#1

Registered User
Join Date: Oct 2007
Posts: 15
OS: xp pro

help with HijackThis log
Hi

I am having problems with pcsecuritylabs.com having taken over my IE. Attaching HijackThis log. It is not allowing me to restore the PC to an earlier point or run security software.

```
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:17 PM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NCH Swift Sound\Components\mp3el\mp3enc.exe
C:\Program Files\NCH Swift Sound\Components\mp3el\mp3enc.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\RemotelyAnywhere\x86\RaMaint.exe
d:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {00EE2230-D6C9-4957-9D72-1E861935F156} - C:\WINDOWS\system32\rqrromm.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8221948E-BC3A-4947-B7C4-2C607C1751D5} - C:\WINDOWS\system32\jkklm.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\mehbrinj.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: oembios32.msdn_hlp - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - C:\WINDOWS\system32\oembios32.dll (file missing)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\qkcnbebs.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://gs.reyrey.com
O16 - DPF: CM_AdvancedCAB - https://www.gs.reyrey.com/common/Cli...dvancedCAB.CAB
O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyrey.com/clientdll/...lateviewer.cab
O16 - DPF: {03D19749-C5FA-4CCC-99AB-00AB2AF45ACD} (File Transfer ActiveX Client) - https://home:2000/activex/RACtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1183834216265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1185639133265
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.gs.reyrey.com/clientdll/arview2.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.callutheran.edu/dana...niperSetup.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...91/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{694FF3D2-94BC-4697-818E-FCBA3D5A91B4}: NameServer = 10.40.13.91,10.40.13.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBC69EA4-2394-47D6-B67B-DD4C4C0DFCB1}: NameServer = 192.168.0.1
O20 - Winlogon Notify: rqrromm - C:\WINDOWS\SYSTEM32\rqrromm.dll
O20 - Winlogon Notify: winhoq32 - C:\WINDOWS\SYSTEM32\winhoq32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BroadWave Service (BroadWaveService) - Unknown owner - C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - LogMeIn, Inc. - D:\Program Files\RemotelyAnywhere\x86\RaMaint.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - d:\Program Files\Advanced Registry Doctor\RegManServ.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 10318 bytes
```
#2

Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP

Re: help with HijackThis log
Hello and welcome to TSF
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please follow all instructions in the order they come; if you have any questions, please ask before proceeding.

It's important that you follow this through until I give you the all clear; a lack of symptoms does not mean the infection is gone, and it's in your best interest that you follow this through to the end.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist, make sure you do not miss any):

```
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: oembios32.msdn_hlp - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - C:\WINDOWS\system32\oembios32.dll (file missing)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
```

Please remember to close all other windows, including browsers, then click Fix checked.

Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe

* IMPORTANT !!! Place combofix.exe on your Desktop

Go to Start → Run → paste in the single line command & click OK:

"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Hijackthis Uninstall List
* Start HijackThis
* Click on the Config button
* Click on the Misc Tools button
* Click on the Open Uninstall Manager button.
* You can click on the Save list... button and specify where you would like to save this file. When you press the Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into your next reply.

When finished click on the Main Menu button and follow the instructions below.

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

Logs Required
C:\Combofix.txt
Uninstall list from Hijackthis
Hijackthis log

Let me know how your system is behaving, thanks.
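The triage in the reply above (tick every O2 entry whose target is "(no file)" or "(file missing)", and look hard at the randomly named system32 DLLs the log shows under O2, O4 and O20) can be expressed as a small script. This is an added example, not code from the thread or from HijackThis: the sample entries are copied from the log posted in this thread, while the section labels, the "random name" heuristic and the function names are the example's own assumptions.

```python
"""Triage a HijackThis log the way the reply above does: flag orphaned
entries and randomly named system32 modules (added example, not HJT code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: entries copied from the log posted in this thread,
# plus three legitimate entries from the same log for contrast.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00EE2230-D6C9-4957-9D72-1E861935F156} - C:\WINDOWS\system32\rqrromm.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: oembios32.msdn_hlp - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - C:\WINDOWS\system32\oembios32.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\qkcnbebs.dll",sitypnow
O20 - Winlogon Notify: rqrromm - C:\WINDOWS\SYSTEM32\rqrromm.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\wyfrbmfi.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# HJT section prefix: "O2 - ...", "O23 - ...", "R1 - ...", "F2 - ...".
ENTRY_RE = re.compile(r"^([ORF]\d+) - ")
# Registration whose target no longer exists: HJT prints "(no file)" for
# BHOs/toolbars and "(file missing)" for services. These are what the
# reply above tells the poster to tick and "Fix checked".
MISSING_RE = re.compile(r"\((?:no file|file missing)\)$")
# Heuristic (assumption, not an HJT rule): a module directly under system32
# whose name is 7-8 lowercase letters with no digits, the pattern of the
# hijacker components in this log (rqrromm, qkcnbebs, wyfrbmfi, ...).
RANDOM_NAME_RE = re.compile(r"\\(?i:system32)\\([a-z]{7,8})\.(?:dll|exe)\b")


@dataclass
class Finding:
    section: str  # "O2", "O4", "O20", ...
    reason: str   # "orphan" or "random-name"
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the entries a helper would look at first, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank lines
        section = m.group(1)
        if MISSING_RE.search(line):
            findings.append(Finding(section, "orphan", line))
        elif RANDOM_NAME_RE.search(line):
            findings.append(Finding(section, "random-name", line))
    return findings


def hjt_fix_candidates(findings: list[Finding]) -> list[str]:
    """Orphaned O2 entries: the ones the reply removes with Fix checked."""
    return [f.line for f in findings if f.section == "O2" and f.reason == "orphan"]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count of flagged entries per HJT section."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


def linked_modules(findings: list[Finding]) -> dict[str, list[str]]:
    """Map each randomly named module to the sections it appears in.
    The same DLL registered as a BHO (O2) and as a Winlogon Notify package
    (O20) is the load-at-logon plus load-in-browser pairing this log shows."""
    by_name: dict[str, set[str]] = {}
    for f in findings:
        m = RANDOM_NAME_RE.search(f.line)
        if m:
            name = m.group(0).rsplit("\\", 1)[-1].lower()
            by_name.setdefault(name, set()).add(f.section)
    return {name: sorted(secs) for name, secs in by_name.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.reason:11}] {f.line}")
    print("per section:", summarize(found))
    print("fix in HJT:", len(hjt_fix_candidates(found)))
    print("shared modules:", linked_modules(found))
```

Point it at a full saved log with `triage(open("hijackthis.log").read())`; orphan hits are the mechanical part, the random-name hits still need a human to confirm before anything is removed.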
#3

Registered User
Join Date: Oct 2007
Posts: 15
OS: xp pro

Re: help with HijackThis log
Thanks much for your help.
I tried saving the uninstall file from HijackThis but it saves and closes the program; I am unable to find the file through search. I am attaching the other 2 files. I once again got pop-ups and a security bar in IE.

```
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:12 PM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe
C:\Program Files\NCH Swift Sound\Components\mp3el\mp3enc.exe
C:\Program Files\NCH Swift Sound\Components\mp3el\mp3enc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\RemotelyAnywhere\x86\RaMaint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
D:\Program Files\Trend Micro\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\lfbuhnau.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\fuknpcgu.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://gs.reyrey.com
O16 - DPF: CM_AdvancedCAB - https://www.gs.reyrey.com/common/Cli...dvancedCAB.CAB
O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyrey.com/clientdll/...lateviewer.cab
O16 - DPF: {03D19749-C5FA-4CCC-99AB-00AB2AF45ACD} (File Transfer ActiveX Client) - https://home:2000/activex/RACtrl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1183834216265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1185639133265
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.gs.reyrey.com/clientdll/arview2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.callutheran.edu/dana...niperSetup.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...91/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{694FF3D2-94BC-4697-818E-FCBA3D5A91B4}: NameServer = 10.40.13.91,10.40.13.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBC69EA4-2394-47D6-B67B-DD4C4C0DFCB1}: NameServer = 192.168.0.1
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BroadWave Service (BroadWaveService) - Unknown owner - C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\wyfrbmfi.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - LogMeIn, Inc. - D:\Program Files\RemotelyAnywhere\x86\RaMaint.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8447 bytes
```

```
ComboFix 07-10-17.8 - vkamdar 2007-10-17 18:26:41.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1750 [GMT -7:00]
Running from: C:\Documents and Settings\vkamdar\desktop\combofix.exe
Command switches used :: /killall
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
```
Data\Juniper Networks 2007-08-21 04:40 --------- d-----w C:\Program Files\Juniper Networks 2007-08-21 04:40 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\Juniper Networks 2007-08-21 04:40 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Juniper Networks 2007-08-21 02:48 --------- d-----w C:\Program Files\MSECache 2007-08-19 17:03 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\Ahead 2007-08-16 02:28 81 ----a-w C:\CTX.DAT 2007-06-29 22:58 948 ----a-w C:\Documents and Settings\vkamdar\notepad.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00EE2230-D6C9-4957-9D72-1E861935F156}] 2007-10-13 13:48 34816 --a------ C:\WINDOWS\system32\rqrromm.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-21 11:12] "BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-04-02 16:48] "BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00] C:\Documents and Settings\vkamdar\Start Menu\Programs\Startup\ Outlook Express.lnk - C:\Program Files\Outlook Express\msimn.exe [2007-07-07 10:43:44] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{00EE2230-D6C9-4957-9D72-1E861935F156}"= C:\WINDOWS\system32\rqrromm.dll [2007-10-13 13:48 34816] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrromm] rqrromm.dll 2007-10-13 13:48 34816 
C:\WINDOWS\system32\rqrromm.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhoq32] winhoq32.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"=sockspy.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CARD Monitor.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CARD Monitor.lnk backup=C:\WINDOWS\pss\CARD Monitor.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk backup=C:\WINDOWS\pss\officejet 6100.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] path=C:\Documents and Settings\All 
Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BroadWaveRun] "C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe" -logon [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive] rundll32.exe C:\WINDOWS\system32\drvboz.dll,startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper] CTHELPER.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp] CTXFIHLP.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule4] "C:\Program Files\ISM\ISMModule4.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchList] C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service] d:\Program Files\Essentials Codec Pack\update.exe -silent [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector] d:\Program Files\Picasa2\PicasaMediaDetector.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad] "C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" -logon [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemotelyAnywhere GUI] "D:\Program Files\RemotelyAnywhere\x86\RAGui.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble] C:\Program Files\WinAble\winable.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WZCSVC"=2 (0x2) "Pml Driver HPZ12"=3 (0x3) "FileZilla Server"=2 (0x2) "ERSvc"=2 (0x2) "dsNcService"=2 (0x2) R2 BroadWaveService;BroadWave Service;"C:\Program Files\NCH Swift 
Sound\BroadWave\broadwave.exe" -service R2 RAInfo;RemotelyAnywhere Kernel Information Provider;\??\D:\Program Files\RemotelyAnywhere\x86\RaInfo.sys R2 RARfsDriver;RemotelyAnywhere Remote File System Driver;\??\C:\WINDOWS\system32\drivers\RARfsDriver.sys R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys R3 ramirr;ramirr;C:\WINDOWS\system32\DRIVERS\ramirr.sys S2 MKEMUSB;Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkemusb.sys S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkeusbi.sys S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys . Contents of the 'Scheduled Tasks' folder "2007-10-16 23:43:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" "2007-10-15 00:30:33 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1184454664.job" - D:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe . ************************************************************************** catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-10-17 18:52:01 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-10-17 18:52:55 - machine was rebooted . --- E O F --- |
#4 (permalink)
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: help with huijackthis log
Hello again
Please follow all instructions in the order they come; if you have any questions, please ask before proceeding.
========================================================
Open Notepad and copy/paste the text in the quotebox below into it:
Quote:
Referring to the picture above, drag CFScript into ComboFix.exe.
Follow the prompts, and post the resulting log, C:\ComboFix.txt.
Warning: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed.
With the above script, ComboFix will capture a file to submit for analysis. Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file(s).
=====================================================
Quote:
When you click on Save List > save to Desktop.
----------------------------------------------------
Also please rename hijackthis.exe to vikkam.exe: right-click on HijackThis > Rename > vikkam.exe.
====================================================
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
=======================================================
Logs required:
C:\Combofix.txt
Uninstall list
HijackThis log
#5 (permalink)
Registered User
Join Date: Oct 2007
Posts: 15
OS: xp pro
Re: help with huijackthis log
Thanks so much for helping me out.
I tried running the Trend Micro and Kaspersky online scans the whole of last night. The security bar seems to be embedded very deep. This is on my home machine, so I will do it tonight and post. Thanks once again for all your help, without which I may have to format and lose most of my important data.
vikkam
#6 (permalink)
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: help with huijackthis log
Do not run online scans at this time; it is not needed. The Toolbar should be removed this time around, as ComboFix will target the file for removal.
Format is a last resort and we have not reached that point.
#7 (permalink)
Registered User
Join Date: Oct 2007
Posts: 15
OS: xp pro
Re: help with huijackthis log
C:\Combofix.txt
======================= ComboFix 07-10-19.1 - vkamdar 2007-10-18 18:45:43.2 - NTFSx86 NETWORK Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1725 [GMT -7:00] Running from: C:\Documents and Settings\vkamdar\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\vkamdar\Desktop\cfscript.txt FILE:: C:\WINDOWS\retadpu1000106.exe C:\WINDOWS\system32\fuknpcgu.dll C:\WINDOWS\system32\stfv.bin . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users\Application Data.\salesmonitor C:\Documents and Settings\vkamdar\Application Data\BestsellerAntivirus C:\Documents and Settings\vkamdar\Application Data\BestsellerAntivirus\avtasks.dat C:\Documents and Settings\vkamdar\Application Data\BestsellerAntivirus\avtasks.dat C:\Documents and Settings\vkamdar\Application Data\BestsellerAntivirus\Logs\av.log C:\Documents and Settings\vkamdar\Application Data\BestsellerAntivirus\Logs\av.log C:\Documents and Settings\vkamdar\Application Data\BestsellerAntivirus\Logs\ga6Support.log C:\Documents and Settings\vkamdar\Application Data\BestsellerAntivirus\Logs\ga6Support.log C:\Documents and Settings\vkamdar\Application Data\BestsellerAntivirus\Logs\update.log C:\Documents and Settings\vkamdar\Application Data\BestsellerAntivirus\Logs\update.log C:\Documents and Settings\vkamdar\Application Data\BestsellerAntivirus\PGE.dat C:\Documents and Settings\vkamdar\Application Data\BestsellerAntivirus\PGE.dat C:\Program Files\AntispyStorm C:\Program Files\AntispyStorm\as_ie_monitor.dll C:\Program Files\AntispyStorm\config.dat C:\Program Files\AntispyStorm\stat.bin C:\Program Files\AntispyStorm\uninstall.exe C:\Program Files\AntispyStorm\uninstall.log C:\UGA6P C:\WINDOWS\cookies.ini C:\WINDOWS\system32\acespy C:\WINDOWS\system32\acespy\systune.exe C:\WINDOWS\system32\drvboz.dll C:\WINDOWS\system32\drvbozr.dll C:\WINDOWS\system32\drvkuk.dll C:\WINDOWS\system32\drvkukr.dll 
C:\WINDOWS\system32\fuknpcgu.dll C:\WINDOWS\system32\fuknpcgu.dll C:\WINDOWS\system32\hjllm.bak1 C:\WINDOWS\system32\hjllm.bak1 C:\WINDOWS\system32\hjllm.ini C:\WINDOWS\system32\hjllm.ini C:\WINDOWS\system32\lfbuhnau.dll C:\WINDOWS\system32\lfbuhnau.dll C:\WINDOWS\system32\mlljh.dll C:\WINDOWS\system32\mlljh.dll C:\WINDOWS\system32\qtyvsbei.dll C:\WINDOWS\system32\rqrromm.dll C:\WINDOWS\system32\stfv.bin C:\WINDOWS\system32\ugcpnkuf.ini . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_DOMAINSERVICE -------\DomainService ((((((((((((((((((((((((( Files Created from 2007-09-19 to 2007-10-19 ))))))))))))))))))))))))))))))) . 2007-10-18 18:47 <DIR> d-------- C:\WINDOWS\system32\tmp00005764 2007-10-18 06:39 <DIR> d--hs---- C:\found.000 2007-10-17 20:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-10-17 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2007-10-17 20:20 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll 2007-10-17 19:47 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe 2007-10-17 19:47 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-10-17 19:47 53,248 --a------ C:\WINDOWS\system32\Process.exe 2007-10-17 19:47 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-10-17 19:47 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe 2007-10-17 19:40 <DIR> d-------- C:\Program Files\Enigma Software Group 2007-10-17 18:26 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-10-17 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Minnetonka Audio Software 2007-10-17 12:35 664 --a------ C:\WINDOWS\system32\d3d9caps.dat 2007-10-16 19:41 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Bitdefender 2007-10-16 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7 2007-10-16 18:23 81,984 --a------ C:\WINDOWS\system32\bdod.bin 2007-10-16 18:17 <DIR> d-------- C:\Documents and Settings\All 
Users\Application Data\BitDefender 2007-10-16 18:02 <DIR> d-------- C:\WINDOWS\BDOSCAN8 2007-10-16 06:16 33,792 --a------ C:\WINDOWS\system32\hggefgh.dll 2007-10-15 21:40 51,328 --a------ C:\WINDOWS\system32\drivers\msdv.sys 2007-10-15 21:40 51,328 --a--c--- C:\WINDOWS\system32\dllcache\msdv.sys 2007-10-15 21:40 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys 2007-10-15 21:40 48,128 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys 2007-10-15 21:40 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys 2007-10-15 21:40 38,912 --a--c--- C:\WINDOWS\system32\dllcache\avc.sys 2007-10-15 18:25 14,604 --a------ C:\WINDOWS\system32\drivers\pfc.sys 2007-10-15 06:26 8,704 --a------ C:\WINDOWS\system32\pfdnnt.exe 2007-10-15 06:17 <DIR> d-------- C:\Program Files\Panda Security 2007-10-13 08:40 2,182 --a------ C:\WINDOWS\system32\tmp.reg 2007-10-12 00:01 1,712,128 --a------ C:\WINDOWS\system32\GDIPLUS.DLL 2007-10-12 00:01 401,408 --a------ C:\WINDOWS\system32\pvmjpg30.dll 2007-10-12 00:01 233,472 --------- C:\WINDOWS\system32\DiskIO.dll 2007-10-12 00:01 184,320 --------- C:\WINDOWS\system32\RALMain.dll 2007-10-12 00:01 126,976 --------- C:\WINDOWS\system32\AVIPrAx.dll 2007-10-12 00:01 73,728 --------- C:\WINDOWS\system32\MMAviAx.dll 2007-10-12 00:01 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll 2007-10-12 00:01 41,984 --a------ C:\WINDOWS\system32\cacheX.dll 2007-10-12 00:01 32,768 --------- C:\WINDOWS\system32\MLPagAx.dll 2007-10-11 23:59 196,096 --a------ C:\WINDOWS\system32\macd32.dll 2007-10-11 23:59 138,752 --a------ C:\WINDOWS\system32\mase32.dll 2007-10-11 23:59 136,192 --a------ C:\WINDOWS\system32\mamc32.dll 2007-10-11 23:59 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL 2007-10-11 23:59 57,856 --a------ C:\WINDOWS\system32\masd32.dll 2007-10-11 23:59 27,648 --a------ C:\WINDOWS\system32\ma32.dll 2007-10-11 23:58 171,520 --a------ C:\WINDOWS\system32\drivers\MarvinBus.sys 2007-10-11 23:58 49,152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll 2007-10-11 23:58 
41,219 --a------ C:\WINDOWS\RSETPATH.exe 2007-10-11 23:58 14,165 --a------ C:\WINDOWS\system32\drivers\Pclepci.sys 2007-10-11 23:57 <DIR> d-------- C:\Program Files\Pinnacle 2007-10-11 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio 2007-10-10 20:59 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Media Player Classic 2007-10-10 20:40 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\NCH Swift Sound 2007-10-10 20:40 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\NCH Swift Sound 2007-10-10 20:40 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\NCH Swift Sound 2007-10-10 20:39 <DIR> d-------- C:\Program Files\NCH Software 2007-10-10 20:39 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Recordpad 2007-10-10 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound 2007-10-10 20:38 23,616 --a------ C:\WINDOWS\system32\drivers\nchssvad.sys 2007-10-10 20:37 <DIR> d-------- C:\Program Files\NCH Swift Sound 2007-10-10 20:37 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\NCH Swift Sound 2007-10-10 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll 2007-10-09 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pinnacle 2007-10-09 19:52 <DIR> d-------- C:\Program Files\MagicISO 2007-10-07 16:13 <DIR> d-------- C:\Program Files\Astro Gemini Software 2007-10-07 11:01 <DIR> d-------- C:\Program Files\Common Files\Nullsoft 2007-10-07 09:48 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\.BitTornado 2007-10-06 19:52 41,729 --a------ C:\WINDOWS\system32\drivers\Mkeusbi.sys 2007-10-06 19:52 14,308 --a------ C:\WINDOWS\system32\drivers\Mkemusb.sys 2007-10-03 15:02 768 --a------ C:\WINDOWS\system32\d3d8caps.dat 2007-10-02 06:26 <DIR> d-------- C:\Program Files\WinPcap 2007-10-02 06:25 <DIR> d-------- C:\Documents and 
Settings\vkamdar\Application Data\Sytexis Software 2007-09-30 20:22 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Grisoft 2007-09-30 20:22 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys 2007-09-30 20:21 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-09-30 14:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-09-30 13:19 <DIR> d-------- C:\WINDOWS\system32\GB9 2007-09-30 13:19 <DIR> d-------- C:\WINDOWS\system32\DL1 2007-09-30 13:19 <DIR> d-------- C:\Temp 2007-09-30 09:37 <DIR> d-------- C:\Program Files\iPod 2007-09-24 20:22 <DIR> d-------- C:\RegBackup 2007-09-21 18:38 <DIR> d-------- C:\Program Files\Apple Software Update . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-10-18 03:08 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\Easy Macro Recorder 2007-10-17 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft 2007-10-16 01:25 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-10-15 13:35 --------- d-----w C:\Program Files\Google 2007-10-15 02:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-10-07 16:48 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\.BitTornado 2007-10-07 02:47 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-10-05 13:28 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\AdobeUM 2007-09-30 13:58 --------- d-----w C:\Program Files\QuickTime 2007-09-15 20:02 --------- d-----w C:\Program Files\MSN Messenger 2007-09-15 12:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Easy Macro Recorder 2007-09-06 01:07 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\dvdcss 2007-09-03 19:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit 2007-09-03 16:55 --------- d-----w C:\Documents and Settings\All 
Users\Application Data\TEMP 2007-09-01 14:44 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\gtk-2.0 2007-08-26 19:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink 2007-08-25 16:05 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\vlc 2007-08-21 13:09 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Juniper Networks 2007-08-21 13:09 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Juniper Networks 2007-08-21 13:09 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Juniper Networks 2007-08-21 04:40 --------- d-----w C:\Program Files\Juniper Networks 2007-08-21 04:40 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\Juniper Networks 2007-08-21 04:40 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Juniper Networks 2007-08-21 02:48 --------- d-----w C:\Program Files\MSECache 2007-08-19 17:03 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\Ahead 2007-08-16 02:28 81 ----a-w C:\CTX.DAT 2007-06-29 22:58 948 ----a-w C:\Documents and Settings\vkamdar\notepad.exe . ((((((((((((((((((((((((((((( snapshot@2007-10-17_18.52.30.95 ))))))))))))))))))))))))))))))))))))))))) . 
+ 2004-11-02 21:41:52 516,832 ----a-w C:\WINDOWS\system32\capicom.dll - 2007-10-12 07:04:30 390,384 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT + 2007-10-18 13:41:24 370,488 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT + 2005-05-24 19:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll + 2007-08-29 22:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe + 2007-08-29 22:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll - 2007-10-18 01:52:29 70,852 ----a-w C:\WINDOWS\system32\perfc009.dat + 2007-10-19 01:51:37 70,968 ----a-w C:\WINDOWS\system32\perfc009.dat - 2007-10-18 01:52:29 438,956 ----a-w C:\WINDOWS\system32\perfh009.dat + 2007-10-19 01:51:37 439,264 ----a-w C:\WINDOWS\system32\perfh009.dat + 2007-03-15 19:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll + 2007-03-15 19:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-21 11:12]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-04-02 16:48]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lfbuhnau]
lfbuhnau.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlljh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CARD Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CARD Monitor.lnk
backup=C:\WINDOWS\pss\CARD Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINDOWS\pss\officejet 6100.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BroadWaveRun]
"C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe" -logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
rundll32.exe C:\WINDOWS\system32\drvboz.dll,startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
"C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule4]
"C:\Program Files\ISM\ISMModule4.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"D:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchList]
C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service]
d:\Program Files\Essentials Codec Pack\update.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
d:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad]
"C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" -logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemotelyAnywhere GUI]
"D:\Program Files\RemotelyAnywhere\x86\RAGui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2Check]
RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"FileZilla Server"=2 (0x2)
"ERSvc"=2 (0x2)
"dsNcService"=2 (0x2)

R2 RAInfo;RemotelyAnywhere Kernel Information Provider;\??\D:\Program Files\RemotelyAnywhere\x86\RaInfo.sys
R2 RARfsDriver;RemotelyAnywhere Remote File System Driver;\??\C:\WINDOWS\system32\drivers\RARfsDriver.sys
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
R3 ramirr;ramirr;C:\WINDOWS\system32\DRIVERS\ramirr.sys
S2 MKEMUSB;Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkemusb.sys
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkeusbi.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-16 23:43:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-15 00:30:33 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1184454664.job" - D:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 19:09:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-18 19:11:13 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-17 18:52
.
--- E O F ---

=============================
Uninstall list
Can not find file
================================
Hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:26 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\RemotelyAnywhere\x86\RaMaint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://gs.reyrey.com
O16 - DPF: CM_AdvancedCAB - https://www.gs.reyrey.com/common/Cli...dvancedCAB.CAB
O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyrey.com/clientdll/...lateviewer.cab
O16 - DPF: {03D19749-C5FA-4CCC-99AB-00AB2AF45ACD} (File Transfer ActiveX Client) - https://home:2000/activex/RACtrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1183834216265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1185639133265
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.gs.reyrey.com/clientdll/arview2.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.callutheran.edu/dana...niperSetup.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...91/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{694FF3D2-94BC-4697-818E-FCBA3D5A91B4}: NameServer = 10.40.13.91,10.40.13.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBC69EA4-2394-47D6-B67B-DD4C4C0DFCB1}: NameServer = 192.168.0.1
O20 - Winlogon Notify: lfbuhnau - lfbuhnau.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - LogMeIn, Inc. - D:\Program Files\RemotelyAnywhere\x86\RaMaint.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8139 bytes
#10
Registered User
Join Date: Oct 2007
Posts: 15
OS: xp pro

Re: help with huijackthis log
I am posting the HijackThis run after all activities.
I am still seeing the file...

O20 - Winlogon Notify: lfbuhnau - lfbuhnau.dll (file missing)

Any suggestions? Thanks once again
Vikkam

quote
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:50 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\RemotelyAnywhere\x86\RaMaint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://gs.reyrey.com
O16 - DPF: CM_AdvancedCAB - https://www.gs.reyrey.com/common/Cli...dvancedCAB.CAB
O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyrey.com/clientdll/...lateviewer.cab
O16 - DPF: {03D19749-C5FA-4CCC-99AB-00AB2AF45ACD} (File Transfer ActiveX Client) - https://home:2000/activex/RACtrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1183834216265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1185639133265
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.gs.reyrey.com/clientdll/arview2.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.callutheran.edu/dana...niperSetup.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...91/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{694FF3D2-94BC-4697-818E-FCBA3D5A91B4}: NameServer = 10.40.13.91,10.40.13.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBC69EA4-2394-47D6-B67B-DD4C4C0DFCB1}: NameServer = 192.168.0.1
O20 - Winlogon Notify: lfbuhnau - lfbuhnau.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - LogMeIn, Inc. - D:\Program Files\RemotelyAnywhere\x86\RaMaint.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8069 bytes
unquote
#11
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP

Re: help with huijackthis log
Hello again
Please follow all instructions in the order they come; if you have any questions, please ask before proceeding.
=======================================================
Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Referring to the picture above, drag CFScript into ComboFix.exe
Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall
=====================================================
Download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.
=====================================================
Logs Required
C:\Combofix.txt
C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt <---- Attached
#12
Registered User
Join Date: Oct 2007
Posts: 15
OS: xp pro

Re: help with huijackthis log
C:\Combofix.txt
========================== ComboFix 07-10-19.1 - vkamdar 2007-10-19 7:14:25.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535 [GMT -7:00] Running from: C:\Documents and Settings\vkamdar\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\vkamdar\Desktop\cfscript.txt * Created a new restore point FILE:: C:\WINDOWS\system32\mlljh.dll . ((((((((((((((((((((((((( Files Created from 2007-09-19 to 2007-10-19 ))))))))))))))))))))))))))))))) . 2007-10-18 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2007-10-18 06:39 <DIR> d--hs---- C:\found.000 2007-10-17 20:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-10-17 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2007-10-17 20:20 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll 2007-10-17 19:47 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe 2007-10-17 19:47 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-10-17 19:47 53,248 --a------ C:\WINDOWS\system32\Process.exe 2007-10-17 19:47 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-10-17 19:47 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe 2007-10-17 19:40 <DIR> d-------- C:\Program Files\Enigma Software Group 2007-10-17 18:26 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-10-17 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Minnetonka Audio Software 2007-10-17 12:35 664 --a------ C:\WINDOWS\system32\d3d9caps.dat 2007-10-16 19:41 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Bitdefender 2007-10-16 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7 2007-10-16 18:23 81,984 --a------ C:\WINDOWS\system32\bdod.bin 2007-10-16 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender 2007-10-16 18:02 <DIR> d-------- C:\WINDOWS\BDOSCAN8 2007-10-16 06:16 33,792 --a------ C:\WINDOWS\system32\hggefgh.dll 2007-10-15 21:40 51,328 --a------ 
C:\WINDOWS\system32\drivers\msdv.sys 2007-10-15 21:40 51,328 --a--c--- C:\WINDOWS\system32\dllcache\msdv.sys 2007-10-15 21:40 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys 2007-10-15 21:40 48,128 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys 2007-10-15 21:40 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys 2007-10-15 21:40 38,912 --a--c--- C:\WINDOWS\system32\dllcache\avc.sys 2007-10-15 18:25 14,604 --a------ C:\WINDOWS\system32\drivers\pfc.sys 2007-10-15 06:26 8,704 --a------ C:\WINDOWS\system32\pfdnnt.exe 2007-10-15 06:17 <DIR> d-------- C:\Program Files\Panda Security 2007-10-13 08:40 2,182 --a------ C:\WINDOWS\system32\tmp.reg 2007-10-12 00:01 1,712,128 --a------ C:\WINDOWS\system32\GDIPLUS.DLL 2007-10-12 00:01 401,408 --a------ C:\WINDOWS\system32\pvmjpg30.dll 2007-10-12 00:01 233,472 --------- C:\WINDOWS\system32\DiskIO.dll 2007-10-12 00:01 184,320 --------- C:\WINDOWS\system32\RALMain.dll 2007-10-12 00:01 126,976 --------- C:\WINDOWS\system32\AVIPrAx.dll 2007-10-12 00:01 73,728 --------- C:\WINDOWS\system32\MMAviAx.dll 2007-10-12 00:01 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll 2007-10-12 00:01 41,984 --a------ C:\WINDOWS\system32\cacheX.dll 2007-10-12 00:01 32,768 --------- C:\WINDOWS\system32\MLPagAx.dll 2007-10-11 23:59 196,096 --a------ C:\WINDOWS\system32\macd32.dll 2007-10-11 23:59 138,752 --a------ C:\WINDOWS\system32\mase32.dll 2007-10-11 23:59 136,192 --a------ C:\WINDOWS\system32\mamc32.dll 2007-10-11 23:59 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL 2007-10-11 23:59 57,856 --a------ C:\WINDOWS\system32\masd32.dll 2007-10-11 23:59 27,648 --a------ C:\WINDOWS\system32\ma32.dll 2007-10-11 23:58 171,520 --a------ C:\WINDOWS\system32\drivers\MarvinBus.sys 2007-10-11 23:58 49,152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll 2007-10-11 23:58 41,219 --a------ C:\WINDOWS\RSETPATH.exe 2007-10-11 23:58 14,165 --a------ C:\WINDOWS\system32\drivers\Pclepci.sys 2007-10-11 23:57 <DIR> d-------- C:\Program Files\Pinnacle 2007-10-11 23:57 
<DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio 2007-10-10 20:59 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Media Player Classic 2007-10-10 20:40 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\NCH Swift Sound 2007-10-10 20:40 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\NCH Swift Sound 2007-10-10 20:40 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\NCH Swift Sound 2007-10-10 20:39 <DIR> d-------- C:\Program Files\NCH Software 2007-10-10 20:39 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Recordpad 2007-10-10 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound 2007-10-10 20:38 23,616 --a------ C:\WINDOWS\system32\drivers\nchssvad.sys 2007-10-10 20:37 <DIR> d-------- C:\Program Files\NCH Swift Sound 2007-10-10 20:37 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\NCH Swift Sound 2007-10-10 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll 2007-10-09 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pinnacle 2007-10-09 19:52 <DIR> d-------- C:\Program Files\MagicISO 2007-10-07 16:13 <DIR> d-------- C:\Program Files\Astro Gemini Software 2007-10-07 11:01 <DIR> d-------- C:\Program Files\Common Files\Nullsoft 2007-10-07 09:48 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\.BitTornado 2007-10-06 19:52 41,729 --a------ C:\WINDOWS\system32\drivers\Mkeusbi.sys 2007-10-06 19:52 14,308 --a------ C:\WINDOWS\system32\drivers\Mkemusb.sys 2007-10-03 15:02 768 --a------ C:\WINDOWS\system32\d3d8caps.dat 2007-10-02 06:26 <DIR> d-------- C:\Program Files\WinPcap 2007-10-02 06:25 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Sytexis Software 2007-09-30 20:22 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Grisoft 2007-09-30 20:22 3,968 --a------ 
C:\WINDOWS\system32\drivers\AvgArCln.sys 2007-09-30 20:21 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-09-30 14:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-09-30 13:19 <DIR> d-------- C:\WINDOWS\system32\GB9 2007-09-30 13:19 <DIR> d-------- C:\WINDOWS\system32\DL1 2007-09-30 13:19 <DIR> d-------- C:\Temp 2007-09-30 09:37 <DIR> d-------- C:\Program Files\iPod 2007-09-24 20:22 <DIR> d-------- C:\RegBackup 2007-09-21 18:38 <DIR> d-------- C:\Program Files\Apple Software Update . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-10-18 03:08 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\Easy Macro Recorder 2007-10-17 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft 2007-10-16 01:25 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-10-15 13:35 --------- d-----w C:\Program Files\Google 2007-10-15 02:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-10-07 16:48 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\.BitTornado 2007-10-07 02:47 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-10-05 13:28 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\AdobeUM 2007-09-30 13:58 --------- d-----w C:\Program Files\QuickTime 2007-09-15 20:02 --------- d-----w C:\Program Files\MSN Messenger 2007-09-15 12:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Easy Macro Recorder 2007-09-06 01:07 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\dvdcss 2007-09-03 19:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit 2007-09-03 16:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP 2007-09-01 14:44 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\gtk-2.0 2007-08-26 19:53 --------- d-----w C:\Documents and 
Settings\All Users\Application Data\DVD Shrink 2007-08-25 16:05 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\vlc 2007-08-21 13:09 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Juniper Networks 2007-08-21 13:09 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Juniper Networks 2007-08-21 13:09 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Juniper Networks 2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-08-21 04:40 --------- d-----w C:\Program Files\Juniper Networks 2007-08-21 04:40 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\Juniper Networks 2007-08-21 04:40 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Juniper Networks 2007-08-21 02:48 --------- d-----w C:\Program Files\MSECache 2007-08-19 17:03 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\Ahead 2007-08-16 02:28 81 ----a-w C:\CTX.DAT 2007-07-31 02:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll 2007-07-31 02:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll 2007-07-31 02:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe 2007-07-31 02:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll 2007-07-31 02:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll 2007-07-31 02:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll 2007-07-31 02:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll 2007-07-31 02:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll 2007-07-31 02:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll 2007-07-31 02:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll 2007-06-29 22:58 948 ----a-w C:\Documents and Settings\vkamdar\notepad.exe . ((((((((((((((((((((((((((((( snapshot@2007-10-17_18.52.30.95 ))))))))))))))))))))))))))))))))))))))))) . 
+ 2007-10-19 02:49:35 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe + 2007-10-19 02:49:35 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe + 2007-10-19 02:49:35 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe + 2007-10-19 02:49:35 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe + 2004-11-02 21:41:52 516,832 ----a-w C:\WINDOWS\system32\capicom.dll + 2007-07-11 21:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys + 2007-08-07 20:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys + 2007-08-07 20:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys - 2007-10-12 07:04:30 390,384 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT + 2007-10-18 13:41:24 370,488 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT + 2005-05-24 19:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll + 2007-08-29 22:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe + 2007-08-29 22:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll + 2007-04-13 22:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe - 2007-10-18 01:52:29 70,852 ----a-w C:\WINDOWS\system32\perfc009.dat + 2007-10-19 12:49:19 70,968 ----a-w C:\WINDOWS\system32\perfc009.dat - 2007-10-18 01:52:29 438,956 ----a-w C:\WINDOWS\system32\perfh009.dat + 2007-10-19 12:49:19 439,264 ----a-w C:\WINDOWS\system32\perfh009.dat + 2007-03-15 19:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll + 2007-03-15 19:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-21 11:12]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-04-02 16:48]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CARD Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CARD Monitor.lnk
backup=C:\WINDOWS\pss\CARD Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINDOWS\pss\officejet 6100.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BroadWaveRun]
"C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe" -logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
"C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule4]
"C:\Program Files\ISM\ISMModule4.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"D:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchList]
C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service]
d:\Program Files\Essentials Codec Pack\update.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
d:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad]
"C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" -logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemotelyAnywhere GUI]
"D:\Program Files\RemotelyAnywhere\x86\RAGui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2Check]
RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"FileZilla Server"=2 (0x2)
"ERSvc"=2 (0x2)
"dsNcService"=2 (0x2)

R2 RAInfo;RemotelyAnywhere Kernel Information Provider;\??\D:\Program Files\RemotelyAnywhere\x86\RaInfo.sys
R2 RARfsDriver;RemotelyAnywhere Remote File System Driver;\??\C:\WINDOWS\system32\drivers\RARfsDriver.sys
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
R3 ramirr;ramirr;C:\WINDOWS\system32\DRIVERS\ramirr.sys
S2 MKEMUSB;Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkemusb.sys
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkeusbi.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-16 23:43:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-15 00:30:33 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1184454664.job" - D:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-19 07:15:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-19 7:16:02
C:\ComboFix2.txt ... 2007-10-18 19:11
C:\ComboFix3.txt ... 2007-10-17 18:52
.
--- E O F ---

======================================

C:\Deckard\System Scanner\main.txt

Deckard's System Scanner v20071014.68
Run by vkamdar on 2007-10-19 07:18:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
5: 2007-10-19 14:19:01 UTC - RP5 - Deckard's System Scanner Restore Point
4: 2007-10-19 14:14:21 UTC - RP4 - ComboFix created restore point
3: 2007-10-19 03:09:34 UTC - RP3 - Ad-Aware Restore Point 2007-10-18 20:09:31
2: 2007-10-19 02:49:29 UTC - RP2 - Installed Ad-Aware 2007
1: 2007-10-19 01:47:52 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as vkamdar.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:19:45 AM, on 10/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\RemotelyAnywhere\x86\RaMaint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\vkamdar\Desktop\dss.exe
D:\PROGRA~1\TRENDM~1\HIJACK~1\vkamdar.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://gs.reyrey.com
O16 - DPF: CM_AdvancedCAB - https://www.gs.reyrey.com/common/Cli...dvancedCAB.CAB
O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyrey.com/clientdll/...lateviewer.cab
O16 - DPF: {03D19749-C5FA-4CCC-99AB-00AB2AF45ACD} (File Transfer ActiveX Client) - https://home:2000/activex/RACtrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1183834216265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1185639133265
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.gs.reyrey.com/clientdll/arview2.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.callutheran.edu/dana...niperSetup.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...91/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{694FF3D2-94BC-4697-818E-FCBA3D5A91B4}: NameServer = 10.40.13.91,10.40.13.95
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBC69EA4-2394-47D6-B67B-DD4C4C0DFCB1}: NameServer = 192.168.0.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - LogMeIn, Inc. - D:\Program Files\RemotelyAnywhere\x86\RaMaint.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

-- End of file - 8095 bytes

-- HijackThis Fixed Entries (D:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20070930-140729-125 O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
backup-20070930-140729-514 O2 - BHO: (no name) - {AC22AC99-AEF2-4B75-B08D-8FFC7302E947} - C:\Program Files\Windows Media Player\metoc4444.dll
backup-20070930-140729-597 O2 - BHO: (no name) - {93EEAC54-E82C-4739-99C1-05AB883E725D} - C:\WINDOWS\system32\vtstt.dll (file missing)
backup-20070930-140729-606 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
backup-20070930-140729-762 O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
backup-20070930-140729-940 O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
backup-20070930-144406-168 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\OFFICE~1\OFFICE11\REFIEBAR.DLL
backup-20070930-205439-965 O2 - BHO: (no name) - {1B5D12D5-CE4E-498C-B033-C0CEFAF85FB9} - C:\Program Files\Windows Media Player\metoc83122.dll
backup-20071012-062550-128 O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
backup-20071012-062550-153 O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
backup-20071012-062550-171 O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
backup-20071012-062550-232 O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
backup-20071012-062550-239 O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
backup-20071012-062550-256 O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
backup-20071012-062550-314 O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
backup-20071012-062550-324 O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
backup-20071012-062550-356 O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
backup-20071012-062550-424 O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
backup-20071012-062550-446 O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
backup-20071012-062550-484 O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
backup-20071012-062550-491 O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
backup-20071012-062550-499 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20071012-062550-534 O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
backup-20071012-062550-623 O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
backup-20071012-062550-694 O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
backup-20071012-062550-719 O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
backup-20071012-062550-730 O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
backup-20071012-062550-752 O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
backup-20071012-062550-794 O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
backup-20071012-062550-822 O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
backup-20071012-062550-929 O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
backup-20071012-062550-961 O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
backup-20071012-062550-976 O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
backup-20071012-182941-202 O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
backup-20071012-182941-221 O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
backup-20071012-182941-241 O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
backup-20071012-182941-263 O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
backup-20071012-182941-277 O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
backup-20071012-182941-291 O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
backup-20071012-182941-377 O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
backup-20071012-182941-515 O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
backup-20071012-182941-552 O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
backup-20071012-182941-600 O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
backup-20071012-182941-619 O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
backup-20071012-182941-664 O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
backup-20071012-182941-743 O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
backup-20071012-182941-768 O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
backup-20071012-182941-885 O2 - BHO: (no name) - {561713B1-52F3-4481-898E-7E22CD9773B2} - (no file)
backup-20071012-182941-894 O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
backup-20071012-182941-935 O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
backup-20071012-182941-963 O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
backup-20071012-182942-264 O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
backup-20071012-182942-370 O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
backup-20071012-182942-575 O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
backup-20071012-182942-693 O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
backup-20071012-182942-742 O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
backup-20071012-182942-791 O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
backup-20071012-182942-928 O2 - BHO: (no name) - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - (no file)
backup-20071012-182942-933 O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
backup-20071012-182942-971 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20071012-182945-721 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
backup-20071012-182945-945 O23 - Service: RemotelyAnywhere - LogMeIn, Inc. - D:\Program Files\RemotelyAnywhere\x86\RemotelyAnywhere.exe
backup-20071013-131527-922 O20 - Winlogon Notify: ljjkiii - ljjkiii.dll (file missing)
backup-20071014-180355-112 O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
backup-20071014-180355-248 O23 - Service: BroadWave Service (BroadWaveService) - Unknown owner - C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe
backup-20071014-180355-360 O23 - Service: Registry Management Service (RegManServ) - Unknown owner - d:\Program Files\Advanced Registry Doctor\RegManServ.exe
backup-20071014-180355-405 O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\tndohujm.dll",sitypnow
backup-20071014-180355-965 O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\lynpsdag.exe (file missing)
backup-20071014-194814-490 O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
backup-20071014-194814-971 O23 - Service: BroadWave Service (BroadWaveService) - Unknown owner - C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe
backup-20071014-194828-634 O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
backup-20071014-212419-138 O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
backup-20071014-212419-170 O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
backup-20071014-212419-177 O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
backup-20071014-212419-185 O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
backup-20071014-212419-220 O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
backup-20071014-212419-240 O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
backup-20071014-212419-309 O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
backup-20071014-212419-330 O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
backup-20071014-212419-351 O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
backup-20071014-212419-358 O2 - BHO: oembios32.msdn_hlp - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - C:\WINDOWS\system32\oembios32.dll (file missing)
backup-20071014-212419-405 O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
backup-20071014-212419-407 O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
backup-20071014-212419-508 O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
backup-20071014-212419-536 O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
backup-20071014-212419-541 O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
backup-20071014-212419-593 O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
backup-20071014-212419-615 O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
backup-20071014-212419-636 O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
backup-20071014-212419-662 O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
backup-20071014-212419-762 O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
backup-20071014-212419-844 O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
backup-20071014-212419-857 O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
backup-20071014-212419-925 O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
backup-20071014-212419-973 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20071014-212419-995 O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
backup-20071016-163516-926 O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvkuk.dll,startup
backup-20071017-191208-111 O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\lfbuhnau.dll
backup-20071017-191208-808 O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\fuknpcgu.dll",sitypnow
backup-20071017-191221-810 O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\lfbuhnau.dll
backup-20071017-191732-298 O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\wyfrbmfi.exe (file missing)
backup-20071017-191732-331 O23 - Service: BroadWave Service (BroadWaveService) - Unknown owner - C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe
backup-20071017-191732-476 O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\lfbuhnau.dll
backup-20071017-192928-830 O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\lfbuhnau.dll
backup-20071018-195627-580 O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys

-- File Associations -----------------------------------------------------------

All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 catchme - c:\docume~1\vkamdar\locals~1\temp\catchme.sys (file missing)
R3 dsNcAdpt (Juniper Network Connect Adapter) - c:\windows\system32\drivers\dsncadpt.sys <Not Verified; Juniper Networks; Network Connect>
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S2 MKEMUSB (Panasonic Digital Palmcorder) - c:\windows\system32\drivers\mkemusb.sys <Not Verified; Matsushita Kotobuki Electronics Industries, Ltd.; Panasonic Digital Palmcorder>
S3 BDFsDrv - c:\program files\softwin\bitdefender10\bdfsdrv.sys (file missing)
S3 BDRsDrv - c:\program files\softwin\bitdefender10\bdrsdrv.sys (file missing)
S3 DCamUSBMke (USB Video Camera for Panasonic Digital Palmcorder) - c:\windows\system32\drivers\mkeusbi.sys <Not Verified; Matsushita Kotobuki Electronics Industries,Ltd.; Panasonic Digital Palmcorder>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S3 QBFCService (Intuit QuickBooks FCS) - "c:\program files\common files\intuit\quickbooks\fcs\intuit.quickbooks.fcs.exe" <Not Verified; Intuit Inc.; QuickBooks 2007>
S4 dsNcService (Juniper Network Connect Service) - c:\program files\juniper networks\common files\dsncservice.exe <Not Verified; Juniper Networks; Network Connect>
S4 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
S4 QBCFMonitorService - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe" <Not Verified; Intuit; QuickBooks for Windows>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-10-16 16:43:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-10-14 17:30:33 358 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1184454664.job

-- Files created between 2007-09-19 and 2007-10-19 -----------------------------

2007-10-18 20:54:17 0 dr-h----- C:\Documents and Settings\vkamdar\Recent
2007-10-18 19:49:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-18 06:39:59 0 d--hs---- C:\found.000
2007-10-17 20:34:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-17 20:34:50 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-17 20:04:04 0 d-------- C:\!KillBox
2007-10-17 19:47:59 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-17 19:47:59 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-10-17 19:47:59 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-10-17 19:47:59 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-10-17 19:47:59 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-17 19:40:56 0 d-------- C:\Program Files\Enigma Software Group
2007-10-17 14:19:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Minnetonka Audio Software
2007-10-17 12:35:42 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-10-16 19:41:57 0 d-------- C:\Documents and Settings\vkamdar\Application Data\Bitdefender
2007-10-16 18:36:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-10-16 18:23:27 81984 --a------ C:\WINDOWS\system32\bdod.bin
2007-10-16 18:17:16 0 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2007-10-16 18:02:36 0 d-------- C:\WINDOWS\BDOSCAN8
2007-10-16 06:16:33 33792 --a------ C:\WINDOWS\system32\hggefgh.dll
2007-10-15 18:25:32 14604 --a------ C:\WINDOWS\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
2007-10-15 06:26:59 8704 --a------ C:\WINDOWS\system32\pfdnnt.exe <Not Verified; Panda Software International; Panda Anti-malware>
2007-10-15 06:17:47 0 d-------- C:\Program Files\Panda Security
2007-10-13 08:40:49 2182 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-12 00:01:59 401408 --a------ C:\WINDOWS\system32\pvmjpg30.dll <Not Verified; Pegasus Imaging Corporation; PICVideo Codec Suite>
2007-10-12 00:01:58 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP1>
2007-10-12 00:01:57 1712128 --a------ C:\WINDOWS\system32\GDIPLUS.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-10-12 00:01:32 184320 -----n--- C:\WINDOWS\system32\RALMain.dll <Not Verified; Pinnacle Systems GmbH; Register Abstraction Layer>
2007-10-12 00:01:32 73728 -----n--- C:\WINDOWS\system32\MMAviAx.dll <Not Verified; Pinnacle Systems GmbH; miroVIDEO MFP>
2007-10-12 00:01:32 32768 -----n--- C:\WINDOWS\system32\MLPagAx.dll <Not Verified; Pinnacle Systems GmbH; MLPag DLL>
2007-10-12 00:01:32 233472 -----n--- C:\WINDOWS\system32\DiskIO.dll <Not Verified; Pinnacle Systems GmbH; Media File Sequencer>
2007-10-12 00:01:32 41984 --a------ C:\WINDOWS\system32\cacheX.dll <Not Verified; Pinnacle Systems GmbH; Cache DLL>
2007-10-12 00:01:32 126976 -----n--- C:\WINDOWS\system32\AVIPrAx.dll <Not Verified; Pinnacle Systems GmbH; miroVIDEO AFP>
2007-10-12 00:00:14 0 d-------- C:\Documents and Settings\vkamdar\My Documents
2007-10-12 00:00:14 0 d-------- C:\Documents and Settings\NetworkService\My Documents
2007-10-12 00:00:14 0 d-------- C:\Documents and Settings\LocalService\My Documents
2007-10-11 23:59:47 138752 --a------ C:\WINDOWS\system32\mase32.dll
2007-10-11 23:59:47 57856 --a------ C:\WINDOWS\system32\masd32.dll
2007-10-11 23:59:47 136192 --a------ C:\WINDOWS\system32\mamc32.dll <Not Verified; ; MAMC32 Dynamic Link Library>
2007-10-11 23:59:47 196096 --a------ C:\WINDOWS\system32\macd32.dll <Not Verified; ; MACD32 Dynamic Link Library>
2007-10-11 23:59:45 27648 --a------ C:\WINDOWS\system32\ma32.dll
2007-10-11 23:58:48 14165 --a------ C:\WINDOWS\system32\drivers\Pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
2007-10-11 23:58:44 171520 --a------ C:\WINDOWS\system32\drivers\MarvinBus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>
2007-10-11 23:58:42 41219 --a------ C:\WINDOWS\RSETPATH.exe <Not Verified; Pinnacle Systems; Pinnacle Systems RSETPATH>
2007-10-11 23:58:11 49152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll <Not Verified; Pinnacle Systems; Guid_dll>
2007-10-11 23:57:40 0 d-------- C:\Program Files\Pinnacle
2007-10-11 23:57:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio
2007-10-10 20:59:53 0 d-------- C:\Documents and Settings\vkamdar\Application Data\Media Player Classic
2007-10-10 20:40:47 0 d-------- C:\Documents and Settings\LocalService\Application Data\NCH Swift Sound
2007-10-10 20:39:34 0 d-------- C:\Documents and Settings\vkamdar\Application Data\Recordpad
2007-10-10 20:39:26 0 d-------- C:\Program Files\NCH Software
2007-10-10 20:39:05 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-10 20:37:43 0 d-------- C:\Program Files\NCH Swift Sound
2007-10-10 20:37:43 0 d-------- C:\Documents and Settings\vkamdar\Application Data\NCH Swift Sound
2007-10-09 19:56:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Pinnacle
2007-10-09 19:52:28 0 d-------- C:\Program Files\MagicISO
2007-10-07 16:13:27 0 d-------- C:\Program Files\Astro Gemini Software
2007-10-07 11:04:01 0 d-------- C:\Documents and Settings\vkamdar\Application Data\Help
2007-10-07 11:01:40 0 d-------- C:\Program Files\Common Files\Nullsoft
2007-10-07 09:48:15 0 d-------- C:\Documents and Settings\vkamdar\Application Data\.BitTornado 2007-10-06 19:52:15 41729 --a------ C:\WINDOWS\system32\drivers\Mkeusbi.sys <Not Verified; Matsushita Kotobuki Electronics Industries,Ltd.; Panasonic Digital Palmcorder> 2007-10-06 19:52:15 14308 --a------ C:\WINDOWS\system32\drivers\Mkemusb.sys <Not Verified; Matsushita Kotobuki Electronics Industries, Ltd.; Panasonic Digital Palmcorder> 2007-10-03 15:02:11 768 --a------ C:\WINDOWS\system32\d3d8caps.dat 2007-10-02 06:26:19 0 d-------- C:\Program Files\WinPcap 2007-10-02 06:25:36 0 d-------- C:\Documents and Settings\vkamdar\Application Data\Sytexis Software 2007-09-30 20:22:06 0 d-------- C:\Documents and Settings\vkamdar\Application Data\Grisoft 2007-09-30 14:17:50 0 d-------- C:\WINDOWS\system32\ActiveScan 2007-09-30 13:19:07 0 d-------- C:\WINDOWS\system32\GB9 2007-09-30 13:19:07 0 d-------- C:\WINDOWS\system32\DL1 2007-09-30 13:19:01 0 d-------- C:\Temp 2007-09-30 09:37:57 0 d-------- C:\Program Files\iPod 2007-09-24 20:22:39 0 d-------- C:\RegBackup 2007-09-21 18:38:20 0 d-------- C:\Program Files\Apple Software Update -- Find3M Report --------------------------------------------------------------- 2007-10-17 20:20:51 0 d-------- C:\Program Files\Common Files 2007-10-17 20:08:53 0 d-------- C:\Documents and Settings\vkamdar\Application Data\Easy Macro Recorder 2007-10-15 18:39:39 0 d-------- C:\Documents and Settings\vkamdar\Application Data\Adobe 2007-10-15 18:25:28 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-10-15 06:35:50 0 d-------- C:\Program Files\Google 2007-10-14 19:30:45 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-10-11 23:59:47 95 --a------ C:\AUTOEXEC.BAT 2007-10-07 11:02:21 2470 --a------ C:\WINDOWS\mozver.dat 2007-10-07 10:04:55 0 d-------- C:\Documents and Settings\vkamdar\Application Data\Mozilla 2007-10-06 19:47:37 0 d-------- C:\Program Files\Common Files\InstallShield 2007-10-05 06:28:32 0 
d-------- C:\Documents and Settings\vkamdar\Application Data\AdobeUM 2007-09-30 13:56:45 0 d-------- C:\Program Files\Messenger 2007-09-30 06:58:46 0 d-------- C:\Program Files\QuickTime 2007-09-15 13:02:10 0 d-------- C:\Program Files\MSN Messenger 2007-09-05 18:07:46 0 d-------- C:\Documents and Settings\vkamdar\Application Data\dvdcss 2007-09-01 07:44:45 0 d-------- C:\Documents and Settings\vkamdar\Application Data\gtk-2.0 2007-08-25 09:05:45 0 d-------- C:\Documents and Settings\vkamdar\Application Data\vlc 2007-08-20 21:40:12 0 d-------- C:\Program Files\Juniper Networks 2007-08-20 21:40:09 0 d-------- C:\Documents and Settings\vkamdar\Application Data\Juniper Networks 2007-08-20 19:48:55 0 d-------- C:\Program Files\MSECache 2007-08-19 10:03:28 0 d-------- C:\Documents and Settings\vkamdar\Application Data\Ahead 2007-08-19 08:28:21 12 --a------ C:\WINDOWS\lang_e86.dll 2007-08-15 19:28:28 81 --a------ C:\CTX.DAT -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 02:25 AM] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [03/21/2006 11:12 AM] "BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [04/02/2007 04:48 PM] "BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [03/26/2007 03:49 PM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:00 AM] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "ClearRecentDocsOnExit"=1 (0x1) [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoLowDiskSpaceChecks"=1 (0x1) "ClearRecentDocsOnExit"=01 [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"=sockspy.dll 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CARD Monitor.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CARD Monitor.lnk backup=C:\WINDOWS\pss\CARD Monitor.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk backup=C:\WINDOWS\pss\officejet 6100.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BroadWaveRun] "C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe" -logon [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper] CTHELPER.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp] CTXFIHLP.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule4] "C:\Program Files\ISM\ISMModule4.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchList] C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service] d:\Program Files\Essentials Codec Pack\update.exe -silent [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector] d:\Program Files\Picasa2\PicasaMediaDetector.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad] "C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" -logon [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemotelyAnywhere GUI] "D:\Program Files\RemotelyAnywhere\x86\RAGui.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WZCSVC"=2 (0x2) "Pml Driver HPZ12"=3 (0x3) "FileZilla Server"=2 (0x2) "ERSvc"=2 (0x2) "dsNcService"=2 (0x2) -- End of Deckard's System Scanner: finished at 2007-10-19 07:20:28 ------------ ============================================== |
#13
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: help with hijackthis log
Good job.
Please follow all instructions in the order they come; if you have any questions, please ask before proceeding.
====================================================
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2
=====================================================
Open notepad and copy/paste the text in the quotebox below into it:
Quote:
Referring to the picture above, drag CFscript into ComboFix.exe
Follow the prompts, and post the resulting log, C:\ComboFix.txt
Warning: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
=====================================================
JAVA OUTDATED
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Updating Java:
=====================================================
Download ATF-Cleaner by Atribune to your desktop.
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you have Firefox installed:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you have Opera installed:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
====================================================
Perform an online scan with Internet Explorer with Panda ActiveScan
* Turn off the real time scanner of any existing antivirus program while performing the online scan
Paste the Panda Scan report into your next reply.
====================================================
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
=======================================================
Logs Required
C:\Combofix.txt
Panda scan report
Hijackthis log
How is your system behaving now?
#15
Registered User
Join Date: Oct 2007
Posts: 15
OS: xp pro
Re: help with hijackthis log
Combofix.txt
ComboFix 07-10-19.1 - vkamdar 2007-10-19 18:16:56.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1399 [GMT -7:00]
Running from: C:\Documents and Settings\vkamdar\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\vkamdar\Desktop\CFscript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\hggefgh.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Enigma Software Group
C:\WINDOWS\system32\hggefgh.dll
.

((((((((((((((((((((((((( Files Created from 2007-09-20 to 2007-10-20 )))))))))))))))))))))))))))))))
.

2007-10-19 07:18 <DIR> d-------- C:\Deckard
2007-10-18 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-18 06:39 <DIR> d--hs---- C:\found.000
2007-10-17 20:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-17 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-17 20:20 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-17 19:47 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-17 19:47 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-17 19:47 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-17 19:47 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-17 19:47 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-17 18:26 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-17 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Minnetonka Audio Software
2007-10-17 12:35 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-10-16 19:41 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Bitdefender
2007-10-16 19:41 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Bitdefender
2007-10-16 19:41 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Bitdefender
2007-10-16 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-10-16 18:23 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-10-16 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2007-10-16 18:02 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-15 21:40 51,328 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-10-15 21:40 51,328 --a--c--- C:\WINDOWS\system32\dllcache\msdv.sys
2007-10-15 21:40 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2007-10-15 21:40 48,128 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys
2007-10-15 21:40 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2007-10-15 21:40 38,912 --a--c--- C:\WINDOWS\system32\dllcache\avc.sys
2007-10-15 18:25 14,604 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2007-10-15 06:26 8,704 --a------ C:\WINDOWS\system32\pfdnnt.exe
2007-10-15 06:17 <DIR> d-------- C:\Program Files\Panda Security
2007-10-13 08:40 2,182 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-12 00:01 1,712,128 --a------ C:\WINDOWS\system32\GDIPLUS.DLL
2007-10-12 00:01 401,408 --a------ C:\WINDOWS\system32\pvmjpg30.dll
2007-10-12 00:01 233,472 --------- C:\WINDOWS\system32\DiskIO.dll
2007-10-12 00:01 184,320 --------- C:\WINDOWS\system32\RALMain.dll
2007-10-12 00:01 126,976 --------- C:\WINDOWS\system32\AVIPrAx.dll
2007-10-12 00:01 73,728 --------- C:\WINDOWS\system32\MMAviAx.dll
2007-10-12 00:01 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2007-10-12 00:01 41,984 --a------ C:\WINDOWS\system32\cacheX.dll
2007-10-12 00:01 32,768 --------- C:\WINDOWS\system32\MLPagAx.dll
2007-10-11 23:59 196,096 --a------ C:\WINDOWS\system32\macd32.dll
2007-10-11 23:59 138,752 --a------ C:\WINDOWS\system32\mase32.dll
2007-10-11 23:59 136,192 --a------ C:\WINDOWS\system32\mamc32.dll
2007-10-11 23:59 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2007-10-11 23:59 57,856 --a------ C:\WINDOWS\system32\masd32.dll
2007-10-11 23:59 27,648 --a------ C:\WINDOWS\system32\ma32.dll
2007-10-11 23:58 171,520 --a------ C:\WINDOWS\system32\drivers\MarvinBus.sys
2007-10-11 23:58 49,152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll
2007-10-11 23:58 41,219 --a------ C:\WINDOWS\RSETPATH.exe
2007-10-11 23:58 14,165 --a------ C:\WINDOWS\system32\drivers\Pclepci.sys
2007-10-11 23:57 <DIR> d-------- C:\Program Files\Pinnacle
2007-10-11 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio
2007-10-10 20:59 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Media Player Classic
2007-10-10 20:59 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Media Player Classic
2007-10-10 20:59 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Media Player Classic
2007-10-10 20:40 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\NCH Swift Sound
2007-10-10 20:39 <DIR> d-------- C:\Program Files\NCH Software
2007-10-10 20:39 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Recordpad
2007-10-10 20:39 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Recordpad
2007-10-10 20:39 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Recordpad
2007-10-10 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-10 20:38 23,616 --a------ C:\WINDOWS\system32\drivers\nchssvad.sys
2007-10-10 20:37 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-10-10 20:37 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\NCH Swift Sound
2007-10-10 20:37 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\NCH Swift Sound
2007-10-10 20:37 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\NCH Swift Sound
2007-10-10 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pinnacle
2007-10-09 19:52 <DIR> d-------- C:\Program Files\MagicISO
2007-10-07 16:13 <DIR> d-------- C:\Program Files\Astro Gemini Software
2007-10-07 11:01 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2007-10-07 09:48 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\.BitTornado
2007-10-07 09:48 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\.BitTornado
2007-10-07 09:48 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\.BitTornado
2007-10-06 19:52 41,729 --a------ C:\WINDOWS\system32\drivers\Mkeusbi.sys
2007-10-06 19:52 14,308 --a------ C:\WINDOWS\system32\drivers\Mkemusb.sys
2007-10-03 15:02 768 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-10-02 06:26 <DIR> d-------- C:\Program Files\WinPcap
2007-10-02 06:25 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Sytexis Software
2007-10-02 06:25 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Sytexis Software
2007-10-02 06:25 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Sytexis Software
2007-09-30 20:22 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Grisoft
2007-09-30 20:22 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Grisoft
2007-09-30 20:22 <DIR> d-------- C:\Documents and Settings\vkamdar\Application Data\Grisoft
2007-09-30 20:22 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-09-30 20:21 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-30 14:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-30 13:19 <DIR> d-------- C:\WINDOWS\system32\GB9
2007-09-30 13:19 <DIR> d-------- C:\WINDOWS\system32\DL1
2007-09-30 13:19 <DIR> d-------- C:\Temp
2007-09-30 09:37 <DIR> d-------- C:\Program Files\iPod
2007-09-24 20:22 <DIR> d-------- C:\RegBackup
2007-09-21 18:38 <DIR> d-------- C:\Program Files\Apple Software Update
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2007-10-20 01:14 --------- d-----w C:\Program Files\Java
2007-10-18 03:08 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\Easy Macro Recorder
2007-10-18 03:08 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\Easy Macro Recorder
2007-10-18 03:08 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\Easy Macro Recorder
2007-10-17 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-16 01:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-15 13:35 --------- d-----w C:\Program Files\Google
2007-10-15 02:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-07 16:48 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\.BitTornado
2007-10-07 16:48 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\.BitTornado
2007-10-07 16:48 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\.BitTornado
2007-10-07 02:47 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-05 13:28 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\AdobeUM
2007-10-05 13:28 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\AdobeUM
2007-10-05 13:28 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\AdobeUM
2007-09-30 13:58 --------- d-----w C:\Program Files\QuickTime
2007-09-15 20:02 --------- d-----w C:\Program Files\MSN Messenger
2007-09-15 12:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Easy Macro Recorder
2007-09-06 01:07 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\dvdcss
2007-09-06 01:07 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\dvdcss
2007-09-06 01:07 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\dvdcss
2007-09-03 19:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2007-09-03 16:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-01 14:44 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\gtk-2.0
2007-09-01 14:44 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\gtk-2.0
2007-09-01 14:44 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\gtk-2.0
2007-08-26 19:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-08-25 16:05 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\vlc
2007-08-25 16:05 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\vlc
2007-08-25 16:05 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\vlc
2007-08-21 13:09 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Juniper Networks
2007-08-21 04:40 --------- d-----w C:\Program Files\Juniper Networks
2007-08-21 04:40 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\Juniper Networks
2007-08-21 04:40 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\Juniper Networks
2007-08-21 04:40 --------- d-----w C:\Documents and Settings\vkamdar\Application Data\Juniper Networks
2007-08-21 04:40 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Juniper Networks
2007-08-21 02:48 --------- d-----w C:\Program Files\MSECache
2007-08-16 02:28 81 ----a-w C:\CTX.DAT
2007-06-29 22:58 948 ----a-w C:\Documents and Settings\vkamdar\notepad.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-17_18.52.30.95 )))))))))))))))))))))))))))))))))))))))))
.

+ 2007-10-19 02:49:35 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2007-10-19 02:49:35 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2007-10-19 02:49:35 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2007-10-19 02:49:35 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2004-11-02 21:41:52 516,832 ----a-w C:\WINDOWS\system32\capicom.dll
+ 2007-07-11 21:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 20:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 20:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
- 2007-10-12 07:04:30 390,384 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-10-18 13:41:24 370,488 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2005-05-24 19:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 22:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 22:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-04-13 22:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2007-10-18 01:52:29 70,852 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-10-19 12:49:19 70,968 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-18 01:52:29 438,956 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-19 12:49:19 439,264 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-03-15 19:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
+ 2007-03-15 19:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-21 11:12]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-04-02 16:48]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CARD Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CARD Monitor.lnk
backup=C:\WINDOWS\pss\CARD Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINDOWS\pss\officejet 6100.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BroadWaveRun]
"C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe" -logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
"C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule4]
"C:\Program Files\ISM\ISMModule4.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"D:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchList]
C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service]
d:\Program Files\Essentials Codec Pack\update.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
d:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad]
"C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" -logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemotelyAnywhere GUI]
"D:\Program Files\RemotelyAnywhere\x86\RAGui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2Check]
RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"FileZilla Server"=2 (0x2)
"ERSvc"=2 (0x2)
"dsNcService"=2 (0x2)

R2 RAInfo;RemotelyAnywhere Kernel Information Provider;\??\D:\Program Files\RemotelyAnywhere\x86\RaInfo.sys
R2 RARfsDriver;RemotelyAnywhere Remote File System Driver;\??\C:\WINDOWS\system32\drivers\RARfsDriver.sys
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
R3 ramirr;ramirr;C:\WINDOWS\system32\DRIVERS\ramirr.sys
S2 MKEMUSB;Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkemusb.sys
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkeusbi.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-16 23:43:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-15 00:30:33 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1184454664.job" - D:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-19 18:18:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-19 18:19:58 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-19 07:16
C:\ComboFix3.txt ... 2007-10-18 19:11
.
--- E O F ---

============================

Pandascan Report

Incident Status Location

Adware:adware/adbars Not disinfected Windows Registry
Dialer:dialer.xd Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{54645654-2225-4455-44A1-9F4543D34546}
Adware:adware/activesearch Not disinfected Windows Registry
Adware:adware/whenusearch Not disinfected Windows Registry
Adware:adware/404search Not disinfected Windows Registry
Adware:adware/adblaster Not disinfected Windows Registry
Adware:adware/adsincontext Not disinfected Windows Registry
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\vkamdar\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\vkamdar\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\vkamdar\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\vkamdar\Desktop\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\vkamdar\Desktop\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\Mozilla Firefox\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Program Files\Mozilla Firefox\SmitfraudFix\restart.exe
Adware:Adware/Yazzle Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\Yazzle1162OinUninstaller.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\hggefgh.dll.vir
Adware:Adware/Adband Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\Z2\mon33dll.exe.vir[BndDrive4.dll]
Adware:Adware/Amera Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\Z2\mon33dll.exe.vir[ISMModule4.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Potentially unwanted
tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe =========================== Hijackthis.log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:27:30 PM, on 10/19/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe D:\Program Files\RemotelyAnywhere\x86\RaMaint.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe C:\Program Files\Softwin\BitDefender10\bdagent.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe C:\Program Files\Softwin\BitDefender10\vsserv.exe D:\PROGRA~1\TRENDM~1\HIJACK~1\hijackthis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - 
{AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://D:\Program 
Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://gs.reyrey.com O16 - DPF: CM_AdvancedCAB - https://www.gs.reyrey.com/common/Cli...dvancedCAB.CAB O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyrey.com/clientdll/...lateviewer.cab O16 - DPF: {03D19749-C5FA-4CCC-99AB-00AB2AF45ACD} (File Transfer ActiveX Client) - https://home:2000/activex/RACtrl.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1183834216265 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1185639133265 O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.gs.reyrey.com/clientdll/arview2.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - 
http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.callutheran.edu/dana...niperSetup.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...91/mcfscan.cab O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://10.40.13.151:2000/activex/RACtrl.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{694FF3D2-94BC-4697-818E-FCBA3D5A91B4}: NameServer = 10.40.13.91,10.40.13.95 O17 - HKLM\System\CCS\Services\Tcpip\..\{CBC69EA4-2394-47D6-B67B-DD4C4C0DFCB1}: NameServer = 192.168.0.1 O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - LogMeIn, Inc. 
- D:\Program Files\RemotelyAnywhere\x86\RaMaint.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe -- End of file - 8440 bytes |
#16
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: help with huijackthis log
Hello again vikkam
Reg Fix

Go to Start->Run, type in regedit and hit OK. Go to HKEY_LOCAL_MACHINE and click on it, then right-click on HKEY_LOCAL_MACHINE and select Export. Save the registry somewhere as a backup. Close the Registry Editor now.

Open Notepad and copy/paste the text in the quotebox below (don't forget to copy and paste REGEDIT4):

Quote:

It should look like this:

Double-click on the Fix.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

====================================================

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):

O15 - Trusted Zone: http://gs.reyrey.com <--- Did you put this in the trusted zone? If so, leave it alone.
O16 - DPF: {03D19749-C5FA-4CCC-99AB-00AB2AF45ACD} (File Transfer ActiveX Client) - https://home:2000/activex/RACtrl.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.callutheran.edu/dana...niperSetup.cab

Please remember to close all other windows, including browsers, then click Fix checked.

=====================================================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

=======================================================

Logs Required
Hijackthis log
#17
Registered User
Join Date: Oct 2007
Posts: 15
OS: xp pro
Re: help with huijackthis log
Bruce
Thanks much for all your help and guidance. I have done steps 1 and 2 (exported regedit and made and merged "Fix.reg"). I have some questions about step 3.

quote
O15 - Trusted Zone: http://gs.reyrey.com <--- Did you put this in the trusted zone? If so, leave it alone.
.......... I know this is the dealership management company's website and a known site.
O16 - DPF: {03D19749-C5FA-4CCC-99AB-00AB2AF45ACD} (File Transfer ActiveX Client) - https://home:2000/activex/RACtrl.cab
I believe this is the RemotelyAnywhere program which I use to connect remotely to my work computer.
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.callutheran.edu/dana...niperSetup.cab
I believe this is a program which I use to connect remotely to another work machine.
unquote

Do you want me to still kill these sites in HijackThis?

Thanks once again,
vikkam