help please!

wiwazevedo

Member
I lent the laptop to a friend and it came back all messed up: no admin rights. Here's the hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:16 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINNT\system32\ZuneBusEnum.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Program Files\Router\Router.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\mrofinu.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [runner1] C:\WINNT\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF968951185EFC41280C9D7DBE80DC744B6CDE39577AF10FB68AD6
O4 - HKLM\..\Run: [a8a28f57] rundll32.exe "C:\WINNT\system32\trrwylbi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [desktop_light.pxx] "C:\Program Files\Tavultesoft\Keyman Desktop Light 7.0\kmshell.exe"
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://home.myspace.com
O15 - Trusted Zone: http://messaging.myspace.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {CF25C291-E91C-11D3-873F-0000B4A2973D} (RingCentral Message Player Control) - http://service.ringcentral.com/ActiveX/RingCentral_Message_Player.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://128.230.73.133/activex/AMC.cab
O20 - AppInit_DLLs: C:\WINNT\system32\skuns.dat
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINNT\system32\HPHipm09.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\profsyx.html

--
End of file - 7822 bytes

Thanks guys
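As an added illustration, not part of this thread or of HijackThis itself: a small Python triage script that flags the entry types a responder checks first in a HijackThis log (O4 autostarts with random-looking names, O7 policy lockouts such as the DisableRegedit=1 seen above, O15 Trusted Zone additions, O20 AppInit_DLLs), run over a subset of the lines posted above. The heuristics, the regexes and the Finding type are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A subset of the HijackThis log posted in this thread (constructed sample input).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\System32\smss.exe

O4 - HKLM\..\Run: [a8a28f57] rundll32.exe "C:\WINNT\system32\trrwylbi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: http://home.myspace.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - AppInit_DLLs: C:\WINNT\system32\skuns.dat
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
"""

# Every HJT finding is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
POLICY_RE = re.compile(r"^(?P<hive>HK\w+)\\.*, (?P<setting>\w+)=(?P<value>\S+)$")
TRUSTED_RE = re.compile(r"^Trusted Zone: (?P<site>\S+)(?: \((?P<scope>HKLM)\))?$")
DLL_RE = re.compile(r'([A-Za-z]:\\[^"\s,]+\.dll)', re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")      # value names like "a8a28f57"
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")      # DLL names like "trrwylbi"


@dataclass
class Finding:
    code: str
    severity: str   # "high" = act on it, "review" = confirm with the user first
    reason: str
    line: str


def _triage_run_entry(body: str, line: str) -> Optional[Finding]:
    """O4 autostart entries: flag random-looking value names and rundll32
    loading a DLL whose file name looks machine-generated."""
    rm = RUN_RE.match(body)
    if not rm:
        return None
    name, cmd = rm["name"], rm["cmd"]
    reasons = []
    if HEX_NAME_RE.match(name):
        reasons.append(f"value name '{name}' is random-looking hex")
    dm = DLL_RE.search(cmd)
    if dm and "rundll32" in cmd.lower():
        stem = dm.group(1).rsplit("\\", 1)[-1][:-4].lower()
        if RANDOM_STEM_RE.match(stem):
            reasons.append(f"rundll32 loads {dm.group(1)}, whose name looks machine-generated")
    return Finding("O4", "high", "; ".join(reasons), line) if reasons else None


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT line, or None if it is benign or not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None                      # header, process list or blank line
    code, body = m["code"], m["body"]
    if code == "O4":
        return _triage_run_entry(body, line)
    if code == "O7":                     # Explorer/System policy restrictions
        pm = POLICY_RE.match(body)
        if pm and pm["value"] != "0":
            return Finding(code, "high",
                           f"{pm['setting']} set under {pm['hive']}: the user is locked out of a built-in tool", line)
    elif code == "O15":                  # IE Trusted Zone additions
        tm = TRUSTED_RE.match(body)
        if tm:
            machine_wide = tm["scope"] is not None
            where = "machine-wide (HKLM)" if machine_wide else "for this user"
            return Finding(code, "high" if machine_wide else "review", f"{tm['site']} trusted {where}", line)
    elif code == "O20":                  # AppInit_DLLs is loaded into every GUI process
        value = body.partition(":")[2].strip()
        if value:
            ext = value.rsplit(".", 1)[-1].lower()
            note = "" if ext == "dll" else f" (non-DLL extension .{ext})"
            return Finding(code, "high", f"AppInit_DLLs injects {value}{note}", line)
    return None


def triage(log_text: str) -> list[Finding]:
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}")
```

The O7 hits are what the poster sees as "no admin rights": both hives carry DisableRegedit=1, which the O4/O20 entries rely on to stay in place.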
 
Your system is quite badly infected.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix.

You may wish to print out these instructions or copy them to a notepad document since you will be unable to access the Internet while in Safe Mode to read from this site.

Please then reboot your computer in Safe Mode (tap F8 just before Windows starts to load and select Safe Mode from the list).
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.

Please post
  • The ComboFix log
  • The SDFix log
  • A new HijackThis log
 
Here is the ComboFix log:

ComboFix 08-02-20.2 - Eli 2008-02-20 3:00:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.424 [GMT -8:00]
Running from: C:\Documents and Settings\Eli\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\WINNT\system32\ljjki.dll
C:\WINNT\system32\pmnmjgf.dll
C:\check_LSA7.txt
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\Eli\Application Data\WinTouch
C:\Documents and Settings\Eli\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Eli\err.log
C:\onoes.exe
C:\Program Files\inetget2
C:\Program Files\Insider
C:\Program Files\ISM2
C:\Program Files\ISM2\adhydraupd.exe
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\ISMPack7.exe
C:\Program Files\ISM2\targets.gz
C:\Program Files\Messenger\profsyx.html
C:\Program Files\outlook
C:\Program Files\outlook\outlook.exe
C:\Program Files\outlook\p.zip
C:\Program Files\outlook\v.tmp
C:\Program Files\Router
C:\Program Files\Router\Router.exe
C:\Program Files\Router\UnInstall.exe
C:\Program Files\svhost
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERIns.exe
C:\Program Files\WinAble
C:\Program Files\Words
C:\Program Files\Words\list.txt
C:\Program Files\Words\script.txt
C:\Program Files\Words\UnInstall.exe
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fCOe
C:\Temp\fCOe\tOasF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\temp\tn3
C:\WINNT\b103.exe
C:\WINNT\b116.exe
C:\WINNT\b122.exe
C:\WINNT\b138.exe
C:\WINNT\b143.exe
C:\WINNT\b147.exe
C:\WINNT\b151.exe
C:\WINNT\b153.exe
C:\WINNT\cookies.ini
C:\WINNT\cs_cache.ini
C:\WINNT\Fonts\a.zip
C:\WINNT\mrofinu1188.exe
C:\WINNT\stem~1
C:\WINNT\system32\atmtd.dll._
C:\WINNT\system32\bronto.dll
C:\WINNT\system32\bszip.dll
C:\WINNT\system32\cmd.com
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\drivers\npf.sys
C:\WINNT\system32\ehxuslxp.ini
C:\WINNT\system32\hkhdafli.ini
C:\WINNT\system32\iblywrrt.ini
C:\WINNT\system32\ikjjl.bak1
C:\WINNT\system32\ikjjl.bak2
C:\WINNT\system32\ikjjl.ini
C:\WINNT\system32\khfebay.dll
C:\WINNT\system32\lfjtvxxu.ini
C:\WINNT\system32\ljjki.dll
C:\WINNT\system32\lrjqslbu.dll
C:\WINNT\system32\MabryObj.dll
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\msdtexch.dll
C:\WINNT\system32\msftedswc.dll
C:\WINNT\system32\mskvtns.dll
C:\WINNT\system32\netstat.com
C:\WINNT\system32\ngefidyd.ini
C:\WINNT\system32\nGpxx18
C:\WINNT\system32\nGpxx18\nGpxx182328.exe
C:\WINNT\system32\nmullsqt.dll
C:\WINNT\system32\nvs2.inf
C:\WINNT\system32\o09PrEz
C:\WINNT\system32\oTt02e
C:\WINNT\system32\oTt02e\oTt02e1065.exe
C:\WINNT\system32\pac.txt
C:\WINNT\system32\packet.dll
C:\WINNT\system32\ping.com
C:\WINNT\system32\pmnmjgf.dll
C:\WINNT\system32\protector.exe
C:\WINNT\system32\qbrjelci.dll
C:\WINNT\system32\regedit.com
C:\WINNT\system32\S1
C:\WINNT\system32\S2
C:\WINNT\system32\S4
C:\WINNT\system32\S6
C:\WINNT\system32\S7
C:\WINNT\system32\taskkill.com
C:\WINNT\system32\tasklist.com
C:\WINNT\system32\tracert.com
C:\WINNT\system32\trrwylbi.dll
C:\WINNT\system32\updppjai.dll
C:\WINNT\system32\vefstfde.dll
C:\WINNT\system32\vrenhr.dat
C:\WINNT\system32\vrenhr_nav.dat
C:\WINNT\system32\vrenhr_navps.dat
C:\WINNT\system32\win
C:\WINNT\system32\wnscpsv32.exe
C:\WINNT\system32\wpcap.dll
C:\WINNT\system32\ystem~1
C:\WINNT\system32\ystem~1\?ystem\
C:\WINNT\wr.txt
C:\WINNT\Fonts\'

----- BITS: Possible infected sites -----

hxxp://resources.zune.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NTIO256
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\ApiMon
-------\nm
-------\ntio256


((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-19 21:41 . 2008-02-19 21:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-17 16:53 . 2008-02-17 16:53 <DIR> d-------- C:\Program Files\xInsIDE
2008-02-16 16:49 . 2008-02-16 16:50 <DIR> d-------- C:\Program Files\Any Video Converter Professional
2008-02-16 16:49 . 2008-02-16 17:56 <DIR> d-------- C:\Documents and Settings\Eli\Application Data\Any Video Converter Professional
2008-02-16 16:17 . 2008-02-16 16:17 147,456 --a------ C:\WINNT\system32\vbzip10.dll
2008-02-16 11:28 . 2008-02-16 11:28 <DIR> d-------- C:\Program Files\Any Video Converter
2008-02-16 11:28 . 2008-02-16 12:33 <DIR> d-------- C:\Documents and Settings\Eli\Application Data\Any Video Converter
2008-02-14 22:09 . 2008-02-14 22:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tavultesoft
2008-02-14 22:04 . 2008-02-14 22:04 <DIR> d-------- C:\Program Files\Common Files\Tavultesoft
2008-02-14 22:03 . 2008-02-14 22:04 <DIR> d-------- C:\Program Files\Tavultesoft
2008-02-14 22:01 . 2008-02-14 22:02 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-14 21:35 . 2008-02-14 21:38 <DIR> d-------- C:\Program Files\AIM Invader
2008-02-11 20:43 . 2008-02-11 20:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2008-02-11 19:56 . 2008-02-13 07:45 1,374 --a------ C:\WINNT\imsins.BAK
2008-02-09 03:34 . 2008-02-15 18:54 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-02-09 03:34 . 2008-02-09 03:34 1,409 --a------ C:\WINNT\QTFont.for
2008-02-05 07:46 . 2008-02-05 07:46 <DIR> d-------- C:\windows
2008-02-05 01:37 . 2008-02-17 20:44 <DIR> d-------- C:\Program Files\Counter-Strike 1.6
2008-01-31 23:00 . 2008-01-31 23:02 <DIR> d-------- C:\Program Files\AIM6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 17:41 --------- d-----w C:\Documents and Settings\Eli\Application Data\LimeWire
2008-02-16 07:44 --------- d-----w C:\Program Files\Zune
2008-02-12 12:38 --------- d-----w C:\Program Files\AIM
2008-02-12 12:28 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-11 22:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-03 17:09 --------- d-----w C:\Program Files\Bulent's Screen Recorder 4
2008-02-01 07:01 --------- d-----w C:\Program Files\Viewpoint
2008-02-01 07:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-01 07:00 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-01 07:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-27 01:15 --------- d-----w C:\Documents and Settings\Eli\Application Data\Apple Computer
2008-01-13 21:46 165 ----a-w C:\Program Files\fun_maze_cbble.txt
2008-01-12 10:53 518,204 ----a-w C:\Program Files\fun_maze_cbble.bsp
2007-12-26 08:55 0 ---ha-w C:\WINNT\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-26 08:55 0 ---ha-w C:\WINNT\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2006-07-01 21:38 70,920 ----a-w C:\Documents and Settings\Eli\Application Data\GDIPFONTCACHEV1.DAT
2006-06-17 05:59 70,920 ----a-w C:\Documents and Settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2006-06-09 04:12 70,920 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-01-10 22:35 69,984 ----a-w C:\Documents and Settings\All Users\Application Data\GDIPFONTCACHEV1.DAT
2004-08-04 08:56 561,179 ----a-w C:\Program Files\Common Files\dao360.dll
1998-04-27 07:00 570,128 ----a-w C:\Program Files\Common Files\DAO350.DLL
2004-02-29 01:42 32 --sha-w C:\WINNT\{5A1DE60E-63D4-411F-819C-8A27E968C34B}.dat
2004-02-29 01:44 32 --sha-w C:\WINNT\{77F34DDC-BE64-4C66-968A-710FD450DF9B}.dat
2004-02-29 01:42 32 --sha-w C:\WINNT\{9383845D-FCDF-4F3E-B9ED-6D7A80014D9B}.dat
2004-02-29 01:43 32 --sha-w C:\WINNT\{9AB54738-7DF1-4C00-9904-724052B1CBA3}.dat
2004-02-29 01:42 32 --sha-w C:\WINNT\{B473FFAC-ADCC-4471-ACAB-22211CD3B66C}.dat
2004-02-29 01:44 32 --sha-w C:\WINNT\{B83C3FD1-AF69-4C98-860F-8B93571A7A20}.dat
2007-10-19 13:26 8,434 --sha-w C:\WINNT\system32\rrrqr.bak1
2007-10-19 22:11 6,717 --sha-w C:\WINNT\system32\rrrqr.bak2
2007-10-20 09:38 7,666 --sha-w C:\WINNT\system32\rrrqr.ini2
2004-02-29 01:44 32 --sha-w C:\WINNT\system32\{4ED47025-B944-4999-B941-BA0A8CCD7C5C}.dat
2004-02-29 01:42 32 --sha-w C:\WINNT\system32\{9D4A8C51-12B5-4B1B-B280-4A82ADDC6A20}.dat
2004-02-29 01:43 32 --sha-w C:\WINNT\system32\{B4E78FFD-5507-47A5-AABD-7063002FED4B}.dat
2004-02-29 01:42 32 --sha-w C:\WINNT\system32\{BFE21B32-E04B-47C5-B65E-E7678177DA9D}.dat
2004-02-29 01:44 32 --sha-w C:\WINNT\system32\{C3FFBBD3-535C-4BB1-B187-47AD9BAC05D8}.dat
2004-02-29 01:42 32 --sha-w C:\WINNT\system32\{FAF8EF9A-AE41-4381-8369-AB595EC8BC08}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
C:\Program Files\ISM\BndDrive7.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-29 15:10 68856]
"desktop_light.pxx"="C:\Program Files\Tavultesoft\Keyman Desktop Light 7.0\kmshell.exe" [2007-11-27 14:49 1288048]
"xInsIDE"="C:\Program Files\xInsIDE\xInsIDE.exe" [2008-02-17 16:53 53248]
"Router"="C:\Program Files\Router\Router.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 01:01 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjjhf]
jkkjjhf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrr]
C:\WINNT\system32\rqrrr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINNT\System32\LgNotify.dll 2003-02-28 14:01 110592 C:\WINNT\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINNT\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINNT\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINNT\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autos.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
backup=C:\WINNT\pss\autos.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu.lnk
backup=C:\WINNT\pss\eFax Tray Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINNT\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINNT\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINNT\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Live Menu.lnk
backup=C:\WINNT\pss\Live Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINNT\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RingCentral Call Controller.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RingCentral Call Controller.lnk
backup=C:\WINNT\pss\RingCentral Call Controller.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINNT\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINNT\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eli^Start Menu^Programs^Startup^infos.exe]
path=C:\Documents and Settings\Eli\Start Menu\Programs\Startup\infos.exe
backup=C:\WINNT\pss\infos.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eli^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Eli\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINNT\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-10-03 16:50 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVSystemCare]
C:\Program Files\AVSystemCare\pgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-06-04 18:05 116328 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClientGW]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clkhost]
--a------ 2007-11-18 15:59 16384 C:\WINNT\devadwp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eSnips]
C:\PROGRA~1\eSnips\ClientGW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
--a------ 2003-11-05 10:23 303180 C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
--a------ 2002-08-14 15:21 94208 C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
C:\WINNT\system32\cnsqknxo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-10-02 12:19 118784 C:\WINNT\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-01-30 18:55 196608 C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
--a------ 2003-01-30 18:55 311296 C:\WINNT\system32\hphmon03.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
C:\WINNT\System32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iexplorer]
C:\WINNT\system32\iexplorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-10-02 12:37 155648 C:\WINNT\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-08-09 06:03 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-08-09 06:03 81920 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-06-28 08:14 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jjodxn]
C:\WINNT\System32\hcjmbhjp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINNT\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lwxbkua]
C:\WINNT\System32\hcjmbhjp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Msia]
C:\WINNT\system32\YSTEM~1\tracert.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-06-25 21:00 771440 C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\2.0.3.16\InstallStub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Projector Manager]
C:\Program Files\InFocus\Projector Manager\Projmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule9]
C:\Program Files\QdrModule\QdrModule9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack9]
C:\Program Files\QdrPack\QdrPack9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qekyamxdvg]
C:\WINNT\System32\hcjmbhjp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 08:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMBooster.Net]
C:\Program Files\RAMBooster.Net\RAMBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]
--a------ 2006-05-02 16:48 14848 C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
C:\Documents and Settings\Eli\Application Data\Microsoft\Windows\rayiou.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Simple Star PhotoShow Media Manager]
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smwenmxamy]
C:\WINNT\System32\hcjmbhjp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
C:\Program Files\Spyware Doctor\swdoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
C:\Program Files\SpywareBot\SpywareBot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startkey]
C:\WINNT\_system32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 02:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-03-29 15:10 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2003-01-02 18:11 577536 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2003-01-02 18:12 126976 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ufhmbhqg]
C:\WINNT\System32\hcjmbhjp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Undefined]
C:\WINNT\system32\winter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINNT\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wdyjrdxxusfhk]
C:\WINNT\System32\hcjmbhjp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\whttqurheltf]
C:\WINNT\System32\hcjmbhjp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]
C:\WINNT\wupdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 17:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
C:\winstall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
C:\Documents and Settings\Eli\Application Data\WinTouch\WinTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wpknfgqwxj]
C:\WINNT\System32\hcjmbhjp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xrraekunyuaj]
C:\WINNT\System32\hcjmbhjp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SPIAgent5"=2 (0x2)
"SAVScan"=3 (0x3)
"gusvc"=2 (0x2)
"SQLAgent$PARAMOUNT"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$PARAMOUNT"=2 (0x2)
"iPod Service"=3 (0x3)
"Speed Disk service"=2 (0x2)
"NProtectService"=2 (0x2)
"GhostStartService"=2 (0x2)

R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2002-08-14 15:11]
R1 oreans32;oreans32;C:\WINNT\system32\drivers\oreans32.sys [2006-09-07 16:52]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINNT\system32\DRIVERS\zumbus.sys [2007-11-15 21:38]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINNT\system32\ZuneBusEnum.exe [2007-11-15 21:51]
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINNT\system32\drivers\hphius09.sys [2003-01-30 18:55]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Bots\GameGuard\dump_wmimmc.sys []
S3 IFCUSB;IFCUSB;C:\WINNT\system32\drivers\IFCUSB.SYS [2001-05-22 21:55]
S3 NPDriver;Norton Unerase Protection Driver;C:\WINNT\System32\Drivers\NPDRIVER.SYS [2002-08-14 06:03]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINNT\system32\ZuneWlanCfgSvc.exe [2007-11-15 21:51]
S4 MSSQL$PARAMOUNT;MSSQL$PARAMOUNT;C:\Program Files\Microsoft SQL Server\MSSQL$PARAMOUNT\Binn\sqlservr.exe [2002-12-17 17:26]
S4 SQLAgent$PARAMOUNT;SQLAgent$PARAMOUNT;C:\Program Files\Microsoft SQL Server\MSSQL$PARAMOUNT\Binn\sqlagent.EXE [2002-12-17 17:23]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-14 20:45:02 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-20 11:48:39 C:\WINNT\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-12 04:00:00 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - Eli.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-02 01:30:00 C:\WINNT\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-02-20 11:00:00 C:\WINNT\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
"2008-02-16 00:00:00 C:\WINNT\Tasks\{271C803A-1298-428D-ADB0-440CC94F98D3}_ASOUSASTU_Annette Sousa.job"
- C:\WINNT\system32\mobsync.exeL /Schedule=
"2008-02-20 00:00:00 C:\WINNT\Tasks\{2D186DD2-FA0F-48F7-A7DD-1473C92EB67A}_ASOUSASTU_Annette Sousa.job"
- C:\WINNT\system32\mobsync.exeL /Schedule=
"2008-02-19 17:00:00 C:\WINNT\Tasks\{A7FD14B9-2705-4CE2-A53C-23060B45984D}_ASOUSASTU_Annette Sousa.job"
- C:\WINNT\system32\mobsync.exeL /Schedule=
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 04:00:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\system32\ZCfgSvc.exe
.
**************************************************************************
.
Completion time: 2008-02-20 4:07:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-20 12:06:56
.
2008-02-14 20:25:36 --- E O F ---
 
Here is the SDFix log:



SDFix: Version 1.144

Run by Eli on Wed 02/20/2008 at 04:16 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Checking Files:

Trojan Files Found:

C:\PROGRA~1\MESSEN~1\LAVUK183 - Deleted
C:\PROGRA~1\MESSEN~1\LAVUK351 - Deleted
C:\PROGRA~1\MESSEN~1\LAVUK403 - Deleted
C:\PROGRA~1\MESSEN~1\LAVUK423 - Deleted
C:\PROGRA~1\MESSEN~1\LAVUK628 - Deleted
C:\PROGRA~1\MESSEN~1\LAVUK981 - Deleted
C:\PROGRA~1\MESSEN~1\LAVUK987 - Deleted
C:\Program Files\xInsIDE\xInsIDE.exe - Deleted
C:\WINNT\tsitra572.exe.tmp - Deleted
C:\WINNT\Fonts\Setup.exe - Deleted
C:\WINNT\system32\rerolpxei.le - Deleted



Folder C:\Program Files\xInsIDE - Removed


Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 04:54:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:8c2bd29a
"s1"=dword:7eede99c
"s2"=dword:4ca776ef
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:33,e6,ca,a4,d6,56,c8,ce,72,1b,36,47,a7,8b,2a,d8,95,df,c0,de,2f,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:33,e6,ca,a4,d6,56,c8,ce,72,1b,36,47,a7,8b,2a,d8,95,df,c0,de,2f,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 24 Sep 2004 33,280 A..H. --- "C:\Data\stuff\~WRL0057.tmp"
Fri 7 Sep 2007 7,559 A.SH. --- "C:\WINNT\system32\rrrqr.tmp"
Fri 19 Oct 2007 8,434 A.SH. --- "C:\WINNT\system32\rrrqr.bak1"
Fri 19 Oct 2007 6,717 A.SH. --- "C:\WINNT\system32\rrrqr.bak2"
Sat 16 Jun 2007 1,644,119 A.SH. --- "C:\WINNT\system32\vxyxx.tmp"
Fri 4 Mar 2005 41,472 A..H. --- "C:\Data\Family\Kimba\~WRL1167.tmp"
Sun 16 Jul 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 10 Mar 2006 30,208 A..H. --- "C:\Data\work\Real Estate\Forms\~WRL3441.tmp"
Tue 26 Nov 2002 25,600 A..H. --- "C:\Data\work\Real Estate\Marketing\~WRL0004.tmp"
Wed 26 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 12 Dec 2003 24,064 A..H. --- "C:\Data\work\Real Estate\Clients\Beck\~WRL0002.tmp"
Mon 15 Mar 2004 6,838 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp"
Sun 7 Mar 2004 8,246 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Shortcut Bar\Off2h.tmp"
Sun 7 Mar 2004 8,246 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Shortcut Bar\Off2s.tmp"
Wed 14 Aug 2002 65,088 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c556 Packet\3C556.COM"
Wed 14 Aug 2002 12,732 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c509 Packet\3C5X9PD.COM"
Wed 14 Aug 2002 26,424 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c59x Packet\3C59XPD.COM"
Wed 14 Aug 2002 28,062 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207F Packet\EN5251PD.COM"
Wed 14 Aug 2002 10,710 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207C Packet\PCIPD.COM"
Wed 14 Aug 2002 10,083 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207D Packet\ACCPKT.COM"
Wed 14 Aug 2002 10,257 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207TX Packet\PCIPD.COM"
Wed 14 Aug 2002 29,499 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1203 Packet\PCIPD.COM"
Wed 14 Aug 2002 12,660 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1204 Packet\VLNWPD.COM"
Wed 14 Aug 2002 11,031 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207 Packet\PCIPD.COM"
Wed 14 Aug 2002 17,952 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1200 Packet\EC32PD.COM"
Wed 14 Aug 2002 9,424 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1208 Packet\1208PD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1650 Packet\NWPD.COM"
Wed 14 Aug 2002 13,673 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1640 Packet\NWPD.COM"
Wed 14 Aug 2002 14,438 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1658 Packet\NWPD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN166X Packet\NWPD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1651 Packet\NWPD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1652 Packet\NWPD.COM"
Wed 14 Aug 2002 7,243 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1653 Packet\NE2PD.COM"
Wed 14 Aug 2002 24,767 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2216 Packet\PCMPD.COM"
Wed 14 Aug 2002 7,463 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1625 Packet\NEPD.COM"
Wed 14 Aug 2002 7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1656 Packet\NWPD.COM"
Wed 14 Aug 2002 10,286 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2228 Packet\PCMPD.COM"
Wed 14 Aug 2002 25,460 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2218 Packet\PCMPD.COM"
Wed 14 Aug 2002 28,866 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2320 Packet\EN5251PD.COM"
Wed 14 Aug 2002 14,438 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1657 Packet\NWPD.COM"
Wed 14 Aug 2002 8,544 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys"
Wed 14 Aug 2002 33,149 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Usbd.sys"
Wed 28 May 2003 51,150 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI1394.SYS"
Wed 14 Aug 2002 35,340 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI2DOS.SYS"
Wed 14 Aug 2002 14,378 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI4DOS.SYS"
Wed 14 Aug 2002 37,984 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8DOS.SYS"
Wed 14 Aug 2002 44,828 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8U2.SYS"
Wed 14 Aug 2002 29,628 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPICD.SYS"
Wed 28 May 2003 52,106 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIEHCI.SYS"
Wed 14 Aug 2002 49,242 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIOHCI.SYS"
Wed 14 Aug 2002 50,606 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIUHCI.SYS"
Wed 14 Aug 2002 161,792 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BOOTSRV.SYS"
Wed 14 Aug 2002 174,080 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\bootsrv16.sys"
Wed 14 Aug 2002 21,971 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTCDROM.SYS"
Wed 14 Aug 2002 30,955 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTDOSM.SYS"
Wed 14 Aug 2002 202,517 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS.EXE"
Wed 14 Aug 2002 374,038 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS16.EXE"
Wed 14 Aug 2002 22,158 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\COUNTRY.SYS"
Wed 14 Aug 2002 1,608 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DEVICE.COM"
Wed 14 Aug 2002 15,345 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DISPLAY.SYS"
Wed 14 Aug 2002 7,840 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DLSHELP.SYS"
Wed 14 Aug 2002 56,821 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\E.EXE"
Wed 14 Aug 2002 64,425 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\FLASHPT.SYS"
Wed 14 Aug 2002 32,396 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\GUEST.EXE"
Wed 14 Aug 2002 14,160 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\HIMEM.SYS"
Wed 14 Aug 2002 10,898 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYB.COM"
Wed 14 Aug 2002 53,556 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYBOARD.SYS"
Wed 14 Aug 2002 15,777 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MODE.COM"
Wed 14 Aug 2002 37,681 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MOUSE.COM"
Wed 14 Aug 2002 354,304 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\msbootsrv16.sys"
Wed 14 Aug 2002 21,180 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MSCDEX.EXE"
Wed 14 Aug 2002 354,263 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Net.exe"
Wed 14 Aug 2002 8,513 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\NETBIND.COM"
Wed 14 Aug 2002 41,302 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OAKCDROM.SYS"
Wed 14 Aug 2002 129,240 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OHCI.EXE"
Wed 14 Aug 2002 28,439 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Paralink.com"
Wed 14 Aug 2002 13,770 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\PROTMAN.EXE"
Wed 14 Aug 2002 130,980 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\UHCI.EXE"
Wed 14 Aug 2002 11,854 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWorks ISA (DE305) Packet\DE305.COM"
Wed 14 Aug 2002 52,715 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE450 Packet\DE450.COM"
Wed 14 Aug 2002 62,391 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE500 Packet\DE500.COM"
Wed 14 Aug 2002 11,491 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DMF560-TX Packet\Lmpd.com"
Wed 14 Aug 2002 17,791 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DT620 Packet\Dt620pd.com"
Wed 14 Aug 2002 17,043 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DE400 Packet\De400pd.com"
Wed 14 Aug 2002 11,786 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\IBM Crystal LAN Packet\Epktisa.com"
Wed 14 Aug 2002 18,300 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Kingston EtheRx KNE110TX Packet\Ktc110p.com"
Wed 14 Aug 2002 48,224 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD 10-100AL Packet\L100al.com"
Wed 14 Aug 2002 13,360 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-CDF Packet\Ldcdt.com"
Wed 14 Aug 2002 9,190 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-PCI2TL Packet\Ldpcil.com"
Wed 14 Aug 2002 12,567 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Melco LPC2-T\Lpchkat2.com"
Wed 14 Aug 2002 44,640 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\FETPKT.COM"
Wed 14 Aug 2002 56,896 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\Rtspkt.com"
Wed 14 Aug 2002 44,640 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FNW9x00T - ENW8300T Packet\fetpkt.com"
Wed 14 Aug 2002 9,692 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\PXE Packet Driver\Undipd.com"
Wed 14 Aug 2002 9,537 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\SN 2000p Packet\PNPPD.COM"
Wed 14 Aug 2002 32,484 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\WaveLAN Packet\Wvlan42.com"
Wed 14 Aug 2002 52,225 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet 10-100 + Modem\Cbendis.exe"
Wed 14 Aug 2002 48,491 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10BT\Ce3ndis.exe"
Wed 14 Aug 2002 50,405 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10 - RE100 Packet\Ce3pd.com"
Wed 14 Aug 2002 33,860 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom PE3-10Bx\Pe3ndis.exe"
Wed 14 Aug 2002 50,175 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Re-100Btx + Ce3B-100Btx\Ce3ndis.exe"
Wed 14 Aug 2002 50,795 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX\Cbendis.exe"
Wed 14 Aug 2002 48,223 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX Packet\Cbepd.com"
Wed 14 Aug 2002 48,641 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS\Xpsndis.exe"
Wed 14 Aug 2002 49,015 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS Packet\Xpspd.com"
Wed 14 Aug 2002 53,786 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\command.com"
Wed 14 Aug 2002 44,240 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMBIO.COM"
Wed 14 Aug 2002 42,550 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMDOS.COM"

Finished!




Here is the new Hijackthis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:26 AM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINNT\system32\ZuneBusEnum.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [desktop_light.pxx] "C:\Program Files\Tavultesoft\Keyman Desktop Light 7.0\kmshell.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://home.myspace.com
O15 - Trusted Zone: http://messaging.myspace.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {CF25C291-E91C-11D3-873F-0000B4A2973D} (RingCentral Message Player Control) - http://service.ringcentral.com/ActiveX/RingCentral_Message_Player.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://128.230.73.133/activex/AMC.cab
O20 - Winlogon Notify: jkkjjhf - jkkjjhf.dll (file missing)
O20 - Winlogon Notify: rqrrr - C:\WINNT\system32\rqrrr.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINNT\system32\HPHipm09.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7540 bytes
 
We're making progress, but there's still work to be done.

Your logfile shows signs of Viewpoint Manager.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything bad. It is known to be intrusive, but there is some possibility that it is now being used by those companies to give them info about your habits. It is not considered spyware since this is not clear, but I would not tolerate it on my machine if I didn't install it.

I suggest you remove it. To do so, click on Start -> Control Panel -> Add or Remove Programs. Click on Viewpoint Manager and click Remove.

  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINNT\system32\rrrqr.bak1
    C:\WINNT\system32\rrrqr.bak2
    C:\WINNT\system32\rrrqr.ini2
    C:\WINNT\devadwp.exe
    C:\WINNT\Tasks\SpywareBot Scheduled Scan.job
    
    Folder::
    C:\Program Files\SpywareBot
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjjhf]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrr]
    [-HKLM\~\startupfolder\C:^Documents and Settings^Eli^Start Menu^Programs^Startup^infos.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVSystemCare]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clkhost]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iexplorer]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jjodxn]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lwxbkua]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Msia]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule9]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack9]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qekyamxdvg]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smwenmxamy]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startkey]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ufhmbhqg]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Undefined]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wdyjrdxxusfhk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\whttqurheltf]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wpknfgqwxj]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xrraekunyuaj]
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.


[Screenshot: CFScript.gif]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entries:
If you chose to remove Viewpoint Manager, please also check the following entry (if still present):
  • O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Please close all open windows except for HijackThis and choose Fix checked.

While there are a number of Symantec entries in your log, they don't indicate the presence of an active anti-virus program.

If you don't have an active antivirus program, please download one of the following free antivirus clients and allow it to run a full scan before proceeding: AVG, AntiVir or avast!.

Please reboot your PC and post
  • The ComboFix log
  • A new HijackThis log
  • An update on how your PC is running now
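The CFScript above uses three directives: File:: and Folder:: list paths for ComboFix to remove, and a Registry:: line of the form [-KEY] asks it to delete that key. A quick way to confirm that a run actually removed everything listed is to parse the script and look each item up in the log ComboFix writes afterwards (its Find3M and Reg Loading Points sections still list anything that survived). The Python below is an added example, not part of this thread and not ComboFix's own code; the script and log excerpts embedded in it are constructed samples in the same shape as the ones posted here, and the CFScript grammar it accepts is limited to the constructs the posted script uses.

```python
"""Cross-check a ComboFix CFScript against a ComboFix log taken after the run.

Added example (not from the thread or from ComboFix). Assumptions: a `Name::`
header starts a section, File:: and Folder:: items are one path per line, and
a Registry:: item of the form [-KEY] means "delete KEY". Both samples below are
constructed, modelled on the script and log posted in the thread.
"""
import re

# Constructed CFScript in the same shape as the one posted above.
SAMPLE_CFSCRIPT = """\
File::
C:\\WINNT\\system32\\rrrqr.bak1
C:\\WINNT\\system32\\rrrqr.bak2
C:\\WINNT\\devadwp.exe

Folder::
C:\\Program Files\\SpywareBot

Registry::
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\SpywareBot]
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\clkhost]
"""

# Constructed excerpt of a post-run ComboFix log (Find3M and Reg Loading Points
# style lines). Two files and one key are still listed, so the run missed them.
SAMPLE_LOG = """\
2007-10-19 13:26 8,434 --sha-w C:\\WINNT\\system32\\rrrqr.bak1
2007-10-19 22:11 6,717 --sha-w C:\\WINNT\\system32\\rrrqr.bak2
2008-02-21 03:50 --------- d-----w C:\\Program Files\\Viewpoint

[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 C:\\WINNT\\system32\\ctfmon.exe

[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\clkhost]
"""

SECTION_RE = re.compile(r"([A-Za-z]+)::")
DELETE_KEY_RE = re.compile(r"\[-(.+)\]")


def parse_cfscript(text):
    """Return {section_name: [items]} for a CFScript; Registry:: items are bare key paths."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.fullmatch(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"item before any section header: {line!r}")
        if current == "Registry":
            m = DELETE_KEY_RE.fullmatch(line)
            if not m:
                raise ValueError(f"unsupported Registry:: line (only [-KEY] handled): {line!r}")
            sections[current].append(m.group(1))
        else:
            sections[current].append(line)
    return sections


def _log_lines(log_text):
    # Scheduled Tasks entries are quoted in ComboFix logs; strip the quotes so
    # the trailing-field comparison below sees the bare path.
    return [ln.strip().strip('"') for ln in log_text.splitlines() if ln.strip()]


def residual_items(script_text, log_text):
    """Items of the script that still appear in the log written after the run.

    File:: and Folder:: paths are matched as the last, space-delimited field of a
    log line (ComboFix prints the path last); Registry:: keys are matched against
    whole [KEY] header lines. Matching is case-insensitive, like NTFS and the
    registry, so a differently-cased log line is not reported as a false "gone".
    """
    sections = parse_cfscript(script_text)
    lines = [ln.lower() for ln in _log_lines(log_text)]
    leftovers = {}
    for kind, items in sections.items():
        found = []
        for item in items:
            needle = item.lower()
            if kind == "Registry":
                hit = any(ln == f"[{needle}]" for ln in lines)
            else:
                hit = any(ln == needle or ln.endswith(" " + needle) for ln in lines)
            if hit:
                found.append(item)
        if found:
            leftovers[kind] = found
    return leftovers


if __name__ == "__main__":
    for kind, items in residual_items(SAMPLE_CFSCRIPT, SAMPLE_LOG).items():
        print(f"{kind}:: entries still present after the run:")
        for item in items:
            print("   ", item)
```

Run it as-is to see the two rrrqr files and the clkhost key reported as leftovers, which is exactly the situation the second reply below describes before it hands the remaining files to a different tool. To use it on real output, replace the two constants with the contents of your CFScript.txt and the new ComboFix log.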
 
ComboFix 08-02-20.2 - Eli 2008-02-20 20:07:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.442 [GMT -8:00]
Running from: C:\Documents and Settings\Eli\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Eli\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))
.

2008-02-20 04:13 . 2008-02-20 04:13 .. d-------- C:\WINNT\ERUNT
2008-02-20 04:08 . 2008-02-20 05:06 .. d-------- C:\SDFix
2008-02-19 21:41 . 2008-02-19 21:41 .. d-------- C:\Program Files\Trend Micro
2008-02-16 16:49 . 2008-02-16 16:50 .. d-------- C:\Program Files\Any Video Converter Professional
2008-02-16 16:49 . 2008-02-16 17:56 .. d-------- C:\Documents and Settings\Eli\Application Data\Any Video Converter Professional
2008-02-16 16:17 . 2008-02-16 16:17 147,456 --a------ C:\WINNT\system32\vbzip10.dll
2008-02-16 11:28 . 2008-02-16 11:28 .. d-------- C:\Program Files\Any Video Converter
2008-02-16 11:28 . 2008-02-16 12:33 .. d-------- C:\Documents and Settings\Eli\Application Data\Any Video Converter
2008-02-14 22:09 . 2008-02-14 22:09 .. d-------- C:\Documents and Settings\All Users\Application Data\Tavultesoft
2008-02-14 22:04 . 2008-02-14 22:04 .. d-------- C:\Program Files\Common Files\Tavultesoft
2008-02-14 22:03 . 2008-02-14 22:04 .. d-------- C:\Program Files\Tavultesoft
2008-02-14 22:01 . 2008-02-14 22:02 .. d-------- C:\Program Files\Microsoft Silverlight
2008-02-14 21:35 . 2008-02-14 21:38 .. d-------- C:\Program Files\AIM Invader
2008-02-11 20:43 . 2008-02-11 20:43 .. d-------- C:\Documents and Settings\Owner\Application Data\acccore
2008-02-11 19:56 . 2008-02-13 07:45 1,374 --a------ C:\WINNT\imsins.BAK
2008-02-09 03:34 . 2008-02-15 18:54 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-02-09 03:34 . 2008-02-09 03:34 1,409 --a------ C:\WINNT\QTFont.for
2008-02-05 07:46 . 2008-02-05 07:46 .. d-------- C:\windows
2008-02-05 01:37 . 2008-02-17 20:44 .. d-------- C:\Program Files\Counter-Strike 1.6
2008-01-31 23:00 . 2008-01-31 23:02 .. d-------- C:\Program Files\AIM6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 03:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-21 03:50 --------- d-----w C:\Program Files\Viewpoint
2008-02-17 17:41 --------- d-----w C:\Documents and Settings\Eli\Application Data\LimeWire
2008-02-16 07:44 --------- d-----w C:\Program Files\Zune
2008-02-12 12:38 --------- d-----w C:\Program Files\AIM
2008-02-12 12:28 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-11 22:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-03 17:09 --------- d-----w C:\Program Files\Bulent's Screen Recorder 4
2008-02-01 07:00 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-01 07:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-27 01:15 --------- d-----w C:\Documents and Settings\Eli\Application Data\Apple Computer
2008-01-13 21:46 165 ----a-w C:\Program Files\fun_maze_cbble.txt
2008-01-12 10:53 518,204 ----a-w C:\Program Files\fun_maze_cbble.bsp
2007-12-26 08:55 0 ---ha-w C:\WINNT\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-26 08:55 0 ---ha-w C:\WINNT\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2006-07-01 21:38 70,920 ----a-w C:\Documents and Settings\Eli\Application Data\GDIPFONTCACHEV1.DAT
2006-06-17 05:59 70,920 ----a-w C:\Documents and Settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2006-06-09 04:12 70,920 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-01-10 22:35 69,984 ----a-w C:\Documents and Settings\All Users\Application Data\GDIPFONTCACHEV1.DAT
2004-08-04 08:56 561,179 ----a-w C:\Program Files\Common Files\dao360.dll
1998-04-27 07:00 570,128 ----a-w C:\Program Files\Common Files\DAO350.DLL
2004-02-29 01:42 32 --sha-w C:\WINNT\{5A1DE60E-63D4-411F-819C-8A27E968C34B}.dat
2004-02-29 01:44 32 --sha-w C:\WINNT\{77F34DDC-BE64-4C66-968A-710FD450DF9B}.dat
2004-02-29 01:42 32 --sha-w C:\WINNT\{9383845D-FCDF-4F3E-B9ED-6D7A80014D9B}.dat
2004-02-29 01:43 32 --sha-w C:\WINNT\{9AB54738-7DF1-4C00-9904-724052B1CBA3}.dat
2004-02-29 01:42 32 --sha-w C:\WINNT\{B473FFAC-ADCC-4471-ACAB-22211CD3B66C}.dat
2004-02-29 01:44 32 --sha-w C:\WINNT\{B83C3FD1-AF69-4C98-860F-8B93571A7A20}.dat
2007-10-19 13:26 8,434 --sha-w C:\WINNT\system32\rrrqr.bak1
2007-10-19 22:11 6,717 --sha-w C:\WINNT\system32\rrrqr.bak2
2007-10-20 09:38 7,666 --sha-w C:\WINNT\system32\rrrqr.ini2
2004-02-29 01:44 32 --sha-w C:\WINNT\system32\{4ED47025-B944-4999-B941-BA0A8CCD7C5C}.dat
2004-02-29 01:42 32 --sha-w C:\WINNT\system32\{9D4A8C51-12B5-4B1B-B280-4A82ADDC6A20}.dat
2004-02-29 01:43 32 --sha-w C:\WINNT\system32\{B4E78FFD-5507-47A5-AABD-7063002FED4B}.dat
2004-02-29 01:42 32 --sha-w C:\WINNT\system32\{BFE21B32-E04B-47C5-B65E-E7678177DA9D}.dat
2004-02-29 01:44 32 --sha-w C:\WINNT\system32\{C3FFBBD3-535C-4BB1-B187-47AD9BAC05D8}.dat
2004-02-29 01:42 32 --sha-w C:\WINNT\system32\{FAF8EF9A-AE41-4381-8369-AB595EC8BC08}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-29 15:10 68856]
"desktop_light.pxx"="C:\Program Files\Tavultesoft\Keyman Desktop Light 7.0\kmshell.exe" [2007-11-27 14:49 1288048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 01:01 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINNT\System32\LgNotify.dll 2003-02-28 14:01 110592 C:\WINNT\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINNT\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINNT\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINNT\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autos.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
backup=C:\WINNT\pss\autos.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu.lnk
backup=C:\WINNT\pss\eFax Tray Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINNT\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINNT\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINNT\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Live Menu.lnk
backup=C:\WINNT\pss\Live Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINNT\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RingCentral Call Controller.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RingCentral Call Controller.lnk
backup=C:\WINNT\pss\RingCentral Call Controller.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINNT\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINNT\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eli^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Eli\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINNT\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-10-03 16:50 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-06-04 18:05 116328 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClientGW]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eSnips]
C:\PROGRA~1\eSnips\ClientGW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
--a------ 2003-11-05 10:23 303180 C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
--a------ 2002-08-14 15:21 94208 C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-10-02 12:19 118784 C:\WINNT\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-01-30 18:55 196608 C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
--a------ 2003-01-30 18:55 311296 C:\WINNT\system32\hphmon03.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
C:\WINNT\System32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-10-02 12:37 155648 C:\WINNT\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-08-09 06:03 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-08-09 06:03 81920 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-06-28 08:14 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINNT\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-06-25 21:00 771440 C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\2.0.3.16\InstallStub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Projector Manager]
C:\Program Files\InFocus\Projector Manager\Projmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 08:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMBooster.Net]
C:\Program Files\RAMBooster.Net\RAMBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]
--a------ 2006-05-02 16:48 14848 C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Simple Star PhotoShow Media Manager]
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
C:\Program Files\Spyware Doctor\swdoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 02:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-03-29 15:10 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2003-01-02 18:11 577536 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2003-01-02 18:12 126976 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINNT\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 17:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE..software..microsoft..shared tools..msconfig..services]
"SPIAgent5"=2 (0x2)
"SAVScan"=3 (0x3)
"gusvc"=2 (0x2)
"SQLAgent$PARAMOUNT"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$PARAMOUNT"=2 (0x2)
"iPod Service"=3 (0x3)
"Speed Disk service"=2 (0x2)
"NProtectService"=2 (0x2)
"GhostStartService"=2 (0x2)

R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2002-08-14 15:11]
R1 oreans32;oreans32;C:\WINNT\system32\drivers\oreans32.sys [2006-09-07 16:52]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINNT\system32\DRIVERS\zumbus.sys [2007-11-15 21:38]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINNT\system32\ZuneBusEnum.exe [2007-11-15 21:51]
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINNT\system32\drivers\hphius09.sys [2003-01-30 18:55]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Bots\GameGuard\dump_wmimmc.sys []
S3 IFCUSB;IFCUSB;C:\WINNT\system32\drivers\IFCUSB.SYS [2001-05-22 21:55]
S3 NPDriver;Norton Unerase Protection Driver;C:\WINNT\System32\Drivers\NPDRIVER.SYS [2002-08-14 06:03]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINNT\system32\ZuneWlanCfgSvc.exe [2007-11-15 21:51]
S4 MSSQL$PARAMOUNT;MSSQL$PARAMOUNT;C:\Program Files\Microsoft SQL Server\MSSQL$PARAMOUNT\Binn\sqlservr.exe [2002-12-17 17:26]
S4 SQLAgent$PARAMOUNT;SQLAgent$PARAMOUNT;C:\Program Files\Microsoft SQL Server\MSSQL$PARAMOUNT\Binn\sqlagent.EXE [2002-12-17 17:23]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-14 20:45:02 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-21 04:20:59 C:\WINNT\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-12 04:00:00 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - Eli.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-02 01:30:00 C:\WINNT\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-02-20 11:00:00 C:\WINNT\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
"2008-02-16 00:00:00 C:\WINNT\Tasks\{271C803A-1298-428D-ADB0-440CC94F98D3}_ASOUSASTU_Annette Sousa.job"
- C:\WINNT\system32\mobsync.exeL /Schedule=
"2008-02-20 00:00:00 C:\WINNT\Tasks\{2D186DD2-FA0F-48F7-A7DD-1473C92EB67A}_ASOUSASTU_Annette Sousa.job"
- C:\WINNT\system32\mobsync.exeL /Schedule=
"2008-02-20 17:00:00 C:\WINNT\Tasks\{A7FD14B9-2705-4CE2-A53C-23060B45984D}_ASOUSASTU_Annette Sousa.job"
- C:\WINNT\system32\mobsync.exeL /Schedule=
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 20:21:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\System32\imapi.exe
C:\WINNT\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-20 20:29:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-21 04:29:07
ComboFix2.txt 2008-02-20 12:07:02
.
2008-02-14 20:25:36 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:26 AM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINNT\system32\ZuneBusEnum.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8.r{}
 
:D Thanks, and glad your problems seem to be fixed. It seems a few of those files weren't deleted by ComboFix.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINNT\system32\rrrqr.bak1
    C:\WINNT\system32\rrrqr.bak2
    C:\WINNT\system32\rrrqr.ini2
    C:\WINNT\devadwp.exe
    C:\WINNT\Tasks\SpywareBot Scheduled Scan.job
  • Return to OTMoveIt2, right click in the Paste Standard List of Files/Folders to be Moved window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. These results are also located at C:\_OTMoveIt\MovedFiles\Date_Time.log, where Date_Time is the date and time you ran OTMoveIt.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post a new HijackThis log, as the old one seems to have been cut off.

I'd also like to see the results of an online scan, just to be sure there's nothing malicious left.

Please use the Internet Explorer browser (or Firefox with IETab), and do an online scan with Kaspersky Online Scanner.

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add Or Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note: for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
[Screenshot: Kas-SaveReport-1.gif]

[Screenshot: Kas-Savetxt.gif]

To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Please post
  • The OTMoveIt2 report
  • A new HijackThis log
  • The results of the Kaspersky scan
 