
outerinfo looksky vundo [RESOLVED]


This topic is locked

#1 Ashley Poole (Member, 54 posts)
1st problem---I have a "services and controller app has encountered a problem and needs to close" window. If I click on anything [Debug, Send, Don't Send], it counts down from 60 seconds before reboot. It says it was authorized by NT AUTHORITY/SYSTEM.
I also have 2 icons in the quick launch place in the bottom right-hand corner of my screen: one looks like the combofix.exe icon [red circle w/ white x]. It says my computer is infected with spyware, it needs special antispyware tools, and Windows will now download the most up-to-date antispyware for me. The other is a yellow triangle icon with a black exclamation mark/point. [It says "YOU computer has an infection!"] LOL.
A Windows box pops up and tells me something; I have to go through Task Manager to end the application. When I do so, it ends it, as well as the 2 icons at the bottom right.
When I get on the internet [or TRY], I am almost immediately directed to a site called "porntube" if I try to search for antivirus or anything. The top 2 websites listed almost every time are thinklocal.com and monster(something).com, which are both porn sites. But after the 1st time, I knew not to click on them. =D
OK, THAT'S NOT IT! I was looking at my registry (I'm not a professional, so I didn't edit anything), but I noticed on one of the hives that it had something or someone other than my name, users, system, restricted. Maybe that has something to do with it??? But the permissions were marked as read-only. The reason for my looking at the registry is that when I clicked on Internet Options [either way] while on the web, it had restrictions and told me to talk to the administrator [which IS ME!]. However, that problem is fixed now.
I downloaded bad software and got these viruses and everything else. I haven't been able to do anything on the computer for 3-4 days. I uninstalled Outerinfo and deleted the folder, but it keeps popping back up with my antivirus.
Over and over... Vundo and Looksky as well. I scanned with Trend Micro and it found several files. I deleted all but:
c:/windows/system32/dla/tfswctrl.exe
jusched.exe
intelmem.exe
The ones that were infected that I deleted were:
realsched.exe
pcmservice.exe
hpwvschd2.exe (the v could be a u, my handwriting is awful!)
lsass.exe (not LSASS.exe)
KmxFw.sys (wasnt working properly)

NEEDLESS TO SAY, Windows Task Scheduler is not working, and Microsoft Update worked for a minute, then stopped. I don't know what's going on or what to do now! The CA support people should call back within 24-48 hours.

I had AVG; Bright House told me to delete it and download their software, which is CA Security Suite, and one of the support guys did Remote Assistance and it took him 3 hours to do what seemed to be fixing my computer... boy was I wrong. 30 minutes later, I got the same problems back again. He ran combofix.exe, Spybot, smitfraudfix.exe, vundofix.exe. He ran HijackThis, etc. I do not see a ComboFix log on the desktop; I did a search with no luck. I will post my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:19, on 2008-01-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\DOCUME~1\Ashley\LOCALS~1\Temp\Customer-6.0.6.0.exe
C:\DOCUME~1\Ashley\LOCALS~1\Temp\winvnc.exe
C:\Documents and Settings\Ashley\Desktop\Autoruns\autoruns.exe
C:\Documents and Settings\Ashley\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvpet.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1 .EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00F5A157-D564-4D5E-95F9-AD3D533D5D35} (FamilyFantastic.PhotoFantastic) - http://www.familyfan...toFantastic.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...tup1.0.0.15.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/c..._12_1,0,2,5.exe
O16 - DPF: {82B56B47-90DC-4F58-9A7D-D27BA46D3C0F} (MyPhotoAlbum Easy Upload Tool Combo Control) - http://forsaleintamp...geUploader4.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://www.talkingbu...m/tbinstall.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.c...oad/XUpload.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...841/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O20 - Winlogon Notify: crypt32set - C:\WINDOWS\Media\fuwarxyus.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe



THANKS FOR READING THIS AND HOPEFULLY HELPING ME GET THIS STRAIGHTENED OUT, ONCE AND FOR ALL!
THANK YOU!

By the way: I ran BitDefender and so far this is what I have:

trojan.generic.25658 [2]
trojan.qrap.b
trojan.pakes.bc
trojan.dropper.vundo.d [2]
trojan.vundo.dvo
trojan.vundo.dvs [6]
trojan.downloader.bho.nxv [2]
trojan.downloader.wma.wimad.e

Edited by Ashley Poole, 25 January 2008 - 10:23 AM.

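Several entries in the HijackThis log above are instances of a small set of autorun tricks: the Run value launching "qttask .exe" (a space before the extension makes it a different file from qttask.exe), the "mmrtkrnl.exe" Run value with no path, rundll32.exe loading drvpet.dll at logon, and a Winlogon Notify entry for a missing DLL under C:\WINDOWS\Media. The ComboFix listing posted later in the thread shows the same space-before-extension look-alikes on disk (several qttask variants, svchost .exe under DRIVERS) and a deleted lsass.exe under Program Files. The Python below is an added example, not a tool used or posted in this thread, that encodes those checks so they can be run over log lines. The sample lines inside it are constructed in the style of the posted logs, and the system32 directory and core-process name list are my assumptions for Windows XP, not something the page states.

```python
"""Triage helpers for HijackThis (HJT) and ComboFix log lines.

Added example, not a tool from this thread.  It encodes the autorun tricks
visible in the posted logs: whitespace before ".exe", a Winlogon Notify DLL
that is missing or outside system32, a Run entry with no path, rundll32
loading a DLL, and core-process names in the wrong directory.  SAMPLE_* are
constructed in the style of those logs (assumption: Windows XP layout).
"""
import re
from collections import defaultdict

# Whitespace immediately before the extension: "qttask .exe" is a different
# file from "qttask.exe" but reads the same in most listings and Run entries.
SPACED_EXT = re.compile(r"\s\.(exe|dll|sys|scr)\b", re.IGNORECASE)

SYSTEM32 = r"c:\windows\system32"          # assumption: default XP install
# Names that only legitimately run from system32 on Windows XP (assumption).
CORE_NAMES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
              "svchost.exe", "ctfmon.exe", "spoolsv.exe"}

O4_TARGET = re.compile(r"^O4 - .*?: \[[^\]]*\]\s*(?P<target>.*)$")
O20_DLL = re.compile(r"^O20 - Winlogon Notify: .*? - (?P<dll>.*)$")
FIRST_MODULE = re.compile(r'"?(?P<path>.*?\.(?:exe|dll|sys|scr))', re.IGNORECASE)
# ComboFix file listing: attributes, size, date, time, path (path may hold spaces).
CF_LINE = re.compile(r"^[-a-z]{7}\s+[\d,]+\s+\S+ \S+\s+(?P<path>[a-z]:\\.+?)\s*$",
                     re.IGNORECASE)


def normalize(path: str) -> str:
    """Lower-case a path and drop any whitespace hidden before its extension."""
    return re.sub(r"\s+(?=\.[a-z0-9]+$)", "", path.strip().strip('"').lower())


def first_module(target: str) -> str:
    """The executable a Run value launches: the (possibly quoted) path up to its extension."""
    m = FIRST_MODULE.match(target.strip())
    return m.group("path") if m else target.strip()


def check_path(path: str) -> list[str]:
    """Checks that apply to any path: a running process, a Run target, a ComboFix line."""
    findings = []
    if SPACED_EXT.search(path):
        findings.append("whitespace before file extension")
    norm = normalize(path)
    directory, _, name = norm.rpartition("\\")
    if name in CORE_NAMES and directory != SYSTEM32:
        findings.append(f"core process name {name} outside system32")
    if "\\temp\\" in norm:
        findings.append("executable in a temp directory")
    return findings


def check_hjt_line(line: str) -> list[str]:
    """Reasons an O4 (Run key) or O20 (Winlogon Notify) HJT line deserves a second look."""
    findings = []
    m = O4_TARGET.match(line)
    if m:
        module = first_module(m.group("target"))
        findings += check_path(module)
        if module.lower().startswith("rundll32"):
            findings.append("rundll32 loading a DLL at logon")
        elif not re.match(r"[a-z]:\\", module, re.IGNORECASE):
            findings.append("bare filename, no path (resolved through PATH)")
    m = O20_DLL.match(line)
    if m:
        dll = m.group("dll").strip()
        if dll.endswith("(file missing)"):
            findings.append("Winlogon Notify DLL missing on disk (leftover registry entry)")
        if not dll.lower().startswith(SYSTEM32 + "\\"):
            findings.append("Winlogon Notify DLL outside system32")
    return findings


def lookalike_groups(listing: str) -> dict[str, list[str]]:
    """Group ComboFix listing paths by de-spaced name; keep groups with a spaced look-alike."""
    groups: dict[str, list[str]] = defaultdict(list)
    for line in listing.splitlines():
        m = CF_LINE.match(line.strip())
        if m:
            groups[normalize(m.group("path"))].append(m.group("path"))
    return {k: v for k, v in groups.items() if any(SPACED_EXT.search(p) for p in v)}


# Constructed samples in the style of the thread's logs (not the full logs).
SAMPLE_HJT = [
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime',
    r"O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe",
    r"O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvpet.dll,startup",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r"O20 - Winlogon Notify: crypt32set - C:\WINDOWS\Media\fuwarxyus.dll (file missing)",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
]
SAMPLE_COMBOFIX = """
----a-w      98,304 2008-01-24 14:30:55  C:\\Program Files\\QuickTime\\qttask   .exe
----a-w      98,304 2008-01-23 17:24:14  C:\\Program Files\\QuickTime\\qttask .exe
----a-w      69,489 2008-01-22 21:52:29  C:\\WINDOWS\\SYSTEM32\\DRIVERS\\svchost .exe
"""

if __name__ == "__main__":
    for entry in SAMPLE_HJT:
        print(entry, "->", check_hjt_line(entry) or "ok")
    for key, paths in lookalike_groups(SAMPLE_COMBOFIX).items():
        print(key, "->", [p.rsplit("\\", 1)[1] for p in paths])
```

Run it as a script to see the findings for the sample lines; check_hjt_line and check_path take real log lines unchanged, and lookalike_groups takes the whole ComboFix file listing as one string. These are triage heuristics, not a verdict: a file that passes them still has to be confirmed by hash or signature, and a space before the extension is only one of several ways to make a look-alike name.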

#2 Rorschach112 - Ralphie (Retired Staff, 47,710 posts)
Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 Ashley Poole (Topic Starter, Member, 54 posts)
OK, BEFORE I POST ALL THE LOGS... let me just tell you one thing. I keep having the English language bar pop up on my taskbar. I keep removing it, but it is very persistent and keeps coming back.

HIJACK THIS LOG:
Logfile of HijackThis v1.99.1
Scan saved at 11:43:23 AM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ashley\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvpet.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00F5A157-D564-4D5E-95F9-AD3D533D5D35} (FamilyFantastic.PhotoFantastic) - http://www.familyfan...toFantastic.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} -
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1201224961093
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} -
O16 - DPF: {82B56B47-90DC-4F58-9A7D-D27BA46D3C0F} (MyPhotoAlbum Easy Upload Tool Combo Control) - http://forsaleintamp...geUploader4.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://www.talkingbu...m/tbinstall.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.c...oad/XUpload.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...841/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O20 - Winlogon Notify: crypt32set - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

COMBOFIX LOG:

ComboFix 08-01-23.1B - Ashley 2008-01-25 11:27:15.2 - NTFSx86
Running from: C:\Documents and Settings\Ashley\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Program Files\Helper
C:\Program Files\Helper\Helper9.dll
C:\Program Files\Internet Explorer\setupapi.dll
C:\Program Files\lsass.exe
C:\WINDOWS\system32\components
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\SYSTEM32\ijkmp.ini
C:\WINDOWS\SYSTEM32\ijkmp.ini2
C:\WINDOWS\system32\ljjjggf.dll
C:\WINDOWS\SYSTEM32\qpqss.ini
C:\WINDOWS\SYSTEM32\qpqss.ini2
C:\WINDOWS\system32\winmoy32.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-25 09:58 . 2008-01-25 09:58 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-25 09:58 . 2008-01-25 11:20 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-25 09:50 . 2008-01-25 09:50 <DIR> d-------- C:\Program Files\CCleaner
2008-01-24 22:45 . 2008-01-24 22:45 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-01-24 21:50 . 2008-01-24 21:58 <DIR> d-------- C:\Program Files\YPOPs
2008-01-24 19:52 . 2008-01-24 19:52 4,246 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-01-24 19:29 . 2008-01-24 19:29 <DIR> d-------- C:\VundoFix Backups
2008-01-24 17:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 13:50 . 2008-01-24 13:50 18,944 --a------ C:\WINDOWS\SYSTEM32\drvpet.dll
2008-01-23 18:29 . 2008-01-23 18:29 444 --a------ C:\WINDOWS\SYSTEM32\d3d8caps.dat
2008-01-23 16:29 . 2008-01-24 21:27 144,166 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k0
2008-01-23 16:29 . 2008-01-24 21:27 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k7
2008-01-23 16:29 . 2008-01-24 21:27 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k6
2008-01-23 16:29 . 2008-01-24 21:27 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k5
2008-01-23 16:29 . 2008-01-24 21:27 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k4
2008-01-23 16:29 . 2008-01-24 21:27 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k3
2008-01-23 16:29 . 2008-01-24 21:27 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k2
2008-01-23 16:29 . 2008-01-24 21:27 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k1
2008-01-23 14:28 . 2008-01-25 10:33 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-01-23 14:09 . 2007-08-20 13:42 879,784 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetefile.sys
2008-01-23 14:09 . 2007-08-20 13:42 108,312 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\veteboot.sys
2008-01-23 14:09 . 2007-08-20 13:42 99,592 --a------ C:\WINDOWS\SYSTEM32\isafeif.dll
2008-01-23 14:09 . 2007-08-20 13:42 79,424 --a------ C:\WINDOWS\SYSTEM32\vetredir.dll
2008-01-23 14:09 . 2007-08-20 13:42 75,016 --a------ C:\WINDOWS\SYSTEM32\isafprod.dll
2008-01-23 14:09 . 2007-08-20 13:42 32,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys
2008-01-23 14:09 . 2007-08-20 13:42 26,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-filt.sys
2008-01-23 14:09 . 2007-08-20 13:42 21,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetfddnt.sys
2008-01-23 14:09 . 2007-08-20 13:42 21,128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-rec.sys
2008-01-23 14:07 . 2008-01-23 14:07 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-01-23 14:05 . 2008-01-23 14:07 <DIR> d-------- C:\Program Files\CA
2008-01-22 16:52 . 2008-01-22 16:52 69,489 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\svchost .exe
2008-01-22 16:51 . 2008-01-23 11:16 155,648 --a------ C:\WINDOWS\SYSTEM32\igfxtray .exe
2008-01-22 16:50 . 2008-01-23 10:14 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon .exe
2008-01-22 16:04 . 54,764 C:\WINDOWS\SYSTEM32\ztx86.sys
2008-01-22 16:04 . 2008-01-22 16:06 2 --a------ C:\1894360244
2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 15:41 --------- d-----w C:\Program Files\MSN Messenger
2008-01-24 14:30 155,648 ----a-w C:\WINDOWS\SYSTEM32\igfxtray.exe
2008-01-24 14:30 15,360 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe
2008-01-24 14:30 15,360 ----a-w C:\WINDOWS\SYSTEM32\ctfmon.exe
2008-01-24 14:30 --------- d-----w C:\Program Files\QuickTime
2008-01-24 14:30 --------- d-----w C:\Program Files\iTunes
2008-01-23 20:49 --------- d-----w C:\Program Files\Zonate11
2008-01-23 17:24 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\msconfig.exe.tmp
2008-01-23 15:14 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\MSConfig .exe
2007-12-16 16:13 --------- d-----w C:\Program Files\Shareaza
2007-12-05 19:23 --------- d-----w C:\Program Files\Yahoo!
2007-12-05 19:09 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
2007-11-04 18:19 278,528 ----a-w C:\WINDOWS\SYSTEM32\livesnth.dll
2007-11-04 18:19 203,776 ----a-w C:\WINDOWS\SYSTEM32\clrviddc.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
.
----a-w      110,592 2008-01-23 16:16:00  C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w      579,072 2008-01-23 15:20:27  C:\Program Files\Grisoft\AVG Free\avgcc .exe
----a-w      221,184 2008-01-23 16:16:09  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w      286,720 2008-01-23 16:16:07  C:\Program Files\iTunes\iTunesHelper .exe
----a-w      132,496 2008-01-23 16:16:04  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w       98,304 2008-01-24 14:30:55  C:\Program Files\QuickTime\qttask      .exe
----a-w       98,304 2008-01-23 17:24:12  C:\Program Files\QuickTime\qttask     .exe
----a-w       98,304 2008-01-23 17:24:13  C:\Program Files\QuickTime\qttask    .exe
----a-w       98,304 2008-01-23 17:24:13  C:\Program Files\QuickTime\qttask   .exe
----a-w       98,304 2008-01-23 17:24:14  C:\Program Files\QuickTime\qttask  .exe
----a-w       98,304 2008-01-23 17:24:14  C:\Program Files\QuickTime\qttask .exe
----a-w    4,662,776 2008-01-23 16:16:30  C:\Program Files\Yahoo!\Messenger\YAHOOM~1   .EXE
----a-w    4,662,776 2008-01-23 17:24:24  C:\Program Files\Yahoo!\Messenger\YAHOOM~1  .EXE
----a-w    4,662,776 2008-01-23 17:24:28  C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
----a-w      158,208 2008-01-23 15:14:22  C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\MSConfig .exe
----a-w       15,360 2008-01-23 15:14:30  C:\WINDOWS\SYSTEM32\ctfmon .exe
----a-w      155,648 2008-01-23 16:16:09  C:\WINDOWS\SYSTEM32\igfxtray .exe
----a-w      122,939 2008-01-23 16:16:15  C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe
----a-w       69,489 2008-01-22 21:52:29  C:\WINDOWS\SYSTEM32\DRIVERS\svchost .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-24 09:30 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-24 09:30 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-24 09:30 132496]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-24 09:30 286720]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2008-01-24 09:30 221184]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-24 09:30 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2008-01-24 09:30 122939]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-01-24 09:30 177416]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2008-01-24 09:30 14088]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-01-24 09:30 230664]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-01-24 09:30 1193224]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-01-24 09:30 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-01-24 09:30 253952]
"MSDisp32"="C:\WINDOWS\system32\drvpet.dll" [2008-01-24 13:50 18944]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-01-24 09:30 5562368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32set]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\SYSTEM32\UmxWNP.dll

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-07-24 17:00]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 14:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 14:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-07-24 17:00]
R2 dvdmmg;dvdmmg;C:\WINDOWS\system32\drivers\dvdmmg.sys [2007-09-06 05:15]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-07-24 17:00]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-05-18 14:30]
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-07-24 17:00]
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-07-24 17:37]
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 14:30]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-05-18 14:30]
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2007-08-16 21:10]
S1 Webp6Fw;Webp6Fw;C:\WINDOWS\system32\drivers\srvmf.sys []
S3 iatmunin;iatmunin;C:\DOCUME~1\Ashley\LOCALS~1\Temp\iatmunin.sys []
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 05:00]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 00:11:15 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Ashley at 2 08 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 11:36:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-25 11:40:21
ComboFix-quarantined-files.txt 2008-01-25 16:40:09
.
2008-01-25 02:52:40 --- E O F ---

BIT DEFENDER SCAN REPORT LOG:

BitDefender Online Scanner

Scan report generated at: Fri, Jan 25, 2008 - 11:20:23

Scan path: C:\;D:\;

Statistics
Time: 01:18:06
Files: 432333
Folders: 6033
Boot Sectors: 4
Archives: 3335
Packed Files: 19416

Results
Identified Viruses: 13
Infected Files: 23
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 26

Engines Info
Virus Definitions: 977057
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 16
Archive plugins: 41
Unpack plugins: 7
E-mail plugins: 6
System plugins: 5

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\Ashley\.housecall6.6\Quarantine\lsass.exe.bac_a01908=>(Quarantine-4)
Infected with: Trojan.Dropper.Vundo.D

C:\Documents and Settings\Ashley\.housecall6.6\Quarantine\lsass.exe.bac_a01908=>(Quarantine-4)
Deleted

C:\Documents and Settings\Ashley\.housecall6.6\Quarantine\pmkji.exe.bac_a01908=>(Quarantine-4)
Infected with: Trojan.Dropper.Vundo.D

C:\Documents and Settings\Ashley\.housecall6.6\Quarantine\pmkji.exe.bac_a01908=>(Quarantine-4)
Deleted

C:\Documents and Settings\Ashley\.housecall6.6\Quarantine\pmnkkji.dll.bac_a01908
Infected with: Trojan.Vundo.DVO

C:\Documents and Settings\Ashley\.housecall6.6\Quarantine\pmnkkji.dll.bac_a01908
Disinfection failed

C:\Documents and Settings\Ashley\.housecall6.6\Quarantine\pmnkkji.dll.bac_a01908
Deleted

C:\Documents and Settings\Ashley\.housecall6.6\Quarantine\son bay four- a puro dolor 04.wma.bac_a03004=>(Quarantine-4)
Infected with: Trojan.Downloader.WMA.Wimad.E

C:\Documents and Settings\Ashley\.housecall6.6\Quarantine\son bay four- a puro dolor 04.wma.bac_a03004=>(Quarantine-4)
Deleted

C:\Documents and Settings\Ashley\Application Data\VideoEgg\Updater\updater.exe
Infected with: Trojan.Generic.25658

C:\Documents and Settings\Ashley\Application Data\VideoEgg\Updater\updater.exe
Deleted

C:\Documents and Settings\Ashley\Desktop\backups\backup-20080124-192145-132.inf
Detected with: Application.MWS

C:\Documents and Settings\Ashley\Desktop\backups\backup-20080124-192145-132.inf
Deleted

C:\Documents and Settings\Ashley\My Documents\Downloads\Programs\NimoPack10.exe=>(NSIS o)=>lzma_solid_nsis0002
Infected with: Trojan.Qrap.B

C:\Documents and Settings\Ashley\My Documents\Downloads\Programs\NimoPack10.exe=>(NSIS o)=>lzma_solid_nsis0002
Deleted

C:\Documents and Settings\Ashley\My Documents\Downloads\Programs\NimoPack10.exe=>(NSIS o)
Update failed

C:\Documents and Settings\Ashley\My Documents\Downloads\Programs\NimoPack10.exe=>(NSIS o)=>lzma_solid_nsis0003
Infected with: Trojan.Pakes.BC

C:\Documents and Settings\Ashley\My Documents\Downloads\Programs\NimoPack10.exe=>(NSIS o)=>lzma_solid_nsis0003
Deleted

C:\Documents and Settings\Ashley\My Documents\Downloads\Programs\NimoPack10.exe=>(NSIS o)
Update failed

C:\Program Files\MSN Messenger\riched20.dll
Detected with: Adware.MyWebSearch.AV

C:\Program Files\MSN Messenger\riched20.dll
Disinfection failed

C:\Program Files\MSN Messenger\riched20.dll
Deleted

C:\QooBox\Quarantine\C\Program Files\Helper\Helper9.dll.vir
Infected with: Trojan.Downloader.BHO.NXV

C:\QooBox\Quarantine\C\Program Files\Helper\Helper9.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\Program Files\Helper\Helper9.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ijkmp.ini.vir
Infected with: Trojan.Vundo.DVS

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ijkmp.ini.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ijkmp.ini.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ijkmp.ini2.vir
Infected with: Trojan.Vundo.DVS

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ijkmp.ini2.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ijkmp.ini2.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qpqss.ini.vir
Infected with: Trojan.Vundo.DVS

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qpqss.ini.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qpqss.ini.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qpqss.ini2.vir
Infected with: Trojan.Vundo.DVS

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qpqss.ini2.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qpqss.ini2.vir
Deleted

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000043.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000043.ini
Disinfection failed

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000043.ini
Deleted

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000044.ini
Infected with: Trojan.Vundo.DVS

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000044.ini
Disinfection failed

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000044.ini
Deleted

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000045.dll
Infected with: Trojan.Downloader.BHO.NXV

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000045.dll
Disinfection failed

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000045.dll
Deleted

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0002705.exe
Infected with: Trojan.Generic.25658

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0002705.exe
Deleted

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0002706.inf
Detected with: Application.MWS

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0002706.inf
Deleted

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0002709.dll
Detected with: Adware.MyWebSearch.AV

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0002709.dll
Disinfection failed

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0002709.dll
Deleted

C:\WINDOWS\SYSTEM32\nxscript.exe=>(NSIS o)=>zlib_nsis0001
Detected with: Adware.Splnet.A

C:\WINDOWS\SYSTEM32\nxscript.exe=>(NSIS o)=>zlib_nsis0001
Deleted

C:\WINDOWS\SYSTEM32\nxscript.exe=>(NSIS o)
Update failed

C:\WINDOWS\SYSTEM32\nxscript.exe=>(NSIS o)=>zlib_nsis0002
Infected with: Trojan.Clicker.Vb.DN

C:\WINDOWS\SYSTEM32\nxscript.exe=>(NSIS o)=>zlib_nsis0002
Deleted

C:\WINDOWS\SYSTEM32\nxscript.exe=>(NSIS o)
Update failed

C:\WINDOWS\SYSTEM32\nxscript.exe=>(NSIS o)=>zlib_nsis0003
Infected with: Trojan.Vb.SY

C:\WINDOWS\SYSTEM32\nxscript.exe=>(NSIS o)=>zlib_nsis0003
Deleted

C:\WINDOWS\SYSTEM32\nxscript.exe=>(NSIS o)
Update failed

#4
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Please only do the scans that I ask you to do. The infection you have can result in serious problems if you are not careful.


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\SYSTEM32\drvpet.dll
C:\WINDOWS\SYSTEM32\ztx86.sys

Driver::
Webp6Fw
iatmunin

RenV::
----a-w 110,592 2008-01-23 16:16:00 C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
----a-w 579,072 2008-01-23 15:20:27 C:\Program Files\Grisoft\AVG Free\avgcc .exe
----a-w 221,184 2008-01-23 16:16:09 C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w 286,720 2008-01-23 16:16:07 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 132,496 2008-01-23 16:16:04 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 98,304 2008-01-24 14:30:55 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-01-23 17:24:12 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-01-23 17:24:13 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-01-23 17:24:13 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-01-23 17:24:14 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-01-23 17:24:14 C:\Program Files\QuickTime\qttask .exe
----a-w 4,662,776 2008-01-23 16:16:30 C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
----a-w 4,662,776 2008-01-23 17:24:24 C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
----a-w 4,662,776 2008-01-23 17:24:28 C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
----a-w 158,208 2008-01-23 15:14:22 C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\MSConfig .exe
----a-w 15,360 2008-01-23 15:14:30 C:\WINDOWS\SYSTEM32\ctfmon .exe
----a-w 155,648 2008-01-23 16:16:09 C:\WINDOWS\SYSTEM32\igfxtray .exe
----a-w 122,939 2008-01-23 16:16:15 C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe
----a-w 69,489 2008-01-22 21:52:29 C:\WINDOWS\SYSTEM32\DRIVERS\svchost .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

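The CFScript procedure in this post (and the near-identical one in post #6) targets three things that are visible in the logs: executables renamed with a space before the extension, a Run key value that points at a DLL, and drivers listed with an empty "[]" where ComboFix could not read the file. As an added defender-side example that is not part of this thread, of ComboFix or of any helper's tooling, the Python below scans log lines copied from this thread for those patterns; the regular expressions are my own reading of the log layout, not an official format.

```python
import re

# Constructed sample: a few lines copied from the ComboFix logs posted in this
# thread (Find3M file listing, Reg Loading Points entries and driver entries).
SAMPLE_LOG = r'''
----a-w 98,304 2008-01-24 14:30:55 C:\Program Files\QuickTime\qttask .exe
----a-w 69,489 2008-01-22 21:52:29 C:\WINDOWS\SYSTEM32\DRIVERS\svchost .exe
----a-w 155,648 2008-01-23 16:16:09 C:\WINDOWS\SYSTEM32\igfxtray.exe
"MSDisp32"="C:\WINDOWS\system32\drvpet.dll" [2008-01-24 13:50 18944]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-24 09:30 155648]
S1 Webp6Fw;Webp6Fw;C:\WINDOWS\system32\drivers\srvmf.sys []
S3 iatmunin;iatmunin;C:\DOCUME~1\Ashley\LOCALS~1\Temp\iatmunin.sys []
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-07-24 17:00]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
'''

# Line shapes as they appear in the logs above (my own reading of the layout,
# not an official ComboFix grammar).
FILE_LINE = re.compile(
    r"^(?P<attr>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+)$")
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]$')
SVC_LINE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$")

# Whitespace immediately before the extension: "qttask .exe" is a different
# file from "qttask.exe"; these are the entries the RenV:: section of the
# CFScript renames back.
SPACED_EXT = re.compile(r"\s\.[A-Za-z0-9]{1,4}$")


def analyse(log_text):
    """Return (reason, path) findings for suspicious entries in ComboFix log text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            path = m.group("path")
            if SPACED_EXT.search(path):
                findings.append(("space before extension (renamed original)", path))
            continue
        m = RUN_LINE.match(line)
        if m:
            path = m.group("path")
            # A Run value normally launches an .exe; a DLL here is being
            # loaded through a stub, as drvpet.dll was in this thread.
            if not path.lower().endswith(".exe"):
                findings.append(("Run key loads a non-executable", path))
            if not m.group("meta").strip():
                findings.append(("Run key target has no file metadata", path))
            continue
        m = SVC_LINE.match(line)
        if m:
            path = m.group("path").strip('"')
            if "\\temp\\" in path.lower():
                findings.append(("driver loaded from a Temp directory", path))
            # ComboFix prints "[]" when it could not stat the file: the driver
            # is registered but the on-disk file is missing or hidden.
            if not m.group("meta").strip():
                findings.append(("driver has no file metadata", path))
    return findings


def summarise(log_text):
    """Group findings by reason so a reviewer sees each pattern at a glance."""
    grouped = {}
    for reason, path in analyse(log_text):
        grouped.setdefault(reason, []).append(path)
    return grouped


if __name__ == "__main__":
    for reason, paths in summarise(SAMPLE_LOG).items():
        print(reason)
        for p in paths:
            print("   ", p)
```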

#5
Ashley Poole
    Member
  • Topic Starter
  • Member
  • 54 posts
Sorry...I had already done the scan, so I was just adding the information thinking it might help you.
So far so good with the pop ups at the bottom...I haven't had any more since the reboot after combofix. =) Is it fixed, or do I have more steps to take??? I want to thank you for your time helping me with this. I really appreciate it! =D
Ok, I did as you said for your last reply, here is the log:

ComboFix 08-01-23.1B - Ashley 2008-01-25 15:03:39.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.50 [GMT -5:00]
Running from: C:\Documents and Settings\Ashley\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\icqmlib.exe
C:\WINDOWS\system32\iepref32.dll
C:\WINDOWS\system32\ierplc.dll
C:\WINDOWS\system32\ips.dll
C:\WINDOWS\system32\lanmandrv.sys
C:\WINDOWS\system32\lanmanwrk.exe
C:\WINDOWS\system32\laprxy.dllexe
C:\WINDOWS\system32\ocxapi.dll
C:\WINDOWS\system32\ocxloader.exe
C:\WINDOWS\system32\qmopt.dll
C:\WINDOWS\SYSTEM32\ztx86.sys
.
---- Previous Run -------
.
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\SYSTEM32\drvpet.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IATMUNIN
-------\LEGACY_WEBP6FW
-------\iatmunin
-------\Webp6Fw




((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-25 09:58 . 2008-01-25 11:20 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-25 09:50 . 2008-01-25 09:50 <DIR> d-------- C:\Program Files\CCleaner
2008-01-24 21:50 . 2008-01-24 21:58 <DIR> d-------- C:\Program Files\YPOPs
2008-01-24 19:52 . 2008-01-24 19:52 4,246 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-01-24 19:29 . 2008-01-24 19:29 <DIR> d-------- C:\VundoFix Backups
2008-01-24 17:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 18:29 . 2008-01-23 18:29 444 --a------ C:\WINDOWS\SYSTEM32\d3d8caps.dat
2008-01-23 16:29 . 2008-01-25 15:17 62,398 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k0
2008-01-23 16:29 . 2008-01-25 15:17 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k7
2008-01-23 16:29 . 2008-01-25 15:17 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k6
2008-01-23 16:29 . 2008-01-25 15:17 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k5
2008-01-23 16:29 . 2008-01-25 15:17 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k4
2008-01-23 16:29 . 2008-01-25 15:17 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k3
2008-01-23 16:29 . 2008-01-25 15:17 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k2
2008-01-23 16:29 . 2008-01-25 15:17 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k1
2008-01-23 14:28 . 2008-01-25 13:03 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-01-23 14:09 . 2007-08-20 13:42 879,784 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetefile.sys
2008-01-23 14:09 . 2007-08-20 13:42 108,312 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\veteboot.sys
2008-01-23 14:09 . 2007-08-20 13:42 99,592 --a------ C:\WINDOWS\SYSTEM32\isafeif.dll
2008-01-23 14:09 . 2007-08-20 13:42 79,424 --a------ C:\WINDOWS\SYSTEM32\vetredir.dll
2008-01-23 14:09 . 2007-08-20 13:42 75,016 --a------ C:\WINDOWS\SYSTEM32\isafprod.dll
2008-01-23 14:09 . 2007-08-20 13:42 32,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys
2008-01-23 14:09 . 2007-08-20 13:42 26,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-filt.sys
2008-01-23 14:09 . 2007-08-20 13:42 21,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetfddnt.sys
2008-01-23 14:09 . 2007-08-20 13:42 21,128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-rec.sys
2008-01-23 14:07 . 2008-01-23 14:07 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-01-23 14:05 . 2008-01-23 14:07 <DIR> d-------- C:\Program Files\CA
2008-01-22 16:51 . 2008-01-23 11:16 155,648 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2008-01-22 16:50 . 2008-01-23 10:14 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon.exe
2008-01-22 16:04 . 2008-01-22 16:06 2 --a------ C:\1894360244
2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 18:44 --------- d-----w C:\Program Files\QuickTime
2008-01-25 18:44 --------- d-----w C:\Program Files\iTunes
2008-01-25 15:41 --------- d-----w C:\Program Files\MSN Messenger
2008-01-24 14:30 15,360 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe
2008-01-23 20:49 --------- d-----w C:\Program Files\Zonate11
2008-01-23 17:24 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\msconfig.exe.tmp
2008-01-23 15:14 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\MSConfig.exe
2007-12-16 16:13 --------- d-----w C:\Program Files\Shareaza
2007-12-05 19:23 --------- d-----w C:\Program Files\Yahoo!
2007-12-05 19:09 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
2007-11-04 18:19 278,528 ----a-w C:\WINDOWS\SYSTEM32\livesnth.dll
2007-11-04 18:19 203,776 ----a-w C:\WINDOWS\SYSTEM32\clrviddc.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
.
<pre>
----a-w			98,304 2008-01-24 14:30:55  C:\Program Files\QuickTime\qttask	  .exe
----a-w			98,304 2008-01-23 17:24:12  C:\Program Files\QuickTime\qttask	 .exe
----a-w			98,304 2008-01-23 17:24:13  C:\Program Files\QuickTime\qttask	.exe
----a-w			98,304 2008-01-23 17:24:13  C:\Program Files\QuickTime\qttask   .exe
----a-w			98,304 2008-01-23 17:24:14  C:\Program Files\QuickTime\qttask  .exe
----a-w		 4,662,776 2008-01-23 16:16:30  C:\Program Files\Yahoo!\Messenger\YAHOOM~1   .EXE
----a-w		 4,662,776 2008-01-23 17:24:24  C:\Program Files\Yahoo!\Messenger\YAHOOM~1  .EXE
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-25_11.38.59.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-16 03:12:38 312,680 ----a-w C:\WINDOWS\Downloaded Program Files\avsniff.dll
+ 2008-01-16 03:12:40 255,336 ----a-w C:\WINDOWS\Downloaded Program Files\avsniffdlgs.dll
+ 2008-01-16 03:02:44 42,112 ----a-w C:\WINDOWS\Downloaded Program Files\ecmldr32.dll
+ 2008-01-23 06:00:00 284,016 ----a-w C:\WINDOWS\Downloaded Program Files\ecmsvr32.dll
+ 2008-01-16 03:02:58 201,896 ----a-w C:\WINDOWS\Downloaded Program Files\navapi32.dll
+ 2008-01-23 06:00:00 128,368 ----a-w C:\WINDOWS\Downloaded Program Files\naveng32.dll
+ 2008-01-23 06:00:00 943,472 ----a-w C:\WINDOWS\Downloaded Program Files\navex32a.dll
+ 2008-01-16 03:12:48 296,336 ----a-w C:\WINDOWS\Downloaded Program Files\rufsi.dll
+ 2008-01-23 06:00:00 97,776 ----a-w C:\WINDOWS\Downloaded Program Files\scrauth.dat
+ 2008-01-23 06:00:00 403,360 ----a-w C:\WINDOWS\Downloaded Program Files\tcdefs.dat
+ 2008-01-23 06:00:00 2,666,609 ----a-w C:\WINDOWS\Downloaded Program Files\tcscan7.dat
+ 2008-01-23 06:00:00 440,643 ----a-w C:\WINDOWS\Downloaded Program Files\tcscan8.dat
+ 2008-01-23 06:00:00 1,025,485 ----a-w C:\WINDOWS\Downloaded Program Files\tcscan9.dat
+ 2008-01-23 06:00:00 68,399 ----a-w C:\WINDOWS\Downloaded Program Files\tscan1.dat
+ 2008-01-23 06:00:00 3,294 ----a-w C:\WINDOWS\Downloaded Program Files\tscan1hd.dat
+ 2008-01-23 06:00:00 998,515 ----a-w C:\WINDOWS\Downloaded Program Files\virscan1.dat
+ 2008-01-23 06:00:00 570,966 ----a-w C:\WINDOWS\Downloaded Program Files\virscan2.dat
+ 2008-01-23 06:00:00 151,148 ----a-w C:\WINDOWS\Downloaded Program Files\virscan3.dat
+ 2008-01-23 06:00:00 320,253 ----a-w C:\WINDOWS\Downloaded Program Files\virscan4.dat
+ 2008-01-23 06:00:00 5,918,237 ----a-w C:\WINDOWS\Downloaded Program Files\virscan5.dat
+ 2008-01-23 06:00:00 392,748 ----a-w C:\WINDOWS\Downloaded Program Files\virscan6.dat
+ 2008-01-23 06:00:00 20,633,896 ----a-w C:\WINDOWS\Downloaded Program Files\virscan7.dat
+ 2008-01-23 06:00:00 1,926,766 ----a-w C:\WINDOWS\Downloaded Program Files\virscan8.dat
+ 2008-01-23 06:00:00 5,574,507 ----a-w C:\WINDOWS\Downloaded Program Files\virscan9.dat
- 2008-01-24 22:58:07 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-25 18:43:10 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-24 22:58:08 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-25 18:43:10 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-24 22:58:08 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-25 18:43:10 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-24 22:58:08 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-25 18:43:10 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-24 22:58:09 8,519,680 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-25 18:43:11 8,519,680 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-24 22:58:09 204,800 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-25 18:43:11 204,800 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2007-10-16 05:06:25 167,936 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2008-01-25 18:38:55 167,936 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2007-10-16 05:06:25 81,920 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2008-01-25 18:38:56 81,920 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
- 2007-10-16 05:06:25 34,304 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-01-25 18:38:55 34,304 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2007-10-16 05:06:25 8,192 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-01-25 18:38:56 8,192 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2007-10-16 05:06:25 3,584 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-01-25 18:38:56 3,584 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2007-10-16 05:06:25 114,688 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-01-25 18:38:56 114,688 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2007-10-16 05:06:25 16,384 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-01-25 18:38:55 16,384 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2007-10-16 05:06:25 30,720 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2008-01-25 18:38:55 30,720 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2007-10-16 05:06:25 22,528 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-01-25 18:38:57 22,528 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2007-10-16 05:06:25 45,056 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-01-25 18:38:55 45,056 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2007-10-16 05:06:25 90,112 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-01-25 18:38:55 90,112 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2008-01-24 14:30:56 122,939 ----a-w C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
+ 2008-01-23 16:16:15 122,939 ----a-w C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
+ 2008-01-25 20:18:28 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_520.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-23 10:14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-23 11:16 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-23 11:16 132496]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-23 11:16 286720]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2008-01-23 11:16 221184]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-23 11:16 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2008-01-23 11:16 122939]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-01-24 09:30 177416]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2008-01-24 09:30 14088]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-01-24 09:30 230664]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-01-24 09:30 1193224]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-01-24 09:30 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-01-24 09:30 253952]
"MSDisp32"="C:\WINDOWS\system32\drvpet.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-01-24 09:30 5562368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32set]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\SYSTEM32\UmxWNP.dll

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-07-24 17:00]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 14:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 14:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-07-24 17:00]
R2 dvdmmg;dvdmmg;C:\WINDOWS\system32\drivers\dvdmmg.sys [2007-09-06 05:15]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-07-24 17:00]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-05-18 14:30]
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-07-24 17:00]
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-07-24 17:37]
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 14:30]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-05-18 14:30]
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2007-08-16 21:10]
S1 ztx86;ztx86;C:\WINDOWS\system32\ztx86.sys []
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 05:00]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 00:11:15 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Ashley at 2 08 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 15:40:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-25 15:54:25 - machine was rebooted [Ashley]
ComboFix-quarantined-files.txt 2008-01-25 20:53:35
ComboFix2.txt 2008-01-25 16:40:24
.
2008-01-25 02:52:40 --- E O F ---

#6
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
We are nearly done

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE

Driver::
ztx86

RenV::
----a-w 98,304 2008-01-24 14:30:55 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-01-23 17:24:12 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-01-23 17:24:13 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-01-23 17:24:13 C:\Program Files\QuickTime\qttask .exe
----a-w 98,304 2008-01-23 17:24:14 C:\Program Files\QuickTime\qttask .exe
----a-w 4,662,776 2008-01-23 16:16:30 C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
----a-w 4,662,776 2008-01-23 17:24:24 C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE


Save this as CFScript.txt, in the same location as ComboFix.exe.


Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt".

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Edited by Rorschach112, 25 January 2008 - 03:40 PM.

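The RenV:: entries in the script above are files whose names carry whitespace between the stem and the extension ("qttask .exe"), so in Task Manager or Explorer they read like the legitimate QuickTime or Yahoo! binary while being separate files on disk. As an added example (my code, not the thread's and not part of ComboFix), the Python below parses ComboFix-style file-listing lines, flags that padded-extension pattern, reports the name each copy imitates and counts the copies per name. The listing it runs on is constructed to mirror the entries in this post, and the line layout the regex expects (attributes, size, date, time, path) is an assumption drawn from those entries, not a specification of ComboFix's format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the ComboFix-style file-listing layout
# (attributes, size, date, time, path), modelled on the RenV:: entries
# quoted in the thread. It is not the thread's own log.
SAMPLE_LISTING = """\
----a-w 98,304 2008-01-24 14:30:55 C:\\Program Files\\QuickTime\\qttask .exe
----a-w 98,304 2008-01-23 17:24:12 C:\\Program Files\\QuickTime\\qttask  .exe
----a-w 98,304 2008-01-23 17:24:13 C:\\Program Files\\QuickTime\\qttask   .exe
----a-w 4,662,776 2008-01-23 16:16:30 C:\\Program Files\\Yahoo!\\Messenger\\YAHOOM~1 .EXE
----a-w 98,304 2008-01-23 17:24:13 C:\\Program Files\\QuickTime\\qttask.exe
----a-w 15,360 2008-01-23 10:14:00 C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Assumed layout: 7 attribute chars, size with thousands separators,
# date, time, then the path (which may itself contain spaces).
LINE_RE = re.compile(
    r"^(?P<attrs>[-\w]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)
# Whitespace sitting directly in front of the final extension dot.
PADDED_EXT_RE = re.compile(r"\s+(?=\.[^.\\\s]+$)")


@dataclass
class Finding:
    path: str          # path exactly as listed (padding preserved)
    canonical: str     # basename with the padding removed
    pad_width: int     # number of whitespace characters before the extension
    size: int


def parse_listing(listing: str) -> List[dict]:
    """Parse 'attrs size date time path' lines into dicts; skip anything else."""
    rows = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, separators, blank lines
        row = m.groupdict()
        row["size"] = int(row["size"].replace(",", ""))
        rows.append(row)
    return rows


def find_padded_extensions(listing: str) -> List[Finding]:
    """Flag filenames whose extension is separated from the stem by whitespace.

    'qttask .exe' and 'qttask.exe' are different files, but most UIs render
    them identically, which is what makes the padded copy worth a look.
    """
    findings = []
    for row in parse_listing(listing):
        basename = row["path"].rsplit("\\", 1)[-1]
        m = PADDED_EXT_RE.search(basename)
        if not m:
            continue
        canonical = basename[:m.start()] + basename[m.end():]
        findings.append(Finding(row["path"], canonical, m.end() - m.start(), row["size"]))
    return findings


def count_lookalikes(findings: List[Finding]) -> Dict[str, int]:
    """Number of padded copies per canonical (case-folded) name."""
    counts: Dict[str, int] = {}
    for f in findings:
        key = f.canonical.lower()
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_padded_extensions(SAMPLE_LISTING)
    for h in hits:
        print(f"{h.pad_width} space(s) before extension: {h.path!r} (imitates {h.canonical})")
    print(count_lookalikes(hits))
```

The same check can be pointed at a real ComboFix log by passing the file contents in place of SAMPLE_LISTING; lines that do not fit the listing layout are skipped rather than mis-parsed.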

#7 Ashley Poole (Member)
  • Topic Starter
  • 54 posts
Ok, DONE IT! Here it is: =)


ComboFix 08-01-23.1B - Ashley 2008-01-25 19:24:32.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.61 [GMT -5:00]
Running from: C:\Documents and Settings\Ashley\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ashley\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE

#8 Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Need to see all of the log, please.

#9 Ashley Poole (Member)
  • Topic Starter
  • 54 posts
That was all of the log. I did Edit > Select All, then copied and pasted it. I just double-checked to be sure. What should I do now? Run the program again???

#10 Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Yes, run the program again and post the log.

#11 Ashley Poole (Member)
  • Topic Starter
  • 54 posts
I ran the program again, with the same results... I don't know what's going on. I'll try again.

#12 Ashley Poole (Member)
  • Topic Starter
  • 54 posts
THIS IS WHAT IT SAYS NOW:


ComboFix 08-01-23.1B - Ashley 2008-01-26 8:44:27.7 - NTFSx86
Running from: C:\Documents and Settings\Ashley\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

#13 Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Very strange.

Try this:

Delete ComboFix.exe and the folder C:\qoobox.

Then re-download it and run it again.


If it fails, then do this:

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run, as it is not malicious.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt; please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#14 Ashley Poole (Member)
  • Topic Starter
  • 54 posts
While attempting to find ComboFix.exe online, I found this: [it says ComboFix will delete all files from the system drive]

http://icrontic.com/...ead.php?t=54508

I will do what you said anyway, but that posting made me very nervous.

#15 Ashley Poole (Member)
  • Topic Starter
  • 54 posts
ComboFix 08-01-23.1C - Ashley 2008-01-27 8:35:11.8 - NTFSx86
Running from: C:\Documents and Settings\Ashley\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-25 09:58 . 2008-01-25 11:20 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-25 09:50 . 2008-01-25 09:50 <DIR> d-------- C:\Program Files\CCleaner
2008-01-24 21:50 . 2008-01-24 21:58 <DIR> d-------- C:\Program Files\YPOPs
2008-01-24 19:52 . 2008-01-24 19:52 4,246 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-01-24 19:29 . 2008-01-24 19:29 <DIR> d-------- C:\VundoFix Backups
2008-01-24 17:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 18:29 . 2008-01-23 18:29 444 --a------ C:\WINDOWS\SYSTEM32\d3d8caps.dat
2008-01-23 16:29 . 2008-01-26 09:15 62,398 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k0
2008-01-23 16:29 . 2008-01-26 09:15 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k7
2008-01-23 16:29 . 2008-01-26 09:15 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k6
2008-01-23 16:29 . 2008-01-26 09:15 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k5
2008-01-23 16:29 . 2008-01-26 09:15 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k4
2008-01-23 16:29 . 2008-01-26 09:15 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k3
2008-01-23 16:29 . 2008-01-26 09:15 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k2
2008-01-23 16:29 . 2008-01-26 09:15 64 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kmxcfg.u2k1
2008-01-23 14:28 . 2008-01-26 08:31 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-01-23 14:09 . 2007-08-20 13:42 879,784 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetefile.sys
2008-01-23 14:09 . 2007-08-20 13:42 108,312 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\veteboot.sys
2008-01-23 14:09 . 2007-08-20 13:42 99,592 --a------ C:\WINDOWS\SYSTEM32\isafeif.dll
2008-01-23 14:09 . 2007-08-20 13:42 79,424 --a------ C:\WINDOWS\SYSTEM32\vetredir.dll
2008-01-23 14:09 . 2007-08-20 13:42 75,016 --a------ C:\WINDOWS\SYSTEM32\isafprod.dll
2008-01-23 14:09 . 2007-08-20 13:42 32,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys
2008-01-23 14:09 . 2007-08-20 13:42 26,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-filt.sys
2008-01-23 14:09 . 2007-08-20 13:42 21,512 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetfddnt.sys
2008-01-23 14:09 . 2007-08-20 13:42 21,128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-rec.sys
2008-01-23 14:07 . 2008-01-23 14:07 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-01-23 14:05 . 2008-01-23 14:07 <DIR> d-------- C:\Program Files\CA
2008-01-22 16:51 . 2008-01-23 11:16 155,648 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2008-01-22 16:50 . 2008-01-23 10:14 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon.exe
2008-01-22 16:04 . 2008-01-22 16:06 2 --a------ C:\1894360244
2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 18:44 --------- d-----w C:\Program Files\QuickTime
2008-01-25 18:44 --------- d-----w C:\Program Files\iTunes
2008-01-25 15:41 --------- d-----w C:\Program Files\MSN Messenger
2008-01-24 14:30 15,360 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe
2008-01-23 20:49 --------- d-----w C:\Program Files\Zonate11
2008-01-23 17:24 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\msconfig.exe.tmp
2008-01-23 15:14 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\MSConfig.exe
2007-12-16 16:13 --------- d-----w C:\Program Files\Shareaza
2007-12-05 19:23 --------- d-----w C:\Program Files\Yahoo!
2007-12-05 19:09 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
2007-11-04 18:19 278,528 ----a-w C:\WINDOWS\SYSTEM32\livesnth.dll
2007-11-04 18:19 203,776 ----a-w C:\WINDOWS\SYSTEM32\clrviddc.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
.
<pre>
----a-w			98,304 2008-01-24 14:30:55  C:\Program Files\QuickTime\qttask	  .exe
----a-w			98,304 2008-01-23 17:24:12  C:\Program Files\QuickTime\qttask	 .exe
----a-w			98,304 2008-01-23 17:24:13  C:\Program Files\QuickTime\qttask	.exe
----a-w			98,304 2008-01-23 17:24:13  C:\Program Files\QuickTime\qttask   .exe
----a-w			98,304 2008-01-23 17:24:14  C:\Program Files\QuickTime\qttask  .exe
----a-w		 4,662,776 2008-01-23 16:16:30  C:\Program Files\Yahoo!\Messenger\YAHOOM~1   .EXE
----a-w		 4,662,776 2008-01-23 17:24:24  C:\Program Files\Yahoo!\Messenger\YAHOOM~1  .EXE
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-23 10:14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-23 11:16 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-23 11:16 132496]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-23 11:16 286720]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2008-01-23 11:16 221184]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-23 11:16 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2008-01-23 11:16 122939]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-01-24 09:30 177416]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2008-01-24 09:30 14088]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-01-24 09:30 230664]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-01-24 09:30 1193224]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-01-24 09:30 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-01-24 09:30 253952]
"MSDisp32"="C:\WINDOWS\system32\drvpet.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-01-24 09:30 5562368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32set]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\SYSTEM32\UmxWNP.dll

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-07-24 17:00]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 14:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 14:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-07-24 17:00]
R2 dvdmmg;dvdmmg;C:\WINDOWS\system32\drivers\dvdmmg.sys [2007-09-06 05:15]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-07-24 17:00]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-05-18 14:30]
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-07-24 17:00]
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-07-24 17:37]
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 14:30]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-05-18 14:30]
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2007-08-16 21:10]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 05:00]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 00:11:15 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Ashley at 2 08 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 08:46:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 8:51:06
.
2008-01-25 02:52:40 --- E O F ---