Unable to update windows and remove trojan.vundo comreso.dll [RESOLVED

Hello

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

I do have combo fix installed on the desktop but when I follow the instructions using combo fix to do the install of the recovery consol I receive CFScript name error "Were you trying to run CFScript? The name, CFScript appears to be incorrectly spelt".

I was not able to install the recovery consol as it stops Service pack 2 setup error "setup could not verify the integraty of the file Update.inf. Makes sure the Cryptographic service is running on this computer" and when I check on Cryptographic service the service is running.

So where do we go from here?
as I feel stuck in a loop..... like a hamster in a wheel LOL

Just run ComboFix.exe then

Ok here is the Combo Fix log and Hijackthis log... as you can see the Comreso.dll failed to delete..... so where do go from here?

ComboFix 08-05-08.1 - batrask 2008-05-09 14:56:47.6 - NTFSx86

Running from: H:\Documents and Settings\Batrask.AARDWOLFCOM1\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\WINDOWS\system32\comreso.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BWROVNII
-------\Service_bwrovnii


((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-09 05:03 . 2008-05-05 20:46 27,048 --a------ H:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-09 05:03 . 2008-05-05 20:46 15,864 --a------ H:\WINDOWS\system32\drivers\mbam.sys
2008-05-07 19:55 . 2008-05-07 19:59 <DIR> d-------- H:\Documents and Settings\TEMP
2008-05-04 11:22 . 2008-05-04 11:22 <DIR> d-------- H:\VundoFix Backups
2008-05-04 00:25 . 2008-05-03 16:12 524,288 --a------ H:\WINDOWS\system32\secur 0508.evt
2008-05-03 16:37 . 2008-05-03 22:09 <DIR> d-------- H:\Documents and Settings\All Users\family photos
2008-04-30 17:12 . 1998-09-14 08:41 285,216 --a------ H:\WINDOWS\system32\drivers\Onsio.sys
2008-04-30 17:12 . 1998-08-01 12:00 60,928 --a------ H:\WINDOWS\system32\drivers\Smplscsi.sys
2008-04-30 17:12 . 2003-06-11 12:03 15,396 --a------ H:\WINDOWS\system32\Msmusd5.dll
2008-04-30 17:12 . 2001-06-20 15:44 13,962 --a------ H:\WINDOWS\system32\Msmusd6.dll
2008-04-30 17:12 . 2003-07-17 16:12 12,499 --a------ H:\WINDOWS\system32\Msmusd7.dll
2008-04-30 17:12 . 1997-02-14 13:10 7,680 --a------ H:\WINDOWS\system32\drivers\Onsreged.sys
2008-04-25 17:02 . 2008-04-25 17:02 <DIR> d-------- H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Malwarebytes
2008-04-25 16:56 . 2008-05-09 05:03 <DIR> d-------- H:\Program Files\Malwarebytes' Anti-Malware
2008-04-25 16:56 . 2008-04-25 16:56 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 09:31 . 2008-04-25 09:31 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\sentinel
2008-04-25 09:17 . 2008-04-25 09:17 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Backup
2008-04-24 12:14 . 2008-04-24 12:14 <DIR> d-------- H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\TmpRecentIcons
2008-04-24 11:53 . 2008-04-24 11:53 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\McAfee
2008-04-24 11:10 . 2008-04-24 11:10 61,224 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\GoToAssistDownloadHelper.exe
2008-04-24 10:18 . 2008-04-24 10:18 <DIR> d--h----- H:\WINDOWS\PIF
2008-04-24 09:27 . 2008-05-04 00:04 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\xelkrmte
2008-04-22 16:59 . 2008-04-24 15:27 <DIR> d-------- H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware
2008-04-22 07:33 . 2008-04-22 08:03 <DIR> d-------- H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\ErrorSmart
2008-04-18 08:41 . 2008-04-18 09:03 <DIR> d-------- H:\Program Files\Microsoft Money Plus
2008-04-13 15:39 . 2008-04-13 15:39 <DIR> d-------- H:\Program Files\Siber Systems
2008-04-13 15:39 . 2008-04-13 15:42 <DIR> d-------- H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\GoodSync
2008-04-13 14:21 . 2008-04-13 14:21 75 --a------ H:\WINDOWS\cdplayer.ini
2008-04-11 09:47 . 2004-08-03 23:56 21,504 --a------ H:\WINDOWS\system32\SET86.tmp
2008-04-11 09:47 . 2004-08-03 23:56 21,504 --a------ H:\WINDOWS\system32\SET83.tmp
2008-04-09 17:54 . 2008-04-23 18:30 <DIR> d-------- H:\Program Files\Digi-Watcher.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 19:34 --------- d-----w H:\Program Files\Support Tools
2008-05-09 00:21 --------- d-----w H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\AdobeUM
2008-05-03 23:21 --------- d--h--w H:\Program Files\InstallShield Installation Information
2008-05-03 23:21 --------- d-----w H:\Program Files\Common Files\Panda Software
2008-04-22 23:34 20,608 ----a-w H:\WINDOWS\system32\drivers\ppwxaxdt.dat
2008-04-18 15:40 --------- d-----w H:\Program Files\Microsoft Money
2008-04-11 18:18 --------- d-----w H:\Program Files\DYMO Label
2008-04-07 21:19 --------- d-----w H:\Program Files\LucasArts
2008-04-07 21:09 --------- d-----w H:\Program Files\palm
2008-04-07 19:33 --------- d-----w H:\Program Files\Microsoft ActiveSync
2008-04-05 15:52 --------- d-----w H:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-05 01:17 --------- d-----w H:\Program Files\Common Files\Mozilla Shared
2008-04-04 01:10 196,608 ----a-w H:\WINDOWS\system32\libssl32.dll
2008-04-04 01:10 1,015,808 ----a-w H:\WINDOWS\system32\libeay32.dll
2008-03-11 05:16 --------- d-----w H:\Program Files\Logitech
2008-03-11 05:16 --------- d-----w H:\Program Files\Common Files\Logitech
2008-03-10 23:13 --------- d-----w H:\Program Files\SuperStar
2006-08-17 18:12 531,760 ----a-w H:\Documents and Settings\Corp Files\GenuineCheck.exe
2006-08-05 20:31 5,438,696 ----a-w H:\Documents and Settings\Corp Files\Credit Repair.exe
2006-08-05 20:27 1,214,040 ----a-w H:\Documents and Settings\Corp Files\ClipArt.exe
2006-08-05 20:26 742,080 ----a-w H:\Documents and Settings\Corp Files\ODBA_EN.exe
2006-08-05 20:24 480,816 ----a-w H:\Documents and Settings\Corp Files\Sounds.EXE
2006-08-05 18:26 13,005,632 ----a-w H:\Documents and Settings\Corp Files\Business Legal Forms & Agreements.exe
2006-08-05 18:23 1,797,152 ----a-w H:\Documents and Settings\Corp Files\FreeBonusProduct.exe
2006-08-05 18:22 9,974,008 ----a-w H:\Documents and Settings\Corp Files\Corporate Records.exe
2006-04-20 06:41 8,142,234 ----a-w H:\Documents and Settings\Bradley.AARDWOLFSCOMINC\CSEAgent-Default.exe
.

------- Sigcheck -------

2003-03-31 05:00 12800 0f7d9c87b0ce1fa520473119752c6f79 H:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 H:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 H:\WINDOWS\system32\svchost.exe

2005-03-02 11:19 577024 1800f293bccc8ede8a70e12b88d80036 H:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2004-06-17 10:58 560128 31fb2d788a9aa618452c02e8375b6dcd H:\WINDOWS\$NtServicePackUninstall$\user32.dll
2003-03-31 05:00 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb H:\WINDOWS\$NtUninstallKB840987$\user32.dll
2004-08-04 00:56 577024 c72661f8552ace7c5c85e16a3cf505c4 H:\WINDOWS\$NtUninstallKB890859$\user32.dll
2004-08-04 00:56 577024 c72661f8552ace7c5c85e16a3cf505c4 H:\WINDOWS\ServicePackFiles\i386\user32.dll
2005-03-02 11:09 577024 de2db164bbb35db061af0997e4499054 H:\WINDOWS\system32\user32.dll

2003-03-31 05:00 75264 8529c295df59b564d37a73b5629162b1 H:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 H:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 H:\WINDOWS\system32\ws2_32.dll

2004-09-29 11:27 656896 2c07195588d69a067c2afdaa31759295 H:\WINDOWS\$hf_mig$\KB834707\SP2QFE\wininet.dll
2005-01-27 10:08 657920 a8eac5330876548e9966a7d13025d196 H:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll
2005-05-02 13:57 658944 e1e18136f9dd3df1ad9c82193a5898a6 H:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll
2005-03-10 00:43 657920 c8663b488996e89a84c3d17c1d12b79e H:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll
2005-09-02 16:53 660480 97a6fd7cafd688cf2c78939ebaf0cd0c H:\WINDOWS\$hf_mig$\KB896688\SP2QFE\wininet.dll
2005-07-02 19:09 659456 6e533d155b259eb2363d3e04b5be309f H:\WINDOWS\$hf_mig$\KB896727\SP2QFE\wininet.dll
2005-10-20 20:38 661504 af785c4947676a7fc1673fdc5c8d0b5b H:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll
2006-03-03 20:58 663552 c0845ecbf4f9164e618ee381b79c9032 H:\WINDOWS\$hf_mig$\KB912812\SP2QFE\wininet.dll
2004-08-23 20:32 589312 01893ed35886aff539b58a025736f7ed H:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 H:\WINDOWS\$NtUninstallKB834707$\wininet.dll
2004-09-29 11:47 656896 cba65b573c66fe23f647ff96e3a10994 H:\WINDOWS\$NtUninstallKB867282$\wininet.dll
2005-03-10 01:02 656896 6f018d6319be4f96426ea829b79e05d5 H:\WINDOWS\$NtUninstallKB883939$\wininet.dll
2003-03-31 05:00 599040 f3587750a7481dccbea13d473a0700be H:\WINDOWS\$NtUninstallKB889293-IE6SP1-20041111.235619$\wininet.dll
2005-01-27 10:13 656896 b5e043e440b210014e021b24cf0a72e3 H:\WINDOWS\$NtUninstallKB890923$\wininet.dll
2005-07-02 19:11 658432 5b5ff992c0fa762ccf8655fc290e6e52 H:\WINDOWS\$NtUninstallKB896688$\wininet.dll
2005-05-02 13:52 657920 1a078af3f85d10ba56444c23b3a18e74 H:\WINDOWS\$NtUninstallKB896727$\wininet.dll
2005-09-02 16:52 658432 af61ebb1f550175eff406d545d6ab086 H:\WINDOWS\$NtUninstallKB905915$\wininet.dll
2005-10-20 20:39 658432 e7b27b6b6e06ce34ea019fd8b858c613 H:\WINDOWS\$NtUninstallKB912812$\wininet.dll
2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 H:\WINDOWS\ServicePackFiles\i386\wininet.dll
2006-03-03 20:33 658432 1c0979c7a489bee573cd0bf4ad94bb06 H:\WINDOWS\system32\wininet.dll

2005-05-25 12:07 359936 63fdfea54eb53de2d863ee454937ce1e H:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 10:07 360448 5562cc0a47b2aef06d3417b733f3c195 H:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2003-03-31 05:00 332928 244a2f9816bc9b593957281ef577d976 H:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c H:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 12:04 359808 88763a98a4c26c409741b4aa162720c9 H:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c H:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2006-01-12 19:28 359808 583e063fdc888ca30d05c2724b0d7ef4 H:\WINDOWS\system32\drivers\tcpip.sys

2004-05-26 18:38 483328 e7f9d2e4e4a94a6f58014e5ffa16a65e H:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2003-03-31 05:00 516608 2246d8d8f4714a2cedb21ab9b1849abb H:\WINDOWS\$NtUninstallKB841533$\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe H:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe H:\WINDOWS\system32\winlogon.exe

2003-03-31 05:00 167552 3b350e5a2a5e951453f3993275a4523a H:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e H:\WINDOWS\ServicePackFiles\i386\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e H:\WINDOWS\system32\drivers\ndis.sys

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 H:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 H:\WINDOWS\system32\drivers\ip6fw.sys

2005-03-01 17:36 2056832 d8aba3eab509627e707a3b14f00fbb6b H:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2004-10-22 00:29 1955840 efa7883018f42295d927121808ae6cee H:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2003-03-31 05:00 1947904 0e8efb15746878a9b256e75267337233 H:\WINDOWS\$NtUninstallKB885835_0$\ntkrnlpa.exe
2004-08-03 22:59 2015232 fb142b7007ca2eea76966c6c5cc12150 H:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 17:34 2056832 81013f36b21c7f72cf784cc6731e0002 H:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2004-08-03 22:58 2056832 947fb1d86d14afcffdb54bf837ec25d0 H:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2005-03-01 17:34 2015232 3cd941e472ddf3534e53038535719771 H:\WINDOWS\system32\ntkrnlpa.exe

2005-03-01 18:04 2179456 28187802b7c368c0d3aef7d4c382aabb H:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2004-10-22 01:33 2088448 5a7eb0c9f96917b7ecf5adf70c4b1bae H:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2003-03-31 05:00 2042240 b9080d97dbd631aadf9128f7316958d2 H:\WINDOWS\$NtUninstallKB885835_0$\ntoskrnl.exe
2004-08-03 23:18 2148352 626309040459c3915997ef98ec1c8d40 H:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 17:59 2179328 4d4cf2c14550a4b7718e94a6e581856e H:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2004-08-03 23:19 2180992 ce218bc7088681faa06633e218596ca7 H:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2005-03-01 17:57 2135552 48b3e89af7074cee0314a3e0c7faffdb H:\WINDOWS\system32\ntoskrnl.exe

2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 H:\WINDOWS\explorer.exe
2003-03-31 05:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a H:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 H:\WINDOWS\ServicePackFiles\i386\explorer.exe

2003-03-31 05:00 101376 e3df4a0252d287c44606ee55355e1623 H:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 H:\WINDOWS\ServicePackFiles\i386\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 H:\WINDOWS\system32\services.exe

2003-03-31 05:00 11776 b2b6ba905d0e3f8a32a0eb3b4051807b H:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 H:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 H:\WINDOWS\system32\lsass.exe

2003-03-31 05:00 13312 414de7cf9d3f19c3ea902f1bb38ec116 H:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 H:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 H:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot_2008-05-08_20.24.30.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-09 03:11:57 2,048 --s-a-w H:\WINDOWS\bootstat.dat
+ 2008-05-09 22:06:08 2,048 --s-a-w H:\WINDOWS\bootstat.dat
- 2008-05-09 03:08:08 4,835 ----a-w H:\WINDOWS\bthservsdp.dat
+ 2008-05-09 22:02:12 4,835 ----a-w H:\WINDOWS\bthservsdp.dat
- 2008-05-09 03:12:48 221,921 ----a-w H:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-09 22:06:33 221,930 ----a-w H:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2008-05-09 03:12:48 16,384 ----atw H:\WINDOWS\TEMP\Perflib_Perfdata_1b0.dat
+ 2008-05-09 22:06:36 16,384 ----atw H:\WINDOWS\TEMP\Perflib_Perfdata_1b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C49D0693-E30B-4264-A7CA-34BDD410C746}]
2007-11-29 16:06 0 --a------ H:\WINDOWS\system32\dx8vba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3D31485-E523-41C2-9400-91886185280A}]
2003-03-31 05:00 82432 --a------ h:\windows\system32\comreso.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"LogitechSoftwareUpdate"="H:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 15:44 196608]
"H/PC Connection Agent"="H:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 19:44 1200128]
"msnmsgr"="H:\Program Files\MSN Messenger\msnmsgr.exe" [2006-06-16 14:38 5324584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="H:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"Acecad.Wtxpload"="H:\WINDOWS\Acecad\Wtxpload.exe" [2003-01-17 03:03 45056]
"3Dlabs Taskbar Display Manager"="H:\WINDOWS\system32\3dlTB.exe" [2006-02-16 18:44 235008]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 H:\WINDOWS\system32\bthprops.cpl]
"itype"="h:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 18:08 813912]
"IntelliPoint"="h:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 16:52 849280]
"Google Desktop Search"="H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-02 14:26 1862144]
"LogitechVideoRepair"="H:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 16:24 458752]
"LogitechVideoTray"="H:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 16:14 217088]
"combofix"="H:\WINDOWS\system32\CF17976.exe" [2004-08-04 00:56 388608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="H:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

H:\Documents and Settings\batrask.AARDWOLFSCOMINC\Start Menu\Programs\Startup\
Microsoft Office Outlook 2003 (2).lnk - H:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2004-12-11 23:19:00 794624]
Motorola Share.lnk - H:\Program Files\Motorola Share\agent.exe [2005-11-07 20:06:09 126976]

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 21:37:56 217194]
Adobe Gamma Loader.lnk - H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-30 17:34:51 110592]
Microsoft Office OneNote 2003 Quick Launch.lnk - H:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 13:23:32 51776]
Microtek Scanner Finder.lnk - H:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-04-30 17:12:19 344064]
NaturalColorLoad.lnk - H:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2007-01-09 12:29:04 155715]
WinZip Quick Pick.lnk - H:\Program Files\WinZip\WZQKPICK.EXE [2008-02-08 12:10:00 394856]

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Google Updater.lnk - H:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-28 12:41:15 125624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
comreso.dll 2003-03-31 05:00 82432 H:\WINDOWS\system32\comreso.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=H:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"REELDRV"= IMPEG32.DLL
"VIDC.D263"= xl_x263dec.dll
"VIDC.YV12"= xl_yv12.dll
"VIDC.XJPG"= camfc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"H:\Program Files\Microsoft ActiveSync\rapimgr.exe"= H:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"H:\Program Files\Microsoft ActiveSync\wcescomm.exe"= H:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"H:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= H:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2008-05-04 18:52:57 H:\WINDOWS\Tasks\Antispyware Scheduled Scan.job"
- H:\Program Files\AntiSpywareApp\AntiSpyware.ex
- H:\Program Files\AntiSpywareApp
"2008-05-04 18:52:56 H:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- H:\Program Files\ErrorSmart\ErrorSmart.ex
- H:\Program Files\ErrorSmart
"2008-05-09 00:54:59 H:\WINDOWS\Tasks\RegCure Program Check.job"
- H:\Program Files\RegCure\RegCure.exe
"2008-05-09 00:55:01 H:\WINDOWS\Tasks\RegCure.job"
- H:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 15:07:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ljtglpkj]
"ImagePath"="system32\drivers\ppwxaxdt.dat"
.
------------------------ Other Running Processes ------------------------
.
H:\WINDOWS\system32\wintab32.exe
H:\WINDOWS\system32\netdde.exe
H:\WINDOWS\Downloaded Program Files\WebEx\319\atnthost.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\WINDOWS\Downloaded Program Files\WebEx\319\raagtapp.exe
H:\WINDOWS\system32\drivers\CDAC11BA.EXE
H:\WINDOWS\system32\dllhost.exe
H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
H:\WINDOWS\system32\inetsrv\inetinfo.exe
H:\WINDOWS\system32\tcpsvcs.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\WINDOWS\system32\MiaSvc.exe
H:\WINDOWS\system32\msdtc.exe
H:\WINDOWS\system32\locator.exe
H:\WINDOWS\system32\snmp.exe
H:\WINDOWS\system32\tlntsvr.exe
H:\WINDOWS\system32\mqsvc.exe
H:\WINDOWS\system32\mqtgsvc.exe
H:\WINDOWS\system32\rundll32.exe
H:\WINDOWS\system32\msiexec.exe
H:\PROGRA~1\MI3AA1~1\rapimgr.exe
H:\WINDOWS\system32\LVCOMSX.EXE
H:\Program Files\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2008-05-09 15:19:26 - machine was rebooted [batrask]
ComboFix-quarantined-files.txt 2008-05-09 22:18:58
ComboFix2.txt 2008-05-09 03:25:53
ComboFix3.txt 2008-05-04 19:33:48
ComboFix4.txt 2008-05-04 01:41:37
ComboFix5.txt 2008-04-28 03:18:56

Pre-Run: 23,910,838,272 bytes free
Post-Run: 23,912,947,712 bytes free

288

________________________________________________________________________________
_________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:21 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\csrss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Wintab32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\netdde.exe
H:\WINDOWS\DOWNLO~1\WebEx\319\atnthost.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\WINDOWS\DOWNLO~1\WebEx\319\RAAGTAPP.EXE
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\drivers\CDAC11BA.EXE
H:\WINDOWS\System32\dllhost.exe
H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\inetsrv\inetinfo.exe
H:\WINDOWS\System32\tcpsvcs.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\WINDOWS\system32\MiaSvc.exe
H:\WINDOWS\System32\msdtc.exe
H:\WINDOWS\System32\locator.exe
H:\WINDOWS\System32\snmp.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\System32\tlntsvr.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\mqsvc.exe
H:\WINDOWS\system32\mqtgsvc.exe
H:\WINDOWS\System32\alg.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\Microsoft IntelliType Pro\itype.exe
H:\Program Files\Microsoft IntelliPoint\ipoint.exe
H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
H:\Program Files\Logitech\Video\LogiTray.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Microsoft ActiveSync\wcescomm.exe
H:\Program Files\MSN Messenger\msnmsgr.exe
H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
H:\PROGRA~1\MI3AA1~1\rapimgr.exe
H:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
H:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
H:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
H:\Program Files\WinZip\WZQKPICK.EXE
H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
H:\WINDOWS\system32\LVComsX.exe
H:\Program Files\Logitech\Video\FxSvr2.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\WINDOWS\system32\NOTEPAD.EXE
H:\Documents and Settings\Batrask.AARDWOLFCOM1\My Documents\My Received Files\it programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {C49D0693-E30B-4264-A7CA-34BDD410C746} - H:\WINDOWS\system32\dx8vba.dll
O2 - BHO: (no name) - {E3D31485-E523-41C2-9400-91886185280A} - h:\windows\system32\comreso.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Acecad.Wtxpload] H:\WINDOWS\Acecad\Wtxpload.exe Acecad
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] H:\WINDOWS\system32\3dlTB.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [itype] "h:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "h:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [LogitechVideoRepair] H:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] H:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "H:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "H:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-73586283-1563985344-1417001333-1007\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-73586283-1563985344-1417001333-1007\..\Run: [msnmsgr] "H:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-73586283-1563985344-1417001333-1007 Startup: E-mail.lnk = ? (User '?')
O4 - Startup: E-mail.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = H:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = H:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @H:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @H:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: h:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...34/sdcregie.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://aardwolfscom0...uter/nshelp.dll
O16 - DPF: {83229950-AD1D-4B94-8304-F56E95AFACF7} (CSurgientTerminal Object) - http://microsoft.dem.../proxy/srdp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qbp.webex.co.../ra/ieatgpc.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab
O16 - DPF: {FB298ECE-4D17-414A-A5E8-FABC938796B2} (ActiveWebParts Illustration Viewer) - http://www.kohlerplu...awingViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aardwolfscominc.local
O17 - HKLM\Software\..\Telephony: DomainName = aardwolfscominc.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aardwolfscominc.local
O20 - AppInit_DLLs: H:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: AutorunsDisabled - H:\WINDOWS\
O20 - Winlogon Notify: iqzxawyt - H:\WINDOWS\SYSTEM32\comreso.dll
O23 - Service: AT Host Service (atnthost) - WebEx - H:\WINDOWS\DOWNLO~1\WebEx\319\atnthost.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - H:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: 3Dlabs LMM (miasvc) - Unknown owner - H:\WINDOWS\system32\MiaSvc.exe
O23 - Service: Wintab32 - Unknown owner - H:\WINDOWS\system32\Wintab32.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 11545 bytes

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
H:\WINDOWS\system32\comreso.dll

DirLook::
H:\Documents and Settings\All Users\Application Data\xelkrmte
H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware


Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ljtglpkj]

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

OK wow I had to abridge this log since it is 953 pages log and kills efforts to post the whole log so I put a red flaging on the area I had to cut out but it looks much of the same info as you can tell.


Combo fix 08-05-08.1 - batrask 2008-05-09 15:58:01.7 - NTFSx86

Running from: H:\Documents and Settings\Batrask.AARDWOLFCOM1\Desktop\ComboFix.exe
Command switches used :: H:\Documents and Settings\Batrask.AARDWOLFCOM1\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
H:\WINDOWS\system32\comreso.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:\windows\system32\comreso.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_bwrovnii


((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-09 05:03 . 2008-05-05 20:46 27,048 --a------ H:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-09 05:03 . 2008-05-05 20:46 15,864 --a------ H:\WINDOWS\system32\drivers\mbam.sys
2008-05-07 19:55 . 2008-05-07 19:59 <DIR> d-------- H:\Documents and Settings\TEMP
2008-05-04 11:22 . 2008-05-04 11:22 <DIR> d-------- H:\VundoFix Backups
2008-05-04 00:25 . 2008-05-03 16:12 524,288 --a------ H:\WINDOWS\system32\secur 0508.evt
2008-05-03 16:37 . 2008-05-03 22:09 <DIR> d-------- H:\Documents and Settings\All Users\family photos
2008-04-30 17:12 . 1998-09-14 08:41 285,216 --a------ H:\WINDOWS\system32\drivers\Onsio.sys
2008-04-30 17:12 . 1998-08-01 12:00 60,928 --a------ H:\WINDOWS\system32\drivers\Smplscsi.sys
2008-04-30 17:12 . 2003-06-11 12:03 15,396 --a------ H:\WINDOWS\system32\Msmusd5.dll
2008-04-30 17:12 . 2001-06-20 15:44 13,962 --a------ H:\WINDOWS\system32\Msmusd6.dll
2008-04-30 17:12 . 2003-07-17 16:12 12,499 --a------ H:\WINDOWS\system32\Msmusd7.dll
2008-04-30 17:12 . 1997-02-14 13:10 7,680 --a------ H:\WINDOWS\system32\drivers\Onsreged.sys
2008-04-25 17:02 . 2008-04-25 17:02 <DIR> d-------- H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Malwarebytes
2008-04-25 16:56 . 2008-05-09 05:03 <DIR> d-------- H:\Program Files\Malwarebytes' Anti-Malware
2008-04-25 16:56 . 2008-04-25 16:56 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 09:31 . 2008-04-25 09:31 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\sentinel
2008-04-25 09:17 . 2008-04-25 09:17 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Backup
2008-04-24 12:14 . 2008-04-24 12:14 <DIR> d-------- H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\TmpRecentIcons
2008-04-24 11:53 . 2008-04-24 11:53 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\McAfee
2008-04-24 11:10 . 2008-04-24 11:10 61,224 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\GoToAssistDownloadHelper.exe
2008-04-24 10:18 . 2008-04-24 10:18 <DIR> d--h----- H:\WINDOWS\PIF
2008-04-24 09:27 . 2008-05-04 00:04 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\xelkrmte
2008-04-22 16:59 . 2008-04-24 15:27 <DIR> d-------- H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware
2008-04-22 07:33 . 2008-04-22 08:03 <DIR> d-------- H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\ErrorSmart
2008-04-18 08:41 . 2008-04-18 09:03 <DIR> d-------- H:\Program Files\Microsoft Money Plus
2008-04-13 15:39 . 2008-04-13 15:39 <DIR> d-------- H:\Program Files\Siber Systems
2008-04-13 15:39 . 2008-04-13 15:42 <DIR> d-------- H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\GoodSync
2008-04-13 14:21 . 2008-04-13 14:21 75 --a------ H:\WINDOWS\cdplayer.ini
2008-04-11 09:47 . 2004-08-03 23:56 21,504 --a------ H:\WINDOWS\system32\SET86.tmp
2008-04-11 09:47 . 2004-08-03 23:56 21,504 --a------ H:\WINDOWS\system32\SET83.tmp
2008-04-09 17:54 . 2008-04-23 18:30 <DIR> d-------- H:\Program Files\Digi-Watcher.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 19:34 --------- d-----w H:\Program Files\Support Tools
2008-05-09 00:21 --------- d-----w H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\AdobeUM
2008-05-03 23:21 --------- d--h--w H:\Program Files\InstallShield Installation Information
2008-05-03 23:21 --------- d-----w H:\Program Files\Common Files\Panda Software
2008-04-22 23:34 20,608 ----a-w H:\WINDOWS\system32\drivers\ppwxaxdt.dat
2008-04-18 15:40 --------- d-----w H:\Program Files\Microsoft Money
2008-04-11 18:18 --------- d-----w H:\Program Files\DYMO Label
2008-04-07 21:19 --------- d-----w H:\Program Files\LucasArts
2008-04-07 21:09 --------- d-----w H:\Program Files\palm
2008-04-07 19:33 --------- d-----w H:\Program Files\Microsoft ActiveSync
2008-04-05 15:52 --------- d-----w H:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-05 01:17 --------- d-----w H:\Program Files\Common Files\Mozilla Shared
2008-03-11 05:16 --------- d-----w H:\Program Files\Logitech
2008-03-11 05:16 --------- d-----w H:\Program Files\Common Files\Logitech
2008-03-10 23:13 --------- d-----w H:\Program Files\SuperStar
2006-08-17 18:12 531,760 ----a-w H:\Documents and Settings\Corp Files\GenuineCheck.exe
2006-08-05 20:31 5,438,696 ----a-w H:\Documents and Settings\Corp Files\Credit Repair.exe
2006-08-05 20:27 1,214,040 ----a-w H:\Documents and Settings\Corp Files\ClipArt.exe
2006-08-05 20:26 742,080 ----a-w H:\Documents and Settings\Corp Files\ODBA_EN.exe
2006-08-05 20:24 480,816 ----a-w H:\Documents and Settings\Corp Files\Sounds.EXE
2006-08-05 18:26 13,005,632 ----a-w H:\Documents and Settings\Corp Files\Business Legal Forms & Agreements.exe
2006-08-05 18:23 1,797,152 ----a-w H:\Documents and Settings\Corp Files\FreeBonusProduct.exe
2006-08-05 18:22 9,974,008 ----a-w H:\Documents and Settings\Corp Files\Corporate Records.exe
2006-04-20 06:41 8,142,234 ----a-w H:\Documents and Settings\Bradley.AARDWOLFSCOMINC\CSEAgent-Default.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of H:\Documents and Settings\All Users\Application Data\xelkrmte ----


---- Directory of H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware ----

2008-04-27 06:15 2845 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Log\2008 Apr 27 - 06_08_09 AM_250.log
2008-04-26 03:03 0 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\rs.dat
2008-04-24 15:33 91 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-33-20\8.qnf
2008-04-24 15:33 91 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-33-20\7.qnf
2008-04-24 15:33 91 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-33-20\6.qnf
2008-04-24 15:33 91 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-33-20\5.qnf
2008-04-24 15:33 89 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-33-20\4.qnf
2008-04-24 15:33 89 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-33-20\3.qnf
2008-04-24 15:33 89 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-33-20\2.qnf
2008-04-24 15:33 89 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-33-20\1.qnf
2008-04-24 15:33 89 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-33-20\0.qnf
2008-04-24 15:33 57 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-33-20\9.qnf
2008-04-24 15:33 204 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-33-20\9.qit
2008-04-24 15:20 95 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\41.qnf
2008-04-24 15:20 95 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\13.qnf
2008-04-24 15:20 92 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\17.qnf
2008-04-24 15:20 92 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\16.qnf
2008-04-24 15:20 91 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\30.qnf
2008-04-24 15:20 91 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\26.qnf
2008-04-24 15:20 91 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\25.qnf
2008-04-24 15:20 91 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\24.qnf
2008-04-24 15:20 91 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\23.qnf
2008-04-24 15:20 91 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\22.qnf
2008-04-24 15:20 91 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\21.qnf
2008-04-24 15:20 91 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\20.qnf
2008-04-24 15:20 91 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\19.qnf
2008-04-24 15:20 91 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\18.qnf
2008-04-24 15:20 91 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\15.qnf
2008-04-24 15:20 90 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\29.qnf
2008-04-24 15:20 89 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\3.qnf
2008-04-24 15:20 89 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\27.qnf
2008-04-24 15:20 89 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\2.qnf
2008-04-24 15:20 89 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\12.qnf
2008-04-24 15:20 89 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\11.qnf
2008-04-24 15:20 89 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\10.qnf
2008-04-24 15:20 88 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\9.qnf
2008-04-24 15:20 88 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\8.qnf
2008-04-24 15:20 88 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\7.qnf
2008-04-24 15:20 88 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\6.qnf
2008-04-24 15:20 88 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\5.qnf
2008-04-24 15:20 88 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\4.qnf
2008-04-24 15:20 88 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\28.qnf
2008-04-24 15:20 86 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\40.qnf
2008-04-24 15:20 85 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\14.qnf

********************************************************************************
*********************************************************************************
********************

2008-04-09 19:49 43 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\50.qit
2008-04-09 19:49 23870 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\47.qit
2008-04-09 19:49 14916 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\49.qit
2008-04-09 19:49 1304 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\24-04-2008-15-20-13\52.qit
2008-04-08 10:20 70 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\63.qit
2008-04-06 18:34 1034 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\62.qit
2008-04-06 13:58 88 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\64.qit
2008-04-04 16:45 268 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\26.qit
2008-04-04 15:58 315 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\34.qit
2008-04-04 15:25 284 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\88.qit
2008-04-04 15:25 2 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\97.qit
2008-04-04 15:25 2 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\95.qit
2008-04-04 15:25 2 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\91.qit
2008-04-04 15:25 118 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\87.qit
2008-04-04 15:25 1078 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\93.qit
2008-04-04 15:24 4997 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\100.qit
2008-04-04 15:24 10642 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\90.qit
2008-04-04 15:05 274 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\35.qit
2008-03-10 22:58 668 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\73.qit
2008-03-10 22:55 111 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\72.qit
2008-03-08 19:39 183 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\40.qit
2008-03-03 18:36 1149 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\36.qit
2008-02-27 22:58 275 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\5.qit
2008-02-27 12:27 1050 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\43.qit
2008-02-25 14:58 240 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\77.qit
2008-01-03 19:03 412 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\38.qit
2007-12-31 14:07 229 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\47.qit
2007-12-28 22:15 188 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\53.qit
2007-12-01 18:06 488 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\65.qit
2007-12-01 17:26 107 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\13.qit
2007-11-29 11:55 339 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\79.qit
2007-11-29 11:55 238 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\41.qit
2007-11-29 11:55 1156 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\23.qit
2007-11-15 14:46 87 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\11.qit
2007-11-15 14:46 147 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\10.qit
2007-11-15 14:46 119 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\12.qit
2007-11-14 13:21 473 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\58.qit
2007-11-12 13:33 550 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\44.qit
2007-11-05 18:21 63 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\21.qit
2007-06-10 22:12 107 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\3.qit
2007-06-01 07:57 392 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\19.qit
2007-05-31 09:01 1452 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\67.qit
2007-05-31 08:43 80 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\68.qit
2007-05-18 16:52 76 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\82.qit
2007-05-18 16:10 594 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\83.qit
2007-05-18 16:09 84 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\81.qit
2007-05-18 16:08 84 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\80.qit
2007-04-26 14:59 106 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\59.qit
2007-04-18 13:09 101 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\31.qit
2006-02-28 20:08 26837 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\85.qit
2006-02-12 19:55 4649 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\86.qit
2006-02-12 19:55 41024 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\129.qit
2006-02-12 19:55 29340 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\99.qit
2005-12-29 22:59 6041600 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\109.qit
2005-12-29 22:59 5610 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\135.qit
2005-12-29 22:59 5610 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\108.qit
2005-12-29 22:59 3128 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\136.qit
2005-12-29 22:59 3128 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\110.qit
2005-12-29 22:59 3 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\137.qit
2005-12-29 22:59 3 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\112.qit
2005-12-29 22:59 28672 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\113.qit
2005-12-29 22:59 26710 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\139.qit
2005-12-29 22:59 26710 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\115.qit
2005-12-29 22:59 20529 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\138.qit
2005-12-29 22:59 20529 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\114.qit
2005-12-29 22:59 125 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\140.qit
2005-12-29 22:59 125 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\117.qit
2005-12-08 16:39 700466 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\126.qit
2005-12-08 16:39 626739 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\131.qit
2005-12-08 16:39 606261 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\127.qit
2005-12-08 16:39 53307 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\124.qit
2005-12-08 16:39 53304 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\132.qit
2005-12-08 16:39 528435 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\125.qit
2005-12-08 16:39 229428 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\130.qit
2005-12-08 16:39 221235 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\133.qit
2005-12-08 16:39 208945 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\106.qit
2005-12-08 16:39 204853 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\121.qit
2005-12-08 16:39 167989 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\120.qit
2005-12-08 16:39 163894 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\122.qit
2005-12-08 16:39 1171507 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\123.qit
2005-07-20 12:58 417 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\89.qit
2004-01-13 19:21 5610 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\145.qit
2004-01-13 19:09 88 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\105.qit
2004-01-13 19:09 86066 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\128.qit
2004-01-13 19:09 61440 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\144.qit
2004-01-13 19:09 372783 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\111.qit
2004-01-13 19:09 365 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\143.qit
2004-01-13 19:09 364593 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\107.qit
2004-01-13 19:09 3128 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\146.qit
2004-01-13 19:09 3 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\147.qit
2004-01-13 19:09 26710 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\149.qit
2004-01-13 19:09 266 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\153.qit
2004-01-13 19:09 225329 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\104.qit
2004-01-13 19:09 217153 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\116.qit
2004-01-13 19:09 20529 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\148.qit
2004-01-13 19:09 192559 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\119.qit
2004-01-13 19:09 176176 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\152.qit
2004-01-13 19:09 125 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\150.qit
2004-01-13 19:09 122927 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Quarantine\22-04-2008-17-29-19\118.qit


------- Sigcheck -------

2003-03-31 05:00 12800 0f7d9c87b0ce1fa520473119752c6f79 H:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 H:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 H:\WINDOWS\system32\svchost.exe

2005-03-02 11:19 577024 1800f293bccc8ede8a70e12b88d80036 H:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2004-06-17 10:58 560128 31fb2d788a9aa618452c02e8375b6dcd H:\WINDOWS\$NtServicePackUninstall$\user32.dll
2003-03-31 05:00 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb H:\WINDOWS\$NtUninstallKB840987$\user32.dll
2004-08-04 00:56 577024 c72661f8552ace7c5c85e16a3cf505c4 H:\WINDOWS\$NtUninstallKB890859$\user32.dll
2004-08-04 00:56 577024 c72661f8552ace7c5c85e16a3cf505c4 H:\WINDOWS\ServicePackFiles\i386\user32.dll
2005-03-02 11:09 577024 de2db164bbb35db061af0997e4499054 H:\WINDOWS\system32\user32.dll

2003-03-31 05:00 75264 8529c295df59b564d37a73b5629162b1 H:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 H:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 H:\WINDOWS\system32\ws2_32.dll

2004-09-29 11:27 656896 2c07195588d69a067c2afdaa31759295 H:\WINDOWS\$hf_mig$\KB834707\SP2QFE\wininet.dll
2005-01-27 10:08 657920 a8eac5330876548e9966a7d13025d196 H:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll
2005-05-02 13:57 658944 e1e18136f9dd3df1ad9c82193a5898a6 H:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll
2005-03-10 00:43 657920 c8663b488996e89a84c3d17c1d12b79e H:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll
2005-09-02 16:53 660480 97a6fd7cafd688cf2c78939ebaf0cd0c H:\WINDOWS\$hf_mig$\KB896688\SP2QFE\wininet.dll
2005-07-02 19:09 659456 6e533d155b259eb2363d3e04b5be309f H:\WINDOWS\$hf_mig$\KB896727\SP2QFE\wininet.dll
2005-10-20 20:38 661504 af785c4947676a7fc1673fdc5c8d0b5b H:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll
2006-03-03 20:58 663552 c0845ecbf4f9164e618ee381b79c9032 H:\WINDOWS\$hf_mig$\KB912812\SP2QFE\wininet.dll
2004-08-23 20:32 589312 01893ed35886aff539b58a025736f7ed H:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 H:\WINDOWS\$NtUninstallKB834707$\wininet.dll
2004-09-29 11:47 656896 cba65b573c66fe23f647ff96e3a10994 H:\WINDOWS\$NtUninstallKB867282$\wininet.dll
2005-03-10 01:02 656896 6f018d6319be4f96426ea829b79e05d5 H:\WINDOWS\$NtUninstallKB883939$\wininet.dll
2003-03-31 05:00 599040 f3587750a7481dccbea13d473a0700be H:\WINDOWS\$NtUninstallKB889293-IE6SP1-20041111.235619$\wininet.dll
2005-01-27 10:13 656896 b5e043e440b210014e021b24cf0a72e3 H:\WINDOWS\$NtUninstallKB890923$\wininet.dll
2005-07-02 19:11 658432 5b5ff992c0fa762ccf8655fc290e6e52 H:\WINDOWS\$NtUninstallKB896688$\wininet.dll
2005-05-02 13:52 657920 1a078af3f85d10ba56444c23b3a18e74 H:\WINDOWS\$NtUninstallKB896727$\wininet.dll
2005-09-02 16:52 658432 af61ebb1f550175eff406d545d6ab086 H:\WINDOWS\$NtUninstallKB905915$\wininet.dll
2005-10-20 20:39 658432 e7b27b6b6e06ce34ea019fd8b858c613 H:\WINDOWS\$NtUninstallKB912812$\wininet.dll
2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 H:\WINDOWS\ServicePackFiles\i386\wininet.dll
2006-03-03 20:33 658432 1c0979c7a489bee573cd0bf4ad94bb06 H:\WINDOWS\system32\wininet.dll

2005-05-25 12:07 359936 63fdfea54eb53de2d863ee454937ce1e H:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 10:07 360448 5562cc0a47b2aef06d3417b733f3c195 H:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2003-03-31 05:00 332928 244a2f9816bc9b593957281ef577d976 H:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c H:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 12:04 359808 88763a98a4c26c409741b4aa162720c9 H:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c H:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2006-01-12 19:28 359808 583e063fdc888ca30d05c2724b0d7ef4 H:\WINDOWS\system32\drivers\tcpip.sys

2004-05-26 18:38 483328 e7f9d2e4e4a94a6f58014e5ffa16a65e H:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2003-03-31 05:00 516608 2246d8d8f4714a2cedb21ab9b1849abb H:\WINDOWS\$NtUninstallKB841533$\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe H:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe H:\WINDOWS\system32\winlogon.exe

2003-03-31 05:00 167552 3b350e5a2a5e951453f3993275a4523a H:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e H:\WINDOWS\ServicePackFiles\i386\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e H:\WINDOWS\system32\drivers\ndis.sys

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 H:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 H:\WINDOWS\system32\drivers\ip6fw.sys

2005-03-01 17:36 2056832 d8aba3eab509627e707a3b14f00fbb6b H:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2004-10-22 00:29 1955840 efa7883018f42295d927121808ae6cee H:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2003-03-31 05:00 1947904 0e8efb15746878a9b256e75267337233 H:\WINDOWS\$NtUninstallKB885835_0$\ntkrnlpa.exe
2004-08-03 22:59 2015232 fb142b7007ca2eea76966c6c5cc12150 H:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 17:34 2056832 81013f36b21c7f72cf784cc6731e0002 H:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2004-08-03 22:58 2056832 947fb1d86d14afcffdb54bf837ec25d0 H:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2005-03-01 17:34 2015232 3cd941e472ddf3534e53038535719771 H:\WINDOWS\system32\ntkrnlpa.exe

2005-03-01 18:04 2179456 28187802b7c368c0d3aef7d4c382aabb H:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2004-10-22 01:33 2088448 5a7eb0c9f96917b7ecf5adf70c4b1bae H:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2003-03-31 05:00 2042240 b9080d97dbd631aadf9128f7316958d2 H:\WINDOWS\$NtUninstallKB885835_0$\ntoskrnl.exe
2004-08-03 23:18 2148352 626309040459c3915997ef98ec1c8d40 H:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 17:59 2179328 4d4cf2c14550a4b7718e94a6e581856e H:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2004-08-03 23:19 2180992 ce218bc7088681faa06633e218596ca7 H:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2005-03-01 17:57 2135552 48b3e89af7074cee0314a3e0c7faffdb H:\WINDOWS\system32\ntoskrnl.exe

2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 H:\WINDOWS\explorer.exe
2003-03-31 05:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a H:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 H:\WINDOWS\ServicePackFiles\i386\explorer.exe

2003-03-31 05:00 101376 e3df4a0252d287c44606ee55355e1623 H:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 H:\WINDOWS\ServicePackFiles\i386\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 H:\WINDOWS\system32\services.exe

2003-03-31 05:00 11776 b2b6ba905d0e3f8a32a0eb3b4051807b H:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 H:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 H:\WINDOWS\system32\lsass.exe

2003-03-31 05:00 13312 414de7cf9d3f19c3ea902f1bb38ec116 H:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 H:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 H:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot_2008-05-08_20.24.30.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-09 03:11:57 2,048 --s-a-w H:\WINDOWS\bootstat.dat
+ 2008-05-09 23:05:42 2,048 --s-a-w H:\WINDOWS\bootstat.dat
- 2008-05-09 03:08:08 4,835 ----a-w H:\WINDOWS\bthservsdp.dat
+ 2008-05-09 23:01:52 4,835 ----a-w H:\WINDOWS\bthservsdp.dat
- 2008-05-09 03:12:48 221,921 ----a-w H:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-09 23:10:02 221,920 ----a-w H:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-09 23:06:12 16,384 ----atw H:\WINDOWS\TEMP\Perflib_Perfdata_1cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C49D0693-E30B-4264-A7CA-34BDD410C746}]
2007-11-29 16:06 0 --a------ H:\WINDOWS\system32\dx8vba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3D31485-E523-41C2-9400-91886185280A}]
2008-05-09 16:01 82432 --a------ h:\windows\system32\comreso.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"LogitechSoftwareUpdate"="H:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 15:44 196608]
"H/PC Connection Agent"="H:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 19:44 1200128]
"msnmsgr"="H:\Program Files\MSN Messenger\msnmsgr.exe" [2006-06-16 14:38 5324584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="H:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"Acecad.Wtxpload"="H:\WINDOWS\Acecad\Wtxpload.exe" [2003-01-17 03:03 45056]
"3Dlabs Taskbar Display Manager"="H:\WINDOWS\system32\3dlTB.exe" [2006-02-16 18:44 235008]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 H:\WINDOWS\system32\bthprops.cpl]
"itype"="h:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 18:08 813912]
"IntelliPoint"="h:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 16:52 849280]
"Google Desktop Search"="H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-02 14:26 1862144]
"LogitechVideoRepair"="H:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 16:24 458752]
"LogitechVideoTray"="H:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 16:14 217088]
"combofix"="H:\WINDOWS\system32\CF29295.exe" [2004-08-04 00:56 388608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="H:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

H:\Documents and Settings\batrask.AARDWOLFSCOMINC\Start Menu\Programs\Startup\
Microsoft Office Outlook 2003 (2).lnk - H:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2004-12-11 23:19:00 794624]
Motorola Share.lnk - H:\Program Files\Motorola Share\agent.exe [2005-11-07 20:06:09 126976]

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 21:37:56 217194]
Adobe Gamma Loader.lnk - H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-30 17:34:51 110592]
Microsoft Office OneNote 2003 Quick Launch.lnk - H:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 13:23:32 51776]
Microtek Scanner Finder.lnk - H:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-04-30 17:12:19 344064]
NaturalColorLoad.lnk - H:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2007-01-09 12:29:04 155715]
WinZip Quick Pick.lnk - H:\Program Files\WinZip\WZQKPICK.EXE [2008-02-08 12:10:00 394856]

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Google Updater.lnk - H:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-28 12:41:15 125624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
comreso.dll 2008-05-09 16:01 82432 H:\WINDOWS\system32\comreso.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=H:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"REELDRV"= IMPEG32.DLL
"VIDC.D263"= xl_x263dec.dll
"VIDC.YV12"= xl_yv12.dll
"VIDC.XJPG"= camfc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"H:\Program Files\Microsoft ActiveSync\rapimgr.exe"= H:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"H:\Program Files\Microsoft ActiveSync\wcescomm.exe"= H:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"H:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= H:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2008-05-04 18:52:57 H:\WINDOWS\Tasks\Antispyware Scheduled Scan.job"
- H:\Program Files\AntiSpywareApp\AntiSpyware.ex
- H:\Program Files\AntiSpywareApp
"2008-05-04 18:52:56 H:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- H:\Program Files\ErrorSmart\ErrorSmart.ex
- H:\Program Files\ErrorSmart
"2008-05-09 00:54:59 H:\WINDOWS\Tasks\RegCure Program Check.job"
- H:\Program Files\RegCure\RegCure.exe
"2008-05-09 00:55:01 H:\WINDOWS\Tasks\RegCure.job"
- H:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 16:08:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


H:\Documents and Settings\Batrask.AARDWOLFCOM1\Local Settings\Application Data\Google\Google Desktop\802d83920233\fic 97414 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ljtglpkj]
"ImagePath"="system32\drivers\ppwxaxdt.dat"
.
------------------------ Other Running Processes ------------------------
.
H:\WINDOWS\system32\wintab32.exe
H:\WINDOWS\system32\netdde.exe
H:\WINDOWS\Downloaded Program Files\WebEx\319\atnthost.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\WINDOWS\Downloaded Program Files\WebEx\319\raagtapp.exe
H:\WINDOWS\system32\drivers\CDAC11BA.EXE
H:\WINDOWS\system32\dllhost.exe
H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
H:\WINDOWS\system32\inetsrv\inetinfo.exe
H:\WINDOWS\system32\tcpsvcs.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\WINDOWS\system32\MiaSvc.exe
H:\WINDOWS\system32\msdtc.exe
H:\WINDOWS\system32\locator.exe
H:\WINDOWS\system32\snmp.exe
H:\WINDOWS\system32\tlntsvr.exe
H:\WINDOWS\system32\mqsvc.exe
H:\WINDOWS\system32\mqtgsvc.exe
H:\WINDOWS\system32\rundll32.exe
H:\PROGRA~1\MI3AA1~1\rapimgr.exe
H:\WINDOWS\system32\LVCOMSX.EXE
H:\Program Files\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2008-05-09 16:20:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-09 23:20:11
ComboFix2.txt 2008-05-09 22:19:28
ComboFix3.txt 2008-05-09 03:25:53
ComboFix4.txt 2008-05-04 19:33:48
ComboFix5.txt 2008-05-04 01:41:37

Pre-Run: 23,922,216,960 bytes free
Post-Run: 23,910,592,512 bytes free

14488

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:37 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Wintab32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\netdde.exe
H:\WINDOWS\DOWNLO~1\WebEx\319\atnthost.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\WINDOWS\DOWNLO~1\WebEx\319\RAAGTAPP.EXE
H:\WINDOWS\system32\drivers\CDAC11BA.EXE
H:\WINDOWS\System32\dllhost.exe
H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\inetsrv\inetinfo.exe
H:\WINDOWS\System32\tcpsvcs.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\WINDOWS\system32\MiaSvc.exe
H:\WINDOWS\System32\snmp.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\System32\tlntsvr.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\mqsvc.exe
H:\WINDOWS\system32\mqtgsvc.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\Microsoft IntelliType Pro\itype.exe
H:\Program Files\Microsoft IntelliPoint\ipoint.exe
H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
H:\Program Files\Logitech\Video\LogiTray.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Microsoft ActiveSync\wcescomm.exe
H:\Program Files\MSN Messenger\msnmsgr.exe
H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
H:\PROGRA~1\MI3AA1~1\rapimgr.exe
H:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
H:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
H:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
H:\Program Files\WinZip\WZQKPICK.EXE
H:\WINDOWS\system32\LVComsX.exe
H:\Program Files\Logitech\Video\FxSvr2.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Documents and Settings\Batrask.AARDWOLFCOM1\My Documents\My Received Files\it programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {C49D0693-E30B-4264-A7CA-34BDD410C746} - H:\WINDOWS\system32\dx8vba.dll
O2 - BHO: (no name) - {E3D31485-E523-41C2-9400-91886185280A} - h:\windows\system32\comreso.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Acecad.Wtxpload] H:\WINDOWS\Acecad\Wtxpload.exe Acecad
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] H:\WINDOWS\system32\3dlTB.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [itype] "h:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "h:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [LogitechVideoRepair] H:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] H:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "H:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "H:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-73586283-1563985344-1417001333-1007\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-73586283-1563985344-1417001333-1007\..\Run: [msnmsgr] "H:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-73586283-1563985344-1417001333-1007 Startup: E-mail.lnk = ? (User '?')
O4 - Startup: E-mail.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = H:\Program Files\

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
H:\WINDOWS\system32\comreso.dll

Folder::
H:\Documents and Settings\All Users\Application Data\xelkrmte
H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware

Registry::

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

This last one took some time to go through But it still failed to delete comreso.dll I closed everything before starting combo fix. Do you want me to do it again? At least this time I don’t have a 953 page log.



ComboFix 08-05-08.1 - batrask 2008-05-09 17:43:53.8 - NTFSx86

Running from: H:\Documents and Settings\Batrask.AARDWOLFCOM1\Desktop\ComboFix.exe
Command switches used :: H:\Documents and Settings\Batrask.AARDWOLFCOM1\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
H:\WINDOWS\system32\comreso.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\Documents and Settings\All Users\Application Data\xelkrmte
H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware
H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\fp.dat
H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\Log\2008 Apr 27 - 06_08_09 AM_250.log
H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Antispyware\rs.dat
H:\WINDOWS\system32\comreso.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-04-10 to 2008-05-10 )))))))))))))))))))))))))))))))
.

2008-05-09 05:03 . 2008-05-05 20:46 27,048 --a------ H:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-09 05:03 . 2008-05-05 20:46 15,864 --a------ H:\WINDOWS\system32\drivers\mbam.sys
2008-05-07 19:55 . 2008-05-07 19:59 <DIR> d-------- H:\Documents and Settings\TEMP
2008-05-04 11:22 . 2008-05-04 11:22 <DIR> d-------- H:\VundoFix Backups
2008-05-04 00:25 . 2008-05-03 16:12 524,288 --a------ H:\WINDOWS\system32\secur 0508.evt
2008-05-03 16:37 . 2008-05-03 22:09 <DIR> d-------- H:\Documents and Settings\All Users\family photos
2008-04-30 17:12 . 1998-09-14 08:41 285,216 --a------ H:\WINDOWS\system32\drivers\Onsio.sys
2008-04-30 17:12 . 1998-08-01 12:00 60,928 --a------ H:\WINDOWS\system32\drivers\Smplscsi.sys
2008-04-30 17:12 . 2003-06-11 12:03 15,396 --a------ H:\WINDOWS\system32\Msmusd5.dll
2008-04-30 17:12 . 2001-06-20 15:44 13,962 --a------ H:\WINDOWS\system32\Msmusd6.dll
2008-04-30 17:12 . 2003-07-17 16:12 12,499 --a------ H:\WINDOWS\system32\Msmusd7.dll
2008-04-30 17:12 . 1997-02-14 13:10 7,680 --a------ H:\WINDOWS\system32\drivers\Onsreged.sys
2008-04-25 17:02 . 2008-04-25 17:02 <DIR> d-------- H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\Malwarebytes
2008-04-25 16:56 . 2008-05-09 05:03 <DIR> d-------- H:\Program Files\Malwarebytes' Anti-Malware
2008-04-25 16:56 . 2008-04-25 16:56 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 09:31 . 2008-04-25 09:31 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\sentinel
2008-04-25 09:17 . 2008-04-25 09:17 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Backup
2008-04-24 12:14 . 2008-04-24 12:14 <DIR> d-------- H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\TmpRecentIcons
2008-04-24 11:53 . 2008-04-24 11:53 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\McAfee
2008-04-24 11:10 . 2008-04-24 11:10 61,224 --a------ H:\Documents and Settings\Batrask.AARDWOLFCOM1\GoToAssistDownloadHelper.exe
2008-04-24 10:18 . 2008-04-24 10:18 <DIR> d--h----- H:\WINDOWS\PIF
2008-04-22 07:33 . 2008-04-22 08:03 <DIR> d-------- H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\ErrorSmart
2008-04-18 08:41 . 2008-04-18 09:03 <DIR> d-------- H:\Program Files\Microsoft Money Plus
2008-04-13 15:39 . 2008-04-13 15:39 <DIR> d-------- H:\Program Files\Siber Systems
2008-04-13 15:39 . 2008-04-13 15:42 <DIR> d-------- H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\GoodSync
2008-04-13 14:21 . 2008-04-13 14:21 75 --a------ H:\WINDOWS\cdplayer.ini
2008-04-11 09:47 . 2004-08-03 23:56 21,504 --a------ H:\WINDOWS\system32\SET86.tmp
2008-04-11 09:47 . 2004-08-03 23:56 21,504 --a------ H:\WINDOWS\system32\SET83.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 23:01 82,432 ----a-w H:\WINDOWS\system32\comreso.dll
2008-05-09 19:34 --------- d-----w H:\Program Files\Support Tools
2008-05-09 00:21 --------- d-----w H:\Documents and Settings\Batrask.AARDWOLFCOM1\Application Data\AdobeUM
2008-05-03 23:21 --------- d--h--w H:\Program Files\InstallShield Installation Information
2008-05-03 23:21 --------- d-----w H:\Program Files\Common Files\Panda Software
2008-04-24 01:30 --------- d-----w H:\Program Files\Digi-Watcher.com
2008-04-22 23:34 20,608 ----a-w H:\WINDOWS\system32\drivers\ppwxaxdt.dat
2008-04-18 15:40 --------- d-----w H:\Program Files\Microsoft Money
2008-04-11 18:18 --------- d-----w H:\Program Files\DYMO Label
2008-04-07 21:19 --------- d-----w H:\Program Files\LucasArts
2008-04-07 21:09 --------- d-----w H:\Program Files\palm
2008-04-07 19:33 --------- d-----w H:\Program Files\Microsoft ActiveSync
2008-04-05 15:52 --------- d-----w H:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-05 01:17 --------- d-----w H:\Program Files\Common Files\Mozilla Shared
2008-04-04 01:10 196,608 ----a-w H:\WINDOWS\system32\libssl32.dll
2008-04-04 01:10 1,015,808 ----a-w H:\WINDOWS\system32\libeay32.dll
2008-03-11 05:16 --------- d-----w H:\Program Files\Logitech
2008-03-11 05:16 --------- d-----w H:\Program Files\Common Files\Logitech
2008-03-10 23:13 --------- d-----w H:\Program Files\SuperStar
2006-08-17 18:12 531,760 ----a-w H:\Documents and Settings\Corp Files\GenuineCheck.exe
2006-08-05 20:31 5,438,696 ----a-w H:\Documents and Settings\Corp Files\Credit Repair.exe
2006-08-05 20:27 1,214,040 ----a-w H:\Documents and Settings\Corp Files\ClipArt.exe
2006-08-05 20:26 742,080 ----a-w H:\Documents and Settings\Corp Files\ODBA_EN.exe
2006-08-05 20:24 480,816 ----a-w H:\Documents and Settings\Corp Files\Sounds.EXE
2006-08-05 18:26 13,005,632 ----a-w H:\Documents and Settings\Corp Files\Business Legal Forms & Agreements.exe
2006-08-05 18:23 1,797,152 ----a-w H:\Documents and Settings\Corp Files\FreeBonusProduct.exe
2006-08-05 18:22 9,974,008 ----a-w H:\Documents and Settings\Corp Files\Corporate Records.exe
2006-04-20 06:41 8,142,234 ----a-w H:\Documents and Settings\Bradley.AARDWOLFSCOMINC\CSEAgent-Default.exe
.

------- Sigcheck -------

2003-03-31 05:00 12800 0f7d9c87b0ce1fa520473119752c6f79 H:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 H:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 H:\WINDOWS\system32\svchost.exe

2005-03-02 11:19 577024 1800f293bccc8ede8a70e12b88d80036 H:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2004-06-17 10:58 560128 31fb2d788a9aa618452c02e8375b6dcd H:\WINDOWS\$NtServicePackUninstall$\user32.dll
2003-03-31 05:00 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb H:\WINDOWS\$NtUninstallKB840987$\user32.dll
2004-08-04 00:56 577024 c72661f8552ace7c5c85e16a3cf505c4 H:\WINDOWS\$NtUninstallKB890859$\user32.dll
2004-08-04 00:56 577024 c72661f8552ace7c5c85e16a3cf505c4 H:\WINDOWS\ServicePackFiles\i386\user32.dll
2005-03-02 11:09 577024 de2db164bbb35db061af0997e4499054 H:\WINDOWS\system32\user32.dll

2003-03-31 05:00 75264 8529c295df59b564d37a73b5629162b1 H:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 H:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 H:\WINDOWS\system32\ws2_32.dll

2004-09-29 11:27 656896 2c07195588d69a067c2afdaa31759295 H:\WINDOWS\$hf_mig$\KB834707\SP2QFE\wininet.dll
2005-01-27 10:08 657920 a8eac5330876548e9966a7d13025d196 H:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll
2005-05-02 13:57 658944 e1e18136f9dd3df1ad9c82193a5898a6 H:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll
2005-03-10 00:43 657920 c8663b488996e89a84c3d17c1d12b79e H:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll
2005-09-02 16:53 660480 97a6fd7cafd688cf2c78939ebaf0cd0c H:\WINDOWS\$hf_mig$\KB896688\SP2QFE\wininet.dll
2005-07-02 19:09 659456 6e533d155b259eb2363d3e04b5be309f H:\WINDOWS\$hf_mig$\KB896727\SP2QFE\wininet.dll
2005-10-20 20:38 661504 af785c4947676a7fc1673fdc5c8d0b5b H:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll
2006-03-03 20:58 663552 c0845ecbf4f9164e618ee381b79c9032 H:\WINDOWS\$hf_mig$\KB912812\SP2QFE\wininet.dll
2004-08-23 20:32 589312 01893ed35886aff539b58a025736f7ed H:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 H:\WINDOWS\$NtUninstallKB834707$\wininet.dll
2004-09-29 11:47 656896 cba65b573c66fe23f647ff96e3a10994 H:\WINDOWS\$NtUninstallKB867282$\wininet.dll
2005-03-10 01:02 656896 6f018d6319be4f96426ea829b79e05d5 H:\WINDOWS\$NtUninstallKB883939$\wininet.dll
2003-03-31 05:00 599040 f3587750a7481dccbea13d473a0700be H:\WINDOWS\$NtUninstallKB889293-IE6SP1-20041111.235619$\wininet.dll
2005-01-27 10:13 656896 b5e043e440b210014e021b24cf0a72e3 H:\WINDOWS\$NtUninstallKB890923$\wininet.dll
2005-07-02 19:11 658432 5b5ff992c0fa762ccf8655fc290e6e52 H:\WINDOWS\$NtUninstallKB896688$\wininet.dll
2005-05-02 13:52 657920 1a078af3f85d10ba56444c23b3a18e74 H:\WINDOWS\$NtUninstallKB896727$\wininet.dll
2005-09-02 16:52 658432 af61ebb1f550175eff406d545d6ab086 H:\WINDOWS\$NtUninstallKB905915$\wininet.dll
2005-10-20 20:39 658432 e7b27b6b6e06ce34ea019fd8b858c613 H:\WINDOWS\$NtUninstallKB912812$\wininet.dll
2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 H:\WINDOWS\ServicePackFiles\i386\wininet.dll
2006-03-03 20:33 658432 1c0979c7a489bee573cd0bf4ad94bb06 H:\WINDOWS\system32\wininet.dll

2005-05-25 12:07 359936 63fdfea54eb53de2d863ee454937ce1e H:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 10:07 360448 5562cc0a47b2aef06d3417b733f3c195 H:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2003-03-31 05:00 332928 244a2f9816bc9b593957281ef577d976 H:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c H:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 12:04 359808 88763a98a4c26c409741b4aa162720c9 H:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c H:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2006-01-12 19:28 359808 583e063fdc888ca30d05c2724b0d7ef4 H:\WINDOWS\system32\drivers\tcpip.sys

2004-05-26 18:38 483328 e7f9d2e4e4a94a6f58014e5ffa16a65e H:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2003-03-31 05:00 516608 2246d8d8f4714a2cedb21ab9b1849abb H:\WINDOWS\$NtUninstallKB841533$\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe H:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe H:\WINDOWS\system32\winlogon.exe

2003-03-31 05:00 167552 3b350e5a2a5e951453f3993275a4523a H:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e H:\WINDOWS\ServicePackFiles\i386\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e H:\WINDOWS\system32\drivers\ndis.sys

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 H:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 H:\WINDOWS\system32\drivers\ip6fw.sys

2005-03-01 17:36 2056832 d8aba3eab509627e707a3b14f00fbb6b H:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2004-10-22 00:29 1955840 efa7883018f42295d927121808ae6cee H:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2003-03-31 05:00 1947904 0e8efb15746878a9b256e75267337233 H:\WINDOWS\$NtUninstallKB885835_0$\ntkrnlpa.exe
2004-08-03 22:59 2015232 fb142b7007ca2eea76966c6c5cc12150 H:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 17:34 2056832 81013f36b21c7f72cf784cc6731e0002 H:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2004-08-03 22:58 2056832 947fb1d86d14afcffdb54bf837ec25d0 H:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2005-03-01 17:34 2015232 3cd941e472ddf3534e53038535719771 H:\WINDOWS\system32\ntkrnlpa.exe

2005-03-01 18:04 2179456 28187802b7c368c0d3aef7d4c382aabb H:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2004-10-22 01:33 2088448 5a7eb0c9f96917b7ecf5adf70c4b1bae H:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2003-03-31 05:00 2042240 b9080d97dbd631aadf9128f7316958d2 H:\WINDOWS\$NtUninstallKB885835_0$\ntoskrnl.exe
2004-08-03 23:18 2148352 626309040459c3915997ef98ec1c8d40 H:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 17:59 2179328 4d4cf2c14550a4b7718e94a6e581856e H:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2004-08-03 23:19 2180992 ce218bc7088681faa06633e218596ca7 H:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2005-03-01 17:57 2135552 48b3e89af7074cee0314a3e0c7faffdb H:\WINDOWS\system32\ntoskrnl.exe

2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 H:\WINDOWS\explorer.exe
2003-03-31 05:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a H:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 H:\WINDOWS\ServicePackFiles\i386\explorer.exe

2003-03-31 05:00 101376 e3df4a0252d287c44606ee55355e1623 H:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 H:\WINDOWS\ServicePackFiles\i386\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 H:\WINDOWS\system32\services.exe

2003-03-31 05:00 11776 b2b6ba905d0e3f8a32a0eb3b4051807b H:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 H:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 H:\WINDOWS\system32\lsass.exe

2003-03-31 05:00 13312 414de7cf9d3f19c3ea902f1bb38ec116 H:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 H:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 H:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot_2008-05-08_20.24.30.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-09 03:11:57 2,048 --s-a-w H:\WINDOWS\bootstat.dat
+ 2008-05-10 02:47:08 2,048 --s-a-w H:\WINDOWS\bootstat.dat
- 2008-05-09 03:08:08 4,835 ----a-w H:\WINDOWS\bthservsdp.dat
+ 2008-05-10 02:43:19 4,835 ----a-w H:\WINDOWS\bthservsdp.dat
+ 2008-05-10 02:43:21 1,544 ----a-w H:\WINDOWS\SoftwareDistribution\EventCache\{F6C59940-B8B1-4B9F-A3EF-8F00A776D897}.bin
- 2008-05-09 03:12:48 221,921 ----a-w H:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-10 02:51:28 221,921 ----a-w H:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-10 02:47:37 16,384 ----atw H:\WINDOWS\TEMP\Perflib_Perfdata_1d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C49D0693-E30B-4264-A7CA-34BDD410C746}]
2007-11-29 16:06 0 --a------ H:\WINDOWS\system32\dx8vba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3D31485-E523-41C2-9400-91886185280A}]
2008-05-09 16:01 82432 --a------ h:\windows\system32\comreso.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"LogitechSoftwareUpdate"="H:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 15:44 196608]
"H/PC Connection Agent"="H:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 19:44 1200128]
"msnmsgr"="H:\Program Files\MSN Messenger\msnmsgr.exe" [2006-06-16 14:38 5324584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="H:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"Acecad.Wtxpload"="H:\WINDOWS\Acecad\Wtxpload.exe" [2003-01-17 03:03 45056]
"3Dlabs Taskbar Display Manager"="H:\WINDOWS\system32\3dlTB.exe" [2006-02-16 18:44 235008]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 H:\WINDOWS\system32\bthprops.cpl]
"itype"="h:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 18:08 813912]
"IntelliPoint"="h:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 16:52 849280]
"Google Desktop Search"="H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-02 14:26 1862144]
"LogitechVideoRepair"="H:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 16:24 458752]
"LogitechVideoTray"="H:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 16:14 217088]
"combofix"="H:\WINDOWS\system32\CF17943.exe" [2004-08-04 00:56 388608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="H:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

H:\Documents and Settings\batrask.AARDWOLFSCOMINC\Start Menu\Programs\Startup\
Microsoft Office Outlook 2003 (2).lnk - H:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2004-12-11 23:19:00 794624]
Motorola Share.lnk - H:\Program Files\Motorola Share\agent.exe [2005-11-07 20:06:09 126976]

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 21:37:56 217194]
Adobe Gamma Loader.lnk - H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-30 17:34:51 110592]
Microsoft Office OneNote 2003 Quick Launch.lnk - H:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 13:23:32 51776]
Microtek Scanner Finder.lnk - H:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-04-30 17:12:19 344064]
NaturalColorLoad.lnk - H:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2007-01-09 12:29:04 155715]
WinZip Quick Pick.lnk - H:\Program Files\WinZip\WZQKPICK.EXE [2008-02-08 12:10:00 394856]

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Google Updater.lnk - H:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-28 12:41:15 125624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
comreso.dll 2008-05-09 16:01 82432 H:\WINDOWS\system32\comreso.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=H:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"REELDRV"= IMPEG32.DLL
"VIDC.D263"= xl_x263dec.dll
"VIDC.YV12"= xl_yv12.dll
"VIDC.XJPG"= camfc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"H:\Program Files\Microsoft ActiveSync\rapimgr.exe"= H:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"H:\Program Files\Microsoft ActiveSync\wcescomm.exe"= H:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"H:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= H:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2008-05-04 18:52:57 H:\WINDOWS\Tasks\Antispyware Scheduled Scan.job"
- H:\Program Files\AntiSpywareApp\AntiSpyware.ex
- H:\Program Files\AntiSpywareApp
"2008-05-04 18:52:56 H:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- H:\Program Files\ErrorSmart\ErrorSmart.ex
- H:\Program Files\ErrorSmart
"2008-05-09 00:54:59 H:\WINDOWS\Tasks\RegCure Program Check.job"
- H:\Program Files\RegCure\RegCure.exe
"2008-05-09 00:55:01 H:\WINDOWS\Tasks\RegCure.job"
- H:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 19:52:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ljtglpkj]
"ImagePath"="system32\drivers\ppwxaxdt.dat"
.
------------------------ Other Running Processes ------------------------
.
H:\WINDOWS\system32\wintab32.exe
H:\WINDOWS\system32\netdde.exe
H:\WINDOWS\Downloaded Program Files\WebEx\319\atnthost.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\WINDOWS\Downloaded Program Files\WebEx\319\raagtapp.exe
H:\WINDOWS\system32\drivers\CDAC11BA.EXE
H:\WINDOWS\system32\dllhost.exe
H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
H:\WINDOWS\system32\inetsrv\inetinfo.exe
H:\WINDOWS\system32\tcpsvcs.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\WINDOWS\system32\MiaSvc.exe
H:\WINDOWS\system32\msdtc.exe
H:\WINDOWS\system32\locator.exe
H:\WINDOWS\system32\snmp.exe
H:\WINDOWS\system32\tlntsvr.exe
H:\WINDOWS\system32\mqsvc.exe
H:\WINDOWS\system32\mqtgsvc.exe
H:\WINDOWS\system32\rundll32.exe
H:\PROGRA~1\MI3AA1~1\rapimgr.exe
H:\WINDOWS\system32\LVCOMSX.EXE
H:\Program Files\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2008-05-09 20:04:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-10 03:04:32
ComboFix2.txt 2008-05-09 23:20:45
ComboFix3.txt 2008-05-09 22:19:28
ComboFix4.txt 2008-05-09 03:25:53
ComboFix5.txt 2008-05-04 19:33:48

Pre-Run: 23,912,259,584 bytes free
Post-Run: 23,891,337,216 bytes free

288
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:47 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Wintab32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\netdde.exe
H:\WINDOWS\DOWNLO~1\WebEx\319\atnthost.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\WINDOWS\DOWNLO~1\WebEx\319\RAAGTAPP.EXE
H:\WINDOWS\system32\drivers\CDAC11BA.EXE
H:\WINDOWS\System32\dllhost.exe
H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\inetsrv\inetinfo.exe
H:\WINDOWS\System32\tcpsvcs.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\WINDOWS\system32\MiaSvc.exe
H:\WINDOWS\system32\sessmgr.exe
H:\WINDOWS\System32\snmp.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\System32\tlntsvr.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\mqsvc.exe
H:\WINDOWS\system32\mqtgsvc.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
H:\WINDOWS\system32\wuauclt.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\Microsoft IntelliType Pro\itype.exe
H:\Program Files\Microsoft IntelliPoint\ipoint.exe
H:\Program Files\Logitech\Video\LogiTray.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Microsoft ActiveSync\wcescomm.exe
H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
H:\WINDOWS\system32\LVComsX.exe
H:\PROGRA~1\MI3AA1~1\rapimgr.exe
H:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
H:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
H:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
H:\Program Files\Logitech\Video\FxSvr2.exe
H:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
H:\Documents and Settings\Batrask.AARDWOLFCOM1\My Documents\My Received Files\it programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {C49D0693-E30B-4264-A7CA-34BDD410C746} - H:\WINDOWS\system32\dx8vba.dll
O2 - BHO: (no name) - {E3D31485-E523-41C2-9400-91886185280A} - h:\windows\system32\comreso.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Acecad.Wtxpload] H:\WINDOWS\Acecad\Wtxpload.exe Acecad
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] H:\WINDOWS\system32\3dlTB.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [itype] "h:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "h:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [LogitechVideoRepair] H:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] H:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "H:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "H:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-73586283-1563985344-1417001333-1007\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-73586283-1563985344-1417001333-1007\..\Run: [msnmsgr] "H:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-73586283-1563985344-1417001333-1007 Startup: E-mail.lnk = ? (User '?')
O4 - Startup: E-mail.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = H:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = H:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @H:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @H:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: h:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...34/sdcregie.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://aardwolfscom0...uter/nshelp.dll
O16 - DPF: {83229950-AD1D-4B94-8304-F56E95AFACF7} (CSurgientTerminal Object) - http://microsoft.dem.../proxy/srdp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qbp.webex.co.../ra/ieatgpc.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab
O16 - DPF: {FB298ECE-4D17-414A-A5E8-FABC938796B2} (ActiveWebParts Illustration Viewer) - http://www.kohlerplu...awingViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aardwolfscominc.local
O17 - HKLM\Software\..\Telephony: DomainName = aardwolfscominc.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aardwolfscominc.local
O20 - AppInit_DLLs: H:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: AutorunsDisabled - H:\WINDOWS\
O23 - Service: AT Host Service (atnthost) - WebEx - H:\WINDOWS\DOWNLO~1\WebEx\319\atnthost.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - H:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: 3Dlabs LMM (miasvc) - Unknown owner - H:\WINDOWS\system32\MiaSvc.exe
O23 - Service: Wintab32 - Unknown owner - H:\WINDOWS\system32\Wintab32.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 11036 bytes

Hello

CLICK THIS TO LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum

• Click on "New Topic"
• Put your name, e-mail address, and this as the title: "H:\WINDOWS\system32\comreso.dll"
• Put a link to this topic in the description box.
• Then next to the file box, at the bottom, click the browse button, then navigate to this file:
  
  
  
  • H:\WINDOWS\system32\comreso.dll
  
  
• Click Open.
• Click Post.

Thank you!



1. Please download The Avenger by Swandog46 to your Desktop.

• Click on Avenger.zip to open the file
• Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
H:\WINDOWS\system32\comreso.dll

Registry keys to delete:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ljtglpkj

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Script file to execute" choose "Input Script Manually".
• Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
• Paste the text copied to clipboard into this window by pressing (Ctrl+V).
• Click Done
• Now click on the Green Light to begin execution of the script
• Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
• On reboot, it will briefly open a black command window on your desktop, this is normal.
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

I have listed the issue on the other site as requested and run advenger as requested and here are the results

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at H:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "H:\WINDOWS\system32\comreso.dll"
Deletion of file "H:\WINDOWS\system32\comreso.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: could not open registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ljtglpkj" for deletion
Deletion of registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ljtglpkj" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:53 AM, on 5/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Wintab32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\netdde.exe
H:\WINDOWS\DOWNLO~1\WebEx\319\atnthost.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\WINDOWS\DOWNLO~1\WebEx\319\RAAGTAPP.EXE
H:\WINDOWS\system32\drivers\CDAC11BA.EXE
H:\WINDOWS\System32\dllhost.exe
H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\inetsrv\inetinfo.exe
H:\WINDOWS\System32\tcpsvcs.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\WINDOWS\system32\MiaSvc.exe
H:\WINDOWS\System32\snmp.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\System32\tlntsvr.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\mqsvc.exe
H:\WINDOWS\system32\mqtgsvc.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\Microsoft IntelliType Pro\itype.exe
H:\Program Files\Microsoft IntelliPoint\ipoint.exe
H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
H:\Program Files\Logitech\Video\LogiTray.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Microsoft ActiveSync\wcescomm.exe
H:\Program Files\MSN Messenger\msnmsgr.exe
H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
H:\PROGRA~1\MI3AA1~1\rapimgr.exe
H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
H:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
H:\WINDOWS\system32\LVComsX.exe
H:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
H:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
H:\Program Files\WinZip\WZQKPICK.EXE
H:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
H:\Program Files\Logitech\Video\FxSvr2.exe
H:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Documents and Settings\Batrask.AARDWOLFCOM1\My Documents\My Received Files\it programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {C49D0693-E30B-4264-A7CA-34BDD410C746} - H:\WINDOWS\system32\dx8vba.dll
O2 - BHO: (no name) - {E3D31485-E523-41C2-9400-91886185280A} - h:\windows\system32\comreso.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Acecad.Wtxpload] H:\WINDOWS\Acecad\Wtxpload.exe Acecad
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] H:\WINDOWS\system32\3dlTB.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [itype] "h:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "h:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [LogitechVideoRepair] H:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] H:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "H:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "H:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-73586283-1563985344-1417001333-1007\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-73586283-1563985344-1417001333-1007\..\Run: [msnmsgr] "H:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-73586283-1563985344-1417001333-1007 Startup: E-mail.lnk = ? (User '?')
O4 - Startup: E-mail.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = H:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = H:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @H:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @H:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: h:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...34/sdcregie.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://aardwolfscom0...uter/nshelp.dll
O16 - DPF: {83229950-AD1D-4B94-8304-F56E95AFACF7} (CSurgientTerminal Object) - http://microsoft.dem.../proxy/srdp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qbp.webex.co.../ra/ieatgpc.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab
O16 - DPF: {FB298ECE-4D17-414A-A5E8-FABC938796B2} (ActiveWebParts Illustration Viewer) - http://www.kohlerplu...awingViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aardwolfscominc.local
O17 - HKLM\Software\..\Telephony: DomainName = aardwolfscominc.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aardwolfscominc.local
O20 - AppInit_DLLs: H:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: AutorunsDisabled - H:\WINDOWS\
O23 - Service: AT Host Service (atnthost) - WebEx - H:\WINDOWS\DOWNLO~1\WebEx\319\atnthost.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - H:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: 3Dlabs LMM (miasvc) - Unknown owner - H:\WINDOWS\system32\MiaSvc.exe
O23 - Service: Wintab32 - Unknown owner - H:\WINDOWS\system32\Wintab32.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 11387 bytes

Looks like we are in for some fun

1. Please download The Avenger by Swandog46 to your Desktop.

• Click on Avenger.zip to open the file
• Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
H:\WINDOWS\system32\dx8vba.dll
h:\windows\system32\comreso.dll

Registry key to delete:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ljtglpkj

Driver to delete:
ljtglpkj

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Script file to execute" choose "Input Script Manually".
• Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
• Paste the text copied to clipboard into this window by pressing (Ctrl+V).
• Click Done
• Now click on the Green Light to begin execution of the script
• Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
• On reboot, it will briefly open a black command window on your desktop, this is normal.
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

I looked at HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ljtglpkj and it has
Image Path pointing to "system32\drivers\ppwxaxdt.dat"

OK this is what was the outcome from Avenger


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at H:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "H:\WINDOWS\system32\dx8vba.dll"
Deletion of file "H:\WINDOWS\system32\dx8vba.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: could not open file "h:\windows\system32\comreso.dll"
Deletion of file "h:\windows\system32\comreso.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: file "Registry key to delete:" not found!
Deletion of file "Registry key to delete:" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ljtglpkj"
Deletion of file "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ljtglpkj" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error: file "Driver to delete:" not found!
Deletion of file "Driver to delete:" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not query attributes of file "ljtglpkj"
Deletion of file "ljtglpkj" failed!
Status: 0xc0000010


Completed script processing.

*******************

Finished! Terminate.

Post a HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:34 AM, on 5/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Wintab32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\netdde.exe
H:\WINDOWS\DOWNLO~1\WebEx\319\atnthost.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\WINDOWS\DOWNLO~1\WebEx\319\RAAGTAPP.EXE
H:\WINDOWS\system32\drivers\CDAC11BA.EXE
H:\WINDOWS\System32\dllhost.exe
H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\inetsrv\inetinfo.exe
H:\WINDOWS\System32\tcpsvcs.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\WINDOWS\system32\MiaSvc.exe
H:\WINDOWS\System32\snmp.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\System32\tlntsvr.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\mqsvc.exe
H:\WINDOWS\system32\mqtgsvc.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\Microsoft IntelliType Pro\itype.exe
H:\Program Files\Microsoft IntelliPoint\ipoint.exe
H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
H:\Program Files\Logitech\Video\LogiTray.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Microsoft ActiveSync\wcescomm.exe
H:\Program Files\MSN Messenger\msnmsgr.exe
H:\PROGRA~1\MI3AA1~1\rapimgr.exe
H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
H:\WINDOWS\system32\LVComsX.exe
H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
H:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
H:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
H:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
H:\Program Files\WinZip\WZQKPICK.EXE
H:\Program Files\Logitech\Video\FxSvr2.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\WINDOWS\regedit.exe
H:\Documents and Settings\Batrask.AARDWOLFCOM1\My Documents\My Received Files\it programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {C49D0693-E30B-4264-A7CA-34BDD410C746} - H:\WINDOWS\system32\dx8vba.dll
O2 - BHO: (no name) - {E3D31485-E523-41C2-9400-91886185280A} - h:\windows\system32\comreso.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Acecad.Wtxpload] H:\WINDOWS\Acecad\Wtxpload.exe Acecad
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] H:\WINDOWS\system32\3dlTB.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [itype] "h:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "h:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [LogitechVideoRepair] H:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] H:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "H:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "H:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-73586283-1563985344-1417001333-1007\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-73586283-1563985344-1417001333-1007\..\Run: [msnmsgr] "H:\Program Files\MSN Messenger\msnmsgr.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-73586283-1563985344-1417001333-1007 Startup: E-mail.lnk = ? (User '?')
O4 - Startup: E-mail.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = H:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = H:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = H:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @H:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @H:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: h:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...34/sdcregie.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://aardwolfscom0...uter/nshelp.dll
O16 - DPF: {83229950-AD1D-4B94-8304-F56E95AFACF7} (CSurgientTerminal Object) - http://microsoft.dem.../proxy/srdp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qbp.webex.co.../ra/ieatgpc.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab
O16 - DPF: {FB298ECE-4D17-414A-A5E8-FABC938796B2} (ActiveWebParts Illustration Viewer) - http://www.kohlerplu...awingViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aardwolfscominc.local
O17 - HKLM\Software\..\Telephony: DomainName = aardwolfscominc.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aardwolfscominc.local
O20 - AppInit_DLLs: H:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O20 - Winlogon Notify: AutorunsDisabled - H:\WINDOWS\
O23 - Service: AT Host Service (atnthost) - WebEx - H:\WINDOWS\DOWNLO~1\WebEx\319\atnthost.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - H:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: 3Dlabs LMM (miasvc) - Unknown owner - H:\WINDOWS\system32\MiaSvc.exe
O23 - Service: Wintab32 - Unknown owner - H:\WINDOWS\system32\Wintab32.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 11215 bytes