Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Hijack log- comp. is infected...tons of popups

Started by jcato , Jan 25 2008 05:01 PM

  • This topic is locked This topic is locked

#1
jcato
Posted 25 January 2008 - 05:01 PM

jcato

    Member

  • Member
  • PipPip
  • 62 posts
Hi, can you please look at my hijack log- i can't get rid of a ton of popups and errors...and running really slow. Thanks

Jcato


Logfile of HijackThis v1.99.1
Scan saved at 2:55:44 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\inf\svchosts.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\eyalaxfk.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\DRWATSON\Desktop\HijackThis.exe

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://bellerock.mi...lay/FlashAX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...ploader_v10.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\eyalaxfk.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  • 0

Advertisements

#2
kahdah
Posted 25 January 2008 - 06:40 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello jcato

Welcome to G2Go. :)
===================
The first thing I will need you to do is to Download this anti-virus program and install it.
This is free.
AVG free
=========================================================
Please download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Edited by kahdah, 25 January 2008 - 06:53 PM.

  • 0

#3
jcato
Posted 26 January 2008 - 03:07 AM

jcato

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Thanks. Here our my logs....


ComboFix 08-01-23.1C - Jason 2008-01-26 0:36:13.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.94 [GMT -8:00]
Running from: C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\8X670XQF\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\Jason\Application Data\SCURIT~1
C:\Documents and Settings\Jason\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\Jason\Application Data\WinAntiSpyware 2007\Logs\update.log
C:\Documents and Settings\Jason\err.log
C:\Program Files\Common Files\mcroso~1.net
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Insider
C:\Program Files\Insider\Insider.exe
C:\Program Files\Insider\UnInstall.exe
C:\Program Files\My Documents\ECURIT~1
C:\Program Files\My Documents\MCROSO~1
C:\Program Files\Temporary
C:\Program Files\WinAble
C:\WA6P
C:\WINDOWS\b147.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N99M2908NetInstaller.exe
C:\WINDOWS\FONTS\acrsecB.fon
C:\WINDOWS\FONTS\acrsecI.fon
C:\WINDOWS\mwinsys.ini
C:\WINDOWS\notedad.exe
C:\WINDOWS\System\AlxRes071109.exe
C:\WINDOWS\SYSTEM32\aasmelfr.ini
C:\WINDOWS\system32\adibfsei.dll
C:\WINDOWS\system32\agopvgdx.dll
C:\WINDOWS\system32\aitoiwju.dll
C:\WINDOWS\SYSTEM32\aqfjgfye.ini
C:\WINDOWS\system32\auto.exe
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\SYSTEM32\bfpwnbys.ini
C:\WINDOWS\system32\cbxurpo.dll
C:\WINDOWS\system32\cujjptau.dll
C:\WINDOWS\SYSTEM32\dllmylgm.ini
C:\WINDOWS\system32\dmyhvnmy.dll
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\SYSTEM32\dwhwregl.ini
C:\WINDOWS\SYSTEM32\dwhwregl.ini2
C:\WINDOWS\SYSTEM32\ecrtbxox.ini
C:\WINDOWS\system32\edlbeqel.dll
C:\WINDOWS\system32\ejfiflav.dll
C:\WINDOWS\system32\eooribyy.dll
C:\WINDOWS\system32\epyelauu.dll
C:\WINDOWS\system32\etfxhaci.dll
C:\WINDOWS\system32\eudswsrs.dll
C:\windows\system32\explorer.exe
C:\WINDOWS\system32\eyalaxfk.exe
C:\WINDOWS\system32\eyfgjfqa.dll
C:\WINDOWS\SYSTEM32\fagmgeky.ini
C:\WINDOWS\SYSTEM32\feeaamet.ini
C:\WINDOWS\SYSTEM32\fehjl.ini
C:\WINDOWS\SYSTEM32\fehjl.ini2
C:\WINDOWS\system32\fohwoybq.dll
C:\WINDOWS\system32\fpfnmhkk.dll
C:\WINDOWS\system32\fthcikxv.dll
C:\WINDOWS\system32\G1
C:\WINDOWS\system32\G11
C:\WINDOWS\system32\G3
C:\WINDOWS\system32\G3\wr725.exe
C:\WINDOWS\system32\G7
C:\WINDOWS\system32\G9
C:\WINDOWS\SYSTEM32\gijwdwqh.ini
C:\WINDOWS\system32\hggdayw.dll
C:\WINDOWS\system32\hqwdwjig.dll
C:\WINDOWS\SYSTEM32\icahxfte.ini
C:\WINDOWS\SYSTEM32\iesfbida.ini
C:\WINDOWS\system32\iliaoghu.dll
C:\WINDOWS\system32\inf\scrsys071109.scr
C:\WINDOWS\system32\inf\scrsys080122.scr
C:\WINDOWS\system32\inf\scrsys16_071109.dll
C:\WINDOWS\system32\inf\scrsys16_080122.dll
C:\WINDOWS\system32\inf\svchost.exe
C:\WINDOWS\SYSTEM32\jgcuniys.ini
C:\WINDOWS\system32\jhumwtgn.dll
C:\WINDOWS\system32\k1
C:\WINDOWS\system32\k1\IKtzudll2.exe
C:\WINDOWS\system32\katzppd.exe
C:\WINDOWS\system32\khfdbbc.dll
C:\WINDOWS\system32\khffcde.dll
C:\WINDOWS\SYSTEM32\leqeblde.ini
C:\WINDOWS\system32\lgerwhwd.dll
C:\WINDOWS\SYSTEM32\lklnn.bak1
C:\WINDOWS\SYSTEM32\lklnn.bak2
C:\WINDOWS\SYSTEM32\lklnn.ini
C:\WINDOWS\system32\lwisys16_080122.dll
C:\WINDOWS\system32\mglymlld.dll
C:\WINDOWS\SYSTEM32\mhuqxakw.ini
C:\WINDOWS\SYSTEM32\mmfgrcrs.ini
C:\WINDOWS\system32\mp43.exe
C:\WINDOWS\system32\mywebhit.ini
C:\WINDOWS\SYSTEM32\ngtwmuhj.ini
C:\WINDOWS\SYSTEM32\nmoqr.ini
C:\WINDOWS\SYSTEM32\nmoqr.ini2
C:\WINDOWS\system32\nnlkl.dll
C:\WINDOWS\system32\nxqwcbyy.dll
C:\WINDOWS\system32\oiwwxumo.exe
C:\WINDOWS\system32\okaastqo.dll
C:\WINDOWS\SYSTEM32\oqtsaako.ini
C:\WINDOWS\system32\ovnffsbp.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\SYSTEM32\pbsffnvo.ini
C:\WINDOWS\system32\pmnljjh.dll
C:\WINDOWS\system32\qacxpmyx.dll
C:\WINDOWS\system32\qvijrrot.dll
C:\WINDOWS\system32\rflemsaa.dll
C:\WINDOWS\SYSTEM32\rstwa.ini
C:\WINDOWS\SYSTEM32\rstwa.ini2
C:\WINDOWS\system32\srcrgfmm.dll
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\sybnwpfb.dll
C:\WINDOWS\system32\syinucgj.dll
C:\WINDOWS\system32\temaaeef.dll
C:\WINDOWS\SYSTEM32\torrjivq.ini
C:\WINDOWS\SYSTEM32\ujwiotia.ini
C:\WINDOWS\system32\ulrcvnwq.dll
C:\WINDOWS\system32\urqnlki.dll
C:\WINDOWS\system32\urqrqpn.dll
C:\WINDOWS\system32\vmmhcpap.dll
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\vMW02a\vMW02a1065.exe
C:\WINDOWS\system32\vtuuusp.dll
C:\WINDOWS\SYSTEM32\vwvyb.ini2
C:\WINDOWS\SYSTEM32\vxkichtf.ini
C:\WINDOWS\system32\win
C:\WINDOWS\system32\windows.scr
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\winsys16_071109.dll
C:\WINDOWS\system32\winsys32_071109.dll
C:\WINDOWS\system32\wkaxquhm.dll
C:\WINDOWS\system32\wtyxvukx.dll
C:\WINDOWS\SYSTEM32\xdgvpoga.ini
C:\WINDOWS\SYSTEM32\xkuvxytw.ini
C:\WINDOWS\system32\xoxbtrce.dll
C:\WINDOWS\system32\xyutwuig.dll
C:\WINDOWS\system32\yayvvuu.dll
C:\WINDOWS\system32\ykegmgaf.dll
C:\WINDOWS\system32\ymtfwjsv.dll
C:\WINDOWS\system32\ywysrnni.dll
C:\WINDOWS\SYSTEM32\yybcwqxn.ini
C:\WINDOWS\SYSTEM32\yybirooe.ini
C:\WINDOWS\system32\z8
C:\WINDOWS\system32\z8\srwv12drll.exe
C:\WINDOWS\tsitra1000106.exe
C:\WINDOWS\tsitra11.exe
C:\WINDOWS\tsitra572.exe
C:\WINDOWS\WebAssist.dll
C:\WINDOWS\wr.txt

----- BITS: Possible infected sites -----

hxxp://resources.secureonlinegaming.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_MSUPDATE
-------\LEGACY_NETWORK_MONITOR
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-26 00:32 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 04:11 . 2008-01-24 04:18 6,724 --a------ C:\WINDOWS\SYSTEM32\mywehit.ini.tmp
2008-01-24 04:09 . 2008-01-24 04:10 211,456 --a------ C:\WINDOWS\SYSTEM32\mwisys32_080122.dll
2008-01-24 04:09 . 2008-01-24 04:09 113,008 --a------ C:\WINDOWS\SYSTEM\sslxpes080122.exe
2008-01-21 21:09 . 2008-01-21 21:09 <DIR> d-------- C:\Program Files\iPod
2008-01-21 21:08 . 2008-01-21 21:08 <DIR> d-------- C:\Program Files\iTunes
2008-01-21 01:27 . 2008-01-24 04:08 211,456 --------- C:\WINDOWS\SYSTEM32\mwisys32_080120.dll
2008-01-20 14:31 . 2008-01-21 01:02 1,071,406 ---hs---- C:\WINDOWS\SYSTEM32\wknoraob.ini
2008-01-18 10:57 . 2008-01-19 00:54 1,073,301 ---hs---- C:\WINDOWS\SYSTEM32\xnfnytpx.ini
2008-01-15 20:06 . 2008-01-21 01:01 321 ---hs---- C:\WINDOWS\SYSTEM32\xyxbc.ini
2008-01-15 01:11 . 2008-01-15 17:55 334,704 ---hs---- C:\WINDOWS\SYSTEM32\ortwa.ini
2008-01-14 17:13 . 2008-01-14 17:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\URTTemp
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts
2008-01-06 17:30 . 2008-01-06 17:30 503 --a------ C:\office.lnk
2008-01-06 11:26 . 2008-01-10 21:33 321 ---hs---- C:\WINDOWS\SYSTEM32\orutv.ini
2008-01-03 17:22 . 2008-01-03 21:44 1,038,424 ---hs---- C:\WINDOWS\SYSTEM32\ilasjjyl.ini
2008-01-02 12:20 . 2008-01-02 17:15 1,031,458 ---hs---- C:\WINDOWS\SYSTEM32\ucpplgbt.ini
2007-12-30 21:08 . 2007-12-30 21:08 <DIR> d--hs---- C:\FOUND.028
2007-12-30 10:25 . 2007-12-30 20:22 1,031,517 ---hs---- C:\WINDOWS\SYSTEM32\bddtgjox.ini
2007-12-29 00:34 . 2008-01-04 17:22 6,627 ---hs---- C:\WINDOWS\SYSTEM32\ruvut.ini
2007-12-29 00:08 . 2007-12-29 00:08 <DIR> d-------- C:\Program Files\ConnectToCasino
2007-12-28 22:19 . 2007-12-29 22:20 1,031,379 ---hs---- C:\WINDOWS\SYSTEM32\khbevdaf.ini
2007-12-28 19:55 . 2007-12-28 22:19 1,031,199 ---hs---- C:\WINDOWS\SYSTEM32\tpjeurme.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-25 20:48 --------- d-----w C:\Program Files\LimeWire
2007-12-25 20:10 --------- d-----w C:\Program Files\Apple Software Update
2007-12-25 20:08 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-23 00:58 --------- d-----w C:\Program Files\Casino Share Flash Casino
2007-12-20 02:18 --------- d-----w C:\Program Files\BetRoyal Casino
2007-12-18 07:27 --------- d-----w C:\Program Files\Prism Casino
2007-12-16 06:37 --------- d-----w C:\Program Files\Virtual Casino
2007-12-16 00:52 --------- d-----w C:\Program Files\Millionaire Casino
2007-12-13 06:57 --------- d-----w C:\Program Files\Shark Casino
2007-12-11 06:23 --------- d-----w C:\Program Files\Slots of Vegas
2007-12-10 00:43 --------- d-----w C:\Program Files\MayanFortune
2007-12-09 02:51 --------- d-----w C:\Program Files\Golden Riviera Guest Play Flash Casino
2007-12-08 23:54 22,016 --sh--r C:\WINDOWS\SYSTEM32\wcheck.dll
2007-12-08 07:23 --------- d-----w C:\Program Files\Cirrus Casino
2007-12-05 07:10 28,168 --sh--r C:\WINDOWS\SYSTEM32\wincheck071204.exe
2007-12-05 07:10 27,136 --sh--r C:\WINDOWS\SYSTEM32\wincheck071204.dll
2007-12-05 02:30 --------- d-----w C:\Program Files\Common Files\Totem Shared
2007-11-27 22:19 28,052 --sh--r C:\WINDOWS\SYSTEM32\wincheck071128.exe
2007-11-27 22:19 27,136 --sh--r C:\WINDOWS\SYSTEM32\wincheck071128.dll
2007-11-27 06:08 --------- d-----w C:\Program Files\Paradise8
2007-11-25 20:56 204,800 ------w C:\WINDOWS\SYSTEM32\mwisys32_071124.dll
2007-11-10 08:23 3,072 ----a-w C:\WINDOWS\SYSTEM32\ SOUNDMAN.EXE
2002-11-09 21:50 128,975 ----a-w C:\Program Files\winmail.dat
2002-11-03 22:04 232,638 ----a-w C:\Program Files\42acplug_setup.exe
2001-06-21 23:06 271 --sh--w C:\Program Files\desktop.ini
2001-06-21 23:06 23,357 ---h--w C:\Program Files\folder.htt
2002-08-23 02:18 8 --sh--w C:\WINDOWS\DRM\pdrm.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 102,400 2002-06-10 22:21:32 C:\Program Files\Common Files\Logitech\QCDriver\bak\LVCOMS.EXE
----a-w 102,400 2002-06-10 22:21:32 C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

----a-w 45,056 2002-06-20 20:25:56 C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe
----a-w 45,056 2002-06-20 20:25:56 C:\Program Files\Logitech\ImageStudio\LogiTray.exe

----a-w 4,662,776 2006-10-25 00:10:18 C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe
----a-w 4,670,968 2007-03-27 23:22:56 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

----a-w 282,624 2006-12-16 02:24:38 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 385,024 2008-01-10 23:27:36 C:\Program Files\QuickTime\QTTask.exe

----a-w 311,350 2000-08-08 21:00:00 C:\Program Files\Microsoft Works\bak\WksSb.exe
----a-w 311,350 2000-08-08 21:00:00 C:\Program Files\Microsoft Works\WksSb.exe

----a-r 307,200 2005-10-24 23:53:40 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

----a-w 1,310,720 2007-01-22 07:14:20 C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe

----a-w 75,520 2006-12-15 11:23:28 C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22 4670968]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43 7630848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-08-08 13:00:00 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"MyUserinit"= C:\WINDOWS\system32\inf\svchosts.exe C:\WINDOWS\system32\lwisys16_080122.dll start

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"mscheck"= rundll32.exe C:\WINDOWS\system32\wincheck071204.dll mymain

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LDM"=\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"AtiPTA"=Atiptaxx.exe
"SVAPlayer"=C:\Program Files\SVA Player\SVAPLAYER.EXE
"NVQuickTweak"=RUNDLL32.EXE NVQTWK.DLL,NvTaskbarInit
"Uninstall0001"="C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.virtuagay.com!StatsVirtuaGuy
"Uninstall0002"="C:\Program Files\Common Files\Totem Shared\Uninstall0002\upd.exe" LASTCALL!adverts.virtuagay.com!StatsVirtuaGuy
"MediaLoads Installer"="C:\Program Files\DownloadWare\dw.exe" /H

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 04:00]
R3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\RTL8150.SYS [2006-05-10 15:22]
S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 13:58]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-06-10 14:16]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 07:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2008-01-26 03:08:20 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
"2008-01-23 09:00:28 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"
- C:\WINDOWS\DEFRAG.EXE
"2008-01-01 08:30:02 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"
- C:\WINDOWS\CLEANMGR.EXE
"2005-02-05 18:58:30 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2008-01-26 09:00:02 C:\WINDOWS\Tasks\AB2A19A791119333.job"
- c:\docume~1\jason\applic~1\01acid~1\Movesafeaxis.exe
"2008-01-20 02:11:24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 00:59:32
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Program Files\AOL Games
C:\Program Files\GameHouse
C:\Program Files\PopCap Games
C:\Program Files\Raptisoft
C:\Program Files\SuperiorCasino
C:\Program Files\Vegas Strip
C:\Program Files\Orchid Online
C:\Program Files\Bonjour
C:\Program Files\Paradise8
C:\Program Files\Cirrus Casino
C:\Program Files\Golden Riviera Guest Play Flash Casino
C:\Program Files\MayanFortune
C:\Program Files\Slots of Vegas
C:\Program Files\Shark Casino
C:\Program Files\Millionaire Casino
C:\Program Files\Virtual Casino
C:\Program Files\Prism Casino
C:\Program Files\BetRoyal Casino
C:\Program Files\Casino Share Flash Casino
C:\Program Files\Apple Software Update
C:\Program Files\LimeWire
C:\Program Files\ConnectToCasino
C:\Program Files\iTunes
C:\Program Files\iPod
C:\WINDOWS\system32wcheck.dll 32768 bytes
C:\WINDOWS\system32jganxqla.ini 720896 bytes
C:\WINDOWS\system32umcibaff.ini 491520 bytes
C:\WINDOWS\system32khtnokbw.dll 98304 bytes
C:\WINDOWS\system32mwisys32_080120.dll 229376 bytes
C:\WINDOWS\system32mwisys32_080122.dll 229376 bytes
C:\WINDOWS\system32suusjcxg.dll 98304 bytes
C:\WINDOWS\system32unimdmat.dll 98304 bytes
C:\WINDOWS\system32unimdm.tsp 229376 bytes
C:\WINDOWS\system32umpnpmgr.dll 131072 bytes
C:\WINDOWS\system32umandlg.dll 65536 bytes
C:\WINDOWS\system32tracert.exe 32768 bytes
C:\WINDOWS\system32termsrv.dll 327680 bytes
C:\WINDOWS\system32termmgr.dll 360448 bytes
C:\WINDOWS\system32tcpmib.dll 32768 bytes
C:\WINDOWS\system32tapi32.dll 196608 bytes
C:\WINDOWS\system32tapi3.dll 884736 bytes
C:\WINDOWS\system32svchost.exe 32768 bytes
C:\WINDOWS\system32strmdll.dll 262144 bytes
C:\WINDOWS\system32stimon.exe 32768 bytes
C:\WINDOWS\system32sstext3d.scr 688128 bytes
C:\WINDOWS\system32ssdpapi.dll 65536 bytes
C:\WINDOWS\system32ssbezier.scr 32768 bytes
C:\WINDOWS\system32srrstr.dll 262144 bytes
C:\WINDOWS\system32sqlsrv32.rll 98304 bytes
C:\WINDOWS\system32sqlsrv32.dll 458752 bytes
C:\WINDOWS\system32spoolsv.exe 65536 bytes
C:\WINDOWS\system32spoolss.dll 98304 bytes
C:\WINDOWS\system32spider.exe 557056 bytes
C:\WINDOWS\system32skeys.exe 32768 bytes
C:\WINDOWS\system32shscrap.dll 32768 bytes
C:\WINDOWS\system32LTIMG12n.DLL 196608 bytes
C:\WINDOWS\system32LTKRN12n.DLL 425984 bytes
C:\WINDOWS\system32LTOCX12n.INF 32768 bytes
C:\WINDOWS\system32LTTWN12n.DLL 65536 bytes
C:\WINDOWS\system32wbkonthk.ini 491520 bytes
C:\WINDOWS\system32shimgvw.dll 458752 bytes
C:\WINDOWS\system32shimeng.dll 65536 bytes
C:\WINDOWS\system32shgina.dll 98304 bytes
C:\WINDOWS\system32VFind.exe 65536 bytes
C:\WINDOWS\system32shdoclc.dll 557056 bytes
C:\WINDOWS\system32sfcfiles.dll 1605632 bytes
C:\WINDOWS\system32sfc.dll 32768 bytes
C:\WINDOWS\system32setup.exe 32768 bytes
C:\WINDOWS\system32sens.dll 65536 bytes
C:\WINDOWS\system32sendmail.dll 65536 bytes
C:\WINDOWS\system32seclogon.dll 32768 bytes
C:\WINDOWS\system32sdbinst.exe 98304 bytes
C:\WINDOWS\system32scesrv.dll 327680 bytes
C:\WINDOWS\system32scecli.dll 196608 bytes
C:\WINDOWS\system32sccsccp.dll 196608 bytes
C:\WINDOWS\system32rtipxmib.dll 32768 bytes
C:\WINDOWS\system32jdekcxgl.ini 491520 bytes
C:\WINDOWS\system32rpcrt4.dll 589824 bytes
C:\WINDOWS\system32riched20.dll 458752 bytes
C:\WINDOWS\system32rexec.exe 32768 bytes
C:\WINDOWS\system32remotesp.tsp 98304 bytes
C:\WINDOWS\system32regapi.dll 65536 bytes
C:\WINDOWS\system32reg.exe 65536 bytes
C:\WINDOWS\system32rassapi.dll 32768 bytes
C:\WINDOWS\system32rasphone.exe 65536 bytes
C:\WINDOWS\system32raschap.dll 98304 bytes
C:\WINDOWS\system32rasadhlp.dll 32768 bytes
C:\WINDOWS\system32racpldlg.dll 65536 bytes
C:\WINDOWS\system32quartz.dll 1310720 bytes
C:\WINDOWS\system32qdvd.dll 393216 bytes
C:\WINDOWS\system32pstorec.dll 65536 bytes
C:\WINDOWS\system32psapi.dll 32768 bytes
C:\WINDOWS\system32proquota.exe 65536 bytes
C:\WINDOWS\system32proctexe.ocx 98304 bytes
C:\WINDOWS\system32powercfg.cpl 131072 bytes
C:\WINDOWS\system32ping.exe 32768 bytes
C:\WINDOWS\system32offfilt.dll 131072 bytes
C:\WINDOWS\system32odbcp32r.dll 32768 bytes
C:\WINDOWS\system32odbcjt32.dll 294912 bytes
C:\WINDOWS\system32odbccu32.dll 65536 bytes
C:\WINDOWS\system32odbccr32.dll 65536 bytes
C:\WINDOWS\system32odbccp32.dll 131072 bytes
C:\WINDOWS\system32odbccp32.cpl 32768 bytes
C:\WINDOWS\system32odbcconf.rsp 32768 bytes
C:\WINDOWS\system32odbcconf.dll 163840 bytes
C:\WINDOWS\system32odbcbcp.dll 32768 bytes
C:\WINDOWS\system32odbcad32.exe 32768 bytes
C:\WINDOWS\system32odbc32gt.dll 32768 bytes
C:\WINDOWS\system32odbc32.dll 262144 bytes
C:\WINDOWS\system32occache.dll 98304 bytes
C:\WINDOWS\system32nusrmgr.cpl 262144 bytes
C:\WINDOWS\system32ntmssvc.dll 458752 bytes
C:\WINDOWS\system32ntlanman.dll 65536 bytes
C:\WINDOWS\system32ntdsapi.dll 98304 bytes
C:\WINDOWS\system32npptools.dll 65536 bytes
C:\WINDOWS\system32newdev.dll 262144 bytes
C:\WINDOWS\system32netui1.dll 262144 bytes
C:\WINDOWS\system32netui0.dll 98304 bytes
C:\WINDOWS\system32netstat.exe 65536 bytes
C:\WINDOWS\system32netsh.exe 98304 bytes
C:\WINDOWS\system32netplwiz.dll 884736 bytes
C:\WINDOWS\system32netlogon.dll 425984 bytes
C:\WINDOWS\system32netid.dll 163840 bytes
C:\WINDOWS\system32netapi32.dll 360448 bytes
C:\WINDOWS\system32net1.exe 131072 bytes
C:\WINDOWS\system32nddenb32.dll 32768 bytes
C:\WINDOWS\system32ncobjapi.dll 65536 bytes
C:\WINDOWS\system32narrator.exe 65536 bytes
C:\WINDOWS\system32mtxclu.dll 98304 bytes
C:\WINDOWS\system32msxml2.dll 720896 bytes
C:\WINDOWS\system32msvcrt40.dll 65536 bytes
C:\WINDOWS\system32msvcp60.dll 425984 bytes
C:\WINDOWS\system32msvcirt.dll 65536 bytes
C:\WINDOWS\system32mstinit.exe 32768 bytes
C:\WINDOWS\system32mspaint.exe 360448 bytes
C:\WINDOWS\system32msorc32r.dll 32768 bytes
C:\WINDOWS\system32msoert2.dll 131072 bytes
C:\WINDOWS\system32msimtf.dll 163840 bytes
C:\WINDOWS\system32msimg32.dll 32768 bytes
C:\WINDOWS\system32ntmqodlt.ini 589824 bytes
C:\WINDOWS\system32msieftp.dll 262144 bytes
C:\WINDOWS\system32msidle.dll 32768 bytes
C:\WINDOWS\system32msident.dll 65536 bytes
C:\WINDOWS\system32mshtmler.dll 65536 bytes
C:\WINDOWS\system32mshta.exe 32768 bytes
C:\WINDOWS\system32msexcl40.dll 327680 bytes
C:\WINDOWS\system32msctfp.dll 98304 bytes
C:\WINDOWS\system32mscpx32r.dll 32768 bytes
C:\WINDOWS\system32msconf.dll 98304 bytes
C:\WINDOWS\system32msaud32.acm 294912 bytes
C:\WINDOWS\system32msasn1.dll 65536 bytes
C:\WINDOWS\system32msapsspc.dll 98304 bytes
C:\WINDOWS\system32msadds32.ax 229376 bytes
C:\WINDOWS\system32mprapi.dll 98304 bytes
C:\WINDOWS\system32mpr.dll 65536 bytes
C:\WINDOWS\system32mplay32.exe 131072 bytes
C:\WINDOWS\system32mobsync.exe 163840 bytes
C:\WINDOWS\system32miglibnt.dll 65536 bytes
C:\WINDOWS\system32mfcsubs.dll 32768 bytes
C:\WINDOWS\system32mfc42u.dll 1048576 bytes
C:\WINDOWS\system32mf3216.dll 65536 bytes
C:\WINDOWS\system32mciwave.dll 32768 bytes
C:\WINDOWS\system32lprhelp.dll 32768 bytes
C:\WINDOWS\system32licwmi.dll 65536 bytes
C:\WINDOWS\system32vtegjitf.ini 589824 bytes
C:\WINDOWS\system32keymgr.dll 163840 bytes
C:\WINDOWS\system32kd1394.dll 32768 bytes
C:\WINDOWS\system32joy.cpl 98304 bytes
C:\WINDOWS\system32ipsecsnp.dll 360448 bytes
C:\WINDOWS\system32ipconfig.exe 65536 bytes
C:\WINDOWS\system32intl.cpl 131072 bytes
C:\WINDOWS\system32inetmib1.dll 65536 bytes
C:\WINDOWS\system32imgutil.dll 65536 bytes
C:\WINDOWS\system32ils.dll 98304 bytes
C:\WINDOWS\system32icm32.dll 262144 bytes
C:\WINDOWS\system32iasrad.dll 131072 bytes
C:\WINDOWS\system32hidphone.tsp 32768 bytes
C:\WINDOWS\system32hid.dll 32768 bytes
C:\WINDOWS\system32hdwwiz.cpl 163840 bytes
C:\WINDOWS\system32grpconv.exe 65536 bytes
C:\WINDOWS\system32framebuf.dll 32768 bytes
C:\WINDOWS\system32eudcedit.exe 196608 bytes
C:\WINDOWS\system32es.dll 262144 bytes
C:\WINDOWS\system32ersvc.dll 32768 bytes
C:\WINDOWS\system32els.dll 196608 bytes
C:\WINDOWS\system32dumprep.exe 32768 bytes
C:\WINDOWS\system32dssec.dll 65536 bytes
C:\WINDOWS\system32dnsrslvr.dll 65536 bytes
C:\WINDOWS\system32dnsapi.dll 163840 bytes
C:\WINDOWS\system32dmutil.dll 65536 bytes
C:\WINDOWS\system32dmscript.dll 98304 bytes
C:\WINDOWS\system32ddeshare.exe 32768 bytes
C:\WINDOWS\system32dcache.bin 32768 bytes
C:\WINDOWS\system32dataclen.dll 65536 bytes
C:\WINDOWS\system32cscui.dll 327680 bytes
C:\WINDOWS\system32cscript.exe 98304 bytes
C:\WINDOWS\system32cryptui.dll 524288 bytes
C:\WINDOWS\system32cryptsvc.dll 65536 bytes
C:\WINDOWS\system32cryptnet.dll 65536 bytes
C:\WINDOWS\system32cryptext.dll 65536 bytes
C:\WINDOWS\system32cryptdlg.dll 98304 bytes
C:\WINDOWS\system32credui.dll 163840 bytes
C:\WINDOWS\system32corpol.dll 65536 bytes
C:\WINDOWS\system32comuid.dll 557056 bytes
C:\WINDOWS\system32comres.dll 819200 bytes
C:\WINDOWS\system32compstui.dll 229376 bytes
C:\WINDOWS\system32cnbjmon.dll 65536 bytes
C:\WINDOWS\system32cmutil.dll 65536 bytes
C:\WINDOWS\system32clipsrv.exe 65536 bytes
C:\WINDOWS\system32clbcatex.dll 131072 bytes
C:\WINDOWS\system32ciodm.dll 98304 bytes
C:\WINDOWS\system32cfgbkend.dll 65536 bytes
C:\WINDOWS\system32cdosys.dll 2097152 bytes
C:\WINDOWS\system32catsrvps.dll 98304 bytes
C:\WINDOWS\system32camocx.dll 65536 bytes
C:\WINDOWS\system32browsewm.dll 98304 bytes
C:\WINDOWS\system32nnpoq.ini 32768 bytes
C:\WINDOWS\system32browser.dll 98304 bytes
C:\WINDOWS\system32basesrv.dll 65536 bytes
C:\WINDOWS\system32avifil32.dll 98304 bytes
C:\WINDOWS\system32audiosrv.dll 65536 bytes
C:\WINDOWS\system32atmlib.dll 32768 bytes
C:\WINDOWS\system32atmadm.exe 32768 bytes
C:\WINDOWS\system32ati3d2ag.dll 1081344 bytes
C:\WINDOWS\system32apphelp.dll 131072 bytes
C:\WINDOWS\system32amstream.dll 98304 bytes
C:\WINDOWS\system32alg.exe 65536 bytes
C:\WINDOWS\system32adsnt.dll 294912 bytes
C:\WINDOWS\system32adsldp.dll 196608 bytes
C:\WINDOWS\system32actmovie.exe 32768 bytes
C:\WINDOWS\system32hpguapi.ini 32768 bytes
C:\WINDOWS\system32aclui.dll 131072 bytes
C:\WINDOWS\system32ntbackup.exe 1212416 bytes
C:\WINDOWS\system32xpob2res.dll 458752 bytes
C:\WINDOWS\system32xmlprov.dll 131072 bytes
C:\WINDOWS\system32wuauserv.dll 32768 bytes
C:\WINDOWS\system32wshbth.dll 131072 bytes
C:\WINDOWS\system32wscui.cpl 163840 bytes
C:\WINDOWS\system32wscsvc.dll 98304 bytes
C:\WINDOWS\system32wscntfy.exe 32768 bytes
C:\WINDOWS\system32ummjkmwn.ini 589824 bytes
C:\WINDOWS\system32wmp.dll 4882432 bytes
C:\WINDOWS\system32ikokyudt.ini 589824 bytes
C:\WINDOWS\system32winshfhc.dll 32768 bytes
C:\WINDOWS\system32winhttp.dll 360448 bytes
C:\WINDOWS\system32winbrand.dll 950272 bytes
C:\WINDOWS\system32xwvut.ini 32768 bytes
C:\WINDOWS\system32twext.dll 65536 bytes
C:\WINDOWS\system32strmfilt.dll 98304 bytes
C:\WINDOWS\system32spupdwxp.exe 32768 bytes
C:\WINDOWS\system32spnpinst.exe 32768 bytes
C:\WINDOWS\system32smbinst.exe 32768 bytes
C:\WINDOWS\system32slserv.exe 98304 bytes
C:\WINDOWS\system32slrundll.exe 65536 bytes
C:\WINDOWS\system32slgen.dll 196608 bytes
C:\WINDOWS\system32slextspk.dll 294912 bytes
C:\WINDOWS\system32slcoinst.dll 98304 bytes
C:\WINDOWS\system32sdhcinst.dll 32768 bytes
C:\WINDOWS\system32sbeio.dll 163840 bytes
C:\WINDOWS\system32qmgr.dll 393216 bytes
C:\WINDOWS\system32powercfg.exe 65536 bytes
C:\WINDOWS\system32pnrpnsp.dll 65536 bytes
C:\WINDOWS\system32p2psvc.dll 557056 bytes
C:\WINDOWS\system32p2pnetsh.dll 98304 bytes
C:\WINDOWS\system32p2pgraph.dll 327680 bytes
C:\WINDOWS\system32p2pgasvc.dll 98304 bytes
C:\WINDOWS\system32p2p.dll 131072 bytes
C:\WINDOWS\system32mtxparhd.dll 1769472 bytes
C:\WINDOWS\system32mssap.dll 163840 bytes
C:\WINDOWS\system32msftedit.dll 557056 bytes
C:\WINDOWS\system32msctfime.ime 196608 bytes
C:\WINDOWS\system32mdmxsdk.dll 98304 bytes
C:\WINDOWS\system32kbdukx.dll 32768 bytes
C:\WINDOWS\system32kbdsmsno.dll 32768 bytes
C:\WINDOWS\system32kbdsmsfi.dll 32768 bytes
C:\WINDOWS\system32kbdno1.dll 32768 bytes
C:\WINDOWS\system32kbdmlt48.dll 32768 bytes
C:\WINDOWS\system32kbdmlt47.dll 32768 bytes
C:\WINDOWS\system32kbdmaori.dll 32768 bytes
C:\WINDOWS\system32kbdinmal.dll 32768 bytes
C:\WINDOWS\system32kbdinben.dll 32768 bytes
C:\WINDOWS\system32kbdinbe1.dll 32768 bytes
C:\WINDOWS\system32kbdfi1.dll 32768 bytes
C:\WINDOWS\system32ivfsrc.ax 163840 bytes
C:\WINDOWS\system32ir50_qcx.dll 196608 bytes
C:\WINDOWS\system32iac25_32.ax 229376 bytes
C:\WINDOWS\system32httpapi.dll 32768 bytes
C:\WINDOWS\system32html.iec 425984 bytes
C:\WINDOWS\system32hsfcisp2.dll 32768 bytes
C:\WINDOWS\system32hccoin.dll 32768 bytes
C:\WINDOWS\system32fsquirt.exe 196608 bytes
C:\WINDOWS\system32fltmc.exe 32768 bytes
C:\WINDOWS\system32fltlib.dll 32768 bytes
C:\WINDOWS\system32firewall.cpl 98304 bytes
C:\WINDOWS\system32faxpatch.exe 32768 bytes
C:\WINDOWS\system32encdec.dll 196608 bytes
C:\WINDOWS\system32btpanui.dll 65536 bytes
C:\WINDOWS\system32bthserv.dll 32768 bytes
C:\WINDOWS\system32bthprops.cpl 131072 bytes
C:\WINDOWS\system32bthci.dll 32768 bytes
C:\WINDOWS\system32blastcln.exe 98304 bytes
C:\WINDOWS\system32bitsprx3.dll 32768 bytes
C:\WINDOWS\system32ativvaxx.dll 524288 bytes
C:\WINDOWS\system32ativtmxx.dll 32768 bytes
C:\WINDOWS\system32ativmvxx.ax 32768 bytes
C:\WINDOWS\system32ati3d1ag.dll 884736 bytes
C:\WINDOWS\system32wstpager.ax 196608 bytes
C:\WINDOWS\system32wstrenderer.ax 262144 bytes
C:\WINDOWS\system32vbicodec.ax 65536 bytes
C:\WINDOWS\system32secedit.exe 32768 bytes
C:\WINDOWS\system32spiisupd.exe 32768 bytes
C:\WINDOWS\system32asr_pfu.exe 32768 bytes
C:\WINDOWS\system32vhcqcmcc.ini 1245184 bytes
C:\WINDOWS\system32Camapi32.dll 65536 bytes
C:\WINDOWS\system32mywehit.ini 32768 bytes
C:\WINDOWS\system32dns-sd.exe 65536 bytes
C:\WINDOWS\system32orqru.ini 32768 bytes
C:\WINDOWS\system32klrxlpbo.ini 1114112 bytes
C:\WINDOWS\system32dnssd.dll 65536 bytes
C:\WINDOWS\system32E300.dll 327680 bytes
C:\WINDOWS\system32 SOUNDMAN.EXE 32768 bytes
C:\WINDOWS\system32Comm32.dll 32768 bytes
C:\WINDOWS\system32DC210V204_32.dll 65536 bytes
C:\WINDOWS\system32Dc50ip32.dll 131072 bytes
C:\WINDOWS\system32Dc50v11_32.dll 131072 bytes
C:\WINDOWS\system32E300str.dll 32768 bytes
C:\WINDOWS\system32ImgLibLead.dll 32768 bytes
C:\WINDOWS\system32LFCMP70n.DLL 229376 bytes
C:\WINDOWS\system32Lfbmp70n.dll 32768 bytes
C:\WINDOWS\system32Ltfil70n.dll 65536 bytes
C:\WINDOWS\system32Ltkrn70n.dll 360448 bytes
C:\WINDOWS\system32Nkdscsi.dll 65536 bytes
C:\WINDOWS\system32Nkdserl.dll 65536 bytes
C:\WINDOWS\system32mwisys32_071124.dll 229376 bytes
C:\WINDOWS\system32TWAIN_32.DLL 98304 bytes
C:\WINDOWS\system32msls2.dll 98304 bytes
C:\WINDOWS\system32hlp95en.dll 32768 bytes
C:\WINDOWS\system32ochlp30e.dll 65536 bytes
C:\WINDOWS\system32Ltwvc11n.dll 720896 bytes
C:\WINDOWS\system32ltkrn11n.dll 393216 bytes
C:\WINDOWS\system32ltimg11n.dll 131072 bytes
C:\WINDOWS\system32ltfil11n.DLL 131072 bytes
C:\WINDOWS\system32LTDIS11n.dll 294912 bytes
C:\WINDOWS\system32lfwmf11n.dll 65536 bytes
C:\WINDOWS\system32lftif11n.dll 163840 bytes
C:\WINDOWS\system32lftga11n.dll 32768 bytes
C:\WINDOWS\system32lfpsd11n.dll 65536 bytes
C:\WINDOWS\system32Lfpng11n.dll 196608 bytes
C:\WINDOWS\system32lfpcx11n.dll 65536 bytes
C:\WINDOWS\system32lfpcd11n.dll 32768 bytes
C:\WINDOWS\system32lfgif11n.dll 65536 bytes
C:\WINDOWS\system32lffax11n.dll 98304 bytes
C:\WINDOWS\system32lfeps11n.dll 32768 bytes
C:\WINDOWS\system32LFCMP11n.DLL 294912 bytes
C:\WINDOWS\system32lfbmp11n.dll 65536 bytes
C:\WINDOWS\system32Pubole32.dll 98304 bytes
C:\WINDOWS\system32yxxyb.ini 32768 bytes
C:\WINDOWS\system32MSRECR40.DLL 32768 bytes
C:\WINDOWS\system32TWUNK_16.EXE 65536 bytes
C:\WINDOWS\system32TWUNK_32.EXE 98304 bytes
C:\WINDOWS\system32VEN2232.OLB 65536 bytes
C:\WINDOWS\system32VBAEND32.OLB 32768 bytes
C:\WINDOWS\system32VBAEN32.OLB 32768 bytes
C:\WINDOWS\system32VBAME.DLL 65536 bytes
C:\WINDOWS\system32MFC42ENU.DLL 65536 bytes
C:\WINDOWS\system32rtsut.ini 32768 bytes
C:\WINDOWS\system32URTTemp
C:\WINDOWS\system32mkpollca.ini 819200 bytes
C:\WINDOWS\system32juditsto.ini 819200 bytes
C:\WINDOWS\system32NtmsData
C:\WINDOWS\system32phijwdvv.ini 819200 bytes
C:\WINDOWS\system32ZWebAuth.dll 32768 bytes
C:\WINDOWS\system32wincheck071128.exe 32768 bytes
C:\WINDOWS\system32qqrqr.ini 32768 bytes
C:\WINDOWS\system32wincheck071128.dll 32768 bytes
C:\WINDOWS\system32wincheck071204.exe 32768 bytes
C:\WINDOWS\system32dromqund.ini 851968 bytes
C:\WINDOWS\system32mhmufudh.ini 819200 bytes
C:\WINDOWS\system32cfhhk.ini 32768 bytes
C:\WINDOWS\system32hpgud32.dll 262144 bytes
C:\WINDOWS\system32hpguapi.dll 131072 bytes
C:\WINDOWS\system32hpg4400.dll 65536 bytes
C:\WINDOWS\system32rts8891u.dll 425984 bytes
C:\WINDOWS\system32hpgtpusd.dll 229376 bytes
C:\WINDOWS\system32hpsjvset.dll 131072 bytes
C:\WINDOWS\system32hpgtulbz.dll 262144 bytes
C:\WINDOWS\system32wincheck071204.dll 32768 bytes
C:\WINDOWS\system32edccf.ini 458752 bytes
C:\WINDOWS\system32ucpplgbt.ini 1048576 bytes
C:\WINDOWS\system32QuickTimeVR.qtx 98304 bytes
C:\WINDOWS\system32mywehit.ini.tmp 32768 bytes
C:\WINDOWS\system32hijlm.ini 458752 bytes
C:\WINDOWS\system32hhjjl.ini 32768 bytes
C:\WINDOWS\system32taenofcy.ini 983040 bytes
C:\WINDOWS\system32ilasjjyl.ini 1048576 bytes
C:\WINDOWS\system32DRVSTORE
C:\WINDOWS\system32ruvut.ini 32768 bytes
C:\Documents and Settings\Jason\Application DataInstaller352
C:\Documents and Settings\Jason\Application DataIconCache.db 2654208 bytes
C:\Documents and Settings\Jason\Application DataGiantPalace
C:\Documents and Settings\Jason\Application DataApple Computer
C:\Documents and Settings\Jason\Application DataRiverdeep Interactive Learning Limited
C:\Documents and Settings\Jason\Application Datafusioncache.dat 32768 bytes
C:\Documents and Settings\Jason\Application DataApple

scan completed successfully
hidden files: 404

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180]
-> C:\WINDOWS\system32\mwisys32_080122.dll
.
Completion time: 2008-01-26 1:02:39 - machine was rebooted
ComboFix3.txt 2007-04-07 05:59:50
ComboFix4.txt 2007-03-25 03:09:28
ComboFix2.txt 2007-05-19 05:39:24
ComboFix-quarantined-files.txt 2008-01-26 09:02:34


Logfile of HijackThis v1.99.1
Scan saved at 1:05:40 AM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\inf\svchosts.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\DRWATSON\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://bellerock.mi...lay/FlashAX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...ploader_v10.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  • 0

#4
kahdah
Posted 26 January 2008 - 06:12 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download ComboFix from Here to your Desktop.

Then go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Posted Image


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
  • 0

#5
jcato
Posted 27 January 2008 - 01:15 PM

jcato

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Ok i tried doing that and combo fix starts up but then a error pops up saying the boot c.ini disc is incorrectly formated and then it just closes and after that happened my internet wasn't working until i restarted my computer then it worked again...?

thanks
jcato
  • 0

#6
kahdah
Posted 27 January 2008 - 01:53 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Okay for now let's skip the Recovery Console.

Then:
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.geekstogo...ps-t185062.html

Collect::
C:\WINDOWS\SYSTEM32\mywehit.ini.tmp
C:\WINDOWS\SYSTEM32\mwisys32_080122.dll
C:\WINDOWS\SYSTEM\sslxpes080122.exe
C:\WINDOWS\SYSTEM32\mwisys32_080120.dll
C:\WINDOWS\SYSTEM32\wknoraob.ini
C:\WINDOWS\SYSTEM32\xnfnytpx.ini
C:\WINDOWS\SYSTEM32\xyxbc.ini
C:\WINDOWS\SYSTEM32\ortwa.ini
C:\WINDOWS\SYSTEM32\ilasjjyl.ini
C:\WINDOWS\SYSTEM32\ucpplgbt.ini
C:\WINDOWS\SYSTEM32\bddtgjox.ini
C:\WINDOWS\SYSTEM32\khbevdaf.ini
C:\WINDOWS\SYSTEM32\tpjeurme.ini
C:\WINDOWS\SYSTEM32\wcheck.dll
C:\WINDOWS\SYSTEM32\wincheck071204.exe
C:\WINDOWS\SYSTEM32\wincheck071204.dll
C:\WINDOWS\SYSTEM32\mwisys32_071124.dll
C:\WINDOWS\system32\lwisys16_080122.dll
C:\Program Files\DownloadWare\dw.exe
File::
C:\WINDOWS\SYSTEM32\orutv.ini
C:\WINDOWS\SYSTEM32\ruvut.ini
C:\WINDOWS\system32\lwisys16_080122.dll
C:\WINDOWS\Tasks\AB2A19A791119333.job
C:\WINDOWS\system32\inf\svchosts.exe
C:\WINDOWS\system32\jganxqla.ini
C:\WINDOWS\system32\umcibaff.ini
C:\WINDOWS\system32\khtnokbw.dll
C:\WINDOWS\system32\suusjcxg.dll
C:\WINDOWS\system32\tracert.exe
C:\WINDOWS\system32\wbkonthk.ini
C:\WINDOWS\system32\jdekcxgl.ini
C:\WINDOWS\system32\ummjkmwn.ini
C:\WINDOWS\system32\ikokyudt.ini
C:\WINDOWS\system32\xwvut.ini
C:\WINDOWS\system32\orqru.ini
C:\WINDOWS\system32\klrxlpbo.ini
C:\WINDOWS\system32\mwisys32_071124.dll
C:\WINDOWS\system32\yxxyb.ini
C:\WINDOWS\system32\rtsut.ini
C:\WINDOWS\system32\phijwdvv.ini
C:\WINDOWS\system32\wincheck071128.exe
C:\WINDOWS\system32\qqrqr.ini
C:\WINDOWS\system32\wincheck071128.dll
C:\WINDOWS\system32\wincheck071204.exe
C:\WINDOWS\system32\dromqund.ini
C:\WINDOWS\system32\mhmufudh.ini
C:\WINDOWS\system32\cfhhk.ini
C:\WINDOWS\system32\wincheck071204.dll
C:\WINDOWS\system32\edccf.ini
C:\WINDOWS\system32\ucpplgbt.ini
C:\WINDOWS\system32\hijlm.ini
C:\WINDOWS\system32\hhjjl.ini
C:\WINDOWS\system32\taenofcy.ini
C:\WINDOWS\system32\ilasjjyl.ini
Folder::
c:\docume~1\jason\applic~1\01acid~1
C:\Program Files\DownloadWare
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"MyUserinit"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"mscheck"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"MediaLoads Installer"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. Additonally, ComboFix will generate the following files on your desktop
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

9. Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
10. Once the file has been submitted, please DELETE both files on your desktop.

11. Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log (run after ComboFix has finished its work.)

  • 0

#7
jcato
Posted 27 January 2008 - 02:47 PM

jcato

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
ok i did what you told me to and combofix ran but i didn't see the zip folders on my desktop and at the very end a error did pop up saying : unable to create folder C:\windows\erdnt\subs\f3m- i don't know if thats something you need to know or not...anyways here's my logs...


ComboFix 08-01-23.1C - Jason 2008-01-27 12:24:15.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.132 [GMT -8:00]
Running from: C:\WINDOWS\DRWATSON\Desktop\ComboFix.exe
Command switches used :: C:\WINDOWS\DRWATSON\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\cfhhk.ini
C:\WINDOWS\system32\dromqund.ini
C:\WINDOWS\system32\edccf.ini
C:\WINDOWS\system32\hhjjl.ini
C:\WINDOWS\system32\hijlm.ini
C:\WINDOWS\system32\ikokyudt.ini
C:\WINDOWS\system32\ilasjjyl.ini
C:\WINDOWS\system32\inf\svchosts.exe
C:\WINDOWS\system32\jdekcxgl.ini
C:\WINDOWS\system32\jganxqla.ini
C:\WINDOWS\system32\khtnokbw.dll
C:\WINDOWS\system32\klrxlpbo.ini
C:\WINDOWS\system32\lwisys16_080122.dll
C:\WINDOWS\system32\mhmufudh.ini
C:\WINDOWS\system32\mwisys32_071124.dll
C:\WINDOWS\system32\orqru.ini
C:\WINDOWS\SYSTEM32\orutv.ini
C:\WINDOWS\system32\phijwdvv.ini
C:\WINDOWS\system32\qqrqr.ini
C:\WINDOWS\system32\rtsut.ini
C:\WINDOWS\SYSTEM32\ruvut.ini
C:\WINDOWS\system32\suusjcxg.dll
C:\WINDOWS\system32\taenofcy.ini
C:\WINDOWS\system32\tracert.exe
C:\WINDOWS\system32\ucpplgbt.ini
C:\WINDOWS\system32\umcibaff.ini
C:\WINDOWS\system32\ummjkmwn.ini
C:\WINDOWS\system32\wbkonthk.ini
C:\WINDOWS\system32\wincheck071128.dll
C:\WINDOWS\system32\wincheck071128.exe
C:\WINDOWS\system32\wincheck071204.dll
C:\WINDOWS\system32\wincheck071204.exe
C:\WINDOWS\system32\xwvut.ini
C:\WINDOWS\system32\yxxyb.ini
C:\WINDOWS\Tasks\AB2A19A791119333.job
.

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\jason\applic~1\01acid~1
c:\docume~1\jason\applic~1\01acid~1\5252B2D3
C:\WINDOWS\SYSTEM32\aqfjgfye.ini
C:\WINDOWS\SYSTEM32\bddtgjox.ini
C:\WINDOWS\system32\cfhhk.ini
C:\WINDOWS\SYSTEM32\dllmylgm.ini
C:\WINDOWS\system32\dromqund.ini
C:\WINDOWS\SYSTEM32\edccf.ini
C:\WINDOWS\system32\epyelauu.dll
C:\WINDOWS\system32\etfxhaci.dll
C:\WINDOWS\system32\eudswsrs.dll
C:\WINDOWS\system32\eyfgjfqa.dll
C:\WINDOWS\system32\fohwoybq.dll
C:\WINDOWS\system32\fpfnmhkk.dll
C:\WINDOWS\system32\fthcikxv.dll
C:\WINDOWS\SYSTEM32\gijwdwqh.ini
C:\WINDOWS\system32\hggdayw.dll
C:\WINDOWS\system32\hhjjl.ini
C:\WINDOWS\SYSTEM32\hijlm.ini
C:\WINDOWS\system32\hqwdwjig.dll
C:\WINDOWS\SYSTEM32\icahxfte.ini
C:\WINDOWS\system32\ikokyudt.ini
C:\WINDOWS\SYSTEM32\ilasjjyl.ini
C:\WINDOWS\system32\iliaoghu.dll
C:\WINDOWS\system32\inf\svchosts.exe
C:\WINDOWS\system32\jdekcxgl.ini
C:\WINDOWS\system32\jganxqla.ini
C:\WINDOWS\system32\jhumwtgn.dll
C:\WINDOWS\SYSTEM32\juditsto.ini
C:\WINDOWS\SYSTEM32\khbevdaf.ini
C:\WINDOWS\system32\khfdbbc.dll
C:\WINDOWS\system32\khffcde.dll
C:\WINDOWS\system32\khtnokbw.dll
C:\WINDOWS\system32\klrxlpbo.ini
C:\WINDOWS\system32\lgerwhwd.dll
C:\WINDOWS\system32\mglymlld.dll
C:\WINDOWS\system32\mhmufudh.ini
C:\WINDOWS\SYSTEM32\mkpollca.ini
C:\WINDOWS\system32\mwisys32_071124.dll
C:\WINDOWS\SYSTEM32\mwisys32_080122.dll
C:\WINDOWS\SYSTEM32\ngtwmuhj.ini
C:\WINDOWS\system32\orqru.ini
C:\WINDOWS\SYSTEM32\ortwa.ini
C:\WINDOWS\SYSTEM32\orutv.ini
C:\WINDOWS\SYSTEM32\phijwdvv.ini
C:\WINDOWS\system32\qqrqr.ini
C:\WINDOWS\system32\rtsut.ini
C:\WINDOWS\SYSTEM32\ruvut.ini
C:\WINDOWS\system32\suusjcxg.dll
C:\WINDOWS\SYSTEM32\taenofcy.ini
C:\WINDOWS\SYSTEM32\tpjeurme.ini
C:\WINDOWS\system32\tracert.exe
C:\WINDOWS\SYSTEM32\ucpplgbt.ini
C:\WINDOWS\system32\umcibaff.ini
C:\WINDOWS\system32\ummjkmwn.ini
C:\WINDOWS\SYSTEM32\vxkichtf.ini
C:\WINDOWS\system32\wbkonthk.ini
C:\WINDOWS\system32\wincheck071128.dll
C:\WINDOWS\system32\wincheck071128.exe
C:\WINDOWS\SYSTEM32\wincheck071204.dll
C:\WINDOWS\system32\wincheck071204.exe
C:\WINDOWS\SYSTEM32\wknoraob.ini
C:\WINDOWS\SYSTEM32\xdgvpoga.ini
C:\WINDOWS\SYSTEM32\xnfnytpx.ini
C:\WINDOWS\system32\xwvut.ini
C:\WINDOWS\SYSTEM32\xyxbc.ini
C:\WINDOWS\system32\yxxyb.ini
C:\WINDOWS\SYSTEM32\yybcwqxn.ini
C:\WINDOWS\Tasks\AB2A19A791119333.job

.
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-27 12:28 . 2008-01-27 12:28 40 --a------ C:\WINDOWS\pwisys.ini
2008-01-27 12:24 . 2008-01-27 12:24 1,453,899 --a------ C:\catchme.zip
2008-01-27 10:37 . 2008-01-27 10:37 <DIR> d-------- C:\Program Files\UsUsden200F
2008-01-26 21:03 . 2008-01-26 21:03 18 --a------ C:\WINDOWS\checkcj.ini
2008-01-26 19:03 . 2008-01-26 19:03 <DIR> d--hs---- C:\FOUND.029
2008-01-26 00:32 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 21:09 . 2008-01-21 21:09 <DIR> d-------- C:\Program Files\iPod
2008-01-21 21:08 . 2008-01-21 21:08 <DIR> d-------- C:\Program Files\iTunes
2008-01-14 17:13 . 2008-01-14 17:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\URTTemp
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts
2008-01-06 17:30 . 2008-01-06 17:30 503 --a------ C:\office.lnk
2007-12-30 21:08 . 2007-12-30 21:08 <DIR> d--hs---- C:\FOUND.028
2007-12-29 00:08 . 2007-12-29 00:08 <DIR> d-------- C:\Program Files\ConnectToCasino

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-25 20:48 --------- d-----w C:\Program Files\LimeWire
2007-12-25 20:10 --------- d-----w C:\Program Files\Apple Software Update
2007-12-25 20:08 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-23 00:58 --------- d-----w C:\Program Files\Casino Share Flash Casino
2007-12-20 02:18 --------- d-----w C:\Program Files\BetRoyal Casino
2007-12-18 07:27 --------- d-----w C:\Program Files\Prism Casino
2007-12-16 06:37 --------- d-----w C:\Program Files\Virtual Casino
2007-12-16 00:52 --------- d-----w C:\Program Files\Millionaire Casino
2007-12-13 06:57 --------- d-----w C:\Program Files\Shark Casino
2007-12-11 06:23 --------- d-----w C:\Program Files\Slots of Vegas
2007-12-10 00:43 --------- d-----w C:\Program Files\MayanFortune
2007-12-09 02:51 --------- d-----w C:\Program Files\Golden Riviera Guest Play Flash Casino
2007-12-08 07:23 --------- d-----w C:\Program Files\Cirrus Casino
2007-12-05 02:30 --------- d-----w C:\Program Files\Common Files\Totem Shared
2007-11-27 06:08 --------- d-----w C:\Program Files\Paradise8
2007-11-10 08:23 3,072 ----a-w C:\WINDOWS\SYSTEM32\ SOUNDMAN.EXE
2002-11-09 21:50 128,975 ----a-w C:\Program Files\winmail.dat
2002-11-03 22:04 232,638 ----a-w C:\Program Files\42acplug_setup.exe
2001-06-21 23:06 271 --sh--w C:\Program Files\desktop.ini
2001-06-21 23:06 23,357 ---h--w C:\Program Files\folder.htt
2002-08-23 02:18 8 --sh--w C:\WINDOWS\DRM\pdrm.dat
.

((((((((((((((((((((((((((((( snapshot@2008-01-26_ 1.01.49.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-12 12:00:36 501,136 ----a-w C:\WINDOWS\DRWATSON\Desktop\backups\backup-20080127-030347-837.dll
+ 2008-01-27 19:01:40 4,608,744 ----a-w C:\WINDOWS\DRWATSON\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
- 2008-01-26 08:34:40 1,167,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
+ 2008-01-27 20:23:36 1,167,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
- 2008-01-26 08:34:40 503,808 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-27 20:23:36 503,808 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-26 08:34:40 1,163,264 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-27 20:23:38 1,163,264 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-26 08:34:40 503,808 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-27 20:23:38 503,808 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-26 08:34:46 15,286,272 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-27 20:23:42 15,314,944 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-26 08:34:46 663,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-27 20:23:42 663,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2004-08-04 07:56:58 12,288 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tracert.exe
+ 2007-11-21 00:04:14 218,496 ----a-r C:\WINDOWS\SYSTEM32\MACROMED\FLASH\FlashUtil9e.exe
+ 2008-01-27 10:07:16 74,137 ----a-w C:\WINDOWS\SYSTEM32\MACROMED\FLASH\uninstall_activeX.exe
- 2008-01-15 02:27:22 453,724 ----a-w C:\WINDOWS\SYSTEM32\Restore\rstrlog.dat
+ 2008-01-27 11:14:16 613,416 ----a-w C:\WINDOWS\SYSTEM32\Restore\rstrlog.dat
+ 2006-12-02 06:56:00 96,256 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-02 08:25:52 1,101,824 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-02 08:25:56 1,093,120 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 08:25:58 69,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 08:26:00 57,856 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 08:08:00 40,960 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 08:08:00 45,056 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 08:08:00 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 08:08:00 57,344 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 08:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 08:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 08:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 08:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 08:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 08:46:44 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 102,400 2002-06-10 22:21:32 C:\Program Files\Common Files\Logitech\QCDriver\bak\LVCOMS.EXE
----a-w 102,400 2002-06-10 22:21:32 C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

----a-w 45,056 2002-06-20 20:25:56 C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe
----a-w 45,056 2002-06-20 20:25:56 C:\Program Files\Logitech\ImageStudio\LogiTray.exe

----a-w 4,662,776 2006-10-25 00:10:18 C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe
----a-w 3,810,544 2007-12-18 01:13:36 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

----a-w 282,624 2006-12-16 02:24:38 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 385,024 2008-01-10 23:27:36 C:\Program Files\QuickTime\QTTask.exe

----a-w 311,350 2000-08-08 21:00:00 C:\Program Files\Microsoft Works\bak\WksSb.exe
----a-w 311,350 2000-08-08 21:00:00 C:\Program Files\Microsoft Works\WksSb.exe

----a-r 307,200 2005-10-24 23:53:40 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

----a-w 1,310,720 2007-01-22 07:14:20 C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe

----a-w 75,520 2006-12-15 11:23:28 C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43 7630848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-08-08 13:00:00 24633]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LDM"=\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"AtiPTA"=Atiptaxx.exe
"SVAPlayer"=C:\Program Files\SVA Player\SVAPLAYER.EXE
"NVQuickTweak"=RUNDLL32.EXE NVQTWK.DLL,NvTaskbarInit
"Uninstall0001"="C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.virtuagay.com!StatsVirtuaGuy
"Uninstall0002"="C:\Program Files\Common Files\Totem Shared\Uninstall0002\upd.exe" LASTCALL!adverts.virtuagay.com!StatsVirtuaGuy

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 04:00]
R3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\RTL8150.SYS [2006-05-10 15:22]
S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 13:58]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-06-10 14:16]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 07:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2008-01-26 21:12:26 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
"2008-01-23 09:00:28 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"
- C:\WINDOWS\DEFRAG.EXE
"2008-01-01 08:30:02 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"
- C:\WINDOWS\CLEANMGR.EXE
"2005-02-05 18:58:30 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2008-01-20 02:11:24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 12:32:33
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Program Files\AOL Games
C:\Program Files\GameHouse
C:\Program Files\PopCap Games
C:\Program Files\Raptisoft
C:\Program Files\SuperiorCasino
C:\Program Files\Vegas Strip
C:\Program Files\Orchid Online
C:\Program Files\Bonjour
C:\Program Files\Paradise8
C:\Program Files\Cirrus Casino
C:\Program Files\Golden Riviera Guest Play Flash Casino
C:\Program Files\MayanFortune
C:\Program Files\Slots of Vegas
C:\Program Files\Shark Casino
C:\Program Files\Millionaire Casino
C:\Program Files\Virtual Casino
C:\Program Files\Prism Casino
C:\Program Files\BetRoyal Casino
C:\Program Files\Casino Share Flash Casino
C:\Program Files\Apple Software Update
C:\Program Files\LimeWire
C:\Program Files\ConnectToCasino
C:\Program Files\iTunes
C:\Program Files\iPod
C:\Program Files\UsUsden200F
C:\WINDOWS\system32unimdmat.dll 98304 bytes
C:\WINDOWS\system32unimdm.tsp 229376 bytes
C:\WINDOWS\system32umpnpmgr.dll 131072 bytes
C:\WINDOWS\system32umandlg.dll 65536 bytes
C:\WINDOWS\system32termsrv.dll 327680 bytes
C:\WINDOWS\system32termmgr.dll 360448 bytes
C:\WINDOWS\system32tcpmib.dll 32768 bytes
C:\WINDOWS\system32tapi32.dll 196608 bytes
C:\WINDOWS\system32tapi3.dll 884736 bytes
C:\WINDOWS\system32svchost.exe 32768 bytes
C:\WINDOWS\system32strmdll.dll 262144 bytes
C:\WINDOWS\system32stimon.exe 32768 bytes
C:\WINDOWS\system32sstext3d.scr 688128 bytes
C:\WINDOWS\system32ssdpapi.dll 65536 bytes
C:\WINDOWS\system32ssbezier.scr 32768 bytes
C:\WINDOWS\system32srrstr.dll 262144 bytes
C:\WINDOWS\system32sqlsrv32.rll 98304 bytes
C:\WINDOWS\system32sqlsrv32.dll 458752 bytes
C:\WINDOWS\system32spoolsv.exe 65536 bytes
C:\WINDOWS\system32spoolss.dll 98304 bytes
C:\WINDOWS\system32spider.exe 557056 bytes
C:\WINDOWS\system32skeys.exe 32768 bytes
C:\WINDOWS\system32shscrap.dll 32768 bytes
C:\WINDOWS\system32LTIMG12n.DLL 196608 bytes
C:\WINDOWS\system32LTKRN12n.DLL 425984 bytes
C:\WINDOWS\system32LTOCX12n.INF 32768 bytes
C:\WINDOWS\system32LTTWN12n.DLL 65536 bytes
C:\WINDOWS\system32shimgvw.dll 458752 bytes
C:\WINDOWS\system32shimeng.dll 65536 bytes
C:\WINDOWS\system32shgina.dll 98304 bytes
C:\WINDOWS\system32shdoclc.dll 557056 bytes
C:\WINDOWS\system32sfcfiles.dll 1605632 bytes
C:\WINDOWS\system32sfc.dll 32768 bytes
C:\WINDOWS\system32setup.exe 32768 bytes
C:\WINDOWS\system32sens.dll 65536 bytes
C:\WINDOWS\system32sendmail.dll 65536 bytes
C:\WINDOWS\system32seclogon.dll 32768 bytes
C:\WINDOWS\system32sdbinst.exe 98304 bytes
C:\WINDOWS\system32scesrv.dll 327680 bytes
C:\WINDOWS\system32scecli.dll 196608 bytes
C:\WINDOWS\system32sccsccp.dll 196608 bytes
C:\WINDOWS\system32rtipxmib.dll 32768 bytes
C:\WINDOWS\system32rpcrt4.dll 589824 bytes
C:\WINDOWS\system32riched20.dll 458752 bytes
C:\WINDOWS\system32rexec.exe 32768 bytes
C:\WINDOWS\system32remotesp.tsp 98304 bytes
C:\WINDOWS\system32regapi.dll 65536 bytes
C:\WINDOWS\system32reg.exe 65536 bytes
C:\WINDOWS\system32rassapi.dll 32768 bytes
C:\WINDOWS\system32rasphone.exe 65536 bytes
C:\WINDOWS\system32raschap.dll 98304 bytes
C:\WINDOWS\system32rasadhlp.dll 32768 bytes
C:\WINDOWS\system32racpldlg.dll 65536 bytes
C:\WINDOWS\system32quartz.dll 1310720 bytes
C:\WINDOWS\system32qdvd.dll 393216 bytes
C:\WINDOWS\system32pstorec.dll 65536 bytes
C:\WINDOWS\system32psapi.dll 32768 bytes
C:\WINDOWS\system32proquota.exe 65536 bytes
C:\WINDOWS\system32proctexe.ocx 98304 bytes
C:\WINDOWS\system32powercfg.cpl 131072 bytes
C:\WINDOWS\system32ping.exe 32768 bytes
C:\WINDOWS\system32offfilt.dll 131072 bytes
C:\WINDOWS\system32odbcp32r.dll 32768 bytes
C:\WINDOWS\system32odbcjt32.dll 294912 bytes
C:\WINDOWS\system32odbccu32.dll 65536 bytes
C:\WINDOWS\system32odbccr32.dll 65536 bytes
C:\WINDOWS\system32odbccp32.dll 131072 bytes
C:\WINDOWS\system32odbccp32.cpl 32768 bytes
C:\WINDOWS\system32odbcconf.rsp 32768 bytes
C:\WINDOWS\system32odbcconf.dll 163840 bytes
C:\WINDOWS\system32odbcbcp.dll 32768 bytes
C:\WINDOWS\system32odbcad32.exe 32768 bytes
C:\WINDOWS\system32odbc32gt.dll 32768 bytes
C:\WINDOWS\system32odbc32.dll 262144 bytes
C:\WINDOWS\system32occache.dll 98304 bytes
C:\WINDOWS\system32nusrmgr.cpl 262144 bytes
C:\WINDOWS\system32ntmssvc.dll 458752 bytes
C:\WINDOWS\system32ntlanman.dll 65536 bytes
C:\WINDOWS\system32ntdsapi.dll 98304 bytes
C:\WINDOWS\system32npptools.dll 65536 bytes
C:\WINDOWS\system32newdev.dll 262144 bytes
C:\WINDOWS\system32netui1.dll 262144 bytes
C:\WINDOWS\system32netui0.dll 98304 bytes
C:\WINDOWS\system32netstat.exe 65536 bytes
C:\WINDOWS\system32netsh.exe 98304 bytes
C:\WINDOWS\system32netplwiz.dll 884736 bytes
C:\WINDOWS\system32netlogon.dll 425984 bytes
C:\WINDOWS\system32netid.dll 163840 bytes
C:\WINDOWS\system32netapi32.dll 360448 bytes
C:\WINDOWS\system32net1.exe 131072 bytes
C:\WINDOWS\system32nddenb32.dll 32768 bytes
C:\WINDOWS\system32ncobjapi.dll 65536 bytes
C:\WINDOWS\system32narrator.exe 65536 bytes
C:\WINDOWS\system32mtxclu.dll 98304 bytes
C:\WINDOWS\system32msxml2.dll 720896 bytes
C:\WINDOWS\system32msvcrt40.dll 65536 bytes
C:\WINDOWS\system32msvcp60.dll 425984 bytes
C:\WINDOWS\system32msvcirt.dll 65536 bytes
C:\WINDOWS\system32mstinit.exe 32768 bytes
C:\WINDOWS\system32mspaint.exe 360448 bytes
C:\WINDOWS\system32msorc32r.dll 32768 bytes
C:\WINDOWS\system32msoert2.dll 131072 bytes
C:\WINDOWS\system32msimtf.dll 163840 bytes
C:\WINDOWS\system32msimg32.dll 32768 bytes
C:\WINDOWS\system32ntmqodlt.ini 589824 bytes
C:\WINDOWS\system32msieftp.dll 262144 bytes
C:\WINDOWS\system32msidle.dll 32768 bytes
C:\WINDOWS\system32msident.dll 65536 bytes
C:\WINDOWS\system32mshtmler.dll 65536 bytes
C:\WINDOWS\system32mshta.exe 32768 bytes
C:\WINDOWS\system32msexcl40.dll 327680 bytes
C:\WINDOWS\system32msctfp.dll 98304 bytes
C:\WINDOWS\system32mscpx32r.dll 32768 bytes
C:\WINDOWS\system32msconf.dll 98304 bytes
C:\WINDOWS\system32msaud32.acm 294912 bytes
C:\WINDOWS\system32msasn1.dll 65536 bytes
C:\WINDOWS\system32msapsspc.dll 98304 bytes
C:\WINDOWS\system32msadds32.ax 229376 bytes
C:\WINDOWS\system32mprapi.dll 98304 bytes
C:\WINDOWS\system32mpr.dll 65536 bytes
C:\WINDOWS\system32mplay32.exe 131072 bytes
C:\WINDOWS\system32mobsync.exe 163840 bytes
C:\WINDOWS\system32miglibnt.dll 65536 bytes
C:\WINDOWS\system32mfcsubs.dll 32768 bytes
C:\WINDOWS\system32mfc42u.dll 1048576 bytes
C:\WINDOWS\system32mf3216.dll 65536 bytes
C:\WINDOWS\system32mciwave.dll 32768 bytes
C:\WINDOWS\system32lprhelp.dll 32768 bytes
C:\WINDOWS\system32licwmi.dll 65536 bytes
C:\WINDOWS\system32vtegjitf.ini 589824 bytes
C:\WINDOWS\system32keymgr.dll 163840 bytes
C:\WINDOWS\system32kd1394.dll 32768 bytes
C:\WINDOWS\system32joy.cpl 98304 bytes
C:\WINDOWS\system32ipsecsnp.dll 360448 bytes
C:\WINDOWS\system32ipconfig.exe 65536 bytes
C:\WINDOWS\system32intl.cpl 131072 bytes
C:\WINDOWS\system32inetmib1.dll 65536 bytes
C:\WINDOWS\system32imgutil.dll 65536 bytes
C:\WINDOWS\system32ils.dll 98304 bytes
C:\WINDOWS\system32icm32.dll 262144 bytes
C:\WINDOWS\system32iasrad.dll 131072 bytes
C:\WINDOWS\system32hidphone.tsp 32768 bytes
C:\WINDOWS\system32hid.dll 32768 bytes
C:\WINDOWS\system32hdwwiz.cpl 163840 bytes
C:\WINDOWS\system32grpconv.exe 65536 bytes
C:\WINDOWS\system32framebuf.dll 32768 bytes
C:\WINDOWS\system32eudcedit.exe 196608 bytes
C:\WINDOWS\system32es.dll 262144 bytes
C:\WINDOWS\system32ersvc.dll 32768 bytes
C:\WINDOWS\system32els.dll 196608 bytes
C:\WINDOWS\system32dumprep.exe 32768 bytes
C:\WINDOWS\system32dssec.dll 65536 bytes
C:\WINDOWS\system32dnsrslvr.dll 65536 bytes
C:\WINDOWS\system32dnsapi.dll 163840 bytes
C:\WINDOWS\system32dmutil.dll 65536 bytes
C:\WINDOWS\system32dmscript.dll 98304 bytes
C:\WINDOWS\system32ddeshare.exe 32768 bytes
C:\WINDOWS\system32dcache.bin 32768 bytes
C:\WINDOWS\system32dataclen.dll 65536 bytes
C:\WINDOWS\system32cscui.dll 327680 bytes
C:\WINDOWS\system32cscript.exe 98304 bytes
C:\WINDOWS\system32cryptui.dll 524288 bytes
C:\WINDOWS\system32cryptsvc.dll 65536 bytes
C:\WINDOWS\system32cryptnet.dll 65536 bytes
C:\WINDOWS\system32cryptext.dll 65536 bytes
C:\WINDOWS\system32cryptdlg.dll 98304 bytes
C:\WINDOWS\system32credui.dll 163840 bytes
C:\WINDOWS\system32corpol.dll 65536 bytes
C:\WINDOWS\system32comuid.dll 557056 bytes
C:\WINDOWS\system32comres.dll 819200 bytes
C:\WINDOWS\system32compstui.dll 229376 bytes
C:\WINDOWS\system32cnbjmon.dll 65536 bytes
C:\WINDOWS\system32cmutil.dll 65536 bytes
C:\WINDOWS\system32clipsrv.exe 65536 bytes
C:\WINDOWS\system32clbcatex.dll 131072 bytes
C:\WINDOWS\system32ciodm.dll 98304 bytes
C:\WINDOWS\system32cfgbkend.dll 65536 bytes
C:\WINDOWS\system32cdosys.dll 2097152 bytes
C:\WINDOWS\system32catsrvps.dll 98304 bytes
C:\WINDOWS\system32camocx.dll 65536 bytes
C:\WINDOWS\system32browsewm.dll 98304 bytes
C:\WINDOWS\system32nnpoq.ini 32768 bytes
C:\WINDOWS\system32browser.dll 98304 bytes
C:\WINDOWS\system32basesrv.dll 65536 bytes
C:\WINDOWS\system32avifil32.dll 98304 bytes
C:\WINDOWS\system32audiosrv.dll 65536 bytes
C:\WINDOWS\system32atmlib.dll 32768 bytes
C:\WINDOWS\system32atmadm.exe 32768 bytes
C:\WINDOWS\system32ati3d2ag.dll 1081344 bytes
C:\WINDOWS\system32apphelp.dll 131072 bytes
C:\WINDOWS\system32amstream.dll 98304 bytes
C:\WINDOWS\system32alg.exe 65536 bytes
C:\WINDOWS\system32adsnt.dll 294912 bytes
C:\WINDOWS\system32adsldp.dll 196608 bytes
C:\WINDOWS\system32actmovie.exe 32768 bytes
C:\WINDOWS\system32hpguapi.ini 32768 bytes
C:\WINDOWS\system32aclui.dll 131072 bytes
C:\WINDOWS\system32ntbackup.exe 1212416 bytes
C:\WINDOWS\system32xpob2res.dll 458752 bytes
C:\WINDOWS\system32xmlprov.dll 131072 bytes
C:\WINDOWS\system32wuauserv.dll 32768 bytes
C:\WINDOWS\system32wshbth.dll 131072 bytes
C:\WINDOWS\system32wscui.cpl 163840 bytes
C:\WINDOWS\system32wscsvc.dll 98304 bytes
C:\WINDOWS\system32wscntfy.exe 32768 bytes
C:\WINDOWS\system32wmp.dll 4882432 bytes
C:\WINDOWS\system32winshfhc.dll 32768 bytes
C:\WINDOWS\system32winhttp.dll 360448 bytes
C:\WINDOWS\system32winbrand.dll 950272 bytes
C:\WINDOWS\system32twext.dll 65536 bytes
C:\WINDOWS\system32strmfilt.dll 98304 bytes
C:\WINDOWS\system32spupdwxp.exe 32768 bytes
C:\WINDOWS\system32spnpinst.exe 32768 bytes
C:\WINDOWS\system32smbinst.exe 32768 bytes
C:\WINDOWS\system32slserv.exe 98304 bytes
C:\WINDOWS\system32slrundll.exe 65536 bytes
C:\WINDOWS\system32slgen.dll 196608 bytes
C:\WINDOWS\system32slextspk.dll 294912 bytes
C:\WINDOWS\system32slcoinst.dll 98304 bytes
C:\WINDOWS\system32sdhcinst.dll 32768 bytes
C:\WINDOWS\system32sbeio.dll 163840 bytes
C:\WINDOWS\system32qmgr.dll 393216 bytes
C:\WINDOWS\system32powercfg.exe 65536 bytes
C:\WINDOWS\system32pnrpnsp.dll 65536 bytes
C:\WINDOWS\system32p2psvc.dll 557056 bytes
C:\WINDOWS\system32p2pnetsh.dll 98304 bytes
C:\WINDOWS\system32p2pgraph.dll 327680 bytes
C:\WINDOWS\system32p2pgasvc.dll 98304 bytes
C:\WINDOWS\system32p2p.dll 131072 bytes
C:\WINDOWS\system32mtxparhd.dll 1769472 bytes
C:\WINDOWS\system32mssap.dll 163840 bytes
C:\WINDOWS\system32msftedit.dll 557056 bytes
C:\WINDOWS\system32msctfime.ime 196608 bytes
C:\WINDOWS\system32mdmxsdk.dll 98304 bytes
C:\WINDOWS\system32kbdukx.dll 32768 bytes
C:\WINDOWS\system32kbdsmsno.dll 32768 bytes
C:\WINDOWS\system32kbdsmsfi.dll 32768 bytes
C:\WINDOWS\system32kbdno1.dll 32768 bytes
C:\WINDOWS\system32kbdmlt48.dll 32768 bytes
C:\WINDOWS\system32kbdmlt47.dll 32768 bytes
C:\WINDOWS\system32kbdmaori.dll 32768 bytes
C:\WINDOWS\system32kbdinmal.dll 32768 bytes
C:\WINDOWS\system32kbdinben.dll 32768 bytes
C:\WINDOWS\system32kbdinbe1.dll 32768 bytes
C:\WINDOWS\system32kbdfi1.dll 32768 bytes
C:\WINDOWS\system32ivfsrc.ax 163840 bytes
C:\WINDOWS\system32ir50_qcx.dll 196608 bytes
C:\WINDOWS\system32iac25_32.ax 229376 bytes
C:\WINDOWS\system32httpapi.dll 32768 bytes
C:\WINDOWS\system32html.iec 425984 bytes
C:\WINDOWS\system32hsfcisp2.dll 32768 bytes
C:\WINDOWS\system32hccoin.dll 32768 bytes
C:\WINDOWS\system32fsquirt.exe 196608 bytes
C:\WINDOWS\system32fltmc.exe 32768 bytes
C:\WINDOWS\system32fltlib.dll 32768 bytes
C:\WINDOWS\system32firewall.cpl 98304 bytes
C:\WINDOWS\system32faxpatch.exe 32768 bytes
C:\WINDOWS\system32encdec.dll 196608 bytes
C:\WINDOWS\system32btpanui.dll 65536 bytes
C:\WINDOWS\system32bthserv.dll 32768 bytes
C:\WINDOWS\system32bthprops.cpl 131072 bytes
C:\WINDOWS\system32bthci.dll 32768 bytes
C:\WINDOWS\system32blastcln.exe 98304 bytes
C:\WINDOWS\system32bitsprx3.dll 32768 bytes
C:\WINDOWS\system32ativvaxx.dll 524288 bytes
C:\WINDOWS\system32ativtmxx.dll 32768 bytes
C:\WINDOWS\system32ativmvxx.ax 32768 bytes
C:\WINDOWS\system32ati3d1ag.dll 884736 bytes
C:\WINDOWS\system32wstpager.ax 196608 bytes
C:\WINDOWS\system32wstrenderer.ax 262144 bytes
C:\WINDOWS\system32vbicodec.ax 65536 bytes
C:\WINDOWS\system32secedit.exe 32768 bytes
C:\WINDOWS\system32spiisupd.exe 32768 bytes
C:\WINDOWS\system32asr_pfu.exe 32768 bytes
C:\WINDOWS\system32vhcqcmcc.ini 1245184 bytes
C:\WINDOWS\system32Camapi32.dll 65536 bytes
C:\WINDOWS\system32dns-sd.exe 65536 bytes
C:\WINDOWS\system32dnssd.dll 65536 bytes
C:\WINDOWS\system32E300.dll 327680 bytes
C:\WINDOWS\system32 SOUNDMAN.EXE 32768 bytes
C:\WINDOWS\system32Comm32.dll 32768 bytes
C:\WINDOWS\system32DC210V204_32.dll 65536 bytes
C:\WINDOWS\system32Dc50ip32.dll 131072 bytes
C:\WINDOWS\system32Dc50v11_32.dll 131072 bytes
C:\WINDOWS\system32E300str.dll 32768 bytes
C:\WINDOWS\system32ImgLibLead.dll 32768 bytes
C:\WINDOWS\system32LFCMP70n.DLL 229376 bytes
C:\WINDOWS\system32Lfbmp70n.dll 32768 bytes
C:\WINDOWS\system32Ltfil70n.dll 65536 bytes
C:\WINDOWS\system32Ltkrn70n.dll 360448 bytes
C:\WINDOWS\system32Nkdscsi.dll 65536 bytes
C:\WINDOWS\system32Nkdserl.dll 65536 bytes
C:\WINDOWS\system32TWAIN_32.DLL 98304 bytes
C:\WINDOWS\system32msls2.dll 98304 bytes
C:\WINDOWS\system32hlp95en.dll 32768 bytes
C:\WINDOWS\system32ochlp30e.dll 65536 bytes
C:\WINDOWS\system32Ltwvc11n.dll 720896 bytes
C:\WINDOWS\system32ltkrn11n.dll 393216 bytes
C:\WINDOWS\system32ltimg11n.dll 131072 bytes
C:\WINDOWS\system32ltfil11n.DLL 131072 bytes
C:\WINDOWS\system32LTDIS11n.dll 294912 bytes
C:\WINDOWS\system32lfwmf11n.dll 65536 bytes
C:\WINDOWS\system32lftif11n.dll 163840 bytes
C:\WINDOWS\system32lftga11n.dll 32768 bytes
C:\WINDOWS\system32lfpsd11n.dll 65536 bytes
C:\WINDOWS\system32Lfpng11n.dll 196608 bytes
C:\WINDOWS\system32lfpcx11n.dll 65536 bytes
C:\WINDOWS\system32lfpcd11n.dll 32768 bytes
C:\WINDOWS\system32lfgif11n.dll 65536 bytes
C:\WINDOWS\system32lffax11n.dll 98304 bytes
C:\WINDOWS\system32lfeps11n.dll 32768 bytes
C:\WINDOWS\system32LFCMP11n.DLL 294912 bytes
C:\WINDOWS\system32lfbmp11n.dll 65536 bytes
C:\WINDOWS\system32Pubole32.dll 98304 bytes
C:\WINDOWS\system32MSRECR40.DLL 32768 bytes
C:\WINDOWS\system32TWUNK_16.EXE 65536 bytes
C:\WINDOWS\system32TWUNK_32.EXE 98304 bytes
C:\WINDOWS\system32VEN2232.OLB 65536 bytes
C:\WINDOWS\system32VBAEND32.OLB 32768 bytes
C:\WINDOWS\system32VBAEN32.OLB 32768 bytes
C:\WINDOWS\system32VBAME.DLL 65536 bytes
C:\WINDOWS\system32MFC42ENU.DLL 65536 bytes
C:\WINDOWS\system32URTTemp
C:\WINDOWS\system32NtmsData
C:\WINDOWS\system32ZWebAuth.dll 32768 bytes
C:\WINDOWS\system32hpgud32.dll 262144 bytes
C:\WINDOWS\system32hpguapi.dll 131072 bytes
C:\WINDOWS\system32hpg4400.dll 65536 bytes
C:\WINDOWS\system32rts8891u.dll 425984 bytes
C:\WINDOWS\system32hpgtpusd.dll 229376 bytes
C:\WINDOWS\system32hpsjvset.dll 131072 bytes
C:\WINDOWS\system32hpgtulbz.dll 262144 bytes
C:\WINDOWS\system32QuickTimeVR.qtx 98304 bytes
C:\WINDOWS\system32DRVSTORE
C:\Documents and Settings\Jason\Application DataInstaller352
C:\Documents and Settings\Jason\Application DataIconCache.db 0 bytes
C:\Documents and Settings\Jason\Application DataGiantPalace
C:\Documents and Settings\Jason\Application DataApple Computer
C:\Documents and Settings\Jason\Application DataRiverdeep Interactive Learning Limited
C:\Documents and Settings\Jason\Application Datafusioncache.dat 32768 bytes
C:\Documents and Settings\Jason\Application DataApple

scan completed successfully
hidden files: 366

**************************************************************************
.
Completion time: 2008-01-27 12:37:18 - machine was rebooted
ComboFix4.txt 2007-04-07 05:59:50
ComboFix5.txt 2007-03-25 03:09:28
ComboFix3.txt 2007-05-19 05:39:24
ComboFix-quarantined-files.txt 2008-01-27 20:37:14
ComboFix2.txt 2008-01-26 09:02:40




Logfile of HijackThis v1.99.1
Scan saved at 12:46:39 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\DRWATSON\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: office.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://bellerock.mi...lay/FlashAX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...ploader_v10.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  • 0

#8
kahdah
Posted 27 January 2008 - 03:31 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
That is ok it deleted all of the files anyway.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\pwisys.ini
C:\WINDOWS\checkcj.ini
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt
================
Next:
You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

  • 0

#9
jcato
Posted 27 January 2008 - 10:18 PM

jcato

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
ComboFix 08-01-23.1C - Jason 2008-01-27 19:56:02.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.102 [GMT -8:00]
Running from: C:\WINDOWS\DRWATSON\Desktop\ComboFix.exe
Command switches used :: C:\WINDOWS\DRWATSON\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\checkcj.ini
C:\WINDOWS\pwisys.ini
.

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\checkcj.ini
C:\WINDOWS\pwisys.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 )))))))))))))))))))))))))))))))
.

2008-01-27 12:24 . 2008-01-27 12:24 1,453,899 --a------ C:\catchme.zip
2008-01-27 10:37 . 2008-01-27 10:37 <DIR> d-------- C:\Program Files\UsUsden200F
2008-01-26 19:03 . 2008-01-26 19:03 <DIR> d--hs---- C:\FOUND.029
2008-01-26 00:32 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 21:09 . 2008-01-21 21:09 <DIR> d-------- C:\Program Files\iPod
2008-01-21 21:08 . 2008-01-21 21:08 <DIR> d-------- C:\Program Files\iTunes
2008-01-14 17:13 . 2008-01-14 17:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\URTTemp
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts
2008-01-06 17:30 . 2008-01-06 17:30 503 --a------ C:\office.lnk
2007-12-30 21:08 . 2007-12-30 21:08 <DIR> d--hs---- C:\FOUND.028
2007-12-29 00:08 . 2007-12-29 00:08 <DIR> d-------- C:\Program Files\ConnectToCasino

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-25 20:48 --------- d-----w C:\Program Files\LimeWire
2007-12-25 20:10 --------- d-----w C:\Program Files\Apple Software Update
2007-12-25 20:08 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-23 00:58 --------- d-----w C:\Program Files\Casino Share Flash Casino
2007-12-20 02:18 --------- d-----w C:\Program Files\BetRoyal Casino
2007-12-18 07:27 --------- d-----w C:\Program Files\Prism Casino
2007-12-16 06:37 --------- d-----w C:\Program Files\Virtual Casino
2007-12-16 00:52 --------- d-----w C:\Program Files\Millionaire Casino
2007-12-13 06:57 --------- d-----w C:\Program Files\Shark Casino
2007-12-11 06:23 --------- d-----w C:\Program Files\Slots of Vegas
2007-12-10 00:43 --------- d-----w C:\Program Files\MayanFortune
2007-12-09 02:51 --------- d-----w C:\Program Files\Golden Riviera Guest Play Flash Casino
2007-12-08 07:23 --------- d-----w C:\Program Files\Cirrus Casino
2007-12-05 02:30 --------- d-----w C:\Program Files\Common Files\Totem Shared
2007-11-10 08:23 3,072 ----a-w C:\WINDOWS\SYSTEM32\ SOUNDMAN.EXE
2002-11-09 21:50 128,975 ----a-w C:\Program Files\winmail.dat
2002-11-03 22:04 232,638 ----a-w C:\Program Files\42acplug_setup.exe
2001-06-21 23:06 271 --sh--w C:\Program Files\desktop.ini
2001-06-21 23:06 23,357 ---h--w C:\Program Files\folder.htt
2002-08-23 02:18 8 --sh--w C:\WINDOWS\DRM\pdrm.dat
.

((((((((((((((((((((((((((((( snapshot_2008-01-27_12.34.46.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-27 20:23:36 1,167,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
+ 2008-01-28 03:55:32 1,167,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-27 20:23:36 503,808 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-28 03:55:32 503,808 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-27 20:23:38 1,163,264 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-28 03:55:32 1,163,264 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-27 20:23:38 503,808 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-28 03:55:32 503,808 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-27 20:23:42 15,314,944 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-28 03:55:38 15,347,712 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-27 20:23:42 663,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-28 03:55:38 663,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2004-08-04 07:56:58 12,288 ----a-w C:\WINDOWS\SYSTEM32\tracert.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 102,400 2002-06-10 22:21:32 C:\Program Files\Common Files\Logitech\QCDriver\bak\LVCOMS.EXE
----a-w 102,400 2002-06-10 22:21:32 C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

----a-w 45,056 2002-06-20 20:25:56 C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe
----a-w 45,056 2002-06-20 20:25:56 C:\Program Files\Logitech\ImageStudio\LogiTray.exe

----a-w 4,662,776 2006-10-25 00:10:18 C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe
----a-w 3,810,544 2007-12-18 01:13:36 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

----a-w 282,624 2006-12-16 02:24:38 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 385,024 2008-01-10 23:27:36 C:\Program Files\QuickTime\QTTask.exe

----a-w 311,350 2000-08-08 21:00:00 C:\Program Files\Microsoft Works\bak\WksSb.exe
----a-w 311,350 2000-08-08 21:00:00 C:\Program Files\Microsoft Works\WksSb.exe

----a-r 307,200 2005-10-24 23:53:40 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

----a-w 1,310,720 2007-01-22 07:14:20 C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe

----a-w 75,520 2006-12-15 11:23:28 C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43 7630848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-08-08 13:00:00 24633]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LDM"=\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"AtiPTA"=Atiptaxx.exe
"SVAPlayer"=C:\Program Files\SVA Player\SVAPLAYER.EXE
"NVQuickTweak"=RUNDLL32.EXE NVQTWK.DLL,NvTaskbarInit
"Uninstall0001"="C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.virtuagay.com!StatsVirtuaGuy
"Uninstall0002"="C:\Program Files\Common Files\Totem Shared\Uninstall0002\upd.exe" LASTCALL!adverts.virtuagay.com!StatsVirtuaGuy

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 04:00]
R3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\RTL8150.SYS [2006-05-10 15:22]
S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 13:58]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-06-10 14:16]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 07:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2008-01-28 03:11:36 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
"2008-01-23 09:00:28 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"
- C:\WINDOWS\DEFRAG.EXE
"2008-01-01 08:30:02 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"
- C:\WINDOWS\CLEANMGR.EXE
"2005-02-05 18:58:30 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2008-01-20 02:11:24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 20:05:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Program Files\AOL Games
C:\Program Files\GameHouse
C:\Program Files\PopCap Games
C:\Program Files\Raptisoft
C:\Program Files\SuperiorCasino
C:\Program Files\Vegas Strip
C:\Program Files\Orchid Online
C:\Program Files\Bonjour
C:\Program Files\Paradise8
C:\Program Files\Cirrus Casino
C:\Program Files\Golden Riviera Guest Play Flash Casino
C:\Program Files\MayanFortune
C:\Program Files\Slots of Vegas
C:\Program Files\Shark Casino
C:\Program Files\Millionaire Casino
C:\Program Files\Virtual Casino
C:\Program Files\Prism Casino
C:\Program Files\BetRoyal Casino
C:\Program Files\Casino Share Flash Casino
C:\Program Files\Apple Software Update
C:\Program Files\LimeWire
C:\Program Files\ConnectToCasino
C:\Program Files\iTunes
C:\Program Files\iPod
C:\Program Files\UsUsden200F
C:\WINDOWS\system32unimdmat.dll 98304 bytes
C:\WINDOWS\system32unimdm.tsp 229376 bytes
C:\WINDOWS\system32umpnpmgr.dll 131072 bytes
C:\WINDOWS\system32umandlg.dll 65536 bytes
C:\WINDOWS\system32termsrv.dll 327680 bytes
C:\WINDOWS\system32termmgr.dll 360448 bytes
C:\WINDOWS\system32tcpmib.dll 32768 bytes
C:\WINDOWS\system32tapi32.dll 196608 bytes
C:\WINDOWS\system32tapi3.dll 884736 bytes
C:\WINDOWS\system32svchost.exe 32768 bytes
C:\WINDOWS\system32strmdll.dll 262144 bytes
C:\WINDOWS\system32stimon.exe 32768 bytes
C:\WINDOWS\system32sstext3d.scr 688128 bytes
C:\WINDOWS\system32ssdpapi.dll 65536 bytes
C:\WINDOWS\system32ssbezier.scr 32768 bytes
C:\WINDOWS\system32srrstr.dll 262144 bytes
C:\WINDOWS\system32sqlsrv32.rll 98304 bytes
C:\WINDOWS\system32sqlsrv32.dll 458752 bytes
C:\WINDOWS\system32spoolsv.exe 65536 bytes
C:\WINDOWS\system32spoolss.dll 98304 bytes
C:\WINDOWS\system32spider.exe 557056 bytes
C:\WINDOWS\system32skeys.exe 32768 bytes
C:\WINDOWS\system32shscrap.dll 32768 bytes
C:\WINDOWS\system32LTIMG12n.DLL 196608 bytes
C:\WINDOWS\system32LTKRN12n.DLL 425984 bytes
C:\WINDOWS\system32LTOCX12n.INF 32768 bytes
C:\WINDOWS\system32LTTWN12n.DLL 65536 bytes
C:\WINDOWS\system32shimgvw.dll 458752 bytes
C:\WINDOWS\system32shimeng.dll 65536 bytes
C:\WINDOWS\system32shgina.dll 98304 bytes
C:\WINDOWS\system32shdoclc.dll 557056 bytes
C:\WINDOWS\system32sfcfiles.dll 1605632 bytes
C:\WINDOWS\system32sfc.dll 32768 bytes
C:\WINDOWS\system32setup.exe 32768 bytes
C:\WINDOWS\system32sens.dll 65536 bytes
C:\WINDOWS\system32sendmail.dll 65536 bytes
C:\WINDOWS\system32seclogon.dll 32768 bytes
C:\WINDOWS\system32sdbinst.exe 98304 bytes
C:\WINDOWS\system32scesrv.dll 327680 bytes
C:\WINDOWS\system32scecli.dll 196608 bytes
C:\WINDOWS\system32sccsccp.dll 196608 bytes
C:\WINDOWS\system32rtipxmib.dll 32768 bytes
C:\WINDOWS\system32rpcrt4.dll 589824 bytes
C:\WINDOWS\system32riched20.dll 458752 bytes
C:\WINDOWS\system32rexec.exe 32768 bytes
C:\WINDOWS\system32remotesp.tsp 98304 bytes
C:\WINDOWS\system32regapi.dll 65536 bytes
C:\WINDOWS\system32reg.exe 65536 bytes
C:\WINDOWS\system32rassapi.dll 32768 bytes
C:\WINDOWS\system32rasphone.exe 65536 bytes
C:\WINDOWS\system32raschap.dll 98304 bytes
C:\WINDOWS\system32rasadhlp.dll 32768 bytes
C:\WINDOWS\system32racpldlg.dll 65536 bytes
C:\WINDOWS\system32quartz.dll 1310720 bytes
C:\WINDOWS\system32qdvd.dll 393216 bytes
C:\WINDOWS\system32pstorec.dll 65536 bytes
C:\WINDOWS\system32psapi.dll 32768 bytes
C:\WINDOWS\system32proquota.exe 65536 bytes
C:\WINDOWS\system32proctexe.ocx 98304 bytes
C:\WINDOWS\system32powercfg.cpl 131072 bytes
C:\WINDOWS\system32ping.exe 32768 bytes
C:\WINDOWS\system32offfilt.dll 131072 bytes
C:\WINDOWS\system32odbcp32r.dll 32768 bytes
C:\WINDOWS\system32odbcjt32.dll 294912 bytes
C:\WINDOWS\system32odbccu32.dll 65536 bytes
C:\WINDOWS\system32odbccr32.dll 65536 bytes
C:\WINDOWS\system32odbccp32.dll 131072 bytes
C:\WINDOWS\system32odbccp32.cpl 32768 bytes
C:\WINDOWS\system32odbcconf.rsp 32768 bytes
C:\WINDOWS\system32odbcconf.dll 163840 bytes
C:\WINDOWS\system32odbcbcp.dll 32768 bytes
C:\WINDOWS\system32odbcad32.exe 32768 bytes
C:\WINDOWS\system32odbc32gt.dll 32768 bytes
C:\WINDOWS\system32odbc32.dll 262144 bytes
C:\WINDOWS\system32occache.dll 98304 bytes
C:\WINDOWS\system32nusrmgr.cpl 262144 bytes
C:\WINDOWS\system32ntmssvc.dll 458752 bytes
C:\WINDOWS\system32ntlanman.dll 65536 bytes
C:\WINDOWS\system32ntdsapi.dll 98304 bytes
C:\WINDOWS\system32npptools.dll 65536 bytes
C:\WINDOWS\system32newdev.dll 262144 bytes
C:\WINDOWS\system32netui1.dll 262144 bytes
C:\WINDOWS\system32netui0.dll 98304 bytes
C:\WINDOWS\system32netstat.exe 65536 bytes
C:\WINDOWS\system32netsh.exe 98304 bytes
C:\WINDOWS\system32netplwiz.dll 884736 bytes
C:\WINDOWS\system32netlogon.dll 425984 bytes
C:\WINDOWS\system32netid.dll 163840 bytes
C:\WINDOWS\system32netapi32.dll 360448 bytes
C:\WINDOWS\system32net1.exe 131072 bytes
C:\WINDOWS\system32nddenb32.dll 32768 bytes
C:\WINDOWS\system32ncobjapi.dll 65536 bytes
C:\WINDOWS\system32narrator.exe 65536 bytes
C:\WINDOWS\system32mtxclu.dll 98304 bytes
C:\WINDOWS\system32msxml2.dll 720896 bytes
C:\WINDOWS\system32msvcrt40.dll 65536 bytes
C:\WINDOWS\system32msvcp60.dll 425984 bytes
C:\WINDOWS\system32msvcirt.dll 65536 bytes
C:\WINDOWS\system32mstinit.exe 32768 bytes
C:\WINDOWS\system32mspaint.exe 360448 bytes
C:\WINDOWS\system32msorc32r.dll 32768 bytes
C:\WINDOWS\system32msoert2.dll 131072 bytes
C:\WINDOWS\system32msimtf.dll 163840 bytes
C:\WINDOWS\system32msimg32.dll 32768 bytes
C:\WINDOWS\system32ntmqodlt.ini 589824 bytes
C:\WINDOWS\system32msieftp.dll 262144 bytes
C:\WINDOWS\system32msidle.dll 32768 bytes
C:\WINDOWS\system32msident.dll 65536 bytes
C:\WINDOWS\system32mshtmler.dll 65536 bytes
C:\WINDOWS\system32mshta.exe 32768 bytes
C:\WINDOWS\system32msexcl40.dll 327680 bytes
C:\WINDOWS\system32msctfp.dll 98304 bytes
C:\WINDOWS\system32mscpx32r.dll 32768 bytes
C:\WINDOWS\system32msconf.dll 98304 bytes
C:\WINDOWS\system32msaud32.acm 294912 bytes
C:\WINDOWS\system32msasn1.dll 65536 bytes
C:\WINDOWS\system32msapsspc.dll 98304 bytes
C:\WINDOWS\system32msadds32.ax 229376 bytes
C:\WINDOWS\system32mprapi.dll 98304 bytes
C:\WINDOWS\system32mpr.dll 65536 bytes
C:\WINDOWS\system32mplay32.exe 131072 bytes
C:\WINDOWS\system32mobsync.exe 163840 bytes
C:\WINDOWS\system32miglibnt.dll 65536 bytes
C:\WINDOWS\system32mfcsubs.dll 32768 bytes
C:\WINDOWS\system32mfc42u.dll 1048576 bytes
C:\WINDOWS\system32mf3216.dll 65536 bytes
C:\WINDOWS\system32mciwave.dll 32768 bytes
C:\WINDOWS\system32lprhelp.dll 32768 bytes
C:\WINDOWS\system32licwmi.dll 65536 bytes
C:\WINDOWS\system32vtegjitf.ini 589824 bytes
C:\WINDOWS\system32keymgr.dll 163840 bytes
C:\WINDOWS\system32kd1394.dll 32768 bytes
C:\WINDOWS\system32joy.cpl 98304 bytes
C:\WINDOWS\system32ipsecsnp.dll 360448 bytes
C:\WINDOWS\system32ipconfig.exe 65536 bytes
C:\WINDOWS\system32intl.cpl 131072 bytes
C:\WINDOWS\system32inetmib1.dll 65536 bytes
C:\WINDOWS\system32imgutil.dll 65536 bytes
C:\WINDOWS\system32ils.dll 98304 bytes
C:\WINDOWS\system32icm32.dll 262144 bytes
C:\WINDOWS\system32iasrad.dll 131072 bytes
C:\WINDOWS\system32hidphone.tsp 32768 bytes
C:\WINDOWS\system32hid.dll 32768 bytes
C:\WINDOWS\system32hdwwiz.cpl 163840 bytes
C:\WINDOWS\system32grpconv.exe 65536 bytes
C:\WINDOWS\system32framebuf.dll 32768 bytes
C:\WINDOWS\system32eudcedit.exe 196608 bytes
C:\WINDOWS\system32es.dll 262144 bytes
C:\WINDOWS\system32ersvc.dll 32768 bytes
C:\WINDOWS\system32els.dll 196608 bytes
C:\WINDOWS\system32dumprep.exe 32768 bytes
C:\WINDOWS\system32dssec.dll 65536 bytes
C:\WINDOWS\system32dnsrslvr.dll 65536 bytes
C:\WINDOWS\system32dnsapi.dll 163840 bytes
C:\WINDOWS\system32dmutil.dll 65536 bytes
C:\WINDOWS\system32dmscript.dll 98304 bytes
C:\WINDOWS\system32ddeshare.exe 32768 bytes
C:\WINDOWS\system32dcache.bin 32768 bytes
C:\WINDOWS\system32dataclen.dll 65536 bytes
C:\WINDOWS\system32cscui.dll 327680 bytes
C:\WINDOWS\system32cscript.exe 98304 bytes
C:\WINDOWS\system32cryptui.dll 524288 bytes
C:\WINDOWS\system32cryptsvc.dll 65536 bytes
C:\WINDOWS\system32cryptnet.dll 65536 bytes
C:\WINDOWS\system32cryptext.dll 65536 bytes
C:\WINDOWS\system32cryptdlg.dll 98304 bytes
C:\WINDOWS\system32credui.dll 163840 bytes
C:\WINDOWS\system32corpol.dll 65536 bytes
C:\WINDOWS\system32comuid.dll 557056 bytes
C:\WINDOWS\system32comres.dll 819200 bytes
C:\WINDOWS\system32compstui.dll 229376 bytes
C:\WINDOWS\system32cnbjmon.dll 65536 bytes
C:\WINDOWS\system32cmutil.dll 65536 bytes
C:\WINDOWS\system32clipsrv.exe 65536 bytes
C:\WINDOWS\system32clbcatex.dll 131072 bytes
C:\WINDOWS\system32ciodm.dll 98304 bytes
C:\WINDOWS\system32cfgbkend.dll 65536 bytes
C:\WINDOWS\system32cdosys.dll 2097152 bytes
C:\WINDOWS\system32catsrvps.dll 98304 bytes
C:\WINDOWS\system32camocx.dll 65536 bytes
C:\WINDOWS\system32browsewm.dll 98304 bytes
C:\WINDOWS\system32nnpoq.ini 32768 bytes
C:\WINDOWS\system32browser.dll 98304 bytes
C:\WINDOWS\system32basesrv.dll 65536 bytes
C:\WINDOWS\system32avifil32.dll 98304 bytes
C:\WINDOWS\system32audiosrv.dll 65536 bytes
C:\WINDOWS\system32atmlib.dll 32768 bytes
C:\WINDOWS\system32atmadm.exe 32768 bytes
C:\WINDOWS\system32ati3d2ag.dll 1081344 bytes
C:\WINDOWS\system32apphelp.dll 131072 bytes
C:\WINDOWS\system32amstream.dll 98304 bytes
C:\WINDOWS\system32alg.exe 65536 bytes
C:\WINDOWS\system32adsnt.dll 294912 bytes
C:\WINDOWS\system32adsldp.dll 196608 bytes
C:\WINDOWS\system32actmovie.exe 32768 bytes
C:\WINDOWS\system32hpguapi.ini 32768 bytes
C:\WINDOWS\system32aclui.dll 131072 bytes
C:\WINDOWS\system32ntbackup.exe 1212416 bytes
C:\WINDOWS\system32xpob2res.dll 458752 bytes
C:\WINDOWS\system32xmlprov.dll 131072 bytes
C:\WINDOWS\system32wuauserv.dll 32768 bytes
C:\WINDOWS\system32wshbth.dll 131072 bytes
C:\WINDOWS\system32wscui.cpl 163840 bytes
C:\WINDOWS\system32wscsvc.dll 98304 bytes
C:\WINDOWS\system32wscntfy.exe 32768 bytes
C:\WINDOWS\system32wmp.dll 4882432 bytes
C:\WINDOWS\system32winshfhc.dll 32768 bytes
C:\WINDOWS\system32winhttp.dll 360448 bytes
C:\WINDOWS\system32winbrand.dll 950272 bytes
C:\WINDOWS\system32twext.dll 65536 bytes
C:\WINDOWS\system32strmfilt.dll 98304 bytes
C:\WINDOWS\system32spupdwxp.exe 32768 bytes
C:\WINDOWS\system32spnpinst.exe 32768 bytes
C:\WINDOWS\system32smbinst.exe 32768 bytes
C:\WINDOWS\system32slserv.exe 98304 bytes
C:\WINDOWS\system32slrundll.exe 65536 bytes
C:\WINDOWS\system32slgen.dll 196608 bytes
C:\WINDOWS\system32slextspk.dll 294912 bytes
C:\WINDOWS\system32slcoinst.dll 98304 bytes
C:\WINDOWS\system32sdhcinst.dll 32768 bytes
C:\WINDOWS\system32sbeio.dll 163840 bytes
C:\WINDOWS\system32qmgr.dll 393216 bytes
C:\WINDOWS\system32powercfg.exe 65536 bytes
C:\WINDOWS\system32pnrpnsp.dll 65536 bytes
C:\WINDOWS\system32p2psvc.dll 557056 bytes
C:\WINDOWS\system32p2pnetsh.dll 98304 bytes
C:\WINDOWS\system32p2pgraph.dll 327680 bytes
C:\WINDOWS\system32p2pgasvc.dll 98304 bytes
C:\WINDOWS\system32p2p.dll 131072 bytes
C:\WINDOWS\system32mtxparhd.dll 1769472 bytes
C:\WINDOWS\system32mssap.dll 163840 bytes
C:\WINDOWS\system32msftedit.dll 557056 bytes
C:\WINDOWS\system32msctfime.ime 196608 bytes
C:\WINDOWS\system32mdmxsdk.dll 98304 bytes
C:\WINDOWS\system32kbdukx.dll 32768 bytes
C:\WINDOWS\system32kbdsmsno.dll 32768 bytes
C:\WINDOWS\system32kbdsmsfi.dll 32768 bytes
C:\WINDOWS\system32kbdno1.dll 32768 bytes
C:\WINDOWS\system32kbdmlt48.dll 32768 bytes
C:\WINDOWS\system32kbdmlt47.dll 32768 bytes
C:\WINDOWS\system32kbdmaori.dll 32768 bytes
C:\WINDOWS\system32kbdinmal.dll 32768 bytes
C:\WINDOWS\system32kbdinben.dll 32768 bytes
C:\WINDOWS\system32kbdinbe1.dll 32768 bytes
C:\WINDOWS\system32kbdfi1.dll 32768 bytes
C:\WINDOWS\system32ivfsrc.ax 163840 bytes
C:\WINDOWS\system32ir50_qcx.dll 196608 bytes
C:\WINDOWS\system32iac25_32.ax 229376 bytes
C:\WINDOWS\system32httpapi.dll 32768 bytes
C:\WINDOWS\system32html.iec 425984 bytes
C:\WINDOWS\system32hsfcisp2.dll 32768 bytes
C:\WINDOWS\system32hccoin.dll 32768 bytes
C:\WINDOWS\system32fsquirt.exe 196608 bytes
C:\WINDOWS\system32fltmc.exe 32768 bytes
C:\WINDOWS\system32fltlib.dll 32768 bytes
C:\WINDOWS\system32firewall.cpl 98304 bytes
C:\WINDOWS\system32faxpatch.exe 32768 bytes
C:\WINDOWS\system32encdec.dll 196608 bytes
C:\WINDOWS\system32btpanui.dll 65536 bytes
C:\WINDOWS\system32bthserv.dll 32768 bytes
C:\WINDOWS\system32bthprops.cpl 131072 bytes
C:\WINDOWS\system32bthci.dll 32768 bytes
C:\WINDOWS\system32blastcln.exe 98304 bytes
C:\WINDOWS\system32bitsprx3.dll 32768 bytes
C:\WINDOWS\system32ativvaxx.dll 524288 bytes
C:\WINDOWS\system32ativtmxx.dll 32768 bytes
C:\WINDOWS\system32ativmvxx.ax 32768 bytes
C:\WINDOWS\system32ati3d1ag.dll 884736 bytes
C:\WINDOWS\system32wstpager.ax 196608 bytes
C:\WINDOWS\system32wstrenderer.ax 262144 bytes
C:\WINDOWS\system32vbicodec.ax 65536 bytes
C:\WINDOWS\system32secedit.exe 32768 bytes
C:\WINDOWS\system32spiisupd.exe 32768 bytes
C:\WINDOWS\system32asr_pfu.exe 32768 bytes
C:\WINDOWS\system32vhcqcmcc.ini 1245184 bytes
C:\WINDOWS\system32Camapi32.dll 65536 bytes
C:\WINDOWS\system32dns-sd.exe 65536 bytes
C:\WINDOWS\system32dnssd.dll 65536 bytes
C:\WINDOWS\system32E300.dll 327680 bytes
C:\WINDOWS\system32 SOUNDMAN.EXE 32768 bytes
C:\WINDOWS\system32Comm32.dll 32768 bytes
C:\WINDOWS\system32DC210V204_32.dll 65536 bytes
C:\WINDOWS\system32Dc50ip32.dll 131072 bytes
C:\WINDOWS\system32Dc50v11_32.dll 131072 bytes
C:\WINDOWS\system32E300str.dll 32768 bytes
C:\WINDOWS\system32ImgLibLead.dll 32768 bytes
C:\WINDOWS\system32LFCMP70n.DLL 229376 bytes
C:\WINDOWS\system32Lfbmp70n.dll 32768 bytes
C:\WINDOWS\system32Ltfil70n.dll 65536 bytes
C:\WINDOWS\system32Ltkrn70n.dll 360448 bytes
C:\WINDOWS\system32Nkdscsi.dll 65536 bytes
C:\WINDOWS\system32Nkdserl.dll 65536 bytes
C:\WINDOWS\system32TWAIN_32.DLL 98304 bytes
C:\WINDOWS\system32msls2.dll 98304 bytes
C:\WINDOWS\system32hlp95en.dll 32768 bytes
C:\WINDOWS\system32ochlp30e.dll 65536 bytes
C:\WINDOWS\system32Ltwvc11n.dll 720896 bytes
C:\WINDOWS\system32ltkrn11n.dll 393216 bytes
C:\WINDOWS\system32ltimg11n.dll 131072 bytes
C:\WINDOWS\system32ltfil11n.DLL 131072 bytes
C:\WINDOWS\system32LTDIS11n.dll 294912 bytes
C:\WINDOWS\system32lfwmf11n.dll 65536 bytes
C:\WINDOWS\system32lftif11n.dll 163840 bytes
C:\WINDOWS\system32lftga11n.dll 32768 bytes
C:\WINDOWS\system32lfpsd11n.dll 65536 bytes
C:\WINDOWS\system32Lfpng11n.dll 196608 bytes
C:\WINDOWS\system32lfpcx11n.dll 65536 bytes
C:\WINDOWS\system32lfpcd11n.dll 32768 bytes
C:\WINDOWS\system32lfgif11n.dll 65536 bytes
C:\WINDOWS\system32lffax11n.dll 98304 bytes
C:\WINDOWS\system32lfeps11n.dll 32768 bytes
C:\WINDOWS\system32LFCMP11n.DLL 294912 bytes
C:\WINDOWS\system32lfbmp11n.dll 65536 bytes
C:\WINDOWS\system32Pubole32.dll 98304 bytes
C:\WINDOWS\system32MSRECR40.DLL 32768 bytes
C:\WINDOWS\system32TWUNK_16.EXE 65536 bytes
C:\WINDOWS\system32TWUNK_32.EXE 98304 bytes
C:\WINDOWS\system32VEN2232.OLB 65536 bytes
C:\WINDOWS\system32VBAEND32.OLB 32768 bytes
C:\WINDOWS\system32VBAEN32.OLB 32768 bytes
C:\WINDOWS\system32VBAME.DLL 65536 bytes
C:\WINDOWS\system32MFC42ENU.DLL 65536 bytes
C:\WINDOWS\system32URTTemp
C:\WINDOWS\system32NtmsData
C:\WINDOWS\system32ZWebAuth.dll 32768 bytes
C:\WINDOWS\system32hpgud32.dll 262144 bytes
C:\WINDOWS\system32hpguapi.dll 131072 bytes
C:\WINDOWS\system32hpg4400.dll 65536 bytes
C:\WINDOWS\system32rts8891u.dll 425984 bytes
C:\WINDOWS\system32hpgtpusd.dll 229376 bytes
C:\WINDOWS\system32hpsjvset.dll 131072 bytes
C:\WINDOWS\system32hpgtulbz.dll 262144 bytes
C:\WINDOWS\system32QuickTimeVR.qtx 98304 bytes
C:\WINDOWS\system32DRVSTORE
C:\Documents and Settings\Jason\Application DataInstaller352
C:\Documents and Settings\Jason\Application DataIconCache.db 0 bytes
C:\Documents and Settings\Jason\Application DataGiantPalace
C:\Documents and Settings\Jason\Application DataApple Computer
C:\Documents and Settings\Jason\Application DataRiverdeep Interactive Learning Limited
C:\Documents and Settings\Jason\Application Datafusioncache.dat 32768 bytes
C:\Documents and Settings\Jason\Application DataApple

scan completed successfully
hidden files: 366

**************************************************************************
.
Completion time: 2008-01-27 20:08:41 - machine was rebooted
ComboFix5.txt 2007-04-07 05:59:50
ComboFix4.txt 2007-05-19 05:39:24
ComboFix-quarantined-files.txt 2008-01-28 04:08:36
ComboFix3.txt 2008-01-26 09:02:40
ComboFix2.txt 2008-01-27 20:37:20



Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 01/27/2008
The current time is: 20:16:29.73


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

12/15/2006 06:24 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\MICROS~3\BAK

08/08/2000 01:00 PM 311,350 WksSb.exe
1 File(s) 311,350 bytes

Directory of C:\PROGRA~1\SUPERA~1\BAK

01/21/2007 11:14 PM 1,310,720 SUPERAntiSpyware.exe
1 File(s) 1,310,720 bytes

Directory of C:\PROGRA~1\LOGITECH\IMAGES~1\BAK

06/20/2002 12:25 PM 45,056 LogiTray.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

10/24/2006 04:10 PM 4,662,776 YahooMessenger.exe
1 File(s) 4,662,776 bytes

Directory of C:\PROGRA~1\COMMON~1\LOGITECH\QCDRIVER\BAK

06/10/2002 02:21 PM 102,400 LVCOMS.EXE
1 File(s) 102,400 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

10/24/2005 03:53 PM 307,200 AdobeUpdateManager.exe
1 File(s) 307,200 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK

12/15/2006 03:23 AM 75,520 jusched.exe
1 File(s) 75,520 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

385024 Jan 10 2008 "C:\Program Files\QuickTime\QTTask.exe"
282624 Dec 15 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
282624 Dec 15 2006 "C:\unzipped\zipandsubmit\zipandsubmit\qttask.exe"
282624 Dec 15 2006 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\qttask.exe"
282624 Dec 15 2006 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\qttask.exe"
311350 Aug 8 2000 "C:\Program Files\Microsoft Works\WksSb.exe"
311350 Aug 8 2000 "C:\Program Files\Microsoft Works\bak\WksSb.exe"
311350 Aug 8 2000 "C:\unzipped\zipandsubmit\zipandsubmit\WksSb.exe"
311350 Aug 8 2000 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\WksSb.exe"
311350 Aug 8 2000 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\WksSb.exe"
1310720 Jan 21 2007 "C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
1310720 Jan 21 2007 "C:\unzipped\zipandsubmit\zipandsubmit\SUPERAntiSpyware.exe"
1310720 Jan 21 2007 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\SUPERAntiSpyware.exe"
1310720 Jan 21 2007 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\SUPERAntiSpyware.exe"
45056 Jun 20 2002 "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
45056 Jun 20 2002 "C:\unzipped\zipandsubmit\zipandsubmit\LogiTray.exe"
45056 Jun 20 2002 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\LogiTray.exe"
45056 Jun 20 2002 "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
45056 Jun 20 2002 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\LogiTray.exe"
3810544 Dec 17 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4662776 Oct 24 2006 "C:\unzipped\zipandsubmit\zipandsubmit\YahooMessenger.exe"
4662776 Oct 24 2006 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\YahooMessenger.exe"
4662776 Oct 24 2006 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
4662776 Oct 24 2006 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\YahooMessenger.exe"
102400 Jun 10 2002 "C:\WINDOWS\SYSTEM32\LVComS.exe"
102400 Jun 10 2002 "C:\unzipped\zipandsubmit\zipandsubmit\LVCOMS.EXE"
102400 Jun 10 2002 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\LVCOMS.EXE"
102400 Jun 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE"
102400 Jun 10 2002 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\LVCOMS.EXE"
102400 Jun 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver\bak\LVCOMS.EXE"
2321600 Feb 28 2007 "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
307200 Oct 24 2005 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
36975 Apr 13 2005 "C:\unzipped\zipandsubmit\zipandsubmit\jusched.exe"
36975 Apr 13 2005 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
36975 Apr 13 2005 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"


end of report
  • 0

#10
kahdah
Posted 28 January 2008 - 03:24 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Is the zip and submit something you created or something that was made from running Combofix?
For example >"C:\unzipped\zipandsubmit\zipandsubmit\qttask.exe"
"C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\WksSb.exe"
"C:\unzipped\zipandsubmit\zipandsubmit\SUPERAntiSpyware.exe"
===============================================
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    Insert Files to be moved

    Acceptable entries
    "C:\Program Files\QuickTime\bak\qttask.exe"
    "C:\Program Files\Microsoft Works\bak\WksSb.exe"
    "C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
    "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
    "C:\Program Files\Common Files\Logitech\QCDriver\bak\LVCOMS.EXE"
    "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
    "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
    "C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for .bak folder
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

  • 0

#11
jcato
Posted 28 January 2008 - 11:39 AM

jcato

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
I didn't create them- it must have been from running combo fix...here's the log. Thanks



Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Mon 01/28/2008
The current time is: 9:35:21.82


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

12/15/2006 06:24 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\MICROS~3\BAK

08/08/2000 01:00 PM 311,350 WksSb.exe
1 File(s) 311,350 bytes

Directory of C:\PROGRA~1\SUPERA~1\BAK

01/21/2007 11:14 PM 1,310,720 SUPERAntiSpyware.exe
1 File(s) 1,310,720 bytes

Directory of C:\PROGRA~1\LOGITECH\IMAGES~1\BAK

06/20/2002 12:25 PM 45,056 LogiTray.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

10/24/2006 04:10 PM 4,662,776 YahooMessenger.exe
1 File(s) 4,662,776 bytes

Directory of C:\PROGRA~1\COMMON~1\LOGITECH\QCDRIVER\BAK

06/10/2002 02:21 PM 102,400 LVCOMS.EXE
1 File(s) 102,400 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

10/24/2005 03:53 PM 307,200 AdobeUpdateManager.exe
1 File(s) 307,200 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK

12/15/2006 03:23 AM 75,520 jusched.exe
1 File(s) 75,520 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

385024 Jan 10 2008 "C:\Program Files\QuickTime\QTTask.exe"
282624 Dec 15 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
282624 Dec 15 2006 "C:\unzipped\zipandsubmit\zipandsubmit\qttask.exe"
282624 Dec 15 2006 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\qttask.exe"
282624 Dec 15 2006 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\qttask.exe"
311350 Aug 8 2000 "C:\Program Files\Microsoft Works\WksSb.exe"
311350 Aug 8 2000 "C:\Program Files\Microsoft Works\bak\WksSb.exe"
311350 Aug 8 2000 "C:\unzipped\zipandsubmit\zipandsubmit\WksSb.exe"
311350 Aug 8 2000 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\WksSb.exe"
311350 Aug 8 2000 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\WksSb.exe"
1310720 Jan 21 2007 "C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
1310720 Jan 21 2007 "C:\unzipped\zipandsubmit\zipandsubmit\SUPERAntiSpyware.exe"
1310720 Jan 21 2007 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\SUPERAntiSpyware.exe"
1310720 Jan 21 2007 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\SUPERAntiSpyware.exe"
45056 Jun 20 2002 "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
45056 Jun 20 2002 "C:\unzipped\zipandsubmit\zipandsubmit\LogiTray.exe"
45056 Jun 20 2002 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\LogiTray.exe"
45056 Jun 20 2002 "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
45056 Jun 20 2002 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\LogiTray.exe"
3810544 Dec 17 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4662776 Oct 24 2006 "C:\unzipped\zipandsubmit\zipandsubmit\YahooMessenger.exe"
4662776 Oct 24 2006 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\YahooMessenger.exe"
4662776 Oct 24 2006 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
4662776 Oct 24 2006 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\YahooMessenger.exe"
102400 Jun 10 2002 "C:\WINDOWS\SYSTEM32\LVComS.exe"
102400 Jun 10 2002 "C:\unzipped\zipandsubmit\zipandsubmit\LVCOMS.EXE"
102400 Jun 10 2002 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\LVCOMS.EXE"
102400 Jun 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE"
102400 Jun 10 2002 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\LVCOMS.EXE"
102400 Jun 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver\bak\LVCOMS.EXE"
2321600 Feb 28 2007 "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
307200 Oct 24 2005 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
36975 Apr 13 2005 "C:\unzipped\zipandsubmit\zipandsubmit\jusched.exe"
36975 Apr 13 2005 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
36975 Apr 13 2005 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"


end of report
  • 0

#12
kahdah
Posted 28 January 2008 - 11:52 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Strange because I didn't tell Combofix anything about those files so I am not sure why those would be there.

  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\Program Files\QuickTime\bak
    C:\Program Files\Microsoft Works\bak
    C:\Program Files\SUPERAntiSpyware\bak
    C:\Program Files\Logitech\ImageStudio\bak
    C:\Program Files\Common Files\Logitech\QCDriver\bak
    C:\Program Files\Yahoo!\Messenger\bak
    C:\Program Files\Adobe\Acrobat 7.0\Reader\bak
    C:\Program Files\Java\jre1.5.0_11\bin\bak

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for .bak folder
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

  • 0

#13
jcato
Posted 28 January 2008 - 03:52 PM

jcato

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
here's the log...



Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Mon 01/28/2008
The current time is: 13:48:12.08


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

12/15/2006 06:24 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\MICROS~3\BAK

08/08/2000 01:00 PM 311,350 WksSb.exe
1 File(s) 311,350 bytes

Directory of C:\PROGRA~1\SUPERA~1\BAK

01/21/2007 11:14 PM 1,310,720 SUPERAntiSpyware.exe
1 File(s) 1,310,720 bytes

Directory of C:\PROGRA~1\LOGITECH\IMAGES~1\BAK

06/20/2002 12:25 PM 45,056 LogiTray.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

10/24/2006 04:10 PM 4,662,776 YahooMessenger.exe
1 File(s) 4,662,776 bytes

Directory of C:\PROGRA~1\COMMON~1\LOGITECH\QCDRIVER\BAK

06/10/2002 02:21 PM 102,400 LVCOMS.EXE
1 File(s) 102,400 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

10/24/2005 03:53 PM 307,200 AdobeUpdateManager.exe
1 File(s) 307,200 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK

12/15/2006 03:23 AM 75,520 jusched.exe
1 File(s) 75,520 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

385024 Jan 10 2008 "C:\Program Files\QuickTime\QTTask.exe"
282624 Dec 15 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
282624 Dec 15 2006 "C:\unzipped\zipandsubmit\zipandsubmit\qttask.exe"
282624 Dec 15 2006 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\qttask.exe"
282624 Dec 15 2006 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\qttask.exe"
311350 Aug 8 2000 "C:\Program Files\Microsoft Works\WksSb.exe"
311350 Aug 8 2000 "C:\Program Files\Microsoft Works\bak\WksSb.exe"
311350 Aug 8 2000 "C:\unzipped\zipandsubmit\zipandsubmit\WksSb.exe"
311350 Aug 8 2000 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\WksSb.exe"
311350 Aug 8 2000 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\WksSb.exe"
1310720 Jan 21 2007 "C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
1310720 Jan 21 2007 "C:\unzipped\zipandsubmit\zipandsubmit\SUPERAntiSpyware.exe"
1310720 Jan 21 2007 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\SUPERAntiSpyware.exe"
1310720 Jan 21 2007 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\SUPERAntiSpyware.exe"
45056 Jun 20 2002 "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
45056 Jun 20 2002 "C:\unzipped\zipandsubmit\zipandsubmit\LogiTray.exe"
45056 Jun 20 2002 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\LogiTray.exe"
45056 Jun 20 2002 "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
45056 Jun 20 2002 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\LogiTray.exe"
3810544 Dec 17 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4662776 Oct 24 2006 "C:\unzipped\zipandsubmit\zipandsubmit\YahooMessenger.exe"
4662776 Oct 24 2006 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\YahooMessenger.exe"
4662776 Oct 24 2006 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
4662776 Oct 24 2006 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\YahooMessenger.exe"
102400 Jun 10 2002 "C:\WINDOWS\SYSTEM32\LVComS.exe"
102400 Jun 10 2002 "C:\unzipped\zipandsubmit\zipandsubmit\LVCOMS.EXE"
102400 Jun 10 2002 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\LVCOMS.EXE"
102400 Jun 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE"
102400 Jun 10 2002 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\LVCOMS.EXE"
102400 Jun 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver\bak\LVCOMS.EXE"
2321600 Feb 28 2007 "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
307200 Oct 24 2005 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
36975 Apr 13 2005 "C:\unzipped\zipandsubmit\zipandsubmit\jusched.exe"
36975 Apr 13 2005 "C:\WINDOWS\DRWATSON\Desktop\zipandsubmit\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
36975 Apr 13 2005 "C:\WINDOWS\DRWATSON\Desktop\fix\zipandsubmit\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"


end of report
  • 0

#14
kahdah
Posted 28 January 2008 - 06:54 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\QuickTime\bak
C:\Program Files\Microsoft Works\bak
C:\Program Files\SUPERAntiSpyware\bak
C:\Program Files\Logitech\ImageStudio\bak
C:\Program Files\Common Files\Logitech\QCDriver\bak
C:\Program Files\Yahoo!\Messenger\bak
C:\Program Files\Adobe\Acrobat 7.0\Reader\bak
C:\Program Files\Java\jre1.5.0_11\bin\bak
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Edited by kahdah, 29 January 2008 - 03:17 AM.

  • 0

#15
kahdah
Posted 07 February 2009 - 10:03 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP