Tech Support Forum

Registered · 8 Posts · Discussion Starter · #1
Having problems with constant pop-ups. For temporary help I have disabled Internet Explorer by giving it a dead IP address.
spyware.cyberlog-x
[email protected]
psw.x vir trojan
[email protected]
malware threats with a backdoor trojan
I am using avast antivirus and it keeps coming up with the warning "win32:secbar-b [adw] has been found in C:\windows\system32\zzlccehv.dll".

Deckard's System Scanner v20071014.68
Run by Owner on 2007-12-09 20:45:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:04 PM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\mdqbenps.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\Program Files\Rabio\X_se.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - @�B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - @@�497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\Rabio\Rabio.dll
O2 - BHO: (no name) - {354EDFA7-2A9C-4B04-B1BD-BFD65C219E1A} - C:\Program Files\Online Services\ryzycyC:\WINDOWS\system32\doc4\mmildot83122.exe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\ljjifec.dll
O2 - BHO: {1319287c-dc6f-61ea-0a24-e808195a6eb9} - {9be6a591-808e-42a0-ae16-f6cdc7829131} - C:\WINDOWS\system32\mvdpycum.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\zzlccehv.dll
O2 - BHO: (no name) - {BC71C8CD-7024-4D93-A435-FE037E16C8AB} - C:\WINDOWS\system32\mlljj.dll
O2 - BHO: (no name) - �@�CD045-E861-484f-8273-0445EE161910} - (no file)
O2 - BHO: (no name) - ¨�¨�6-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\zzlccehv.dll
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\roskfidp.dll",b
O4 - HKLM\..\RunServices: [System Startup] voltio.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [System Startup] voltio.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [System Startup] voltio.exe (User 'Default user')
O4 - S-1-5-18 Startup: Organize.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Organize.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Organize.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'Default user')
O4 - Startup: Rabio - Auto Update.lnk = C:\Program Files\Rabio\se.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NETGEAR WPN311 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O20 - Winlogon Notify: ljjifec - C:\WINDOWS\SYSTEM32\ljjifec.dll
O20 - Winlogon Notify: zzlccehv - C:\WINDOWS\SYSTEM32\zzlccehv.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\mdqbenps.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://www.blackdog.net/downloads/wallpaper/halloween/cat-sm.jpg

--
End of file - 11463 bytes

-- Files created between 2007-11-09 and 2007-12-09 -----------------------------

2007-12-09 20:21:29 0 d-------- C:\Program Files\Trend Micro
2007-12-09 20:02:31 0 d-------- C:\Program Files\SpywareBlaster
2007-12-09 17:18:03 80448 --a------ C:\WINDOWS\system32\mvdpycum.dll
2007-12-09 17:16:01 85568 --a------ C:\WINDOWS\system32\roskfidp.dll
2007-12-09 17:09:29 145984 --a------ C:\WINDOWS\system32\zzlccehv.dll
2007-12-09 17:09:03 145984 --a------ C:\WINDOWS\system32\mwxebjoj.dll
2007-12-09 17:06:03 74304 --a------ C:\WINDOWS\system32\mdqbenps.exe <Not Verified; ; DDC>
2007-12-09 16:19:35 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-09 15:02:31 0 d-------- C:\Documents and Settings\Owner\Application Data\FrostWire
2007-12-09 13:59:21 37376 --a------ C:\WINDOWS\system32\pmnoomn.dll
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\ArcSoft
2007-12-08 09:17:24 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-12-08 09:17:24 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-12-08 09:17:24 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Template
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Motive
2007-12-08 09:17:24 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-08 09:17:23 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-12-08 09:17:23 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-12-08 09:17:23 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-12-08 09:17:23 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-12-08 09:17:23 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-12-08 09:17:22 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-08 08:59:09 37376 --a------ C:\WINDOWS\system32\ddcaayx.dll
2007-12-07 19:28:12 446863 --ahs---- C:\WINDOWS\system32\jjllm.ini2
2007-12-07 19:28:05 339552 --a------ C:\WINDOWS\system32\mlljj.dll
2007-12-07 19:26:31 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2007-12-07 19:24:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-07 19:23:49 0 d-------- C:\Program Files\Rabio
2007-12-07 19:23:44 80640 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-12-07 19:23:42 0 d-------- C:\WINDOWS\system32\doc4
2007-12-07 19:23:42 0 d-------- C:\WINDOWS\system32\bbc5
2007-12-07 19:23:42 0 d-------- C:\Program Files\Web Buying
2007-12-07 19:23:40 134 --a------ C:\n.bat
2007-12-07 19:23:34 0 d-------- C:\WINDOWS\system32\vlt2
2007-12-07 19:23:34 0 d-------- C:\WINDOWS\system32\ripd1
2007-12-07 19:23:34 0 d-------- C:\WINDOWS\system32\ashell3
2007-12-07 19:23:25 0 --a------ C:\x.dat
2007-12-07 19:23:23 0 d-------- C:\WINDOWS\system32\rex2
2007-12-07 19:23:19 281 --a------ C:\z.dat
2007-12-07 19:23:16 172032 --a------ C:\winlogon.exe
2007-12-07 19:23:11 0 d-------- C:\WINDOWS\system32\daSgo18
2007-12-07 19:22:56 37376 --a------ C:\WINDOWS\system32\ljjifec.dll
2007-12-07 19:21:28 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-07 18:47:56 0 d-------- C:\Program Files\Google
2007-11-11 13:23:50 0 d-------- C:\Program Files\iPod


-- Find3M Report ---------------------------------------------------------------

2007-12-09 17:25:38 0 d-------- C:\Program Files\Multimedia Card Reader
2007-12-09 17:13:44 0 d-------- C:\Program Files\iTunes
2007-12-09 15:37:10 0 d-------- C:\Program Files\WildTangent
2007-12-08 11:41:38 0 d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-12-08 09:50:36 0 d-------- C:\Program Files\BitTorrent
2007-11-15 18:10:58 0 d-------- C:\Program Files\Java
2007-11-11 13:22:36 0 d-------- C:\Program Files\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}]
12/03/2007 02:27 PM 410896 --a------ C:\Program Files\Rabio\Rabio.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{354EDFA7-2A9C-4B04-B1BD-BFD65C219E1A}]
C:\Program Files\Online Services\ryzycyC:\WINDOWS\system32\doc4\mmildot83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}]
12/07/2007 07:22 PM 37376 --a------ C:\WINDOWS\system32\ljjifec.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9be6a591-808e-42a0-ae16-f6cdc7829131}]
12/09/2007 05:18 PM 80448 --a------ C:\WINDOWS\system32\mvdpycum.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
12/09/2007 05:09 PM 145984 --a------ C:\WINDOWS\system32\zzlccehv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC71C8CD-7024-4D93-A435-FE037E16C8AB}]
12/07/2007 07:28 PM 339552 --a------ C:\WINDOWS\system32\mlljj.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\zzlccehv.dll [12/09/2007 05:09 PM 145984]

[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [08/14/2003 11:11 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 05:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [11/10/2005 01:03 PM]
"PCShield"="regsvr32 /s C:\WINDOWS\system32\sfg.dll" []
"@"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/19/2007 08:16 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 06:36 PM]
"20ddfb3d"="C:\WINDOWS\system32\roskfidp.dll" [12/09/2007 05:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCShield"="regsvr32 /s C:\WINDOWS\system32\sfg.dll" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"System Startup"=voltio.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"System Startup"=voltio.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Rabio - Auto Update.lnk - C:\Program Files\Rabio\se.exe [12/7/2007 7:23:45 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [5/28/2006 4:50:02 PM]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [11/3/2004 8:01:48 PM]
NETGEAR WPN311 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN311\wlancfg5.exe [12/4/2006 10:57:38 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}"= C:\WINDOWS\system32\ljjifec.dll [12/07/2007 07:22 PM 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjifec]
ljjifec.dll 12/07/2007 07:22 PM 37376 C:\WINDOWS\system32\ljjifec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zzlccehv]
zzlccehv.dll 12/09/2007 05:09 PM 145984 C:\WINDOWS\system32\zzlccehv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlljj.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
LTMSG.exe 7

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Propel Accelerator]
C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Startup]
voltio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win32]
C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2007-12-09 20:47:15 ------------
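The HijackThis section of the log above is the part a helper reads first, because the R/O entry types map directly onto persistence mechanisms: O20 Winlogon Notify DLLs load into winlogon.exe as SYSTEM, O23 services with a blank publisher, O2 BHOs with "(no name)" pointing into system32, and O4 Run entries that load a bare file name or an eight-letter DLL through rundll32. The script below is an added example, not part of this thread or of HijackThis itself: it parses a handful of lines copied from the log above (the selection is constructed so clean entries sit beside suspicious ones) and assigns each a severity. The allowlist, the "7-8 lowercase letters in system32" rule and the severity labels are assumptions made for the example, a crude stand-in for signer, hash-reputation and file-age checks.

```python
import re
from dataclasses import dataclass

# Sample HijackThis entries copied from the log posted above. The selection is
# constructed so that clean entries (Yahoo toolbar, ctfmon, avast) sit next to
# the suspicious ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\zzlccehv.dll
O4 - HKLM\..\Run: [20ddfb3d] rundll32.exe "C:\WINDOWS\system32\roskfidp.dll",b
O4 - HKLM\..\RunServices: [System Startup] voltio.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: zzlccehv - C:\WINDOWS\SYSTEM32\zzlccehv.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\mdqbenps.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Assumption (heuristic, not a rule from the thread): a 7-8 letter name in
# system32 that is not on this small allowlist is treated as random-looking.
# Real triage would also check the signer, a hash reputation and creation time.
KNOWN_SYSTEM32 = {"svchost", "ctfmon", "wscntfy", "spoolsv", "winlogon", "cidaemon"}
RANDOM_NAME = re.compile(r"\\system32\\([a-z]{7,8})\.(?:dll|exe)\b", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    severity: str  # "high", "medium" or "info"
    reason: str


def random_system32_name(line):
    """Return the random-looking system32 file name in the line, or None."""
    m = RANDOM_NAME.search(line)
    if m and m.group(1).lower() not in KNOWN_SYSTEM32:
        return m.group(1).lower()
    return None


def triage_line(line):
    """Classify one HijackThis entry; None means nothing stood out."""
    line = line.strip()
    if " - " not in line:
        return None
    kind, body = line.split(" - ", 1)  # e.g. "O20", "Winlogon Notify: ..."
    name = random_system32_name(line)
    if kind == "O20":
        # Winlogon Notify DLLs load into winlogon.exe as SYSTEM at every logon.
        reason = "Winlogon Notify DLL" + (f" with random-looking name {name}" if name else "")
        return Finding(line, "high" if name else "medium", reason)
    if kind == "O23" and " - - " in body:
        # The publisher field between the dashes is empty: nobody claims the binary.
        return Finding(line, "high" if name else "medium", "service with no publisher recorded")
    if kind == "O2" and body.startswith("BHO: (no name)") and name:
        return Finding(line, "high", f"unnamed BHO loading random-looking {name}")
    if kind == "O4":
        m = re.search(r"\] (.*)$", body)
        value = m.group(1) if m else ""
        if name:
            return Finding(line, "high", f"Run entry loading random-looking {name}")
        if "\\" not in value:
            return Finding(line, "medium", "Run entry with a bare file name (no fixed path on disk)")
    if kind == "R1" and "ProxyServer = 0.0.0.0" in body:
        return Finding(line, "info", "proxy points at an unreachable address; matches the deliberate IE kill switch the poster describes")
    return None


def triage(log_text):
    """Run triage_line over a whole log and keep only the findings."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 1, 'info': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample above the script reports four high findings (zzlccehv.dll as both BHO and Winlogon Notify DLL, roskfidp.dll loaded via rundll32, the publisher-less DomainService running mdqbenps.exe), one medium (the bare voltio.exe under RunServices) and one informational note for the 0.0.0.0:80 proxy, while leaving the Yahoo toolbar, ctfmon and avast entries alone. Those same three system32 files appear in the ComboFix "Other Deletions" list later in the thread, which is a useful sanity check on the heuristic; in real triage the creation timestamps in the "Files created" section (all within two days of the post) are the stronger signal.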
 


TSF-Enthusiast · 923 Posts
Apologies for the delay in responding.

The workload on this forum is intense, and sometimes it is not possible to respond to every inquiry.


Please download ComboFix
Save to the Desktop <<< Important!!

Now, go to Start > Run, and copy/paste the following command in the Open box:

"%userprofile%\desktop\combofix.exe" /killall


Click: OK

Follow the prompts to install ComboFix.
Then, type 1 and press Enter to begin the scan.

Do not mouse-click the ComboFix window while it runs. It may cause it to stall.

When finished, a log, ComboFix.txt, is produced.

~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please post the ComboFix.txt, and a new HijackThis log in your reply.
 

Registered · 8 Posts · Discussion Starter · #3
ComboFix 07-12-12.3 - Owner 2007-12-13 14:45:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.626 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Owner\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Owner\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Owner\Favorites\Online Security Guide.lnk
C:\Program Files\Common Files\{30DDF~1
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.6\wbuninst.exe
C:\Program Files\web buying\v1.8.6\webbuying.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\temp\tn3
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\system32\ddcaayx.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\fnktkvsg.dll
C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini2
C:\WINDOWS\system32\ljjifec.dll
C:\WINDOWS\system32\mdqbenps.exe
C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\mvdpycum.dll
C:\WINDOWS\system32\mwxebjoj.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pdifksor.ini
C:\WINDOWS\system32\pmnoomn.dll
C:\WINDOWS\system32\roskfidp.dll
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\zzlccehv.dll
C:\WINDOWS\system32\zzlccehv.dllbox
C:\winlogon.exe
C:\x.dat
C:\z.dat
D:\Autorun.inf
C:\WINDOWS\Fonts\'

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\core
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-09 20:24 . 2007-12-13 14:27 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-09 20:21 . 2007-12-09 20:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-09 20:14 . 2007-12-09 20:14 <DIR> d-------- C:\Deckard
2007-12-09 20:02 . 2007-12-09 20:11 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-09 16:19 . 2007-12-09 19:08 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-09 16:19 . 2007-12-09 16:21 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-09 16:19 . 2007-12-09 16:21 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-09 16:19 . 2007-12-09 16:21 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-09 15:02 . 2007-12-09 15:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\FrostWire
2007-12-09 14:24 . 2007-12-09 14:24 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2007-12-08 09:17 . 2003-10-11 00:19 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-08 09:17 . 2004-03-08 15:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Template
2007-12-08 09:17 . 2003-10-14 00:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-08 09:17 . 2003-10-10 23:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-08 09:17 . 2004-05-05 12:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-08 09:17 . 2003-10-11 00:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-08 09:17 . 2004-03-03 17:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Motive
2007-12-08 09:17 . 2004-02-21 19:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2007-12-08 09:17 . 2003-10-14 00:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2007-12-08 09:17 . 2004-07-17 14:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ArcSoft
2007-12-07 19:26 . 2007-12-07 19:26 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-12-07 19:24 . 2007-12-07 19:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-07 19:23 . 2007-12-07 19:23 <DIR> d-------- C:\WINDOWS\system32\vlt2
2007-12-07 19:23 . 2007-12-07 19:23 <DIR> d-------- C:\WINDOWS\system32\ripd1
2007-12-07 19:23 . 2007-12-07 19:23 <DIR> d-------- C:\WINDOWS\system32\rex2
2007-12-07 19:23 . 2007-12-07 22:56 <DIR> d-------- C:\WINDOWS\system32\doc4
2007-12-07 19:23 . 2007-12-07 19:23 <DIR> d-------- C:\WINDOWS\system32\daSgo18
2007-12-07 19:23 . 2007-12-07 19:23 <DIR> d-------- C:\WINDOWS\system32\bbc5
2007-12-07 19:23 . 2007-12-07 19:30 <DIR> d-------- C:\WINDOWS\system32\ashell3
2007-12-07 19:23 . 2007-12-09 17:28 <DIR> d-------- C:\Program Files\Rabio
2007-12-07 19:23 . 2007-12-07 19:23 134 --a------ C:\n.bat
2007-12-07 19:21 . 2007-12-09 15:43 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-07 18:47 . 2007-12-09 15:10 <DIR> d-------- C:\Program Files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-09 22:25 --------- d-----w C:\Program Files\Multimedia Card Reader
2007-12-09 22:13 --------- d-----w C:\Program Files\iTunes
2007-12-09 20:37 --------- d-----w C:\Program Files\WildTangent
2007-12-08 16:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-12-08 14:50 --------- d-----w C:\Program Files\BitTorrent
2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-15 23:10 --------- d-----w C:\Program Files\Java
2007-11-11 18:23 --------- d-----w C:\Program Files\iPod
2007-11-11 18:22 --------- d-----w C:\Program Files\QuickTime
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}]
2007-12-03 14:27 410896 --a------ C:\Program Files\Rabio\Rabio.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{354EDFA7-2A9C-4B04-B1BD-BFD65C219E1A}]
C:\Program Files\Online Services\ryzycyC:\WINDOWS\system32\doc4\mmildot83122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCShield"="regsvr32 /s C:\WINDOWS\system32\sfg.dll" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 23:11]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"PCShield"="regsvr32 /s C:\WINDOWS\system32\sfg.dll" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"System Startup"="voltio.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"System Startup"="voltio.exe" []

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Rabio - Auto Update.lnk - C:\Program Files\Rabio\se.exe [2007-12-07 19:23:45]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-05-28 16:50:02]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-03 20:01:48]
NETGEAR WPN311 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN311\wlancfg5.exe [2006-12-04 10:57:38]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-08-05 20:05 344064 --a--c--- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
2003-06-18 21:19 53248 --a--c--- C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
2003-06-22 23:25 24576 --a--c--- c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
2002-10-07 09:23 90112 --a--c--- c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 09:07 114688 --a--c--- C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2003-05-23 04:55 483328 --a--c--- C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 18:04 52736 --a--c--- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-02 18:36 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
LTMSG.exe 7

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2003-07-23 18:37 53248 --a--c--- C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Propel Accelerator]
C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-13 23:42 212992 --a--c--- C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Startup]
voltio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win32]
C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-12-08 14:41:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-10-23 02:23:08 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 15:02:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 15:03:29 - machine was rebooted
.
2007-11-14 23:18:58 --- E O F ---


Deckard's System Scanner v20071014.68
Run by Owner on 2007-12-13 15:04:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:04:58 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\Program Files\Rabio\X_se.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - @�B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - @@�497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\Rabio\Rabio.dll
O2 - BHO: (no name) - {354EDFA7-2A9C-4B04-B1BD-BFD65C219E1A} - C:\Program Files\Online Services\ryzycyC:\WINDOWS\system32\doc4\mmildot83122.exe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - �@�CD045-E861-484f-8273-0445EE161910} - (no file)
O2 - BHO: (no name) - ¨�¨�6-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [System Startup] voltio.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [System Startup] voltio.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [System Startup] voltio.exe (User 'Default user')
O4 - S-1-5-18 Startup: Organize.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Organize.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Organize.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'Default user')
O4 - Startup: Rabio - Auto Update.lnk = C:\Program Files\Rabio\se.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NETGEAR WPN311 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://www.blackdog.net/downloads/wallpaper/halloween/cat-sm.jpg

--
End of file - 10215 bytes

-- Files created between 2007-11-13 and 2007-12-13 -----------------------------

2007-12-09 20:21:29 0 d-------- C:\Program Files\Trend Micro
2007-12-09 20:02:31 0 d-------- C:\Program Files\SpywareBlaster
2007-12-09 16:19:35 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-09 15:02:31 0 d-------- C:\Documents and Settings\Owner\Application Data\FrostWire
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\ArcSoft
2007-12-08 09:17:24 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-12-08 09:17:24 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-12-08 09:17:24 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Template
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Motive
2007-12-08 09:17:24 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-08 09:17:23 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-12-08 09:17:23 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-12-08 09:17:23 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-12-08 09:17:23 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-12-08 09:17:23 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-12-08 09:17:22 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-07 19:26:31 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2007-12-07 19:24:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-07 19:23:49 0 d-------- C:\Program Files\Rabio
2007-12-07 19:23:42 0 d-------- C:\WINDOWS\system32\doc4
2007-12-07 19:23:42 0 d-------- C:\WINDOWS\system32\bbc5
2007-12-07 19:23:40 134 --a------ C:\n.bat
2007-12-07 19:23:34 0 d-------- C:\WINDOWS\system32\vlt2
2007-12-07 19:23:34 0 d-------- C:\WINDOWS\system32\ripd1
2007-12-07 19:23:34 0 d-------- C:\WINDOWS\system32\ashell3
2007-12-07 19:23:23 0 d-------- C:\WINDOWS\system32\rex2
2007-12-07 19:23:11 0 d-------- C:\WINDOWS\system32\daSgo18
2007-12-07 19:21:28 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-07 18:47:56 0 d-------- C:\Program Files\Google


-- Find3M Report ---------------------------------------------------------------

2007-12-13 14:54:47 0 d-------- C:\Program Files\Common Files
2007-12-09 17:25:38 0 d-------- C:\Program Files\Multimedia Card Reader
2007-12-09 17:13:44 0 d-------- C:\Program Files\iTunes
2007-12-09 15:37:10 0 d-------- C:\Program Files\WildTangent
2007-12-08 11:41:38 0 d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-12-08 09:50:36 0 d-------- C:\Program Files\BitTorrent
2007-11-15 18:10:58 0 d-------- C:\Program Files\Java
2007-11-11 13:23:50 0 d-------- C:\Program Files\iPod
2007-11-11 13:22:36 0 d-------- C:\Program Files\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}]
12/03/2007 02:27 PM 410896 --a------ C:\Program Files\Rabio\Rabio.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{354EDFA7-2A9C-4B04-B1BD-BFD65C219E1A}]
C:\Program Files\Online Services\ryzycyC:\WINDOWS\system32\doc4\mmildot83122.exe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [08/14/2003 11:11 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 08:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [11/10/2005 01:03 PM]
"PCShield"="regsvr32 /s C:\WINDOWS\system32\sfg.dll" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/19/2007 08:16 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 06:36 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCShield"="regsvr32 /s C:\WINDOWS\system32\sfg.dll" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"System Startup"=voltio.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"System Startup"=voltio.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Rabio - Auto Update.lnk - C:\Program Files\Rabio\se.exe [12/7/2007 7:23:45 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [5/28/2006 4:50:02 PM]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [11/3/2004 8:01:48 PM]
NETGEAR WPN311 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN311\wlancfg5.exe [12/4/2006 10:57:38 AM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
LTMSG.exe 7

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Propel Accelerator]
C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Startup]
voltio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win32]
C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2007-12-13 15:05:14 ------------
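Added here as an illustration, not part of this thread and not a feature of HijackThis or Deckard's System Scanner: a small Python triage helper that reads HijackThis R/O2/O4 lines and flags the structural oddities visible in the log above (a bare file name in a Run key, a DLL loaded through regsvr32 at logon, a BHO whose file is missing or whose path carries two drive roots, a CLSID that is not a well-formed GUID, a proxy setting). The sample lines are copied from the log above, except the "@@B5CA7..." line, which is a constructed ASCII stand-in for the unprintable CLSID entries.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the HijackThis log above, plus one
# ASCII stand-in (the "@@B5CA7..." line) for the unprintable CLSID entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: (no name) - @@B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\Rabio\Rabio.dll
O2 - BHO: (no name) - {354EDFA7-2A9C-4B04-B1BD-BFD65C219E1A} - C:\Program Files\Online Services\ryzycyC:\WINDOWS\system32\doc4\mmildot83122.exe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg.dll"
O4 - HKLM\..\RunServices: [System Startup] voltio.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


@dataclass
class Finding:
    kind: str     # HijackThis line type: R0/R1, O2 or O4
    subject: str  # BHO CLSID, "hive [value name]" or the IE setting name
    reason: str   # why a helper would look twice at the entry


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\S+) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Two drive roots in one path, e.g. '...\Online Services\ryzycyC:\WINDOWS\...'
TWO_ROOTS = re.compile(r"[A-Za-z]:\\.*[A-Za-z]:\\")


def first_token(cmd: str) -> str:
    """Return the program part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_o2(m: re.Match) -> list[str]:
    clsid, path = m["clsid"], m["path"]
    reasons = []
    if not GUID_RE.match(clsid):
        reasons.append("CLSID is not a well-formed GUID (mangled registry key)")
    if path.endswith("(no file)") or path.endswith("(file missing)"):
        reasons.append("BHO is registered but its file is absent from disk")
    if TWO_ROOTS.search(path):
        reasons.append("two drive roots concatenated in one path")
    if ".exe.dll" in path.lower():
        reasons.append("double extension .exe.dll")
    return reasons


def check_o4(m: re.Match) -> list[str]:
    tok = first_token(m["cmd"])
    base = tok.rsplit("\\", 1)[-1].lower()
    if base in ("regsvr32", "regsvr32.exe"):
        return ["DLL loaded through regsvr32 at every logon"]
    if "\\" not in tok:
        return ["bare file name, located through PATH rather than a fixed path"]
    return []


def triage(log_text: str) -> list[Finding]:
    """Scan HijackThis-style lines and return one Finding per flagged reason."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            for r in check_o2(m):
                findings.append(Finding("O2", m["clsid"], r))
        elif m := O4_RE.match(line):
            for r in check_o4(m):
                findings.append(Finding("O4", f'{m["hive"]} [{m["name"]}]', r))
        elif m := R_RE.match(line):
            if m["value"].strip() == "ProxyServer" and m["data"].strip():
                findings.append(Finding(line[:2], "ProxyServer",
                                        f"proxy {m['data'].strip()} configured; confirm it is intended"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:3} {f.subject:45} {f.reason}")
```

These are structural checks only: the well-formed Rabio.dll entry produces no finding, which is why a helper still needs knowledge of the names and paths in the log, not just its shape.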
 

· TSF-Enthusiast
Joined
·
923 Posts
The type of malware in the system has the ability to capture login names and passwords for every site you visit, including PayPal, Amazon, mail accounts, etc.

You need to take a look at the contents of two files to see which passwords need to be changed.

To open the files and see their contents, go to Start > Run > and copy/paste the following, then click OK:

C:\Qoobox\Quarantine\C\z.dat.vir



You will be presented with this:



Click: Select a program from a list
Click OK.

At the next prompt…



In the Programs box, highlight Notepad.
Uncheck: Always use the selected program to open this kind of file
Click: OK

The text file opens, and any stolen data is revealed.
Check all accounts in this data file, and ensure you change all related passwords.

If you have access to another computer, use it to change all passwords listed in the C:\z.txt and C:\x.txt as soon as possible!!!

Do the same to reveal the contents of:
C:\Qoobox\Quarantine\C\x.dat.vir


Post back when you have done the above.
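The procedure above opens the quarantined file through the Windows "Open With" dialog. As an added example (not part of the original post, and not a Qoobox or ComboFix tool), the script below does the same review from a command line by reading the file as raw bytes and pulling out the printable ASCII and UTF-16 runs the way the Unix `strings` tool does, so nothing is executed and no file association is changed; it then sorts the strings into site/account names and credential-looking fields so the list of passwords to change is easy to build. The quarantine path is the one named in the post; the bytes in `SAMPLE_DROP_FILE` are constructed for illustration and are not the contents of z.dat.vir or x.dat.vir, and the field names it looks for (`login=`, `pass=`, ...) are an assumption about the stealer's log format, which the thread does not show.

```python
"""Review a quarantined stealer drop file without opening it through the shell.

Added example for this thread; it is not a Qoobox/ComboFix tool and not code
from the original post. The file is read as raw bytes and only printable runs
are shown, so nothing is executed and no file association is changed.
"""
import re
import sys

# Anything that looks like a site, host or e-mail address: these are the
# accounts whose passwords need changing.
HOST_RE = re.compile(r"https?://\S+|www\.\S+|\b[\w.-]+\.(?:com|net|org|edu|gov)\b", re.I)
# Credential-looking fields. The field names are an assumption about the
# stealer's log format; the thread does not show what z.dat.vir looks like.
CRED_RE = re.compile(r"\b(?:user(?:name)?|login|pass(?:word|wd)?|pwd)\s*[=:]\s*\S+", re.I)

# Constructed sample, not the real contents of z.dat.vir or x.dat.vir.
SAMPLE_DROP_FILE = (
    b"\x00\x00\x01\x02"
    + b"https://www.paypal.com/cgi-bin/webscr\x00"
    + b"login=alice_example\x00"
    + b"pass=hunter2\x00\x00"
    + "mail.example.com".encode("utf-16-le")   # Windows malware often logs UTF-16
    + b"\x00\x00\x7f\x80\xff\x10ab\x00"          # junk bytes and a too-short run
)


def extract_strings(data, min_len=4):
    """Return printable ASCII and UTF-16LE runs of at least min_len characters,
    in file order, like the Unix `strings` tool with and without -el."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_run.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in utf16_run.finditer(data)]
    found.sort()
    return [s for _, s in found]


def triage(strings):
    """Sort extracted strings into accounts, credential fields and the rest."""
    report = {"accounts": [], "credentials": [], "other": []}
    for s in strings:
        if CRED_RE.search(s):
            report["credentials"].append(s)
        elif HOST_RE.search(s):
            report["accounts"].append(s)
        else:
            report["other"].append(s)
    return report


def review_file(path):
    """Read the quarantined file as bytes (never via ShellExecute) and triage it."""
    with open(path, "rb") as fh:
        return triage(extract_strings(fh.read()))


if __name__ == "__main__":
    # e.g. python quarantine_strings.py C:\Qoobox\Quarantine\C\z.dat.vir
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DROP_FILE
    for section, items in triage(extract_strings(data)).items():
        print("== %s ==" % section)
        for item in items:
            print("  " + item)
```

The script only reads the .vir file; it never renames, copies or executes it, so the quarantined copy stays exactly as ComboFix left it. Run it against x.dat.vir the same way, and change every password for anything that lands in the accounts or credentials sections.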
 

· TSF-Enthusiast · 923 Posts
Please download Flash_Disinfector
Save it to the Desktop.

Double-click Flash_Disinfector.exe to run it and follow the prompts.
The utility may ask you to insert your flash drive and/or other removable drives.
Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.

Restart the computer.

~~~~
Next, open Notepad (Start > Run > in the Open field type: notepad)
Click: OK

Copy/paste the blue text below to Notepad:

File::
C:\WINDOWS\system32\mcrh.tmp
C:\n.bat

Folder::
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Rabio
C:\Program Files\Rabio
C:\Win32

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{354EDFA7-2A9C-4B04-B1BD-BFD65C219E1A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"System Startup"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"System Startup"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win32]

DirLook::
C:\WINDOWS\system32\ripd1
C:\WINDOWS\system32\rex2
C:\WINDOWS\system32\doc4
C:\WINDOWS\system32\bbc5
C:\WINDOWS\system32\ashell3
C:\WINDOWS\system32\daSgo01
C:\WINDOWS\system32\vlt2



Save as CFScript.txt <<< Important!!
Change the Save as type to: All Files
Save it to the Desktop



Referring to the screenshot above, drag CFScript.txt >>> into >>> ComboFix.exe
ComboFix runs a scan on your system, and may reboot when it finishes. This is normal.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced: ComboFix.txt

~~~~
Run HijackThis once again, and Scan, to obtain a new log.

~~~~
Please provide the contents of the new ComboFix log, and the new HijackThis log in your reply.
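The post above asks for a fresh HijackThis log once the CFScript has run. As an added example, not part of the original post and not a HijackThis feature, the script below reads a HijackThis 2.x log and flags the entry types that matter in this thread: O4 Run entries that load a DLL through regsvr32, O2 BHO entries whose CLSID is not a printable {GUID} (the usual reason a BHO line shows a garbled CLSID is that the registry key name holds characters HijackThis cannot display, and a script that deletes the clean GUID spelling will not match that key) or that point at "(no file)", startup items that run for the SYSTEM or Default user profile, an IE ProxyServer setting, and services with no publisher. `SAMPLE_LOG` is constructed for the example, modelled on the log lines in this thread; the CLSID {1C2E5D27-A17C-4D89-85DD-3553C189380D} is reused from the CFScript above as a stand-in for an orphaned BHO, and `\x01\x02` stands in for the garbage characters.

```python
"""Triage a HijackThis 2.x log for the persistence patterns in this thread.

Added example; not part of the original post and not a HijackThis feature.
SAMPLE_LOG is constructed for this example, modelled on the log lines in the
thread, and is not a copy of the poster's log.
"""
import re
import sys

# A printable, well-formed {GUID}. Anything else in a BHO line means the
# registry key name holds characters HijackThis could not display.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
REGSVR_RE = re.compile(r"\bregsvr32(?:\.exe)?\b", re.I)
PROXY_RE = re.compile(r"ProxyServer = (\S+)")

SAMPLE_LOG = (
    "Logfile of Trend Micro HijackThis v2.0.2\n"
    "R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 0.0.0.0:80\n"
    # CLSID whose leading bytes are non-printable (\x01\x02 stands in for the
    # garbage characters the real log shows)
    "O2 - BHO: (no name) - \x01\x02B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)\n"
    "O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll\n"
    "O2 - BHO: (no name) - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - (no file)\n"
    "O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe\n"
    "O4 - HKLM\\..\\Run: [PCShield] regsvr32 /s \"C:\\WINDOWS\\system32\\sfg.dll\"\n"
    "O4 - S-1-5-18 Startup: spamsubtract.lnk = C:\\Program Files\\interMute\\SpamSubtract\\SpamSub.exe (User 'SYSTEM')\n"
    "O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe\n"
    "O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\\WINDOWS\\system32\\acs.exe\n"
)


def parse_hjt(text):
    """Yield (code, body) for every 'Rn - ...' / 'Onn - ...' line in a HJT log."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")


def check_o2(body):
    """BHO line: 'BHO: <name> - <clsid> - <dll path or (no file)>'."""
    parts = body.split(" - ")
    if len(parts) < 3:
        return None
    clsid, target = parts[-2], parts[-1]
    if not GUID_RE.match(clsid):
        # Show the stray bytes as escapes so the finding is printable.
        return ("malformed-clsid", clsid.encode("unicode_escape").decode("ascii"))
    if target == "(no file)":
        return ("orphan-bho", clsid)
    return None


def check_o4(body):
    """Run-key and startup-folder entries."""
    if REGSVR_RE.search(body):
        # A DLL pulled in at every logon through regsvr32 (PCShield / sfg.dll style).
        return ("regsvr32-run", body.split("] ", 1)[-1])
    if "(User 'SYSTEM')" in body or "(User 'Default user')" in body:
        return ("system-startup", body)
    return None


def check_r1(body):
    """IE proxy setting; a black-hole proxy is sometimes set on purpose, so confirm it."""
    m = PROXY_RE.search(body)
    return ("proxy-set", m.group(1)) if m else None


def check_o23(body):
    """Services whose binary carries no publisher information."""
    if " - Unknown owner - " in body:
        return ("unknown-service-owner", body.split(" - ")[-1])
    return None


CHECKS = {"O2": check_o2, "O4": check_o4, "R1": check_r1, "O23": check_o23}


def triage_log(text):
    """Return (code, kind, detail) findings in log order."""
    findings = []
    for code, body in parse_hjt(text):
        check = CHECKS.get(code)
        hit = check(body) if check else None
        if hit:
            findings.append((code, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    # e.g. python hjt_triage.py hijackthis.log
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_LOG)
    for code, kind, detail in triage_log(text):
        print("%-4s %-22s %s" % (code, kind, detail))
```

Findings are pointers, not verdicts: a `proxy-set` hit on 0.0.0.0:80 is the poster's own "dead IP" trick and needs undoing once the machine is clean, and an `unknown-service-owner` hit on a vendor driver service is normal. The `malformed-clsid` hits are the ones to compare against the Registry:: section of the CFScript, since those are the keys a clean-GUID delete line will not reach.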
 

· Registered · 8 Posts · Discussion Starter · #7 ·
ComboFix 07-12-12.3 - Owner 2007-12-17 11:01:23.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.610 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\n.bat
C:\WINDOWS\system32\mcrh.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\n.bat
C:\Win32
C:\Win32\dll\client.cfg
C:\Win32\dll\FahCore_ff.exe
C:\Win32\dll\FAHlog-Prev.txt
C:\Win32\dll\FAHlog.txt
C:\Win32\dll\MyFolding.html
C:\Win32\dll\queue.dat
C:\Win32\dll\Win32.exe
C:\Win32\dll\work\logfile_04.txt
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.

2007-12-14 17:40 . 2007-12-14 17:40 <DIR> d-------- C:\Program Files\DNA
2007-12-14 17:40 . 2007-12-17 10:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DNA
2007-12-09 20:21 . 2007-12-09 20:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-09 20:14 . 2007-12-09 20:14 <DIR> d-------- C:\Deckard
2007-12-09 20:02 . 2007-12-15 11:30 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-09 16:19 . 2007-12-09 19:08 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-09 16:19 . 2007-12-09 16:21 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-09 16:19 . 2007-12-09 16:21 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-09 16:19 . 2007-12-09 16:21 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-09 15:02 . 2007-12-09 15:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\FrostWire
2007-12-09 14:24 . 2007-12-09 14:24 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2007-12-08 09:17 . 2003-10-11 00:19 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-08 09:17 . 2004-03-08 15:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Template
2007-12-08 09:17 . 2003-10-14 00:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-08 09:17 . 2003-10-10 23:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-08 09:17 . 2004-05-05 12:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-08 09:17 . 2003-10-11 00:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-08 09:17 . 2004-03-03 17:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Motive
2007-12-08 09:17 . 2004-02-21 19:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2007-12-08 09:17 . 2003-10-14 00:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2007-12-08 09:17 . 2004-07-17 14:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ArcSoft
2007-12-07 19:26 . 2007-12-07 19:26 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-12-07 19:23 . 2007-12-07 19:23 <DIR> d-------- C:\WINDOWS\system32\vlt2
2007-12-07 19:23 . 2007-12-07 19:23 <DIR> d-------- C:\WINDOWS\system32\ripd1
2007-12-07 19:23 . 2007-12-07 19:23 <DIR> d-------- C:\WINDOWS\system32\rex2
2007-12-07 19:23 . 2007-12-07 22:56 <DIR> d-------- C:\WINDOWS\system32\doc4
2007-12-07 19:23 . 2007-12-07 19:23 <DIR> d-------- C:\WINDOWS\system32\daSgo18
2007-12-07 19:23 . 2007-12-07 19:23 <DIR> d-------- C:\WINDOWS\system32\bbc5
2007-12-07 19:23 . 2007-12-07 19:30 <DIR> d-------- C:\WINDOWS\system32\ashell3
2007-12-07 19:21 . 2007-12-09 15:43 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-07 18:47 . 2007-12-09 15:10 <DIR> d-------- C:\Program Files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 22:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-12-14 22:43 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-14 22:40 --------- d-----w C:\Program Files\BitTorrent
2007-12-14 22:32 --------- d-----w C:\Program Files\Yahoo!
2007-12-14 22:31 --------- d-----w C:\Program Files\AIM
2007-12-09 22:25 --------- d-----w C:\Program Files\Multimedia Card Reader
2007-12-09 22:13 --------- d-----w C:\Program Files\iTunes
2007-12-09 20:37 --------- d-----w C:\Program Files\WildTangent
2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-15 23:10 --------- d-----w C:\Program Files\Java
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 18:23 --------- d-----w C:\Program Files\iPod
2007-11-11 18:22 --------- d-----w C:\Program Files\QuickTime
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2006-07-05 09:33 472,000 -c--a-w C:\WINDOWS\inf\WPN311\WPN311.sys
2005-01-27 14:59 35,232 -c--a-w C:\WINDOWS\inf\WPN311\ME_INST.EXE
2005-01-27 14:59 26,112 -c--a-w C:\WINDOWS\inf\WPN311\install.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\ashell3 ----


---- Directory of C:\WINDOWS\system32\bbc5 ----

2007-11-16 02:07 117913 --a------ C:\WINDOWS\system32\bbc5\gstdrvr8.exe

---- Directory of C:\WINDOWS\system32\daSgo01 ----

C:\WINDOWS\system32\daSgo01\

---- Directory of C:\WINDOWS\system32\doc4 ----


---- Directory of C:\WINDOWS\system32\rex2 ----


---- Directory of C:\WINDOWS\system32\ripd1 ----


---- Directory of C:\WINDOWS\system32\vlt2 ----

2007-12-03 15:40 921016 --a------ C:\WINDOWS\system32\vlt2\viodrivr3.exe


((((((((((((((((((((((((((((( [email protected]_15.03.03.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-12 17:38:59 65,536 -c--a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\PM_Designer.exe
+ 2007-12-14 22:52:48 65,536 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\PM_Designer.exe
- 2007-09-12 17:38:56 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe
+ 2007-12-14 22:52:48 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe
- 2007-09-12 17:38:59 25,214 -c--a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat_Standard.exe
+ 2007-12-14 22:52:48 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat_Standard.exe
- 2007-09-12 17:38:59 25,214 -c--a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Distiller.exe
+ 2007-12-14 22:52:48 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Distiller.exe
- 2007-09-12 17:38:59 7,278 -c--a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_ELEMENTS_DT.exe
+ 2007-12-14 22:52:48 7,278 ----a-r C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_ELEMENTS_DT.exe
- 2006-10-23 15:17:51 1,022,976 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2007-10-11 06:13:44 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
- 2006-10-23 15:17:51 151,040 -c--a-w C:\WINDOWS\system32\cdfview.dll
+ 2007-10-11 06:13:44 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2006-10-23 15:17:51 1,054,208 -c--a-w C:\WINDOWS\system32\danim.dll
+ 2007-10-11 06:13:44 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2006-10-23 15:17:51 1,022,976 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2007-10-11 06:13:44 1,023,488 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
- 2006-10-23 15:17:51 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2007-10-11 06:13:44 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2006-10-23 15:17:51 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
+ 2007-10-11 06:13:44 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
- 2006-10-23 15:17:52 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2007-10-11 06:13:44 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2006-10-23 15:17:52 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-10-11 06:13:44 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2006-10-23 15:17:52 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-10-11 06:13:44 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2006-10-23 11:00:41 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2007-10-10 11:16:27 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2006-10-23 15:17:52 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2007-10-11 06:13:44 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2006-10-23 15:17:52 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2007-10-11 06:13:44 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2006-10-23 15:17:52 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-10-11 06:13:44 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2006-10-23 15:17:52 3,055,104 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-10-30 10:16:33 3,058,688 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2006-10-23 15:17:52 448,512 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-10-11 06:13:45 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2006-10-23 15:17:52 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-10-11 06:13:45 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2006-10-23 15:17:52 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-10-11 06:13:45 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2006-10-23 15:17:52 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2007-10-11 06:13:45 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2007-10-29 22:43:03 1,287,680 -c----w C:\WINDOWS\system32\dllcache\quartz.dll
- 2006-10-23 15:17:53 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2007-10-11 06:13:45 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2006-10-23 15:17:53 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2007-10-11 06:13:45 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2006-10-23 15:17:53 613,888 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-10-11 06:13:45 615,424 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2006-12-19 18:08:07 852,480 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2007-06-26 15:13:22 851,968 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2006-10-23 15:17:53 658,944 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-10-11 06:13:45 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-10-19 02:47:18 222,208 -c--a-w C:\WINDOWS\system32\dllcache\WMASF.dll
+ 2007-10-27 22:40:30 222,720 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2006-10-23 15:17:52 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2007-10-11 06:13:44 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2006-10-23 15:17:52 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-10-11 06:13:44 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2006-10-23 15:17:52 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-10-11 06:13:44 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2006-10-23 15:17:52 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2007-10-11 06:13:44 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2006-10-23 15:17:52 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2007-10-11 06:13:44 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2006-10-23 15:17:52 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-10-11 06:13:44 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-12-02 23:00:05 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-10-23 15:17:52 3,055,104 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-10-30 10:16:33 3,058,688 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2006-10-23 15:17:52 448,512 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-10-11 06:13:45 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2006-10-23 15:17:52 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-10-11 06:13:45 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2006-10-23 15:17:52 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-10-11 06:13:45 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2006-10-23 15:17:52 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2007-10-11 06:13:45 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2006-10-23 15:17:53 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2007-10-11 06:13:45 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2006-10-23 15:17:53 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2007-10-11 06:13:45 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2006-10-23 15:17:53 613,888 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-10-11 06:13:45 615,424 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2006-10-23 15:17:53 658,944 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-10-11 06:13:45 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-12-17 15:57:22 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_198.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCShield"="regsvr32 /s C:\WINDOWS\system32\sfg.dll" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2007-12-14 17:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 23:11]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"PCShield"="regsvr32 /s C:\WINDOWS\system32\sfg.dll" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-05-28 16:50:02]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-03 20:01:48]
NETGEAR WPN311 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN311\wlancfg5.exe [2006-12-04 10:57:38]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-08-05 20:05 344064 --a--c--- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
2003-06-18 21:19 53248 --a--c--- C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
2003-06-22 23:25 24576 --a--c--- c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
2002-10-07 09:23 90112 --a--c--- c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 09:07 114688 --a--c--- C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2003-05-23 04:55 483328 --a--c--- C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 18:04 52736 --a--c--- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-02 18:36 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
LTMSG.exe 7

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2003-07-23 18:37 53248 --a--c--- C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Propel Accelerator]
C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-13 23:42 212992 --a--c--- C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Startup]
voltio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-12-08 14:41:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-10-23 02:23:08 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 11:04:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-17 11:05:02
C:\ComboFix2.txt ... 2007-12-13 15:03
.
2007-12-13 20:11:58 --- E O F ---


Deckard's System Scanner v20071014.68
Run by Owner on 2007-12-17 11:07:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:34 AM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - @�B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - @@�497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - �@�CD045-E861-484f-8273-0445EE161910} - (no file)
O2 - BHO: (no name) - ¨�¨�6-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - S-1-5-18 Startup: Organize.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Organize.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Organize.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NETGEAR WPN311 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://www.blackdog.net/downloads/wallpaper/halloween/cat-sm.jpg

--
End of file - 8989 bytes

-- Files created between 2007-11-17 and 2007-12-17 -----------------------------

2007-12-17 10:55:30 0 drahs---- C:\autorun.inf
2007-12-14 17:40:00 0 d-------- C:\Program Files\DNA
2007-12-14 17:40:00 0 d-------- C:\Documents and Settings\Owner\Application Data\DNA
2007-12-09 20:21:29 0 d-------- C:\Program Files\Trend Micro
2007-12-09 20:02:31 0 d-------- C:\Program Files\SpywareBlaster
2007-12-09 16:19:35 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-09 15:02:31 0 d-------- C:\Documents and Settings\Owner\Application Data\FrostWire
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\ArcSoft
2007-12-08 09:17:24 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-12-08 09:17:24 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-12-08 09:17:24 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Template
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Motive
2007-12-08 09:17:24 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-08 09:17:23 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-12-08 09:17:23 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-12-08 09:17:23 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-12-08 09:17:23 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-12-08 09:17:23 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-12-08 09:17:22 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-07 19:26:31 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2007-12-07 19:23:42 0 d-------- C:\WINDOWS\system32\doc4
2007-12-07 19:23:42 0 d-------- C:\WINDOWS\system32\bbc5
2007-12-07 19:23:34 0 d-------- C:\WINDOWS\system32\vlt2
2007-12-07 19:23:34 0 d-------- C:\WINDOWS\system32\ripd1
2007-12-07 19:23:34 0 d-------- C:\WINDOWS\system32\ashell3
2007-12-07 19:23:23 0 d-------- C:\WINDOWS\system32\rex2
2007-12-07 19:23:11 0 d-------- C:\WINDOWS\system32\daSgo18
2007-12-07 19:21:28 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-07 18:47:56 0 d-------- C:\Program Files\Google


-- Find3M Report ---------------------------------------------------------------

2007-12-14 17:53:30 0 d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-12-14 17:43:26 0 d-------- C:\Program Files\Common Files\Adobe
2007-12-14 17:40:05 0 d-------- C:\Program Files\BitTorrent
2007-12-14 17:32:57 0 d-------- C:\Program Files\Yahoo!
2007-12-14 17:31:50 0 d-------- C:\Program Files\AIM
2007-12-13 14:54:47 0 d-------- C:\Program Files\Common Files
2007-12-09 17:25:38 0 d-------- C:\Program Files\Multimedia Card Reader
2007-12-09 17:13:44 0 d-------- C:\Program Files\iTunes
2007-12-09 15:37:10 0 d-------- C:\Program Files\WildTangent
2007-11-15 18:10:58 0 d-------- C:\Program Files\Java
2007-11-11 13:23:50 0 d-------- C:\Program Files\iPod
2007-11-11 13:22:36 0 d-------- C:\Program Files\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [08/14/2003 11:11 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 08:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [11/10/2005 01:03 PM]
"PCShield"="regsvr32 /s C:\WINDOWS\system32\sfg.dll" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/19/2007 08:16 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 06:36 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCShield"="regsvr32 /s C:\WINDOWS\system32\sfg.dll" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [12/14/2007 05:40 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [5/28/2006 4:50:02 PM]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [11/3/2004 8:01:48 PM]
NETGEAR WPN311 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN311\wlancfg5.exe [12/4/2006 10:57:38 AM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
LTMSG.exe 7

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Propel Accelerator]
C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Startup]
voltio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2007-12-17 11:07:52 ------------
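The entries worth reading first in the log above are the two `PCShield` Run values (`regsvr32 /s C:\WINDOWS\system32\sfg.dll`, registered under both HKLM and HKCU, with an empty `[]` where Deckard normally prints the file's timestamp), the hidden `C:\autorun.inf` created on 2007-12-17, and the cached `AutoRun\command- D:\Info.exe folder.htt 480 480` under MountPoints2. The script below is an added example written for this page, not a tool from the thread or from the helper: it parses lines in the shape of these HijackThis O4 and Deckard registry-dump entries and flags the patterns a responder triages first (a system host such as regsvr32 or rundll32 used as a loader, a bare filename resolved through PATH, a drive AutoRun command, and an empty `[]` timestamp, which the example assumes means Deckard could not resolve the target on disk). It also reads the two-line msconfig-disabled `startupreg` entries, which the logs contain in bulk. The sample log is constructed in the page's format rather than copied from it, and the loader-host list and the wording of the reasons are the example's own choices.

```python
import re
from typing import Dict, List, Optional

# Windows binaries that execute whatever DLL or script they are handed. A Run value
# starting with one of these is a loader: the payload is the argument, not the host.
LOADER_HOSTS = {"regsvr32", "rundll32", "mshta", "wscript", "cscript"}

# Line shapes from HijackThis O4 entries and Deckard's "Registry Dump"; anything else is ignored.
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DSS_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)" \[(?P<stamp>[^\]]*)\]$')
AUTORUN_RE = re.compile(r"^AutoRun\\command- (?P<cmd>.*)$")

# Constructed sample in the shape of the page's logs, not a verbatim copy.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg.dll"
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCShield"="regsvr32 /s C:\WINDOWS\system32\sfg.dll" []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Startup]
voltio.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480
'''

def split_command(cmd: str):
    """Split a startup value into (executable, arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end], cmd[end + 1:].strip()) if end > 0 else (cmd[1:], "")
    parts = cmd.split(None, 1)
    return (parts[0], parts[1] if len(parts) > 1 else "") if parts else ("", "")

def assess(cmd: str, stamp: Optional[str] = None) -> List[str]:
    """Reasons a startup command deserves a closer look; an empty list means nothing odd."""
    reasons = []
    exe, args = split_command(cmd)
    host = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    host = host[:-4] if host.endswith(".exe") else host
    if host in LOADER_HOSTS:
        reasons.append(f"{host} used as a loader; the real payload is its argument: {args}")
    elif exe and "\\" not in exe:
        reasons.append(f"bare filename {exe!r}: located by PATH search at logon, origin unverified")
    if stamp == "":  # assumption: Deckard prints [] when it cannot stat the target file
        reasons.append("empty timestamp: the scanner could not resolve the target file on disk")
    return reasons

def normalize(cmd: str) -> str:
    return " ".join(cmd.replace('"', "").lower().split())  # grouping key across hives/tools

def triage(log_text: str) -> List[Dict[str, object]]:
    """One pass over the log; returns every startup entry that has at least one reason."""
    findings: List[Dict[str, object]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key["key"]  # remember which registry key the next lines belong to
            continue
        o4, dss, ar = O4_RE.match(line), DSS_RE.match(line), AUTORUN_RE.match(line)
        stamp = None
        if o4:
            source, name, cmd = f"HijackThis O4 {o4['hive']}", o4["name"], o4["cmd"]
        elif dss:
            source, name, cmd, stamp = "DSS Run key", dss["name"], dss["cmd"], dss["stamp"]
        elif ar:  # the drive letter is the last component of the MountPoints2 key
            drive = current_key.rsplit("\\", 1)[-1] if current_key else "?"
            source, name, cmd = "MountPoints2 AutoRun", "MountPoints2\\" + drive, ar["cmd"]
        elif "\\msconfig\\startupreg\\" in current_key.lower():  # disabled entry: bare command line
            source, name, cmd = "msconfig-disabled startup", current_key.rsplit("\\", 1)[-1], line
        else:
            continue
        reasons = assess(cmd, stamp)
        if ar:
            reasons.insert(0, "AutoRun command cached from a drive's autorun.inf; runs when the drive is opened")
        if reasons:
            findings.append({"source": source, "name": name, "command": cmd, "reasons": reasons})
    return findings

def persistence_locations(findings: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group findings by command: one loader line under HKLM and HKCU is dual persistence."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(normalize(str(f["command"])), []).append(str(f["source"]))
    return grouped

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['source']:<26} {f['name']:<16} {f['command']}")
        for reason in f["reasons"]:
            print("    -", reason)
```

Running it on the constructed sample reports the three PCShield lines (the Deckard one with two reasons), the msconfig-disabled `voltio.exe`, and the D: AutoRun command, while avast! and ctfmon produce nothing; `persistence_locations` then shows the same regsvr32 command registered in three places, which is why the helper's fix lists both the HKLM and the HKCU value.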
· TSF-Enthusiast · 923 Posts
Please run HijackThis, Scan
Check box for:

O2 - BHO: (no name) - {…B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {…497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {…CD045-E861-484f-8273-0445EE161910} - (no file)
O2 - BHO: (no name) - {…6-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg.dll"
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg.dll"

Select: Fix checked

~~~~
Next, turn off the real-time scanner of your AntiVirus program while performing the following:

Open the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Click Yes, when prompted to install its ActiveX component.
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed. There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)

Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save, and provide the information in your reply.

~~~~
Also update your version of Java!
There are vulnerabilities in older versions.

Go to Start > Control Panel > Add/Remove Programs
In the list of Currently Installed Programs, look for all previous versions of Java:
J2SE Runtime Environment number x, etc.
Select the entry and then Remove

Next, download and install the newest version:
Java Runtime Environment (JRE) 6 Update 3

~~~~
Run HijackThis once again, and Scan, to obtain a new log.

~~~~
Please post the contents of the Kaspersky Online Scanner Report, and a new HijackThis log in your reply.
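The Java step in the post above matters because JRE updates in this era did not uninstall their predecessors: the first log runs `jusched.exe` out of `jre1.5.0_06` while Internet Explorer loads `ssv.dll` from `jre1.6.0_03`, so two runtimes sit side by side and the older one stays reachable until it is removed from Add/Remove Programs. The script below is an added example, not something the helper posted: given the display names Add/Remove Programs would show, it parses each JRE's version, keeps the newest, and lists the rest for removal, optionally reporting whether the newest is still older than a required build (the helper's JRE 6 Update 3). The display-name patterns are assumed to follow Sun's naming conventions of the time ("J2SE Runtime Environment 5.0 Update 6", "Java(TM) 6 Update 3", "Java 2 Runtime Environment, SE v1.4.2_06"); the list itself is constructed for the example and is not the poster's program list.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of Add/Remove Programs display names (assumption: the
# patterns follow Sun's naming; the list is not from the poster's machine).
SAMPLE_DISPLAY_NAMES = [
    "Java 2 Runtime Environment, SE v1.4.2_06",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "Java(TM) 6 Update 3",
    "Adobe Acrobat 7.0 Standard",
    "Java Auto Updater",
]

# "J2SE Runtime Environment 5.0 Update 6", "Java(TM) 6 Update 3", "Java 8 Update 201 (64-bit)"
MODERN_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java\(TM\) SE Runtime Environment|Java\(TM\)|Java)"
    r"\s+(?P<major>\d+)(?:\.(?P<minor>\d+))?(?:\s+Update\s+(?P<update>\d+))?"
    r"(?:\s+\(64-bit\))?$"
)
# "Java 2 Runtime Environment, SE v1.4.2_06" -> 1.4.2_06, i.e. (4, 2, 6) in "Java N" numbering
LEGACY_RE = re.compile(
    r"^Java 2 Runtime Environment, SE v1\.(?P<major>\d+)\.(?P<minor>\d+)(?:_(?P<update>\d+))?$"
)

Version = Tuple[int, int, int]

def parse_jre(display_name: str) -> Optional[Version]:
    """(major, minor, update) for a JRE display name, None for anything else."""
    m = MODERN_RE.match(display_name) or LEGACY_RE.match(display_name)
    if not m:
        return None
    return (int(m["major"]), int(m["minor"] or 0), int(m["update"] or 0))

def stale_jres(display_names: List[str], required: Optional[Version] = None):
    """Return (newest JRE name, names to remove, whether the newest is older than `required`)."""
    installed = []
    for name in display_names:
        version = parse_jre(name)
        if version:
            installed.append((version, name))
    if not installed:
        return None, [], required is not None
    installed.sort()                      # tuples compare major, then minor, then update
    newest_version, newest_name = installed[-1]
    stale = [name for _, name in installed[:-1]]
    return newest_name, stale, required is not None and newest_version < required

if __name__ == "__main__":
    newest, stale, outdated = stale_jres(SAMPLE_DISPLAY_NAMES, required=(6, 0, 3))
    print("keep:  ", newest, "(older than the required build)" if outdated else "")
    for name in stale:
        print("remove:", name)
```

On the constructed list it keeps "Java(TM) 6 Update 3" and lists the 1.4.2, 5.0 and 6 Update 1 runtimes for removal; "Java Auto Updater" and Acrobat are ignored because they are not runtimes.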
· Registered · 8 Posts · Discussion Starter · #9 ·
Deckard's System Scanner v20071014.68
Run by Owner on 2007-12-19 17:39:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:43 PM, on 12/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - S-1-5-18 Startup: Organize.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Organize.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Organize.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NETGEAR WPN311 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://www.blackdog.net/downloads/wallpaper/halloween/cat-sm.jpg

--
End of file - 8746 bytes

-- Files created between 2007-11-19 and 2007-12-19 -----------------------------

2007-12-19 16:42:26 0 d-------- C:\Program Files\Sun
2007-12-19 13:24:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-19 13:24:50 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-19 13:24:46 0 d-------- C:\WINDOWS\LastGood
2007-12-17 10:55:30 0 drahs---- C:\autorun.inf
2007-12-14 17:40:00 0 d-------- C:\Program Files\DNA
2007-12-14 17:40:00 0 d-------- C:\Documents and Settings\Owner\Application Data\DNA
2007-12-09 20:21:29 0 d-------- C:\Program Files\Trend Micro
2007-12-09 20:02:31 0 d-------- C:\Program Files\SpywareBlaster
2007-12-09 16:19:35 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-09 15:02:31 0 d-------- C:\Documents and Settings\Owner\Application Data\FrostWire
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\ArcSoft
2007-12-08 09:17:24 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-12-08 09:17:24 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-12-08 09:17:24 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Template
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Motive
2007-12-08 09:17:24 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-08 09:17:23 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-12-08 09:17:23 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-12-08 09:17:23 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-12-08 09:17:23 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-12-08 09:17:23 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-12-08 09:17:22 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-07 19:26:31 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2007-12-07 19:23:42 0 d-------- C:\WINDOWS\system32\doc4
2007-12-07 19:23:42 0 d-------- C:\WINDOWS\system32\bbc5
2007-12-07 19:23:34 0 d-------- C:\WINDOWS\system32\vlt2
2007-12-07 19:23:34 0 d-------- C:\WINDOWS\system32\ripd1
2007-12-07 19:23:34 0 d-------- C:\WINDOWS\system32\ashell3
2007-12-07 19:23:23 0 d-------- C:\WINDOWS\system32\rex2
2007-12-07 19:23:11 0 d-------- C:\WINDOWS\system32\daSgo18
2007-12-07 19:21:28 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-07 18:47:56 0 d-------- C:\Program Files\Google


-- Find3M Report ---------------------------------------------------------------

2007-12-19 16:42:20 0 d-------- C:\Program Files\Java
2007-12-14 17:53:30 0 d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-12-14 17:43:26 0 d-------- C:\Program Files\Common Files\Adobe
2007-12-14 17:40:05 0 d-------- C:\Program Files\BitTorrent
2007-12-14 17:32:57 0 d-------- C:\Program Files\Yahoo!
2007-12-14 17:31:50 0 d-------- C:\Program Files\AIM
2007-12-13 14:54:47 0 d-------- C:\Program Files\Common Files
2007-12-09 17:25:38 0 d-------- C:\Program Files\Multimedia Card Reader
2007-12-09 17:13:44 0 d-------- C:\Program Files\iTunes
2007-12-09 15:37:10 0 d-------- C:\Program Files\WildTangent
2007-11-11 13:23:50 0 d-------- C:\Program Files\iPod
2007-11-11 13:22:36 0 d-------- C:\Program Files\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [08/14/2003 11:11 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 08:00 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/19/2007 08:16 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 06:36 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [12/14/2007 05:40 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [5/28/2006 4:50:02 PM]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [11/3/2004 8:01:48 PM]
NETGEAR WPN311 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN311\wlancfg5.exe [12/4/2006 10:57:38 AM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
LTMSG.exe 7

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Propel Accelerator]
C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Startup]
voltio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2007-12-19 17:39:58 ------------


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 19, 2007 4:27:03 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/12/2007
Kaspersky Anti-Virus database records: 489182
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 112961
Number of viruses found: 11
Number of infected objects: 49
Number of suspicious objects: 0
Duration of the scan process: 01:24:20

Infected Object Name / Virus Name / Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\caqlyuvv.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\dlwixoql.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\dswtmhmj.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\efcgxlvu.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\exjegpqb.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\gcaaqyqf.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\gfnsaqmf.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\gitobxmn.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\hqhmhmdi.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\kjymxiuq.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\lpllfrfy.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\mofugclq.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\ngproxvf.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\peuagbsx.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\qrjatydi.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\rhvqsuwb.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\sheqipoi.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\ujjivnwv.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\urclqecd.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\vntmrykt.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\xqedqkpr.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\ywuecxwm.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Deckard\System Scanner\20071209204557\backup\WINDOWS\temp\hsperfdata_SYSTEM\2008 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ddcaayx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\fnktkvsg.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\mvdpycum.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\mwxebjoj.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\pmnoomn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\roskfidp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\zzlccehv.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\qoobox\Quarantine\catchme2007-12-13_150151.70.zip/ljjifec.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\qoobox\Quarantine\catchme2007-12-13_150151.70.zip/zzlccehv.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\qoobox\Quarantine\catchme2007-12-13_150151.70.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP472\A0121000.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP472\A0121474.dll Infected: not-a-virus:AdWare.Win32.Agent.wx skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP472\A0122328.dll Infected: not-a-virus:AdWare.Win32.Agent.wx skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP472\A0122356.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP473\A0122357.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP475\A0126522.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP475\A0126523.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP475\A0126524.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP475\A0126525.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP475\A0126526.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP475\A0126527.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP475\A0126536.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP475\A0126538.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP475\A0126544.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP489\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Quarantine\1EFC22FC Infected: Backdoor.Win32.Rbot.gen skipped
C:\WINDOWS\Quarantine\2C992938.exe Infected: Backdoor.Win32.Rbot.bm skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\PreUninstall.exe Infected: not-a-virus:AdWare.Win32.Suggestor.g skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_4ec.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_f8.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped

Scan process completed.
 

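The Kaspersky report above lists 49 infected objects, but most of them sit in ComboFix's quarantine, Deckard's backup folder, Windows' own quarantine, or System Restore snapshots rather than on the live system. The Python triage helper below is an added example (not part of this thread or of any tool named in it): it parses lines in that report's format, drops the "Object is locked" noise, sorts detections by where they live, and lists only the ones outside contained locations; the sample lines are copied from the log above.

```python
"""Triage helper for Kaspersky Online Scanner report lines.

Added example, not part of the forum thread or any tool mentioned in it.
It separates real detections from 'Object is locked' noise and sorts the
detections by location, so only items outside quarantine folders and
System Restore snapshots are flagged as still needing action.
"""
import re
from collections import Counter

# Locations that hold neutralised copies: a hit here is stale, not active.
# Patterns are matched against the lower-cased path.
CONTAINED_PREFIXES = {
    "combofix quarantine": r"^[a-z]:\\qoobox\\quarantine\\",
    "windows quarantine": r"^[a-z]:\\windows\\quarantine\\",
    "deckard backup": r"^[a-z]:\\deckard\\system scanner\\[^\\]+\\backup\\",
    "system restore": r"^[a-z]:\\system volume information\\_restore",
}

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) ZIP: infected - (?P<count>\d+) (?P<action>\w+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

# Sample lines taken from the Kaspersky report in this thread.
SAMPLE_REPORT = r"""
C:\Deckard\System Scanner\20071209204557\backup\DOCUME~1\Owner\LOCALS~1\Temp\caqlyuvv.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\zzlccehv.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\qoobox\Quarantine\catchme2007-12-13_150151.70.zip ZIP: infected - 2 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP472\A0122356.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Quarantine\2C992938.exe Infected: Backdoor.Win32.Rbot.bm skipped
C:\WINDOWS\system32\PreUninstall.exe Infected: not-a-virus:AdWare.Win32.Suggestor.g skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""


def classify_location(path):
    """Label a path as one of the contained locations, or 'live'."""
    low = path.lower()
    for label, pattern in CONTAINED_PREFIXES.items():
        if re.match(pattern, low):
            return label
    return "live"


def parse_line(line):
    """Return a dict describing one result line, or None for any other line."""
    line = line.strip()
    m = INFECTED_RE.match(line)
    if m:
        return {"kind": "infected", "path": m["path"], "name": m["name"],
                "location": classify_location(m["path"])}
    m = ARCHIVE_RE.match(line)
    if m:
        return {"kind": "archive", "path": m["path"],
                "name": "(archive, %s infected members)" % m["count"],
                "location": classify_location(m["path"])}
    m = LOCKED_RE.match(line)
    if m:
        return {"kind": "locked", "path": m["path"], "name": None, "location": None}
    return None


def triage(report_text):
    """Summarise a report: locked count, detections per location, live detections."""
    by_location = Counter()
    live = []
    locked = 0
    for raw in report_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["kind"] == "locked":
            locked += 1  # in-use system files, not detections
            continue
        by_location[rec["location"]] += 1
        if rec["location"] == "live":
            live.append((rec["path"], rec["name"]))
    return {"locked": locked, "by_location": dict(by_location), "live": live}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("locked (ignored):", result["locked"])
    for label, count in sorted(result["by_location"].items()):
        print("%-20s %d" % (label, count))
    print("still needs action:")
    for path, name in result["live"]:
        print("  ", path, "->", name)
```

Run against the full report, only C:\WINDOWS\system32\PreUninstall.exe falls outside a contained location; everything else is a copy that removing the quarantine folders and old restore points will clear.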
TSF-Enthusiast · 923 Posts
We will deal with the items found by Kaspersky later, when we wrap up.

Now, please run HijackThis once again, and Scan
Check box for:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

O24 - Desktop Component 0: (no name) - http://www.blackdog.net/downloads/wa...een/cat-sm.jpg

Select: Fix checked

~~~~
Open Notepad (Start > Run > in the Open field type: notepad)
Click: OK

Copy/paste the blue text below to Notepad:

Folder::
C:\WINDOWS\system32\ashell3
C:\WINDOWS\system32\bbc5
C:\WINDOWS\system32\daSgo01
C:\WINDOWS\system32\doc4
C:\WINDOWS\system32\rex2
C:\WINDOWS\system32\ripd1
C:\WINDOWS\system32\vlt2
C:\Program Files\Viewpoint
C:\Program Files\WildTangent

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCShield"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCShield"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]



Save as CFScript.txt <<< Important!!
Change the Save as type to: All Files
Save it to the Desktop



Referring to the screenshot above, drag CFScript.txt >>> into >>> ComboFix.exe
ComboFix runs a scan on your system, and may reboot when it finishes. This is normal.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced: ComboFix.txt

~~~~
Next, download the Free Trial version of SuperAntiSpyware Professional
  • Run SuperAntiSpyware and click: Check for updates
  • Once the update is finished, on the main screen, click: Scan your computer
  • Check: Perform Complete Scan
  • Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
  • Click: Preferences
  • Click the Statistics/Logs tab
  • Under Scanner Logs, double-click SuperAntiSpyware Scan Log (It opens in your default text editor, such as Notepad)

~~~~
Run HijackThis once again, and Scan, to obtain a new log.

~~~~
Please provide the contents of the new ComboFix log, the SuperAntiSpyware log, and the new HijackThis log in your reply.
 

Registered · 8 Posts · Discussion Starter · #11
ComboFix 07-12-31.4 - Owner 2007-12-31 15:16:35.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.587 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
.

2007-12-31 11:17 . 2007-12-31 11:19 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-31 11:17 . 2007-12-31 11:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 11:17 . 2007-12-31 11:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-12-31 11:17 . 2007-12-31 11:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-19 16:42 . 2007-12-19 16:42 <DIR> d-------- C:\Program Files\Sun
2007-12-19 16:42 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-19 13:24 . 2007-12-19 13:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-19 13:24 . 2007-12-19 13:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-14 17:40 . 2007-12-14 17:40 <DIR> d-------- C:\Program Files\DNA
2007-12-14 17:40 . 2007-12-31 15:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DNA
2007-12-13 14:42 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-09 20:21 . 2007-12-09 20:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-09 20:14 . 2007-12-09 20:14 <DIR> d-------- C:\Deckard
2007-12-09 20:02 . 2007-12-15 11:30 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-09 16:19 . 2007-12-31 13:35 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-09 16:19 . 2007-12-09 16:21 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-09 16:19 . 2007-12-09 16:21 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-09 16:19 . 2007-12-09 16:21 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-09 15:02 . 2007-12-09 15:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\FrostWire
2007-12-09 14:24 . 2007-12-09 14:24 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2007-12-08 09:17 . 2003-10-11 00:19 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-08 09:17 . 2004-03-08 15:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Template
2007-12-08 09:17 . 2003-10-14 00:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-08 09:17 . 2003-10-10 23:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-08 09:17 . 2004-05-05 12:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-08 09:17 . 2003-10-11 00:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-08 09:17 . 2004-03-03 17:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Motive
2007-12-08 09:17 . 2004-02-21 19:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2007-12-08 09:17 . 2003-10-14 00:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2007-12-08 09:17 . 2004-07-17 14:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ArcSoft
2007-12-07 19:26 . 2007-12-07 19:26 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-12-07 19:23 . 2007-12-07 19:23 <DIR> d-------- C:\WINDOWS\system32\daSgo18
2007-12-07 19:21 . 2007-12-09 15:43 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-07 18:47 . 2007-12-18 11:20 <DIR> d-------- C:\Program Files\Google
2007-11-11 13:23 . 2007-11-11 13:23 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-19 21:42 --------- d-----w C:\Program Files\Java
2007-12-14 22:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-12-14 22:43 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-14 22:40 --------- d-----w C:\Program Files\BitTorrent
2007-12-14 22:32 --------- d-----w C:\Program Files\Yahoo!
2007-12-14 22:31 --------- d-----w C:\Program Files\AIM
2007-12-09 22:25 --------- d-----w C:\Program Files\Multimedia Card Reader
2007-12-09 22:13 --------- d-----w C:\Program Files\iTunes
2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 18:22 --------- d-----w C:\Program Files\QuickTime
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2006-07-05 09:33 472,000 -c--a-w C:\WINDOWS\inf\WPN311\WPN311.sys
2005-01-27 14:59 35,232 -c--a-w C:\WINDOWS\inf\WPN311\ME_INST.EXE
2005-01-27 14:59 26,112 -c--a-w C:\WINDOWS\inf\WPN311\install.exe
.

((((((((((((((((((((((((((((( [email protected]_11.15.42.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-31 16:17:54 34,304 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF1.exe
+ 2007-12-31 16:17:54 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-12-31 20:10:42 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4d0.dat
+ 2007-12-31 20:10:48 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_724.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2007-12-14 17:40 290112]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 23:11 139264]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-05-28 16:50:02]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-03 20:01:48]
NETGEAR WPN311 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN311\wlancfg5.exe [2006-12-04 10:57:38]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-08-05 20:05 344064 --a--c--- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
2003-06-18 21:19 53248 --a--c--- C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
2003-06-22 23:25 24576 --a--c--- c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
2002-10-07 09:23 90112 --a--c--- c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 09:07 114688 --a--c--- C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2003-05-23 04:55 483328 --a--c--- C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 18:04 52736 --a--c--- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-02 18:36 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
LTMSG.exe 7

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2003-07-23 18:37 53248 --a--c--- C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Propel Accelerator]
C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-13 23:42 212992 --a--c--- C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Startup]
voltio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [2003-07-30 04:15]
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [2003-07-30 04:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-12-08 14:41:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-10-23 02:23:08 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-31 15:20:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-31 15:21:03
C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 20:20:54
C:\qoobox\ComboFix2.txt 2007-12-31 16:16:07
C:\qoobox\ComboFix3.txt 2007-12-17 16:05:04
C:\qoobox\ComboFix4.txt 2007-12-13 20:03:30
.
2007-12-21 16:48:20 --- E O F ---


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/31/2007 at 01:43 PM

Application Version : 3.9.1008

Core Rules Database Version : 3371
Trace Rules Database Version: 1366

Scan type : Complete Scan
Total Scan Time : 02:23:16

Memory items scanned : 433
Memory threats detected : 0
Registry items scanned : 6105
Registry threats detected : 0
File items scanned : 49944
File threats detected : 217

Adware.Tracking Cookie
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][3].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][3].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][3].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][3].txt
C:\Documents and Settings\Owner\cookies\[email protected][3].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\cookies\[email protected][2].txt
C:\Documents and Settings\Owner\cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected]********pussyfuck.mail.everyone[1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected]-2.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected]-2.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected]-2.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected]-2.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected]-2.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected]-2.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected]-2.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected]********pussyfuck.mail.everyone[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\[email protected]-2.stats.esomniture[2].txt

Trojan.Downloader-Gen/TaLDrv
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\BBC5\GSTDRVR8.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP496\A0128767.EXE

Adware.SearchAssistant
C:\WINDOWS\SYSTEM32\PREUNINSTALL.EXE


Deckard's System Scanner v20071014.68
Run by Owner on 2007-12-31 15:21:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:22:04 PM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: Organize.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Organize.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Organize.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NETGEAR WPN311 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 8293 bytes

-- Files created between 2007-11-30 and 2007-12-31 -----------------------------

2007-12-31 11:17:57 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-31 11:17:52 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-31 11:17:52 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-12-31 11:17:28 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-19 16:42:26 0 d-------- C:\Program Files\Sun
2007-12-19 13:24:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-19 13:24:50 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-17 10:55:30 0 drahs---- C:\autorun.inf
2007-12-14 17:40:00 0 d-------- C:\Program Files\DNA
2007-12-14 17:40:00 0 d-------- C:\Documents and Settings\Owner\Application Data\DNA
2007-12-09 20:21:29 0 d-------- C:\Program Files\Trend Micro
2007-12-09 20:02:31 0 d-------- C:\Program Files\SpywareBlaster
2007-12-09 16:19:35 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-09 15:02:31 0 d-------- C:\Documents and Settings\Owner\Application Data\FrostWire
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-12-08 09:17:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\ArcSoft
2007-12-08 09:17:24 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-12-08 09:17:24 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-12-08 09:17:24 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Template
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2007-12-08 09:17:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Motive
2007-12-08 09:17:24 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-08 09:17:23 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-12-08 09:17:23 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-12-08 09:17:23 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-12-08 09:17:23 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-12-08 09:17:23 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-12-08 09:17:23 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-12-08 09:17:22 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-07 19:26:31 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2007-12-07 19:23:11 0 d-------- C:\WINDOWS\system32\daSgo18
2007-12-07 19:21:28 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-07 18:47:56 0 d-------- C:\Program Files\Google


-- Find3M Report ---------------------------------------------------------------

2007-12-31 11:17:28 0 d-------- C:\Program Files\Common Files
2007-12-19 16:42:20 0 d-------- C:\Program Files\Java
2007-12-14 17:53:30 0 d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2007-12-14 17:43:26 0 d-------- C:\Program Files\Common Files\Adobe
2007-12-14 17:40:05 0 d-------- C:\Program Files\BitTorrent
2007-12-14 17:32:57 0 d-------- C:\Program Files\Yahoo!
2007-12-14 17:31:50 0 d-------- C:\Program Files\AIM
2007-12-09 17:25:38 0 d-------- C:\Program Files\Multimedia Card Reader
2007-12-09 17:13:44 0 d-------- C:\Program Files\iTunes
2007-11-11 13:23:50 0 d-------- C:\Program Files\iPod
2007-11-11 13:22:36 0 d-------- C:\Program Files\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [08/14/2003 11:11 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 08:00 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/19/2007 08:16 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 06:36 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [12/14/2007 05:40 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [5/28/2006 4:50:02 PM]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [11/3/2004 8:01:48 PM]
NETGEAR WPN311 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN311\wlancfg5.exe [12/4/2006 10:57:38 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
C:\hp\bin\AUTOTKIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
LTMSG.exe 7

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Propel Accelerator]
C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Startup]
voltio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2007-12-31 15:22:23 ------------

· TSF-Enthusiast · 923 Posts
Missed an entry…

Please launch Notepad, (Start > Run, type in: notepad)

Copy/paste all the blue REGEDIT below to it

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Startup]

In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: clean.reg
Save as Type: All files
Click: Save
Exit out of Notepad.

Back on the Desktop, double-click on the clean.reg file just saved and click on Yes when asked to merge the information into the Registry.

~~~~
Next, enable the viewing of Hidden Files and Folders as follows:
  • At your Desktop, go to Start > My Computer
  • Select the Tools menu and then Folder Options
  • After the new window appears select the View tab
  • Select: Display the contents of system folders
  • Under the Hidden files and folders section select: Show hidden files and folders
  • Remove the checkmark from: Hide file extensions for known file types
  • Remove the checkmark from: Hide protected operating system files (Recommended)
  • Press the Apply button
  • Click OK

Search for, and if found, remove the following file:
C:\WINDOWS\System32\voltio.exe

~~~~
Other than the above, the logs look OK. If you are not having malware problems, you are good to go!

Please do the following to wrap up:
  • Go to Start, then select: Run
  • Type Combofix /u in the Open box, and click OK. (Notice the space before /u)
  • This command uninstalls ComboFix, implements some cleanup procedures, and resets System Restore points.


Also remove the following:
Clean.reg (right-click and select: Delete)


Some of the best suggestions and programs to remain malware free are contained in Tony Klein’s article:
How Did I Get Infected In The First Place

It is also a very good practice to perform an online virus scan on a regular basis.
Scanners do not have identical malware definitions, and what one misses, another one can catch.
Some of the scanners are:
BitDefender Online Scanner
ESET NOD32 Online Scanner
F-Secure Online Scanner
Panda ActiveScan
TrendMicro HouseCall

~~~~
If you have any questions or comments, post back. Otherwise...

Good luck, and safe journey through the Internet!!
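A triage script for the situation in this thread, added here as an example; it is not part of DSS, HijackThis, ComboFix or the helper's instructions, and its function names are its own. It parses the msconfig "startupreg" keys out of a DSS-style registry dump, flags every entry whose command names a bare file with no directory (for rundll32.exe lines it checks the DLL argument instead, since that is what actually gets loaded), and writes the same kind of REGEDIT4 deletion file the helper had the poster merge. The dump embedded below is a constructed excerpt modelled on the log posted above, not the log itself.

```python
"""Triage msconfig 'startupreg' entries from a Deckard's System Scanner
registry dump and build the REGEDIT4 file that deletes a chosen key.

Added example for this thread; not part of DSS, HijackThis or the helper's
instructions. SAMPLE_DUMP is a constructed excerpt modelled on the log above.
"""
import ntpath
import re
from typing import Iterable

# Constructed excerpt in the layout of the DSS "Registry Dump" section above.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
LTMSG.exe 7

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Startup]
voltio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")


def parse_startupreg(dump: str) -> dict:
    """Map each ...\\msconfig\\startupreg\\<name> key to the command line DSS
    printed on the line after it; keys outside startupreg are skipped."""
    entries = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            current = key if "\\msconfig\\startupreg\\" in key.lower() else None
        elif current is not None and current not in entries:
            entries[current] = line
    return entries


def launched_image(command: str) -> str:
    """Return the file the command really loads: the executable, or for
    rundll32.exe the DLL named in its first argument."""
    cmd = command.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        if close < 0:
            close = len(cmd)
        exe, rest = cmd[1:close], cmd[close + 1:].strip()
    else:
        exe, _, rest = cmd.partition(" ")
        rest = rest.strip()
    if ntpath.basename(exe).lower() == "rundll32.exe" and rest:
        # rundll32 <dll>,<entrypoint> ...: the DLL, not rundll32, is the payload.
        return rest.split(",", 1)[0].split()[0]
    return exe


def is_unqualified(image: str) -> bool:
    """True when no directory is given, so Windows locates the file by search
    order (application dir, System32, PATH, ...) and a same-named file dropped
    into System32 is what runs; the thread's voltio.exe entry is of this kind."""
    return ntpath.dirname(image) == ""


def flag_unqualified(entries: dict) -> dict:
    """Subset of entries whose launched image carries no path: the ones to
    look up by hand (does the file sit in System32? who signed it?)."""
    flagged = {}
    for key, command in entries.items():
        image = launched_image(command)
        if is_unqualified(image):
            flagged[key] = image
    return flagged


def deletion_reg(keys: Iterable[str]) -> str:
    """REGEDIT4 text deleting each key. A '-' right after '[' tells regedit to
    delete the key (and its values) instead of creating it; the trailing blank
    line is kept because regedit can ignore a final line without one."""
    lines = ["REGEDIT4", ""]
    lines.extend(f"[-{key}]" for key in keys)
    return "\n".join(lines) + "\n\n"


if __name__ == "__main__":
    flagged = flag_unqualified(parse_startupreg(SAMPLE_DUMP))
    for key, image in flagged.items():
        name = key.rsplit("\\", 1)[-1]
        print(f"REVIEW  {image:<14} <- startupreg\\{name}")
    # After review the analyst picks the keys to drop; in the thread that was
    # the 'System Startup' entry, whose image was voltio.exe.
    chosen = [k for k, img in flagged.items() if img.lower() == "voltio.exe"]
    print(deletion_reg(chosen), end="")
```

The flagged list is a starting point, not a verdict: a bare name only means the entry relies on the loader's search order, so each one still needs the file located and checked, which is why the helper also had the poster turn on hidden and protected files before deleting C:\WINDOWS\System32\voltio.exe. Only the key the analyst confirms goes into the .reg file; merging it does nothing to the file on disk, which has to be removed separately.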