06 21:11 <DIR> d-a------ C:\WINNT\system32\ActiveScan
2007-08-06 15:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-05 16:08 <DIR> d-------- C:\Program Files\SopCast
2007-08-05 16:08 <DIR> d-------- C:\DOCUME~1\Kevin\APPLIC~1\SopCast
2007-08-05 12:33 <DIR> d-------- C:\DOCUME~1\Kevin\.housecall6.6
2007-08-05 11:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-26 13:38 <DIR> d-------- C:\DOCUME~1\Kevin\APPLIC~1\Stamps.com Internet Postage
2007-07-26 13:36 <DIR> d-a------ C:\Program Files\Stamps.com Internet Postage
2007-07-19 03:38 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-10 15:00 <DIR> d-------- C:\Program Files\iPod


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

99-12-07 05:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
07-07-29 20:31 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\LimeWire
07-07-26 13:41 --------- d-------- C:\Program Files\MySpace
07-07-26 00:38 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\Yahoo!
07-07-10 14:57 --------- d-------- C:\Program Files\Apple Software Update
07-07-05 05:05 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\ZoomBrowser EX
07-07-04 21:20 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\MySpace
07-07-04 16:44 --------- d--h----- C:\Program Files\InstallShield Installation Information
07-07-04 16:44 --------- d-------- C:\Program Files\Canon
07-07-04 16:35 --------- d-------- C:\Program Files\Common Files\Canon
07-06-22 18:53 109753 --a------ C:\WINNT\hpoins11.dat
07-06-22 18:52 --------- d-------- C:\Program Files\HP
07-06-22 18:52 --------- d-------- C:\Program Files\Hewlett-Packard
07-06-22 18:52 --------- d-------- C:\Program Files\Common Files\Hewlett-Packard
07-06-11 23:32 --------- d-------- C:\Program Files\Common Files\InstallShield
07-06-10 17:57 --------- d-------- C:\Program Files\AIM6
07-06-07 22:32 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\Apple Computer
07-06-07 22:31 --------- d-------- C:\Program Files\QuickTime
07-06-07 04:08 2914 --a------ C:\WINNT\mozver.dat
07-05-29 18:19 50176 --a------ C:\WINNT\system32\reg.exe
07-04-07 10:47 271 ---h----- C:\Program Files\desktop.ini
07-04-07 10:47 21952 ---h----- C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\system32\mobsync.exe]
"SoundMan"="SOUNDMAN.EXE" [06-11-17 05:42 C:\WINNT\soundman.exe]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [03-09-29 07:10 ]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [03-09-10 03:11 ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-03-09 01:02 ]
"CTHelper"="CTHELPER.EXE" [06-08-11 14:56 C:\WINNT\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [06-08-11 14:56 C:\WINNT\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [07-03-14 03:43 ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [07-03-09 18:53 ]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" [07-04-25 08:44 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\system32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [06-11-10 12:35 ]
"Aim6"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [07-03-12 13:49 ]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [07-03-27 15:22 ]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [05-05-25 12:12 ]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R1 StarOpen;StarOpen;C:\WINNT\system32\drivers\StarOpen.sys
R3 ctgame;Game Port;C:\WINNT\system32\DRIVERS\ctgame.sys
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
S3 hap17v2k;Creative P17V HAL Driver;C:\WINNT\system32\drivers\hap17v2k.sys
S3 MPE;BDA MPE Filter;C:\WINNT\system32\DRIVERS\MPE.sys
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM);C:\WINNT\system32\DRIVERS\ssm_bus.sys
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter;C:\WINNT\system32\DRIVERS\ssm_mdfl.sys
S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers;C:\WINNT\system32\DRIVERS\ssm_mdm.sys
S3 usb_rndisy;USB RNDIS Adapter;C:\WINNT\system32\DRIVERS\usb8023y.sys
S3 XDva004;XDva004;\??\C:\WINNT\system32\XDva004.sys


Contents of the 'Scheduled Tasks' folder
2007-08-01 23:18:01 C:\WINNT\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 22:04:31
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINNT\system32\Perflib_Perfdata_420.dat

scan completed successfully
hidden files: 1

**************************************************************************

Completion time: 2007-08-06 2254 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-08-06 22:05
C:\ComboFix2.txt ... 07-08-06 21:45

--- E O F ---
HoAfCr is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 08-06-2007, 10:51 PM   #10 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!
The computer performs alot faster than before. i notice popup hasnt been appearing as often.

few fix ago u ask for any questions about add/remove programs....i have a few...

- getPlus(R)_dll
- Hotfix for MDAC 2.53(kb927779)
- Remote Desktop Connection
- Viewpoint (not sure if it has been removed)

sUBs you have been awefully busy these past hrs. thx for taking time to help. and the sad thing is Barry Bonds after 11th innings still have not hit his 756 HR!
HoAfCr is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 08-06-2007, 11:05 PM   #11 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: HJT help!
Quote:
Kaspersky Online scan...found no malware,etc...
You must have done it wrongly & performed a standard scan.

There's no way Kaspersky would come up clean. Some of the stuff Combofix quarantined in C:\QooBox will surely be detected.

Please review the instructions for Kaspersky Scan again. The settings must be extended scan
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 08-07-2007, 01:10 AM   #12 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!
1. hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:33 AM, on 8/7/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - D:\Program Files\Bodog Poker\BPGame.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1175971104859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175972679609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: Google Advanced Search - http://www.google.com/advanced_search?hl=en

--
End of file - 8581 bytes


2. Online

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, August 07, 2007 12:57:38 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 7/08/2007
Kaspersky Anti-Virus database records: 376348
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 114618
Number of viruses found: 16
Number of infected objects: 54
Number of suspicious objects: 16
Duration of the scan process: 01:46:47

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\Kevin\LOCALS~1\Temp\laf1.exe Infected: Trojan-Downloader.Win32.Agent.bkd skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Kevin\LOCALS~1\Temp\lyqudotp.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Kevin\LOCALS~1\Temp\NeroDemo12550\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Kevin\LOCALS~1\Temp\vwcfxaum.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Kevin\LOCALS~1\Temp\yidovrlb.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_ROLLEAZY.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_ROLLEAZY.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Lavasoft\Ad-Aware\Logs\AWEVLOG.txt Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\cert8.db Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\history.dat Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\key3.db Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\parent.lock Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\webappsstore.sqlite Object is locked skipped
C:\Documents and Settings\Kevin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\AOL OCP\AIM\Storage\data\iicanibusxthcii\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\ATI\ACE\Log\MOM-0.log Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Identities\{D60BFC08-63F6-4915-94EC-FB44C27FA1DC}\Microsoft\Outlook Express\cleanup.log Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Identities\{D60BFC08-63F6-4915-94EC-FB44C27FA1DC}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Identities\{D60BFC08-63F6-4915-94EC-FB44C27FA1DC}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Application Data\Mozilla\Firefox\Profiles\ml9dbb1z.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\History\History.IE5\MSHist012007080620070807\index.dat Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Temp\~DFA48A.tmp Object is locked skipped
C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kevin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kevin\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINNT\system32\atfvoghd.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\bvenrovp.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\ciqpkbux.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINNT\system32\ckcrhbuc.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\ckeuccal.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\eyaldsjf.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\ksvcgjwn.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\nwnhuqgr.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\qkydqqjm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.la skipped
C:\QooBox\Quarantine\C\WINNT\system32\sjngxyve.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\sluclkqk.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINNT\system32\xjhuautm.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\catchme2007-08-06_214305.43.zip/efcccdd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\catchme2007-08-06_214305.43.zip/gebcd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\QooBox\Quarantine\catchme2007-08-06_214305.43.zip ZIP: infected - 2 skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\ROLLEAZY.ldb Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\security\edb.log Object is locked skipped
C:\WINNT\security\tmp.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\ACEEvent.evt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_420.dat Object is locked skipped
C:\WINNT\system32\wbem\Repository\CIM.REP Object is locked skipped
C:\WINNT\Temp\ZLT00313.TMP Object is locked skipped
C:\WINNT\Temp\ZLT0366f.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\WINNT\{00000002-00000000-00000007-00001102-00000004-10021102}.CDF Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\73899a3abc976d1d25befdc7e2840681_1340d0cf-cae5-4cdc-a300-b4ab4e07db2a Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\19b92f83a328096f8ea3ee9a33062681_1340d0cf-cae5-4cdc-a300-b4ab4e07db2a Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3e68df68444fac068cc6511a63797e07_1340d0cf-cae5-4cdc-a300-b4ab4e07db2a Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\74dc1d68a57cd554b1477e01a5cd765e_1340d0cf-cae5-4cdc-a300-b4ab4e07db2a Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bf14ae3203f2262309f5cf8a8f7ea256_1340d0cf-cae5-4cdc-a300-b4ab4e07db2a Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy1.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy1.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy20.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy20.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy24.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy24.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy28.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy28.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy32.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy32.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy36.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy36.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy40.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy40.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PWStealerModule.zip/module32.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PWStealerModule.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\xxx\Local Settings\Temp\hsperfdata_xxx\2176 Object is locked skipped
D:\Documents and Settings\xxx\Local Settings\Temp\mma.chm/alien.cab/amm06.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
D:\Documents and Settings\xxx\Local Settings\Temp\mma.chm/alien.cab Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
D:\Documents and Settings\xxx\Local Settings\Temp\mma.chm/joysavsht.cab/amm06.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
D:\Documents and Settings\xxx\Local Settings\Temp\mma.chm/joysavsht.cab Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
D:\Documents and Settings\xxx\Local Settings\Temp\mma.chm/page.htm Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
D:\Documents and Settings\xxx\Local Settings\Temp\mma.chm CHM: infected - 5 skipped
D:\Documents and Settings\xxx\Local Settings\Temp\stdrun6.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
D:\Documents and Settings\xxx\Local Settings\Temp\stdrun6.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
D:\Documents and Settings\xxx\Local Settings\Temp\stdrun6.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
D:\Documents and Settings\xxx\Local Settings\Temp\stdrun6.exe NSIS: infected - 3 skipped
D:\Documents and Settings\xxx\Local Settings\Temp\winfix.chm/page.htm Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
D:\Documents and Settings\xxx\Local Settings\Temp\winfix.chm/SystemDoctor2006FreeInstall.cab/USDR6_0001_D08M0404NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
D:\Documents and Settings\xxx\Local Settings\Temp\winfix.chm/SystemDoctor2006FreeInstall.cab Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
D:\Documents and Settings\xxx\Local Settings\Temp\winfix.chm CHM: infected - 3 skipped
D:\System Volume Information\_restore{196A5EC6-C7FF-4F62-BE48-2CA846D93A3F}\RP537\A0396711.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
D:\System Volume Information\_restore{196A5EC6-C7FF-4F62-BE48-2CA846D93A3F}\RP537\A0396726.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
D:\System Volume Information\_restore{196A5EC6-C7FF-4F62-BE48-2CA846D93A3F}\RP537\A0396754.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
D:\System Volume Information\_restore{196A5EC6-C7FF-4F62-BE48-2CA846D93A3F}\RP537\A0396758.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
D:\System Volume Information\_restore{196A5EC6-C7FF-4F62-BE48-2CA846D93A3F}\RP537\A0396766.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
D:\WINDOWS\$NtServicePackUninstall$\wmipdskq.dll Infected: not-a-virus:AdWare.Win32.Hmt skipped
D:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\browser.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
D:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
D:\WINDOWS\srvnzeikrw.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
D:\WINDOWS\srvnzeikrw.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
D:\WINDOWS\srvnzeikrw.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
D:\WINDOWS\srvnzeikrw.exe NSIS: infected - 3 skipped
D:\WINDOWS\system32\crunner\cupdater.exe Infected: Trojan-Downloader.MSIL.Agent.c skipped
D:\WINDOWS\system32\h82o0if3e82.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
D:\WINDOWS\system32\ir0ml5d11.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
D:\WINDOWS\system32\jtjs0717e.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
D:\WINDOWS\system32\jtl4073qe.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
D:\WINDOWS\system32\ktr2l79o1.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
D:\WINDOWS\system32\mv64l9jq1.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
D:\WINDOWS\system32\uplmon.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
D:\WINDOWS\YazzleBundle-1264.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
D:\WINDOWS\YazzleBundle-1264.exe NSIS: infected - 1 skipped

Scan process completed.


3. combo

ComboFix 07-08-07.5 - "Kevin" 08/07/2007 1:03:53.3 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.415 [GMT -7:00]
Command switches used :: D:\Program Files\$$$$$$$$$$$$$$$$\DSS LOG\CFScript.txt

FILE::
C:\Winnt\system32\morjysmf.dll


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-06 22:10 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-08-06 22:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-06 22:05 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_420.dat
2007-08-06 21:38 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-06 21:29 <DIR> d-------- C:\Deckard
2007-08-06 21:11 <DIR> d-a------ C:\WINNT\system32\ActiveScan
2007-08-06 15:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-05 16:08 <DIR> d-------- C:\Program Files\SopCast
2007-08-05 16:08 <DIR> d-------- C:\DOCUME~1\Kevin\APPLIC~1\SopCast
2007-08-05 12:33 <DIR> d-------- C:\DOCUME~1\Kevin\.housecall6.6
2007-08-05 11:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-26 13:38 <DIR> d-------- C:\DOCUME~1\Kevin\APPLIC~1\Stamps.com Internet Postage
2007-07-26 13:36 <DIR> d-a------ C:\Program Files\Stamps.com Internet Postage
2007-07-19 03:38 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-10 15:00 <DIR> d-------- C:\Program Files\iPod


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

12/07/99 05:00a 32528 --a------ C:\WINNT\inf\wbfirdma.sys
07/29/07 08:31p --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\LimeWire
07/26/07 12:38a --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\Yahoo!
07/26/07 01:41p --------- d-------- C:\Program Files\MySpace
07/10/07 02:57p --------- d-------- C:\Program Files\Apple Software Update
07/05/07 05:05a --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\ZoomBrowser EX
07/04/07 09:20p --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\MySpace
07/04/07 04:44p --------- d--h----- C:\Program Files\InstallShield Installation Information
07/04/07 04:44p --------- d-------- C:\Program Files\Canon
07/04/07 04:35p --------- d-------- C:\Program Files\Common Files\Canon
06/22/07 06:53p 109753 --a------ C:\WINNT\hpoins11.dat
06/22/07 06:52p --------- d-------- C:\Program Files\HP
06/22/07 06:52p --------- d-------- C:\Program Files\Hewlett-Packard
06/22/07 06:52p --------- d-------- C:\Program Files\Common Files\Hewlett-Packard
06/11/07 11:32p --------- d-------- C:\Program Files\Common Files\InstallShield
06/10/07 05:57p --------- d-------- C:\Program Files\AIM6
06/07/07 10:32p --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\Apple Computer
06/07/07 10:31p --------- d-------- C:\Program Files\QuickTime
06/07/07 04:08a 2914 --a------ C:\WINNT\mozver.dat
05/29/07 06:19p 50176 --a------ C:\WINNT\system32\reg.exe
04/07/07 10:47a 271 ---h----- C:\Program Files\desktop.ini
04/07/07 10:47a 21952 ---h----- C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\system32\mobsync.exe]
"SoundMan"="SOUNDMAN.EXE" [11/17/06 05:42a C:\WINNT\soundman.exe]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/29/03 07:10a]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [09/10/03 03:11a]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/09/07 01:02a]
"CTHelper"="CTHELPER.EXE" [08/11/06 02:56p C:\WINNT\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [08/11/06 02:56p C:\WINNT\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/07 03:43a]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/09/07 06:53p]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" [04/25/07 08:44a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/07 09:41a]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [02/20/01 01:09p C:\WINNT\system32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/13/07 04:38p]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/06 12:35p]
"Aim6"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [03/12/07 01:49p]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [03/27/07 03:22p]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [05/25/05 12:12p]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R1 StarOpen;StarOpen;C:\WINNT\system32\drivers\StarOpen.sys
R3 ctgame;Game Port;C:\WINNT\system32\DRIVERS\ctgame.sys
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
S3 hap17v2k;Creative P17V HAL Driver;C:\WINNT\system32\drivers\hap17v2k.sys
S3 MPE;BDA MPE Filter;C:\WINNT\system32\DRIVERS\MPE.sys
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM);C:\WINNT\system32\DRIVERS\ssm_bus.sys
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter;C:\WINNT\system32\DRIVERS\ssm_mdfl.sys
S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers;C:\WINNT\system32\DRIVERS\ssm_mdm.sys
S3 usb_rndisy;USB RNDIS Adapter;C:\WINNT\system32\DRIVERS\usb8023y.sys
S3 XDva004;XDva004;\??\C:\WINNT\system32\XDva004.sys


Contents of the 'Scheduled Tasks' folder
2007-08-01 23:18:01 C:\WINNT\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 01:04:56
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 08/07/2007 114
C:\ComboFix-quarantined-files.txt ... 08/07/07 01:05a
C:\ComboFix2.txt ... 08/06/07 10:06p
C:\ComboFix3.txt ... 08/06/07 09:45p

--- E O F ---
HoAfCr is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 08-07-2007, 07:08 AM   #13 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: HJT help!
Open notepad and copy/paste the text in the quotebox below into it:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
D:\WINDOWS\srvnzeikrw.exe
D:\WINDOWS\system32\crunner
D:\WINDOWS\system32\h82o0if3e82.dll
D:\WINDOWS\system32\ir0ml5d11.dll
D:\WINDOWS\system32\jtjs0717e.dll
D:\WINDOWS\system32\jtl4073qe.dll
D:\WINDOWS\system32\ktr2l79o1.dll
D:\WINDOWS\system32\mv64l9jq1.dll
D:\WINDOWS\system32\uplmon.dll
D:\WINDOWS\YazzleBundle-1264.exe
) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)

for %%g in ( 
C:\Deckard
"D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery"
"D:\Documents and Settings\xxx\Local Settings\Temp"
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Disable("")>SR.vbs
echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Enable("")>>SR.vbs
wscript SR.vbs

(
echo.REGEDIT4&echo.
echo.[hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced]
echo."hidden"=dword:00000002
echo."hidefileext"=dword:00000001
echo."showsuperhidden"=dword:00000000
)>rehide.reg

regedit /s rehide.reg
del rehide.reg SR.vbs
nircmd wait 7000
del %0
Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 08-07-2007, 02:04 PM   #14 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!
C:\WINNT\system32\cmd.exe opened up, but just a blank screen.
HoAfCr is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 08-07-2007, 02:13 PM   #15 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: HJT help!
Right click on the file & select edit.

Replace this line - @echo off
With - @prompt $

Run it again. This time, you shall see a series of lines. Tell me where it stalls
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 08-07-2007, 02:41 PM   #16 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!
this is the last bracket to bracket...


<
del /a/f D:\WINDOWS\system32\crunner 1>nul 2>$1
if exist D:\WINDOWS\syste32\crunner echo.D:\WINDOWS\system32\crunner1>>"C:\DOCUME~1\Kevin\LOCALS~\Temp\log.txt"
>
HoAfCr is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 08-07-2007, 02:45 PM   #17 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: HJT help!
Yes, I see the error now. Crunner is a folder. We'll need another script to do the job.

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
D:\WINDOWS\srvnzeikrw.exe
D:\WINDOWS\system32\h82o0if3e82.dll
D:\WINDOWS\system32\ir0ml5d11.dll
D:\WINDOWS\system32\jtjs0717e.dll
D:\WINDOWS\system32\jtl4073qe.dll
D:\WINDOWS\system32\ktr2l79o1.dll
D:\WINDOWS\system32\mv64l9jq1.dll
D:\WINDOWS\system32\uplmon.dll
D:\WINDOWS\YazzleBundle-1264.exe
) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)

for %%g in ( 
D:\WINDOWS\system32\crunner
C:\Deckard
"D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery"
"D:\Documents and Settings\xxx\Local Settings\Temp"
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Disable("")>SR.vbs
echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Enable("")>>SR.vbs
wscript SR.vbs

(
echo.REGEDIT4&echo.
echo.[hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced]
echo."hidden"=dword:00000002
echo."hidefileext"=dword:00000001
echo."showsuperhidden"=dword:00000000
)>rehide.reg

regedit /s rehide.reg
del rehide.reg SR.vbs
nircmd wait 7000
del %0
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 08-07-2007, 02:57 PM   #18 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!
1. log.txt

D:\WINDOWS\system32\crunner
"D:\Documents and Settings\xxx\Local Settings\Temp"

2. Windows Script Host

Script: D\Program Files\$$$$$$$$$$$$$\DSS LOG\SR.vbs
Line: 1
Char: 1
Error: Not found

Code: 80041002
Source: SWbemServices
HoAfCr is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 08-07-2007, 03:01 PM   #19 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Re: HJT help!
Since it doesn't want to go away peacefully, we'll have to use a bigger gun.


Open notepad and copy/paste the text in the quotebox below into it:

Code:
Folder::
D:\WINDOWS\system32\crunner
D:\Documents and Settings\xxx\Local Settings\Temp
Save this as "CFScript"




Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
__________________
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 08-07-2007, 03:10 PM   #20 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 30
OS: XP


Re: HJT help!
ComboFix 07-08-07.5 - "Kevin" 08/07/2007 15:02:10.4 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.519 [GMT -7:00]
Command switches used :: D:\Program Files\$$$$$$$$$$$$$$$$\DSS LOG\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


D:\Documents and Settings\xxx\Local Settings\Temp
D:\WINDOWS\system32\crunner


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-07 15:05 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_69c.dat
2007-08-06 22:10 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-08-06 22:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-06 21:38 51,200 --a------ C:\WINNT\nircmd.exe
2007-08-06 21:11 <DIR> d-a------ C:\WINNT\system32\ActiveScan
2007-08-06 15:25 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-05 16:08 <DIR> d-------- C:\Program Files\SopCast
2007-08-05 16:08 <DIR> d-------- C:\DOCUME~1\Kevin\APPLIC~1\SopCast
2007-08-05 12:33 <DIR> d-------- C:\DOCUME~1\Kevin\.housecall6.6
2007-08-05 11:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-26 13:38 <DIR> d-------- C:\DOCUME~1\Kevin\APPLIC~1\Stamps.com Internet Postage
2007-07-26 13:36 <DIR> d-a------ C:\Program Files\Stamps.com Internet Postage
2007-07-19 03:38 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-10 15:00 <DIR> d-------- C:\Program Files\iPod


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

99-12-07 05:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
07-07-29 20:31 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\LimeWire
07-07-26 13:41 --------- d-------- C:\Program Files\MySpace
07-07-26 00:38 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\Yahoo!
07-07-10 14:57 --------- d-------- C:\Program Files\Apple Software Update
07-07-05 05:05 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\ZoomBrowser EX
07-07-04 21:20 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\MySpace
07-07-04 16:44 --------- d--h----- C:\Program Files\InstallShield Installation Information
07-07-04 16:44 --------- d-------- C:\Program Files\Canon
07-07-04 16:35 --------- d-------- C:\Program Files\Common Files\Canon
07-06-22 18:53 109753 --a------ C:\WINNT\hpoins11.dat
07-06-22 18:52 --------- d-------- C:\Program Files\HP
07-06-22 18:52 --------- d-------- C:\Program Files\Hewlett-Packard
07-06-22 18:52 --------- d-------- C:\Program Files\Common Files\Hewlett-Packard
07-06-11 23:32 --------- d-------- C:\Program Files\Common Files\InstallShield
07-06-10 17:57 --------- d-------- C:\Program Files\AIM6
07-06-07 22:32 --------- d-------- C:\DOCUME~1\Kevin\APPLIC~1\Apple Computer
07-06-07 22:31 --------- d-------- C:\Program Files\QuickTime
07-06-07 04:08 2914 --a------ C:\WINNT\mozver.dat
07-05-29 18:19 50176 --a------ C:\WINNT\system32\reg.exe
07-04-07 10:47 271 ---h----- C:\Program Files\desktop.ini
07-04-07 10:47 21952 ---h----- C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\system32\mobsync.exe]
"SoundMan"="SOUNDMAN.EXE" [06-11-17 05:42 C:\WINNT\soundman.exe]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [03-09-29 07:10 ]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [03-09-10 03:11 ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-03-09 01:02 ]
"CTHelper"="CTHELPER.EXE" [06-08-11 14:56 C:\WINNT\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [06-08-11 14:56 C:\WINNT\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [07-03-14 03:43 ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [07-03-09 18:53 ]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" [07-04-25 08:44 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\system32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [06-11-10 12:35 ]
"Aim6"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [07-03-12 13:49 ]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [07-03-27 15:22 ]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [05-05-25 12:12 ]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R1 StarOpen;StarOpen;C:\WINNT\system32\drivers\StarOpen.sys
R3 ctgame;Game Port;C:\WINNT\system32\DRIVERS\ctgame.sys
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
S3 hap17v2k;Creative P17V HAL Driver;C:\WINNT\system32\drivers\hap17v2k.sys
S3 MPE;BDA MPE Filter;C:\WINNT\system32\DRIVERS\MPE.sys
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM);C:\WINNT\system32\DRIVERS\ssm_bus.sys
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter;C:\WINNT\system32\DRIVERS\ssm_mdfl.sys
S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers;C:\WINNT\system32\DRIVERS\ssm_mdm.sys
S3 usb_rndisy;USB RNDIS Adapter;C:\WINNT\system32\DRIVERS\usb8023y.sys
S3 XDva004;XDva004;\??\C:\WINNT\system32\XDva004.sys


Contents of the 'Scheduled Tasks' folder
2007-08-01 23:18:01 C:\WINNT\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 15:05:17
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINNT\system32\Perflib_Perfdata_3dc.dat

scan completed successfully
hidden files: 1

**************************************************************************

Completion time: 2007-08-07 15:07:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-08-07 01:05
C:\ComboFix2.txt ... 07-08-07 01:06
C:\ComboFix3.txt ... 07-08-06 22:06

--- E O F ---
HoAfCr is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
 
Page 1 of 2 1 2

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 12:39 AM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84