I cannot delete this file ljjhh.dll [RESOLVED]



#1 lukee (New Member)
Hello there,

I downloaded a key generator for Office Enterprise 2007. The minute I extracted the file, my Spybot TeaTimer thing started going mad, saying an important registry entry has been changed and did I want to deny the change; if I click "remember this answer" the screen becomes full of boxes. Anyway, enough about that. My AVG will not pick up this problem after a scan. I have found the problem and it's the ljjhh.dll file, which is in my temp folder. I cannot delete this as rundll32.exe is using it the whole time. I have read some solutions on this site but I'm not sure if they apply to my problem as well, as the other people appeared to have a lot more spyware apart from that little baby!

Can you give me any advice, guys? I have included my HJ log.

Thanks for any help in advance

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:54:37, on 07/03/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\James H\Desktop\HiJackThis_v2.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDog303] C:\Windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\JAMESH~1\AppData\Local\Temp\ljjhh.dll,#1
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{467DACD0-FE46-4442-9DB9-588B8D625A92}: NameServer = 213.233.128.1 213.233.128.19
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10714 bytes
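The autostart entry that matters in the log above is the O4 line "HKCU\..\Run: [MSServer] rundll32.exe C:\Users\JAMESH~1\AppData\Local\Temp\ljjhh.dll,#1": a per-user Run value that has rundll32.exe load the DLL out of %Temp% by ordinal at every logon, which is why the file is in use the whole time the user is logged on. The script below is an added example for this thread, not part of the original post and not a feature of HijackThis or ComboFix. It parses O4 lines (four copied from the log above serve as constructed input), flags images that run from user-writable temp/profile directories or that rundll32 calls by ordinal, and prints the cleanup order for a hit: remove the Run value first so the loader cannot come back, find the process holding the DLL with "tasklist /M", then delete the file. The path heuristic, the scoring and the function names are the example's own assumptions, not HijackThis conventions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed test input: four O4 lines copied from the HijackThis log in the post above.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart',
    r'O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray',
    r'O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\JAMESH~1\AppData\Local\Temp\ljjhh.dll,#1',
    r"O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')",
]

# HJT O4 format: "O4 - <hive>\..\<key>: [<value name>] <command> (User '<account>')"
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# "rundll32.exe <dll>,<entry>"; the entry may be a name or an ordinal such as #1
RUNDLL_RE = re.compile(r'^"?(?P<loader>[^"\s]*rundll32(?:\.exe)?)"?\s+(?P<rest>.+)$', re.I)
# First image on an ordinary command line, quoted or not
FIRST_IMAGE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|com|bat|cmd))\b', re.I)
# Assumption of this example: nothing legitimate autostarts out of these directories.
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|AppData|Application Data|Local Settings)\\", re.I)


@dataclass
class Finding:
    hive: str
    key: str
    name: str
    cmd: str
    user: Optional[str]
    target: str                   # the image actually executed or loaded
    loader: Optional[str] = None  # rundll32 when a DLL is loaded indirectly
    entry: Optional[str] = None   # rundll32 entry point (name or "#ordinal")
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_o4(line: str) -> Optional[Finding]:
    """Parse one O4 line into a Finding, or None for any other HJT line type."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m["cmd"]
    loader = entry = None
    r = RUNDLL_RE.match(cmd)
    if r:
        loader = r["loader"]
        dll, sep, ep = r["rest"].rpartition(",")
        target = (dll if sep else r["rest"]).strip('"')
        entry = ep.strip() if sep else None
    else:
        im = FIRST_IMAGE_RE.match(cmd)
        target = im["path"] if im else cmd
    f = Finding(m["hive"], m["key"], m["name"], cmd, m["user"], target, loader, entry)
    if USER_WRITABLE_RE.search(target):
        f.reasons.append("image lives in a user-writable temp/profile directory")
    if entry and re.fullmatch(r"#\d+", entry):
        f.reasons.append("rundll32 calls the DLL by ordinal, not by a named export")
    return f


def triage(lines) -> list[Finding]:
    return [f for f in map(parse_o4, lines) if f is not None]


def reg_key(hive: str, key: str) -> str:
    # HJT abbreviates HKU\<SID> as HKUS\<SID>; reg.exe wants the real root name.
    root = hive.replace("HKUS\\", "HKU\\", 1)
    return root + r"\Software\Microsoft\Windows\CurrentVersion" + "\\" + key


def remediation(f: Finding) -> list[str]:
    """Cleanup order: cut the autorun first, find the process holding the file, then delete it."""
    steps = [f'reg delete "{reg_key(f.hive, f.key)}" /v "{f.name}" /f']
    if f.loader:
        dll_name = f.target.rsplit("\\", 1)[-1]
        steps.append(f"tasklist /M {dll_name}")  # which rundll32 instance has the DLL mapped
    steps.append(f'del /f "{f.target}"')
    return steps


if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"[{flag}] {f.hive}\\{f.key} [{f.name}] -> {f.target}")
        for why in f.reasons:
            print("   -", why)
        if f.suspicious:
            for step in remediation(f):
                print("   $", step)
```

The HKUS\S-1-5-19 and S-1-5-20 entries in the log are the service-account hives and are Vista defaults; the script leaves them alone because it keys on the image path and entry point, not on the hive. Ending the one rundll32.exe that "tasklist /M" names is enough to unlock the file; killing every rundll32.exe instance also takes down the NVIDIA tray entries shown in the same log.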


#2 sarahw (Malware Staff)
Hi,
Welcome to the site

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.
You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode so you will be unable to access this thread at that time.
Please don't use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition than it is when infected) if used incorrectly.
These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat. :)

#3 sarahw (Malware Staff)
Hi,

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

I downloaded a key generator for office enterprise 2007

The software keys come with the software. If you didn't get one, you should contact Microsoft or the place where you bought it.

Edited by sarahw, 08 March 2008 - 04:36 AM.


#4 lukee (Topic Starter, New Member)
Hi Sarah,

Thanks a million for your help. You're as good. I hope I have done the things you asked me the right way. I've included the two logs as requested. The file I was telling you about originally seems to have gone out of the temp folder, but there is another new baddy, ssqro.dll; Spybot is going mad with that one now. Will I just keep denying its access to the system startup registry? It just keeps popping up.

Anyways thanks again

Luke

Here's my ComboFix log:

ComboFix 08-03-07.4 - James H 2008-03-08 20:09:00.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.852 [GMT 0:00]
Running from: C:\Users\James H\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-08 19:53 . 2008-03-08 19:53 <DIR> d-------- C:\ComboFix(2)
2008-03-07 20:54 . 2008-03-07 20:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-07 20:37 . 2008-01-04 20:34 163,696 --a------ C:\Windows\System32\drivers\ssidrv.sys
2008-03-07 20:37 . 2008-01-04 20:34 23,920 --a------ C:\Windows\System32\drivers\sskbfd.sys
2008-03-07 20:37 . 2008-01-04 20:34 20,336 --a------ C:\Windows\System32\drivers\SSFS0BB9.sys
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\Users\James H\AppData\Roaming\Webroot
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\Users\All Users\Webroot
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\ProgramData\Webroot
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\Program Files\Webroot
2008-03-07 20:36 . 2008-01-04 20:56 1,526,640 --a------ C:\Windows\WRSetup.dll
2008-03-07 20:36 . 2008-01-04 20:34 21,872 --a------ C:\Windows\System32\drivers\sshrmd.sys
2008-03-07 20:32 . 2008-03-07 20:32 164 --a------ C:\install.dat
2008-03-07 00:47 . 2008-03-07 00:47 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-06 19:52 . 2008-03-06 20:31 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-03-06 19:52 . 2008-03-06 20:31 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-03-06 19:52 . 2008-03-06 19:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-06 16:51 . 2008-03-06 16:54 <DIR> d-------- C:\Program Files\Windows Live
2008-03-06 16:51 . 2008-03-06 16:54 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-06 16:50 . 2008-03-06 16:50 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-03-06 16:50 . 2008-03-06 16:50 <DIR> d-------- C:\ProgramData\WLInstaller
2008-03-06 13:32 . 2008-03-06 13:32 <DIR> d--hs---- C:\found.000
2008-03-05 10:46 . 2008-03-08 12:24 <DIR> d-------- C:\Users\James H\AppData\Roaming\VMware
2008-03-04 23:43 . 2007-10-08 09:27 436,784 --a------ C:\Windows\System32\vnetlib.dll
2008-03-04 23:43 . 2007-10-08 09:26 150,064 --a------ C:\Windows\System32\vmnat.exe
2008-03-04 23:43 . 2007-10-08 09:26 121,392 --a------ C:\Windows\System32\vmnetdhcp.exe
2008-03-04 23:43 . 2007-10-08 09:26 50,992 -ra------ C:\Windows\System32\vmnetbridge.dll
2008-03-04 23:43 . 2007-10-08 09:26 28,592 -ra------ C:\Windows\System32\drivers\vmnetbridge.sys
2008-03-04 23:43 . 2007-10-08 09:27 25,008 --a------ C:\Windows\System32\drivers\vmnetuserif.sys
2008-03-04 23:43 . 2007-10-08 09:26 17,712 -ra------ C:\Windows\System32\drivers\vmnet.sys
2008-03-04 23:43 . 2007-10-08 09:26 16,816 --a------ C:\Windows\System32\drivers\vmnetadapter.sys
2008-03-04 23:43 . 2007-10-08 09:26 13,104 --a------ C:\Windows\System32\vnetinst.dll
2008-03-04 23:41 . 2007-10-08 09:26 30,768 --a------ C:\Windows\System32\drivers\vmusb.sys
2008-03-04 23:41 . 2007-10-08 09:27 20,912 --a------ C:\Windows\System32\drivers\VMkbd.sys
2008-03-04 23:41 . 2008-03-04 23:41 1,024 --a------ C:\.rnd
2008-03-04 23:38 . 2008-03-08 12:25 <DIR> d-------- C:\Users\All Users\VMware
2008-03-04 23:38 . 2008-03-08 12:25 <DIR> d-------- C:\ProgramData\VMware
2008-03-04 23:37 . 2008-03-04 23:37 <DIR> d-------- C:\Program Files\VMware
2008-03-04 23:37 . 2008-03-04 23:37 <DIR> d-------- C:\Program Files\Common Files\VMware
2008-03-04 18:06 . 2008-03-04 18:12 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-03-04 18:06 . 2008-03-04 18:12 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-03-04 18:06 . 2008-03-04 18:08 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-03-04 18:06 . 2008-03-04 18:07 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-03-04 18:03 . 2008-03-04 18:03 <DIR> d-------- C:\Program Files\Microsoft SDKs
2008-03-04 17:56 . 2007-10-27 00:46 779,800 --a------ C:\Windows\System32\PresentationNative_v0300.dll
2008-03-04 17:56 . 2007-10-27 00:46 579,584 --a------ C:\Windows\System32\icardagt.exe
2008-03-04 17:56 . 2007-10-27 00:46 350,744 --a------ C:\Windows\System32\PresentationHost.exe
2008-03-04 17:56 . 2007-10-27 00:46 106,520 --a------ C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2008-03-04 17:56 . 2007-10-30 03:12 88,576 --a------ C:\Windows\System32\infocardapi.dll
2008-03-04 17:56 . 2007-10-27 00:46 33,304 --a------ C:\Windows\System32\PresentationHostProxy.dll
2008-03-04 17:56 . 2007-10-30 03:09 28,160 --a------ C:\Windows\System32\infocardcpl.cpl
2008-03-04 17:56 . 2007-10-27 00:46 11,776 --a------ C:\Windows\System32\icardres.dll
2008-03-04 17:45 . 2007-10-27 00:46 41,984 --a------ C:\Windows\System32\netfxperf.dll
2008-03-04 17:44 . 2007-10-27 00:46 158,720 --a------ C:\Windows\System32\mscorier.dll
2008-03-04 17:44 . 2007-10-27 00:46 84,480 --a------ C:\Windows\System32\mscories.dll
2008-03-04 17:43 . 2007-10-27 00:46 282,112 --a------ C:\Windows\System32\mscoree.dll
2008-03-04 17:43 . 2007-10-27 00:46 96,760 --a------ C:\Windows\System32\dfshim.dll
2008-03-03 17:14 . 2008-03-03 17:14 <DIR> d-------- C:\Program Files\WebSite eXtractor
2008-03-03 17:14 . 2008-03-03 17:14 <DIR> d-------- C:\Internet
2008-03-03 17:14 . 2008-03-03 17:14 <DIR> d-------- C:\install
2008-02-28 20:19 . 2008-02-28 20:19 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-02-28 14:12 . 2008-02-28 14:12 <DIR> d-------- C:\perflogs
2008-02-27 19:20 . 2008-02-27 19:20 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-27 19:20 . 2008-02-27 19:20 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-27 19:11 . 2008-02-27 19:11 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-02-27 19:10 . 2008-02-27 19:10 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-27 19:10 . 2008-02-27 19:10 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-02-27 19:10 . 2008-02-27 19:10 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-02-27 19:10 . 2008-02-27 19:10 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-02-27 19:10 . 2008-02-27 19:10 2,048 --a------ C:\Windows\System32\asferror.dll
2008-02-27 19:09 . 2008-02-27 19:09 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-02-27 19:08 . 2008-02-27 19:08 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
2008-02-27 19:08 . 2008-02-27 19:08 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
2008-02-27 19:08 . 2008-02-27 19:08 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
2008-02-27 19:08 . 2008-02-27 19:08 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
2008-02-27 19:06 . 2008-02-27 19:06 2,048 --a------ C:\Windows\System32\tzres.dll
2008-02-27 19:04 . 2008-02-27 19:04 1,831,424 --a------ C:\Windows\System32\inetcpl.cpl
2008-02-27 19:04 . 2008-02-27 19:04 56,320 --a------ C:\Windows\System32\iesetup.dll
2008-02-27 19:04 . 2008-02-27 19:04 26,624 --a------ C:\Windows\System32\ieUnatt.exe
2008-02-27 19:03 . 2008-02-27 19:03 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-02-21 23:49 . 2008-02-28 14:24 <DIR> d-------- C:\Program Files\ThumbNailer
2008-02-21 23:49 . 2008-02-21 23:49 <DIR> d-------- C:\Program Files\ClickPic
2008-02-19 17:32 . 2003-06-18 17:31 17,920 --a------ C:\Windows\System32\mdimon.dll
2008-02-19 17:29 . 2008-02-19 17:29 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-02-19 17:28 . 2008-02-19 17:28 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-19 17:27 . 2008-02-19 17:27 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-19 17:26 . 2008-02-19 17:26 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-19 17:19 . 2008-02-19 17:19 <DIR> dr-h----- C:\MSOCache
2008-02-10 21:14 . 2008-02-10 21:14 <DIR> d-------- C:\Program Files\Alex Feinman
2008-02-10 21:06 . 2008-02-10 21:06 <DIR> d-------- C:\Users\All Users\TrueCrypt
2008-02-10 21:06 . 2008-02-10 21:06 <DIR> d-------- C:\ProgramData\TrueCrypt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 23:41 --------- d-----w C:\Users\James H\AppData\Roaming\Skype
2008-03-07 20:45 --------- d-----w C:\Users\James H\AppData\Roaming\AVG7
2008-03-07 19:54 0 ----a-w C:\Windows\system32\drivers\lvuvc.hs
2008-03-07 18:42 53,768 ----a-w C:\Windows\system32\drivers\avgwfp.sys
2008-03-06 19:47 --------- d-----w C:\Users\James H\AppData\Roaming\uTorrent
2008-03-03 18:34 --------- d-----w C:\Users\James H\AppData\Roaming\TrueCrypt
2008-02-29 23:49 --------- d-----w C:\Users\James H\AppData\Roaming\LimeWire
2008-02-28 15:03 --------- d-----w C:\ProgramData\avg7
2008-02-28 12:22 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-28 12:22 --------- d-----w C:\Program Files\Windows Mail
2008-02-27 19:11 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-27 19:10 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-27 19:10 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-27 19:10 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-27 19:10 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-27 19:05 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-27 19:04 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 23:27 --------- d-----w C:\ProgramData\Kontiki
2008-02-17 13:59 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-10 20:12 225,344 ----a-w C:\Windows\system32\drivers\truecrypt.sys
2008-02-03 18:56 --------- d-----w C:\Program Files\UltraVNC
2008-02-02 22:37 --------- d-----w C:\Program Files\TrueCrypt
2008-01-30 22:32 --------- d-----w C:\Program Files\Bonjour
2008-01-30 16:38 --------- d-----w C:\ProgramData\FLEXnet
2008-01-30 16:27 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-01-29 15:55 --------- d-----w C:\Program Files\Microsoft FrontPage
2008-01-28 23:01 --------- d-----w C:\ProgramData\Bryxen Software
2008-01-28 23:01 --------- d-----w C:\Program Files\Bryxen Software
2008-01-24 19:20 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-23 23:19 --------- d-----w C:\ProgramData\Logishrd
2008-01-23 22:47 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-01-23 22:44 --------- d-----w C:\Program Files\Logitech
2008-01-23 20:16 --------- d-----w C:\Program Files\Google
2008-01-23 00:32 --------- d-----w C:\Program Files\iTunes
2008-01-23 00:32 --------- d-----w C:\Program Files\iPod
2008-01-23 00:31 --------- d-----w C:\Program Files\QuickTime
2008-01-17 23:47 --------- d-----w C:\Program Files\SecondLife
2008-01-09 19:57 --------- d-----w C:\Program Files\Huawei technologies
2008-01-04 22:03 139,264 ----a-w C:\Windows\War3Unin.exe
2007-11-01 09:47 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueCrypt"="C:\Program Files\TrueCrypt\TrueCrypt.exe" [2008-02-10 20:12 1060544]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"cmds"="C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll" [2008-03-07 21:00 316928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-11-01 09:40 1006264]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 16:50 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NvSvc"="RUNDLL32.exe" [2006-11-02 09:45 44544 C:\Windows\System32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2006-11-02 09:45 44544 C:\Windows\System32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-11-02 09:45 44544 C:\Windows\System32\rundll32.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-23 23:05 185896]
"BigDog303"="C:\Windows\VM303_STI.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-10-08 09:27 72240]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-10-08 09:26 55856]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-01 17:06 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-10-30 20:49 9216 C:\Windows\System32\avgwlntf.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{C4669F79-394B-4D03-AC25-1FE96F45305B}C:\wamp\apache2\bin\httpd.exe"= UDP:C:\wamp\apache2\bin\httpd.exe:Apache HTTP Server|Desc=Apache HTTP Server
"UDP Query User{24F44E27-6852-4D58-A00E-5FEAC5F03FF5}C:\wamp\apache2\bin\httpd.exe"= TCP:C:\wamp\apache2\bin\httpd.exe:Apache HTTP Server|Desc=Apache HTTP Server
"TCP Query User{F6E06608-4823-4971-A8AC-BE142B288B45}C:\program files\utorrent\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent|Desc=uTorrent
"UDP Query User{9847581E-3074-4BAC-BE7B-086D0CA6F8E1}C:\program files\utorrent\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent|Desc=uTorrent
"TCP Query User{2F220537-5754-4743-9C22-BB37D92A8D29}C:\program files\skype\phone\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath |Desc=Skype. Take a deep breath
"UDP Query User{B7ACB372-FA24-4D41-8BF4-72BCC10A1F96}C:\program files\skype\phone\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath |Desc=Skype. Take a deep breath
"TCP Query User{F1F9B3E8-2FE6-4D0E-A391-52C39626EB34}C:\program files\sopcast\sopcast.exe"= UDP:C:\program files\sopcast\sopcast.exe:SopCast Main Application|Desc=SopCast Main Application
"UDP Query User{A8AB3115-0125-4B2B-B2DE-D60DA9963C35}C:\program files\sopcast\sopcast.exe"= TCP:C:\program files\sopcast\sopcast.exe:SopCast Main Application|Desc=SopCast Main Application
"{F5D5A759-DD80-45ED-84E5-4A3598E9D542}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{8A684CBD-2C1D-4508-8B95-F6A18D5EFDB1}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{2BE81018-3EF0-4C63-8D8D-10B8AD071200}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{54A50C0F-CE9B-4CA4-BA0F-B1729FFF3545}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{4164CA47-2D5B-41CD-907B-35727EB547D2}C:\program files\mozilla firefox\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox|Desc=Firefox
"UDP Query User{ECB7B0B8-D5B6-439E-88C0-B2E23AB5F8C4}C:\program files\mozilla firefox\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox|Desc=Firefox
"TCP Query User{D31DC342-389B-4A09-A92E-26010DDE6AF0}C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe"= UDP:C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe|Desc=sopadver.exe
"UDP Query User{09F3EA87-C19D-4F8F-A6C5-438432F3A26B}C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe"= TCP:C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe|Desc=sopadver.exe
"TCP Query User{3753178E-2986-4A94-A4C7-21C243F0F10B}C:\program files\sopcast\sopvod.exe"= UDP:C:\program files\sopcast\sopvod.exe:sopvod|Desc=sopvod
"UDP Query User{9A97A960-5C36-4AFF-9D10-BE33ED509D9E}C:\program files\sopcast\sopvod.exe"= TCP:C:\program files\sopcast\sopvod.exe:sopvod|Desc=sopvod
"TCP Query User{EC991A72-6B88-4498-B168-C0430E6044D9}C:\program files\sopcast\adv\sopadver.exe"= UDP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver|Desc=SopCast Adver
"UDP Query User{D2E9BBD8-BA9E-4369-94C8-2A4265871A78}C:\program files\sopcast\adv\sopadver.exe"= TCP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver|Desc=SopCast Adver
"TCP Query User{411CA4DD-2E15-4A42-9201-1D18027A3A40}C:\program files\internet explorer\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"UDP Query User{BFC6BCB5-DFA4-4633-BD7B-4CA315A5A51E}C:\program files\internet explorer\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"TCP Query User{D1A44D53-1E91-4412-81B4-5F7E991F4908}C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe"= UDP:C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe:wow-2.0.0-engb-installer-downloader.exe|Desc=wow-2.0.0-engb-installer-downloader.exe
"UDP Query User{B42AA4AC-E209-497E-AF00-6DFAF566D198}C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe"= TCP:C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe:wow-2.0.0-engb-installer-downloader.exe|Desc=wow-2.0.0-engb-installer-downloader.exe
"TCP Query User{366D5331-9967-4E94-B46D-8B307CCFC16C}C:\program files\macromedia\dreamweaver 8\dreamweaver.exe"= UDP:C:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8|Desc=Dreamweaver 8
"UDP Query User{FB4A7B34-BF08-4C6F-B791-ED9D1B971D09}C:\program files\macromedia\dreamweaver 8\dreamweaver.exe"= TCP:C:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8|Desc=Dreamweaver 8
"TCP Query User{22CB88CA-D4A9-47A9-B69E-A5CD1687036D}C:\program files\warcraft iii\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"UDP Query User{2CF3F85A-5090-4DA1-9F59-D74906F79EA9}C:\program files\warcraft iii\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"{217BED0E-8015-4316-9A69-104D58656223}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{FA1438C6-6D59-45A6-B540-699CD3CC1DAE}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{CDE4319F-2EF2-4D97-B865-0E9A87A7EAA2}C:\users\james h\program files\utorrent\utorrent.exe"= UDP:C:\users\james h\program files\utorrent\utorrent.exe:utorrent.exe|Desc=utorrent.exe
"UDP Query User{F1088B9C-0574-45B5-A654-381A50341A84}C:\users\james h\program files\utorrent\utorrent.exe"= TCP:C:\users\james h\program files\utorrent\utorrent.exe:utorrent.exe|Desc=utorrent.exe
"{05E4F880-CA47-4E4D-8100-2113A054FCF7}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{1759AFEE-FE92-4E72-AF26-6C24D819379E}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{7CF431A1-0D23-4842-B2F3-AC0FFF73D7AD}C:\program files\ultravnc\winvnc.exe"= UDP:C:\program files\ultravnc\winvnc.exe:VNC server for Win32|Desc=VNC server for Win32
"UDP Query User{D3C1C2CF-ACFF-49D4-8571-602D27C52440}C:\program files\ultravnc\winvnc.exe"= TCP:C:\program files\ultravnc\winvnc.exe:VNC server for Win32|Desc=VNC server for Win32
"TCP Query User{2D7B2751-D702-415A-BBC7-6A1AACFAD6A2}C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe"= UDP:C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3|Desc=Adobe Dreamweaver CS3
"UDP Query User{9B9656A2-9EEA-4831-AA02-5F818E80B8D4}C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe"= TCP:C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3|Desc=Adobe Dreamweaver CS3
"{E3A407C9-7241-40AB-89EA-509D49DC069E}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)|Edge=TRUE|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 hotcore3;hotcore3;C:\Windows\system32\drivers\hotcore3.sys [2007-03-07 13:27]
R1 moufiltr;ENERGY SISTEM Mouse Filter Driver;C:\Windows\system32\DRIVERS\moufiltr.sys [2007-11-09 11:52]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-07 18:42]
S3 vmfilter303;vmfilter303;C:\Windows\system32\drivers\vmfilter303.sys [2006-04-25 10:57]
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe [2007-05-04 10:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\shell\AutoRun\command - I:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16af0e31-cd93-11dc-8921-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16af0e33-cd93-11dc-8921-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19ac3d54-885f-11dc-8254-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19ac3d72-885f-11dc-8254-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e43f2b2-a5a3-11dc-9de5-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58027b57-bec3-11dc-a77d-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58027b72-bec3-11dc-a77d-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b78749c-92c4-11dc-bf9c-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f10839c-eab4-11dc-949d-005056c00008}]
\shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c34c9dee-b799-11dc-bd06-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c34c9df0-b799-11dc-bd06-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94a1d09-87df-11dc-9a5b-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94a1d24-87df-11dc-9a5b-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94a2b22-87df-11dc-9a5b-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc33e5a1-be21-11dc-a231-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-08 09:51:49 C:\Windows\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 20:18:11
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]
-> C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll
.
Completion time: 2008-03-08 20:26:22
.
2008-03-08 19:39:01 --- E O F ---


This is the HijackThis one

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:45:25, on 08/03/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDog303] C:\Windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{467DACD0-FE46-4442-9DB9-588B8D625A92}: NameServer = 213.233.128.1 213.233.128.19
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10534 bytes

Looking forward to your reply :)

#5
lukee

    New Member

  • Topic Starter
  • Member
  • 9 posts
Hi Sarah,

Thanks a million for your help. You're as good. I hope I have done the things you asked me the right way. I've included the two logs as requested. The file I was telling you about originally seems to have gone out of the temp folder, but there is another new baddy, ssqro.dll, and Spybot is going mad with that one now. Will I just keep denying its access to the system startup registry? It just keeps popping up.

Anyways thanks again

Luke

Here's my ComboFix log

ComboFix 08-03-07.4 - James H 2008-03-08 20:09:00.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.852 [GMT 0:00]
Running from: C:\Users\James H\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-08 19:53 . 2008-03-08 19:53 <DIR> d-------- C:\ComboFix(2)
2008-03-07 20:54 . 2008-03-07 20:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-07 20:37 . 2008-01-04 20:34 163,696 --a------ C:\Windows\System32\drivers\ssidrv.sys
2008-03-07 20:37 . 2008-01-04 20:34 23,920 --a------ C:\Windows\System32\drivers\sskbfd.sys
2008-03-07 20:37 . 2008-01-04 20:34 20,336 --a------ C:\Windows\System32\drivers\SSFS0BB9.sys
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\Users\James H\AppData\Roaming\Webroot
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\Users\All Users\Webroot
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\ProgramData\Webroot
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\Program Files\Webroot
2008-03-07 20:36 . 2008-01-04 20:56 1,526,640 --a------ C:\Windows\WRSetup.dll
2008-03-07 20:36 . 2008-01-04 20:34 21,872 --a------ C:\Windows\System32\drivers\sshrmd.sys
2008-03-07 20:32 . 2008-03-07 20:32 164 --a------ C:\install.dat
2008-03-07 00:47 . 2008-03-07 00:47 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-06 19:52 . 2008-03-06 20:31 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-03-06 19:52 . 2008-03-06 20:31 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-03-06 19:52 . 2008-03-06 19:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-06 16:51 . 2008-03-06 16:54 <DIR> d-------- C:\Program Files\Windows Live
2008-03-06 16:51 . 2008-03-06 16:54 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-06 16:50 . 2008-03-06 16:50 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-03-06 16:50 . 2008-03-06 16:50 <DIR> d-------- C:\ProgramData\WLInstaller
2008-03-06 13:32 . 2008-03-06 13:32 <DIR> d--hs---- C:\found.000
2008-03-05 10:46 . 2008-03-08 12:24 <DIR> d-------- C:\Users\James H\AppData\Roaming\VMware
2008-03-04 23:43 . 2007-10-08 09:27 436,784 --a------ C:\Windows\System32\vnetlib.dll
2008-03-04 23:43 . 2007-10-08 09:26 150,064 --a------ C:\Windows\System32\vmnat.exe
2008-03-04 23:43 . 2007-10-08 09:26 121,392 --a------ C:\Windows\System32\vmnetdhcp.exe
2008-03-04 23:43 . 2007-10-08 09:26 50,992 -ra------ C:\Windows\System32\vmnetbridge.dll
2008-03-04 23:43 . 2007-10-08 09:26 28,592 -ra------ C:\Windows\System32\drivers\vmnetbridge.sys
2008-03-04 23:43 . 2007-10-08 09:27 25,008 --a------ C:\Windows\System32\drivers\vmnetuserif.sys
2008-03-04 23:43 . 2007-10-08 09:26 17,712 -ra------ C:\Windows\System32\drivers\vmnet.sys
2008-03-04 23:43 . 2007-10-08 09:26 16,816 --a------ C:\Windows\System32\drivers\vmnetadapter.sys
2008-03-04 23:43 . 2007-10-08 09:26 13,104 --a------ C:\Windows\System32\vnetinst.dll
2008-03-04 23:41 . 2007-10-08 09:26 30,768 --a------ C:\Windows\System32\drivers\vmusb.sys
2008-03-04 23:41 . 2007-10-08 09:27 20,912 --a------ C:\Windows\System32\drivers\VMkbd.sys
2008-03-04 23:41 . 2008-03-04 23:41 1,024 --a------ C:\.rnd
2008-03-04 23:38 . 2008-03-08 12:25 <DIR> d-------- C:\Users\All Users\VMware
2008-03-04 23:38 . 2008-03-08 12:25 <DIR> d-------- C:\ProgramData\VMware
2008-03-04 23:37 . 2008-03-04 23:37 <DIR> d-------- C:\Program Files\VMware
2008-03-04 23:37 . 2008-03-04 23:37 <DIR> d-------- C:\Program Files\Common Files\VMware
2008-03-04 18:06 . 2008-03-04 18:12 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-03-04 18:06 . 2008-03-04 18:12 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-03-04 18:06 . 2008-03-04 18:08 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-03-04 18:06 . 2008-03-04 18:07 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-03-04 18:03 . 2008-03-04 18:03 <DIR> d-------- C:\Program Files\Microsoft SDKs
2008-03-04 17:56 . 2007-10-27 00:46 779,800 --a------ C:\Windows\System32\PresentationNative_v0300.dll
2008-03-04 17:56 . 2007-10-27 00:46 579,584 --a------ C:\Windows\System32\icardagt.exe
2008-03-04 17:56 . 2007-10-27 00:46 350,744 --a------ C:\Windows\System32\PresentationHost.exe
2008-03-04 17:56 . 2007-10-27 00:46 106,520 --a------ C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2008-03-04 17:56 . 2007-10-30 03:12 88,576 --a------ C:\Windows\System32\infocardapi.dll
2008-03-04 17:56 . 2007-10-27 00:46 33,304 --a------ C:\Windows\System32\PresentationHostProxy.dll
2008-03-04 17:56 . 2007-10-30 03:09 28,160 --a------ C:\Windows\System32\infocardcpl.cpl
2008-03-04 17:56 . 2007-10-27 00:46 11,776 --a------ C:\Windows\System32\icardres.dll
2008-03-04 17:45 . 2007-10-27 00:46 41,984 --a------ C:\Windows\System32\netfxperf.dll
2008-03-04 17:44 . 2007-10-27 00:46 158,720 --a------ C:\Windows\System32\mscorier.dll
2008-03-04 17:44 . 2007-10-27 00:46 84,480 --a------ C:\Windows\System32\mscories.dll
2008-03-04 17:43 . 2007-10-27 00:46 282,112 --a------ C:\Windows\System32\mscoree.dll
2008-03-04 17:43 . 2007-10-27 00:46 96,760 --a------ C:\Windows\System32\dfshim.dll
2008-03-03 17:14 . 2008-03-03 17:14 <DIR> d-------- C:\Program Files\WebSite eXtractor
2008-03-03 17:14 . 2008-03-03 17:14 <DIR> d-------- C:\Internet
2008-03-03 17:14 . 2008-03-03 17:14 <DIR> d-------- C:\install
2008-02-28 20:19 . 2008-02-28 20:19 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-02-28 14:12 . 2008-02-28 14:12 <DIR> d-------- C:\perflogs
2008-02-27 19:20 . 2008-02-27 19:20 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-27 19:20 . 2008-02-27 19:20 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-27 19:11 . 2008-02-27 19:11 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-02-27 19:10 . 2008-02-27 19:10 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-27 19:10 . 2008-02-27 19:10 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-02-27 19:10 . 2008-02-27 19:10 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-02-27 19:10 . 2008-02-27 19:10 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-02-27 19:10 . 2008-02-27 19:10 2,048 --a------ C:\Windows\System32\asferror.dll
2008-02-27 19:09 . 2008-02-27 19:09 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-02-27 19:08 . 2008-02-27 19:08 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
2008-02-27 19:08 . 2008-02-27 19:08 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
2008-02-27 19:08 . 2008-02-27 19:08 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
2008-02-27 19:08 . 2008-02-27 19:08 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
2008-02-27 19:06 . 2008-02-27 19:06 2,048 --a------ C:\Windows\System32\tzres.dll
2008-02-27 19:04 . 2008-02-27 19:04 1,831,424 --a------ C:\Windows\System32\inetcpl.cpl
2008-02-27 19:04 . 2008-02-27 19:04 56,320 --a------ C:\Windows\System32\iesetup.dll
2008-02-27 19:04 . 2008-02-27 19:04 26,624 --a------ C:\Windows\System32\ieUnatt.exe
2008-02-27 19:03 . 2008-02-27 19:03 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-02-21 23:49 . 2008-02-28 14:24 <DIR> d-------- C:\Program Files\ThumbNailer
2008-02-21 23:49 . 2008-02-21 23:49 <DIR> d-------- C:\Program Files\ClickPic
2008-02-19 17:32 . 2003-06-18 17:31 17,920 --a------ C:\Windows\System32\mdimon.dll
2008-02-19 17:29 . 2008-02-19 17:29 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-02-19 17:28 . 2008-02-19 17:28 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-19 17:27 . 2008-02-19 17:27 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-19 17:26 . 2008-02-19 17:26 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-19 17:19 . 2008-02-19 17:19 <DIR> dr-h----- C:\MSOCache
2008-02-10 21:14 . 2008-02-10 21:14 <DIR> d-------- C:\Program Files\Alex Feinman
2008-02-10 21:06 . 2008-02-10 21:06 <DIR> d-------- C:\Users\All Users\TrueCrypt
2008-02-10 21:06 . 2008-02-10 21:06 <DIR> d-------- C:\ProgramData\TrueCrypt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 23:41 --------- d-----w C:\Users\James H\AppData\Roaming\Skype
2008-03-07 20:45 --------- d-----w C:\Users\James H\AppData\Roaming\AVG7
2008-03-07 19:54 0 ----a-w C:\Windows\system32\drivers\lvuvc.hs
2008-03-07 18:42 53,768 ----a-w C:\Windows\system32\drivers\avgwfp.sys
2008-03-06 19:47 --------- d-----w C:\Users\James H\AppData\Roaming\uTorrent
2008-03-03 18:34 --------- d-----w C:\Users\James H\AppData\Roaming\TrueCrypt
2008-02-29 23:49 --------- d-----w C:\Users\James H\AppData\Roaming\LimeWire
2008-02-28 15:03 --------- d-----w C:\ProgramData\avg7
2008-02-28 12:22 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-28 12:22 --------- d-----w C:\Program Files\Windows Mail
2008-02-27 19:11 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-27 19:10 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-27 19:10 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-27 19:10 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-27 19:10 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-27 19:05 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-27 19:04 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 23:27 --------- d-----w C:\ProgramData\Kontiki
2008-02-17 13:59 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-10 20:12 225,344 ----a-w C:\Windows\system32\drivers\truecrypt.sys
2008-02-03 18:56 --------- d-----w C:\Program Files\UltraVNC
2008-02-02 22:37 --------- d-----w C:\Program Files\TrueCrypt
2008-01-30 22:32 --------- d-----w C:\Program Files\Bonjour
2008-01-30 16:38 --------- d-----w C:\ProgramData\FLEXnet
2008-01-30 16:27 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-01-29 15:55 --------- d-----w C:\Program Files\Microsoft FrontPage
2008-01-28 23:01 --------- d-----w C:\ProgramData\Bryxen Software
2008-01-28 23:01 --------- d-----w C:\Program Files\Bryxen Software
2008-01-24 19:20 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-23 23:19 --------- d-----w C:\ProgramData\Logishrd
2008-01-23 22:47 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-01-23 22:44 --------- d-----w C:\Program Files\Logitech
2008-01-23 20:16 --------- d-----w C:\Program Files\Google
2008-01-23 00:32 --------- d-----w C:\Program Files\iTunes
2008-01-23 00:32 --------- d-----w C:\Program Files\iPod
2008-01-23 00:31 --------- d-----w C:\Program Files\QuickTime
2008-01-17 23:47 --------- d-----w C:\Program Files\SecondLife
2008-01-09 19:57 --------- d-----w C:\Program Files\Huawei technologies
2008-01-04 22:03 139,264 ----a-w C:\Windows\War3Unin.exe
2007-11-01 09:47 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueCrypt"="C:\Program Files\TrueCrypt\TrueCrypt.exe" [2008-02-10 20:12 1060544]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"cmds"="C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll" [2008-03-07 21:00 316928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-11-01 09:40 1006264]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 16:50 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NvSvc"="RUNDLL32.exe" [2006-11-02 09:45 44544 C:\Windows\System32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2006-11-02 09:45 44544 C:\Windows\System32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-11-02 09:45 44544 C:\Windows\System32\rundll32.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-23 23:05 185896]
"BigDog303"="C:\Windows\VM303_STI.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-10-08 09:27 72240]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-10-08 09:26 55856]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-01 17:06 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-10-30 20:49 9216 C:\Windows\System32\avgwlntf.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{C4669F79-394B-4D03-AC25-1FE96F45305B}C:\wamp\apache2\bin\httpd.exe"= UDP:C:\wamp\apache2\bin\httpd.exe:Apache HTTP Server|Desc=Apache HTTP Server
"UDP Query User{24F44E27-6852-4D58-A00E-5FEAC5F03FF5}C:\wamp\apache2\bin\httpd.exe"= TCP:C:\wamp\apache2\bin\httpd.exe:Apache HTTP Server|Desc=Apache HTTP Server
"TCP Query User{F6E06608-4823-4971-A8AC-BE142B288B45}C:\program files\utorrent\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent|Desc=uTorrent
"UDP Query User{9847581E-3074-4BAC-BE7B-086D0CA6F8E1}C:\program files\utorrent\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent|Desc=uTorrent
"TCP Query User{2F220537-5754-4743-9C22-BB37D92A8D29}C:\program files\skype\phone\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath |Desc=Skype. Take a deep breath
"UDP Query User{B7ACB372-FA24-4D41-8BF4-72BCC10A1F96}C:\program files\skype\phone\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath |Desc=Skype. Take a deep breath
"TCP Query User{F1F9B3E8-2FE6-4D0E-A391-52C39626EB34}C:\program files\sopcast\sopcast.exe"= UDP:C:\program files\sopcast\sopcast.exe:SopCast Main Application|Desc=SopCast Main Application
"UDP Query User{A8AB3115-0125-4B2B-B2DE-D60DA9963C35}C:\program files\sopcast\sopcast.exe"= TCP:C:\program files\sopcast\sopcast.exe:SopCast Main Application|Desc=SopCast Main Application
"{F5D5A759-DD80-45ED-84E5-4A3598E9D542}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{8A684CBD-2C1D-4508-8B95-F6A18D5EFDB1}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{2BE81018-3EF0-4C63-8D8D-10B8AD071200}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{54A50C0F-CE9B-4CA4-BA0F-B1729FFF3545}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{4164CA47-2D5B-41CD-907B-35727EB547D2}C:\program files\mozilla firefox\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox|Desc=Firefox
"UDP Query User{ECB7B0B8-D5B6-439E-88C0-B2E23AB5F8C4}C:\program files\mozilla firefox\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox|Desc=Firefox
"TCP Query User{D31DC342-389B-4A09-A92E-26010DDE6AF0}C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe"= UDP:C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe|Desc=sopadver.exe
"UDP Query User{09F3EA87-C19D-4F8F-A6C5-438432F3A26B}C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe"= TCP:C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe|Desc=sopadver.exe
"TCP Query User{3753178E-2986-4A94-A4C7-21C243F0F10B}C:\program files\sopcast\sopvod.exe"= UDP:C:\program files\sopcast\sopvod.exe:sopvod|Desc=sopvod
"UDP Query User{9A97A960-5C36-4AFF-9D10-BE33ED509D9E}C:\program files\sopcast\sopvod.exe"= TCP:C:\program files\sopcast\sopvod.exe:sopvod|Desc=sopvod
"TCP Query User{EC991A72-6B88-4498-B168-C0430E6044D9}C:\program files\sopcast\adv\sopadver.exe"= UDP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver|Desc=SopCast Adver
"UDP Query User{D2E9BBD8-BA9E-4369-94C8-2A4265871A78}C:\program files\sopcast\adv\sopadver.exe"= TCP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver|Desc=SopCast Adver
"TCP Query User{411CA4DD-2E15-4A42-9201-1D18027A3A40}C:\program files\internet explorer\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"UDP Query User{BFC6BCB5-DFA4-4633-BD7B-4CA315A5A51E}C:\program files\internet explorer\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"TCP Query User{D1A44D53-1E91-4412-81B4-5F7E991F4908}C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe"= UDP:C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe:wow-2.0.0-engb-installer-downloader.exe|Desc=wow-2.0.0-engb-installer-downloader.exe
"UDP Query User{B42AA4AC-E209-497E-AF00-6DFAF566D198}C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe"= TCP:C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe:wow-2.0.0-engb-installer-downloader.exe|Desc=wow-2.0.0-engb-installer-downloader.exe
"TCP Query User{366D5331-9967-4E94-B46D-8B307CCFC16C}C:\program files\macromedia\dreamweaver 8\dreamweaver.exe"= UDP:C:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8|Desc=Dreamweaver 8
"UDP Query User{FB4A7B34-BF08-4C6F-B791-ED9D1B971D09}C:\program files\macromedia\dreamweaver 8\dreamweaver.exe"= TCP:C:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8|Desc=Dreamweaver 8
"TCP Query User{22CB88CA-D4A9-47A9-B69E-A5CD1687036D}C:\program files\warcraft iii\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"UDP Query User{2CF3F85A-5090-4DA1-9F59-D74906F79EA9}C:\program files\warcraft iii\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"{217BED0E-8015-4316-9A69-104D58656223}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{FA1438C6-6D59-45A6-B540-699CD3CC1DAE}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{CDE4319F-2EF2-4D97-B865-0E9A87A7EAA2}C:\users\james h\program files\utorrent\utorrent.exe"= UDP:C:\users\james h\program files\utorrent\utorrent.exe:utorrent.exe|Desc=utorrent.exe
"UDP Query User{F1088B9C-0574-45B5-A654-381A50341A84}C:\users\james h\program files\utorrent\utorrent.exe"= TCP:C:\users\james h\program files\utorrent\utorrent.exe:utorrent.exe|Desc=utorrent.exe
"{05E4F880-CA47-4E4D-8100-2113A054FCF7}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{1759AFEE-FE92-4E72-AF26-6C24D819379E}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{7CF431A1-0D23-4842-B2F3-AC0FFF73D7AD}C:\program files\ultravnc\winvnc.exe"= UDP:C:\program files\ultravnc\winvnc.exe:VNC server for Win32|Desc=VNC server for Win32
"UDP Query User{D3C1C2CF-ACFF-49D4-8571-602D27C52440}C:\program files\ultravnc\winvnc.exe"= TCP:C:\program files\ultravnc\winvnc.exe:VNC server for Win32|Desc=VNC server for Win32
"TCP Query User{2D7B2751-D702-415A-BBC7-6A1AACFAD6A2}C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe"= UDP:C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3|Desc=Adobe Dreamweaver CS3
"UDP Query User{9B9656A2-9EEA-4831-AA02-5F818E80B8D4}C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe"= TCP:C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3|Desc=Adobe Dreamweaver CS3
"{E3A407C9-7241-40AB-89EA-509D49DC069E}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)|Edge=TRUE|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 hotcore3;hotcore3;C:\Windows\system32\drivers\hotcore3.sys [2007-03-07 13:27]
R1 moufiltr;ENERGY SISTEM Mouse Filter Driver;C:\Windows\system32\DRIVERS\moufiltr.sys [2007-11-09 11:52]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-07 18:42]
S3 vmfilter303;vmfilter303;C:\Windows\system32\drivers\vmfilter303.sys [2006-04-25 10:57]
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe [2007-05-04 10:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\shell\AutoRun\command - I:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16af0e31-cd93-11dc-8921-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16af0e33-cd93-11dc-8921-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19ac3d54-885f-11dc-8254-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19ac3d72-885f-11dc-8254-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e43f2b2-a5a3-11dc-9de5-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58027b57-bec3-11dc-a77d-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58027b72-bec3-11dc-a77d-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b78749c-92c4-11dc-bf9c-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f10839c-eab4-11dc-949d-005056c00008}]
\shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c34c9dee-b799-11dc-bd06-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c34c9df0-b799-11dc-bd06-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94a1d09-87df-11dc-9a5b-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94a1d24-87df-11dc-9a5b-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94a2b22-87df-11dc-9a5b-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc33e5a1-be21-11dc-a231-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-08 09:51:49 C:\Windows\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 20:18:11
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]
-> C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll
.
Completion time: 2008-03-08 20:26:22
.
2008-03-08 19:39:01 --- E O F ---


This is the HijackThis one

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:45:25, on 08/03/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDog303] C:\Windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-

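A small triage script over the kind of entries shown in the logs above (the O4 rundll32 line, the ComboFix "Reg Loading Points" value, the "DLLs Loaded Under Running Processes" entry for Explorer.exe and the MountPoints2 AutoRun commands). This is an added example for illustration, not code from the thread, from HijackThis or from ComboFix; the sample lines are copied from the logs posted here plus two benign entries for contrast, and the heuristics (code loaded from a temp directory, rundll32 pointed at a DLL outside %SystemRoot%, cached AutoRun commands) are assumptions chosen for the example, not rules those tools apply:

```python
"""Triage autostart entries from HijackThis / ComboFix log lines.

Added example for this thread; not part of either tool. The heuristics
below are the example author's own choices, not rules from the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the logs posted in this thread,
# plus two benign entries (NvCplDaemon, TrueCrypt) for contrast.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup',
    r'O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll,c',
    r'"cmds"="C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll" [2008-03-07 21:00 316928]',
    r'"TrueCrypt"="C:\Program Files\TrueCrypt\TrueCrypt.exe" [2008-02-10 20:12 1060544]',
    r'-> C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll',
    r'\shell\AutoRun\command - F:\Setup.exe',
]

# Directory fragments no legitimate autostart should load code from
# (heuristic; catches AppData\Local\Temp and Windows\Temp alike).
SUSPECT_DIRS = ('\\temp\\', '\\tmp\\')

# A Windows path ending in .dll or .exe. Spaces and 8.3 names (JAMESH~1)
# are allowed; the lazy quantifier stops at the first extension.
PATH_RE = re.compile(r'([A-Za-z]:\\.+?\.(?:dll|exe))', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    source: str   # which log section the line came from
    path: str
    reason: str


def classify_line(line: str) -> str:
    """Map a log line to the section it came from, by its shape."""
    s = line.strip()
    if s.startswith('O4 - '):
        return 'hijackthis-O4'          # HijackThis autostart entry
    if s.startswith('->'):
        return 'combofix-loaded-dll'    # "DLLs Loaded Under Running Processes"
    if '\\shell\\autorun\\command' in s.lower():
        return 'mountpoints2-autorun'   # per-volume AutoRun command
    if s.startswith('"') and '"=' in s:
        return 'combofix-run'           # "Reg Loading Points" value
    return 'other'


def in_suspect_dir(path: str) -> bool:
    p = path.lower()
    return any(frag in p for frag in SUSPECT_DIRS)


def triage(lines):
    """Return a Finding for every path in `lines` that trips a heuristic."""
    findings = []
    for line in lines:
        kind = classify_line(line)
        lowered = line.lower()
        for path in PATH_RE.findall(line):
            p = path.lower()
            if kind == 'mountpoints2-autorun':
                findings.append(Finding(kind, path,
                    'AutoRun command cached for a volume; check the volume itself'))
            elif in_suspect_dir(path):
                # A module started from, or still mapped from, a temp directory.
                # When it appears as a loaded DLL (the "->" line) that mapping is
                # what makes a plain delete fail while the host process runs.
                findings.append(Finding(kind, path, 'code loaded from a temp directory'))
            elif 'rundll32' in lowered and p.endswith('.dll') and '\\windows\\' not in p:
                findings.append(Finding(kind, path,
                    'rundll32 loads a DLL from outside %SystemRoot%'))
    return findings


def suspect_paths(lines):
    """Distinct paths worth acting on, in sorted order."""
    return sorted({f.path for f in triage(lines)})


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f'{f.source:22} {f.reason:60} {f.path}')
```

The "->" finding is the one that explains the original complaint: the DLL is mapped into a running process (Explorer.exe in the ComboFix output, rundll32.exe in the first post), so the file cannot be deleted while that process holds it, and the HKCU Run value that starts rundll32 with the same DLL puts it back at the next logon.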
#6
lukee
Hi Sarah,

Thanks a million for your help. You're as good. I hope I have done the things you asked me the right way. I've included the two logs as requested. The file I was telling you about originally seems to have gone from the temp folder, but there is another new baddy, ssqro.dll, and Spybot is going mad with that one now. Will I just keep denying it access to the system startup registry? It just keeps popping up.

Anyway, thanks again

Luke

Here's my ComboFix log

ComboFix 08-03-07.4 - James H 2008-03-08 20:09:00.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.852 [GMT 0:00]
Running from: C:\Users\James H\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-08 19:53 . 2008-03-08 19:53 <DIR> d-------- C:\ComboFix(2)
2008-03-07 20:54 . 2008-03-07 20:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-07 20:37 . 2008-01-04 20:34 163,696 --a------ C:\Windows\System32\drivers\ssidrv.sys
2008-03-07 20:37 . 2008-01-04 20:34 23,920 --a------ C:\Windows\System32\drivers\sskbfd.sys
2008-03-07 20:37 . 2008-01-04 20:34 20,336 --a------ C:\Windows\System32\drivers\SSFS0BB9.sys
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\Users\James H\AppData\Roaming\Webroot
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\Users\All Users\Webroot
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\ProgramData\Webroot
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\Program Files\Webroot
2008-03-07 20:36 . 2008-01-04 20:56 1,526,640 --a------ C:\Windows\WRSetup.dll
2008-03-07 20:36 . 2008-01-04 20:34 21,872 --a------ C:\Windows\System32\drivers\sshrmd.sys
2008-03-07 20:32 . 2008-03-07 20:32 164 --a------ C:\install.dat
2008-03-07 00:47 . 2008-03-07 00:47 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-06 19:52 . 2008-03-06 20:31 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-03-06 19:52 . 2008-03-06 20:31 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-03-06 19:52 . 2008-03-06 19:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-06 16:51 . 2008-03-06 16:54 <DIR> d-------- C:\Program Files\Windows Live
2008-03-06 16:51 . 2008-03-06 16:54 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-06 16:50 . 2008-03-06 16:50 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-03-06 16:50 . 2008-03-06 16:50 <DIR> d-------- C:\ProgramData\WLInstaller
2008-03-06 13:32 . 2008-03-06 13:32 <DIR> d--hs---- C:\found.000
2008-03-05 10:46 . 2008-03-08 12:24 <DIR> d-------- C:\Users\James H\AppData\Roaming\VMware
2008-03-04 23:43 . 2007-10-08 09:27 436,784 --a------ C:\Windows\System32\vnetlib.dll
2008-03-04 23:43 . 2007-10-08 09:26 150,064 --a------ C:\Windows\System32\vmnat.exe
2008-03-04 23:43 . 2007-10-08 09:26 121,392 --a------ C:\Windows\System32\vmnetdhcp.exe
2008-03-04 23:43 . 2007-10-08 09:26 50,992 -ra------ C:\Windows\System32\vmnetbridge.dll
2008-03-04 23:43 . 2007-10-08 09:26 28,592 -ra------ C:\Windows\System32\drivers\vmnetbridge.sys
2008-03-04 23:43 . 2007-10-08 09:27 25,008 --a------ C:\Windows\System32\drivers\vmnetuserif.sys
2008-03-04 23:43 . 2007-10-08 09:26 17,712 -ra------ C:\Windows\System32\drivers\vmnet.sys
2008-03-04 23:43 . 2007-10-08 09:26 16,816 --a------ C:\Windows\System32\drivers\vmnetadapter.sys
2008-03-04 23:43 . 2007-10-08 09:26 13,104 --a------ C:\Windows\System32\vnetinst.dll
2008-03-04 23:41 . 2007-10-08 09:26 30,768 --a------ C:\Windows\System32\drivers\vmusb.sys
2008-03-04 23:41 . 2007-10-08 09:27 20,912 --a------ C:\Windows\System32\drivers\VMkbd.sys
2008-03-04 23:41 . 2008-03-04 23:41 1,024 --a------ C:\.rnd
2008-03-04 23:38 . 2008-03-08 12:25 <DIR> d-------- C:\Users\All Users\VMware
2008-03-04 23:38 . 2008-03-08 12:25 <DIR> d-------- C:\ProgramData\VMware
2008-03-04 23:37 . 2008-03-04 23:37 <DIR> d-------- C:\Program Files\VMware
2008-03-04 23:37 . 2008-03-04 23:37 <DIR> d-------- C:\Program Files\Common Files\VMware
2008-03-04 18:06 . 2008-03-04 18:12 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-03-04 18:06 . 2008-03-04 18:12 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-03-04 18:06 . 2008-03-04 18:08 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-03-04 18:06 . 2008-03-04 18:07 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-03-04 18:03 . 2008-03-04 18:03 <DIR> d-------- C:\Program Files\Microsoft SDKs
2008-03-04 17:56 . 2007-10-27 00:46 779,800 --a------ C:\Windows\System32\PresentationNative_v0300.dll
2008-03-04 17:56 . 2007-10-27 00:46 579,584 --a------ C:\Windows\System32\icardagt.exe
2008-03-04 17:56 . 2007-10-27 00:46 350,744 --a------ C:\Windows\System32\PresentationHost.exe
2008-03-04 17:56 . 2007-10-27 00:46 106,520 --a------ C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2008-03-04 17:56 . 2007-10-30 03:12 88,576 --a------ C:\Windows\System32\infocardapi.dll
2008-03-04 17:56 . 2007-10-27 00:46 33,304 --a------ C:\Windows\System32\PresentationHostProxy.dll
2008-03-04 17:56 . 2007-10-30 03:09 28,160 --a------ C:\Windows\System32\infocardcpl.cpl
2008-03-04 17:56 . 2007-10-27 00:46 11,776 --a------ C:\Windows\System32\icardres.dll
2008-03-04 17:45 . 2007-10-27 00:46 41,984 --a------ C:\Windows\System32\netfxperf.dll
2008-03-04 17:44 . 2007-10-27 00:46 158,720 --a------ C:\Windows\System32\mscorier.dll
2008-03-04 17:44 . 2007-10-27 00:46 84,480 --a------ C:\Windows\System32\mscories.dll
2008-03-04 17:43 . 2007-10-27 00:46 282,112 --a------ C:\Windows\System32\mscoree.dll
2008-03-04 17:43 . 2007-10-27 00:46 96,760 --a------ C:\Windows\System32\dfshim.dll
2008-03-03 17:14 . 2008-03-03 17:14 <DIR> d-------- C:\Program Files\WebSite eXtractor
2008-03-03 17:14 . 2008-03-03 17:14 <DIR> d-------- C:\Internet
2008-03-03 17:14 . 2008-03-03 17:14 <DIR> d-------- C:\install
2008-02-28 20:19 . 2008-02-28 20:19 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-02-28 14:12 . 2008-02-28 14:12 <DIR> d-------- C:\perflogs
2008-02-27 19:20 . 2008-02-27 19:20 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-27 19:20 . 2008-02-27 19:20 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-27 19:11 . 2008-02-27 19:11 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-02-27 19:10 . 2008-02-27 19:10 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-27 19:10 . 2008-02-27 19:10 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-02-27 19:10 . 2008-02-27 19:10 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-02-27 19:10 . 2008-02-27 19:10 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-02-27 19:10 . 2008-02-27 19:10 2,048 --a------ C:\Windows\System32\asferror.dll
2008-02-27 19:09 . 2008-02-27 19:09 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-02-27 19:08 . 2008-02-27 19:08 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
2008-02-27 19:08 . 2008-02-27 19:08 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
2008-02-27 19:08 . 2008-02-27 19:08 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
2008-02-27 19:08 . 2008-02-27 19:08 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
2008-02-27 19:06 . 2008-02-27 19:06 2,048 --a------ C:\Windows\System32\tzres.dll
2008-02-27 19:04 . 2008-02-27 19:04 1,831,424 --a------ C:\Windows\System32\inetcpl.cpl
2008-02-27 19:04 . 2008-02-27 19:04 56,320 --a------ C:\Windows\System32\iesetup.dll
2008-02-27 19:04 . 2008-02-27 19:04 26,624 --a------ C:\Windows\System32\ieUnatt.exe
2008-02-27 19:03 . 2008-02-27 19:03 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-02-21 23:49 . 2008-02-28 14:24 <DIR> d-------- C:\Program Files\ThumbNailer
2008-02-21 23:49 . 2008-02-21 23:49 <DIR> d-------- C:\Program Files\ClickPic
2008-02-19 17:32 . 2003-06-18 17:31 17,920 --a------ C:\Windows\System32\mdimon.dll
2008-02-19 17:29 . 2008-02-19 17:29 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-02-19 17:28 . 2008-02-19 17:28 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-19 17:27 . 2008-02-19 17:27 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-19 17:26 . 2008-02-19 17:26 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-19 17:19 . 2008-02-19 17:19 <DIR> dr-h----- C:\MSOCache
2008-02-10 21:14 . 2008-02-10 21:14 <DIR> d-------- C:\Program Files\Alex Feinman
2008-02-10 21:06 . 2008-02-10 21:06 <DIR> d-------- C:\Users\All Users\TrueCrypt
2008-02-10 21:06 . 2008-02-10 21:06 <DIR> d-------- C:\ProgramData\TrueCrypt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 23:41 --------- d-----w C:\Users\James H\AppData\Roaming\Skype
2008-03-07 20:45 --------- d-----w C:\Users\James H\AppData\Roaming\AVG7
2008-03-07 19:54 0 ----a-w C:\Windows\system32\drivers\lvuvc.hs
2008-03-07 18:42 53,768 ----a-w C:\Windows\system32\drivers\avgwfp.sys
2008-03-06 19:47 --------- d-----w C:\Users\James H\AppData\Roaming\uTorrent
2008-03-03 18:34 --------- d-----w C:\Users\James H\AppData\Roaming\TrueCrypt
2008-02-29 23:49 --------- d-----w C:\Users\James H\AppData\Roaming\LimeWire
2008-02-28 15:03 --------- d-----w C:\ProgramData\avg7
2008-02-28 12:22 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-28 12:22 --------- d-----w C:\Program Files\Windows Mail
2008-02-27 19:11 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-27 19:10 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-27 19:10 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-27 19:10 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-27 19:10 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-27 19:05 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-27 19:04 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 23:27 --------- d-----w C:\ProgramData\Kontiki
2008-02-17 13:59 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-10 20:12 225,344 ----a-w C:\Windows\system32\drivers\truecrypt.sys
2008-02-03 18:56 --------- d-----w C:\Program Files\UltraVNC
2008-02-02 22:37 --------- d-----w C:\Program Files\TrueCrypt
2008-01-30 22:32 --------- d-----w C:\Program Files\Bonjour
2008-01-30 16:38 --------- d-----w C:\ProgramData\FLEXnet
2008-01-30 16:27 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-01-29 15:55 --------- d-----w C:\Program Files\Microsoft FrontPage
2008-01-28 23:01 --------- d-----w C:\ProgramData\Bryxen Software
2008-01-28 23:01 --------- d-----w C:\Program Files\Bryxen Software
2008-01-24 19:20 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-23 23:19 --------- d-----w C:\ProgramData\Logishrd
2008-01-23 22:47 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-01-23 22:44 --------- d-----w C:\Program Files\Logitech
2008-01-23 20:16 --------- d-----w C:\Program Files\Google
2008-01-23 00:32 --------- d-----w C:\Program Files\iTunes
2008-01-23 00:32 --------- d-----w C:\Program Files\iPod
2008-01-23 00:31 --------- d-----w C:\Program Files\QuickTime
2008-01-17 23:47 --------- d-----w C:\Program Files\SecondLife
2008-01-09 19:57 --------- d-----w C:\Program Files\Huawei technologies
2008-01-04 22:03 139,264 ----a-w C:\Windows\War3Unin.exe
2007-11-01 09:47 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueCrypt"="C:\Program Files\TrueCrypt\TrueCrypt.exe" [2008-02-10 20:12 1060544]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"cmds"="C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll" [2008-03-07 21:00 316928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-11-01 09:40 1006264]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 16:50 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NvSvc"="RUNDLL32.exe" [2006-11-02 09:45 44544 C:\Windows\System32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2006-11-02 09:45 44544 C:\Windows\System32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-11-02 09:45 44544 C:\Windows\System32\rundll32.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-23 23:05 185896]
"BigDog303"="C:\Windows\VM303_STI.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-10-08 09:27 72240]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-10-08 09:26 55856]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-01 17:06 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-10-30 20:49 9216 C:\Windows\System32\avgwlntf.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{C4669F79-394B-4D03-AC25-1FE96F45305B}C:\wamp\apache2\bin\httpd.exe"= UDP:C:\wamp\apache2\bin\httpd.exe:Apache HTTP Server|Desc=Apache HTTP Server
"UDP Query User{24F44E27-6852-4D58-A00E-5FEAC5F03FF5}C:\wamp\apache2\bin\httpd.exe"= TCP:C:\wamp\apache2\bin\httpd.exe:Apache HTTP Server|Desc=Apache HTTP Server
"TCP Query User{F6E06608-4823-4971-A8AC-BE142B288B45}C:\program files\utorrent\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent|Desc=uTorrent
"UDP Query User{9847581E-3074-4BAC-BE7B-086D0CA6F8E1}C:\program files\utorrent\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent|Desc=uTorrent
"TCP Query User{2F220537-5754-4743-9C22-BB37D92A8D29}C:\program files\skype\phone\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath |Desc=Skype. Take a deep breath
"UDP Query User{B7ACB372-FA24-4D41-8BF4-72BCC10A1F96}C:\program files\skype\phone\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath |Desc=Skype. Take a deep breath
"TCP Query User{F1F9B3E8-2FE6-4D0E-A391-52C39626EB34}C:\program files\sopcast\sopcast.exe"= UDP:C:\program files\sopcast\sopcast.exe:SopCast Main Application|Desc=SopCast Main Application
"UDP Query User{A8AB3115-0125-4B2B-B2DE-D60DA9963C35}C:\program files\sopcast\sopcast.exe"= TCP:C:\program files\sopcast\sopcast.exe:SopCast Main Application|Desc=SopCast Main Application
"{F5D5A759-DD80-45ED-84E5-4A3598E9D542}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{8A684CBD-2C1D-4508-8B95-F6A18D5EFDB1}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{2BE81018-3EF0-4C63-8D8D-10B8AD071200}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{54A50C0F-CE9B-4CA4-BA0F-B1729FFF3545}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{4164CA47-2D5B-41CD-907B-35727EB547D2}C:\program files\mozilla firefox\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox|Desc=Firefox
"UDP Query User{ECB7B0B8-D5B6-439E-88C0-B2E23AB5F8C4}C:\program files\mozilla firefox\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox|Desc=Firefox
"TCP Query User{D31DC342-389B-4A09-A92E-26010DDE6AF0}C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe"= UDP:C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe|Desc=sopadver.exe
"UDP Query User{09F3EA87-C19D-4F8F-A6C5-438432F3A26B}C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe"= TCP:C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe|Desc=sopadver.exe
"TCP Query User{3753178E-2986-4A94-A4C7-21C243F0F10B}C:\program files\sopcast\sopvod.exe"= UDP:C:\program files\sopcast\sopvod.exe:sopvod|Desc=sopvod
"UDP Query User{9A97A960-5C36-4AFF-9D10-BE33ED509D9E}C:\program files\sopcast\sopvod.exe"= TCP:C:\program files\sopcast\sopvod.exe:sopvod|Desc=sopvod
"TCP Query User{EC991A72-6B88-4498-B168-C0430E6044D9}C:\program files\sopcast\adv\sopadver.exe"= UDP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver|Desc=SopCast Adver
"UDP Query User{D2E9BBD8-BA9E-4369-94C8-2A4265871A78}C:\program files\sopcast\adv\sopadver.exe"= TCP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver|Desc=SopCast Adver
"TCP Query User{411CA4DD-2E15-4A42-9201-1D18027A3A40}C:\program files\internet explorer\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"UDP Query User{BFC6BCB5-DFA4-4633-BD7B-4CA315A5A51E}C:\program files\internet explorer\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"TCP Query User{D1A44D53-1E91-4412-81B4-5F7E991F4908}C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe"= UDP:C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe:wow-2.0.0-engb-installer-downloader.exe|Desc=wow-2.0.0-engb-installer-downloader.exe
"UDP Query User{B42AA4AC-E209-497E-AF00-6DFAF566D198}C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe"= TCP:C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe:wow-2.0.0-engb-installer-downloader.exe|Desc=wow-2.0.0-engb-installer-downloader.exe
"TCP Query User{366D5331-9967-4E94-B46D-8B307CCFC16C}C:\program files\macromedia\dreamweaver 8\dreamweaver.exe"= UDP:C:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8|Desc=Dreamweaver 8
"UDP Query User{FB4A7B34-BF08-4C6F-B791-ED9D1B971D09}C:\program files\macromedia\dreamweaver 8\dreamweaver.exe"= TCP:C:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8|Desc=Dreamweaver 8
"TCP Query User{22CB88CA-D4A9-47A9-B69E-A5CD1687036D}C:\program files\warcraft iii\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"UDP Query User{2CF3F85A-5090-4DA1-9F59-D74906F79EA9}C:\program files\warcraft iii\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"{217BED0E-8015-4316-9A69-104D58656223}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{FA1438C6-6D59-45A6-B540-699CD3CC1DAE}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{CDE4319F-2EF2-4D97-B865-0E9A87A7EAA2}C:\users\james h\program files\utorrent\utorrent.exe"= UDP:C:\users\james h\program files\utorrent\utorrent.exe:utorrent.exe|Desc=utorrent.exe
"UDP Query User{F1088B9C-0574-45B5-A654-381A50341A84}C:\users\james h\program files\utorrent\utorrent.exe"= TCP:C:\users\james h\program files\utorrent\utorrent.exe:utorrent.exe|Desc=utorrent.exe
"{05E4F880-CA47-4E4D-8100-2113A054FCF7}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{1759AFEE-FE92-4E72-AF26-6C24D819379E}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{7CF431A1-0D23-4842-B2F3-AC0FFF73D7AD}C:\program files\ultravnc\winvnc.exe"= UDP:C:\program files\ultravnc\winvnc.exe:VNC server for Win32|Desc=VNC server for Win32
"UDP Query User{D3C1C2CF-ACFF-49D4-8571-602D27C52440}C:\program files\ultravnc\winvnc.exe"= TCP:C:\program files\ultravnc\winvnc.exe:VNC server for Win32|Desc=VNC server for Win32
"TCP Query User{2D7B2751-D702-415A-BBC7-6A1AACFAD6A2}C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe"= UDP:C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3|Desc=Adobe Dreamweaver CS3
"UDP Query User{9B9656A2-9EEA-4831-AA02-5F818E80B8D4}C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe"= TCP:C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3|Desc=Adobe Dreamweaver CS3
"{E3A407C9-7241-40AB-89EA-509D49DC069E}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)|Edge=TRUE|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 hotcore3;hotcore3;C:\Windows\system32\drivers\hotcore3.sys [2007-03-07 13:27]
R1 moufiltr;ENERGY SISTEM Mouse Filter Driver;C:\Windows\system32\DRIVERS\moufiltr.sys [2007-11-09 11:52]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-07 18:42]
S3 vmfilter303;vmfilter303;C:\Windows\system32\drivers\vmfilter303.sys [2006-04-25 10:57]
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe [2007-05-04 10:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\shell\AutoRun\command - I:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16af0e31-cd93-11dc-8921-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16af0e33-cd93-11dc-8921-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19ac3d54-885f-11dc-8254-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19ac3d72-885f-11dc-8254-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e43f2b2-a5a3-11dc-9de5-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58027b57-bec3-11dc-a77d-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58027b72-bec3-11dc-a77d-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b78749c-92c4-11dc-bf9c-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f10839c-eab4-11dc-949d-005056c00008}]
\shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c34c9dee-b799-11dc-bd06-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c34c9df0-b799-11dc-bd06-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94a1d09-87df-11dc-9a5b-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94a1d24-87df-11dc-9a5b-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94a2b22-87df-11dc-9a5b-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc33e5a1-be21-11dc-a231-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-08 09:51:49 C:\Windows\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 20:18:11
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]
-> C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll
.
Completion time: 2008-03-08 20:26:22
.
2008-03-08 19:39:01 --- E O F ---


This is the HijackThis one

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:45:25, on 08/03/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDog303] C:\Windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{467DACD0-FE46-4442-9DB9-588B8D625A92}: NameServer = 213.233.128.1 213.233.128.19
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10534 bytes

Looking forward to your reply :)

#7
lukee

    New Member

  • Topic Starter
  • Member
  • 9 posts
Hi Sarah,

Thanks a million for your help. You're as good. I hope I have done the things you asked me the right way. I've included the two logs as requested. The file I was telling you about originally seems to have gone out of the temp file, but there is another new baddy, ssqro.dll, which Spybot is going mad with now. Will I just keep denying it access to the system start-up registry? It just keeps popping up.

Anyway, thanks again.

Luke

Here's my ComboFix log:

ComboFix 08-03-07.4 - James H 2008-03-08 20:09:00.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.852 [GMT 0:00]
Running from: C:\Users\James H\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-08 19:53 . 2008-03-08 19:53 <DIR> d-------- C:\ComboFix(2)
2008-03-07 20:54 . 2008-03-07 20:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-07 20:37 . 2008-01-04 20:34 163,696 --a------ C:\Windows\System32\drivers\ssidrv.sys
2008-03-07 20:37 . 2008-01-04 20:34 23,920 --a------ C:\Windows\System32\drivers\sskbfd.sys
2008-03-07 20:37 . 2008-01-04 20:34 20,336 --a------ C:\Windows\System32\drivers\SSFS0BB9.sys
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\Users\James H\AppData\Roaming\Webroot
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\Users\All Users\Webroot
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\ProgramData\Webroot
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\Program Files\Webroot
2008-03-07 20:36 . 2008-01-04 20:56 1,526,640 --a------ C:\Windows\WRSetup.dll
2008-03-07 20:36 . 2008-01-04 20:34 21,872 --a------ C:\Windows\System32\drivers\sshrmd.sys
2008-03-07 20:32 . 2008-03-07 20:32 164 --a------ C:\install.dat
2008-03-07 00:47 . 2008-03-07 00:47 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-06 19:52 . 2008-03-06 20:31 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-03-06 19:52 . 2008-03-06 20:31 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-03-06 19:52 . 2008-03-06 19:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-06 16:51 . 2008-03-06 16:54 <DIR> d-------- C:\Program Files\Windows Live
2008-03-06 16:51 . 2008-03-06 16:54 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-06 16:50 . 2008-03-06 16:50 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-03-06 16:50 . 2008-03-06 16:50 <DIR> d-------- C:\ProgramData\WLInstaller
2008-03-06 13:32 . 2008-03-06 13:32 <DIR> d--hs---- C:\found.000
2008-03-05 10:46 . 2008-03-08 12:24 <DIR> d-------- C:\Users\James H\AppData\Roaming\VMware
2008-03-04 23:43 . 2007-10-08 09:27 436,784 --a------ C:\Windows\System32\vnetlib.dll
2008-03-04 23:43 . 2007-10-08 09:26 150,064 --a------ C:\Windows\System32\vmnat.exe
2008-03-04 23:43 . 2007-10-08 09:26 121,392 --a------ C:\Windows\System32\vmnetdhcp.exe
2008-03-04 23:43 . 2007-10-08 09:26 50,992 -ra------ C:\Windows\System32\vmnetbridge.dll
2008-03-04 23:43 . 2007-10-08 09:26 28,592 -ra------ C:\Windows\System32\drivers\vmnetbridge.sys
2008-03-04 23:43 . 2007-10-08 09:27 25,008 --a------ C:\Windows\System32\drivers\vmnetuserif.sys
2008-03-04 23:43 . 2007-10-08 09:26 17,712 -ra------ C:\Windows\System32\drivers\vmnet.sys
2008-03-04 23:43 . 2007-10-08 09:26 16,816 --a------ C:\Windows\System32\drivers\vmnetadapter.sys
2008-03-04 23:43 . 2007-10-08 09:26 13,104 --a------ C:\Windows\System32\vnetinst.dll
2008-03-04 23:41 . 2007-10-08 09:26 30,768 --a------ C:\Windows\System32\drivers\vmusb.sys
2008-03-04 23:41 . 2007-10-08 09:27 20,912 --a------ C:\Windows\System32\drivers\VMkbd.sys
2008-03-04 23:41 . 2008-03-04 23:41 1,024 --a------ C:\.rnd
2008-03-04 23:38 . 2008-03-08 12:25 <DIR> d-------- C:\Users\All Users\VMware
2008-03-04 23:38 . 2008-03-08 12:25 <DIR> d-------- C:\ProgramData\VMware
2008-03-04 23:37 . 2008-03-04 23:37 <DIR> d-------- C:\Program Files\VMware
2008-03-04 23:37 . 2008-03-04 23:37 <DIR> d-------- C:\Program Files\Common Files\VMware
2008-03-04 18:06 . 2008-03-04 18:12 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-03-04 18:06 . 2008-03-04 18:12 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-03-04 18:06 . 2008-03-04 18:08 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-03-04 18:06 . 2008-03-04 18:07 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-03-04 18:03 . 2008-03-04 18:03 <DIR> d-------- C:\Program Files\Microsoft SDKs
2008-03-04 17:56 . 2007-10-27 00:46 779,800 --a------ C:\Windows\System32\PresentationNative_v0300.dll
2008-03-04 17:56 . 2007-10-27 00:46 579,584 --a------ C:\Windows\System32\icardagt.exe
2008-03-04 17:56 . 2007-10-27 00:46 350,744 --a------ C:\Windows\System32\PresentationHost.exe
2008-03-04 17:56 . 2007-10-27 00:46 106,520 --a------ C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2008-03-04 17:56 . 2007-10-30 03:12 88,576 --a------ C:\Windows\System32\infocardapi.dll
2008-03-04 17:56 . 2007-10-27 00:46 33,304 --a------ C:\Windows\System32\PresentationHostProxy.dll
2008-03-04 17:56 . 2007-10-30 03:09 28,160 --a------ C:\Windows\System32\infocardcpl.cpl
2008-03-04 17:56 . 2007-10-27 00:46 11,776 --a------ C:\Windows\System32\icardres.dll
2008-03-04 17:45 . 2007-10-27 00:46 41,984 --a------ C:\Windows\System32\netfxperf.dll
2008-03-04 17:44 . 2007-10-27 00:46 158,720 --a------ C:\Windows\System32\mscorier.dll
2008-03-04 17:44 . 2007-10-27 00:46 84,480 --a------ C:\Windows\System32\mscories.dll
2008-03-04 17:43 . 2007-10-27 00:46 282,112 --a------ C:\Windows\System32\mscoree.dll
2008-03-04 17:43 . 2007-10-27 00:46 96,760 --a------ C:\Windows\System32\dfshim.dll
2008-03-03 17:14 . 2008-03-03 17:14 <DIR> d-------- C:\Program Files\WebSite eXtractor
2008-03-03 17:14 . 2008-03-03 17:14 <DIR> d-------- C:\Internet
2008-03-03 17:14 . 2008-03-03 17:14 <DIR> d-------- C:\install
2008-02-28 20:19 . 2008-02-28 20:19 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-02-28 14:12 . 2008-02-28 14:12 <DIR> d-------- C:\perflogs
2008-02-27 19:20 . 2008-02-27 19:20 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-27 19:20 . 2008-02-27 19:20 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-27 19:11 . 2008-02-27 19:11 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-02-27 19:10 . 2008-02-27 19:10 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-27 19:10 . 2008-02-27 19:10 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-02-27 19:10 . 2008-02-27 19:10 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-02-27 19:10 . 2008-02-27 19:10 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-02-27 19:10 . 2008-02-27 19:10 2,048 --a------ C:\Windows\System32\asferror.dll
2008-02-27 19:09 . 2008-02-27 19:09 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-02-27 19:08 . 2008-02-27 19:08 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
2008-02-27 19:08 . 2008-02-27 19:08 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
2008-02-27 19:08 . 2008-02-27 19:08 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
2008-02-27 19:08 . 2008-02-27 19:08 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
2008-02-27 19:06 . 2008-02-27 19:06 2,048 --a------ C:\Windows\System32\tzres.dll
2008-02-27 19:04 . 2008-02-27 19:04 1,831,424 --a------ C:\Windows\System32\inetcpl.cpl
2008-02-27 19:04 . 2008-02-27 19:04 56,320 --a------ C:\Windows\System32\iesetup.dll
2008-02-27 19:04 . 2008-02-27 19:04 26,624 --a------ C:\Windows\System32\ieUnatt.exe
2008-02-27 19:03 . 2008-02-27 19:03 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-02-21 23:49 . 2008-02-28 14:24 <DIR> d-------- C:\Program Files\ThumbNailer
2008-02-21 23:49 . 2008-02-21 23:49 <DIR> d-------- C:\Program Files\ClickPic
2008-02-19 17:32 . 2003-06-18 17:31 17,920 --a------ C:\Windows\System32\mdimon.dll
2008-02-19 17:29 . 2008-02-19 17:29 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-02-19 17:28 . 2008-02-19 17:28 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-19 17:27 . 2008-02-19 17:27 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-19 17:26 . 2008-02-19 17:26 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-19 17:19 . 2008-02-19 17:19 <DIR> dr-h----- C:\MSOCache
2008-02-10 21:14 . 2008-02-10 21:14 <DIR> d-------- C:\Program Files\Alex Feinman
2008-02-10 21:06 . 2008-02-10 21:06 <DIR> d-------- C:\Users\All Users\TrueCrypt
2008-02-10 21:06 . 2008-02-10 21:06 <DIR> d-------- C:\ProgramData\TrueCrypt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 23:41 --------- d-----w C:\Users\James H\AppData\Roaming\Skype
2008-03-07 20:45 --------- d-----w C:\Users\James H\AppData\Roaming\AVG7
2008-03-07 19:54 0 ----a-w C:\Windows\system32\drivers\lvuvc.hs
2008-03-07 18:42 53,768 ----a-w C:\Windows\system32\drivers\avgwfp.sys
2008-03-06 19:47 --------- d-----w C:\Users\James H\AppData\Roaming\uTorrent
2008-03-03 18:34 --------- d-----w C:\Users\James H\AppData\Roaming\TrueCrypt
2008-02-29 23:49 --------- d-----w C:\Users\James H\AppData\Roaming\LimeWire
2008-02-28 15:03 --------- d-----w C:\ProgramData\avg7
2008-02-28 12:22 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-28 12:22 --------- d-----w C:\Program Files\Windows Mail
2008-02-27 19:11 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-27 19:10 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-27 19:10 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-27 19:10 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-27 19:10 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-27 19:05 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-27 19:04 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 23:27 --------- d-----w C:\ProgramData\Kontiki
2008-02-17 13:59 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-10 20:12 225,344 ----a-w C:\Windows\system32\drivers\truecrypt.sys
2008-02-03 18:56 --------- d-----w C:\Program Files\UltraVNC
2008-02-02 22:37 --------- d-----w C:\Program Files\TrueCrypt
2008-01-30 22:32 --------- d-----w C:\Program Files\Bonjour
2008-01-30 16:38 --------- d-----w C:\ProgramData\FLEXnet
2008-01-30 16:27 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-01-29 15:55 --------- d-----w C:\Program Files\Microsoft FrontPage
2008-01-28 23:01 --------- d-----w C:\ProgramData\Bryxen Software
2008-01-28 23:01 --------- d-----w C:\Program Files\Bryxen Software
2008-01-24 19:20 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-23 23:19 --------- d-----w C:\ProgramData\Logishrd
2008-01-23 22:47 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-01-23 22:44 --------- d-----w C:\Program Files\Logitech
2008-01-23 20:16 --------- d-----w C:\Program Files\Google
2008-01-23 00:32 --------- d-----w C:\Program Files\iTunes
2008-01-23 00:32 --------- d-----w C:\Program Files\iPod
2008-01-23 00:31 --------- d-----w C:\Program Files\QuickTime
2008-01-17 23:47 --------- d-----w C:\Program Files\SecondLife
2008-01-09 19:57 --------- d-----w C:\Program Files\Huawei technologies
2008-01-04 22:03 139,264 ----a-w C:\Windows\War3Unin.exe
2007-11-01 09:47 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueCrypt"="C:\Program Files\TrueCrypt\TrueCrypt.exe" [2008-02-10 20:12 1060544]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"cmds"="C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll" [2008-03-07 21:00 316928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-11-01 09:40 1006264]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 16:50 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NvSvc"="RUNDLL32.exe" [2006-11-02 09:45 44544 C:\Windows\System32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2006-11-02 09:45 44544 C:\Windows\System32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-11-02 09:45 44544 C:\Windows\System32\rundll32.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-23 23:05 185896]
"BigDog303"="C:\Windows\VM303_STI.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-10-08 09:27 72240]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-10-08 09:26 55856]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-01 17:06 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-10-30 20:49 9216 C:\Windows\System32\avgwlntf.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{C4669F79-394B-4D03-AC25-1FE96F45305B}C:\wamp\apache2\bin\httpd.exe"= UDP:C:\wamp\apache2\bin\httpd.exe:Apache HTTP Server|Desc=Apache HTTP Server
"UDP Query User{24F44E27-6852-4D58-A00E-5FEAC5F03FF5}C:\wamp\apache2\bin\httpd.exe"= TCP:C:\wamp\apache2\bin\httpd.exe:Apache HTTP Server|Desc=Apache HTTP Server
"TCP Query User{F6E06608-4823-4971-A8AC-BE142B288B45}C:\program files\utorrent\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent|Desc=uTorrent
"UDP Query User{9847581E-3074-4BAC-BE7B-086D0CA6F8E1}C:\program files\utorrent\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent|Desc=uTorrent
"TCP Query User{2F220537-5754-4743-9C22-BB37D92A8D29}C:\program files\skype\phone\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath |Desc=Skype. Take a deep breath
"UDP Query User{B7ACB372-FA24-4D41-8BF4-72BCC10A1F96}C:\program files\skype\phone\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath |Desc=Skype. Take a deep breath
"TCP Query User{F1F9B3E8-2FE6-4D0E-A391-52C39626EB34}C:\program files\sopcast\sopcast.exe"= UDP:C:\program files\sopcast\sopcast.exe:SopCast Main Application|Desc=SopCast Main Application
"UDP Query User{A8AB3115-0125-4B2B-B2DE-D60DA9963C35}C:\program files\sopcast\sopcast.exe"= TCP:C:\program files\sopcast\sopcast.exe:SopCast Main Application|Desc=SopCast Main Application
"{F5D5A759-DD80-45ED-84E5-4A3598E9D542}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{8A684CBD-2C1D-4508-8B95-F6A18D5EFDB1}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{2BE81018-3EF0-4C63-8D8D-10B8AD071200}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{54A50C0F-CE9B-4CA4-BA0F-B1729FFF3545}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{4164CA47-2D5B-41CD-907B-35727EB547D2}C:\program files\mozilla firefox\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox|Desc=Firefox
"UDP Query User{ECB7B0B8-D5B6-439E-88C0-B2E23AB5F8C4}C:\program files\mozilla firefox\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox|Desc=Firefox
"TCP Query User{D31DC342-389B-4A09-A92E-26010DDE6AF0}C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe"= UDP:C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe|Desc=sopadver.exe
"UDP Query User{09F3EA87-C19D-4F8F-A6C5-438432F3A26B}C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe"= TCP:C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe|Desc=sopadver.exe
"TCP Query User{3753178E-2986-4A94-A4C7-21C243F0F10B}C:\program files\sopcast\sopvod.exe"= UDP:C:\program files\sopcast\sopvod.exe:sopvod|Desc=sopvod
"UDP Query User{9A97A960-5C36-4AFF-9D10-BE33ED509D9E}C:\program files\sopcast\sopvod.exe"= TCP:C:\program files\sopcast\sopvod.exe:sopvod|Desc=sopvod
"TCP Query User{EC991A72-6B88-4498-B168-C0430E6044D9}C:\program files\sopcast\adv\sopadver.exe"= UDP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver|Desc=SopCast Adver
"UDP Query User{D2E9BBD8-BA9E-4369-94C8-2A4265871A78}C:\program files\sopcast\adv\sopadver.exe"= TCP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver|Desc=SopCast Adver
"TCP Query User{411CA4DD-2E15-4A42-9201-1D18027A3A40}C:\program files\internet explorer\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"UDP Query User{BFC6BCB5-DFA4-4633-BD7B-4CA315A5A51E}C:\program files\internet explorer\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"TCP Query User{D1A44D53-1E91-4412-81B4-5F7E991F4908}C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe"= UDP:C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe:wow-2.0.0-engb-installer-downloader.exe|Desc=wow-2.0.0-engb-installer-downloader.exe
"UDP Query User{B42AA4AC-E209-497E-AF00-6DFAF566D198}C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe"= TCP:C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe:wow-2.0.0-engb-installer-downloader.exe|Desc=wow-2.0.0-engb-installer-downloader.exe
"TCP Query User{366D5331-9967-4E94-B46D-8B307CCFC16C}C:\program files\macromedia\dreamweaver 8\dreamweaver.exe"= UDP:C:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8|Desc=Dreamweaver 8
"UDP Query User{FB4A7B34-BF08-4C6F-B791-ED9D1B971D09}C:\program files\macromedia\dreamweaver 8\dreamweaver.exe"= TCP:C:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8|Desc=Dreamweaver 8
"TCP Query User{22CB88CA-D4A9-47A9-B69E-A5CD1687036D}C:\program files\warcraft iii\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"UDP Query User{2CF3F85A-5090-4DA1-9F59-D74906F79EA9}C:\program files\warcraft iii\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"{217BED0E-8015-4316-9A69-104D58656223}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{FA1438C6-6D59-45A6-B540-699CD3CC1DAE}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{CDE4319F-2EF2-4D97-B865-0E9A87A7EAA2}C:\users\james h\program files\utorrent\utorrent.exe"= UDP:C:\users\james h\program files\utorrent\utorrent.exe:utorrent.exe|Desc=utorrent.exe
"UDP Query User{F1088B9C-0574-45B5-A654-381A50341A84}C:\users\james h\program files\utorrent\utorrent.exe"= TCP:C:\users\james h\program files\utorrent\utorrent.exe:utorrent.exe|Desc=utorrent.exe
"{05E4F880-CA47-4E4D-8100-2113A054FCF7}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{1759AFEE-FE92-4E72-AF26-6C24D819379E}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{7CF431A1-0D23-4842-B2F3-AC0FFF73D7AD}C:\program files\ultravnc\winvnc.exe"= UDP:C:\program files\ultravnc\winvnc.exe:VNC server for Win32|Desc=VNC server for Win32
"UDP Query User{D3C1C2CF-ACFF-49D4-8571-602D27C52440}C:\program files\ultravnc\winvnc.exe"= TCP:C:\program files\ultravnc\winvnc.exe:VNC server for Win32|Desc=VNC server for Win32
"TCP Query User{2D7B2751-D702-415A-BBC7-6A1AACFAD6A2}C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe"= UDP:C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3|Desc=Adobe Dreamweaver CS3
"UDP Query User{9B9656A2-9EEA-4831-AA02-5F818E80B8D4}C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe"= TCP:C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3|Desc=Adobe Dreamweaver CS3
"{E3A407C9-7241-40AB-89EA-509D49DC069E}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)|Edge=TRUE|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 hotcore3;hotcore3;C:\Windows\system32\drivers\hotcore3.sys [2007-03-07 13:27]
R1 moufiltr;ENERGY SISTEM Mouse Filter Driver;C:\Windows\system32\DRIVERS\moufiltr.sys [2007-11-09 11:52]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-07 18:42]
S3 vmfilter303;vmfilter303;C:\Windows\system32\drivers\vmfilter303.sys [2006-04-25 10:57]
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe [2007-05-04 10:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\shell\AutoRun\command - I:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16af0e31-cd93-11dc-8921-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16af0e33-cd93-11dc-8921-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19ac3d54-885f-11dc-8254-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19ac3d72-885f-11dc-8254-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e43f2b2-a5a3-11dc-9de5-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58027b57-bec3-11dc-a77d-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58027b72-bec3-11dc-a77d-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b78749c-92c4-11dc-bf9c-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f10839c-eab4-11dc-949d-005056c00008}]
\shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c34c9dee-b799-11dc-bd06-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c34c9df0-b799-11dc-bd06-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94a1d09-87df-11dc-9a5b-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94a1d24-87df-11dc-9a5b-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94a2b22-87df-11dc-9a5b-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc33e5a1-be21-11dc-a231-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-08 09:51:49 C:\Windows\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 20:18:11
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]
-> C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll
.
Completion time: 2008-03-08 20:26:22
.
2008-03-08 19:39:01 --- E O F ---


This is the HijackThis one

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:45:25, on 08/03/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDog303] C:\Windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{467DACD0-FE46-4442-9DB9-588B8D625A92}: NameServer = 213.233.128.1 213.233.128.19
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10534 bytes

Looking forward to your reply :)
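The two logs in the post above show the same persistence pattern from two angles: an HKCU Run value named cmds that starts rundll32.exe with a DLL sitting in the user's Temp folder (the HijackThis O4 line and the ComboFix REGEDIT4 entry), and ComboFix's "DLLs Loaded Under Running Processes" block showing that DLL mapped into Explorer.exe, which is why a plain delete fails while Explorer is running. The script below is an added triage example written for this page; it is not code from the thread and not part of HijackThis or ComboFix. It parses those three line formats, flags Run entries whose target lives in a user-writable directory, and reports which processes hold the file. The sample lines are constructed from the formats above, and the function names and heuristics (user-writable path, DLL via rundll32, one-character export name) are my own assumptions, not a documented detection rule of either tool.

```python
"""Triage HijackThis / ComboFix autorun lines for DLLs run from user-writable
paths and match them against ComboFix's loaded-DLL listing.

Added example for this page; not code from the thread or from either tool.
The heuristics and the sample lines below are assumptions / constructed data."""
import re
from dataclasses import dataclass, field

# Constructed sample assembled from the three line formats seen in the logs
# above (HJT O4 lines, ComboFix REGEDIT4 Run values, ComboFix PROCESS/-> block).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll,c
"TrueCrypt"="C:\Program Files\TrueCrypt\TrueCrypt.exe" [2008-02-10 20:12 1060544]
"cmds"="C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll" [2008-03-07 21:00 316928]
PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]
-> C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll
"""

HJT_O4 = re.compile(r'^O4 - (?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
CF_RUN = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]+)"')
CF_PROC = re.compile(r'^PROCESS: (?P<proc>\S+)')
CF_DLL = re.compile(r'^-> (?P<path>.+)$')
RUNDLL = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<dll>[^,]+?)(?:,(?P<export>\S*))?$', re.I)
# Locations a non-admin user can write to. Vendor autoruns that use rundll32
# (NvCpl.dll from system32) are normal; a DLL under %TEMP% is not.
USER_WRITABLE = re.compile(r'\\(?:AppData\\(?:Local|Roaming)|Temp|Users\\[^\\]+\\Downloads)\\', re.I)


@dataclass
class Finding:
    source: str            # 'hjt' or 'combofix'
    name: str              # Run value name
    target: str            # file actually loaded or started
    reasons: list = field(default_factory=list)
    loaded_by: list = field(default_factory=list)   # processes holding the file mapped


def launch_target(cmd):
    """Return (path, export): the file a Run command really loads. export is the
    rundll32 entry point, or None when the command is an ordinary executable."""
    cmd = cmd.strip()
    m = RUNDLL.match(cmd)
    if m:
        return m.group('dll').strip(), (m.group('export') or '')
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0], None
    return cmd.split()[0], None


def assess(target, export=None):
    """Reasons a Run entry deserves a look; an empty list means it looks ordinary."""
    m = USER_WRITABLE.search(target)
    if not m:
        return []
    reasons = ['target lives in a user-writable directory (%s)' % m.group(0).strip('\\')]
    if target.lower().endswith('.dll'):
        reasons.append('Run value loads a DLL through rundll32 instead of starting an .exe')
    if export is not None and len(export) <= 1:
        reasons.append('rundll32 export name %r is a single character' % export)
    return reasons


def triage(log_text):
    findings, loaded, current_proc = [], {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := HJT_O4.match(line)):
            target, export = launch_target(m.group('cmd'))
            if reasons := assess(target, export):
                findings.append(Finding('hjt', m.group('name'), target, reasons))
        elif (m := CF_RUN.match(line)):
            # ComboFix already resolved the value to the file it loads
            if reasons := assess(m.group('target')):
                findings.append(Finding('combofix', m.group('name'), m.group('target'), reasons))
        elif (m := CF_PROC.match(line)):
            current_proc = m.group('proc')
        elif current_proc and (m := CF_DLL.match(line)):
            loaded.setdefault(m.group('path').strip().lower(), []).append(current_proc)
    for f in findings:
        # A mapped image section cannot be unlinked on Windows; this is why "delete" fails.
        f.loaded_by = loaded.get(f.target.lower(), [])
    return findings


def render(findings):
    out = []
    for f in findings:
        out.append('[%s] %s -> %s' % (f.source, f.name, f.target))
        out += ['    - ' + r for r in f.reasons]
        if f.loaded_by:
            out.append('    - mapped into: ' + ', '.join(f.loaded_by) + ' (end these before deleting)')
    return '\n'.join(out) or 'nothing flagged'


if __name__ == '__main__':
    print(render(triage(SAMPLE_LOG)))
```

For a real log, pass the file contents to triage(); the script reads nothing from the registry and changes nothing. The loaded_by field is the practical point: a DLL mapped into Explorer.exe is locked as an image section, so the file cannot be removed until the Run value is gone and the process that loaded it has exited, which is why the file reappears in use after every attempt.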

#8
lukee (Topic Starter, New Member, 9 posts)
Hi Sarah,

Thanks a million for your help. You're as good. I hope I have done the things you asked me the right way. I've included the two logs as requested. The file I was telling you about originally seems to have gone out of the temp folder, but there is another new baddy, ssqro.dll; Spybot is going mad with that one now. Will I just keep denying its access to the system startup registry? It just keeps popping up.

Anyway, thanks again.

Luke

Here's my ComboFix log:

ComboFix 08-03-07.4 - James H 2008-03-08 20:09:00.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.852 [GMT 0:00]
Running from: C:\Users\James H\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-08 19:53 . 2008-03-08 19:53 <DIR> d-------- C:\ComboFix(2)
2008-03-07 20:54 . 2008-03-07 20:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-07 20:37 . 2008-01-04 20:34 163,696 --a------ C:\Windows\System32\drivers\ssidrv.sys
2008-03-07 20:37 . 2008-01-04 20:34 23,920 --a------ C:\Windows\System32\drivers\sskbfd.sys
2008-03-07 20:37 . 2008-01-04 20:34 20,336 --a------ C:\Windows\System32\drivers\SSFS0BB9.sys
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\Users\James H\AppData\Roaming\Webroot
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\Users\All Users\Webroot
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\ProgramData\Webroot
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\Program Files\Webroot
2008-03-07 20:36 . 2008-01-04 20:56 1,526,640 --a------ C:\Windows\WRSetup.dll
2008-03-07 20:36 . 2008-01-04 20:34 21,872 --a------ C:\Windows\System32\drivers\sshrmd.sys
2008-03-07 20:32 . 2008-03-07 20:32 164 --a------ C:\install.dat
2008-03-07 00:47 . 2008-03-07 00:47 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-06 19:52 . 2008-03-06 20:31 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-03-06 19:52 . 2008-03-06 20:31 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-03-06 19:52 . 2008-03-06 19:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-06 16:51 . 2008-03-06 16:54 <DIR> d-------- C:\Program Files\Windows Live
2008-03-06 16:51 . 2008-03-06 16:54 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-06 16:50 . 2008-03-06 16:50 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-03-06 16:50 . 2008-03-06 16:50 <DIR> d-------- C:\ProgramData\WLInstaller
2008-03-06 13:32 . 2008-03-06 13:32 <DIR> d--hs---- C:\found.000
2008-03-05 10:46 . 2008-03-08 12:24 <DIR> d-------- C:\Users\James H\AppData\Roaming\VMware
2008-03-04 23:43 . 2007-10-08 09:27 436,784 --a------ C:\Windows\System32\vnetlib.dll
2008-03-04 23:43 . 2007-10-08 09:26 150,064 --a------ C:\Windows\System32\vmnat.exe
2008-03-04 23:43 . 2007-10-08 09:26 121,392 --a------ C:\Windows\System32\vmnetdhcp.exe
2008-03-04 23:43 . 2007-10-08 09:26 50,992 -ra------ C:\Windows\System32\vmnetbridge.dll
2008-03-04 23:43 . 2007-10-08 09:26 28,592 -ra------ C:\Windows\System32\drivers\vmnetbridge.sys
2008-03-04 23:43 . 2007-10-08 09:27 25,008 --a------ C:\Windows\System32\drivers\vmnetuserif.sys
2008-03-04 23:43 . 2007-10-08 09:26 17,712 -ra------ C:\Windows\System32\drivers\vmnet.sys
2008-03-04 23:43 . 2007-10-08 09:26 16,816 --a------ C:\Windows\System32\drivers\vmnetadapter.sys
2008-03-04 23:43 . 2007-10-08 09:26 13,104 --a------ C:\Windows\System32\vnetinst.dll
2008-03-04 23:41 . 2007-10-08 09:26 30,768 --a------ C:\Windows\System32\drivers\vmusb.sys
2008-03-04 23:41 . 2007-10-08 09:27 20,912 --a------ C:\Windows\System32\drivers\VMkbd.sys
2008-03-04 23:41 . 2008-03-04 23:41 1,024 --a------ C:\.rnd
2008-03-04 23:38 . 2008-03-08 12:25 <DIR> d-------- C:\Users\All Users\VMware
2008-03-04 23:38 . 2008-03-08 12:25 <DIR> d-------- C:\ProgramData\VMware
2008-03-04 23:37 . 2008-03-04 23:37 <DIR> d-------- C:\Program Files\VMware
2008-03-04 23:37 . 2008-03-04 23:37 <DIR> d-------- C:\Program Files\Common Files\VMware
2008-03-04 18:06 . 2008-03-04 18:12 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-03-04 18:06 . 2008-03-04 18:12 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-03-04 18:06 . 2008-03-04 18:08 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-03-04 18:06 . 2008-03-04 18:07 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-03-04 18:03 . 2008-03-04 18:03 <DIR> d-------- C:\Program Files\Microsoft SDKs
2008-03-04 17:56 . 2007-10-27 00:46 779,800 --a------ C:\Windows\System32\PresentationNative_v0300.dll
2008-03-04 17:56 . 2007-10-27 00:46 579,584 --a------ C:\Windows\System32\icardagt.exe
2008-03-04 17:56 . 2007-10-27 00:46 350,744 --a------ C:\Windows\System32\PresentationHost.exe
2008-03-04 17:56 . 2007-10-27 00:46 106,520 --a------ C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2008-03-04 17:56 . 2007-10-30 03:12 88,576 --a------ C:\Windows\System32\infocardapi.dll
2008-03-04 17:56 . 2007-10-27 00:46 33,304 --a------ C:\Windows\System32\PresentationHostProxy.dll
2008-03-04 17:56 . 2007-10-30 03:09 28,160 --a------ C:\Windows\System32\infocardcpl.cpl
2008-03-04 17:56 . 2007-10-27 00:46 11,776 --a------ C:\Windows\System32\icardres.dll
2008-03-04 17:45 . 2007-10-27 00:46 41,984 --a------ C:\Windows\System32\netfxperf.dll
2008-03-04 17:44 . 2007-10-27 00:46 158,720 --a------ C:\Windows\System32\mscorier.dll
2008-03-04 17:44 . 2007-10-27 00:46 84,480 --a------ C:\Windows\System32\mscories.dll
2008-03-04 17:43 . 2007-10-27 00:46 282,112 --a------ C:\Windows\System32\mscoree.dll
2008-03-04 17:43 . 2007-10-27 00:46 96,760 --a------ C:\Windows\System32\dfshim.dll
2008-03-03 17:14 . 2008-03-03 17:14 <DIR> d-------- C:\Program Files\WebSite eXtractor
2008-03-03 17:14 . 2008-03-03 17:14 <DIR> d-------- C:\Internet
2008-03-03 17:14 . 2008-03-03 17:14 <DIR> d-------- C:\install
2008-02-28 20:19 . 2008-02-28 20:19 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-02-28 14:12 . 2008-02-28 14:12 <DIR> d-------- C:\perflogs
2008-02-27 19:20 . 2008-02-27 19:20 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-27 19:20 . 2008-02-27 19:20 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-27 19:11 . 2008-02-27 19:11 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-02-27 19:10 . 2008-02-27 19:10 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-27 19:10 . 2008-02-27 19:10 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-02-27 19:10 . 2008-02-27 19:10 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-02-27 19:10 . 2008-02-27 19:10 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-02-27 19:10 . 2008-02-27 19:10 2,048 --a------ C:\Windows\System32\asferror.dll
2008-02-27 19:09 . 2008-02-27 19:09 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-02-27 19:08 . 2008-02-27 19:08 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
2008-02-27 19:08 . 2008-02-27 19:08 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
2008-02-27 19:08 . 2008-02-27 19:08 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
2008-02-27 19:08 . 2008-02-27 19:08 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
2008-02-27 19:06 . 2008-02-27 19:06 2,048 --a------ C:\Windows\System32\tzres.dll
2008-02-27 19:04 . 2008-02-27 19:04 1,831,424 --a------ C:\Windows\System32\inetcpl.cpl
2008-02-27 19:04 . 2008-02-27 19:04 56,320 --a------ C:\Windows\System32\iesetup.dll
2008-02-27 19:04 . 2008-02-27 19:04 26,624 --a------ C:\Windows\System32\ieUnatt.exe
2008-02-27 19:03 . 2008-02-27 19:03 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-02-21 23:49 . 2008-02-28 14:24 <DIR> d-------- C:\Program Files\ThumbNailer
2008-02-21 23:49 . 2008-02-21 23:49 <DIR> d-------- C:\Program Files\ClickPic
2008-02-19 17:32 . 2003-06-18 17:31 17,920 --a------ C:\Windows\System32\mdimon.dll
2008-02-19 17:29 . 2008-02-19 17:29 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-02-19 17:28 . 2008-02-19 17:28 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-19 17:27 . 2008-02-19 17:27 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-19 17:26 . 2008-02-19 17:26 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-19 17:19 . 2008-02-19 17:19 <DIR> dr-h----- C:\MSOCache
2008-02-10 21:14 . 2008-02-10 21:14 <DIR> d-------- C:\Program Files\Alex Feinman
2008-02-10 21:06 . 2008-02-10 21:06 <DIR> d-------- C:\Users\All Users\TrueCrypt
2008-02-10 21:06 . 2008-02-10 21:06 <DIR> d-------- C:\ProgramData\TrueCrypt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 23:41 --------- d-----w C:\Users\James H\AppData\Roaming\Skype
2008-03-07 20:45 --------- d-----w C:\Users\James H\AppData\Roaming\AVG7
2008-03-07 19:54 0 ----a-w C:\Windows\system32\drivers\lvuvc.hs
2008-03-07 18:42 53,768 ----a-w C:\Windows\system32\drivers\avgwfp.sys
2008-03-06 19:47 --------- d-----w C:\Users\James H\AppData\Roaming\uTorrent
2008-03-03 18:34 --------- d-----w C:\Users\James H\AppData\Roaming\TrueCrypt
2008-02-29 23:49 --------- d-----w C:\Users\James H\AppData\Roaming\LimeWire
2008-02-28 15:03 --------- d-----w C:\ProgramData\avg7
2008-02-28 12:22 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-28 12:22 --------- d-----w C:\Program Files\Windows Mail
2008-02-27 19:11 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-27 19:10 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-27 19:10 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-27 19:10 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-27 19:10 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-27 19:05 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-27 19:04 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 23:27 --------- d-----w C:\ProgramData\Kontiki
2008-02-17 13:59 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-10 20:12 225,344 ----a-w C:\Windows\system32\drivers\truecrypt.sys
2008-02-03 18:56 --------- d-----w C:\Program Files\UltraVNC
2008-02-02 22:37 --------- d-----w C:\Program Files\TrueCrypt
2008-01-30 22:32 --------- d-----w C:\Program Files\Bonjour
2008-01-30 16:38 --------- d-----w C:\ProgramData\FLEXnet
2008-01-30 16:27 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-01-29 15:55 --------- d-----w C:\Program Files\Microsoft FrontPage
2008-01-28 23:01 --------- d-----w C:\ProgramData\Bryxen Software
2008-01-28 23:01 --------- d-----w C:\Program Files\Bryxen Software
2008-01-24 19:20 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-23 23:19 --------- d-----w C:\ProgramData\Logishrd
2008-01-23 22:47 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-01-23 22:44 --------- d-----w C:\Program Files\Logitech
2008-01-23 20:16 --------- d-----w C:\Program Files\Google
2008-01-23 00:32 --------- d-----w C:\Program Files\iTunes
2008-01-23 00:32 --------- d-----w C:\Program Files\iPod
2008-01-23 00:31 --------- d-----w C:\Program Files\QuickTime
2008-01-17 23:47 --------- d-----w C:\Program Files\SecondLife
2008-01-09 19:57 --------- d-----w C:\Program Files\Huawei technologies
2008-01-04 22:03 139,264 ----a-w C:\Windows\War3Unin.exe
2007-11-01 09:47 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueCrypt"="C:\Program Files\TrueCrypt\TrueCrypt.exe" [2008-02-10 20:12 1060544]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"cmds"="C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll" [2008-03-07 21:00 316928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-11-01 09:40 1006264]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 16:50 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NvSvc"="RUNDLL32.exe" [2006-11-02 09:45 44544 C:\Windows\System32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2006-11-02 09:45 44544 C:\Windows\System32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-11-02 09:45 44544 C:\Windows\System32\rundll32.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-23 23:05 185896]
"BigDog303"="C:\Windows\VM303_STI.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-10-08 09:27 72240]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-10-08 09:26 55856]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-01 17:06 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-10-30 20:49 9216 C:\Windows\System32\avgwlntf.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{C4669F79-394B-4D03-AC25-1FE96F45305B}C:\wamp\apache2\bin\httpd.exe"= UDP:C:\wamp\apache2\bin\httpd.exe:Apache HTTP Server|Desc=Apache HTTP Server
"UDP Query User{24F44E27-6852-4D58-A00E-5FEAC5F03FF5}C:\wamp\apache2\bin\httpd.exe"= TCP:C:\wamp\apache2\bin\httpd.exe:Apache HTTP Server|Desc=Apache HTTP Server
"TCP Query User{F6E06608-4823-4971-A8AC-BE142B288B45}C:\program files\utorrent\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent|Desc=uTorrent
"UDP Query User{9847581E-3074-4BAC-BE7B-086D0CA6F8E1}C:\program files\utorrent\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent|Desc=uTorrent
"TCP Query User{2F220537-5754-4743-9C22-BB37D92A8D29}C:\program files\skype\phone\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath |Desc=Skype. Take a deep breath
"UDP Query User{B7ACB372-FA24-4D41-8BF4-72BCC10A1F96}C:\program files\skype\phone\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath |Desc=Skype. Take a deep breath
"TCP Query User{F1F9B3E8-2FE6-4D0E-A391-52C39626EB34}C:\program files\sopcast\sopcast.exe"= UDP:C:\program files\sopcast\sopcast.exe:SopCast Main Application|Desc=SopCast Main Application
"UDP Query User{A8AB3115-0125-4B2B-B2DE-D60DA9963C35}C:\program files\sopcast\sopcast.exe"= TCP:C:\program files\sopcast\sopcast.exe:SopCast Main Application|Desc=SopCast Main Application
"{F5D5A759-DD80-45ED-84E5-4A3598E9D542}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{8A684CBD-2C1D-4508-8B95-F6A18D5EFDB1}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{2BE81018-3EF0-4C63-8D8D-10B8AD071200}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{54A50C0F-CE9B-4CA4-BA0F-B1729FFF3545}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{4164CA47-2D5B-41CD-907B-35727EB547D2}C:\program files\mozilla firefox\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox|Desc=Firefox
"UDP Query User{ECB7B0B8-D5B6-439E-88C0-B2E23AB5F8C4}C:\program files\mozilla firefox\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox|Desc=Firefox
"TCP Query User{D31DC342-389B-4A09-A92E-26010DDE6AF0}C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe"= UDP:C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe|Desc=sopadver.exe
"UDP Query User{09F3EA87-C19D-4F8F-A6C5-438432F3A26B}C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe"= TCP:C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe|Desc=sopadver.exe
"TCP Query User{3753178E-2986-4A94-A4C7-21C243F0F10B}C:\program files\sopcast\sopvod.exe"= UDP:C:\program files\sopcast\sopvod.exe:sopvod|Desc=sopvod
"UDP Query User{9A97A960-5C36-4AFF-9D10-BE33ED509D9E}C:\program files\sopcast\sopvod.exe"= TCP:C:\program files\sopcast\sopvod.exe:sopvod|Desc=sopvod
"TCP Query User{EC991A72-6B88-4498-B168-C0430E6044D9}C:\program files\sopcast\adv\sopadver.exe"= UDP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver|Desc=SopCast Adver
"UDP Query User{D2E9BBD8-BA9E-4369-94C8-2A4265871A78}C:\program files\sopcast\adv\sopadver.exe"= TCP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver|Desc=SopCast Adver
"TCP Query User{411CA4DD-2E15-4A42-9201-1D18027A3A40}C:\program files\internet explorer\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"UDP Query User{BFC6BCB5-DFA4-4633-BD7B-4CA315A5A51E}C:\program files\internet explorer\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"TCP Query User{D1A44D53-1E91-4412-81B4-5F7E991F4908}C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe"= UDP:C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe:wow-2.0.0-engb-installer-downloader.exe|Desc=wow-2.0.0-engb-installer-downloader.exe
"UDP Query User{B42AA4AC-E209-497E-AF00-6DFAF566D198}C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe"= TCP:C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe:wow-2.0.0-engb-installer-downloader.exe|Desc=wow-2.0.0-engb-installer-downloader.exe
"TCP Query User{366D5331-9967-4E94-B46D-8B307CCFC16C}C:\program files\macromedia\dreamweaver 8\dreamweaver.exe"= UDP:C:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8|Desc=Dreamweaver 8
"UDP Query User{FB4A7B34-BF08-4C6F-B791-ED9D1B971D09}C:\program files\macromedia\dreamweaver 8\dreamweaver.exe"= TCP:C:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8|Desc=Dreamweaver 8
"TCP Query User{22CB88CA-D4A9-47A9-B69E-A5CD1687036D}C:\program files\warcraft iii\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"UDP Query User{2CF3F85A-5090-4DA1-9F59-D74906F79EA9}C:\program files\warcraft iii\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"{217BED0E-8015-4316-9A69-104D58656223}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{FA1438C6-6D59-45A6-B540-699CD3CC1DAE}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{CDE4319F-2EF2-4D97-B865-0E9A87A7EAA2}C:\users\james h\program files\utorrent\utorrent.exe"= UDP:C:\users\james h\program files\utorrent\utorrent.exe:utorrent.exe|Desc=utorrent.exe
"UDP Query User{F1088B9C-0574-45B5-A654-381A50341A84}C:\users\james h\program files\utorrent\utorrent.exe"= TCP:C:\users\james h\program files\utorrent\utorrent.exe:utorrent.exe|Desc=utorrent.exe
"{05E4F880-CA47-4E4D-8100-2113A054FCF7}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{1759AFEE-FE92-4E72-AF26-6C24D819379E}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{7CF431A1-0D23-4842-B2F3-AC0FFF73D7AD}C:\program files\ultravnc\winvnc.exe"= UDP:C:\program files\ultravnc\winvnc.exe:VNC server for Win32|Desc=VNC server for Win32
"UDP Query User{D3C1C2CF-ACFF-49D4-8571-602D27C52440}C:\program files\ultravnc\winvnc.exe"= TCP:C:\program files\ultravnc\winvnc.exe:VNC server for Win32|Desc=VNC server for Win32
"TCP Query User{2D7B2751-D702-415A-BBC7-6A1AACFAD6A2}C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe"= UDP:C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3|Desc=Adobe Dreamweaver CS3
"UDP Query User{9B9656A2-9EEA-4831-AA02-5F818E80B8D4}C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe"= TCP:C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3|Desc=Adobe Dreamweaver CS3
"{E3A407C9-7241-40AB-89EA-509D49DC069E}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)|Edge=TRUE|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 hotcore3;hotcore3;C:\Windows\system32\drivers\hotcore3.sys [2007-03-07 13:27]
R1 moufiltr;ENERGY SISTEM Mouse Filter Driver;C:\Windows\system32\DRIVERS\moufiltr.sys [2007-11-09 11:52]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-07 18:42]
S3 vmfilter303;vmfilter303;C:\Windows\system32\drivers\vmfilter303.sys [2006-04-25 10:57]
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe [2007-05-04 10:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\shell\AutoRun\command - I:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16af0e31-cd93-11dc-8921-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16af0e33-cd93-11dc-8921-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19ac3d54-885f-11dc-8254-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19ac3d72-885f-11dc-8254-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e43f2b2-a5a3-11dc-9de5-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58027b57-bec3-11dc-a77d-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58027b72-bec3-11dc-a77d-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b78749c-92c4-11dc-bf9c-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f10839c-eab4-11dc-949d-005056c00008}]
\shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c34c9dee-b799-11dc-bd06-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c34c9df0-b799-11dc-bd06-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94a1d09-87df-11dc-9a5b-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94a1d24-87df-11dc-9a5b-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94a2b22-87df-11dc-9a5b-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc33e5a1-be21-11dc-a231-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-08 09:51:49 C:\Windows\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 20:18:11
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]
-> C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll
.
Completion time: 2008-03-08 20:26:22
.
2008-03-08 19:39:01 --- E O F ---


This is the HijackThis one

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:45:25, on 08/03/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDog303] C:\Windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{467DACD0-FE46-4442-9DB9-588B8D625A92}: NameServer = 213.233.128.1 213.233.128.19
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10534 bytes

Looking forward to your reply :)

#9
lukee

    New Member

  • Topic Starter
  • Member
  • 9 posts
Hi Sarah,

Thanks a million for your help. You're as good. I hope I have done the things you asked me the right way. I've included the two logs as requested. The file I was telling you about originally seems to have gone out of the temp folder, but there is another new baddy, ssqro.dll; Spybot is going mad with that one now. Will I just keep denying its access to the system startup registry? It just keeps popping up.

Anyways, thanks again

Luke

Here's my ComboFix log

ComboFix 08-03-07.4 - James H 2008-03-08 20:09:00.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.852 [GMT 0:00]
Running from: C:\Users\James H\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-08 19:53 . 2008-03-08 19:53 <DIR> d-------- C:\ComboFix(2)
2008-03-07 20:54 . 2008-03-07 20:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-07 20:37 . 2008-01-04 20:34 163,696 --a------ C:\Windows\System32\drivers\ssidrv.sys
2008-03-07 20:37 . 2008-01-04 20:34 23,920 --a------ C:\Windows\System32\drivers\sskbfd.sys
2008-03-07 20:37 . 2008-01-04 20:34 20,336 --a------ C:\Windows\System32\drivers\SSFS0BB9.sys
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\Users\James H\AppData\Roaming\Webroot
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\Users\All Users\Webroot
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\ProgramData\Webroot
2008-03-07 20:36 . 2008-03-07 20:36 <DIR> d-------- C:\Program Files\Webroot
2008-03-07 20:36 . 2008-01-04 20:56 1,526,640 --a------ C:\Windows\WRSetup.dll
2008-03-07 20:36 . 2008-01-04 20:34 21,872 --a------ C:\Windows\System32\drivers\sshrmd.sys
2008-03-07 20:32 . 2008-03-07 20:32 164 --a------ C:\install.dat
2008-03-07 00:47 . 2008-03-07 00:47 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-06 19:52 . 2008-03-06 20:31 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-03-06 19:52 . 2008-03-06 20:31 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-03-06 19:52 . 2008-03-06 19:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-06 16:51 . 2008-03-06 16:54 <DIR> d-------- C:\Program Files\Windows Live
2008-03-06 16:51 . 2008-03-06 16:54 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-06 16:50 . 2008-03-06 16:50 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-03-06 16:50 . 2008-03-06 16:50 <DIR> d-------- C:\ProgramData\WLInstaller
2008-03-06 13:32 . 2008-03-06 13:32 <DIR> d--hs---- C:\found.000
2008-03-05 10:46 . 2008-03-08 12:24 <DIR> d-------- C:\Users\James H\AppData\Roaming\VMware
2008-03-04 23:43 . 2007-10-08 09:27 436,784 --a------ C:\Windows\System32\vnetlib.dll
2008-03-04 23:43 . 2007-10-08 09:26 150,064 --a------ C:\Windows\System32\vmnat.exe
2008-03-04 23:43 . 2007-10-08 09:26 121,392 --a------ C:\Windows\System32\vmnetdhcp.exe
2008-03-04 23:43 . 2007-10-08 09:26 50,992 -ra------ C:\Windows\System32\vmnetbridge.dll
2008-03-04 23:43 . 2007-10-08 09:26 28,592 -ra------ C:\Windows\System32\drivers\vmnetbridge.sys
2008-03-04 23:43 . 2007-10-08 09:27 25,008 --a------ C:\Windows\System32\drivers\vmnetuserif.sys
2008-03-04 23:43 . 2007-10-08 09:26 17,712 -ra------ C:\Windows\System32\drivers\vmnet.sys
2008-03-04 23:43 . 2007-10-08 09:26 16,816 --a------ C:\Windows\System32\drivers\vmnetadapter.sys
2008-03-04 23:43 . 2007-10-08 09:26 13,104 --a------ C:\Windows\System32\vnetinst.dll
2008-03-04 23:41 . 2007-10-08 09:26 30,768 --a------ C:\Windows\System32\drivers\vmusb.sys
2008-03-04 23:41 . 2007-10-08 09:27 20,912 --a------ C:\Windows\System32\drivers\VMkbd.sys
2008-03-04 23:41 . 2008-03-04 23:41 1,024 --a------ C:\.rnd
2008-03-04 23:38 . 2008-03-08 12:25 <DIR> d-------- C:\Users\All Users\VMware
2008-03-04 23:38 . 2008-03-08 12:25 <DIR> d-------- C:\ProgramData\VMware
2008-03-04 23:37 . 2008-03-04 23:37 <DIR> d-------- C:\Program Files\VMware
2008-03-04 23:37 . 2008-03-04 23:37 <DIR> d-------- C:\Program Files\Common Files\VMware
2008-03-04 18:06 . 2008-03-04 18:12 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-03-04 18:06 . 2008-03-04 18:12 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-03-04 18:06 . 2008-03-04 18:08 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-03-04 18:06 . 2008-03-04 18:07 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-03-04 18:03 . 2008-03-04 18:03 <DIR> d-------- C:\Program Files\Microsoft SDKs
2008-03-04 17:56 . 2007-10-27 00:46 779,800 --a------ C:\Windows\System32\PresentationNative_v0300.dll
2008-03-04 17:56 . 2007-10-27 00:46 579,584 --a------ C:\Windows\System32\icardagt.exe
2008-03-04 17:56 . 2007-10-27 00:46 350,744 --a------ C:\Windows\System32\PresentationHost.exe
2008-03-04 17:56 . 2007-10-27 00:46 106,520 --a------ C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2008-03-04 17:56 . 2007-10-30 03:12 88,576 --a------ C:\Windows\System32\infocardapi.dll
2008-03-04 17:56 . 2007-10-27 00:46 33,304 --a------ C:\Windows\System32\PresentationHostProxy.dll
2008-03-04 17:56 . 2007-10-30 03:09 28,160 --a------ C:\Windows\System32\infocardcpl.cpl
2008-03-04 17:56 . 2007-10-27 00:46 11,776 --a------ C:\Windows\System32\icardres.dll
2008-03-04 17:45 . 2007-10-27 00:46 41,984 --a------ C:\Windows\System32\netfxperf.dll
2008-03-04 17:44 . 2007-10-27 00:46 158,720 --a------ C:\Windows\System32\mscorier.dll
2008-03-04 17:44 . 2007-10-27 00:46 84,480 --a------ C:\Windows\System32\mscories.dll
2008-03-04 17:43 . 2007-10-27 00:46 282,112 --a------ C:\Windows\System32\mscoree.dll
2008-03-04 17:43 . 2007-10-27 00:46 96,760 --a------ C:\Windows\System32\dfshim.dll
2008-03-03 17:14 . 2008-03-03 17:14 <DIR> d-------- C:\Program Files\WebSite eXtractor
2008-03-03 17:14 . 2008-03-03 17:14 <DIR> d-------- C:\Internet
2008-03-03 17:14 . 2008-03-03 17:14 <DIR> d-------- C:\install
2008-02-28 20:19 . 2008-02-28 20:19 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-02-28 14:12 . 2008-02-28 14:12 <DIR> d-------- C:\perflogs
2008-02-27 19:20 . 2008-02-27 19:20 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-27 19:20 . 2008-02-27 19:20 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-27 19:11 . 2008-02-27 19:11 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-02-27 19:10 . 2008-02-27 19:10 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-27 19:10 . 2008-02-27 19:10 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-02-27 19:10 . 2008-02-27 19:10 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-02-27 19:10 . 2008-02-27 19:10 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-02-27 19:10 . 2008-02-27 19:10 2,048 --a------ C:\Windows\System32\asferror.dll
2008-02-27 19:09 . 2008-02-27 19:09 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-02-27 19:08 . 2008-02-27 19:08 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
2008-02-27 19:08 . 2008-02-27 19:08 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
2008-02-27 19:08 . 2008-02-27 19:08 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
2008-02-27 19:08 . 2008-02-27 19:08 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
2008-02-27 19:06 . 2008-02-27 19:06 2,048 --a------ C:\Windows\System32\tzres.dll
2008-02-27 19:04 . 2008-02-27 19:04 1,831,424 --a------ C:\Windows\System32\inetcpl.cpl
2008-02-27 19:04 . 2008-02-27 19:04 56,320 --a------ C:\Windows\System32\iesetup.dll
2008-02-27 19:04 . 2008-02-27 19:04 26,624 --a------ C:\Windows\System32\ieUnatt.exe
2008-02-27 19:03 . 2008-02-27 19:03 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-02-21 23:49 . 2008-02-28 14:24 <DIR> d-------- C:\Program Files\ThumbNailer
2008-02-21 23:49 . 2008-02-21 23:49 <DIR> d-------- C:\Program Files\ClickPic
2008-02-19 17:32 . 2003-06-18 17:31 17,920 --a------ C:\Windows\System32\mdimon.dll
2008-02-19 17:29 . 2008-02-19 17:29 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-02-19 17:28 . 2008-02-19 17:28 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-19 17:27 . 2008-02-19 17:27 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-19 17:26 . 2008-02-19 17:26 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-19 17:19 . 2008-02-19 17:19 <DIR> dr-h----- C:\MSOCache
2008-02-10 21:14 . 2008-02-10 21:14 <DIR> d-------- C:\Program Files\Alex Feinman
2008-02-10 21:06 . 2008-02-10 21:06 <DIR> d-------- C:\Users\All Users\TrueCrypt
2008-02-10 21:06 . 2008-02-10 21:06 <DIR> d-------- C:\ProgramData\TrueCrypt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 23:41 --------- d-----w C:\Users\James H\AppData\Roaming\Skype
2008-03-07 20:45 --------- d-----w C:\Users\James H\AppData\Roaming\AVG7
2008-03-07 19:54 0 ----a-w C:\Windows\system32\drivers\lvuvc.hs
2008-03-07 18:42 53,768 ----a-w C:\Windows\system32\drivers\avgwfp.sys
2008-03-06 19:47 --------- d-----w C:\Users\James H\AppData\Roaming\uTorrent
2008-03-03 18:34 --------- d-----w C:\Users\James H\AppData\Roaming\TrueCrypt
2008-02-29 23:49 --------- d-----w C:\Users\James H\AppData\Roaming\LimeWire
2008-02-28 15:03 --------- d-----w C:\ProgramData\avg7
2008-02-28 12:22 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-28 12:22 --------- d-----w C:\Program Files\Windows Mail
2008-02-27 19:11 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-27 19:10 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-27 19:10 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-27 19:10 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-27 19:10 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-27 19:05 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-27 19:04 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 23:27 --------- d-----w C:\ProgramData\Kontiki
2008-02-17 13:59 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-10 20:12 225,344 ----a-w C:\Windows\system32\drivers\truecrypt.sys
2008-02-03 18:56 --------- d-----w C:\Program Files\UltraVNC
2008-02-02 22:37 --------- d-----w C:\Program Files\TrueCrypt
2008-01-30 22:32 --------- d-----w C:\Program Files\Bonjour
2008-01-30 16:38 --------- d-----w C:\ProgramData\FLEXnet
2008-01-30 16:27 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-01-29 15:55 --------- d-----w C:\Program Files\Microsoft FrontPage
2008-01-28 23:01 --------- d-----w C:\ProgramData\Bryxen Software
2008-01-28 23:01 --------- d-----w C:\Program Files\Bryxen Software
2008-01-24 19:20 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-23 23:19 --------- d-----w C:\ProgramData\Logishrd
2008-01-23 22:47 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-01-23 22:44 --------- d-----w C:\Program Files\Logitech
2008-01-23 20:16 --------- d-----w C:\Program Files\Google
2008-01-23 00:32 --------- d-----w C:\Program Files\iTunes
2008-01-23 00:32 --------- d-----w C:\Program Files\iPod
2008-01-23 00:31 --------- d-----w C:\Program Files\QuickTime
2008-01-17 23:47 --------- d-----w C:\Program Files\SecondLife
2008-01-09 19:57 --------- d-----w C:\Program Files\Huawei technologies
2008-01-04 22:03 139,264 ----a-w C:\Windows\War3Unin.exe
2007-11-01 09:47 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueCrypt"="C:\Program Files\TrueCrypt\TrueCrypt.exe" [2008-02-10 20:12 1060544]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"cmds"="C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll" [2008-03-07 21:00 316928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-11-01 09:40 1006264]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 16:50 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NvSvc"="RUNDLL32.exe" [2006-11-02 09:45 44544 C:\Windows\System32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2006-11-02 09:45 44544 C:\Windows\System32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-11-02 09:45 44544 C:\Windows\System32\rundll32.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-23 23:05 185896]
"BigDog303"="C:\Windows\VM303_STI.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-10-08 09:27 72240]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-10-08 09:26 55856]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-01 17:06 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-10-30 20:49 9216 C:\Windows\System32\avgwlntf.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{C4669F79-394B-4D03-AC25-1FE96F45305B}C:\wamp\apache2\bin\httpd.exe"= UDP:C:\wamp\apache2\bin\httpd.exe:Apache HTTP Server|Desc=Apache HTTP Server
"UDP Query User{24F44E27-6852-4D58-A00E-5FEAC5F03FF5}C:\wamp\apache2\bin\httpd.exe"= TCP:C:\wamp\apache2\bin\httpd.exe:Apache HTTP Server|Desc=Apache HTTP Server
"TCP Query User{F6E06608-4823-4971-A8AC-BE142B288B45}C:\program files\utorrent\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent|Desc=uTorrent
"UDP Query User{9847581E-3074-4BAC-BE7B-086D0CA6F8E1}C:\program files\utorrent\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent|Desc=uTorrent
"TCP Query User{2F220537-5754-4743-9C22-BB37D92A8D29}C:\program files\skype\phone\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath |Desc=Skype. Take a deep breath
"UDP Query User{B7ACB372-FA24-4D41-8BF4-72BCC10A1F96}C:\program files\skype\phone\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath |Desc=Skype. Take a deep breath
"TCP Query User{F1F9B3E8-2FE6-4D0E-A391-52C39626EB34}C:\program files\sopcast\sopcast.exe"= UDP:C:\program files\sopcast\sopcast.exe:SopCast Main Application|Desc=SopCast Main Application
"UDP Query User{A8AB3115-0125-4B2B-B2DE-D60DA9963C35}C:\program files\sopcast\sopcast.exe"= TCP:C:\program files\sopcast\sopcast.exe:SopCast Main Application|Desc=SopCast Main Application
"{F5D5A759-DD80-45ED-84E5-4A3598E9D542}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{8A684CBD-2C1D-4508-8B95-F6A18D5EFDB1}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{2BE81018-3EF0-4C63-8D8D-10B8AD071200}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{54A50C0F-CE9B-4CA4-BA0F-B1729FFF3545}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{4164CA47-2D5B-41CD-907B-35727EB547D2}C:\program files\mozilla firefox\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox|Desc=Firefox
"UDP Query User{ECB7B0B8-D5B6-439E-88C0-B2E23AB5F8C4}C:\program files\mozilla firefox\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox|Desc=Firefox
"TCP Query User{D31DC342-389B-4A09-A92E-26010DDE6AF0}C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe"= UDP:C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe|Desc=sopadver.exe
"UDP Query User{09F3EA87-C19D-4F8F-A6C5-438432F3A26B}C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe"= TCP:C:\users\james h\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe|Desc=sopadver.exe
"TCP Query User{3753178E-2986-4A94-A4C7-21C243F0F10B}C:\program files\sopcast\sopvod.exe"= UDP:C:\program files\sopcast\sopvod.exe:sopvod|Desc=sopvod
"UDP Query User{9A97A960-5C36-4AFF-9D10-BE33ED509D9E}C:\program files\sopcast\sopvod.exe"= TCP:C:\program files\sopcast\sopvod.exe:sopvod|Desc=sopvod
"TCP Query User{EC991A72-6B88-4498-B168-C0430E6044D9}C:\program files\sopcast\adv\sopadver.exe"= UDP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver|Desc=SopCast Adver
"UDP Query User{D2E9BBD8-BA9E-4369-94C8-2A4265871A78}C:\program files\sopcast\adv\sopadver.exe"= TCP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver|Desc=SopCast Adver
"TCP Query User{411CA4DD-2E15-4A42-9201-1D18027A3A40}C:\program files\internet explorer\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"UDP Query User{BFC6BCB5-DFA4-4633-BD7B-4CA315A5A51E}C:\program files\internet explorer\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer|Desc=Internet Explorer
"TCP Query User{D1A44D53-1E91-4412-81B4-5F7E991F4908}C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe"= UDP:C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe:wow-2.0.0-engb-installer-downloader.exe|Desc=wow-2.0.0-engb-installer-downloader.exe
"UDP Query User{B42AA4AC-E209-497E-AF00-6DFAF566D198}C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe"= TCP:C:\users\james h\downloads\wow-2.0.0-engb-installer-downloader.exe:wow-2.0.0-engb-installer-downloader.exe|Desc=wow-2.0.0-engb-installer-downloader.exe
"TCP Query User{366D5331-9967-4E94-B46D-8B307CCFC16C}C:\program files\macromedia\dreamweaver 8\dreamweaver.exe"= UDP:C:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8|Desc=Dreamweaver 8
"UDP Query User{FB4A7B34-BF08-4C6F-B791-ED9D1B971D09}C:\program files\macromedia\dreamweaver 8\dreamweaver.exe"= TCP:C:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8|Desc=Dreamweaver 8
"TCP Query User{22CB88CA-D4A9-47A9-B69E-A5CD1687036D}C:\program files\warcraft iii\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"UDP Query User{2CF3F85A-5090-4DA1-9F59-D74906F79EA9}C:\program files\warcraft iii\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III|Desc=Warcraft III
"{217BED0E-8015-4316-9A69-104D58656223}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{FA1438C6-6D59-45A6-B540-699CD3CC1DAE}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{CDE4319F-2EF2-4D97-B865-0E9A87A7EAA2}C:\users\james h\program files\utorrent\utorrent.exe"= UDP:C:\users\james h\program files\utorrent\utorrent.exe:utorrent.exe|Desc=utorrent.exe
"UDP Query User{F1088B9C-0574-45B5-A654-381A50341A84}C:\users\james h\program files\utorrent\utorrent.exe"= TCP:C:\users\james h\program files\utorrent\utorrent.exe:utorrent.exe|Desc=utorrent.exe
"{05E4F880-CA47-4E4D-8100-2113A054FCF7}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{1759AFEE-FE92-4E72-AF26-6C24D819379E}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{7CF431A1-0D23-4842-B2F3-AC0FFF73D7AD}C:\program files\ultravnc\winvnc.exe"= UDP:C:\program files\ultravnc\winvnc.exe:VNC server for Win32|Desc=VNC server for Win32
"UDP Query User{D3C1C2CF-ACFF-49D4-8571-602D27C52440}C:\program files\ultravnc\winvnc.exe"= TCP:C:\program files\ultravnc\winvnc.exe:VNC server for Win32|Desc=VNC server for Win32
"TCP Query User{2D7B2751-D702-415A-BBC7-6A1AACFAD6A2}C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe"= UDP:C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3|Desc=Adobe Dreamweaver CS3
"UDP Query User{9B9656A2-9EEA-4831-AA02-5F818E80B8D4}C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe"= TCP:C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe:Adobe Dreamweaver CS3|Desc=Adobe Dreamweaver CS3
"{E3A407C9-7241-40AB-89EA-509D49DC069E}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)|Edge=TRUE|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 hotcore3;hotcore3;C:\Windows\system32\drivers\hotcore3.sys [2007-03-07 13:27]
R1 moufiltr;ENERGY SISTEM Mouse Filter Driver;C:\Windows\system32\DRIVERS\moufiltr.sys [2007-11-09 11:52]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-07 18:42]
S3 vmfilter303;vmfilter303;C:\Windows\system32\drivers\vmfilter303.sys [2006-04-25 10:57]
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe [2007-05-04 10:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\shell\AutoRun\command - I:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16af0e31-cd93-11dc-8921-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16af0e33-cd93-11dc-8921-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19ac3d54-885f-11dc-8254-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19ac3d72-885f-11dc-8254-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e43f2b2-a5a3-11dc-9de5-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58027b57-bec3-11dc-a77d-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58027b72-bec3-11dc-a77d-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b78749c-92c4-11dc-bf9c-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f10839c-eab4-11dc-949d-005056c00008}]
\shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c34c9dee-b799-11dc-bd06-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c34c9df0-b799-11dc-bd06-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94a1d09-87df-11dc-9a5b-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94a1d24-87df-11dc-9a5b-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f94a2b22-87df-11dc-9a5b-001a4d80466f}]
\shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc33e5a1-be21-11dc-a231-001a4d80466f}]
\shell\AutoRun\command - H:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-08 09:51:49 C:\Windows\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 20:18:11
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]
-> C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll
.
Completion time: 2008-03-08 20:26:22
.
2008-03-08 19:39:01 --- E O F ---


This is the HijackThis one

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:45:25, on 08/03/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDog303] C:\Windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{467DACD0-FE46-4442-9DB9-588B8D625A92}: NameServer = 213.233.128.1 213.233.128.19
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10534 bytes

Looking forward to your reply :)
  • 0

#10
sarahw

    Malware Staff

  • Member
  • 2,781 posts
  • Please re-open HijackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:

    O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll,c

  • Now close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.

  • Navigate to this folder and delete the file:

    C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll

  • Reboot your computer into normal mode.

    When you are finished, please reboot the computer as you normally would. Post a new HijackThis log here in a reply. Also, please let me know of any problems you may have encountered or questions you want to ask.

Edited by sarahw, 08 March 2008 - 08:45 PM.

  • 0
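As an added example (not part of this thread and not HijackThis's own code), here is a small Python triage of HijackThis O4 autorun lines that flags the pattern fixed above: rundll32.exe loading a DLL out of a user's Temp folder at logon. The regexes, the Temp-directory list and the severity scheme are my assumptions; the sample lines are constructed from the log posted above.

```python
"""Triage HijackThis O4 (autorun) entries for rundll32 launches of DLLs that
live in user-writable Temp directories.

Added example; not part of the forum thread or of HijackThis itself.
The regexes, the Temp-directory list and the severity labels are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a few O4 lines copied from the HijackThis log in the thread,
# plus one non-O4 line to show that other record types are ignored.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r'O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart',
    r'O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences',
    r'O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll,c',
    r"O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')",
    r"O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe",
]

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# HijackThis appends "(User '...')" for entries found under HKEY_USERS hives.
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
# First token of a command line, quoted or bare, followed by the remainder.
FIRST_TOKEN_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>\S+))\s*(?P<rest>.*)$')
# Directories a logged-on user can write to; a legitimate autorun rarely loads
# a DLL from these (assumption: deliberately short, conservative list).
TEMP_DIR_RE = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp|local settings\\temp)\\", re.I)


@dataclass
class Finding:
    name: str
    hive: str
    dll: str
    entry: str
    severity: str = "low"
    reasons: list = field(default_factory=list)


def parse_o4(line):
    """Return (hive, value name, command) for an O4 line, or None for any other record."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return m.group("hive"), m.group("name"), USER_SUFFIX_RE.sub("", m.group("cmd"))


def split_rundll32(cmd):
    """If cmd launches rundll32, return (dll path, export name); otherwise None."""
    t = FIRST_TOKEN_RE.match(cmd)
    if not t:
        return None
    exe = (t.group("q") or t.group("u")).rsplit("\\", 1)[-1].lower()
    if exe not in ("rundll32.exe", "rundll32"):
        return None
    rest = t.group("rest").strip()
    # rundll32 syntax is "<dll>,<export> [args]"; the DLL path may be quoted.
    if rest.startswith('"'):
        dll, _, after = rest[1:].partition('"')
        after = after.lstrip(",")
    else:
        dll, _, after = rest.partition(",")
    entry = after.split()[0] if after.strip() else ""
    return dll.strip(), entry


def assess(hive, name, cmd):
    """Score one autorun entry; return a Finding only when something looks off."""
    parsed = split_rundll32(cmd)
    if parsed is None:
        return None
    dll, entry = parsed
    f = Finding(name=name, hive=hive, dll=dll, entry=entry)
    if TEMP_DIR_RE.search(dll):
        f.reasons.append("DLL lives in a user-writable Temp directory")
        f.severity = "high"
    if "\\" not in dll:
        # Bare name: resolved through the DLL search path; weak signal on its own.
        f.reasons.append("DLL given without a directory")
    if len(entry) == 1:
        # The entry in this thread used a one-letter export; weak corroborating signal.
        f.reasons.append("one-character export name")
    return f if f.reasons else None


def triage(lines):
    """Run every O4 line through assess() and collect the findings."""
    findings = []
    for line in lines:
        parsed = parse_o4(line)
        if parsed is not None:
            f = assess(*parsed)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.hive} [{f.name}] -> {f.dll} ({'; '.join(f.reasons)})")
```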

#11
lukee

    New Member

  • Topic Starter
  • Member
  • 9 posts
Hi Sarah,

Thanks for the help so far; I think we are making progress, if not finished. When I logged on I got a warning message saying that
C:\Users\JAMESH~1\AppData\Local\Temp\ssqpo.dll? Does this mean that there is still some malware? Everything else seems to be running smoothly though. Spybot has quietened down.

Thanks again, Sarah

Here is my HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:42:12, on 09/03/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe
C:\Windows\system32\DllHost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDog303] C:\Windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{467DACD0-FE46-4442-9DB9-588B8D625A92}: NameServer = 213.233.128.1 213.233.128.19
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

--
End of file - 10041 bytes
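The log above is the resolved one, so nothing in it points at a DLL loaded from the temp folder, but the thread's original symptom (a DLL in %TEMP% kept open by rundll32.exe) is exactly the kind of autostart entry HijackThis lists under O4. The following Python script is an added example and not code from the thread or from HijackThis: it parses O4 lines in the format shown above and flags any entry that hands rundll32 a DLL that is either an unqualified name (resolved through the DLL search order) or a path outside the Windows system directories, with user-writable locations such as Temp and AppData called out separately. The function names, the reason codes and the one suspicious sample line (the `[ljjhh]` entry with the `C:\Users\example\...` path) are assumptions constructed for this example; the other sample lines are copied from the log.

```python
"""Triage HijackThis O4 (autostart) entries that hand a DLL to rundll32."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One HJT line looks like "O4 - HKLM\..\Run: [Name] command". The text after
# the dash varies by section, so it is captured verbatim and parsed per section.
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d+)\s+-\s+(?P<body>.*)$")
O4_BODY = re.compile(r"^(?P<key>[^:]+?):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# rundll32 <dll>[,<export>] with optional quotes around either part.
RUNDLL = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^,"]+)', re.IGNORECASE)

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\documents and settings\\")

# Reason codes (assumed names, chosen for this example).
UNQUALIFIED = "unqualified-dll"        # bare name, found via the DLL search order
USER_WRITABLE_DIR = "user-writable-dir"  # Temp/AppData: where droppers usually land
NON_SYSTEM_DIR = "non-system-dir"      # absolute path, but not a Windows system dir


@dataclass
class Entry:
    code: str   # section code, e.g. "O4"
    body: str   # everything after "O4 - "


@dataclass
class Finding:
    name: str   # value name inside the Run key
    dll: str    # DLL handed to rundll32
    kind: str   # one of the reason codes above


def parse_hjt(text: str) -> List[Entry]:
    """Split a HijackThis log into (section code, body) entries; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def rundll32_target(cmd: str) -> Optional[str]:
    """Return the DLL a rundll32 command line loads, or None if cmd is not rundll32."""
    m = RUNDLL.match(cmd.strip())
    return m.group("dll").strip() if m else None


def classify_dll(dll: str) -> Optional[str]:
    """Return a reason code for a suspicious DLL location, or None if it looks normal."""
    p = dll.lower()
    if "\\" not in p:
        return UNQUALIFIED
    if p.startswith(SYSTEM_DIRS):
        return None
    if any(seg in p for seg in USER_WRITABLE):
        return USER_WRITABLE_DIR
    return NON_SYSTEM_DIR


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag O4 entries whose command is rundll32 loading a DLL from an odd location."""
    findings = []
    for e in entries:
        if e.code != "O4":
            continue
        m = O4_BODY.match(e.body)
        if not m:
            continue
        dll = rundll32_target(m.group("cmd"))
        if dll is None:
            continue
        kind = classify_dll(dll)
        if kind:
            findings.append(Finding(m.group("name"), dll, kind))
    return findings


def triage_text(text: str) -> List[Finding]:
    return triage(parse_hjt(text))


# Constructed sample: four lines copied from the log above plus one made-up
# entry (placeholder user "example") of the shape the original symptom implies.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKCU\..\Run: [ljjhh] rundll32.exe C:\Users\example\AppData\Local\Temp\ljjhh.dll,Start
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
"""

if __name__ == "__main__":
    for f in triage_text(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}: {f.dll}")
```

The NVIDIA entries pass because their DLLs sit in system32; the Welcome Center entry is reported only as unqualified, which is normal for Windows' own components but worth a glance, and the constructed Temp entry is the one a helper would act on. A bare name match is informational rather than a verdict, since rundll32 resolves it through the normal search order.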

#12
sarahw
    Malware Staff (2,781 posts)
Could you please uninstall then reinstall Spybot?
I don't understand the error message. Could you give me the exact message?

#13
lukee
    New Member, Topic Starter (9 posts)
Hi Sarah,

Everything is working perfectly now. Thanks so much for all your help, you have been great.

Talk to you soon
Luke

#14
sarahw
    Malware Staff (2,781 posts)
Please download OTCleanUp from HERE to your desktop.
Double click to run it. It will clean up the assortment of tools used during malware removal. When it has finished, it will ask you to reboot so it can remove itself.


Congratulations, your log is now clean. :)

A well protected computer should have at least an Anti Virus and Firewall; an Anti Spyware is also a great addition to your computer's security. Here is a list of tools I like to recommend to people that will help ensure safe surfing on the internet, and to help you from getting infected again.
Note: DO NOT install more than one antivirus or Firewall program. They will conflict, and provide less protection, not more. Uninstall any existing Anti Virus\Firewall programs if you're going to install a new one.


Free Online Scans:
Free Active X and Java based online scans. You can use these scans from other companies and it will not interfere with your current Anti Virus. If you find that you are infected, post a Hijack This log in the forums.

Free Temp Cleaners:
Use these tools to clean temporary files from IE and Windows, empty the recycle bin and more. A great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. ATF cleaner recommended.

Free Firewall Downloads:
You must have a Firewall installed on your computer. This helps stop anything from leaving or entering your computer without your permission.

Free Anti Spyware Downloads:
An Antispyware is a great tool that can help remove infections alongside your Anti Virus. Some include real time protection, scheduled scans and automatic definition updates.

Free Anti Virus Downloads:
A must have for all computers. Avast! recommended.

Other:
  • SpywareGuard
    Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd
    This tool puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • Memtest86
    Great memory testing software.
  • CPU-Z
    This application gives detailed information about your system in a nice layout.
  • Speedfan
    Returns and monitors system temperatures.
  • Windows Updates
    It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
You can now Rehide your system files by using the reversal of these instructions HERE



To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read THIS article by Tony Klein.


If you have any other problems or questions be sure to ask. :)

#15
sarahw
    Malware Staff (2,781 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.