Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan:Win32/Vundo.gen! [RESOLVED]

Started by jchevier , Jul 04 2008 06:23 PM

  • This topic is locked This topic is locked

#1
jchevier
Posted 04 July 2008 - 06:23 PM

jchevier

    New Member

  • Member
  • Pip
  • 9 posts
I tried my best to follow the "You Must Read This Before Posting A Hijackthis Log, Malware Cleaning Guide" thread. As a result, I have several logs to copy over, any help would be appreciated. Thank you - jchevier.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:20 PM, on 7/4/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\aestsrv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\p2phost.exe
C:\Windows\System32\rundll32.exe
C:\ProgramData\psbsjwxi\rexihudq.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\ProgramData\adecazxn\lavyjadc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\ehome\ehmsas.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...arm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [CollaborationHost] C:\Windows\system32\p2phost.exe -s
O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Summer\lsass.exe
O4 - HKCU\..\Run: [MSSMSGS] rundll32.exe winkye32.rom,HdyRun
O4 - HKCU\..\Run: [ammhpupd] C:\ProgramData\ammhpupd\jcbwhohe.exe
O4 - HKCU\..\Run: [2PTRR1Iziz] C:\ProgramData\psbsjwxi\rexihudq.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [adecazxn] C:\ProgramData\adecazxn\lavyjadc.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....NPUplden-us.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13745 bytes



------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Malwarebytes' Anti-Malware 1.19
Database version: 921
Windows 6.0.6000

3:18:06 PM 7/4/2008
mbam-log-7-4-2008 (15-18-06).txt

Scan type: Quick Scan
Objects scanned: 40634
Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Summer\AppData\Local\Temp\ssqoPHYP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\ssqPfcCV.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp00009c2f (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp0000a015 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp0000a275 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp0000a63d (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp0000acc2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp0000adfa (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp0000b125 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp0000b441 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp0000b672 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp0000bd84 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp0000c59f (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp0000d873 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp0000da85 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp0000ff35 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp00010d0a (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp00010d39 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp00013976 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp00016e5b (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp0001e8b8 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp00024b13 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp0004bd26 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\AppData\Local\Temp\tmp0008842c (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\Local Settings\Temporary Internet Files\Content.IE5\IBZX3LYH\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\Local Settings\Temporary Internet Files\Content.IE5\W9IMB2AY\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\Local Settings\Temporary Internet Files\Content.IE5\W9IMB2AY\kb767887[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\Local Settings\Temporary Internet Files\Content.IE5\W9IMB2AY\kb767887[3] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Summer\Setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.



------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


SUPERAntiSpyware Scan Log
Generated 07/04/2008 at 05:47 PM

Application Version : 3.6.1000

Core Rules Database Version : 3497
Trace Rules Database Version: 1488

Scan type : Complete Scan
Total Scan Time : 00:47:45

Memory items scanned : 757
Memory threats detected : 0
Registry items scanned : 7528
Registry threats detected : 0
File items scanned : 79389
File threats detected : 147

Adware.Tracking Cookie
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@adbrite[2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@adbureau[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@adinterax[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@adnetserver[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@adnetwork2go[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@advertising[2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@apmebf[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@bestdiscountoffers[2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@chitika[2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@clickbank[2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@clickshift[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@clicksor[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@collective-media[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@consumergain[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@crackle[2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@directtrack[2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@dmtracker[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@eyewonder[2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@findarticles[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@findwhat[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@hearsomethingcountry[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@hornymatches[2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@insightexpressai[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@interclick[2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@kontera[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@lynxtrack[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@media6degrees[2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@mediafileshost[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@mediafire[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@mediaresponder[2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@myroitracking[2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@mystats[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@optimost[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@partner2profit[2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@petfinder[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@precisionclick[2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@qnsr[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@redorbit[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@revsci[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@roiservice[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@royaladultvideo[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][3].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@smileycentral[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@tacoda[2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@testquestionsandanswers[2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@trafficregenerator[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\summer@valueclick[1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][10].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][11].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][3].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][4].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][6].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][7].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][8].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\Summer\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt



------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-07-04 19:59:20
PROTECTIONS: 3
MALWARE: 1
SUSPECTS: 0
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
Trend Micro PC-Cillin Internet Security 14 14.70.1014 No Yes
Windows Defender 1.1.3704.0 No No
Trend Micro Internet Security 2008 14.70.1014 No No
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
03184317 Adware/Lop Adware Yes 1 Yes No C:\ProgramData\psbsjwxi\rexihudq.exe
;===============================================================================
=================================================================================
===================
SUSPECTS
Sent Location ܨ~�� s5
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================
VULNERABILITIES
Id Severity Description ܨ~�� s5
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================



-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


[07/04/2008, 12:57:24] - VirtumundoBeGone v1.5 ( "C:\Users\Summer\Desktop\VirtumundoBeGone.exe" )
[07/04/2008, 12:57:30] - Detected System Information:
[07/04/2008, 12:57:30] - Windows Version: 6.0.6000,
[07/04/2008, 12:57:30] - Current Username: Summer (Admin)
[07/04/2008, 12:57:30] - Windows is in SAFE mode with Networking.
[07/04/2008, 12:57:30] - Searching for Browser Helper Objects:
[07/04/2008, 12:57:30] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (&Yahoo! Toolbar Helper)
[07/04/2008, 12:57:30] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[07/04/2008, 12:57:30] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/04/2008, 12:57:30] - BHO 4: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[07/04/2008, 12:57:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/04/2008, 12:57:30] - No filename found. Continuing.
[07/04/2008, 12:57:30] - BHO 5: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[07/04/2008, 12:57:30] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[07/04/2008, 12:57:30] - BHO 7: {CA6319C0-31B7-401E-A518-A07C3DB8F777} (CBrowserHelperObject Object)
[07/04/2008, 12:57:30] - Finished Searching Browser Helper Objects
[07/04/2008, 12:57:30] - Finishing up...
[07/04/2008, 12:57:30] - Nothing found! Exiting...
  • 0

Advertisements

#2
loophole
Posted 04 July 2008 - 06:58 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi,

Certainly some things amiss, lets see if we can get it sorted

Your using vista so all the apps I ask you tou run: you will need to right click them and choose "run as administrator"

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#3
jchevier
Posted 04 July 2008 - 07:26 PM

jchevier

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
ComboFix 08-07-04.2 - Summer 2008-07-04 21:10:28.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2042 [GMT -4:00]
Running from: C:\Users\Summer\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 01:05 --------- d---a-w C:\ProgramData\TEMP
2008-07-05 00:53 27,430 ----a-w C:\Users\Summer\AppData\Roaming\nvModes.dat
2008-07-05 00:06 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-07-04 22:27 --------- d-----w C:\Program Files\Panda Security
2008-07-04 21:53 --------- d-----w C:\ProgramData\adecazxn
2008-07-04 20:57 --------- d-----w C:\Users\Summer\AppData\Roaming\SUPERAntiSpyware.com
2008-07-04 20:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 19:58 --------- d-----w C:\Program Files\LimeWire
2008-07-04 19:22 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-07-04 19:13 --------- d-----w C:\Users\Summer\AppData\Roaming\Malwarebytes
2008-07-04 19:13 --------- d-----w C:\ProgramData\Malwarebytes
2008-07-04 19:13 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-04 19:11 --------- d-----w C:\Users\Summer\AppData\Roaming\Download Manager
2008-07-04 18:53 --------- d-----w C:\Program Files\Trend Micro
2008-07-01 18:25 --------- d-----w C:\Program Files\Google
2008-06-30 15:27 --------- d-----w C:\Program Files\Spyware Doctor
2008-06-30 05:37 --------- d-----w C:\Users\Summer\AppData\Roaming\LimeWire
2008-06-30 04:36 --------- d-----w C:\ProgramData\psbsjwxi
2008-06-30 04:36 --------- d-----w C:\ProgramData\ammhpupd
2008-06-30 04:01 --------- d-----w C:\Users\Summer\AppData\Roaming\PC Tools
2008-06-30 03:45 147,456 ----a-w C:\Users\Summer\vbzip10.dll
2008-06-30 03:45 115,967 ----a-w C:\Users\Summer\a.zip
2008-06-30 01:22 524 ----a-w C:\Users\Summer\355.bat
2008-06-29 15:27 524 ----a-w C:\Users\Summer\869.bat
2008-06-29 15:12 524 ----a-w C:\Users\Summer\738.bat
2008-06-29 15:08 524 ----a-w C:\Users\Summer\836.bat
2008-06-29 14:46 524 ----a-w C:\Users\Summer\544.bat
2008-06-29 02:49 524 ----a-w C:\Users\Summer\402.bat
2008-06-28 22:23 523 ----a-w C:\Users\Summer\22.bat
2008-06-28 21:33 524 ----a-w C:\Users\Summer\881.bat
2008-06-28 19:52 523 ----a-w C:\Users\Summer\97.bat
2008-06-28 18:16 34,296 ----a-w C:\Windows\system32\drivers\mbamcatchme.sys
2008-06-28 18:16 17,144 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-06-19 21:24 28,544 ----a-w C:\Windows\system32\drivers\pavboot.sys
2008-06-11 23:35 --------- d-----w C:\Program Files\Windows Mail
2008-06-11 01:22 81,288 ----a-w C:\Windows\system32\drivers\iksyssec.sys
2008-06-02 19:19 66,952 ----a-w C:\Windows\system32\drivers\iksysflt.sys
2008-06-02 19:19 42,376 ----a-w C:\Windows\system32\drivers\ikfilesec.sys
2008-06-02 19:19 29,576 ----a-w C:\Windows\system32\drivers\kcom.sys
2008-05-18 14:01 --------- d-----w C:\Program Files\HP_Vista_SF_Ph1
2008-05-11 20:03 --------- d-----w C:\Program Files\Incomplete
2008-05-10 03:30 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-05-10 01:21 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-04-29 03:50 181,760 ----a-w C:\Windows\System32\fsquirt.exe
2008-04-26 07:41 1,327,616 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:23 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-25 04:23 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-25 04:23 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-25 04:22 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-04-23 04:27 428,032 ----a-w C:\Windows\System32\EncDec.dll
2008-04-23 04:27 292,352 ----a-w C:\Windows\System32\psisdecd.dll
2008-04-23 04:27 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-12-16 02:53 174 --sha-w C:\Program Files\desktop.ini
2007-12-16 03:12 76 --sh--r C:\Windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 08:35 125440]
"CollaborationHost"="C:\Windows\system32\p2phost.exe" [2006-11-02 08:35 191488]
"ammhpupd"="C:\ProgramData\ammhpupd\jcbwhohe.exe" [2008-06-30 00:36 86016]
"2PTRR1Iziz"="C:\ProgramData\psbsjwxi\rexihudq.exe" [2008-06-30 00:36 53248]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-07-01 14:25 171448]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"adecazxn"="C:\ProgramData\adecazxn\lavyjadc.exe" [2008-07-04 17:53 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [2007-09-24 05:27 159744]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [2007-08-29 01:54 36864]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 18:43 118784]
"Broadcom Wireless Manager UI"="C:\Windows\system32\WLTRAY.exe" [2007-03-21 15:33 1548288]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 13:37 81920]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 18:10 184320]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-15 23:22 1838592]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 20:57 16384]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe" [2007-08-27 05:21 1807696]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 13:35 221184]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-10-04 22:24 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-10-04 22:24 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-10-04 22:24 81920]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-10-04 22:24 86016]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-03 19:55:50 703280]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-12-15 23:10:34 50688]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe [2007-07-20 20:13:26 1180952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{ED67C628-21C9-4E13-B13E-178E440EB97E}"= C:\Program Files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{A923C0B6-A87D-48E3-92E1-088EF7D78359}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{077CDE20-6161-41F8-A3F1-8E0970F9EA6D}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{97BA0E04-739C-4892-95A2-40E9FA24C058}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{1AF5981C-FCC1-4EA0-A50C-B57970F53621}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{CEC0D812-6D0A-42A5-B7CE-02982D8CCFD7}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{FAE1CC91-60A9-40B0-AE57-5352B78122FC}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C95E9067-B67F-4C75-A9B8-DDB4AF87EF55}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{1F1909AD-4E6C-46A9-82D3-59E8C68EC858}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{2D683439-DC34-430C-A1A8-06406C90D03C}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{4F4B610B-4297-4999-AB97-16D5992E5097}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{1E553221-9544-4046-9577-74F6C66986F8}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{F185DD9A-8B9A-4234-BC76-7E6364B89A91}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{EF317720-774A-4DD7-9378-AB0523C2C228}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{31E0988D-DF61-4C50-9FCA-A50861F104E0}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"TCP Query User{7017CAB9-5608-4BFD-BDA1-4065DBD99735}C:\\program files\\myspace\\im\\myspaceim.exe"= UDP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
"UDP Query User{463E7277-CCAA-4C4D-A176-FAED382CD1B9}C:\\program files\\myspace\\im\\myspaceim.exe"= TCP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
"TCP Query User{01A72309-A2D0-4F2F-BB7F-ACE7AB69E952}C:\\program files\\myspace\\im\\myspaceim.exe"= UDP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
"UDP Query User{D1F16F11-1ACD-40AD-9E1E-AF7CC094D9B3}C:\\program files\\myspace\\im\\myspaceim.exe"= TCP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\system32\aestsrv.exe [2007-09-28 00:54]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 05:45]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 05:45]
R3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2006-11-06 21:37]
R3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2006-11-06 19:13]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2006-11-06 19:13]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-10-10 18:03]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-08-29 01:55]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 03:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3a7d815-04f6-11dd-b324-001dd9e741f6}]
\shell\AutoRun\command - F:\setupSNK.exe

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-LSA Shellu - C:\Users\Summer\lsass.exe
HKCU-Run-MSSMSGS - winkye32.rom


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 21:12:37
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-04 21:14:50
ComboFix-quarantined-files.txt 2008-07-05 01:14:18

The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 80,573,972,480 bytes free

174 --- E O F --- 2008-07-04 17:40:28



------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:59 PM, on 7/4/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\p2phost.exe
C:\Windows\System32\rundll32.exe
C:\ProgramData\psbsjwxi\rexihudq.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\ProgramData\adecazxn\lavyjadc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [CollaborationHost] C:\Windows\system32\p2phost.exe -s
O4 - HKCU\..\Run: [ammhpupd] C:\ProgramData\ammhpupd\jcbwhohe.exe
O4 - HKCU\..\Run: [2PTRR1Iziz] C:\ProgramData\psbsjwxi\rexihudq.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [adecazxn] C:\ProgramData\adecazxn\lavyjadc.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....NPUplden-us.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11092 bytes
  • 0

#4
loophole
Posted 04 July 2008 - 07:47 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

A few things need to go, but please do the following before we continue

  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan"box on the top of the page:

    • C:\Windows\system32\drivers\pavboot.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

  • 0

#5
jchevier
Posted 04 July 2008 - 08:00 PM

jchevier

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
http://virscan.org/r...b187dfbbef.html
  • 0

#6
loophole
Posted 04 July 2008 - 08:25 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi


Open notepad and copy/paste the text in RED below into it:



File::
C:\Users\Summer\355.bat
C:\Users\Summer\869.bat
C:\Users\Summer\738.bat
C:\Users\Summer\836.bat
C:\Users\Summer\544.bat
C:\Users\Summer\402.bat
C:\Users\Summer\22.bat
C:\Users\Summer\881.bat
C:\Users\Summer\97.bat
Folder::
C:\ProgramData\psbsjwxi
C:\ProgramData\ammhpupd
C:\ProgramData\adecazxn

Save this as CFScript.txt, in the same location as ComboFix.exe (desktop)

Posted Image


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Please post it
  • 0

#7
jchevier
Posted 04 July 2008 - 08:51 PM

jchevier

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
ComboFix 08-07-04.2 - Summer 2008-07-04 22:42:08.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2066 [GMT -4:00]
Running from: C:\Users\Summer\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 02:35 27,430 ----a-w C:\Users\Summer\AppData\Roaming\nvModes.dat
2008-07-05 02:34 --------- d-----w C:\ProgramData\ttjskhzw
2008-07-05 01:05 --------- d---a-w C:\ProgramData\TEMP
2008-07-05 00:06 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-07-04 22:27 --------- d-----w C:\Program Files\Panda Security
2008-07-04 21:53 --------- d-----w C:\ProgramData\adecazxn
2008-07-04 20:57 --------- d-----w C:\Users\Summer\AppData\Roaming\SUPERAntiSpyware.com
2008-07-04 20:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 19:58 --------- d-----w C:\Program Files\LimeWire
2008-07-04 19:22 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-07-04 19:13 --------- d-----w C:\Users\Summer\AppData\Roaming\Malwarebytes
2008-07-04 19:13 --------- d-----w C:\ProgramData\Malwarebytes
2008-07-04 19:13 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-04 19:11 --------- d-----w C:\Users\Summer\AppData\Roaming\Download Manager
2008-07-04 18:53 --------- d-----w C:\Program Files\Trend Micro
2008-07-01 18:25 --------- d-----w C:\Program Files\Google
2008-06-30 15:27 --------- d-----w C:\Program Files\Spyware Doctor
2008-06-30 05:37 --------- d-----w C:\Users\Summer\AppData\Roaming\LimeWire
2008-06-30 04:36 --------- d-----w C:\ProgramData\psbsjwxi
2008-06-30 04:36 --------- d-----w C:\ProgramData\ammhpupd
2008-06-30 04:01 --------- d-----w C:\Users\Summer\AppData\Roaming\PC Tools
2008-06-30 03:45 147,456 ----a-w C:\Users\Summer\vbzip10.dll
2008-06-30 03:45 115,967 ----a-w C:\Users\Summer\a.zip
2008-06-30 01:22 524 ----a-w C:\Users\Summer\355.bat
2008-06-29 15:27 524 ----a-w C:\Users\Summer\869.bat
2008-06-29 15:12 524 ----a-w C:\Users\Summer\738.bat
2008-06-29 15:08 524 ----a-w C:\Users\Summer\836.bat
2008-06-29 14:46 524 ----a-w C:\Users\Summer\544.bat
2008-06-29 02:49 524 ----a-w C:\Users\Summer\402.bat
2008-06-28 22:23 523 ----a-w C:\Users\Summer\22.bat
2008-06-28 21:33 524 ----a-w C:\Users\Summer\881.bat
2008-06-28 19:52 523 ----a-w C:\Users\Summer\97.bat
2008-06-28 18:16 34,296 ----a-w C:\Windows\system32\drivers\mbamcatchme.sys
2008-06-28 18:16 17,144 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-06-19 21:24 28,544 ----a-w C:\Windows\system32\drivers\pavboot.sys
2008-06-11 23:35 --------- d-----w C:\Program Files\Windows Mail
2008-06-11 01:22 81,288 ----a-w C:\Windows\system32\drivers\iksyssec.sys
2008-06-02 19:19 66,952 ----a-w C:\Windows\system32\drivers\iksysflt.sys
2008-06-02 19:19 42,376 ----a-w C:\Windows\system32\drivers\ikfilesec.sys
2008-06-02 19:19 29,576 ----a-w C:\Windows\system32\drivers\kcom.sys
2008-05-18 14:01 --------- d-----w C:\Program Files\HP_Vista_SF_Ph1
2008-05-11 20:03 --------- d-----w C:\Program Files\Incomplete
2008-05-10 03:30 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-05-10 01:21 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-04-29 03:50 181,760 ----a-w C:\Windows\System32\fsquirt.exe
2008-04-26 07:41 1,327,616 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:23 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-25 04:23 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-25 04:23 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-25 04:22 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-04-23 04:27 428,032 ----a-w C:\Windows\System32\EncDec.dll
2008-04-23 04:27 292,352 ----a-w C:\Windows\System32\psisdecd.dll
2008-04-23 04:27 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-12-16 02:53 174 --sha-w C:\Program Files\desktop.ini
2007-12-16 03:12 76 --sh--r C:\Windows\CT4CET.bin
.

((((((((((((((((((((((((((((( snapshot@2008-07-04_21.13.55.02 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-05 00:52:10 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-07-05 02:33:27 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-07-05 00:52:10 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-07-05 02:33:30 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-07-05 00:52:10 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-07-05 02:33:30 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-07-05 00:54:51 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-07-05 02:36:12 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-07-05 00:54:46 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-05 02:36:07 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-05 02:36:07 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-07-05 01:05:54 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-05 02:35:30 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-07-05 01:05:54 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-05 02:35:30 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-05 01:05:54 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-07-05 02:35:30 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-05 00:58:46 104,024 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-07-05 02:40:06 104,024 ----a-w C:\Windows\System32\perfc009.dat
- 2008-07-05 00:58:46 618,648 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-07-05 02:40:06 618,648 ----a-w C:\Windows\System32\perfh009.dat
- 2008-07-05 00:55:16 9,904 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1547547826-446779606-3597821660-1000_UserData.bin
+ 2008-07-05 02:36:37 9,904 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1547547826-446779606-3597821660-1000_UserData.bin
- 2008-07-05 00:55:15 72,582 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-07-05 02:36:35 72,812 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-07-05 00:55:12 44,558 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-07-05 02:36:26 44,574 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 08:35 125440]
"CollaborationHost"="C:\Windows\system32\p2phost.exe" [2006-11-02 08:35 191488]
"ammhpupd"="C:\ProgramData\ammhpupd\jcbwhohe.exe" [2008-06-30 00:36 86016]
"2PTRR1Iziz"="C:\ProgramData\psbsjwxi\rexihudq.exe" [2008-06-30 00:36 53248]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-07-01 14:25 171448]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"adecazxn"="C:\ProgramData\adecazxn\lavyjadc.exe" [2008-07-04 17:53 106496]
"ttjskhzw"="C:\ProgramData\ttjskhzw\srkxmrux.exe" [2008-07-04 22:34 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [2007-09-24 05:27 159744]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [2007-08-29 01:54 36864]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 18:43 118784]
"Broadcom Wireless Manager UI"="C:\Windows\system32\WLTRAY.exe" [2007-03-21 15:33 1548288]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 13:37 81920]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 18:10 184320]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-15 23:22 1838592]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 20:57 16384]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe" [2007-08-27 05:21 1807696]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 13:35 221184]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-10-04 22:24 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-10-04 22:24 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-10-04 22:24 81920]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-10-04 22:24 86016]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-03 19:55:50 703280]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-12-15 23:10:34 50688]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe [2007-07-20 20:13:26 1180952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{ED67C628-21C9-4E13-B13E-178E440EB97E}"= C:\Program Files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{A923C0B6-A87D-48E3-92E1-088EF7D78359}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{077CDE20-6161-41F8-A3F1-8E0970F9EA6D}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{97BA0E04-739C-4892-95A2-40E9FA24C058}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{1AF5981C-FCC1-4EA0-A50C-B57970F53621}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{CEC0D812-6D0A-42A5-B7CE-02982D8CCFD7}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{FAE1CC91-60A9-40B0-AE57-5352B78122FC}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C95E9067-B67F-4C75-A9B8-DDB4AF87EF55}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{1F1909AD-4E6C-46A9-82D3-59E8C68EC858}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{2D683439-DC34-430C-A1A8-06406C90D03C}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{4F4B610B-4297-4999-AB97-16D5992E5097}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{1E553221-9544-4046-9577-74F6C66986F8}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{F185DD9A-8B9A-4234-BC76-7E6364B89A91}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{EF317720-774A-4DD7-9378-AB0523C2C228}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{31E0988D-DF61-4C50-9FCA-A50861F104E0}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"TCP Query User{7017CAB9-5608-4BFD-BDA1-4065DBD99735}C:\\program files\\myspace\\im\\myspaceim.exe"= UDP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
"UDP Query User{463E7277-CCAA-4C4D-A176-FAED382CD1B9}C:\\program files\\myspace\\im\\myspaceim.exe"= TCP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
"TCP Query User{01A72309-A2D0-4F2F-BB7F-ACE7AB69E952}C:\\program files\\myspace\\im\\myspaceim.exe"= UDP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
"UDP Query User{D1F16F11-1ACD-40AD-9E1E-AF7CC094D9B3}C:\\program files\\myspace\\im\\myspaceim.exe"= TCP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\system32\aestsrv.exe [2007-09-28 00:54]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 05:45]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 05:45]
R3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2006-11-06 21:37]
R3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2006-11-06 19:13]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2006-11-06 19:13]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-10-10 18:03]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-08-29 01:55]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 03:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3a7d815-04f6-11dd-b324-001dd9e741f6}]
\shell\AutoRun\command - F:\setupSNK.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 22:44:01
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-04 22:46:05
ComboFix-quarantined-files.txt 2008-07-05 02:45:01
ComboFix2.txt 2008-07-05 01:24:46
ComboFix3.txt 2008-07-05 01:14:51

The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 80,035,328,000 bytes free

201 --- E O F --- 2008-07-04 17:40:28
  • 0

#8
loophole
Posted 04 July 2008 - 09:07 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Something went astray, please do this

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    C:\Users\Summer\355.bat
    C:\Users\Summer\869.bat
    C:\Users\Summer\738.bat
    C:\Users\Summer\836.bat
    C:\Users\Summer\544.bat
    C:\Users\Summer\402.bat
    C:\Users\Summer\22.bat
    C:\Users\Summer\881.bat
    C:\Users\Summer\97.bat
    C:\ProgramData\psbsjwxi
    C:\ProgramData\ammhpupd
    C:\ProgramData\adecazxn


  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2

    Next re run combofix and post the log
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • 0

#9
jchevier
Posted 04 July 2008 - 09:20 PM

jchevier

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
C:\Users\Summer\355.bat moved successfully.
C:\Users\Summer\869.bat moved successfully.
C:\Users\Summer\738.bat moved successfully.
C:\Users\Summer\836.bat moved successfully.
C:\Users\Summer\544.bat moved successfully.
C:\Users\Summer\402.bat moved successfully.
C:\Users\Summer\22.bat moved successfully.
C:\Users\Summer\881.bat moved successfully.
C:\Users\Summer\97.bat moved successfully.
C:\ProgramData\psbsjwxi moved successfully.
C:\ProgramData\ammhpupd moved successfully.
C:\ProgramData\adecazxn moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07042008_231427



------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


ComboFix 08-07-04.2 - Summer 2008-07-04 23:16:05.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2065 [GMT -4:00]
Running from: C:\Users\Summer\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 02:50 27,430 ----a-w C:\Users\Summer\AppData\Roaming\nvModes.dat
2008-07-05 02:50 --------- d-----w C:\ProgramData\jwmelhie
2008-07-05 02:34 --------- d-----w C:\ProgramData\ttjskhzw
2008-07-05 01:05 --------- d---a-w C:\ProgramData\TEMP
2008-07-05 00:06 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-07-04 22:27 --------- d-----w C:\Program Files\Panda Security
2008-07-04 20:57 --------- d-----w C:\Users\Summer\AppData\Roaming\SUPERAntiSpyware.com
2008-07-04 20:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 19:58 --------- d-----w C:\Program Files\LimeWire
2008-07-04 19:22 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-07-04 19:13 --------- d-----w C:\Users\Summer\AppData\Roaming\Malwarebytes
2008-07-04 19:13 --------- d-----w C:\ProgramData\Malwarebytes
2008-07-04 19:13 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-04 19:11 --------- d-----w C:\Users\Summer\AppData\Roaming\Download Manager
2008-07-04 18:53 --------- d-----w C:\Program Files\Trend Micro
2008-07-01 18:25 --------- d-----w C:\Program Files\Google
2008-06-30 15:27 --------- d-----w C:\Program Files\Spyware Doctor
2008-06-30 05:37 --------- d-----w C:\Users\Summer\AppData\Roaming\LimeWire
2008-06-30 04:01 --------- d-----w C:\Users\Summer\AppData\Roaming\PC Tools
2008-06-30 03:45 147,456 ----a-w C:\Users\Summer\vbzip10.dll
2008-06-30 03:45 115,967 ----a-w C:\Users\Summer\a.zip
2008-06-28 18:16 34,296 ----a-w C:\Windows\system32\drivers\mbamcatchme.sys
2008-06-28 18:16 17,144 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-06-19 21:24 28,544 ----a-w C:\Windows\system32\drivers\pavboot.sys
2008-06-11 23:35 --------- d-----w C:\Program Files\Windows Mail
2008-06-11 01:22 81,288 ----a-w C:\Windows\system32\drivers\iksyssec.sys
2008-06-02 19:19 66,952 ----a-w C:\Windows\system32\drivers\iksysflt.sys
2008-06-02 19:19 42,376 ----a-w C:\Windows\system32\drivers\ikfilesec.sys
2008-06-02 19:19 29,576 ----a-w C:\Windows\system32\drivers\kcom.sys
2008-05-18 14:01 --------- d-----w C:\Program Files\HP_Vista_SF_Ph1
2008-05-11 20:03 --------- d-----w C:\Program Files\Incomplete
2008-05-10 03:30 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-05-10 01:21 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-04-29 03:50 181,760 ----a-w C:\Windows\System32\fsquirt.exe
2008-04-26 07:41 1,327,616 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:23 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-25 04:23 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-25 04:23 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-25 04:22 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-04-23 04:27 428,032 ----a-w C:\Windows\System32\EncDec.dll
2008-04-23 04:27 292,352 ----a-w C:\Windows\System32\psisdecd.dll
2008-04-23 04:27 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-12-16 02:53 174 --sha-w C:\Program Files\desktop.ini
2007-12-16 03:12 76 --sh--r C:\Windows\CT4CET.bin
.

((((((((((((((((((((((((((((( snapshot@2008-07-04_21.13.55.02 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-05 00:52:10 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-07-05 02:48:37 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-07-05 00:52:10 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-07-05 02:48:38 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-07-05 00:52:10 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-07-05 02:48:38 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-07-05 00:54:51 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-07-05 02:51:29 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-07-05 00:54:46 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-05 02:51:24 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-05 02:51:24 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-07-05 01:05:54 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-05 02:58:57 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-07-05 01:05:54 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-05 02:58:57 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-05 01:05:54 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-07-05 02:58:57 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-05 00:58:46 104,024 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-07-05 02:55:41 104,024 ----a-w C:\Windows\System32\perfc009.dat
- 2008-07-05 00:58:46 618,648 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-07-05 02:55:41 618,648 ----a-w C:\Windows\System32\perfh009.dat
- 2008-07-05 00:55:16 9,904 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1547547826-446779606-3597821660-1000_UserData.bin
+ 2008-07-05 02:51:41 9,904 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1547547826-446779606-3597821660-1000_UserData.bin
- 2008-07-05 00:55:15 72,582 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-07-05 02:51:40 72,948 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-07-05 00:55:12 44,558 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-07-05 02:51:36 44,582 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 08:35 125440]
"CollaborationHost"="C:\Windows\system32\p2phost.exe" [2006-11-02 08:35 191488]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-07-01 14:25 171448]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"ttjskhzw"="C:\ProgramData\ttjskhzw\srkxmrux.exe" [2008-07-04 22:34 106496]
"jwmelhie"="C:\ProgramData\jwmelhie\ghslmtal.exe" [2008-07-04 22:50 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [2007-09-24 05:27 159744]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [2007-08-29 01:54 36864]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 18:43 118784]
"Broadcom Wireless Manager UI"="C:\Windows\system32\WLTRAY.exe" [2007-03-21 15:33 1548288]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 13:37 81920]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 18:10 184320]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-15 23:22 1838592]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 20:57 16384]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe" [2007-08-27 05:21 1807696]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 13:35 221184]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-10-04 22:24 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-10-04 22:24 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-10-04 22:24 81920]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-10-04 22:24 86016]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-03 19:55:50 703280]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-12-15 23:10:34 50688]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe [2007-07-20 20:13:26 1180952]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{ED67C628-21C9-4E13-B13E-178E440EB97E}"= C:\Program Files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{A923C0B6-A87D-48E3-92E1-088EF7D78359}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{077CDE20-6161-41F8-A3F1-8E0970F9EA6D}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{97BA0E04-739C-4892-95A2-40E9FA24C058}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{1AF5981C-FCC1-4EA0-A50C-B57970F53621}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{CEC0D812-6D0A-42A5-B7CE-02982D8CCFD7}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{FAE1CC91-60A9-40B0-AE57-5352B78122FC}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C95E9067-B67F-4C75-A9B8-DDB4AF87EF55}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{1F1909AD-4E6C-46A9-82D3-59E8C68EC858}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{2D683439-DC34-430C-A1A8-06406C90D03C}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{4F4B610B-4297-4999-AB97-16D5992E5097}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{1E553221-9544-4046-9577-74F6C66986F8}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{F185DD9A-8B9A-4234-BC76-7E6364B89A91}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{EF317720-774A-4DD7-9378-AB0523C2C228}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{31E0988D-DF61-4C50-9FCA-A50861F104E0}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"TCP Query User{7017CAB9-5608-4BFD-BDA1-4065DBD99735}C:\\program files\\myspace\\im\\myspaceim.exe"= UDP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
"UDP Query User{463E7277-CCAA-4C4D-A176-FAED382CD1B9}C:\\program files\\myspace\\im\\myspaceim.exe"= TCP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
"TCP Query User{01A72309-A2D0-4F2F-BB7F-ACE7AB69E952}C:\\program files\\myspace\\im\\myspaceim.exe"= UDP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
"UDP Query User{D1F16F11-1ACD-40AD-9E1E-AF7CC094D9B3}C:\\program files\\myspace\\im\\myspaceim.exe"= TCP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\system32\aestsrv.exe [2007-09-28 00:54]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 05:45]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 05:45]
R3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2006-11-06 21:37]
R3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2006-11-06 19:13]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2006-11-06 19:13]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-10-10 18:03]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-08-29 01:55]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 03:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3a7d815-04f6-11dd-b324-001dd9e741f6}]
\shell\AutoRun\command - F:\setupSNK.exe

.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ammhpupd - C:\ProgramData\ammhpupd\jcbwhohe.exe
HKCU-Run-2PTRR1Iziz - C:\ProgramData\psbsjwxi\rexihudq.exe
HKCU-Run-adecazxn - C:\ProgramData\adecazxn\lavyjadc.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 23:17:26
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-04 23:18:24
ComboFix-quarantined-files.txt 2008-07-05 03:18:19
ComboFix2.txt 2008-07-05 02:46:05
ComboFix3.txt 2008-07-05 01:24:46
ComboFix4.txt 2008-07-05 01:14:51

The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 80,214,323,200 bytes free

195 --- E O F --- 2008-07-04 17:40:28
  • 0

#10
loophole
Posted 05 July 2008 - 08:31 AM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

# Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
# Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\ProgramData\jwmelhie
C:\ProgramData\ttjskhzw


# Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
# Click the red Moveit! button.
# Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
# Close OTMoveIt2


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit. Please post the log with a new Hijack log

  • 0

Advertisements

#11
jchevier
Posted 05 July 2008 - 05:25 PM

jchevier

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
C:\ProgramData\jwmelhie moved successfully.
C:\ProgramData\ttjskhzw moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07052008_150351


------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Users\Summer\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Users\Summer\Desktop;Archive contains infected objects;Moved.;
VirtumundoBeGone.exe\data005;C:\Users\Summer\Desktop\New Folder\VirtumundoBeGone.exe;Tool.Prockill;;
VirtumundoBeGone.exe;C:\Users\Summer\Desktop\New Folder;Archive contains infected objects;Moved.;
  • 0

#12
loophole
Posted 06 July 2008 - 01:52 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
All the scan found was false positives (combofix,viryumondobegone) Hows it running?
  • 0

#13
jchevier
Posted 06 July 2008 - 02:14 PM

jchevier

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
It's running alot better. But every once in a while, I get an ad that launches from the task bar. Other than that, It seems to be doing ok.
  • 0

#14
loophole
Posted 06 July 2008 - 03:23 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
I will peruse back through the logs, please post a new combofix log and hijack log and we will find out what the pop up is
  • 0

#15
jchevier
Posted 06 July 2008 - 04:27 PM

jchevier

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
ComboFix 08-07-05.1 - Summer 2008-07-06 18:22:31.6 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2115 [GMT -4:00]
Running from: C:\Users\Summer\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-06-06 to 2008-07-06 )))))))))))))))))))))))))))))))
.

2008-07-06 12:45 . 2008-07-06 12:45 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-07-06 10:28 . 2008-07-06 10:28 <DIR> d-------- C:\PerfLogs
2008-07-05 15:06 . 2008-07-05 16:21 <DIR> d-------- C:\Users\Summer\DoctorWeb
2008-07-04 23:11 . 2008-07-04 23:11 <DIR> d-------- C:\_OTMoveIt
2008-07-04 18:27 . 2008-07-04 18:27 <DIR> d-------- C:\Program Files\Panda Security
2008-07-04 18:27 . 2008-06-19 17:24 28,544 --a------ C:\Windows\System32\drivers\pavboot.sys
2008-07-04 16:57 . 2008-07-04 16:57 <DIR> d-------- C:\Users\Summer\AppData\Roaming\SUPERAntiSpyware.com
2008-07-04 16:57 . 2008-07-04 20:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-04 16:57 . 2008-07-04 16:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 15:22 . 2008-07-04 15:22 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-07-04 15:22 . 2008-07-04 15:22 <DIR> d-------- C:\PROGRA~2\SUPERAntiSpyware.com
2008-07-04 15:13 . 2008-07-04 15:13 <DIR> d-------- C:\Users\Summer\AppData\Roaming\Malwarebytes
2008-07-04 15:13 . 2008-07-04 15:13 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-07-04 15:13 . 2008-07-04 15:13 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-04 15:13 . 2008-07-04 15:13 <DIR> d-------- C:\PROGRA~2\Malwarebytes
2008-07-04 15:13 . 2008-06-28 14:16 34,296 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-07-04 15:13 . 2008-06-28 14:16 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-07-04 15:11 . 2008-07-04 15:11 <DIR> d-------- C:\Users\Summer\AppData\Roaming\Download Manager
2008-07-04 00:13 . 2008-07-04 00:13 <DIR> d-------- C:\VundoFix Backups
2008-07-01 14:24 . 2008-07-01 14:25 <DIR> d-------- C:\Windows\System32\Adobe
2008-06-30 00:12 . 2008-06-30 01:37 <DIR> d-------- C:\Users\Summer\Limewire
2008-06-30 00:12 . 2008-06-30 00:12 <DIR> d-------- C:\Users\Incomplete
2008-06-30 00:02 . 2008-07-04 21:05 <DIR> d-a------ C:\Users\All Users\TEMP
2008-06-30 00:02 . 2008-07-04 21:05 <DIR> d-a------ C:\PROGRA~2\TEMP
2008-06-30 00:01 . 2008-06-30 00:01 <DIR> d-------- C:\Users\Summer\AppData\Roaming\PC Tools
2008-06-30 00:01 . 2008-06-30 11:27 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-30 00:01 . 2008-06-10 21:22 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-06-30 00:01 . 2008-06-02 15:19 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-06-30 00:01 . 2008-06-02 15:19 42,376 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-06-30 00:01 . 2008-06-02 15:19 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-06-14 22:45 . 2008-04-23 00:42 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-06-14 22:45 . 2008-04-23 00:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-06-14 22:45 . 2008-04-23 00:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-14 22:45 . 2008-01-19 03:33 80,896 --a------ C:\Windows\System32\MSNP.ax
2008-06-14 22:45 . 2008-01-19 03:33 69,632 --a------ C:\Windows\System32\Mpeg2Data.ax
2008-06-14 22:45 . 2008-04-23 00:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-09 20:13 . 2008-01-19 03:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-06-09 20:12 . 2008-01-19 02:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-06-09 20:11 . 2008-01-19 03:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-06-09 20:11 . 2008-01-19 03:36 357,888 --a------ C:\Windows\System32\wbemcomn.dll
2008-06-09 20:11 . 2008-01-19 03:36 218,624 --a------ C:\Windows\System32\wdscore.dll
2008-06-09 20:11 . 2008-01-19 03:36 139,264 --a------ C:\Windows\System32\SmiInstaller.dll
2008-06-09 20:11 . 2008-01-19 03:33 130,560 --a------ C:\Windows\System32\PkgMgr.exe
2008-06-09 20:10 . 2008-01-19 03:34 305,152 --a------ C:\Windows\System32\msdelta.dll
2008-06-09 20:10 . 2008-01-19 03:34 258,560 --a------ C:\Windows\System32\dpx.dll
2008-06-09 20:10 . 2008-01-19 03:34 246,784 --a------ C:\Windows\System32\drvstore.dll
2008-06-09 20:10 . 2008-01-19 03:35 35,328 --a------ C:\Windows\System32\mspatcha.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-06 14:35 174 --sha-w C:\Program Files\desktop.ini
2008-07-06 14:29 --------- d-----w C:\Program Files\Windows Sidebar
2008-07-06 14:29 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-07-06 14:29 --------- d-----w C:\Program Files\Windows Mail
2008-07-06 14:29 --------- d-----w C:\Program Files\Windows Journal
2008-07-06 14:29 --------- d-----w C:\Program Files\Windows Defender
2008-07-06 14:29 --------- d-----w C:\Program Files\Windows Collaboration
2008-07-06 14:29 --------- d-----w C:\Program Files\Windows Calendar
2008-07-06 14:17 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-07-06 14:17 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-07-06 14:05 27,430 ----a-w C:\Users\Summer\AppData\Roaming\nvModes.dat
2008-07-04 19:58 --------- d-----w C:\Program Files\LimeWire
2008-07-04 18:53 --------- d-----w C:\Program Files\Trend Micro
2008-07-01 18:25 --------- d-----w C:\Program Files\Google
2008-06-30 05:37 --------- d-----w C:\Users\Summer\AppData\Roaming\LimeWire
2008-06-30 03:45 147,456 ----a-w C:\Users\Summer\vbzip10.dll
2008-06-30 03:45 115,967 ----a-w C:\Users\Summer\a.zip
2008-05-18 14:01 --------- d-----w C:\Program Files\HP_Vista_SF_Ph1
2008-05-11 20:03 --------- d-----w C:\Program Files\Incomplete
2008-05-10 01:33 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-04-29 03:54 181,760 ----a-w C:\Windows\System32\fsquirt.exe
2008-04-26 08:08 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:35 826,880 ----a-w C:\Windows\System32\wininet.dll
2007-12-16 03:12 76 --sh--r C:\Windows\CT4CET.bin
.

((((((((((((((((((((((((((((( snapshot_2008-07-06_17.32.02.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-06 19:20:24 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-07-06 22:07:46 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-07-06 19:20:25 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-07-06 22:07:47 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-07-06 19:20:25 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-07-06 22:07:47 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-07-06 19:21:10 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-07-06 22:09:47 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-07-06 21:30:53 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-06 22:23:42 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-06 22:23:42 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-07-06 21:26:12 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-06 22:02:29 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-07-06 21:26:12 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-06 22:02:29 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-06 21:26:12 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-07-06 22:02:29 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-06 19:26:10 101,350 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-07-06 22:13:57 101,350 ----a-w C:\Windows\System32\perfc009.dat
- 2008-07-06 19:26:10 595,684 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-07-06 22:13:57 595,684 ----a-w C:\Windows\System32\perfh009.dat
- 2008-07-06 19:22:45 9,912 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1547547826-446779606-3597821660-1000_UserData.bin
+ 2008-07-06 22:10:10 10,004 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1547547826-446779606-3597821660-1000_UserData.bin
- 2008-07-06 19:22:44 73,652 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-07-06 22:10:09 73,892 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-07-06 19:22:40 44,882 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-07-06 22:10:04 45,074 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33 125952]
"CollaborationHost"="C:\Windows\system32\p2phost.exe" [2008-01-19 03:33 192000]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-07-01 14:25 171448]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [2007-09-24 05:27 159744]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [2007-08-29 01:54 36864]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 18:43 118784]
"Broadcom Wireless Manager UI"="C:\Windows\system32\WLTRAY.exe" [2007-03-21 15:33 1548288]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 13:37 81920]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 18:10 184320]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-15 23:22 1838592]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 20:57 16384]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe" [2007-08-27 05:21 1807696]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 13:35 221184]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-10-04 22:24 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-10-04 22:24 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-10-04 22:24 81920]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-10-04 22:24 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]

C:\PROGRA~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-03 19:55:50 703280]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-12-15 23:10:34 50688]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe [2007-07-20 20:13:26 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{ED67C628-21C9-4E13-B13E-178E440EB97E}"= C:\Program Files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{A923C0B6-A87D-48E3-92E1-088EF7D78359}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{077CDE20-6161-41F8-A3F1-8E0970F9EA6D}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{97BA0E04-739C-4892-95A2-40E9FA24C058}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{1AF5981C-FCC1-4EA0-A50C-B57970F53621}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{CEC0D812-6D0A-42A5-B7CE-02982D8CCFD7}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{FAE1CC91-60A9-40B0-AE57-5352B78122FC}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C95E9067-B67F-4C75-A9B8-DDB4AF87EF55}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{1F1909AD-4E6C-46A9-82D3-59E8C68EC858}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{2D683439-DC34-430C-A1A8-06406C90D03C}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{4F4B610B-4297-4999-AB97-16D5992E5097}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{1E553221-9544-4046-9577-74F6C66986F8}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{F185DD9A-8B9A-4234-BC76-7E6364B89A91}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{EF317720-774A-4DD7-9378-AB0523C2C228}"= UDP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{31E0988D-DF61-4C50-9FCA-A50861F104E0}"= TCP:C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"TCP Query User{7017CAB9-5608-4BFD-BDA1-4065DBD99735}C:\\program files\\myspace\\im\\myspaceim.exe"= UDP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
"UDP Query User{463E7277-CCAA-4C4D-A176-FAED382CD1B9}C:\\program files\\myspace\\im\\myspaceim.exe"= TCP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
"TCP Query User{01A72309-A2D0-4F2F-BB7F-ACE7AB69E952}C:\\program files\\myspace\\im\\myspaceim.exe"= UDP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
"UDP Query User{D1F16F11-1ACD-40AD-9E1E-AF7CC094D9B3}C:\\program files\\myspace\\im\\myspaceim.exe"= TCP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger

R0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\system32\aestsrv.exe [2007-09-28 00:54]
R3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2006-11-06 21:37]
R3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2006-11-06 19:13]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2006-11-06 19:13]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-10-10 18:03]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-08-29 01:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3a7d815-04f6-11dd-b324-001dd9e741f6}]
\shell\AutoRun\command - F:\setupSNK.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-06 18:24:00
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-06 18:25:48
ComboFix-quarantined-files.txt 2008-07-06 22:24:45
ComboFix2.txt 2008-07-05 03:18:24
ComboFix3.txt 2008-07-05 02:46:05
ComboFix4.txt 2008-07-05 01:24:46
ComboFix5.txt 2008-07-05 01:14:51

Pre-Run: 99,626,938,368 bytes free
Post-Run: 99,594,608,640 bytes free

213 --- E O F --- 2008-07-06 14:20:05



------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:45 PM, on 7/6/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\p2phost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [CollaborationHost] C:\Windows\system32\p2phost.exe -s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.co.../sysreqlab3.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....NPUplden-us.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11090 bytes
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP