Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

msiexec[1].exe + many other trojans/downloaders [RESOLVED]

Started by growlix , Apr 09 2008 04:33 PM

This topic is locked

#1
growlix

Posted 09 April 2008 - 04:33 PM

New Member

Member
9 posts

My computer is plagued with viruses. It's running slow, bombarded with popups and is failing to run and browse properly. It usually locks up after so long. My desktop has been replaced with a blue screen warning me that spyware has been detected on my computer. It resets back to that every time I reset the desktop or restart the computer. Warning balloons constantly pop up informing me of my computer running slowly, spyware, etc. It's basically killing my computer. One of the viruses is "msiexec[1].exe"....at least I'm thinking so. Problems started when this came about. Since then, it's been awful. Please help.

Hijack log below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:38 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wmsdkns.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\All Users\Application Data\vepezgbu\hczqfmny.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\system32\PROMon.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\regsvr32.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\FNTS~1\javaw.exe
C:\WINNT\system32\ujmlgjuh.exe
C:\Documents and Settings\Owner\My Documents\F?nts\e?plorer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.protopage.com/bwkaelin
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\wmsdkns.exe,
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dwfqrmfg] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\dwfqrmfg.dll"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [BMdf26ce76] Rundll32.exe "C:\WINNT\system32\pqtglifu.dll",s
O4 - HKLM\..\Run: [dc15fdea] rundll32.exe "C:\WINNT\system32\jrqncmlv.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\FNTS~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\Owner\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [gczwadhb] C:\WINNT\system32\fibohczs.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [eeosziow] C:\WINNT\system32\ujmlgjuh.exe
O4 - HKCU\..\Run: [Xmmos] "C:\Documents and Settings\Owner\My Documents\F?nts\e?plorer.exe"
O4 - HKLM\..\Policies\Explorer\Run: [Ulkr4ZWsjU] C:\WINNT\anmvqdcf.exe
O4 - HKLM\..\Policies\Explorer\Run: [cLfe2ZWsjU] C:\Documents and Settings\All Users\Application Data\vepezgbu\hczqfmny.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7382 bytes

#2
Tigger93

Posted 09 April 2008 - 06:09 PM

Trusted Helper

Retired Staff
1,870 posts

Hello growlix and Welcome to Geekstogo!

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

#3
growlix

Posted 09 April 2008 - 08:40 PM

New Member

Topic Starter
Member
9 posts

ComboFix 08-04-09.8 - Owner 2008-04-09 21:09:11.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.159 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Owner\My Documents\FNTS~1
C:\Documents and Settings\Owner\My Documents\FNTS~1\e?plorer.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\fnts~1
C:\Program Files\fnts~1\F?nts\
C:\Program Files\fnts~1\javaw.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\svchost.exe
C:\WINNT\180ax.exe
C:\WINNT\2020search.dll
C:\WINNT\2020search2.dll
C:\WINNT\bjam.dll
C:\WINNT\BMdf26ce76.xml
C:\WINNT\bokja.exe
C:\WINNT\cdsm32.dll
C:\WINNT\default.htm
C:\WINNT\hosts
C:\WINNT\mspphe.dll
C:\WINNT\mssvr.exe
C:\WINNT\pskt.ini
C:\WINNT\saiemod.dll
C:\WINNT\salm.exe
C:\WINNT\stcloader.exe
C:\WINNT\swin32.dll
C:\WINNT\system32\000080.exe
C:\WINNT\system32\000090.exe
C:\WINNT\system32\brlipqew.dll
C:\WINNT\system32\byegfsbk.dll
C:\WINNT\system32\byXRlKBr.dll
C:\WINNT\system32\ettgblnd.dll
C:\WINNT\system32\jrqncmlv.dll
C:\WINNT\system32\msixu.dll
C:\WINNT\system32\pqtglifu.dll
C:\WINNT\system32\pufrimks.dll
C:\WINNT\system32\pytbxcim.ini
C:\WINNT\system32\rBKlRXyb.ini
C:\WINNT\system32\rBKlRXyb.ini2
C:\WINNT\system32\twcqkiia.ini
C:\WINNT\system32\vlmcnqrj.ini
C:\WINNT\system32\wer8274.dll
C:\WINNT\system32\winfrun32.bin
C:\WINNT\system32\ykvasuvb.dll
C:\WINNT\TEMP\salm.exe
C:\WINNT\updatetc.exe
C:\WINNT\voiceip.dll

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-09 21:19 . 2008-04-09 21:19 94,208 --a------ C:\WINNT\system32\qhmrulmz.exe
2008-04-09 21:17 . 2008-04-09 21:19 <DIR> d-------- C:\Program Files\zango
2008-04-09 21:17 . 2008-04-09 21:19 <DIR> d-------- C:\Program Files\Sysmnt
2008-04-09 21:17 . 2008-04-09 21:19 <DIR> d-------- C:\Program Files\stc
2008-04-09 21:17 . 2008-04-09 21:19 <DIR> d-------- C:\Program Files\seekmo
2008-04-09 21:17 . 2008-04-09 21:19 <DIR> d-------- C:\Program Files\180solutions
2008-04-09 21:17 . 2008-04-09 21:19 <DIR> d-------- C:\Program Files\180searchassistant
2008-04-09 21:17 . 2008-04-09 21:19 <DIR> d-------- C:\Program Files\180search assistant
2008-04-09 17:20 . 2008-04-09 17:20 3,648 --a------ C:\WINNT\system32\mpnstvdm.dll
2008-04-08 22:26 . 2008-04-08 22:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\True Sword
2008-04-08 22:25 . 2008-04-08 22:29 <DIR> d-------- C:\Program Files\True Sword 4
2008-04-08 16:56 . 2008-04-08 16:56 3,648 --a------ C:\WINNT\system32\pdvrtoho.dll
2008-04-08 00:10 . 2008-04-08 00:10 9,662 --a------ C:\WINNT\system32\ZoneAlarmIconUS.ico
2008-04-06 20:06 . 2008-04-06 20:06 <DIR> d-------- C:\WINNT\FLEOK
2008-04-06 02:26 . 2008-04-06 02:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 01:52 . 2008-04-06 01:52 110,592 --a------ C:\WINNT\system32\ujmlgjuh.exe
2008-04-06 01:48 . 2008-04-06 01:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vepezgbu
2008-04-06 00:03 . 2008-04-06 00:03 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-04-05 23:47 . 2008-04-05 23:47 110,592 --a------ C:\WINNT\system32\fibohczs.exe
2008-04-05 23:46 . 2008-04-05 23:46 67,584 --a------ C:\WINNT\wlovczwp.dll
2008-04-05 23:46 . 2008-04-05 23:46 67,584 --a------ C:\Documents and Settings\All Users\Application Data\dwfqrmfg.dll
2008-04-05 23:33 . 2008-04-05 23:33 91,561 --a------ C:\WINNT\system32\wmsdkns.exe
2008-04-05 23:31 . 2008-04-05 23:31 8,268 --a------ C:\WINNT\system32\L3762.tmp
2008-04-05 23:31 . 2008-04-05 23:31 396 --a------ C:\WINNT\system32\L479E.tmp
2008-04-05 23:31 . 2008-04-05 23:31 396 --a------ C:\WINNT\system32\L405B.tmp
2008-04-05 23:31 . 2008-04-05 23:31 396 --a------ C:\WINNT\system32\L3F80.tmp
2008-04-05 23:31 . 2008-04-05 23:31 396 --a------ C:\WINNT\system32\L3BB7.tmp
2008-03-31 20:04 . 2008-03-31 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 04:48 9,728 ----a-w C:\WINNT\avifile32.dll
2008-02-17 16:35 3,938 ----a-w C:\info.exe
2008-02-04 23:23 693,792 ----a-w C:\WINNT\system32\OGACheckControl.DLL
2008-01-24 08:25 8,192 ----a-w C:\WINNT\java\Local Data\Owner\STG46B1.tmp
2007-01-20 05:30 87,288 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b1f03258-1dd1-11b2-844a-d95ac99666f6}]
2008-04-05 23:46 67584 --a------ C:\WINNT\wlovczwp.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{E29F6C89-E033-C62B-2B4B-2E31D3DA3250}"= C:\PROGRA~1\DVDCRE~1\SAFELOAD.dll [2007-05-11 15:01 0]

[HKEY_CLASSES_ROOT\clsid\{e29f6c89-e033-c62b-2b4b-2e31d3da3250}]
[HKEY_CLASSES_ROOT\Second.WebPure.1]
[HKEY_CLASSES_ROOT\Second.WebPure]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [ ]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 13:39 68856]
"Ltho"="C:\PROGRA~1\FNTS~1\javaw.exe" [ ]
"gczwadhb"="C:\WINNT\system32\fibohczs.exe" [2008-04-05 23:47 110592]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"eeosziow"="C:\WINNT\system32\ujmlgjuh.exe" [2008-04-06 01:52 110592]
"Xmmos"="C:\Documents and Settings\Owner\My Documents\F?nts\e?plorer.exe" [ ]
"cuuefgrd"="C:\WINNT\system32\qhmrulmz.exe" [2008-04-09 21:19 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 33280 C:\WINNT\system32\rundll32.exe]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 14:50 66048 C:\WINNT\system32\SK9910DM.EXE]
"Keyboard Preload Check"="C:\OEMDRVRS\KEYB\Preload.exe" [ ]
"PROMon.exe"="PROMon.exe" [2002-04-18 18:32 73728 C:\WINNT\system32\PROMon.exe]
"WINDVDPatch"="CTHELPER.EXE" [2002-02-07 18:01 40960 C:\WINNT\system32\CTHELPER.EXE]
"UpdReg"="C:\WINNT\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 01:00 28672]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-02-28 08:47 675840]
"MMTray"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" [2003-03-14 18:15 143360]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 16:48 479232]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-01 13:55 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-05 17:03 282624]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-06-21 18:57 5355832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 00:06 5181440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Ulkr4ZWsjU"= C:\WINNT\anmvqdcf.exe
"cLfe2ZWsjU"= C:\Documents and Settings\All Users\Application Data\vepezgbu\hczqfmny.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkHApoP]
jkkHApoP.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\AIM\\aim.exe"=

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINNT\system32\Drivers\SSFS0BB8.SYS [2007-06-21 18:43]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S2 NMSSvc;Intel® NMS;C:\WINNT\System32\NMSSvc.exe [2002-05-03 12:36]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

*Newly Created Service* - NMSSVC
*Newly Created Service* - SYMTDI
.
Contents of the 'Scheduled Tasks' folder
"2008-04-04 22:30:00 C:\WINNT\Tasks\Disk Cleanup.job"
- C:\WINNT\system32\cleanmgr.exe
"2002-09-19 14:55:49 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-03-31 07:00:03 C:\WINNT\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 21:20:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
C:\WINNT\SoftwareDistribution\Download\a82dc500ddf76b06dc26bd22c7a14240\update\update.exe
.
**************************************************************************
.
Completion time: 2008-04-09 21:27:16 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-04-10 02:26:40
Pre-Run: 15,929,516,032 bytes free
Post-Run: 17,335,447,552 bytes free
.
2008-03-13 00:17:18 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:28 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Documents and Settings\All Users\Application Data\vepezgbu\hczqfmny.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\system32\PROMon.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\qhmrulmz.exe
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.protopage.com/bwkaelin
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - C:\WINNT\wlovczwp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\FNTS~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [gczwadhb] C:\WINNT\system32\fibohczs.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [eeosziow] C:\WINNT\system32\ujmlgjuh.exe
O4 - HKCU\..\Run: [Xmmos] "C:\Documents and Settings\Owner\My Documents\F?nts\e?plorer.exe"
O4 - HKCU\..\Run: [cuuefgrd] C:\WINNT\system32\qhmrulmz.exe
O4 - HKCU\..\Run: [gmpihlmb] C:\WINNT\system32\ohajerqn.exe
O4 - HKLM\..\Policies\Explorer\Run: [Ulkr4ZWsjU] C:\WINNT\anmvqdcf.exe
O4 - HKLM\..\Policies\Explorer\Run: [cLfe2ZWsjU] C:\Documents and Settings\All Users\Application Data\vepezgbu\hczqfmny.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O20 - Winlogon Notify: jkkHApoP - jkkHApoP.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7546 bytes

#4
Tigger93

Posted 10 April 2008 - 12:03 PM

Trusted Helper

Retired Staff
1,870 posts

Hi again.

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINNT\system32\qhmrulmz.exe
C:\WINNT\system32\mpnstvdm.dll
C:\WINNT\system32\pdvrtoho.dll
C:\WINNT\system32\ujmlgjuh.exe
C:\WINNT\system32\fibohczs.exe
C:\WINNT\wlovczwp.dll
C:\Documents and Settings\All Users\Application Data\dwfqrmfg.dll
C:\WINNT\system32\wmsdkns.exe
C:\WINNT\system32\L3762.tmp
C:\WINNT\system32\L479E.tmp
C:\WINNT\system32\L405B.tmp
C:\WINNT\system32\L3F80.tmp
C:\WINNT\system32\L3BB7.tmp
C:\WINNT\avifile32.dll
C:\info.exe
C:\WINNT\java\Local Data\Owner\STG46B1.tmp
C:\WINNT\anmvqdcf.exe
C:\WINNT\system32\jkkHApoP.dll

Folder::
C:\Program Files\zango\
C:\Program Files\Sysmnt\
C:\Program Files\stc\
C:\Program Files\180solutions\
C:\Program Files\180searchassistant\
C:\Program Files\180search assistant\
C:\Documents and Settings\All Users\Application Data\vepezgbu\
C:\Program Files\Viewpoint\

Driver::
Viewpoint Manager Service

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b1f03258-1dd1-11b2-844a-d95ac99666f6}]
[-HKEY_CLASSES_ROOT\clsid\{e29f6c89-e033-c62b-2b4b-2e31d3da3250}]
[-HKEY_CLASSES_ROOT\Second.WebPure.1]
[-HKEY_CLASSES_ROOT\Second.WebPure]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ltho"=-
"gczwadhb"=-
"eeosziow"=-
"Xmmos"=-
"cuuefgrd"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Ulkr4ZWsjU"=-
"cLfe2ZWsjU"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkHApoP]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

#5
growlix

Posted 10 April 2008 - 12:42 PM

New Member

Topic Starter
Member
9 posts

Thanks for your help thus far. I'm lost as to what I'm doing.

COMBO:

ComboFix 08-04-09.8 - Owner 2008-04-10 13:28:58.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.250 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\dwfqrmfg.dll
C:\info.exe
C:\WINNT\anmvqdcf.exe
C:\WINNT\avifile32.dll
C:\WINNT\java\Local Data\Owner\STG46B1.tmp
C:\WINNT\system32\fibohczs.exe
C:\WINNT\system32\jkkHApoP.dll
C:\WINNT\system32\L3762.tmp
C:\WINNT\system32\L3BB7.tmp
C:\WINNT\system32\L3F80.tmp
C:\WINNT\system32\L405B.tmp
C:\WINNT\system32\L479E.tmp
C:\WINNT\system32\mpnstvdm.dll
C:\WINNT\system32\pdvrtoho.dll
C:\WINNT\system32\qhmrulmz.exe
C:\WINNT\system32\ujmlgjuh.exe
C:\WINNT\system32\wmsdkns.exe
C:\WINNT\wlovczwp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\dwfqrmfg.dll
C:\Documents and Settings\All Users\Application Data\vepezgbu\
C:\Documents and Settings\All Users\Application Data\vepezgbu\\hczqfmny.exe
C:\info.exe
C:\Program Files\180search assistant
C:\Program Files\180searchassistant
C:\Program Files\180solutions
C:\Program Files\PC-Cleaner
C:\Program Files\seekmo
C:\Program Files\stc
C:\Program Files\Sysmnt
C:\Program Files\Viewpoint\
C:\Program Files\Viewpoint\\Common\ViewpointService.exe
C:\Program Files\Viewpoint\\Common\VistaBoot.sdll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\AxMetaStream.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\ComponentMgr_03000C09.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\ComponentRegistry.ini
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Components\AOLArt.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Components\BlueStreak.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Components\Cursors.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Components\DataTracking.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Components\GifReader.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Components\JpegReader.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Components\LensFlares.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Components\Mts2Reader.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Components\ObjectMovie.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Components\SceneComponent.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Components\SWFView.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Components\VMPAudio.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Components\VMPExtras.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Components\VMPVideo.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Components\WaveletReader.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Components\ZoomView.dll
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\DownLoadHist.ini
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\HostRegistry.ini
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\MetaStreamID.ini
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\MtsAxInstaller.exe
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\MTSDownloadSites.txt
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\NewClassID.ini
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1233463906.MTZ
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1756920320.MTZ
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1912772586.SWF
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1912774574.MTZ
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_00\1456766201.MZV
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_00\152344322.MTZ
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_00\1980973699.MZV
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_00\1989748647.mtx
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_01\-1012449703.SWF
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_01\-298155108.MTZ
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_01\-513102351.MTZ
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_01\1214347398.MTZ
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_01\1539641771.MZV
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_01\1874612289.MTZ
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_02\-1453780023.SWF
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_02\-513102342.MTS
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_02\407034558.ini
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_02\518054506.fdg
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_02\518054506.mtx
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1912774567.MTS
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_03\-792045772.SWF
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_03\591149361.MZV
C:\Program Files\Viewpoint\\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini
C:\Program Files\Viewpoint\\Viewpoint Manager\CPtask.xml
C:\Program Files\Viewpoint\\Viewpoint Manager\NotifyData\header.gif
C:\Program Files\Viewpoint\\Viewpoint Manager\NotifyData\no.gif
C:\Program Files\Viewpoint\\Viewpoint Manager\NotifyData\options.ini
C:\Program Files\Viewpoint\\Viewpoint Manager\NotifyData\updates.html
C:\Program Files\Viewpoint\\Viewpoint Manager\NotifyData\yes.gif
C:\Program Files\Viewpoint\\Viewpoint Manager\Read_Me.txt
C:\Program Files\Viewpoint\\Viewpoint Manager\VETScriptInterpreter.dll
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewCP.cpl
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewCPData\images\s.gif
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewCPData\images\vm_header_av.gif
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewCPData\images\vm_header_cp.gif
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewCPData\images\vm_header_up.gif
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewCPData\images\vm_inner_bg.gif
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewCPData\images\vm_inner_bottom.gif
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewCPData\images\vm_tab_bg.gif
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewCPData\images\vm_tab1_off.gif
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewCPData\images\vm_tab1_on.gif
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewCPData\images\vm_tab2_off.gif
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewCPData\images\vm_tab2_on.gif
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewCPData\images\vwpt_logo.gif
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewCPData\options.ini
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewCPData\viewpoint.ico
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewCPData\vmctrl.html
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewCPexe.exe
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewMgrCore.dll
C:\Program Files\Viewpoint\\Viewpoint Manager\ViewMgrInstaller.exe
C:\Program Files\Viewpoint\\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\\Viewpoint Media Player\AxMetaStream_.dll
C:\Program Files\Viewpoint\\Viewpoint Media Player\AxMetaStream_0305000D.dll
C:\Program Files\Viewpoint\\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\\Viewpoint Media Player\ComponentMgr_0305000D.dll
C:\Program Files\Viewpoint\\Viewpoint Media Player\ComponentRegistry.ini
C:\Program Files\Viewpoint\\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\\Viewpoint Media Player\Components\Cursors.dll
C:\Program Files\Viewpoint\\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\\Viewpoint Media Player\Components\SceneComponent.dll
C:\Program Files\Viewpoint\\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\\Viewpoint Media Player\Components\VMgr.dll
C:\Program Files\Viewpoint\\Viewpoint Media Player\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\\Viewpoint Media Player\Components\VMPVideo.dll
C:\Program Files\Viewpoint\\Viewpoint Media Player\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\\Viewpoint Media Player\Components\WaveletReader.dll
C:\Program Files\Viewpoint\\Viewpoint Media Player\DownLoadHist.ini
C:\Program Files\Viewpoint\\Viewpoint Media Player\HostRegistry.ini
C:\Program Files\Viewpoint\\Viewpoint Media Player\MetaStreamConfig.ini
C:\Program Files\Viewpoint\\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\\Viewpoint Media Player\MTSDownloadSites.txt
C:\Program Files\Viewpoint\\Viewpoint Media Player\NewComponents\Mts3Reader.dll
C:\Program Files\zango
C:\WINNT\avifile32.dll
C:\WINNT\java\Local Data\Owner\STG46B1.tmp
C:\WINNT\system32\fibohczs.exe
C:\WINNT\system32\L3762.tmp
C:\WINNT\system32\L3BB7.tmp
C:\WINNT\system32\L3F80.tmp
C:\WINNT\system32\L405B.tmp
C:\WINNT\system32\L479E.tmp
C:\WINNT\system32\mpnstvdm.dll
C:\WINNT\system32\pdvrtoho.dll
C:\WINNT\system32\qhmrulmz.exe
C:\WINNT\system32\ujmlgjuh.exe
C:\WINNT\system32\wmsdkns.exe
C:\WINNT\wlovczwp.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-09 21:35 . 2008-04-09 21:35 <DIR> d-------- C:\WINNT\LastGood
2008-04-09 21:32 . 2008-04-09 21:32 94,208 --a------ C:\WINNT\system32\ohajerqn.exe
2008-04-08 22:26 . 2008-04-08 22:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\True Sword
2008-04-08 22:25 . 2008-04-08 22:29 <DIR> d-------- C:\Program Files\True Sword 4
2008-04-08 00:10 . 2008-04-08 00:10 9,662 --a------ C:\WINNT\system32\ZoneAlarmIconUS.ico
2008-04-06 20:06 . 2008-04-06 20:06 <DIR> d-------- C:\WINNT\FLEOK
2008-04-06 02:26 . 2008-04-06 02:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 00:03 . 2008-04-06 00:03 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-03-31 20:04 . 2008-03-31 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 23:23 693,792 ----a-w C:\WINNT\system32\OGACheckControl.DLL
2007-01-20 05:30 87,288 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-04-09_21.25.53.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-10 02:18:00 53,248 ----a-w C:\WINNT\PSEXESVC.EXE
+ 2008-04-10 18:33:24 53,248 ----a-w C:\WINNT\PSEXESVC.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [ ]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 13:39 68856]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"gmpihlmb"="C:\WINNT\system32\ohajerqn.exe" [2008-04-09 21:32 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 33280 C:\WINNT\system32\rundll32.exe]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 14:50 66048 C:\WINNT\system32\SK9910DM.EXE]
"Keyboard Preload Check"="C:\OEMDRVRS\KEYB\Preload.exe" [ ]
"PROMon.exe"="PROMon.exe" [2002-04-18 18:32 73728 C:\WINNT\system32\PROMon.exe]
"WINDVDPatch"="CTHELPER.EXE" [2002-02-07 18:01 40960 C:\WINNT\system32\CTHELPER.EXE]
"UpdReg"="C:\WINNT\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 01:00 28672]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-02-28 08:47 675840]
"MMTray"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" [2003-03-14 18:15 143360]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 16:48 479232]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-01 13:55 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-05 17:03 282624]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-06-21 18:57 5355832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 00:06 5181440]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\AIM\\aim.exe"=

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINNT\system32\Drivers\SSFS0BB8.SYS [2007-06-21 18:43]
R2 NMSSvc;Intel® NMS;C:\WINNT\System32\NMSSvc.exe [2002-05-03 12:36]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINNT\system32\drivers\NMSCFG.SYS [2002-05-03 12:36]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC
*Newly Created Service* - SYMTDI
.
Contents of the 'Scheduled Tasks' folder
"2008-04-04 22:30:00 C:\WINNT\Tasks\Disk Cleanup.job"
- C:\WINNT\system32\cleanmgr.exe
"2002-09-19 14:55:49 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-03-31 07:00:03 C:\WINNT\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 13:33:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\System32\NavLogon.dll
.
Completion time: 2008-04-10 13:34:57
ComboFix-quarantined-files.txt 2008-04-10 18:34:36
ComboFix2.txt 2008-04-10 02:27:19
Pre-Run: 17,496,211,456 bytes free
Post-Run: 17,470,107,648 bytes free
.
2008-03-13 00:17:18 --- E O F ---

HIJACK:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:05 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Documents and Settings\All Users\Application Data\vepezgbu\hczqfmny.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\system32\PROMon.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.protopage.com/bwkaelin
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [gmpihlmb] C:\WINNT\system32\ohajerqn.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6857 bytes

#6
Tigger93

Posted 11 April 2008 - 09:00 AM

Trusted Helper

Retired Staff
1,870 posts

Were just getting rid of virus's.

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINNT\system32\ohajerqn.exe

Driver::
Viewpoint Manager Service

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gmpihlmb"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

#7
growlix

Posted 11 April 2008 - 05:56 PM

New Member

Topic Starter
Member
9 posts

Thanks for the continued help. My computer was pretty blasted, huh?

ComboFix 08-04-09.8 - Owner 2008-04-11 18:47:29.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.191 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\system32\ohajerqn.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-11 15:02 . 2008-04-11 15:02 118 --a------ C:\WINNT\system32\MRT.INI
2008-04-10 21:32 . 2008-04-10 21:32 106,496 --a------ C:\WINNT\system32\enubwvqr.exe
2008-04-08 22:26 . 2008-04-08 22:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\True Sword
2008-04-08 22:25 . 2008-04-08 22:29 <DIR> d-------- C:\Program Files\True Sword 4
2008-04-08 00:10 . 2008-04-08 00:10 9,662 --a------ C:\WINNT\system32\ZoneAlarmIconUS.ico
2008-04-06 20:06 . 2008-04-06 20:06 <DIR> d-------- C:\WINNT\FLEOK
2008-04-06 02:26 . 2008-04-06 02:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 00:03 . 2008-04-06 00:03 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-03-31 20:04 . 2008-03-31 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 09:47 1,845,248 ----a-w C:\WINNT\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINNT\system32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINNT\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINNT\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINNT\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINNT\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINNT\system32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ------w C:\WINNT\system32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINNT\system32\dllcache\iedw.exe
2008-02-04 23:23 693,792 ----a-w C:\WINNT\system32\OGACheckControl.DLL
2007-01-20 05:30 87,288 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-04-09_21.25.53.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-19 09:40:27 1,845,888 ----a-w C:\WINNT\$hf_mig$\KB941693\SP2QFE\win32k.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINNT\$hf_mig$\KB941693\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINNT\$hf_mig$\KB941693\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINNT\$hf_mig$\KB941693\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINNT\$hf_mig$\KB941693\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINNT\$hf_mig$\KB941693\update\updspapi.dll
+ 2007-12-18 14:32:13 450,560 ----a-w C:\WINNT\$hf_mig$\KB944338\SP2QFE\jscript.dll
+ 2007-12-18 14:32:13 417,792 ----a-w C:\WINNT\$hf_mig$\KB944338\SP2QFE\vbscript.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINNT\$hf_mig$\KB944338\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINNT\$hf_mig$\KB944338\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINNT\$hf_mig$\KB944338\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINNT\$hf_mig$\KB944338\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINNT\$hf_mig$\KB944338\update\updspapi.dll
+ 2008-02-20 05:19:35 147,968 ----a-w C:\WINNT\$hf_mig$\KB945553\SP2QFE\dnsapi.dll
+ 2008-02-20 18:49:36 45,568 ----a-w C:\WINNT\$hf_mig$\KB945553\SP2QFE\dnsrslvr.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINNT\$hf_mig$\KB945553\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINNT\$hf_mig$\KB945553\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINNT\$hf_mig$\KB945553\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINNT\$hf_mig$\KB945553\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINNT\$hf_mig$\KB945553\update\updspapi.dll
+ 2008-02-16 09:32:03 1,024,000 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\browseui.dll
+ 2008-02-16 09:32:03 151,040 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\cdfview.dll
+ 2008-02-16 09:32:03 1,054,208 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\danim.dll
+ 2008-02-16 09:32:04 357,888 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\dxtmsft.dll
+ 2008-02-16 09:32:04 205,312 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\dxtrans.dll
+ 2008-02-16 09:32:04 55,808 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\extmgr.dll
+ 2008-02-15 09:07:53 18,432 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\iedw.exe
+ 2008-02-16 09:32:04 251,904 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\iepeers.dll
+ 2008-02-16 09:32:04 96,256 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\inseng.dll
+ 2008-02-16 09:32:04 16,384 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\jsproxy.dll
+ 2008-02-16 09:32:06 3,066,880 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\mshtml.dll
+ 2008-02-16 09:32:06 449,024 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\mshtmled.dll
+ 2008-02-16 09:32:06 146,432 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\msrating.dll
+ 2008-02-16 09:32:07 532,480 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\mstime.dll
+ 2008-02-16 09:32:07 39,424 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\pngfilt.dll
+ 2008-02-16 09:32:08 1,499,136 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\shdocvw.dll
+ 2008-02-16 09:32:08 474,112 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\shlwapi.dll
+ 2008-02-16 09:32:08 618,496 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\urlmon.dll
+ 2008-02-16 09:32:09 666,112 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\wininet.dll
+ 2008-02-15 09:06:21 351,744 ----a-w C:\WINNT\$hf_mig$\KB947864\SP2QFE\xpsp3res.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINNT\$hf_mig$\KB947864\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINNT\$hf_mig$\KB947864\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINNT\$hf_mig$\KB947864\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINNT\$hf_mig$\KB947864\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINNT\$hf_mig$\KB947864\update\updspapi.dll
+ 2008-02-20 06:52:43 282,624 ----a-w C:\WINNT\$hf_mig$\KB948590\SP2QFE\gdi32.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINNT\$hf_mig$\KB948590\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINNT\$hf_mig$\KB948590\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINNT\$hf_mig$\KB948590\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINNT\$hf_mig$\KB948590\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINNT\$hf_mig$\KB948590\update\updspapi.dll
- 2008-04-10 02:18:00 53,248 ----a-w C:\WINNT\PSEXESVC.EXE
+ 2008-04-11 23:51:37 53,248 ----a-w C:\WINNT\PSEXESVC.EXE
- 2007-12-07 01:07:12 1,023,488 ----a-w C:\WINNT\system32\browseui.dll
+ 2008-02-16 08:59:34 1,023,488 ----a-w C:\WINNT\system32\browseui.dll
- 2007-12-07 01:07:12 151,040 ----a-w C:\WINNT\system32\cdfview.dll
+ 2008-02-16 08:59:35 151,040 ----a-w C:\WINNT\system32\cdfview.dll
- 2007-12-07 01:07:12 1,054,208 ----a-w C:\WINNT\system32\danim.dll
+ 2008-02-16 08:59:35 1,054,208 ----a-w C:\WINNT\system32\danim.dll
- 2007-12-07 01:07:12 1,023,488 ------w C:\WINNT\system32\dllcache\browseui.dll
+ 2008-02-16 08:59:34 1,023,488 ------w C:\WINNT\system32\dllcache\browseui.dll
- 2007-12-07 01:07:12 151,040 ------w C:\WINNT\system32\dllcache\cdfview.dll
+ 2008-02-16 08:59:35 151,040 ------w C:\WINNT\system32\dllcache\cdfview.dll
- 2007-12-07 01:07:12 1,054,208 ------w C:\WINNT\system32\dllcache\danim.dll
+ 2008-02-16 08:59:35 1,054,208 ------w C:\WINNT\system32\dllcache\danim.dll
- 2007-12-07 01:07:12 357,888 ------w C:\WINNT\system32\dllcache\dxtmsft.dll
+ 2008-02-16 08:59:35 357,888 ------w C:\WINNT\system32\dllcache\dxtmsft.dll
- 2007-12-07 01:07:12 205,312 ------w C:\WINNT\system32\dllcache\dxtrans.dll
+ 2008-02-16 08:59:35 205,312 ------w C:\WINNT\system32\dllcache\dxtrans.dll
- 2007-12-07 01:07:12 55,808 ------w C:\WINNT\system32\dllcache\extmgr.dll
+ 2008-02-16 08:59:35 55,808 ------w C:\WINNT\system32\dllcache\extmgr.dll
- 2007-12-07 01:07:12 251,392 ------w C:\WINNT\system32\dllcache\iepeers.dll
+ 2008-02-16 08:59:35 251,392 ------w C:\WINNT\system32\dllcache\iepeers.dll
- 2007-12-07 01:07:12 96,256 ------w C:\WINNT\system32\dllcache\inseng.dll
+ 2008-02-16 08:59:35 96,256 ------w C:\WINNT\system32\dllcache\inseng.dll
- 2007-11-14 07:26:56 450,560 ------w C:\WINNT\system32\dllcache\jscript.dll
+ 2007-12-18 14:40:58 450,560 ------w C:\WINNT\system32\dllcache\jscript.dll
- 2007-12-07 01:07:12 16,384 ------w C:\WINNT\system32\dllcache\jsproxy.dll
+ 2008-02-16 08:59:35 16,384 ------w C:\WINNT\system32\dllcache\jsproxy.dll
- 2007-12-07 01:07:13 449,024 ------w C:\WINNT\system32\dllcache\mshtmled.dll
+ 2008-02-16 08:59:37 449,024 ------w C:\WINNT\system32\dllcache\mshtmled.dll
- 2007-12-07 01:07:13 146,432 ------w C:\WINNT\system32\dllcache\msrating.dll
+ 2008-02-16 08:59:37 146,432 ------w C:\WINNT\system32\dllcache\msrating.dll
- 2007-12-07 01:07:13 532,480 ------w C:\WINNT\system32\dllcache\mstime.dll
+ 2008-02-16 08:59:37 532,480 ------w C:\WINNT\system32\dllcache\mstime.dll
- 2007-12-07 01:07:13 39,424 ------w C:\WINNT\system32\dllcache\pngfilt.dll
+ 2008-02-16 08:59:37 39,424 ------w C:\WINNT\system32\dllcache\pngfilt.dll
- 2007-12-07 01:07:13 1,494,528 ------w C:\WINNT\system32\dllcache\shdocvw.dll
+ 2008-02-16 08:59:38 1,494,528 ------w C:\WINNT\system32\dllcache\shdocvw.dll
- 2007-12-07 01:07:13 474,112 ------w C:\WINNT\system32\dllcache\shlwapi.dll
+ 2008-02-16 08:59:38 474,112 ------w C:\WINNT\system32\dllcache\shlwapi.dll
- 2007-12-07 01:07:14 615,424 ------w C:\WINNT\system32\dllcache\urlmon.dll
+ 2008-02-16 08:59:38 615,936 ------w C:\WINNT\system32\dllcache\urlmon.dll
+ 2007-12-18 14:40:58 417,792 ------w C:\WINNT\system32\dllcache\vbscript.dll
- 2007-12-07 01:07:14 659,456 ------w C:\WINNT\system32\dllcache\wininet.dll
+ 2008-02-16 08:59:39 659,456 ------w C:\WINNT\system32\dllcache\wininet.dll
- 2006-06-26 17:37:10 148,480 ----a-w C:\WINNT\system32\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 ----a-w C:\WINNT\system32\dnsapi.dll
- 2007-12-07 01:07:12 357,888 ----a-w C:\WINNT\system32\dxtmsft.dll
+ 2008-02-16 08:59:35 357,888 ----a-w C:\WINNT\system32\dxtmsft.dll
- 2007-12-07 01:07:12 205,312 ----a-w C:\WINNT\system32\dxtrans.dll
+ 2008-02-16 08:59:35 205,312 ----a-w C:\WINNT\system32\dxtrans.dll
- 2007-12-07 01:07:12 55,808 ------w C:\WINNT\system32\extmgr.dll
+ 2008-02-16 08:59:35 55,808 ------w C:\WINNT\system32\extmgr.dll
- 2007-04-06 20:07:16 302,824 ----a-w C:\WINNT\system32\FNTCACHE.DAT
+ 2008-04-11 20:09:34 302,824 ----a-w C:\WINNT\system32\FNTCACHE.DAT
- 2007-12-07 01:07:12 251,392 ----a-w C:\WINNT\system32\iepeers.dll
+ 2008-02-16 08:59:35 251,392 ----a-w C:\WINNT\system32\iepeers.dll
- 2007-12-07 01:07:12 96,256 ----a-w C:\WINNT\system32\inseng.dll
+ 2008-02-16 08:59:35 96,256 ----a-w C:\WINNT\system32\inseng.dll
- 2007-11-14 07:26:56 450,560 ----a-w C:\WINNT\system32\jscript.dll
+ 2007-12-18 14:40:58 450,560 ----a-w C:\WINNT\system32\jscript.dll
- 2007-12-07 01:07:12 16,384 ----a-w C:\WINNT\system32\jsproxy.dll
+ 2008-02-16 08:59:35 16,384 ----a-w C:\WINNT\system32\jsproxy.dll
+ 2008-04-06 03:56:22 19,836,024 ----a-w C:\WINNT\system32\MRT.exe
- 2007-12-07 14:37:14 3,059,200 ----a-w C:\WINNT\system32\mshtml.dll
+ 2008-02-16 22:29:38 3,059,712 ----a-w C:\WINNT\system32\mshtml.dll
- 2007-12-07 01:07:13 449,024 ----a-w C:\WINNT\system32\mshtmled.dll
+ 2008-02-16 08:59:37 449,024 ----a-w C:\WINNT\system32\mshtmled.dll
- 2007-12-07 01:07:13 146,432 ----a-w C:\WINNT\system32\msrating.dll
+ 2008-02-16 08:59:37 146,432 ----a-w C:\WINNT\system32\msrating.dll
- 2007-12-07 01:07:13 532,480 ----a-w C:\WINNT\system32\mstime.dll
+ 2008-02-16 08:59:37 532,480 ----a-w C:\WINNT\system32\mstime.dll
- 2007-12-07 01:07:13 39,424 ----a-w C:\WINNT\system32\pngfilt.dll
+ 2008-02-16 08:59:37 39,424 ----a-w C:\WINNT\system32\pngfilt.dll
- 2007-12-07 01:07:13 1,494,528 ----a-w C:\WINNT\system32\shdocvw.dll
+ 2008-02-16 08:59:38 1,494,528 ----a-w C:\WINNT\system32\shdocvw.dll
- 2007-12-07 01:07:13 474,112 ----a-w C:\WINNT\system32\shlwapi.dll
+ 2008-02-16 08:59:38 474,112 ----a-w C:\WINNT\system32\shlwapi.dll
- 2007-12-07 01:07:14 615,424 ----a-w C:\WINNT\system32\urlmon.dll
+ 2008-02-16 08:59:38 615,936 ----a-w C:\WINNT\system32\urlmon.dll
- 2004-08-04 07:56:46 417,792 ----a-w C:\WINNT\system32\vbscript.dll
+ 2007-12-18 14:40:58 417,792 ----a-w C:\WINNT\system32\vbscript.dll
- 2007-12-07 01:07:14 659,456 ----a-w C:\WINNT\system32\wininet.dll
+ 2008-02-16 08:59:39 659,456 ----a-w C:\WINNT\system32\wininet.dll
- 2007-12-06 09:38:31 350,720 ----a-w C:\WINNT\system32\xpsp3res.dll
+ 2008-02-15 09:06:21 351,744 ----a-w C:\WINNT\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [ ]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 13:39 68856]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"auezilll"="C:\WINNT\system32\enubwvqr.exe" [2008-04-10 21:32 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 33280 C:\WINNT\system32\rundll32.exe]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 14:50 66048 C:\WINNT\system32\SK9910DM.EXE]
"Keyboard Preload Check"="C:\OEMDRVRS\KEYB\Preload.exe" [ ]
"PROMon.exe"="PROMon.exe" [2002-04-18 18:32 73728 C:\WINNT\system32\PROMon.exe]
"WINDVDPatch"="CTHELPER.EXE" [2002-02-07 18:01 40960 C:\WINNT\system32\CTHELPER.EXE]
"UpdReg"="C:\WINNT\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 01:00 28672]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-02-28 08:47 675840]
"MMTray"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" [2003-03-14 18:15 143360]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 16:48 479232]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-01 13:55 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-05 17:03 282624]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-06-21 18:57 5355832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 00:06 5181440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"cLfe2ZWsjU"= C:\Documents and Settings\All Users\Application Data\vepezgbu\hczqfmny.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\AIM\\aim.exe"=

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINNT\system32\Drivers\SSFS0BB8.SYS [2007-06-21 18:43]
R2 NMSSvc;Intel® NMS;C:\WINNT\System32\NMSSvc.exe [2002-05-03 12:36]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINNT\system32\drivers\NMSCFG.SYS [2002-05-03 12:36]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

*Newly Created Service* - NMSSVC
*Newly Created Service* - SYMTDI
.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 22:30:00 C:\WINNT\Tasks\Disk Cleanup.job"
- C:\WINNT\system32\cleanmgr.exe
"2002-09-19 14:55:49 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-03-31 07:00:03 C:\WINNT\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 18:51:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\System32\NavLogon.dll
.
Completion time: 2008-04-11 18:53:11
ComboFix-quarantined-files.txt 2008-04-11 23:52:57
ComboFix2.txt 2008-04-10 18:34:58
ComboFix3.txt 2008-04-10 02:27:19
Pre-Run: 17,886,814,208 bytes free
Post-Run: 17,873,133,568 bytes free
.
2008-04-11 20:03:36 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:54:05 PM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\system32\PROMon.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\enubwvqr.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.protopage.com/bwkaelin
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [auezilll] C:\WINNT\system32\enubwvqr.exe
O4 - HKLM\..\Policies\Explorer\Run: [cLfe2ZWsjU] C:\Documents and Settings\All Users\Application Data\vepezgbu\hczqfmny.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6797 bytes

#8
Tigger93

Posted 12 April 2008 - 07:54 AM

Trusted Helper

Retired Staff
1,870 posts

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

#9
growlix

Posted 12 April 2008 - 04:47 PM

New Member

Topic Starter
Member
9 posts

Here's the post:

Malwarebytes' Anti-Malware 1.11
Database version: 619

Scan type: Quick Scan
Objects scanned: 31136
Time elapsed: 6 minute(s), 7 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 31

Memory Processes Infected:
C:\WINNT\system32\enubwvqr.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\auezilll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINNT\FLEOK (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINNT\system32\enubwvqr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINNT\FLEOK\180ax.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\avisynthex32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\aviwrap32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\browserad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\changeurl_30.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\msa64chk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\msapasrc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\ntnut.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\shdocpl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\winsb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\system32\MSNSA32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\system32\ntnut32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\system32\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\system32\SIPSPI32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\Installer\id53.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\apphelp32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\asferror32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\asycfilt32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\athprxy32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\ati2dvaa32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\ati2dvag32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\audiosrv32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\autodisc32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINNT\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.

#10
Tigger93

Posted 13 April 2008 - 09:02 AM

Trusted Helper

Retired Staff
1,870 posts

Looking much better.

Can you re-run Combofix and post the new log please?

#11
growlix

Posted 13 April 2008 - 01:09 PM

New Member

Topic Starter
Member
9 posts

Excellent. So far, no more pop-ups or viruses! Here's the new log:

ComboFix 08-04-09.8 - Owner 2008-04-13 14:02:37.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.231 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-12 17:39 . 2008-04-12 17:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-12 17:39 . 2008-04-12 17:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-12 17:39 . 2008-04-12 17:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 15:02 . 2008-04-11 15:02 118 --a------ C:\WINNT\system32\MRT.INI
2008-04-08 22:26 . 2008-04-08 22:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\True Sword
2008-04-08 22:25 . 2008-04-08 22:29 <DIR> d-------- C:\Program Files\True Sword 4
2008-04-08 00:10 . 2008-04-08 00:10 9,662 --a------ C:\WINNT\system32\ZoneAlarmIconUS.ico
2008-04-06 02:26 . 2008-04-06 02:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 00:03 . 2008-04-06 00:03 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-03-31 20:04 . 2008-03-31 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 09:47 1,845,248 ----a-w C:\WINNT\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINNT\system32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINNT\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINNT\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINNT\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINNT\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINNT\system32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ------w C:\WINNT\system32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINNT\system32\dllcache\iedw.exe
2008-02-04 23:23 693,792 ----a-w C:\WINNT\system32\OGACheckControl.DLL
2007-01-20 05:30 87,288 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot_2008-04-11_18.52.41.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-11 23:51:37 53,248 ----a-w C:\WINNT\PSEXESVC.EXE
+ 2008-04-13 19:05:26 53,248 ----a-w C:\WINNT\PSEXESVC.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [ ]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 13:39 68856]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 33280 C:\WINNT\system32\rundll32.exe]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 14:50 66048 C:\WINNT\system32\SK9910DM.EXE]
"Keyboard Preload Check"="C:\OEMDRVRS\KEYB\Preload.exe" [ ]
"PROMon.exe"="PROMon.exe" [2002-04-18 18:32 73728 C:\WINNT\system32\PROMon.exe]
"WINDVDPatch"="CTHELPER.EXE" [2002-02-07 18:01 40960 C:\WINNT\system32\CTHELPER.EXE]
"UpdReg"="C:\WINNT\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 01:00 28672]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-02-28 08:47 675840]
"MMTray"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" [2003-03-14 18:15 143360]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 16:48 479232]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-01 13:55 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-05 17:03 282624]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-06-21 18:57 5355832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 00:06 5181440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"cLfe2ZWsjU"= C:\Documents and Settings\All Users\Application Data\vepezgbu\hczqfmny.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\AIM\\aim.exe"=

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINNT\system32\Drivers\SSFS0BB8.SYS [2007-06-21 18:43]
R2 NMSSvc;Intel® NMS;C:\WINNT\System32\NMSSvc.exe [2002-05-03 12:36]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINNT\system32\drivers\NMSCFG.SYS [2002-05-03 12:36]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

*Newly Created Service* - NMSSVC
*Newly Created Service* - SYMTDI
.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 22:30:00 C:\WINNT\Tasks\Disk Cleanup.job"
- C:\WINNT\system32\cleanmgr.exe
"2002-09-19 14:55:49 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-03-31 07:00:03 C:\WINNT\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 14:05:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\System32\NavLogon.dll
.
Completion time: 2008-04-13 14:07:55
ComboFix-quarantined-files.txt 2008-04-13 19:07:00
ComboFix2.txt 2008-04-11 23:53:12
ComboFix3.txt 2008-04-10 18:34:58
ComboFix4.txt 2008-04-10 02:27:19
Pre-Run: 18,016,460,800 bytes free
Post-Run: 18,003,963,904 bytes free
.
2008-04-11 20:03:36 --- E O F ---

#12
Tigger93

Posted 13 April 2008 - 05:11 PM

Trusted Helper

Retired Staff
1,870 posts

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Then post a new HijackThis log please.

#13
growlix

Posted 13 April 2008 - 05:31 PM

New Member

Topic Starter
Member
9 posts

Combofix is removed and here is the new hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:44 PM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\system32\PROMon.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\CF7900.exe
C:\WINNT\system32\cscript.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.protopage.com/bwkaelin
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKLM\..\Policies\Explorer\Run: [cLfe2ZWsjU] C:\Documents and Settings\All Users\Application Data\vepezgbu\hczqfmny.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6765 bytes

#14
Tigger93

Posted 14 April 2008 - 05:54 PM

Trusted Helper

Retired Staff
1,870 posts

Hi again.

Open HijackThis and put a check next to these:
O4 - HKLM\..\Policies\Explorer\Run: [cLfe2ZWsjU] C:\Documents and Settings\All Users\Application Data\vepezgbu\hczqfmny.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)

O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

Click Fix Checked and close HijackThis.

Open Notepad and copy and paste in the following:

sc stop "PictureTaker"
sc stop "Viewpoint Manager Service"
sc delete "PictureTaker"
sc delete "Viewpoint Manager Service"

del /q fix1.bat

Save it as fix1.bat to the desktop. Double-click on it and it will run; and black box may quickly appear then disappear, this is normal.

Then please go here and upload and scan this file:
C:\WINNT\system32\CF7900.exe

Please save the results.

Restart your computer and post the following please:

The VirusTotal results
A new HijackThis log

#15
growlix

Posted 14 April 2008 - 06:30 PM

New Member

Topic Starter
Member
9 posts

When I uploaded and sent the file (C:\WINNT\system32\CF7900.exe) the only thing that popped up was a white screen that said 0 bytes received. I tried a few times and that's all I got. Perhaps I'm doing something wrong, as I anticipate that isn't what you had in mind.

Also, I have a program installed on my computer called SpySweeper by Webroot. Is it actually beneficial to have, or is it just taking up space and bogging my computer down?

Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:47 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\system32\PROMon.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.protopage.com/bwkaelin
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6071 bytes