11-09-2008, 10:04 AM   #1
Registered User
Join Date: Nov 2008
Posts: 5
OS: windowsXP


EEK! I also have the "unsolicited browser pops" problem. Tks

I have had this computer for 2 years and never had a virus/spyware problem.
Then yesterday, 11.8.2008, something happened.

WindowsXP Professional
Version 5.1 service pack 3

I have Zone Alarm anti-virus.
I never had any spyware protection.
I have played on pogo.com for years without a problem.
I added HideMyIP about 3 months ago, no problem before.

The only different things I can think of:

1. I have been searching the net since October for a new place
2. I have been to bored.com to play games
3. I updated both Windows and Zone Alarm on 11.8.2008, and maybe my computer was somewhat wide open for a few minutes/hours (I did both at the same time and I will never do it again!)

I was printing and then my printer lost connection, which was very weird.
Then I saw the unsolicited browser popups (scary).
And twice my computer turned off on itself.

I installed Spybot and then Ad-Aware, and they picked up stuff and it was removed.
But whenever I booted, the stuff was all back again.

I uninstalled Spybot (do not like it) and Ad-Aware found more stuff.

Every reboot Ad-Watch picks up 1,000+ notifications queued, meaning modifications in the registry or elsewhere.

Zone Alarm picked up Trojan.Win32.BHO.hzf twice

There was something with a V on spybot (sorry that I did not save that name), that was huge.

After a lost Saturday, more than 5 scans, install/uninstall, and all, I STILL HAVE the browser popups.

My logs are attached.
Not sure if I did all right.

You all are great.
Tks

GMER

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-09 12:27:37
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0x9F3C98D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0x9F3C66E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0x9F3D3490]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0x9F3C9E90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0x9F3D0C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0x9F3D0E90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0x9F3D4D50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0x9F3C9F80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x9F3C6C70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0x9F3D3D10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0x9F3D3AC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0x9F3D0600]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadDriver [0x9F3C33B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0x9F3D4230]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0x9F3D42B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0x9F3D4FD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0x9F3C6AD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0x9F3D24F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0x9F3D22B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0x9F3D4970]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x9F3D43D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0x9F3C94F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0x9F3D47C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0x9F3C9AA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x9F3C6EA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSystemInformation [0x9F3C3190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0x9F3D3800]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0x9F3D1580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0x9F3D1400]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwUnloadDriver [0x9F3C35D0]

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504518 12 Bytes [ 90, 9E, 3C, 9F, 80, 0C, 3D, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2CBE 8050455A 6 Bytes [ 3C, 9F, 10, 3D, 3D, 9F ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2D48 805045E4 12 Bytes [ B0, 33, 3C, 9F, 30, 42, 3D, ... ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [9F3CE410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [9F3CE220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [9F3CEB50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [9F3CC780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [9F3CC780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [9F3CE410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [9F3CE220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [9F3CEB50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [9F3CE410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [9F3CC780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [9F3CEB50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [9F3CE220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [9F3CEB50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [9F3CE220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [9F3CE410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [9F3CC780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [9F3CE410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [9F3CE220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [9F3CEB50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [9F3CE410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [9F3CC780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [9F3CEB50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [9F3CE220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip NSDriver.sys (Driver for Ad-Watch network monitoring/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp NSDriver.sys (Driver for Ad-Watch network monitoring/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp NSDriver.sys (Driver for Ad-Watch network monitoring/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp NSDriver.sys (Driver for Ad-Watch network monitoring/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \FileSystem\Fastfat \Fat kmixer.sys (Kernel Mode Audio Mixer/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Processes - GMER 1.0.14 ----

Process C:\WINDOWS\hh.exe (*** hidden *** ) 2340

---- Registry - GMER 1.0.14 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{267F94DB-C473-0152-0C28-E747A99A9621}

---- EOF - GMER 1.0.14 ----

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

RSIT LOGS (the log copied into the info)

info.txt logfile of random's system information tool 1.04 2008-11-09 12:29:54

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
-->MsiExec.exe /I{688A3383-3CE7-4094-9188-9C39D1E4FCB6}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 6.0 Sprint-->MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Active@ ISO Burner v 1.1-->C:\PROGRA~1\LSOFTT~1\ACTIVE~1\UNWISE.EXE C:\PROGRA~1\LSOFTT~1\ACTIVE~1\INSTALL.LOG
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AOLIcon-->MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
BadCopy Pro-->C:\PROGRA~1\Jufsoft\BadCopy\UNWISE.EXE C:\PROGRA~1\Jufsoft\BadCopy\INSTALL.LOG
BCWipe 3.0-->"C:\WINDOWS\BCUnInstall.exe" C:\Program Files\Jetico\BCWipe\UnInstall.log
BCWipePD 2.0-->"C:\WINDOWS\BCUnInstall.exe" C:\Program Files\Jetico\BCWipePD\UnInstall.log
Dell CinePlayer-->MsiExec.exe /I{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}
Dell Driver Reset Tool-->MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Media Experience-->MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
Dell Support 3.2.1-->MsiExec.exe /X{CEE2252C-4035-4B27-8EC6-0B085DD3A413}
Digital Content Portal-->MsiExec.exe /I{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}
Documentation & Support Launcher-->MsiExec.exe /X{B0DF58A2-40DF-4465-AA56-38623EC9938C}
FinePix Studio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3B3AB03-8ABC-46CF-8CA9-DB5581E1F368}\SETUP.EXE" -l0x9
FinePixViewer Resource-->C:\Program Files\InstallShield Installation Information\{B44529FF-501E-47CD-A06D-223C161BE058}\SETUP.EXE -runfromtemp -l0x0009 -removeonly
FinePixViewer Ver.5.4-->C:\Program Files\InstallShield Installation Information\{24ED4D80-8294-11D5-96CD-0040266301AD}\SETUP.EXE -runfromtemp -l0x0009 -removeonly
FUJIFILM USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\SETUP.EXE"
Games, Music, & Photos Launcher-->MsiExec.exe /X{B6884A07-0305-47AE-9969-8F26FADC17DE}
Hide My IP 2008-->"C:\Program Files\Hide My IP 2008\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Internet Service Offers Launcher-->MsiExec.exe /X{E42BD75A-FC23-4E3F-9F91-2658334C644F}
iolo technologies' System Mechanic 7-->"C:\Program Files\iolo\System Mechanic 7\unins000.exe"
Java(TM) 6 Update 10-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
K-Meleon 1.1.5 en-US (remove only)-->C:\Program Files\K-Meleon\uninstall.exe
Lexmark 5400 Series-->C:\Program Files\Lexmark 5400 Series\Install\x86\Uninst.exe
McAfee SiteAdvisor-->C:\Program Files\SiteAdvisor\6261\uninstall.exe
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft .NET Framework 3.5-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft Office Basic Edition 2003-->MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft Picture It! Photo 2002-->MsiExec.exe /I{C769A271-7E1C-48F9-B331-474600DD4C06}
Microsoft Plus! Digital Media Edition Installer-->MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE-->MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Move Networks Player for Internet Explorer-->"C:\Documents and Settings\Butterfly\Application Data\Move Networks\ie_bin\unins000.exe"
Mozilla Firefox (2.0.0.14)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NetExchangePro 3.0-->C:\PROGRA~1\NETEXC~1.0\UNWISE.EXE C:\PROGRA~1\NETEXC~1.0\INSTALL.LOG
Paint.NET v3.22-->MsiExec.exe /X{96C267DA-0926-4C11-B4E7-4D3EF85130D0}
PrimoPDF-->"C:\WINDOWS\PrimoPDF4\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstallPrimoPDF4.xml"
QuickBooks Pro 2006-->msiexec.exe /I {688A3383-3CE7-4094-9188-9C39D1E4FCB6} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2006" ADDREMOVE=1
QuickTime-->MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine-->MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Rhapsody-->C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\INSTALL.LOG
Roxio DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Roxio MyDVD LE-->MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Roxio RecordNow Audio-->MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Roxio RecordNow Copy-->MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Roxio RecordNow Data-->MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Smart Explorer 6.1-->"C:\Program Files\Smart Explorer\unins000.exe"
Sonic Activation Module-->MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}
Sonic Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
UltraLott Florida 1.2.2-->"C:\Program Files\UltraLott Florida\unins000.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
URL Assistant-->regsvr32 /u /s "C:\Program Files\BAE\BAE.dll"
WD Diagnostics-->MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Mail-->MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinUndelete-->C:\PROGRA~1\WINUND~1\UNWISE.EXE C:\PROGRA~1\WINUND~1\INSTALL.LOG
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
ZoneAlarm Anti-virus-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

======Security center information======

AV: ZoneAlarm Anti-virus Antivirus
FW: ZoneAlarm Anti-virus Firewall

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\Common Files\Roxio Shared\DLLShared\;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier";C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0f06
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SonicCentral"=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"ASLOGDIR"=C:\Program Files\Intuit\QuickBooks 2006\
"tvdumpflags"=8

-----------------EOF-----------------

Logfile of random's system information tool 1.04 (written by random/random)
Run by Butterfly at 2008-11-09 12:29:47
Microsoft Windows XP Professional Service Pack 3
System drive C: has 274 GB (91%) free of 302 GB
Total RAM: 2038 MB (73% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:52 PM, on 11/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Hide My IP 2008\SecureSrv.exe
C:\Program Files\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Butterfly.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {0536B141-B343-4F7B-986F-7BEC8583A4Ec} - (no file)
O2 - BHO: (no name) - {99E6C646-C8F3-4742-B2E4-20CDA1ACA9EB} - C:\WINDOWS\system32\byXppPhI.dll (file missing)
O2 - BHO: {855c78ee-8de0-409a-88a4-fa689c722fda} - {adf227c9-86af-4a88-a904-0ed8ee87c558} - C:\WINDOWS\system32\imqrcf.dll
O2 - BHO: (no name) - {B0B3393C-62D1-44D8-ABF5-08E0F067F29E} - C:\WINDOWS\system32\mlJaBUOe.dll
O2 - BHO: (no name) - {BCC5D6E1-C81A-4D13-BD12-F6B50B40DB8D} - C:\WINDOWS\system32\pmnmnKEu.dll (file missing)
O2 - BHO: (no name) - {BF271355-A295-4832-A5F7-66EBD2B8F327} - C:\WINDOWS\system32\awtSljjK.dll
O2 - BHO: (no name) - {F84E8C4C-242A-4900-83DD-4AE76E52BF33} - (no file)
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKLM\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKLM\..\Run: [14a3f3b1] rundll32.exe "C:\WINDOWS\system32\ksmlujdb.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Butterfly\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [HideMyIP2008] C:\Program Files\Hide My IP 2008\HideMyIP2008.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O9 - Extra button: Internet Radio by Endicosoft.com - {1F958B09-3312-7f0e-9723-4C1324C57B20} - C:\Program Files\Internet Radio\Radio.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSC...ws-i586-jc.cab
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/po...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79F95549-09CA-48E7-B953-4E1A71AB9071}: NameServer = 209.84.253.11,209.84.253.12
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O18 - Filter hijack: text/html - {cbfd44e2-b8ca-4bbf-ad3d-1e7de6ffb651} - C:\WINDOWS\system32\msziptools.dll
O20 - AppInit_DLLs: dbyhlk.dll imqrcf.dll
O20 - Winlogon Notify: mlJaBUOe - C:\WINDOWS\SYSTEM32\mlJaBUOe.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: SecureSrv - Unknown owner - C:\Program Files\Hide My IP 2008\SecureSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8471 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0536B141-B343-4F7B-986F-7BEC8583A4Ec}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99E6C646-C8F3-4742-B2E4-20CDA1ACA9EB}]
C:\WINDOWS\system32\byXppPhI.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{adf227c9-86af-4a88-a904-0ed8ee87c558}]
C:\WINDOWS\system32\imqrcf.dll [2008-11-09 103424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B0B3393C-62D1-44D8-ABF5-08E0F067F29E}]
C:\WINDOWS\system32\mlJaBUOe.dll [2008-11-08 35328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BCC5D6E1-C81A-4D13-BD12-F6B50B40DB8D}]
C:\WINDOWS\system32\pmnmnKEu.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF271355-A295-4832-A5F7-66EBD2B8F327}]
C:\WINDOWS\system32\awtSljjK.dll [2008-11-09 245760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F84E8C4C-242A-4900-83DD-4AE76E52BF33}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - Verizon Broadband Toolbar - C:\WINDOWS\DOWNLO~1\vzbb.dll []
{0BF43445-2F28-4351-9252-17FE6E806AA0} - McAfee SiteAdvisor - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll [2008-05-16 927008]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2006-07-21 98304]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2006-07-21 86016]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2006-07-21 81920]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [2006-07-06 151552]
"DLA"=C:\WINDOWS\System32\DLA\DLACTRLW.EXE [2005-09-08 122940]
"SMSystemAnalyzer"=C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe [2008-05-06 764776]
"Logitech Hardware Abstraction Layer"=KHALMNPR.EXE []
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2006-07-24 282624]
"SiteAdvisor"=C:\Program Files\SiteAdvisor\6172\SiteAdv.exe []
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-05-21 185896]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-10-09 981904]
"lxctmon.exe"=C:\Program Files\Lexmark 5400 Series\lxctmon.exe [2006-06-20 286720]
"Lexmark 5400 Series Fax Server"=C:\Program Files\Lexmark 5400 Series\fm3032.exe [2006-07-10 294912]
"EzPrint"=C:\Program Files\Lexmark 5400 Series\ezprint.exe [2006-06-06 98304]
"LXCTCATS"=rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll []
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe [2008-11-08 2468200]
"brastk"=C:\WINDOWS\system32\brastk.exe []
"14a3f3b1"=C:\WINDOWS\system32\ksmlujdb.dll [2008-11-09 70144]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-04-27 282624]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"cdloader"=C:\Documents and Settings\Butterfly\Application Data\mjusbsp\cdloader2.exe MAGICJACK []
"HideMyIP2008"=C:\Program Files\Hide My IP 2008\HideMyIP2008.exe [2008-04-12 913408]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\Dell Support\DSAgnt.exe [2006-08-28 395776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe [2005-11-01 94208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
C:\Program Files\Lexmark 5400 Series\ezprint.exe [2006-06-06 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-07-27 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5400 Series Fax Server]
C:\Program Files\Lexmark 5400 Series\fm3032.exe [2006-07-10 294912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxctmon.exe]
C:\Program Files\Lexmark 5400 Series\lxctmon.exe [2006-06-20 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [2001-08-16 28738]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
C:\Program Files\NetWaiting\netWaiting.exe [2003-09-10 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
C:\Program Files\REGSHAVE\REGSHAVE.EXE [2002-02-04 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
C:\PROGRA~1\DIGITA~1\DLG.exe [2003-10-29 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\wkcalrem.exe [2000-06-29 24633]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
ExifLauncher2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="dbyhlk.dll imqrcf.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2006-07-21 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mlJaBUOe]
C:\WINDOWS\system32\mlJaBUOe.dll [2008-11-08 35328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B0B3393C-62D1-44D8-ABF5-08E0F067F29E}"=C:\WINDOWS\system32\mlJaBUOe.dll [2008-11-08 35328]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\awtSljjK

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\system32\lxctcoms.exe"="C:\WINDOWS\system32\lxctcoms.exe:*:Enabled:Lexmark Communications System"
"C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe"="C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Disabled:America Online 9.0"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Disabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Disabled:AOL"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Documents and Settings\Butterfly\Application Data\mjusbsp\magicJack.exe"="C:\Documents and Settings\Butterfly\Application Data\mjusbsp\magicJack.exe:*:Enabled:magicJack"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{296afdda-4e0a-11dd-88cc-001676baf5ec}]
shell\AutoRun\command - F:\autorun.exe
shell\phone\command - F:\autorun.exe


======File associations======

.js - open - NOTEPAD.EXE %1
.reg - open - NOTEPAD.EXE %1
.scr - open - NOTEPAD.EXE %1
.vbs - open - NOTEPAD.EXE %1

======List of files/folders created in the last 1 months======

2008-11-09 12:29:47 ----D---- C:\rsit
2008-11-09 11:17:39 ----A---- C:\WINDOWS\gmer.ini
2008-11-09 11:17:34 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-11-09 11:17:34 ----A---- C:\WINDOWS\gmer.exe
2008-11-09 11:17:34 ----A---- C:\WINDOWS\gmer.dll
2008-11-09 09:57:56 ----D---- C:\Program Files\gmer
2008-11-09 09:48:31 ----A---- C:\Program Files\RSIT.exe
2008-11-09 09:21:36 ----D---- C:\Program Files\Trend Micro
2008-11-09 09:03:55 ----A---- C:\WINDOWS\system32\imqrcf.dll
2008-11-09 09:03:54 ----A---- C:\WINDOWS\system32\oltrlcte.dll
2008-11-09 09:02:06 ----SH---- C:\WINDOWS\system32\bdjulmsk.ini
2008-11-09 09:02:03 ----A---- C:\WINDOWS\system32\ksmlujdb.dll
2008-11-09 09:00:44 ----ASH---- C:\WINDOWS\system32\KjjlStwa.ini2
2008-11-09 09:00:44 ----ASH---- C:\WINDOWS\system32\KjjlStwa.ini
2008-11-09 09:00:40 ----A---- C:\WINDOWS\system32\awtSljjK.dll
2008-11-08 21:42:45 ----ASH---- C:\WINDOWS\system32\IhPppXyb.ini2
2008-11-08 18:24:06 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-08 18:22:58 ----A---- C:\Program Files\aaw2008.exe
2008-11-08 18:03:06 ----A---- C:\WINDOWS\system32\dbyhlk.dll
2008-11-08 18:03:05 ----A---- C:\WINDOWS\system32\dfdopceg.dll
2008-11-08 17:57:05 ----ASH---- C:\WINDOWS\system32\IhPppXyb.ini
2008-11-08 16:24:21 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-08 16:24:21 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 16:04:12 ----A---- C:\WINDOWS\system32\gyjdxp.dll
2008-11-08 16:04:10 ----A---- C:\WINDOWS\system32\tdqqejgq.dll
2008-11-08 16:03:43 ----A---- C:\WINDOWS\system32\1f8037cf-.txt
2008-11-08 16:02:29 ----ASH---- C:\WINDOWS\system32\uEKnmnmp.ini
2008-11-08 16:02:21 ----A---- C:\Program Files\windows-kb890830-v2.3.exe
2008-11-08 15:54:40 ----A---- C:\WINDOWS\system32\mlJaBUOe.dll
2008-11-08 15:54:40 ----A---- C:\WINDOWS\system32\khfGyxuU.dll
2008-11-08 15:54:40 ----A---- C:\WINDOWS\system32\geBuUkiI.dll
2008-11-08 15:54:40 ----A---- C:\WINDOWS\system32\ddcccaYs.dll
2008-11-08 11:36:29 ----D---- C:\WINDOWS\system32\sX3i19
2008-11-08 11:05:49 ----A---- C:\WINDOWS\system32\lxctvs.dll
2008-11-08 11:05:48 ----A---- C:\WINDOWS\system32\lxctcoin.dll
2008-11-08 11:05:25 ----A---- C:\WINDOWS\system32\lxctcaps.dll
2008-11-08 11:05:24 ----A---- C:\WINDOWS\system32\lxctdrs.dll
2008-11-08 11:05:24 ----A---- C:\WINDOWS\system32\lxctcnv4.dll
2008-11-08 11:04:30 ----A---- C:\WINDOWS\system32\lxctpmrc.dll
2008-11-08 11:04:30 ----A---- C:\WINDOWS\system32\lxctpmon.dll
2008-11-08 11:04:30 ----A---- C:\WINDOWS\system32\LXCTFXPU.DLL
2008-11-08 11:02:28 ----D---- C:\Program Files\Lexmark 5400 Series
2008-11-08 11:02:17 ----A---- C:\WINDOWS\system32\LXCTinst.dll
2008-11-08 11:02:16 ----A---- C:\WINDOWS\system32\lxctinpa.dll
2008-11-08 11:02:16 ----A---- C:\WINDOWS\system32\lxctiesc.dll
2008-11-08 11:02:15 ----A---- C:\WINDOWS\system32\lxctutil.dll
2008-11-08 11:02:15 ----A---- C:\WINDOWS\system32\lxctusb1.dll
2008-11-08 11:02:15 ----A---- C:\WINDOWS\system32\lxctserv.dll
2008-11-08 11:02:14 ----A---- C:\WINDOWS\system32\lxctprox.dll
2008-11-08 11:02:14 ----A---- C:\WINDOWS\system32\lxctpplc.dll
2008-11-08 11:02:14 ----A---- C:\WINDOWS\system32\lxctpmui.dll
2008-11-08 11:02:13 ----A---- C:\WINDOWS\system32\lxctlmpm.dll
2008-11-08 11:02:13 ----A---- C:\WINDOWS\system32\lxctjswr.dll
2008-11-08 11:02:13 ----A---- C:\WINDOWS\system32\lxctinsb.dll
2008-11-08 11:02:12 ----A---- C:\WINDOWS\system32\lxctinsr.dll
2008-11-08 11:02:12 ----A---- C:\WINDOWS\system32\lxctins.dll
2008-11-08 11:02:12 ----A---- C:\WINDOWS\system32\lxctih.exe
2008-11-08 11:02:12 ----A---- C:\WINDOWS\system32\lxcthbn3.dll
2008-11-08 11:02:11 ----A---- C:\WINDOWS\system32\lxctgrd.dll
2008-11-08 11:02:11 ----A---- C:\WINDOWS\system32\lxctgf.dll
2008-11-08 11:02:10 ----A---- C:\WINDOWS\system32\lxctcur.dll
2008-11-08 11:02:10 ----A---- C:\WINDOWS\system32\lxctcub.dll
2008-11-08 11:02:10 ----A---- C:\WINDOWS\system32\lxctcu.dll
2008-11-08 11:02:09 ----A---- C:\WINDOWS\system32\lxctcoms.exe
2008-11-08 11:02:09 ----A---- C:\WINDOWS\system32\lxctcomm.dll
2008-11-08 11:02:09 ----A---- C:\WINDOWS\system32\lxctcomc.dll
2008-11-08 11:02:08 ----A---- C:\WINDOWS\system32\lxctcfg.exe
2008-11-08 11:02:07 ----A---- C:\WINDOWS\system32\LXCTcfg.dll
2008-11-08 08:04:47 ----D---- C:\WINDOWS\Prefetch
2008-11-08 08:00:26 ----A---- C:\WINDOWS\system32\zpeng25.dll
2008-11-08 07:57:10 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-11-08 07:57:03 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-11-08 07:56:55 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-11-08 07:56:48 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-11-08 07:56:38 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-11-08 07:56:31 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-11-08 07:56:24 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-11-08 07:56:17 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-11-08 07:56:09 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-11-08 07:55:58 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-11-08 07:55:47 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2008-11-08 07:55:38 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-11-08 07:55:30 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-11-08 07:55:23 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-11-08 07:55:12 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-11-08 07:55:05 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-11-08 07:50:40 ----D---- C:\WINDOWS\system32\scripting
2008-11-08 07:50:39 ----D---- C:\WINDOWS\system32\en
2008-11-08 07:50:39 ----D---- C:\WINDOWS\system32\bits
2008-11-08 07:50:39 ----D---- C:\WINDOWS\l2schemas
2008-11-08 07:50:39 ----D---- C:\Program Files\msn
2008-11-08 07:48:12 ----D---- C:\WINDOWS\ServicePackFiles
2008-11-08 07:44:36 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2008-11-02 14:03:46 ----A---- C:\WINDOWS\system32\javaws.exe
2008-11-02 14:03:46 ----A---- C:\WINDOWS\system32\javaw.exe
2008-11-02 14:03:46 ----A---- C:\WINDOWS\system32\java.exe
2008-11-02 14:03:46 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-10-27 20:28:03 ----HDC---- C:\WINDOWS\$NtUninstallKB952954_0$
2008-10-27 20:27:57 ----HDC---- C:\WINDOWS\$NtUninstallKB946648_0$
2008-10-27 20:27:51 ----HDC---- C:\WINDOWS\$NtUninstallKB956803_0$
2008-10-27 20:27:45 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-27 20:27:40 ----HDC---- C:\WINDOWS\$NtUninstallKB957095_0$
2008-10-27 20:26:17 ----HDC---- C:\WINDOWS\$NtUninstallKB950974_0$
2008-10-27 20:25:58 ----HDC---- C:\WINDOWS\$NtUninstallKB954211_0$
2008-10-27 20:25:46 ----HDC---- C:\WINDOWS\$NtUninstallKB956841_0$
2008-10-27 20:24:32 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
2008-10-27 20:24:22 ----HDC---- C:\WINDOWS\$NtUninstallKB952287_0$
2008-10-27 20:24:16 ----HDC---- C:\WINDOWS\$NtUninstallKB951066_0$
2008-10-27 20:23:40 ----HDC---- C:\WINDOWS\$NtUninstallKB938464_0$
2008-10-27 20:23:34 ----HDC---- C:\WINDOWS\$NtUninstallKB958644_0$
2008-10-27 20:23:23 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2008-10-27 18:20:58 ----A---- C:\WINDOWS\system32\wlanapi.dll
2008-10-27 18:20:52 ----A---- C:\WINDOWS\system32\tspkg.dll
2008-10-27 18:20:52 ----A---- C:\WINDOWS\system32\tsgqec.dll
2008-10-27 18:20:50 ----A---- C:\WINDOWS\system32\spupdwxp.exe
2008-10-27 18:20:50 ----A---- C:\WINDOWS\system32\spdwnwxp.exe
2008-10-27 18:20:45 ----N---- C:\WINDOWS\slrundll.exe
2008-10-27 18:20:45 ----A---- C:\WINDOWS\system32\slserv.exe
2008-10-27 18:20:45 ----A---- C:\WINDOWS\system32\slrundll.exe
2008-10-27 18:20:45 ----A---- C:\WINDOWS\system32\slgen.dll
2008-10-27 18:20:44 ----A---- C:\WINDOWS\system32\slextspk.dll
2008-10-27 18:20:44 ----A---- C:\WINDOWS\system32\slcoinst.dll
2008-10-27 18:20:43 ----A---- C:\WINDOWS\system32\setupn.exe
2008-10-27 18:20:42 ----A---- C:\WINDOWS\system32\s3gnb.dll
2008-10-27 18:20:42 ----A---- C:\WINDOWS\system32\rhttpaa.dll
2008-10-27 18:20:42 ----A---- C:\WINDOWS\system32\rasqec.dll
2008-10-27 18:20:42 ----A---- C:\WINDOWS\system32\qutil.dll
2008-10-27 18:20:42 ----A---- C:\WINDOWS\system32\qcliprov.dll
2008-10-27 18:20:42 ----A---- C:\WINDOWS\system32\qagentrt.dll
2008-10-27 18:20:42 ----A---- C:\WINDOWS\system32\qagent.dll
2008-10-27 18:20:39 ----A---- C:\WINDOWS\system32\onex.dll
2008-10-27 18:20:36 ----A---- C:\WINDOWS\system32\napstat.exe
2008-10-27 18:20:36 ----A---- C:\WINDOWS\system32\napmontr.dll
2008-10-27 18:20:36 ----A---- C:\WINDOWS\system32\napipsec.dll
2008-10-27 18:20:36 ----A---- C:\WINDOWS\system32\mtxparhd.dll
2008-10-27 18:20:35 ----A---- C:\WINDOWS\system32\msshavmsg.dll
2008-10-27 18:20:35 ----A---- C:\WINDOWS\system32\mssha.dll
2008-10-27 18:20:28 ----A---- C:\WINDOWS\system32\mmcperf.exe
2008-10-27 18:20:28 ----A---- C:\WINDOWS\system32\mmcfxcommon.dll
2008-10-27 18:20:28 ----A---- C:\WINDOWS\system32\mmcex.dll
2008-10-27 18:20:28 ----A---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-10-27 18:20:23 ----A---- C:\WINDOWS\system32\l2gpstore.dll
2008-10-27 18:20:23 ----A---- C:\WINDOWS\system32\kmsvc.dll
2008-10-27 18:20:23 ----A---- C:\WINDOWS\system32\kbdpash.dll
2008-10-27 18:20:23 ----A---- C:\WINDOWS\system32\kbdnepr.dll
2008-10-27 18:20:23 ----A---- C:\WINDOWS\system32\kbdiultn.dll
2008-10-27 18:20:23 ----A---- C:\WINDOWS\system32\kbdbhc.dll
2008-10-27 18:20:17 ----A---- C:\WINDOWS\system32\smtpapi.dll
2008-10-27 18:20:17 ----A---- C:\WINDOWS\system32\rwnh.dll
2008-10-27 18:20:16 ----A---- C:\WINDOWS\system32\comsdupd.exe
2008-10-27 18:20:14 ----A---- C:\WINDOWS\system32\hsfcisp2.dll
2008-10-27 18:20:11 ----A---- C:\WINDOWS\system32\faxpatch.exe
2008-10-27 18:20:10 ----A---- C:\WINDOWS\system32\eapsvc.dll
2008-10-27 18:20:10 ----A---- C:\WINDOWS\system32\eapqec.dll
2008-10-27 18:20:10 ----A---- C:\WINDOWS\system32\eappprxy.dll
2008-10-27 18:20:10 ----A---- C:\WINDOWS\system32\eapphost.dll
2008-10-27 18:20:10 ----A---- C:\WINDOWS\system32\eappgnui.dll
2008-10-27 18:20:10 ----A---- C:\WINDOWS\system32\eappcfg.dll
2008-10-27 18:20:10 ----A---- C:\WINDOWS\system32\eapp3hst.dll
2008-10-27 18:20:10 ----A---- C:\WINDOWS\system32\eapolqec.dll
2008-10-27 18:20:09 ----A---- C:\WINDOWS\system32\dot3ui.dll
2008-10-27 18:20:09 ----A---- C:\WINDOWS\system32\dot3svc.dll
2008-10-27 18:20:09 ----A---- C:\WINDOWS\system32\dot3msm.dll
2008-10-27 18:20:09 ----A---- C:\WINDOWS\system32\dot3gpclnt.dll
2008-10-27 18:20:09 ----A---- C:\WINDOWS\system32\dot3dlg.dll
2008-10-27 18:20:09 ----A---- C:\WINDOWS\system32\dot3cfg.dll
2008-10-27 18:20:09 ----A---- C:\WINDOWS\system32\dot3api.dll
2008-10-27 18:20:08 ----A---- C:\WINDOWS\system32\dimsroam.dll
2008-10-27 18:20:08 ----A---- C:\WINDOWS\system32\dimsntfy.dll
2008-10-27 18:20:08 ----A---- C:\WINDOWS\system32\dhcpqec.dll
2008-10-27 18:20:06 ----A---- C:\WINDOWS\system32\credssp.dll
2008-10-27 18:20:03 ----A---- C:\WINDOWS\system32\bitsprx4.dll
2008-10-27 18:20:03 ----A---- C:\WINDOWS\system32\azroles.dll
2008-10-27 18:20:03 ----A---- C:\WINDOWS\system32\ativvaxx.dll
2008-10-27 18:20:03 ----A---- C:\WINDOWS\system32\ativtmxx.dll
2008-10-27 18:20:02 ----A---- C:\WINDOWS\system32\ati3duag.dll
2008-10-27 18:20:02 ----A---- C:\WINDOWS\system32\ati3d1ag.dll
2008-10-27 18:20:02 ----A---- C:\WINDOWS\system32\ati2dvag.dll
2008-10-27 18:20:02 ----A---- C:\WINDOWS\system32\ati2dvaa.dll
2008-10-27 18:20:02 ----A---- C:\WINDOWS\system32\ati2cqag.dll
2008-10-27 18:20:01 ----A---- C:\WINDOWS\system32\aaclient.dll
2008-10-22 17:02:44 ----D---- C:\Documents and Settings\All Users\Application Data\RLUHVKKCYG
2008-10-19 17:49:05 ----D---- C:\Documents and Settings\All Users\Application Data\XRUHVKKCYG

======List of files/folders modified in the last 1 months======

2008-11-09 12:29:13 ----D---- C:\WINDOWS\Internet Logs
2008-11-09 11:57:51 ----D---- C:\WINDOWS\Temp
2008-11-09 11:56:13 ----D---- C:\Program Files\Lx_cats
2008-11-09 11:55:41 ----A---- C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt
2008-11-09 11:24:07 ----D---- C:\Program Files\Mozilla Firefox
2008-11-09 11:17:39 ----D---- C:\WINDOWS
2008-11-09 11:17:34 ----D---- C:\WINDOWS\system32\drivers
2008-11-09 11:05:33 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-09 09:57:56 ----D---- C:\Program Files
2008-11-09 09:27:14 ----D---- C:\WINDOWS\system32
2008-11-09 09:03:45 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-09 09:01:40 ----A---- C:\rollback.ini
2008-11-08 21:41:50 ----A---- C:\WINDOWS\wininit.ini
2008-11-08 20:49:37 ----D---- C:\WINDOWS\CSC
2008-11-08 18:27:10 ----SHD---- C:\WINDOWS\Installer
2008-11-08 18:27:10 ----SHD---- C:\Config.Msi
2008-11-08 18:24:50 ----D---- C:\Program Files\Lavasoft
2008-11-08 18:24:06 ----D---- C:\Program Files\Common Files
2008-11-08 17:56:07 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-11-08 15:54:53 ----SHD---- C:\WINDOWS\system32\dllcache
2008-11-08 11:36:29 ----D---- C:\Temp
2008-11-08 11:07:25 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-08 11:05:53 ----HD---- C:\WINDOWS\inf
2008-11-08 11:03:14 ----D---- C:\Program Files\Lexmark Toolbar
2008-11-08 0853 ----A---- C:\WINDOWS\OEWABLog.txt
2008-11-08 0850 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-08 0821 ----A---- C:\WINDOWS\setuplog.txt
2008-11-08 08:04:02 ----D---- C:\WINDOWS\system32\ZoneLabs
2008-11-08 08:04:01 ----D---- C:\WINDOWS\system32\wbem
2008-11-08 08:04:01 ----D---- C:\WINDOWS\system32\Setup
2008-11-08 08:04:01 ----D---- C:\WINDOWS\AppPatch
2008-11-08 08:04:00 ----RSD---- C:\WINDOWS\Fonts
2008-11-08 08:00:54 ----D---- C:\WINDOWS\security
2008-11-08 07:55:15 ----D---- C:\Program Files\Messenger
2008-11-08 07:51:11 ----D---- C:\WINDOWS\WinSxS
2008-11-08 07:50:48 ----D---- C:\WINDOWS\system32\inetsrv
2008-11-08 07:50:48 ----D---- C:\WINDOWS\network diagnostic
2008-11-08 07:50:48 ----D---- C:\WINDOWS\ime
2008-11-08 07:50:48 ----D---- C:\WINDOWS\Help
2008-11-08 07:50:41 ----D---- C:\WINDOWS\system32\usmt
2008-11-08 07:50:41 ----D---- C:\WINDOWS\system32\en-US
2008-11-08 07:50:39 ----D---- C:\WINDOWS\PeerNet
2008-11-08 07:50:39 ----D---- C:\Program Files\Movie Maker
2008-11-08 07:48:04 ----D---- C:\WINDOWS\system32\Restore
2008-11-08 07:48:04 ----D---- C:\WINDOWS\system32\npp
2008-11-08 07:48:04 ----D---- C:\WINDOWS\mui
2008-11-08 07:48:03 ----D---- C:\WINDOWS\msagent
2008-11-08 07:48:02 ----D---- C:\WINDOWS\srchasst
2008-11-08 07:48:01 ----D---- C:\WINDOWS\system32\Com
2008-11-08 07:48:01 ----D---- C:\Program Files\NetMeeting
2008-11-08 07:47:59 ----D---- C:\Program Files\Windows Media Player
2008-11-08 07:47:58 ----D---- C:\Program Files\Windows NT
2008-11-08 07:47:58 ----D---- C:\Program Files\Outlook Express
2008-11-08 07:47:56 ----D---- C:\Program Files\Common Files\System
2008-11-08 07:47:46 ----D---- C:\WINDOWS\system32\oobe
2008-11-08 07:47:44 ----D---- C:\WINDOWS\system
2008-11-08 07:45:55 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-11-08 07:44:34 ----D---- C:\WINDOWS\ehome
2008-11-06 07:47:26 ----D---- C:\Program Files\BadgeHelp
2008-11-02 14:04:09 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-02 14:03:24 ----D---- C:\Program Files\Java
2008-11-01 20:18:32 ----A---- C:\SearchLine.Txt
2008-10-30 07:07:09 ----D---- C:\Program Files\NetExchange Pro3.0
2008-10-27 20:27:55 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-27 20:27:29 ----D---- C:\Program Files\Internet Explorer
2008-10-27 20:27:23 ----D---- C:\WINDOWS\ie7updates
2008-10-27 20:27:05 ----A---- C:\WINDOWS\win.ini
2008-10-27 20:23:48 ----HDC---- C:\WINDOWS\$NtUninstallKB951748_0$
2008-10-27 17:57:27 ----D---- C:\WINDOWS\Debug
2008-10-15 11:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-08-25 5628]
R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-08-25 22684]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 KLIF;KLIF; C:\WINDOWS\system32\DRIVERS\klif.sys [2008-09-18 148496]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2008-10-09 353680]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2005-09-08 25628]
R2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2005-09-08 2496]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2005-09-08 86524]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2005-09-08 14684]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2005-09-08 6364]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2005-09-08 87036]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2005-09-08 94332]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-08-12 40544]
R2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [2007-04-17 8413]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter; \??\C:\WINDOWS\system32\drivers\NSDriver.sys []
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2006-07-19 230400]
R3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-11-09 85969]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS [2005-03-17 1033600]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2005-03-17 165504]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2006-07-21 1095968]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 pfc;Padus ASPI Shell; \??\C:\WINDOWS\system32\drivers\pfc.sys []
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2006-07-24 1156648]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-03-17 705280]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 DSproct;DSproct; \??\C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys []
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 hamachi_oem;PlayLinc Adapter; C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-09-27 10664]
S3 LMouKE;Logitech SetPoint Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouKE.Sys []
S3 MREMPR5;MREMPR5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS []
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS []
S3 NAL;Nal Service ; \??\C:\WINDOWS\system32\Drivers\iqvw32.sys []
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 TSP;TSP; \??\C:\WINDOWS\system32\drivers\klif.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter; \??\C:\WINDOWS\system32\drivers\AWRTRD.sys []
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 atapi;Standard IDE/ESDI Hard Disk Controller; C:\WINDOWS\system32\DRIVERS\atapi.sys [2008-04-13 96512]
S4 BCSWAP;BCSWAP; \??\C:\WINDOWS\system32\drivers\BCSWAP.sys []
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-11-08 611664]
R2 IAANTMON;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2006-07-06 90112]
R2 ioloFileInfoList;iolo FileInfoList Service; C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 566120]
R2 ioloSystemService;iolo System Service; C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 566120]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-02 152984]
R2 lxct_device;lxct_device; C:\WINDOWS\system32\lxctcoms.exe [2006-07-13 528384]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 SiteAdvisor Service;SiteAdvisor Service; C:\Program Files\SiteAdvisor\6261\SAService.exe [2008-05-22 345376]
R2 UTSCSI;CLCV0; C:\WINDOWS\system32\UTSCSI.EXE [2008-07-13 45056]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2008-10-09 2405776]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 SecureSrv;SecureSrv; C:\Program Files\Hide My IP 2008\SecureSrv.exe [2008-09-05 110880]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]

-----------------EOF-----------------
Old 11-11-2008, 12:37 PM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 8,661
OS: XP SP3


Re: I also have the "unsolicited browser pops" problem. Tks

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.


------------------------------------------------------

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  • Double-click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

Please close HijackThis now.

------------------------------------------------------

Please post the following in your next reply:

ComboFix.txt
new HijackThis log


If you have any questions along the way...STOP and ask them before proceeding.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 11-11-2008, 05:51 PM   #3 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 5
OS: windowsXP


Re: I also have the "unsolicited browser pops" problem. Tks

Tks.
They look a little bit cleaner.



COMBO FIX LOG

ComboFix 08-11-10.01 - Butterfly 2008-11-11 20:37:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1033.18.1441 [GMT -5:00]
Executando de: c:\documents and settings\Butterfly\Desktop\ComboFix.exe
* Criado um novo ponto de restauro
.

(((((((((((((((( Arquivos/Ficheiros criados de 2008-10-12 to 2008-11-12 ))))))))))))))))))))))))))))
.

2008-11-11 20:18 . 2008-11-11 20:18 <DIR> d-------- c:\windows\LastGood
2008-11-10 18:55 . 2008-11-10 19:29 <DIR> d-------- c:\documents and settings\Butterfly\.housecall6.6
2008-11-09 17:50 . 2008-11-09 17:50 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-11-09 14:59 . 2008-11-09 15:00 3,043,976 -ra------ c:\program files\ComboFix.exe
2008-11-09 12:29 . 2008-11-09 12:31 <DIR> d-------- C:\rsit
2008-11-09 11:17 . 2008-11-09 11:56 250 --a------ c:\windows\gmer.ini
2008-11-09 09:57 . 2008-11-09 09:57 <DIR> d-------- c:\program files\gmer
2008-11-09 09:56 . 2008-11-09 09:57 747,873 --a------ c:\program files\gmer.zip
2008-11-09 09:48 . 2008-11-09 09:48 305,705 --a------ c:\program files\RSIT.exe
2008-11-09 09:21 . 2008-11-09 09:21 <DIR> d-------- c:\program files\Trend Micro
2008-11-08 18:24 . 2008-11-08 18:24 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-08 18:22 . 2008-11-08 18:23 19,153,264 --a------ c:\program files\aaw2008.exe
2008-11-08 16:24 . 2008-11-09 11:06 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-08 16:24 . 2008-11-09 09:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 16:02 . 2008-11-08 16:19 7,478,208 --a------ c:\program files\windows-kb890830-v2.3.exe
2008-11-08 16:02 . 2008-11-08 16:50 1,892 --ahs---- c:\windows\system32\uEKnmnmp.ini
2008-11-08 11:36 . 2008-11-08 11:36 <DIR> d-------- c:\windows\system32\sX3i19
2008-11-08 11:36 . 2008-11-08 11:36 <DIR> d-------- c:\temp\PRE45
2008-11-08 11:05 . 2006-06-20 08:40 692,224 --a------ c:\windows\system32\lxctdrs.dll
2008-11-08 11:05 . 2006-07-11 13:54 335,872 --a------ c:\windows\system32\lxctcoin.dll
2008-11-08 11:05 . 2006-05-18 06:01 65,536 --a------ c:\windows\system32\lxctcaps.dll
2008-11-08 11:05 . 2006-05-03 09:31 61,440 --a------ c:\windows\system32\lxctcnv4.dll
2008-11-08 11:05 . 2005-06-23 21:37 40,960 --a------ c:\windows\system32\lxctvs.dll
2008-11-08 11:04 . 2006-07-10 18:34 40,960 --a------ c:\windows\system32\lxctpmon.dll
2008-11-08 11:04 . 2006-07-10 18:34 32,768 --a------ c:\windows\system32\LXCTFXPU.DLL
2008-11-08 11:04 . 2006-07-10 18:36 12,288 --a------ c:\windows\system32\lxctpmrc.dll
2008-11-08 11:02 . 2008-11-08 11:05 <DIR> d-------- c:\program files\Lexmark 5400 Series
2008-11-08 08:00 . 2008-10-09 14:25 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2008-11-08 07:50 . 2008-11-08 07:50 <DIR> d-------- c:\windows\system32\scripting
2008-11-08 07:50 . 2008-11-08 07:50 <DIR> d-------- c:\windows\system32\en
2008-11-08 07:50 . 2008-11-08 07:50 <DIR> d-------- c:\windows\system32\bits
2008-11-08 07:50 . 2008-11-08 07:50 <DIR> d-------- c:\windows\l2schemas
2008-11-08 07:48 . 2008-11-08 07:50 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-02 14:03 . 2008-11-02 14:03 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-02 14:03 . 2008-11-02 14:03 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-27 17:55 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-27 17:51 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-27 17:51 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-27 17:51 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-27 17:51 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-27 17:51 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-27 17:46 . 2008-05-01 09:33 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2008-10-27 17:45 . 2008-04-11 14:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-10-27 17:43 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-22 20:16 . 2008-11-09 09:06 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-22 20:16 . 2008-10-22 20:16 1,409 --a------ c:\windows\QTFont.for
2008-10-22 17:02 . 2008-10-22 17:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\RLUHVKKCYG
2008-10-19 17:49 . 2008-10-19 17:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\XRUHVKKCYG

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 01:40 172,146,720 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-12 00:26 --------- d-----w c:\program files\Lx_cats
2008-11-11 13:33 2,286,044 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-08 23:24 --------- d-----w c:\program files\Lavasoft
2008-11-08 22:56 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-08 16:03 --------- d-----w c:\program files\Lexmark Toolbar
2008-11-06 12:47 --------- d-----w c:\program files\BadgeHelp
2008-11-02 19:03 --------- d-----w c:\program files\Java
2008-10-30 12:07 --------- d-----w c:\program files\NetExchange Pro3.0
2008-10-20 03:11 387 ----a-w C:\Board.Dat
2008-10-09 19:25 73,104 ----a-w c:\windows\zllsputility.exe
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-10-02 00:03 --------- d-----w c:\program files\activePDF
2008-09-27 16:11 --------- d-----w c:\program files\FinePixViewer
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-06 21:30 1,201,351 ----a-w c:\program files\hidemyip.exe
2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
2008-08-30 05:53 151,552 ----a-w c:\windows\system32\securenet.dll
2008-08-27 08:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-07-10 23:48 27,579,280 ----a-w c:\program files\zaAvSetup_70_483_000_en.exe
2008-07-06 20:52 214,430 ----a-w c:\program files\handytweakers.zip
2008-05-29 00:22 5,452,082 ----a-w c:\program files\K-Meleon1.1.5en-US.exe
2008-04-18 22:53 210,416 ----a-w c:\program files\zaavSetup_en.exe
2008-02-13 02:57 2,869,264 ----a-w c:\program files\dotNetFx35setup.exe
2008-01-12 22:09 21,216,112 ----a-w c:\program files\aaw2007.exe
2007-05-11 19:31 6,006,832 ----a-w c:\program files\Firefox Setup 2.0.0.3.exe
2007-04-09 21:51 900,168 ----a-w c:\program files\pi19299.exe
2007-04-03 20:23 454,381 ----a-w c:\program files\pipe.rar
2007-03-28 21:26 5,696,136 ----a-w c:\program files\R143248.EXE
2007-03-10 00:39 16,918,488 ----a-w c:\program files\SystemMechanic7.exe
2007-04-01 19:07 88 --sha-r c:\windows\system32\03C2D086F5.sys
2007-04-01 19:09 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-09_16.19.46.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-12 22:36:22 29,926 ----a-r c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
+ 2008-11-11 01:32:09 29,926 ----a-r c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
- 2008-04-14 00:12:15 139,264 ----a-w c:\windows\system32\cscript.exe
+ 2008-05-07 09:07:23 135,168 ----a-w c:\windows\system32\cscript.exe
+ 2008-05-07 09:07:23 135,168 ------w c:\windows\system32\dllcache\cscript.exe
+ 2008-05-09 10:53:39 512,000 ------w c:\windows\system32\dllcache\jscript.dll
+ 2008-05-09 10:53:39 180,224 ------w c:\windows\system32\dllcache\scrobj.dll
+ 2008-05-09 10:53:40 172,032 ------w c:\windows\system32\dllcache\scrrun.dll
+ 2008-05-09 10:53:40 430,080 ------w c:\windows\system32\dllcache\vbscript.dll
+ 2008-05-08 11:24:44 155,648 ------w c:\windows\system32\dllcache\wscript.exe
+ 2008-05-09 10:53:40 90,112 ------w c:\windows\system32\dllcache\wshext.dll
- 2008-04-14 00:11:56 512,000 ----a-w c:\windows\system32\jscript.dll
+ 2008-05-09 10:53:39 512,000 ----a-w c:\windows\system32\jscript.dll
- 2007-04-24 15:32:06 1,485,696 ----a-w c:\windows\system32\LegitCheckControl.DLL
+ 2008-09-06 04:30:06 1,480,232 ----a-w c:\windows\system32\LegitCheckControl.dll
- 2008-04-14 00:12:05 180,224 ----a-w c:\windows\system32\scrobj.dll
+ 2008-05-09 10:53:39 180,224 ----a-w c:\windows\system32\scrobj.dll
- 2008-04-14 00:12:05 172,032 ----a-w c:\windows\system32\scrrun.dll
+ 2008-05-09 10:53:40 172,032 ----a-w c:\windows\system32\scrrun.dll
- 2007-11-30 11:18:51 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
- 2008-04-14 00:12:08 434,176 ----a-w c:\windows\system32\vbscript.dll
+ 2008-05-09 10:53:40 430,080 ----a-w c:\windows\system32\vbscript.dll
- 2007-03-15 22:16:42 236,928 ----a-w c:\windows\system32\WgaLogon.dll
+ 2008-09-06 04:30:42 241,704 ----a-w c:\windows\system32\WgaLogon.dll
- 2007-03-15 22:17:08 336,768 ----a-w c:\windows\system32\WgaTray.exe
+ 2008-09-06 04:29:58 917,032 ----a-w c:\windows\system32\WgaTray.exe
- 2008-04-14 00:12:41 155,648 ----a-w c:\windows\system32\wscript.exe
+ 2008-05-08 11:24:44 155,648 ----a-w c:\windows\system32\wscript.exe
- 2008-04-14 00:12:10 90,112 ----a-w c:\windows\system32\wshext.dll
+ 2008-05-09 10:53:40 90,112 ----a-w c:\windows\system32\wshext.dll
- 2008-11-09 21:09:38 645,832 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-11-12 01:36:34 649,640 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-11-12 00:25:48 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_3f0.dat
+ 2008-11-12 00:38:35 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7f0.dat
.
-- Snapshot resetado para data atual --
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-06-24 303104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 1 (0x1)
"Btn_Back"= 2 (0x2)
"Btn_Forward"= 2 (0x2)
"Btn_Stop"= 2 (0x2)
"Btn_Refresh"= 2 (0x2)
"Btn_Home"= 2 (0x2)
"Btn_Search"= 2 (0x2)
"Btn_Favorites"= 2 (0x2)
"Btn_History"= 2 (0x2)
"Btn_Folders"= 2 (0x2)
"Btn_Fullscreen"= 2 (0x2)
"Btn_Tools"= 2 (0x2)
"Btn_MailNews"= 2 (0x2)
"Btn_Size"= 2 (0x2)
"Btn_Print"= 2 (0x2)
"Btn_Edit"= 2 (0x2)
"Btn_Discussions"= 2 (0x2)
"Btn_Cut"= 2 (0x2)
"Btn_Copy"= 2 (0x2)
"Btn_Paste"= 2 (0x2)
"Btn_Encoding"= 2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dbyhlk.dll imqrcf.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 22:57 395776 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-11-01 04:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2006-06-06 22:05 98304 c:\program files\Lexmark 5400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 17:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 17:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5400 Series Fax Server]
--a------ 2006-07-10 18:30 294912 c:\program files\Lexmark 5400 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxctmon.exe]
--a------ 2006-06-20 08:37 286720 c:\program files\Lexmark 5400 Series\lxctmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2001-08-16 22:41 28738 c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 03:24 20480 c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--------- 2002-02-04 21:32 53248 c:\program files\REGSHAVE\REGSHAVE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\lxctcoms.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 566120]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 566120]
R3 SecureSrv;SecureSrv;c:\program files\Hide My IP 2008\SecureSrv.exe [2008-09-05 110880]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-09-27 10664]
S3 NAL;Nal Service ;c:\windows\system32\Drivers\iqvw32.sys [2006-06-05 24064]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSWAP.sys [2007-01-16 91496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{296afdda-4e0a-11dd-88cc-001676baf5ec}]
\Shell\AutoRun\command - F:\autorun.exe
\Shell\phone\command - F:\autorun.exe

*Newly Created Service* - AD-WATCH_REAL-TIME_SCANNER
*Newly Created Service* - AD-WATCH_REGISTRY_FILTER
.
- - - - ORFÃOS REMOVIDOS - - - -

Notify-WgaLogon - (no file)


.
------- Scan Suplementar -------
.
FireFox -: Profile - c:\documents and settings\Butterfly\Application Data\Mozilla\Firefox\Profiles\n5ta2hek.default\
.
.
------- Associação de arquivos/ficheiros -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 20:40:34
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...


**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

PROCESSOS: c:\windows\system32\lsass.exe
-> c:\windows\system32\securenet.dll
.
Tempo para conclusão: 2008-11-11 20:44:55
ComboFix-quarantined-files.txt 2008-11-12 01:43:52
ComboFix2.txt 2008-11-09 21:21:55

Pré-execução: 287,046,221,824 bytes free
Pós execução: 287,061,291,008 bytes free

263 --- E O F --- 2008-11-11 0153

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:32 PM, on 11/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Hide My IP 2008\SecureSrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hide My IP 2008\HideMyIP2008.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O9 - Extra button: Internet Radio by Endicosoft.com - {1F958B09-3312-7f0e-9723-4C1324C57B20} - C:\Program Files\Internet Radio\Radio.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSC...ws-i586-jc.cab
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79F95549-09CA-48E7-B953-4E1A71AB9071}: NameServer = 209.84.253.11,209.84.253.12
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O20 - AppInit_DLLs: dbyhlk.dll imqrcf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: SecureSrv - Unknown owner - C:\Program Files\Hide My IP 2008\SecureSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5564 bytes
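A small triage pass over HijackThis-style log entries, added here as an example (it is not part of HijackThis, ComboFix or this thread): it parses the `Oxx - ...` line format and flags the entry types a helper looks at first. The sample lines are constructed to mirror the shapes in the log above, reusing the DLL, CLSID and DNS-server values shown there; the rules and their wording are the example's own.

```python
"""Triage pass over HijackThis-style log entries.

Added example for this thread; not part of HijackThis, ComboFix or the forum's
tools. It reads the 'Oxx - ...' lines HijackThis writes and flags the entry
types a helper normally inspects first. SAMPLE_LOG is constructed to mirror the
entry shapes in the posted log (the DLL, CLSID and server values are the ones
the log shows); everything else here is the example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the HijackThis line format (raw string: backslashes are literal).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{79F95549-09CA-48E7-B953-4E1A71AB9071}: NameServer = 209.84.253.11,209.84.253.12
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O20 - AppInit_DLLs: dbyhlk.dll imqrcf.dll
O23 - Service: SecureSrv - Unknown owner - C:\Program Files\Hide My IP 2008\SecureSrv.exe
"""

# "O20 - body": section code, separator, rest of the entry.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section code, e.g. "O20"
    item: str    # the concrete thing to inspect (DLL, CLSID, path, server list)
    reason: str  # why a helper looks at it


def parse_entries(text):
    """Yield (code, body) for every HijackThis entry line; process lists etc. are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    """Return the entries worth a closer look, in log order."""
    findings = []
    seen_lsp = set()
    for code, body in parse_entries(text):
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that maps user32.dll; on a
            # clean XP system the value is normally empty, so each name is a lead.
            for dll in body.split(":", 1)[1].split():
                findings.append(Finding(code, dll, "DLL injected into every GUI process via AppInit_DLLs"))
        elif code == "O10":
            # One LSP DLL is listed once per Winsock protocol entry it hooks; report it once.
            path = body.split(": ", 1)[1].strip().lower()
            if path not in seen_lsp:
                seen_lsp.add(path)
                findings.append(Finding(code, path, "unrecognised Winsock LSP; sits in the path of all socket traffic"))
        elif code == "O2" and ("(no name)" in body or "(no file)" in body):
            # A BHO with no name or missing file is either an orphan or hiding its binary.
            m = CLSID_RE.search(body)
            findings.append(Finding(code, m.group(0) if m else body, "BHO with no name or no file on disk"))
        elif code == "O18" and body.startswith("Protocol hijack:"):
            findings.append(Finding(code, body.split(": ", 1)[1], "custom URL protocol handler registered"))
        elif code == "O17" and "NameServer = " in body:
            # Per-adapter DNS servers cannot be judged offline, so surface them for verification.
            findings.append(Finding(code, body.split("NameServer = ", 1)[1], "DNS servers set per adapter; confirm they are the ISP's"))
        elif code == "O23" and "Unknown owner" in body:
            findings.append(Finding(code, body.split(" - ")[-1], "service binary without publisher information"))
    return findings


def summarize(findings):
    """Count findings per section code, e.g. {'O20': 2, 'O10': 1}."""
    return dict(Counter(f.code for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.item}\n     {f.reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

Running it against a saved HijackThis log (read the file and pass its text to `triage`) gives a short worklist rather than a verdict; every flagged item still needs the file, CLSID or server checked by hand.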
Old 11-11-2008, 06:19 PM   #4 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 8,661
OS: XP SP3


Re: I also have the "unsolicited browser pops" problem. Tks

It appears that you ran ComboFix twice.

Go Start > Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\ComboFix2.txt

Please post the ComboFix2.txt in your next reply.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 11-12-2008, 03:45 PM   #5 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 5
OS: windowsXP


Re: I also have the "unsolicited browser pops" problem. Tks

Trying again...
Tks



ComboFix 08-11-09.01 - Butterfly 2008-11-09 16:05:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1033.18.1403 [GMT -5:00]
Executando de: c:\documents and settings\Butterfly\Desktop\ComboFix.exe
* Criado um novo ponto de restauro
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Butterfly\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\awtSljjK.dll
c:\windows\system32\bdjulmsk.ini
c:\windows\system32\bszip.dll
c:\windows\system32\dbyhlk.dll
c:\windows\system32\ddcccaYs.dll
c:\windows\system32\dfdopceg.dll
c:\windows\system32\geBuUkiI.dll
c:\windows\system32\gyjdxp.dll
c:\windows\system32\IhPppXyb.ini
c:\windows\system32\IhPppXyb.ini2
c:\windows\system32\imqrcf.dll
c:\windows\system32\khfGyxuU.dll
c:\windows\system32\KjjlStwa.ini
c:\windows\system32\KjjlStwa.ini2
c:\windows\system32\ksmlujdb.dll
c:\windows\system32\mlJaBUOe.dll
c:\windows\system32\MSINET.oca
c:\windows\system32\oltrlcte.dll
c:\windows\system32\tdqqejgq.dll
c:\windows\system32\x64
c:\windows\wiaserviv.log

.
(((((((((((((((( Arquivos/Ficheiros criados de 2008-10-09 to 2008-11-09 ))))))))))))))))))))))))))))
.

2008-11-09 14:59 . 2008-11-09 15:00 3,043,976 -ra------ c:\program files\ComboFix.exe
2008-11-09 12:29 . 2008-11-09 12:31 <DIR> d-------- C:\rsit
2008-11-09 11:17 . 2008-11-09 11:56 250 --a------ c:\windows\gmer.ini
2008-11-09 09:57 . 2008-11-09 09:57 <DIR> d-------- c:\program files\gmer
2008-11-09 09:56 . 2008-11-09 09:57 747,873 --a------ c:\program files\gmer.zip
2008-11-09 09:48 . 2008-11-09 09:48 305,705 --a------ c:\program files\RSIT.exe
2008-11-09 09:21 . 2008-11-09 09:21 <DIR> d-------- c:\program files\Trend Micro
2008-11-08 18:24 . 2008-11-08 18:24 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-08 18:22 . 2008-11-08 18:23 19,153,264 --a------ c:\program files\aaw2008.exe
2008-11-08 16:24 . 2008-11-09 11:06 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-08 16:24 . 2008-11-09 09:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 16:02 . 2008-11-08 16:19 7,478,208 --a------ c:\program files\windows-kb890830-v2.3.exe
2008-11-08 16:02 . 2008-11-08 16:50 1,892 --ahs---- c:\windows\system32\uEKnmnmp.ini
2008-11-08 11:36 . 2008-11-08 11:36 <DIR> d-------- c:\windows\system32\sX3i19
2008-11-08 11:36 . 2008-11-08 11:36 <DIR> d-------- c:\temp\PRE45
2008-11-08 11:05 . 2006-06-20 08:40 692,224 --a------ c:\windows\system32\lxctdrs.dll
2008-11-08 11:05 . 2006-07-11 13:54 335,872 --a------ c:\windows\system32\lxctcoin.dll
2008-11-08 11:05 . 2006-05-18 06:01 65,536 --a------ c:\windows\system32\lxctcaps.dll
2008-11-08 11:05 . 2006-05-03 09:31 61,440 --a------ c:\windows\system32\lxctcnv4.dll
2008-11-08 11:05 . 2005-06-23 21:37 40,960 --a------ c:\windows\system32\lxctvs.dll
2008-11-08 11:04 . 2006-07-10 18:34 40,960 --a------ c:\windows\system32\lxctpmon.dll
2008-11-08 11:04 . 2006-07-10 18:34 32,768 --a------ c:\windows\system32\LXCTFXPU.DLL
2008-11-08 11:04 . 2006-07-10 18:36 12,288 --a------ c:\windows\system32\lxctpmrc.dll
2008-11-08 11:02 . 2008-11-08 11:05 <DIR> d-------- c:\program files\Lexmark 5400 Series
2008-11-08 08:00 . 2008-10-09 14:25 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2008-11-08 07:50 . 2008-11-08 07:50 <DIR> d-------- c:\windows\system32\scripting
2008-11-08 07:50 . 2008-11-08 07:50 <DIR> d-------- c:\windows\system32\en
2008-11-08 07:50 . 2008-11-08 07:50 <DIR> d-------- c:\windows\system32\bits
2008-11-08 07:50 . 2008-11-08 07:50 <DIR> d-------- c:\windows\l2schemas
2008-11-08 07:48 . 2008-11-08 07:50 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-02 14:03 . 2008-11-02 14:03 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-02 14:03 . 2008-11-02 14:03 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-27 17:55 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-27 17:51 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-27 17:51 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-27 17:51 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-27 17:51 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-27 17:51 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-27 17:46 . 2008-05-01 09:33 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2008-10-27 17:45 . 2008-04-11 14:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-10-27 17:43 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-22 20:16 . 2008-11-09 09:06 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-22 20:16 . 2008-10-22 20:16 1,409 --a------ c:\windows\QTFont.for
2008-10-22 17:02 . 2008-10-22 17:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\RLUHVKKCYG
2008-10-19 17:49 . 2008-10-19 17:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\XRUHVKKCYG

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-09 21:14 166,157,856 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-09 21:10 --------- d-----w c:\program files\Lx_cats
2008-11-09 21:08 2,222,876 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-08 23:24 --------- d-----w c:\program files\Lavasoft
2008-11-08 22:56 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-08 16:03 --------- d-----w c:\program files\Lexmark Toolbar
2008-11-06 12:47 --------- d-----w c:\program files\BadgeHelp
2008-11-02 19:03 --------- d-----w c:\program files\Java
2008-10-30 12:07 --------- d-----w c:\program files\NetExchange Pro3.0
2008-10-20 03:11 387 ----a-w C:\Board.Dat
2008-10-09 19:25 73,104 ----a-w c:\windows\zllsputility.exe
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-10-02 00:03 --------- d-----w c:\program files\activePDF
2008-09-27 16:11 --------- d-----w c:\program files\FinePixViewer
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-06 21:30 1,201,351 ----a-w c:\program files\hidemyip.exe
2008-08-30 05:53 151,552 ----a-w c:\windows\system32\securenet.dll
2008-08-27 08:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-07-10 23:48 27,579,280 ----a-w c:\program files\zaAvSetup_70_483_000_en.exe
2008-07-06 20:52 214,430 ----a-w c:\program files\handytweakers.zip
2008-05-29 00:22 5,452,082 ----a-w c:\program files\K-Meleon1.1.5en-US.exe
2008-04-18 22:53 210,416 ----a-w c:\program files\zaavSetup_en.exe
2008-02-13 02:57 2,869,264 ----a-w c:\program files\dotNetFx35setup.exe
2008-01-12 22:09 21,216,112 ----a-w c:\program files\aaw2007.exe
2007-05-11 19:31 6,006,832 ----a-w c:\program files\Firefox Setup 2.0.0.3.exe
2007-04-09 21:51 900,168 ----a-w c:\program files\pi19299.exe
2007-04-03 20:23 454,381 ----a-w c:\program files\pipe.rar
2007-03-28 21:26 5,696,136 ----a-w c:\program files\R143248.EXE
2007-03-10 00:39 16,918,488 ----a-w c:\program files\SystemMechanic7.exe
2007-04-01 19:07 88 --sha-r c:\windows\system32\03C2D086F5.sys
2007-04-01 19:09 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"HideMyIP2008"="c:\program files\Hide My IP 2008\HideMyIP2008.exe" [2008-04-12 913408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-05-06 764776]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-21 185896]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"lxctmon.exe"="c:\program files\Lexmark 5400 Series\lxctmon.exe" [2006-06-20 286720]
"Lexmark 5400 Series Fax Server"="c:\program files\Lexmark 5400 Series\fm3032.exe" [2006-07-10 294912]
"EzPrint"="c:\program files\Lexmark 5400 Series\ezprint.exe" [2006-06-06 98304]
"LXCTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-06-07 106496]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\Ad-Watch.exe" [2008-11-08 2468200]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-06-24 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dbyhlk.dll imqrcf.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 22:57 395776 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-11-01 04:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2006-06-06 22:05 98304 c:\program files\Lexmark 5400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 17:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 17:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5400 Series Fax Server]
--a------ 2006-07-10 18:30 294912 c:\program files\Lexmark 5400 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxctmon.exe]
--a------ 2006-06-20 08:37 286720 c:\program files\Lexmark 5400 Series\lxctmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2001-08-16 22:41 28738 c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 03:24 20480 c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--------- 2002-02-04 21:32 53248 c:\program files\REGSHAVE\REGSHAVE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\lxctcoms.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\system32\\sessmgr.exe"=

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 566120]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 566120]
R3 SecureSrv;SecureSrv;c:\program files\Hide My IP 2008\SecureSrv.exe [2008-09-05 110880]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-09-27 10664]
S3 NAL;Nal Service ;c:\windows\system32\Drivers\iqvw32.sys [2006-06-05 24064]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSWAP.sys [2007-01-16 91496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{296afdda-4e0a-11dd-88cc-001676baf5ec}]
\Shell\AutoRun\command - F:\autorun.exe
\Shell\phone\command - F:\autorun.exe
.
- - - - ORFÃOS REMOVIDOS - - - -

BHO-{B0B3393C-62D1-44D8-ABF5-08E0F067F29E} - c:\windows\system32\mlJaBUOe.dll
BHO-{E20DF4ED-4254-44D6-BDC1-4D4861DC83D3} - c:\windows\system32\awtSljjK.dll
HKCU-Run-cdloader - c:\documents and settings\Butterfly\Application Data\mjusbsp\cdloader2.exe
HKCU-Run-brastk - c:\windows\system32\brastk.exe
HKLM-Run-SiteAdvisor - c:\program files\SiteAdvisor\6172\SiteAdv.exe
HKLM-Run-14a3f3b1 - c:\windows\system32\ksmlujdb.dll
HKLM-Run-Logitech Hardware Abstraction Layer - KHALMNPR.EXE
ShellExecuteHooks-{B0B3393C-62D1-44D8-ABF5-08E0F067F29E} - c:\windows\system32\mlJaBUOe.dll


.
------- Scan Suplementar -------
.
FireFox -: Profile - c:\documents and settings\Butterfly\Application Data\Mozilla\Firefox\Profiles\n5ta2hek.default\
.
.
------- Associação de arquivos/ficheiros -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 16:11:49
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...


**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

PROCESSOS: c:\windows\system32\lsass.exe
-> c:\windows\system32\securenet.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\ZoneLabs\avsys\ScanningProcess.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ZoneLabs\avsys\ScanningProcess.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxctcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\SiteAdvisor\6261\SAService.exe
c:\windows\system32\UTSCSI.EXE
.
**************************************************************************
.
Tempo para conclusão: 2008-11-09 16:21:52 - Máquina reiniciou [Butterfly]
ComboFix-quarantined-files.txt 2008-11-09 21:20:44

Pré-execução: 287,602,909,184 bytes free
Pós execução: 287,504,506,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

267 --- E O F --- 2008-11-08 12:57:15
foreverhappy is offline  
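A triage helper for the registry load-point section of ComboFix logs like the one posted above, written as an added example for this thread (it is not ComboFix's or the forum's code): it flags the populated AppInit_DLLs value, the Security Center notifications that were switched off, the disabled firewall profile and the MountPoints2 autorun handlers that the log shows. The rule names, the regexes and the sample excerpt are this example's own assumptions.

```python
"""Triage the registry load-point section of a ComboFix log.

Added example (not ComboFix's or the forum's own code). It flags the four
persistence / defence-weakening patterns visible in the log posted above:
a populated AppInit_DLLs value, Security Center notifications turned off,
the Windows Firewall standard profile disabled, and MountPoints2 autorun
handlers. Rule names, regexes and the sample excerpt are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt modelled on the first ComboFix log in the thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dbyhlk.dll imqrcf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{296afdda-4e0a-11dd-88cc-001676baf5ec}]
\Shell\AutoRun\command - F:\autorun.exe
\Shell\phone\command - F:\autorun.exe
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule id (this example's own names)
    key: str     # registry key the entry sits under
    detail: str  # what was found


# '"Name"=value' lines as ComboFix prints them
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# '\Shell\<verb>\command - <target>' lines under a MountPoints2 key
MOUNTPOINT_RE = re.compile(r'^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<target>.+)$')


def parse_dword(value: str) -> Optional[int]:
    """Parse ComboFix's two numeric styles: 'dword:00000001' and '0 (0x0)'."""
    v = value.strip().lower()
    if v.startswith("dword:"):
        return int(v[len("dword:"):], 16)
    head = v.split()[0] if v.split() else ""
    return int(head) if re.fullmatch(r"\d+", head) else None


def triage(log_text: str) -> list[Finding]:
    """Walk the REGEDIT4-style section and return the suspicious entries."""
    findings: list[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new registry key; its values follow
            continue
        lkey = key.lower()
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group("name"), m.group("value").strip()
            lname = name.lower()
            if lkey.endswith(r"\windows nt\currentversion\windows") and lname == "appinit_dlls":
                # Anything listed here is loaded into every process that links user32.dll
                dlls = value.strip('"').split()
                if dlls:
                    findings.append(Finding("appinit_dlls", key, ", ".join(dlls)))
            elif lkey.endswith(r"\security center") and lname.endswith("disablenotify") and parse_dword(value):
                # Hides the 'antivirus / updates / firewall off' balloon from the user
                findings.append(Finding("security_center_notify_off", key, name))
            elif lkey.endswith(r"firewallpolicy\standardprofile") and lname == "enablefirewall" and parse_dword(value) == 0:
                findings.append(Finding("firewall_disabled", key, f"{name}={value}"))
            continue
        mp = MOUNTPOINT_RE.match(line)
        if mp and "\\mountpoints2\\" in lkey:
            # Explorer runs the target when the drive is opened from My Computer
            findings.append(Finding("mountpoints2_autorun", key, f"{mp.group('verb')} -> {mp.group('target')}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.key}\n    {f.detail}")
```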
Old 11-12-2008, 04:59 PM   #6 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 8,661
OS: XP SP3


Re: I also have the "unsolicited browser pops" problem. Tks

Hello foreverhappy.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the quotebox below into Notepad:

Quote:
File::
c:\windows\system32\uEKnmnmp.ini

Folder::
c:\documents and settings\Butterfly\.housecall6.6\quarantine
c:\windows\system32\sX3i19
c:\temp\PRE45
c:\documents and settings\All Users\Application Data\RLUHVKKCYG
c:\documents and settings\All Users\Application Data\XRUHVKKCYG

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Save this Notepad file as CFScript.txt to your Desktop and then close the file.

Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix, please click Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

Please close HijackThis now.

------------------------------------------------------

Please post the following in your next reply:

ComboFix.txt
new HijackThis log
chemist is offline  
Old 11-13-2008, 03:15 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 5
OS: windowsXP


Re: I also have the "unsolicited browser pops" problem. Tks

Tks. What's next?

COMBO FIX

ComboFix 08-11-12.01 - Butterfly 2008-11-13 18:01:21.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1033.18.1633 [GMT -5:00]
Executando de: c:\documents and settings\Butterfly\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\Butterfly\Desktop\CFScript.txt
* Criado um novo ponto de restauro

FILE ::
c:\windows\system32\uEKnmnmp.ini
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\RLUHVKKCYG
c:\documents and settings\All Users\Application Data\RLUHVKKCYG\2265.Dat
c:\documents and settings\All Users\Application Data\XRUHVKKCYG
c:\documents and settings\All Users\Application Data\XRUHVKKCYG\2427.Dat
c:\documents and settings\Butterfly\.housecall6.6\quarantine
c:\temp\PRE45
c:\windows\system32\sX3i19
c:\windows\system32\uEKnmnmp.ini

.
(((((((((((((((( Arquivos/Ficheiros criados de 2008-10-13 to 2008-11-13 ))))))))))))))))))))))))))))
.

2008-11-11 20:18 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 20:18 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 18:55 . 2008-11-13 18:01 <DIR> d-------- c:\documents and settings\Butterfly\.housecall6.6
2008-11-09 17:50 . 2008-11-09 17:50 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-11-09 14:59 . 2008-11-09 15:00 3,043,976 -ra------ c:\program files\ComboFix.exe
2008-11-09 12:29 . 2008-11-09 12:31 <DIR> d-------- C:\rsit
2008-11-09 11:17 . 2008-11-09 11:56 250 --a------ c:\windows\gmer.ini
2008-11-09 09:57 . 2008-11-09 09:57 <DIR> d-------- c:\program files\gmer
2008-11-09 09:56 . 2008-11-09 09:57 747,873 --a------ c:\program files\gmer.zip
2008-11-09 09:48 . 2008-11-09 09:48 305,705 --a------ c:\program files\RSIT.exe
2008-11-09 09:21 . 2008-11-09 09:21 <DIR> d-------- c:\program files\Trend Micro
2008-11-08 18:24 . 2008-11-08 18:24 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-08 18:22 . 2008-11-08 18:23 19,153,264 --a------ c:\program files\aaw2008.exe
2008-11-08 16:24 . 2008-11-09 11:06 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-08 16:24 . 2008-11-09 09:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 16:02 . 2008-11-08 16:19 7,478,208 --a------ c:\program files\windows-kb890830-v2.3.exe
2008-11-08 11:05 . 2006-06-20 08:40 692,224 --a------ c:\windows\system32\lxctdrs.dll
2008-11-08 11:05 . 2006-07-11 13:54 335,872 --a------ c:\windows\system32\lxctcoin.dll
2008-11-08 11:05 . 2006-05-18 06:01 65,536 --a------ c:\windows\system32\lxctcaps.dll
2008-11-08 11:05 . 2006-05-03 09:31 61,440 --a------ c:\windows\system32\lxctcnv4.dll
2008-11-08 11:05 . 2005-06-23 21:37 40,960 --a------ c:\windows\system32\lxctvs.dll
2008-11-08 11:04 . 2006-07-10 18:34 40,960 --a------ c:\windows\system32\lxctpmon.dll
2008-11-08 11:04 . 2006-07-10 18:34 32,768 --a------ c:\windows\system32\LXCTFXPU.DLL
2008-11-08 11:04 . 2006-07-10 18:36 12,288 --a------ c:\windows\system32\lxctpmrc.dll
2008-11-08 11:02 . 2008-11-08 11:05 <DIR> d-------- c:\program files\Lexmark 5400 Series
2008-11-08 08:00 . 2008-10-09 14:25 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2008-11-08 07:50 . 2008-11-08 07:50 <DIR> d-------- c:\windows\system32\scripting
2008-11-08 07:50 . 2008-11-08 07:50 <DIR> d-------- c:\windows\system32\en
2008-11-08 07:50 . 2008-11-08 07:50 <DIR> d-------- c:\windows\system32\bits
2008-11-08 07:50 . 2008-11-08 07:50 <DIR> d-------- c:\windows\l2schemas
2008-11-08 07:48 . 2008-11-08 07:50 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-02 14:03 . 2008-11-02 14:03 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-02 14:03 . 2008-11-02 14:03 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-27 17:55 . 2008-09-08 05:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-27 17:51 . 2008-08-14 05:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-27 17:51 . 2008-08-14 05:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-27 17:51 . 2008-08-14 04:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-27 17:51 . 2008-08-14 04:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-27 17:51 . 2008-09-15 07:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-27 17:46 . 2008-05-01 09:33 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2008-10-27 17:45 . 2008-04-11 14:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2008-10-27 17:43 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-22 20:16 . 2008-11-13 08:22 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-22 20:16 . 2008-10-22 20:16 1,409 --a------ c:\windows\QTFont.for

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 23:04 178,330,912 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-13 15:19 2,365,076 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-13 02:16 --------- d-----w c:\program files\BadgeHelp
2008-11-12 00:26 --------- d-----w c:\program files\Lx_cats
2008-11-08 23:24 --------- d-----w c:\program files\Lavasoft
2008-11-08 22:56 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-08 16:03 --------- d-----w c:\program files\Lexmark Toolbar
2008-11-02 19:03 --------- d-----w c:\program files\Java
2008-10-30 12:07 --------- d-----w c:\program files\NetExchange Pro3.0
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-20 03:11 387 ----a-w C:\Board.Dat
2008-10-09 19:25 73,104 ----a-w c:\windows\zllsputility.exe
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-10-02 00:03 --------- d-----w c:\program files\activePDF
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-27 16:11 --------- d-----w c:\program files\FinePixViewer
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-06 21:30 1,201,351 ----a-w c:\program files\hidemyip.exe
2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-30 05:53 151,552 ----a-w c:\windows\system32\securenet.dll
2008-08-27 08:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-07-10 23:48 27,579,280 ----a-w c:\program files\zaAvSetup_70_483_000_en.exe
2008-07-06 20:52 214,430 ----a-w c:\program files\handytweakers.zip
2008-05-29 00:22 5,452,082 ----a-w c:\program files\K-Meleon1.1.5en-US.exe
2008-04-18 22:53 210,416 ----a-w c:\program files\zaavSetup_en.exe
2008-02-13 02:57 2,869,264 ----a-w c:\program files\dotNetFx35setup.exe
2008-01-12 22:09 21,216,112 ----a-w c:\program files\aaw2007.exe
2007-05-11 19:31 6,006,832 ----a-w c:\program files\Firefox Setup 2.0.0.3.exe
2007-04-09 21:51 900,168 ----a-w c:\program files\pi19299.exe
2007-04-03 20:23 454,381 ----a-w c:\program files\pipe.rar
2007-03-28 21:26 5,696,136 ----a-w c:\program files\R143248.EXE
2007-03-10 00:39 16,918,488 ----a-w c:\program files\SystemMechanic7.exe
2007-04-01 19:07 88 --sha-r c:\windows\system32\03C2D086F5.sys
2007-04-01 19:09 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2008-11-11_20.43.36.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-24 11:21:09 455,296 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-11-12 02:08:33 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2008-10-28 01:27:06 12,288 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-11-12 02:09:32 12,288 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-10-28 01:27:06 135,168 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-11-12 02:09:32 135,168 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-10-28 01:27:06 11,264 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-11-12 02:09:32 11,264 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-10-28 01:27:06 27,136 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-11-12 02:09:32 27,136 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-10-28 01:27:06 4,096 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-11-12 02:09:32 4,096 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-10-28 01:27:06 794,624 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-11-12 02:09:32 794,624 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-10-28 01:27:06 23,040 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-11-12 02:09:32 23,040 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-10-28 01:27:06 286,720 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-11-12 02:09:32 286,720 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-10-28 01:27:06 409,600 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-11-12 02:09:32 409,600 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-10-07 17:19:42 16,721,856 ----a-w c:\windows\system32\MRT.exe
+ 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\system32\MRT.exe
- 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-07-08 13:02:01 17,272 ------w c:\windows\system32\spmsg.dll
- 2008-11-12 01:36:34 649,640 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-11-13 22:59:53 652,552 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-11-13 22:10:30 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_3e8.dat
+ 2008-09-30 21:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 21:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-06-24 303104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 1 (0x1)
"Btn_Back"= 2 (0x2)
"Btn_Forward"= 2 (0x2)
"Btn_Stop"= 2 (0x2)
"Btn_Refresh"= 2 (0x2)
"Btn_Home"= 2 (0x2)
"Btn_Search"= 2 (0x2)
"Btn_Favorites"= 2 (0x2)
"Btn_History"= 2 (0x2)
"Btn_Folders"= 2 (0x2)
"Btn_Fullscreen"= 2 (0x2)
"Btn_Tools"= 2 (0x2)
"Btn_MailNews"= 2 (0x2)
"Btn_Size"= 2 (0x2)
"Btn_Print"= 2 (0x2)
"Btn_Edit"= 2 (0x2)
"Btn_Discussions"= 2 (0x2)
"Btn_Cut"= 2 (0x2)
"Btn_Copy"= 2 (0x2)
"Btn_Paste"= 2 (0x2)
"Btn_Encoding"= 2 (0x2)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 22:57 395776 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-11-01 04:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2006-06-06 22:05 98304 c:\program files\Lexmark 5400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 17:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 17:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5400 Series Fax Server]
--a------ 2006-07-10 18:30 294912 c:\program files\Lexmark 5400 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxctmon.exe]
--a------ 2006-06-20 08:37 286720 c:\program files\Lexmark 5400 Series\lxctmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2001-08-16 22:41 28738 c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 03:24 20480 c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--------- 2002-02-04 21:32 53248 c:\program files\REGSHAVE\REGSHAVE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\lxctcoms.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 566120]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 566120]
R3 SecureSrv;SecureSrv;c:\program files\Hide My IP 2008\SecureSrv.exe [2008-09-05 110880]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-09-27 10664]
S3 NAL;Nal Service ;c:\windows\system32\Drivers\iqvw32.sys [2006-06-05 24064]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSWAP.sys [2007-01-16 91496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{296afdda-4e0a-11dd-88cc-001676baf5ec}]
\Shell\AutoRun\command - F:\autorun.exe
\Shell\phone\command - F:\autorun.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-13 18:04:37
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...


**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

PROCESSOS: c:\windows\system32\lsass.exe
-> c:\windows\system32\securenet.dll
.
Tempo para conclusão: 2008-11-13 18:08:45
ComboFix-quarantined-files.txt 2008-11-13 23:07:42
ComboFix2.txt 2008-11-12 01:44:56
ComboFix3.txt 2008-11-09 21:21:55

Pré-execução: 286,849,572,864 bytes free
Pós execução: 286,837,059,584 bytes free

257 --- E O F --- 2008-11-12 02:10:31

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

HT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:22 PM, on 11/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Hide My IP 2008\SecureSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O9 - Extra button: Internet Radio by Endicosoft.com - {1F958B09-3312-7f0e-9723-4C1324C57B20} - C:\Program Files\Internet Radio\Radio.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSC...ws-i586-jc.cab
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79F95549-09CA-48E7-B953-4E1A71AB9071}: NameServer = 209.84.253.11,209.84.253.12
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: SecureSrv - Unknown owner - C:\Program Files\Hide My IP 2008\SecureSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5091 bytes
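As an added illustration of how an analyst reads a log like the one above (this script is not from the thread, from HijackThis, or from Trend Micro), the following Python triage pass parses a handful of the posted HijackThis lines and flags the entry types a helper looks at first: orphaned "(file missing)" items, the O10 Winsock LSP line HJT cannot attribute, the per-interface O17 NameServer setting, the O18 protocol handler, and O23 services with no publisher string. The sample lines are copied from the log above; the "reason" strings are review prompts, not verdicts, and the section rules are an assumption about what matters for this kind of log.

```python
"""Heuristic triage of HijackThis v2 log lines (added example, not HJT's own code)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{79F95549-09CA-48E7-B953-4E1A71AB9071}: NameServer = 209.84.253.11,209.84.253.12
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O23 - Service: SecureSrv - Unknown owner - C:\Program Files\Hide My IP 2008\SecureSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "O10"
    reason: str    # why an analyst would look at this entry first
    line: str      # the raw log line


# "O10 - Unknown file in Winsock LSP: c:\..." -> section code + body
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
NS_RE = re.compile(r"NameServer = (?P<ips>[\d.,]+)")
LSP_RE = re.compile(r"Winsock LSP: (?P<path>.+)$", re.IGNORECASE)


def triage(log_text: str) -> list:
    """Return the entries worth a second look, in log order."""
    findings = []
    seen_lsp = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        sec, body = m.group("sec"), m.group("body")
        if "(file missing)" in body:
            findings.append(Finding(sec, "orphaned entry: referenced file is missing, "
                                         "entry can be removed", line))
            continue
        if sec == "O10":
            lsp = LSP_RE.search(body)
            path = lsp.group("path").lower() if lsp else body.lower()
            if path in seen_lsp:
                continue  # HJT repeats one LSP DLL once per protocol-chain hit
            seen_lsp.add(path)
            findings.append(Finding(sec, "Winsock LSP DLL HJT cannot attribute: " + path, line))
        elif sec == "O17":
            ns = NS_RE.search(body)
            ips = ns.group("ips").split(",") if ns else []
            findings.append(Finding(sec, "per-interface DNS servers set, confirm they are "
                                         "the ISP's: " + ", ".join(ips), line))
        elif sec == "O18":
            findings.append(Finding(sec, "custom protocol handler registered, verify the "
                                         "CLSID's owner", line))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append(Finding(sec, "service binary has no publisher string in its "
                                         "version info, verify it", line))
    return findings


def summarize(findings) -> dict:
    """Count findings per HJT section code."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Against the sample above the script flags five entries and leaves the QuickTime O4 line and the ZoneAlarm vsmon service alone, which is the same split a human reviewer makes before deciding whether any of them is actually hostile.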
Old 11-13-2008, 04:36 PM   #8 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 8,661
OS: XP SP3


Re: I also have the "unsolicited browser pops" problem. Tks

Hello again, foreverhappy. Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

Please close HijackThis now.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
new HijackThis log
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 11-13-2008, 06:44 PM   #9 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 5
OS: windowsXP


Re: I also have the "unsolicited browser pops" problem. Tks

Tks Chem!
This is such work! lol

I have not been using my computer as much, but just when checking email I did not see those pop ups anymore.

The viruses Kaspersky got I think are the ones my ZoneAlarm put in quarantine.

I like ZoneAlarm, and I think you all might not like it, but can you recommend which program I should have to leave on for spyware/malware? I do not like SpyBot because it does not catch all and then you have to have a second program.

I would love a "Security Program" for all issues: virus, spy, mal, hijacking, etc.
Any suggestion?

I was surprised to have this issue and I still have no idea where that came from.
I noticed that Windows updates suck, because each time something happens with the computer.
One annoying issue, is that when I open my IE7, instead of going to my home page, it goes to Get IE8 beta. ARGGHHHH!!!!

And my computer is a bit slow, and I did all I thought...
Updates, scans, system mechanic cleaning, and I think those windows updates suck! I guess I already said that! LOL

QUESTION:

When a virus is found, is it better to put it in quarantine instead of removing it right away?
If you put it in quarantine, then when is it safe to remove the virus(es)?

Tks for your help, Chem.
It is a lot of repetitive work!



KASPERSKY

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, November 13, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, November 13, 2008 18:50:55
Records in database: 1383528
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 98489
Threat name: 3
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 01:05:38


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\dbyhlk.dll.vir Infected: Trojan-Spy.Win32.Agent.evh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dfdopceg.dll.vir Infected: Trojan-Spy.Win32.Agent.evh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gyjdxp.dll.vir Infected: Trojan-Spy.Win32.Agent.evh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\imqrcf.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.esw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ksmlujdb.dll.vir Infected: Trojan.Win32.Agent.amng 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\oltrlcte.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.esw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tdqqejgq.dll.vir Infected: Trojan-Spy.Win32.Agent.evh 1

The selected area was scanned.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


HT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:41 PM, on 11/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Hide My IP 2008\SecureSrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O9 - Extra button: Internet Radio by Endicosoft.com - {1F958B09-3312-7f0e-9723-4C1324C57B20} - C:\Program Files\Internet Radio\Radio.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSC...ws-i586-jc.cab
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79F95549-09CA-48E7-B953-4E1A71AB9071}: NameServer = 209.84.253.11,209.84.253.12
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: SecureSrv - Unknown owner - C:\Program Files\Hide My IP 2008\SecureSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5131 bytes
Old 11-13-2008, 07:01 PM   #10 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 8,661
OS: XP SP3


Re: I also have the "unsolicited browser pops" problem. Tks

The Kaspersky finds are in ComboFix's quarantine folder. We'll delete those shortly.

I will suggest some good programs later. No one program can do it all.

Not sure what's up with the Updates problem.

I suggest you seek expert advice in our Internet Explorer Forum.

Viruses put in quarantine can do no harm to your computer. You can delete them once you are sure all your programs work.

Please read the following article: http://www.techsupportforum.com/secu...ning-slow.html

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

C:\WINDOWS\gmer_uninstall.cmd

Press any key to continue once you see that message.

------------------------------------------------------

As far as those infected objects listed in the Kaspersky report, those are safely tucked away in ComboFix's quarantine folder or in old System Restore Points, which we will be taking care of now.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:
combofix /u
This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore points which contain previous infections, and create a fresh, clean System Restore point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well-written articles. To help protect your computer in the future, I recommend that you get the following free programs if you do not already have them:
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
  • IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
  • Spybot - Search & Destroy is an excellent spyware remover and also offers real-time protection against critical registry changes. Don't use the Immunize feature in Spybot if you use SpywareBlaster. See tutorial here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE

Last edited by chemist; 11-13-2008 at 07:05 PM.
Old 11-14-2008, 05:42 PM   #11 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 5
OS: windowsXP


Re: I also have the "unsolicited browser pops" problem. Tks

Thank you, Chemist.
Followed your instructions.

Just now Zone Alarm picked this up:

Hoax.Win32.Renos.fgo was found in C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP73\A0015811.exe on 11/14/2008 20:08:00

I hope it is not related to all what we did.

For me, my computer is not acting weird with all the ads, so I think we are good to go.

until next time....

be foreverhappy

:)
Old 11-14-2008, 05:59 PM   #12 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 8,661
OS: XP SP3


Re: I also have the "unsolicited browser pops" problem. Tks

You're very welcome, foreverhappy! Glad to have helped.

That file contains an old System Restore Point. Those should have been deleted when you uninstalled ComboFix. Did you uninstall it yet? If not, uninstall it now and let me know.

If you already uninstalled ComboFix, please do the following:
  • Turn off System Restore by clicking Start > Right-click My Computer, and then click Properties.
  • Click the System Restore tab and Check Turn off System Restore or Turn off System Restore on all drives.
  • Click Apply
  • When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK
  • Turn on System Restore by clicking Start > Right-click My Computer, and then click Properties.
  • Click the System Restore tab and Uncheck Turn off System Restore or Turn off System Restore on all drives.
  • Click Apply and then OK
This will create a new System Restore Point and flush out potentially infected older ones.

Let me know either way.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Copyright 2001 - 2009, Tech Support Forum