HIJACKTHIS LOG!


#1
monkez (Member, 18 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:00 PM, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\GetRight\GetRight.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) - {2A28E5F7-2C41-415C-859D-6C20506CC904} - C:\WINDOWS\system32\mcockbrc.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8505630C-2747-4640-BB31-5964A4ADE2F4} - C:\WINDOWS\system32\yaywxvwU.dll
O2 - BHO: {14b9b59e-ff09-5658-8284-ed5c32a1ae3a} - {a3ea1a23-c5de-4828-8565-90ffe95b9b41} - C:\WINDOWS\system32\zoipdv.dll
O2 - BHO: (no name) - {BC728C13-5691-4529-A1C2-E662A9AD1C87} - C:\WINDOWS\system32\ssqRKDvt.dll
O2 - BHO: (no name) - {D06910F1-FCD6-4284-8F15-EF464CCB2E16} - C:\Documents and Settings\Ruvim\Local Settings\Temporary Internet Files\Content.IE5\G4CLW5ED\3077ahntdksr[1].dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BM63e3c48d] Rundll32.exe "C:\WINDOWS\system32\dmwbusfq.dll",s
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1134433558717
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ent/swflash.cab
O20 - Winlogon Notify: ssqRKDvt - C:\WINDOWS\SYSTEM32\ssqRKDvt.dll
O22 - SharedTaskScheduler: dustuck - {4a9e875b-d032-45e4-8294-789fe3be5b19} - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 6937 bytes

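The log above shows the pattern a reviewer looks for before asking for more scans: random-named DLLs in system32 registered as unnamed (or CLSID-named) BHOs under O2, one of them (ssqRKDvt.dll) also hooked as a Winlogon Notify package under O20, an O4 Run key starting another DLL via rundll32, and a BHO loading straight out of the IE cache. The Python below is an added example, not HijackThis's own logic or anything the forum helpers used: it applies those rules to entries copied from the first log in this post. The short allowlist of Winlogon Notify packages and the "6 to 8 letters" random-name test are assumptions, and a hit is a lead for a human reviewer, not a verdict.

```python
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# Entries copied from the first HijackThis log in the post above (a subset that
# exercises every rule below). Paths and CLSIDs are the post's, nothing is invented.
HJT_SAMPLE = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) - {2A28E5F7-2C41-415C-859D-6C20506CC904} - C:\WINDOWS\system32\mcockbrc.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8505630C-2747-4640-BB31-5964A4ADE2F4} - C:\WINDOWS\system32\yaywxvwU.dll
O2 - BHO: {14b9b59e-ff09-5658-8284-ed5c32a1ae3a} - {a3ea1a23-c5de-4828-8565-90ffe95b9b41} - C:\WINDOWS\system32\zoipdv.dll
O2 - BHO: (no name) - {BC728C13-5691-4529-A1C2-E662A9AD1C87} - C:\WINDOWS\system32\ssqRKDvt.dll
O2 - BHO: (no name) - {D06910F1-FCD6-4284-8F15-EF464CCB2E16} - C:\Documents and Settings\Ruvim\Local Settings\Temporary Internet Files\Content.IE5\G4CLW5ED\3077ahntdksr[1].dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [BM63e3c48d] Rundll32.exe "C:\WINDOWS\system32\dmwbusfq.dll",s
O20 - Winlogon Notify: ssqRKDvt - C:\WINDOWS\SYSTEM32\ssqRKDvt.dll
O22 - SharedTaskScheduler: dustuck - {4a9e875b-d032-45e4-8294-789fe3be5b19} - (no file)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O2", "O20"
    path: str      # file the entry points at ("" when it names none)
    reason: str

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:dll|exe|ocx))', re.I)
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.I)
IE_CACHE_RE = re.compile(r"\\temporary internet files\\", re.I)
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{6,8}$")   # heuristic: 6-8 letters, no digits
# Assumption: Winlogon Notify packages that ship with XP or common vendor software.
# Deliberately short; extend it for your own estate.
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                         "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def _looks_random(path: str) -> bool:
    stem = _basename(path).rsplit(".", 1)[0]
    return RANDOM_STEM_RE.match(stem) is not None

def _reasons(section: str, body: str, path: str) -> list[str]:
    reasons = []
    if section == "O2":
        # Layout: "BHO: <display name> - {CLSID} - <path>"
        parts = body.split(" - ")
        name = parts[0].split(": ", 1)[1].strip() if len(parts) >= 3 else ""
        anonymous = name == "(no name)" or CLSID_RE.match(name) is not None
        if anonymous and SYSTEM32_RE.search(path):
            reasons.append("unnamed BHO loading a DLL from system32")
        if IE_CACHE_RE.search(path):
            reasons.append("BHO loading a DLL straight from the IE cache")
        if path == "" and "(no file)" in body:
            reasons.append("orphaned BHO registration (no file)")
    elif section == "O4":
        if re.search(r"rundll32(?:\.exe)?", body, re.I) and SYSTEM32_RE.search(path) and _looks_random(path):
            reasons.append("Run key starts a random-named system32 DLL via rundll32")
    elif section == "O20":
        # Layout: "Winlogon Notify: <package> - <path>"; these DLLs run inside winlogon.exe
        package = body.split(":", 1)[1].split(" - ")[0].strip().lower()
        if package not in KNOWN_WINLOGON_NOTIFY:
            reasons.append("unrecognised Winlogon Notify package")
    elif section == "O22" and "(no file)" in body:
        reasons.append("orphaned SharedTaskScheduler entry (no file)")
    return reasons

def triage(log_text: str) -> list[Finding]:
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        pm = PATH_RE.search(body)
        path = pm.group(1) if pm else ""
        findings.extend(Finding(section, path, r) for r in _reasons(section, body, path))
    return findings

def sections_per_dll(findings: list[Finding]) -> dict[str, list[str]]:
    """Hook types each flagged file is registered under; a DLL wired into several
    (BHO plus Winlogon Notify, say) is almost never legitimate."""
    hooks = defaultdict(set)
    for f in findings:
        if f.path:
            hooks[_basename(f.path).lower()].add(f.section)
    return {dll: sorted(s) for dll, s in hooks.items()}

if __name__ == "__main__":
    found = triage(HJT_SAMPLE)
    for f in found:
        print(f"{f.section:<4} {f.reason:<55} {f.path}")
    for dll, secs in sections_per_dll(found).items():
        if len(secs) > 1:
            print(f"{dll}: hooked via {', '.join(secs)}")
```

Running it prints one line per finding and then the files registered under more than one hook; in the sample that is ssqRKDvt.dll (O2 and O20), while yt.dll, ssv.dll and ccApp.exe pass untouched.
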
#2
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello monkez

Welcome to G2Go. :)
=====================

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3
monkez (Topic Starter, Member, 18 posts)
Deckard's System Scanner v20071014.68
Run by Ruvim on 2008-07-22 19:27:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
66: 2008-07-23 02:28:11 UTC - RP267 - Deckard's System Scanner Restore Point
65: 2008-07-19 07:10:33 UTC - RP266 - System Checkpoint
64: 2008-07-18 04:50:43 UTC - RP265 - Last known good configuration
63: 2008-07-18 04:50:27 UTC - RP264 - Last known good configuration
62: 2008-07-18 04:50:26 UTC - RP263 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-07-18 04:49:47 UTC - RP202 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Ruvim.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:47 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\GetRight\GetRight.exe
C:\Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ruvim.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) - {2A28E5F7-2C41-415C-859D-6C20506CC904} - C:\WINDOWS\system32\mcockbrc.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {14b9b59e-ff09-5658-8284-ed5c32a1ae3a} - {a3ea1a23-c5de-4828-8565-90ffe95b9b41} - C:\WINDOWS\system32\zoipdv.dll
O2 - BHO: (no name) - {A89C29E5-5B9C-4F81-8303-9477D2BF7DCB} - C:\WINDOWS\system32\yaywxvwU.dll
O2 - BHO: (no name) - {BC728C13-5691-4529-A1C2-E662A9AD1C87} - C:\WINDOWS\system32\ssqRKDvt.dll
O2 - BHO: (no name) - {D06910F1-FCD6-4284-8F15-EF464CCB2E16} - C:\Documents and Settings\Ruvim\Local Settings\Temporary Internet Files\Content.IE5\G4CLW5ED\3077ahntdksr[1].dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1134433558717
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ent/swflash.cab
O20 - Winlogon Notify: ssqRKDvt - C:\WINDOWS\SYSTEM32\ssqRKDvt.dll
O22 - SharedTaskScheduler: dustuck - {4a9e875b-d032-45e4-8294-789fe3be5b19} - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 6807 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 eabfiltr - c:\windows\system32\drivers\eabfiltr.sys <Not Verified; Hewlett-Packard Company; Quick Launch Buttons>
R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 eabusb - c:\windows\system32\drivers\eabusb.sys <Not Verified; Hewlett-Packard Company; Quick Launch Buttons>
S3 ovt519 (VGA USB Camera) - c:\windows\system32\drivers\ov519vid.sys (file missing)
S3 vaxscsi - c:\windows\system32\drivers\vaxscsi.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 getPlus® Helper - c:\program files\nos\bin\getplus_helpersvc.exe (file missing)
S4 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe (file missing)
S4 StarWindServiceAE (StarWind AE Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 802.11b/g WLAN
Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_12F4103C&REV_03\4&2FF3801D&0&1050
Manufacturer: Broadcom
Name: Broadcom 802.11b/g WLAN
PNP Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_12F4103C&REV_03\4&2FF3801D&0&1050
Service: BCM43XX


-- Scheduled Tasks -------------------------------------------------------------

2008-07-02 14:08:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-22 and 2008-07-22 -----------------------------

2008-07-21 23:11:04 0 d-------- C:\Program Files\Trend Micro
2008-07-21 15:19:54 78848 --a------ C:\WINDOWS\system32\ytbjktfi.dll
2008-07-21 15:14:10 102912 --a------ C:\WINDOWS\system32\zoipdv.dll
2008-07-21 15:14:06 102912 --a------ C:\WINDOWS\system32\rvdltthm.dll
2008-07-21 15:13:58 91648 --a------ C:\WINDOWS\system32\dmwbusfq.dll
2008-07-20 14:28:19 102912 --a------ C:\WINDOWS\system32\izzgfb.dll
2008-07-20 14:28:14 102912 --a------ C:\WINDOWS\system32\ktdnuovl.dll
2008-07-20 12:39:57 118784 --a------ C:\WINDOWS\system32\mcockbrc.dll
2008-07-20 12:38:34 91648 --a------ C:\WINDOWS\system32\ythybbtf.dll
2008-07-20 11:36:58 0 d-------- C:\Documents and Settings\Ruvim\Incomplete
2008-07-20 11:35:39 0 d-------- C:\Documents and Settings\Ruvim\Application Data\FrostWire
2008-07-17 22:07:58 0 d-------- C:\Documents and Settings\Ruvim\Application Data\Help
2008-07-16 18:44:46 0 --a------ C:\WINDOWS\system32\wrdbdtku.dll
2008-07-16 18:22:29 0 --a------ C:\WINDOWS\system32\prmkcr.dll
2008-07-16 18:22:28 0 --a------ C:\WINDOWS\system32\ohaknyfo.dll
2008-07-16 18:20:04 0 --a------ C:\WINDOWS\system32\xjotkudr.dll
2008-07-15 17:18:09 0 --a------ C:\WINDOWS\system32\unohue.dll
2008-07-15 17:18:07 0 --a------ C:\WINDOWS\system32\rgrvxjwu.dll
2008-07-15 17:16:10 78848 --a------ C:\WINDOWS\system32\afqergmf.dll
2008-07-15 17:16:01 92160 --a------ C:\WINDOWS\system32\eealagyu.dll
2008-07-14 23:20:18 0 d---s---- C:\Documents and Settings\Ruvim\UserData
2008-07-14 17:06:21 0 --a------ C:\WINDOWS\system32\llpazn.dll
2008-07-14 17:06:19 0 --a------ C:\WINDOWS\system32\qmgqhxur.dll
2008-07-14 17:06:09 91136 --a------ C:\WINDOWS\system32\iskvwpls.dll
2008-07-14 17:03:30 0 d-------- C:\Program Files\Shai-Hulud 2000
2008-07-14 16:23:38 0 d-------- C:\Documents and Settings\Ruvim\Application Data\Adobe
2008-07-14 16:22:43 0 d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-07-14 12:35:35 0 d-------- C:\Documents and Settings\new\Application Data\Yahoo!
2008-07-14 01:08:27 0 d-------- C:\Documents and Settings\new\Application Data\Real
2008-07-13 21:52:03 0 d-------- C:\Documents and Settings\new\Application Data\Share-to-Web Upload Folder
2008-07-13 21:45:01 0 d-------- C:\Documents and Settings\new\Application Data\Azureus
2008-07-13 21:31:18 0 d-------- C:\Documents and Settings\new\Application Data\vlc
2008-07-13 21:06:50 0 d-------- C:\Documents and Settings\new\Application Data\Macromedia
2008-07-13 21:04:19 0 d-------- C:\Documents and Settings\new\Application Data\Mozilla
2008-07-13 21:02:27 0 d-------- C:\Documents and Settings\new\Application Data\GetRight Pro
2008-07-13 21:02:12 0 d-------- C:\Documents and Settings\new\Application Data\Symantec
2008-07-13 21:01:32 0 d-------- C:\Documents and Settings\new\Application Data\Identities
2008-07-13 21:00:42 0 d--h----- C:\Documents and Settings\new\Templates
2008-07-13 21:00:42 0 dr------- C:\Documents and Settings\new\Start Menu
2008-07-13 21:00:42 0 dr-h----- C:\Documents and Settings\new\SendTo
2008-07-13 21:00:42 0 dr-h----- C:\Documents and Settings\new\Recent
2008-07-13 21:00:42 0 d--h----- C:\Documents and Settings\new\PrintHood
2008-07-13 21:00:42 0 d--h----- C:\Documents and Settings\new\NetHood
2008-07-13 21:00:42 0 dr------- C:\Documents and Settings\new\My Documents
2008-07-13 21:00:42 0 d--h----- C:\Documents and Settings\new\Local Settings
2008-07-13 21:00:42 0 dr------- C:\Documents and Settings\new\Favorites
2008-07-13 21:00:42 0 d-------- C:\Documents and Settings\new\Desktop
2008-07-13 21:00:42 0 d---s---- C:\Documents and Settings\new\Cookies
2008-07-13 21:00:42 0 dr-h----- C:\Documents and Settings\new\Application Data
2008-07-13 21:00:42 0 d---s---- C:\Documents and Settings\new\Application Data\Microsoft
2008-07-13 21:00:41 1310720 --ah----- C:\Documents and Settings\new\NTUSER.DAT
2008-07-13 17:15:12 78848 --a------ C:\WINDOWS\system32\rommiupr.dll
2008-07-13 17:12:13 0 --a------ C:\WINDOWS\system32\qudmez.dll
2008-07-13 17:12:09 0 --a------ C:\WINDOWS\system32\vglcrbed.dll
2008-07-13 17:06:09 91648 --a------ C:\WINDOWS\system32\wejrwxvm.dll
2008-07-13 16:59:40 0 d-------- C:\Documents and Settings\Ruvim\Application Data\Yahoo!
2008-07-13 16:42:45 0 d-------- C:\Documents and Settings\Ruvim\dwhelper
2008-07-13 16:24:14 0 d-------- C:\Documents and Settings\Ruvim\WINDOWS
2008-07-13 15:18:57 0 d-------- C:\Documents and Settings\Ruvim\Application Data\Share-to-Web Upload Folder
2008-07-13 15:07:45 0 d-------- C:\Documents and Settings\Ruvim\Application Data\vlc
2008-07-13 15:00:24 0 d-------- C:\Documents and Settings\Ruvim\Application Data\Real
2008-07-13 01:02:43 0 d-------- C:\Documents and Settings\Ruvim\Application Data\Azureus
2008-07-13 00:47:32 0 d-------- C:\Documents and Settings\Ruvim\Application Data\Macromedia
2008-07-13 00:46:29 0 d-------- C:\Documents and Settings\Ruvim\Application Data\Mozilla
2008-07-13 00:44:54 0 d-------- C:\Documents and Settings\Ruvim\Application Data\GetRight Pro
2008-07-13 00:44:40 0 d-------- C:\Documents and Settings\Ruvim\Application Data\Symantec
2008-07-13 00:43:25 0 d-------- C:\Documents and Settings\Ruvim\Application Data\Identities
2008-07-13 00:42:21 0 dr------- C:\Documents and Settings\Ruvim\Favorites
2008-07-13 00:42:21 0 d-------- C:\Documents and Settings\Ruvim\Desktop
2008-07-13 00:42:21 0 d---s---- C:\Documents and Settings\Ruvim\Cookies
2008-07-13 00:42:21 0 dr-h----- C:\Documents and Settings\Ruvim\Application Data
2008-07-13 00:42:20 0 d--h----- C:\Documents and Settings\Ruvim\Templates
2008-07-13 00:42:20 0 dr------- C:\Documents and Settings\Ruvim\Start Menu
2008-07-13 00:42:20 0 dr-h----- C:\Documents and Settings\Ruvim\SendTo
2008-07-13 00:42:20 0 dr-h----- C:\Documents and Settings\Ruvim\Recent
2008-07-13 00:42:20 0 d--h----- C:\Documents and Settings\Ruvim\PrintHood
2008-07-13 00:42:20 1835008 --ah----- C:\Documents and Settings\Ruvim\NTUSER.DAT
2008-07-13 00:42:20 0 d--h----- C:\Documents and Settings\Ruvim\NetHood
2008-07-13 00:42:20 0 dr------- C:\Documents and Settings\Ruvim\My Documents
2008-07-13 00:42:20 0 d--h----- C:\Documents and Settings\Ruvim\Local Settings
2008-07-12 17:12:46 109500 --a------ C:\WINDOWS\system32\hpovjmat.exe
2008-07-12 17:09:45 78848 --a------ C:\WINDOWS\system32\bcusbbwy.dll
2008-07-12 17:06:53 0 --a------ C:\WINDOWS\system32\ojeasp.dll
2008-07-12 17:06:45 103424 --a------ C:\WINDOWS\system32\ieyhlgxy.dll
2008-07-12 17:03:45 91648 --a------ C:\WINDOWS\system32\lbuauloc.dll
2008-07-12 09:37:00 0 d-------- C:\Program Files\MED2k
2008-07-12 09:35:23 29696 --a------ C:\WINDOWS\system32\VB5StKit.dll <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-07-12 09:35:23 71680 --a------ C:\WINDOWS\ST5UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-07-12 05:08:51 0 d-------- C:\Program Files\Windows Sidebar
2008-07-12 05:08:04 0 d-------- C:\Program Files\Norton 360
2008-07-12 04:28:55 0 d-------- C:\Downloads
2008-07-11 17:13:20 0 d-------- C:\Program Files\DAEMON Tools
2008-07-11 17:13:16 0 d-------- C:\Program Files\RSSoft
2008-07-10 17:51:38 850750 --ahs---- C:\WINDOWS\system32\Uwvxwyay.ini2
2008-07-10 17:51:28 318976 --a------ C:\WINDOWS\system32\yaywxvwU.dll
2008-07-10 17:46:35 0 d-------- C:\Program Files\GetRight
2008-07-10 17:46:22 26624 --a------ C:\WINDOWS\system32\xxyVmlij.dll
2008-07-10 17:46:22 26624 --a------ C:\WINDOWS\system32\ssqRKDvt.dll
2008-07-08 14:54:32 0 d-------- C:\Program Files\Vuze
2008-07-04 21:05:10 0 d-------- C:\Program Files\TibEd 2
2008-07-04 19:41:23 0 d-------- C:\Program Files\TibEd
2008-07-04 19:28:14 0 d-------- C:\Westwood
2008-07-04 19:24:17 0 d-------- C:\Program Files\Domination
2008-07-04 18:57:07 0 d-------- C:\Program Files\Xicat
2008-06-27 00:37:04 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-06-27 00:35:38 0 d-------- C:\sj668


-- Find3M Report ---------------------------------------------------------------

2008-07-22 19:29:23 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-13 00:25:13 0 d-------- C:\Program Files\Symantec
2008-07-12 05:10:54 0 d-------- C:\Program Files\Common Files
2008-07-11 16:59:06 0 d-------- C:\Program Files\Real
2008-06-27 00:37:23 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-27 00:37:23 0 d-------- C:\Program Files\Hewlett-Packard
2008-05-29 22:58:38 0 d-------- C:\Program Files\JD Design
2008-05-29 22:46:32 0 d-------- C:\Program Files\PowerStrip
2008-05-26 16:42:36 0 d-------- C:\Program Files\VideoLAN


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A28E5F7-2C41-415C-859D-6C20506CC904}]
07/20/2008 12:39 PM 118784 --a------ C:\WINDOWS\system32\mcockbrc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a3ea1a23-c5de-4828-8565-90ffe95b9b41}]
07/21/2008 03:14 PM 102912 --a------ C:\WINDOWS\system32\zoipdv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A89C29E5-5B9C-4F81-8303-9477D2BF7DCB}]
07/10/2008 05:51 PM 318976 --a------ C:\WINDOWS\system32\yaywxvwU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC728C13-5691-4529-A1C2-E662A9AD1C87}]
07/10/2008 05:46 PM 26624 --a------ C:\WINDOWS\system32\ssqRKDvt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D06910F1-FCD6-4284-8F15-EF464CCB2E16}]
07/20/2008 02:30 PM 91648 --a------ C:\Documents and Settings\Ruvim\Local Settings\Temporary Internet Files\Content.IE5\G4CLW5ED\3077ahntdksr[1].dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll [06/30/2008 01:44 PM 349552]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/18/2008 12:37 PM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 12:56 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BC728C13-5691-4529-A1C2-E662A9AD1C87}"= C:\WINDOWS\system32\ssqRKDvt.dll [07/10/2008 05:46 PM 26624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRKDvt]
ssqRKDvt.dll 07/10/2008 05:46 PM 26624 C:\WINDOWS\system32\ssqRKDvt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\yaywxvwU

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight.lnk
backup=C:\WINDOWS\pss\GetRight.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\60d0f711]
rundll32.exe "C:\WINDOWS\system32\ytbjktfi.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
"C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM63e3c48d]
Rundll32.exe "C:\WINDOWS\system32\dmwbusfq.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
C:\Program Files\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton 360\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
c:\program files\powerstrip\pstrip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Red Swoosh]
C:\Program Files\RSSoft\RedSwoosh.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
"C:\Program Files\Save\Save.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aspnet_state"=3 (0x3)
"WZCSVC"=2 (0x2)
"TrkWks"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"seclogon"=2 (0x2)
"RasMan"=3 (0x3)
"ERSvc"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"LiveUpdate Notice"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"hpqwmi"=3 (0x3)
"getPlus® Helper"=3 (0x3)
"comHost"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"Netlogon"=3 (0x3)
"dmadmin"=3 (0x3)
"W32Time"=2 (0x2)
"Schedule"=2 (0x2)
"HidServ"=2 (0x2)
"CryptSvc"=3 (0x3)

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-07-22 19:36:16 ------------

---------------------------------------------------------------------------------------------------------------------------------------------------------------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP Processor 3000+
Percentage of Memory in Use: 79%
Physical Memory (total/avail): 510.98 MiB / 102.54 MiB
Pagefile Memory (total/avail): 1245.71 MiB / 818.96 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1941.54 MiB

C: is Fixed (NTFS) - 55.88 GiB total, 42.79 GiB free.
D: is CDROM (CDFS)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 698.64 GiB total, 249.43 GiB free.

\\.\PHYSICALDRIVE0 - TOSHIBA MK6025GAS - 55.89 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 55.88 GiB - C:

\\.\PHYSICALDRIVE1 - Seagate FreeAgent Pro USB Device - 698.64 GiB - 1 partition
\PARTITION0 - Installable File System - 698.64 GiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton 360 v2007 (SYMANTEC Corporation)
AV: Norton 360 v2007 (SYMANTEC Corperation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\WINDOWS\\system32\\mshta.exe"="C:\\WINDOWS\\system32\\mshta.exe:*:Enabled:Microsoft ® HTML Application host"
"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Westwood\\Dune2000\\DUNE2000.DAT"="C:\\Westwood\\Dune2000\\DUNE2000.DAT:*:Enabled:Dune2000"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\GameHouse\\Solitaire2\\ghsol2.exe"="C:\\Program Files\\GameHouse\\Solitaire2\\ghsol2.exe:*:Enabled:Super Solitaire 2"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Westwood\\DUNE2000.DAT"="C:\\Program Files\\Westwood\\DUNE2000.DAT:*:Enabled:Dune2000"
"C:\\Program Files\\SecondLife\\SLVoice.exe"="C:\\Program Files\\SecondLife\\SLVoice.exe:*:Enabled:SLVoice"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Vuze\\Azureus.exe"="C:\\Program Files\\Vuze\\Azureus.exe:*:Enabled:Azureus"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ruvim\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
COLLECTIONID=COL8143
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMPAQ
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HMSERVER=https://wwss1proa.cce.hp.com/wuss/servlet/WUSSServlet
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ruvim
ITEMID=dj-22741-15
LANG=1033
LOGONSERVER=\\COMPAQ
MOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Documents and Settings\Ruvim\Application Data\Mozilla\Firefox\Crash Reports
MOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exe
MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\crashreporter-override.ini
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
OSVER=winXPH
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 12 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0c00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONID=1138922605951htx6060142e23f:1094f3986a6:4b56
SESSIONNAME=Console
SWUTVER=1.0.3.1
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Ruvim\LOCALS~1\Temp
TIMEOUT=0
TMP=C:\DOCUME~1\Ruvim\LOCALS~1\Temp
TOOLPATH=/C:\Program%20Files\Hewlett-Packard\HP%20Software%20Update\install.htm
UPDATEDIR=C:\DOCUME~1\Hoodz\LOCALS~1\Temp\rad89719.tmp
USERDOMAIN=COMPAQ
USERNAME=Ruvim
USERPROFILE=C:\Documents and Settings\Ruvim
VERSION=3.0.5.001
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI DisableNXShowUI


-- User Profiles ---------------------------------------------------------------

Hoodz (admin)
Ruvim (admin)
new (admin)
Administrator.COMPAQ (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CBBB5EED-CC92-49F2-A276-D5433F39D1EB}\Setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Agere Systems AC'97 Modem --> agrsmdel
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
Backup --> MsiExec.exe /I{24DF7221-644B-4C3A-A478-459502D40522}
Ballistics --> C:\Program files\Xicat\Ballistics\uninstall.exe
Broadcom 802.11 Driver --> C:\WINDOWS\system32\BCMWLU00.exe verbose /rootkey=Software\Broadcom\802.11\UninstallInfo
ccCommon --> MsiExec.exe /I{B24E05CC-46FF-4787-BBB8-5CD516AFB118}
Domination Dune 2000 Map Editor --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Domination\DeIsL3.isu" -cC:\PROGRA~1\DOMINA~1\_ISREG32.DLL
Dune 2000 --> C:\Westwood\Dune20000\Uninstll.exe C:\WINDOWS\UNINST.EXE -fC:\Westwood\DUNE20~1\DeIsL1.isu
FrostWire 4.13.3 --> C:\Program Files\FrostWire\Uninstall.exe
GearDrvs --> MsiExec.exe /I{206FD69B-F9FE-4164-81BD-D52552BC9C23}
GetRight --> "C:\Program Files\GetRight\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
HP Precisionscan Pro 3.1 --> MsiExec.exe /I{6B36DEBF-27D0-4B1E-858D-D397091C6C7D}
HP Share-to-Web --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{748F4870-8350-11D3-B0BF-080009FB4A19}\setup.exe" --MAIN -l9
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iPod for Windows 2005-09-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC} /l1033
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
K-Lite Mega Codec Pack 1.46 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
LiveUpdate (Symantec Corporation) --> MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v "C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate"
LiveUpdate (Symantec Corporation) --> MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
MED2k --> C:\WINDOWS\ST5UNST.EXE -n "C:\Program Files\MED2k\ST5UNST.LOG"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
My DVD Maker 1.0 --> "C:\Program Files\My DVD Maker\unins000.exe"
Norton 360 --> MsiExec.exe /I{21829177-4DED-4209-AD08-490B3AC9C01A}
Norton 360 --> MsiExec.exe /I{2D617065-1C52-4240-B5BC-C0AE12157777}
Norton 360 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{2D617065-1C52-4240-B5BC-C0AE12157777}_2_0_0_242\Setup.exe" /X
Norton 360 HTMLHelp --> MsiExec.exe /I{0BDD3FAD-61CD-4BF3-B9C4-4CEFD43F53F8}
Norton Confidential Core --> MsiExec.exe /I{55A6283C-638A-4EE0-B491-51118554BDA2}
NVIDIA nForce Drivers --> C:\WINDOWS\System32\nvuninst.exe Uninstall C:\WINDOWS\System32\NVU001.nvu,NVIDIA nForce Drivers
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvcp.inf
PCI 1620 Cardbus Controller and Software --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{97355297-21C8-40CD-96D3-48E58037A9B8} /l1033
PowerStrip 3 (remove only) --> C:\Program Files\PowerStrip\uninstal.exe
Quick Launch Buttons 5.00 B3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe" -l0x9 -uninst
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek RTL8139/810x Fast Ethernet NIC Driver Setup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}\setup.exe" -l0x9 REMOVE
RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Rhapsody Player Engine --> MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shai-Hulud 2000 (remove only) --> "C:\Program Files\Shai-Hulud 2000\uninst-sh2k.EXE"
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Symantec Real Time Storage Protection Component --> MsiExec.exe /I{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}
Symantec Technical Support Controls --> MsiExec.exe /I{45690715-80A6-4445-B61D-ADEC5888E8CD}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
TibEd 1.63 --> "C:\Program Files\TibEd\nsuninst.exe"
TibEd 2 --> C:\Program Files\TibEd 2\uninst-tibed2.exe
Video AX Object 2.07 --> C:\Program Files\Video ActiveX Access\uninst.exe
VideoLAN VLC media player 0.8.6f --> C:\Program Files\VideoLAN\VLC\uninstall.exe
VidRes --> MsiExec.exe /I{4A0B1210-54CE-4876-906D-1E0A362E5DC2}
Vuze --> C:\Program Files\Vuze\uninstall.exe
Westwood Shared Internet Components --> C:\Westwood\Internet\UNINSTAP.EXE
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XP Codec Pack --> C:\Program Files\XP Codec Pack\Uninstall.exe
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1317 / Error
Event Submitted/Written: 07/21/2008 02:00:13 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type1057 / Error
Event Submitted/Written: 07/19/2008 00:33:25 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.9.0.3071, faulting module unknown, version 0.0.0.0, fault address 0x0bca6caa.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type1033 / Error
Event Submitted/Written: 07/18/2008 09:35:32 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application register.dat, version 0.0.0.0, faulting module register.dat, version 0.0.0.0, fault address 0x0000ba7b.
Processing media-specific event for [register.dat!ws!]

Event Record #/Type1028 / Error
Event Submitted/Written: 07/18/2008 09:13:35 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application register.dat, version 0.0.0.0, faulting module register.dat, version 0.0.0.0, fault address 0x0000ba7b.
Processing media-specific event for [register.dat!ws!]

Event Record #/Type1024 / Error
Event Submitted/Written: 07/18/2008 08:51:09 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application register.dat, version 0.0.0.0, faulting module register.dat, version 0.0.0.0, fault address 0x0000ba7b.
Processing media-specific event for [register.dat!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1301415 / Error
Event Submitted/Written: 07/22/2008 00:00:45 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.

Event Record #/Type1301414 / Error
Event Submitted/Written: 07/22/2008 00:00:40 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1053" attempting to start the service LiveUpdate with arguments ""
in order to run the server:
{03E0E6C2-363B-11D3-B536-00902771A435}

Event Record #/Type1301395 / Error
Event Submitted/Written: 07/21/2008 10:48:15 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Event Record #/Type1301394 / Error
Event Submitted/Written: 07/21/2008 10:48:15 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Event Record #/Type1301393 / Error
Event Submitted/Written: 07/21/2008 10:48:15 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}



-- End of Deckard's System Scanner: finished at 2008-07-22 19:36:16 ------------

#4
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please visit this web page for instructions for downloading and running ComboFix: ComboFix Instructions
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.

#5
monkez (Topic Starter, Member, 18 posts)
Norton found the viruses named: Trojan.Vundo (four times), Downloader, Trojan.Metajuan (twice), Backdoor.Graybird.


ComboFix 08-07-22.3 - Ruvim 2008-07-23 0:25:43.1 - NTFSx86
Running from: C:\DOCUME~1\Ruvim\LOCALS~1\Temp\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM63e3c48d.txt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bcusbbwy.dll
C:\WINDOWS\system32\bgxemryd.ini
C:\WINDOWS\system32\bsckab.dll
C:\WINDOWS\system32\dmwbusfq.dll
C:\WINDOWS\system32\fmgreqfa.ini
C:\WINDOWS\system32\iftkjbty.ini
C:\WINDOWS\system32\izzgfb.dll
C:\WINDOWS\system32\ktdnuovl.dll
C:\WINDOWS\system32\lyotxcfm.dll
C:\WINDOWS\system32\mahwxfhf.dll
C:\WINDOWS\system32\mcockbrc.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfcxtoyl.ini
C:\WINDOWS\system32\ntdiocsm.ini
C:\WINDOWS\system32\qxiwydfm.dll
C:\WINDOWS\system32\rommiupr.dll
C:\WINDOWS\system32\rpuimmor.ini
C:\WINDOWS\system32\rvdltthm.dll
C:\WINDOWS\system32\ssqRKDvt.dll
C:\WINDOWS\system32\Uwvxwyay.ini
C:\WINDOWS\system32\Uwvxwyay.ini2
C:\WINDOWS\system32\wssblaji.ini
C:\WINDOWS\system32\xufiitkj.ini
C:\WINDOWS\system32\xxyVmlij.dll
C:\WINDOWS\system32\yaywxvwU.dll
C:\WINDOWS\system32\ytbjktfi.dll
C:\WINDOWS\system32\ythybbtf.dll
C:\WINDOWS\system32\ywbbsucb.ini
C:\WINDOWS\system32\zoipdv.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-23 to 2008-07-23 )))))))))))))))))))))))))))))))
.

2008-07-22 19:27 . 2008-07-22 19:27 <DIR> d-------- C:\Deckard
2008-07-21 23:11 . 2008-07-21 23:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-20 11:36 . 2008-07-20 11:36 <DIR> d-------- C:\Documents and Settings\Ruvim\Incomplete
2008-07-20 11:35 . 2008-07-20 11:45 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\FrostWire
2008-07-15 17:16 . 2008-07-15 17:16 92,160 --a------ C:\WINDOWS\system32\eealagyu.dll
2008-07-15 17:16 . 2008-07-15 17:16 78,848 --a------ C:\WINDOWS\system32\afqergmf.dll
2008-07-14 23:20 . 2008-07-14 23:20 <DIR> d---s---- C:\Documents and Settings\Ruvim\UserData
2008-07-14 17:06 . 2008-07-14 17:06 91,136 --a------ C:\WINDOWS\system32\iskvwpls.dll
2008-07-14 17:03 . 2008-07-17 22:14 <DIR> d-------- C:\Program Files\Shai-Hulud 2000
2008-07-14 16:22 . 2008-07-14 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-07-14 12:35 . 2008-07-14 12:35 <DIR> d-------- C:\Documents and Settings\new\Application Data\Yahoo!
2008-07-13 21:52 . 2008-07-13 21:52 <DIR> d-------- C:\Documents and Settings\new\Application Data\Share-to-Web Upload Folder
2008-07-13 21:45 . 2008-07-14 01:10 <DIR> d-------- C:\Documents and Settings\new\Application Data\Azureus
2008-07-13 21:31 . 2008-07-13 21:31 <DIR> d-------- C:\Documents and Settings\new\Application Data\vlc
2008-07-13 21:14 . 2008-07-13 21:14 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-07-13 21:02 . 2008-07-13 21:02 <DIR> d-------- C:\Documents and Settings\new\Application Data\Symantec
2008-07-13 21:02 . 2008-07-13 21:11 <DIR> d-------- C:\Documents and Settings\new\Application Data\GetRight Pro
2008-07-13 21:00 . 2008-07-13 21:00 <DIR> d-------- C:\Documents and Settings\new
2008-07-13 17:06 . 2008-07-13 17:06 91,648 --a------ C:\WINDOWS\system32\wejrwxvm.dll
2008-07-13 16:59 . 2008-07-13 16:59 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\Yahoo!
2008-07-13 16:42 . 2008-07-13 16:42 <DIR> d-------- C:\Documents and Settings\Ruvim\dwhelper
2008-07-13 16:24 . 2008-07-13 16:24 <DIR> d-------- C:\Documents and Settings\Ruvim\WINDOWS
2008-07-13 15:18 . 2008-07-13 15:18 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\Share-to-Web Upload Folder
2008-07-13 15:07 . 2008-07-13 15:07 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\vlc
2008-07-13 01:02 . 2008-07-21 14:02 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\Azureus
2008-07-13 00:44 . 2008-07-18 17:39 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\Symantec
2008-07-13 00:44 . 2008-07-23 00:18 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\GetRight Pro
2008-07-13 00:42 . 2008-07-23 00:37 <DIR> d-------- C:\Documents and Settings\Ruvim
2008-07-12 17:12 . 2008-07-12 17:12 109,500 --a------ C:\WINDOWS\system32\hpovjmat.exe
2008-07-12 09:37 . 2008-07-12 09:39 <DIR> d-------- C:\Program Files\MED2k
2008-07-12 09:35 . 1997-01-16 00:00 71,680 --a------ C:\WINDOWS\ST5UNST.EXE
2008-07-12 09:35 . 1997-01-16 00:00 29,696 --a------ C:\WINDOWS\system32\VB5StKit.dll
2008-07-12 05:08 . 2008-07-12 05:08 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-07-12 05:08 . 2008-07-12 23:48 <DIR> d-------- C:\Program Files\Norton 360
2008-07-12 05:01 . 2008-07-13 00:20 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-12 05:01 . 2008-07-13 00:20 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-12 05:01 . 2008-07-13 00:20 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-12 05:01 . 2008-07-13 00:20 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-12 04:28 . 2008-07-23 00:15 <DIR> d-------- C:\Downloads
2008-07-11 17:13 . 2008-07-11 17:20 <DIR> d-------- C:\Program Files\RSSoft
2008-07-11 17:13 . 2008-07-11 17:13 <DIR> d-------- C:\Program Files\DAEMON Tools
2008-07-10 17:53 . 2008-07-22 12:39 110,419 --a------ C:\WINDOWS\BM63e3c48d.xml
2008-07-10 17:46 . 2008-07-13 21:47 <DIR> d-------- C:\Program Files\GetRight
2008-07-08 14:54 . 2008-07-13 01:15 <DIR> d-------- C:\Program Files\Vuze
2008-07-08 14:36 . 2006-08-16 04:58 100,352 -----c--- C:\WINDOWS\system32\dllcache\6to4svc.dll
2008-07-04 21:05 . 2008-07-04 21:06 <DIR> d-------- C:\Program Files\TibEd 2
2008-07-04 19:45 . 2008-07-04 19:45 751,096 --a------ C:\WINDOWS\system32\WIN32.TLB
2008-07-04 19:45 . 2008-07-04 19:45 645,616 --a------ C:\WINDOWS\system32\Mscomct2.ocx
2008-07-04 19:45 . 2008-07-04 19:45 414,944 --a------ C:\WINDOWS\system32\comct332.ocx
2008-07-04 19:45 . 2008-07-04 19:45 209,408 --a------ C:\WINDOWS\system32\TABCTL32.OCX
2008-07-04 19:45 . 2008-07-04 19:45 164,144 --a------ C:\WINDOWS\system32\COMCT232.OCX
2008-07-04 19:45 . 2008-07-04 19:45 82,960 --a------ C:\WINDOWS\system32\PICCLP32.OCX
2008-07-04 19:45 . 2008-07-04 19:45 39,424 --a------ C:\WINDOWS\system32\NInput.ocx
2008-07-04 19:41 . 2008-07-15 00:33 <DIR> d-------- C:\Program Files\TibEd
2008-07-04 19:28 . 2008-07-13 16:53 <DIR> d-------- C:\Westwood
2008-07-04 19:24 . 2008-07-11 16:54 <DIR> d-------- C:\Program Files\Domination
2008-07-04 18:57 . 2008-07-04 18:57 <DIR> d-------- C:\Program Files\Xicat
2008-06-27 00:37 . 2008-06-27 00:37 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-06-27 00:35 . 2008-06-27 00:35 <DIR> d-------- C:\sj668

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 07:39 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-13 07:25 --------- d-----w C:\Program Files\Symantec
2008-07-12 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-11 23:59 --------- d-----w C:\Program Files\Real
2008-06-27 07:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-27 07:37 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 21:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 21:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 21:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 21:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 21:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 21:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 21:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 21:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 21:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 21:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-30 05:58 --------- d-----w C:\Program Files\JD Design
2008-05-30 05:46 --------- d-----w C:\Program Files\PowerStrip
2008-05-26 23:42 --------- d-----w C:\Program Files\VideoLAN
2006-10-14 03:37 88 --sh--r C:\WINDOWS\system32\93AB10843A.sys
2006-10-14 03:39 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 01:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 01:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 01:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 12:37 51048]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:56 158208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight.lnk
backup=C:\WINDOWS\pss\GetRight.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2007-07-02 03:27 219520 C:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-02-18 12:37 51048 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 15:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-02-17 00:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
-ra------ 2004-04-07 12:22 4730880 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2008-02-26 07:50 988512 C:\Program Files\Norton 360\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
--a------ 2008-05-01 17:37 726776 c:\Program Files\PowerStrip\PStrip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Red Swoosh]
--a------ 2007-02-26 18:30 62436 C:\Program Files\RSSoft\RedSwoosh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2001-07-03 09:11 57344 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-17 20:41 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
-ra--c--- 2004-01-30 08:01 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
-ra------ 2004-04-07 12:22 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aspnet_state"=3 (0x3)
"WZCSVC"=2 (0x2)
"TrkWks"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"seclogon"=2 (0x2)
"RasMan"=3 (0x3)
"ERSvc"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"LiveUpdate Notice"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"hpqwmi"=3 (0x3)
"getPlus® Helper"=3 (0x3)
"comHost"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"Netlogon"=3 (0x3)
"dmadmin"=3 (0x3)
"W32Time"=2 (0x2)
"Schedule"=2 (0x2)
"HidServ"=2 (0x2)
"CryptSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Westwood\\Dune2000\\DUNE2000.DAT"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

R2 PStrip;PSTRIP;C:\WINDOWS\system32\DRIVERS\PSTRIP.SYS [2007-07-14 18:37]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
S4 getPlus® Helper;getPlus® Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe []
S4 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 12:37]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 21:08:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{C2CBCBB2-F642-47CF-8B5C-ED6FDFAB7021} - C:\Documents and Settings\Ruvim\Local Settings\Temporary Internet Files\Content.IE5\07S6Z17O\3077ahntdksr[1].dll
HKLM-Run-60d0f711 - C:\WINDOWS\system32\lyotxcfm.dll
HKLM-Run-BM63e3c48d - C:\WINDOWS\system32\qxiwydfm.dll
MSConfigStartUp-60d0f711 - C:\WINDOWS\system32\ytbjktfi.dll
MSConfigStartUp-Apoint - C:\Program Files\Apoint2K\Apoint.exe
MSConfigStartUp-BM63e3c48d - C:\WINDOWS\system32\dmwbusfq.dll
MSConfigStartUp-Cpqset - C:\Program Files\HPQ\Default Settings\cpqset.exe
MSConfigStartUp-eabconfg - C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
MSConfigStartUp-LClock - C:\Program Files\LClock\LClock.exe
MSConfigStartUp-MSMSGS - C:\Program Files\Messenger\msmsgs.exe
MSConfigStartUp-WhenUSave - C:\Program Files\Save\Save.exe
MSConfigStartUp-Windows Defender - C:\Program Files\Windows Defender\MSASCui.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 00:39:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
.
**************************************************************************
.
Completion time: 2008-07-23 0:45:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-23 07:45:45

Pre-Run: 45,912,723,456 bytes free
Post-Run: 46,063,845,376 bytes free

296 --- E O F --- 2008-07-16 06:23:36


-----------------------------------------------------------------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:44 AM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1134433558717
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ent/swflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 5916 bytes
  • 0

#6
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please re-download Combofix to your desktop.

Then:
We now suggest that you install the Windows Recovery Console. The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.
Download the file & save it as it's originally named, next to ComboFix.exe.
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When prompted to scan for infected files, choose no; when done, a log named CF_RC.txt will open. Please post the contents of that log.


Please do not reboot your machine until we have reviewed the log.
  • 0

#7
monkez

    Member

  • Topic Starter
  • Member
  • 18 posts
ComboFix 08-07-22.4 - Ruvim 2008-07-23 10:43:44.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.293 [GMT -7:00]
Running from: C:\Documents and Settings\Ruvim\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ruvim\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM63e3c48d.xml
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-23 to 2008-07-23 )))))))))))))))))))))))))))))))
.

2008-07-23 01:42 . 2008-07-23 02:05 <DIR> d-------- C:\Program Files\Security Task Manager
2008-07-23 01:42 . 2008-07-23 10:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-23 01:30 . 2008-07-23 01:31 <DIR> d-------- C:\Temp\ListDlls
2008-07-22 19:27 . 2008-07-22 19:27 <DIR> d-------- C:\Deckard
2008-07-21 23:11 . 2008-07-21 23:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-20 11:36 . 2008-07-20 11:36 <DIR> d-------- C:\Documents and Settings\Ruvim\Incomplete
2008-07-20 11:35 . 2008-07-20 11:45 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\FrostWire
2008-07-15 17:16 . 2008-07-15 17:16 92,160 --a------ C:\WINDOWS\system32\eealagyu.dll
2008-07-15 17:16 . 2008-07-15 17:16 78,848 --a------ C:\WINDOWS\system32\afqergmf.dll
2008-07-14 23:20 . 2008-07-14 23:20 <DIR> d---s---- C:\Documents and Settings\Ruvim\UserData
2008-07-14 17:06 . 2008-07-14 17:06 91,136 --a------ C:\WINDOWS\system32\iskvwpls.dll
2008-07-14 17:03 . 2008-07-17 22:14 <DIR> d-------- C:\Program Files\Shai-Hulud 2000
2008-07-14 16:22 . 2008-07-14 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-07-14 12:35 . 2008-07-14 12:35 <DIR> d-------- C:\Documents and Settings\new\Application Data\Yahoo!
2008-07-13 21:52 . 2008-07-13 21:52 <DIR> d-------- C:\Documents and Settings\new\Application Data\Share-to-Web Upload Folder
2008-07-13 21:45 . 2008-07-14 01:10 <DIR> d-------- C:\Documents and Settings\new\Application Data\Azureus
2008-07-13 21:31 . 2008-07-13 21:31 <DIR> d-------- C:\Documents and Settings\new\Application Data\vlc
2008-07-13 21:14 . 2008-07-13 21:14 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-07-13 21:02 . 2008-07-13 21:02 <DIR> d-------- C:\Documents and Settings\new\Application Data\Symantec
2008-07-13 21:02 . 2008-07-13 21:11 <DIR> d-------- C:\Documents and Settings\new\Application Data\GetRight Pro
2008-07-13 21:00 . 2008-07-13 21:00 <DIR> d-------- C:\Documents and Settings\new
2008-07-13 17:06 . 2008-07-13 17:06 91,648 --a------ C:\WINDOWS\system32\wejrwxvm.dll
2008-07-13 16:59 . 2008-07-13 16:59 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\Yahoo!
2008-07-13 16:42 . 2008-07-13 16:42 <DIR> d-------- C:\Documents and Settings\Ruvim\dwhelper
2008-07-13 16:24 . 2008-07-13 16:24 <DIR> d-------- C:\Documents and Settings\Ruvim\WINDOWS
2008-07-13 15:18 . 2008-07-13 15:18 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\Share-to-Web Upload Folder
2008-07-13 15:07 . 2008-07-13 15:07 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\vlc
2008-07-13 01:02 . 2008-07-23 10:42 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\Azureus
2008-07-13 00:44 . 2008-07-18 17:39 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\Symantec
2008-07-13 00:44 . 2008-07-23 10:36 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\GetRight Pro
2008-07-13 00:42 . 2008-07-23 00:37 <DIR> d-------- C:\Documents and Settings\Ruvim
2008-07-12 17:12 . 2008-07-12 17:12 109,500 --a------ C:\WINDOWS\system32\hpovjmat.exe
2008-07-12 09:37 . 2008-07-12 09:39 <DIR> d-------- C:\Program Files\MED2k
2008-07-12 09:35 . 1997-01-16 00:00 71,680 --a------ C:\WINDOWS\ST5UNST.EXE
2008-07-12 09:35 . 1997-01-16 00:00 29,696 --a------ C:\WINDOWS\system32\VB5StKit.dll
2008-07-12 05:08 . 2008-07-12 05:08 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-07-12 05:08 . 2008-07-12 23:48 <DIR> d-------- C:\Program Files\Norton 360
2008-07-12 05:01 . 2008-07-13 00:20 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-12 05:01 . 2008-07-13 00:20 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-12 05:01 . 2008-07-13 00:20 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-12 05:01 . 2008-07-13 00:20 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-12 04:28 . 2008-07-23 10:35 <DIR> d-------- C:\Downloads
2008-07-11 17:13 . 2008-07-11 17:20 <DIR> d-------- C:\Program Files\RSSoft
2008-07-11 17:13 . 2008-07-11 17:13 <DIR> d-------- C:\Program Files\DAEMON Tools
2008-07-10 17:46 . 2008-07-13 21:47 <DIR> d-------- C:\Program Files\GetRight
2008-07-08 14:54 . 2008-07-13 01:15 <DIR> d-------- C:\Program Files\Vuze
2008-07-08 14:36 . 2006-08-16 04:58 100,352 -----c--- C:\WINDOWS\system32\dllcache\6to4svc.dll
2008-07-04 21:05 . 2008-07-04 21:06 <DIR> d-------- C:\Program Files\TibEd 2
2008-07-04 19:45 . 2008-07-04 19:45 751,096 --a------ C:\WINDOWS\system32\WIN32.TLB
2008-07-04 19:45 . 2008-07-04 19:45 645,616 --a------ C:\WINDOWS\system32\Mscomct2.ocx
2008-07-04 19:45 . 2008-07-04 19:45 414,944 --a------ C:\WINDOWS\system32\comct332.ocx
2008-07-04 19:45 . 2008-07-04 19:45 209,408 --a------ C:\WINDOWS\system32\TABCTL32.OCX
2008-07-04 19:45 . 2008-07-04 19:45 164,144 --a------ C:\WINDOWS\system32\COMCT232.OCX
2008-07-04 19:45 . 2008-07-04 19:45 82,960 --a------ C:\WINDOWS\system32\PICCLP32.OCX
2008-07-04 19:45 . 2008-07-04 19:45 39,424 --a------ C:\WINDOWS\system32\NInput.ocx
2008-07-04 19:41 . 2008-07-15 00:33 <DIR> d-------- C:\Program Files\TibEd
2008-07-04 19:28 . 2008-07-13 16:53 <DIR> d-------- C:\Westwood
2008-07-04 19:24 . 2008-07-11 16:54 <DIR> d-------- C:\Program Files\Domination
2008-07-04 18:57 . 2008-07-04 18:57 <DIR> d-------- C:\Program Files\Xicat
2008-06-27 00:37 . 2008-06-27 00:37 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-06-27 00:35 . 2008-06-27 00:35 <DIR> d-------- C:\sj668

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 17:23 --------- d-----w C:\Program Files\FrostWire
2008-07-23 08:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-13 07:25 --------- d-----w C:\Program Files\Symantec
2008-07-12 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-11 23:59 --------- d-----w C:\Program Files\Real
2008-06-27 07:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-27 07:37 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 21:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 21:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-13 21:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 21:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 21:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 21:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 21:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 21:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 21:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 21:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 21:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 21:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-30 05:58 --------- d-----w C:\Program Files\JD Design
2008-05-30 05:46 --------- d-----w C:\Program Files\PowerStrip
2008-05-26 23:42 --------- d-----w C:\Program Files\VideoLAN
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2006-10-14 03:37 88 --sh--r C:\WINDOWS\system32\93AB10843A.sys
2006-10-14 03:39 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-23_ 0.45.27.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 15:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
- 2008-07-23 07:39:14 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4b8.dat
+ 2008-07-23 07:50:17 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 01:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 01:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 01:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 12:37 51048]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:56 158208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight.lnk
backup=C:\WINDOWS\pss\GetRight.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2007-07-02 03:27 219520 C:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-02-18 12:37 51048 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 15:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-02-17 00:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
-ra------ 2004-04-07 12:22 4730880 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2008-02-26 07:50 988512 C:\Program Files\Norton 360\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
--a------ 2008-05-01 17:37 726776 c:\Program Files\PowerStrip\PStrip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Red Swoosh]
--a------ 2007-02-26 18:30 62436 C:\Program Files\RSSoft\RedSwoosh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2001-07-03 09:11 57344 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-17 20:41 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
-ra--c--- 2004-01-30 08:01 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
-ra------ 2004-04-07 12:22 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aspnet_state"=3 (0x3)
"WZCSVC"=2 (0x2)
"TrkWks"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"seclogon"=2 (0x2)
"RasMan"=3 (0x3)
"ERSvc"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"LiveUpdate Notice"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"hpqwmi"=3 (0x3)
"getPlus® Helper"=3 (0x3)
"comHost"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"Netlogon"=3 (0x3)
"dmadmin"=3 (0x3)
"W32Time"=2 (0x2)
"Schedule"=2 (0x2)
"HidServ"=2 (0x2)
"CryptSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Westwood\\Dune2000\\DUNE2000.DAT"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

R2 PStrip;PSTRIP;C:\WINDOWS\system32\DRIVERS\PSTRIP.SYS [2007-07-14 18:37]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 21:08:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 10:46:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-23 10:48:42
ComboFix-quarantined-files.txt 2008-07-23 17:48:28
ComboFix2.txt 2008-07-23 07:45:53

Pre-Run: 46,002,929,664 bytes free
Post-Run: 45,977,366,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

266 --- E O F --- 2008-07-16 06:23:36
  • 0

#8
monkez

    Member

  • Topic Starter
  • Member
  • 18 posts
Should I delete these myself??
wejrwxvm.dll
iskvwpls.dll
afqergmf.dll
eealagyu.dll
  • 0

#9
monkez

    Member

  • Topic Starter
  • Member
  • 18 posts
ComboFix 08-07-22.4 - Ruvim 2008-07-23 10:43:44.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.293 [GMT -7:00]
Running from: C:\Documents and Settings\Ruvim\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ruvim\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM63e3c48d.xml
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-23 to 2008-07-23 )))))))))))))))))))))))))))))))
.

2008-07-23 01:42 . 2008-07-23 02:05 <DIR> d-------- C:\Program Files\Security Task Manager
2008-07-23 01:42 . 2008-07-23 10:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-23 01:30 . 2008-07-23 01:31 <DIR> d-------- C:\Temp\ListDlls
2008-07-22 19:27 . 2008-07-22 19:27 <DIR> d-------- C:\Deckard
2008-07-21 23:11 . 2008-07-21 23:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-20 11:36 . 2008-07-20 11:36 <DIR> d-------- C:\Documents and Settings\Ruvim\Incomplete
2008-07-20 11:35 . 2008-07-20 11:45 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\FrostWire
2008-07-15 17:16 . 2008-07-15 17:16 92,160 --a------ C:\WINDOWS\system32\eealagyu.dll
2008-07-15 17:16 . 2008-07-15 17:16 78,848 --a------ C:\WINDOWS\system32\afqergmf.dll
2008-07-14 23:20 . 2008-07-14 23:20 <DIR> d---s---- C:\Documents and Settings\Ruvim\UserData
2008-07-14 17:06 . 2008-07-14 17:06 91,136 --a------ C:\WINDOWS\system32\iskvwpls.dll
2008-07-14 17:03 . 2008-07-17 22:14 <DIR> d-------- C:\Program Files\Shai-Hulud 2000
2008-07-14 16:22 . 2008-07-14 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-07-14 12:35 . 2008-07-14 12:35 <DIR> d-------- C:\Documents and Settings\new\Application Data\Yahoo!
2008-07-13 21:52 . 2008-07-13 21:52 <DIR> d-------- C:\Documents and Settings\new\Application Data\Share-to-Web Upload Folder
2008-07-13 21:45 . 2008-07-14 01:10 <DIR> d-------- C:\Documents and Settings\new\Application Data\Azureus
2008-07-13 21:31 . 2008-07-13 21:31 <DIR> d-------- C:\Documents and Settings\new\Application Data\vlc
2008-07-13 21:14 . 2008-07-13 21:14 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-07-13 21:02 . 2008-07-13 21:02 <DIR> d-------- C:\Documents and Settings\new\Application Data\Symantec
2008-07-13 21:02 . 2008-07-13 21:11 <DIR> d-------- C:\Documents and Settings\new\Application Data\GetRight Pro
2008-07-13 21:00 . 2008-07-13 21:00 <DIR> d-------- C:\Documents and Settings\new
2008-07-13 17:06 . 2008-07-13 17:06 91,648 --a------ C:\WINDOWS\system32\wejrwxvm.dll
2008-07-13 16:59 . 2008-07-13 16:59 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\Yahoo!
2008-07-13 16:42 . 2008-07-13 16:42 <DIR> d-------- C:\Documents and Settings\Ruvim\dwhelper
2008-07-13 16:24 . 2008-07-13 16:24 <DIR> d-------- C:\Documents and Settings\Ruvim\WINDOWS
2008-07-13 15:18 . 2008-07-13 15:18 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\Share-to-Web Upload Folder
2008-07-13 15:07 . 2008-07-13 15:07 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\vlc
2008-07-13 01:02 . 2008-07-23 10:42 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\Azureus
2008-07-13 00:44 . 2008-07-18 17:39 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\Symantec
2008-07-13 00:44 . 2008-07-23 10:36 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\GetRight Pro
2008-07-13 00:42 . 2008-07-23 00:37 <DIR> d-------- C:\Documents and Settings\Ruvim
2008-07-12 17:12 . 2008-07-12 17:12 109,500 --a------ C:\WINDOWS\system32\hpovjmat.exe
2008-07-12 09:37 . 2008-07-12 09:39 <DIR> d-------- C:\Program Files\MED2k
2008-07-12 09:35 . 1997-01-16 00:00 71,680 --a------ C:\WINDOWS\ST5UNST.EXE
2008-07-12 09:35 . 1997-01-16 00:00 29,696 --a------ C:\WINDOWS\system32\VB5StKit.dll
2008-07-12 05:08 . 2008-07-12 05:08 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-07-12 05:08 . 2008-07-12 23:48 <DIR> d-------- C:\Program Files\Norton 360
2008-07-12 05:01 . 2008-07-13 00:20 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-12 05:01 . 2008-07-13 00:20 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-12 05:01 . 2008-07-13 00:20 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-12 05:01 . 2008-07-13 00:20 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-12 04:28 . 2008-07-23 10:35 <DIR> d-------- C:\Downloads
2008-07-11 17:13 . 2008-07-11 17:20 <DIR> d-------- C:\Program Files\RSSoft
2008-07-11 17:13 . 2008-07-11 17:13 <DIR> d-------- C:\Program Files\DAEMON Tools
2008-07-10 17:46 . 2008-07-13 21:47 <DIR> d-------- C:\Program Files\GetRight
2008-07-08 14:54 . 2008-07-13 01:15 <DIR> d-------- C:\Program Files\Vuze
2008-07-08 14:36 . 2006-08-16 04:58 100,352 -----c--- C:\WINDOWS\system32\dllcache\6to4svc.dll
2008-07-04 21:05 . 2008-07-04 21:06 <DIR> d-------- C:\Program Files\TibEd 2
2008-07-04 19:45 . 2008-07-04 19:45 751,096 --a------ C:\WINDOWS\system32\WIN32.TLB
2008-07-04 19:45 . 2008-07-04 19:45 645,616 --a------ C:\WINDOWS\system32\Mscomct2.ocx
2008-07-04 19:45 . 2008-07-04 19:45 414,944 --a------ C:\WINDOWS\system32\comct332.ocx
2008-07-04 19:45 . 2008-07-04 19:45 209,408 --a------ C:\WINDOWS\system32\TABCTL32.OCX
2008-07-04 19:45 . 2008-07-04 19:45 164,144 --a------ C:\WINDOWS\system32\COMCT232.OCX
2008-07-04 19:45 . 2008-07-04 19:45 82,960 --a------ C:\WINDOWS\system32\PICCLP32.OCX
2008-07-04 19:45 . 2008-07-04 19:45 39,424 --a------ C:\WINDOWS\system32\NInput.ocx
2008-07-04 19:41 . 2008-07-15 00:33 <DIR> d-------- C:\Program Files\TibEd
2008-07-04 19:28 . 2008-07-13 16:53 <DIR> d-------- C:\Westwood
2008-07-04 19:24 . 2008-07-11 16:54 <DIR> d-------- C:\Program Files\Domination
2008-07-04 18:57 . 2008-07-04 18:57 <DIR> d-------- C:\Program Files\Xicat
2008-06-27 00:37 . 2008-06-27 00:37 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-06-27 00:35 . 2008-06-27 00:35 <DIR> d-------- C:\sj668

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 17:23 --------- d-----w C:\Program Files\FrostWire
2008-07-23 08:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-13 07:25 --------- d-----w C:\Program Files\Symantec
2008-07-12 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-11 23:59 --------- d-----w C:\Program Files\Real
2008-06-27 07:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-27 07:37 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 21:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 21:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-13 21:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 21:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 21:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 21:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 21:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 21:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 21:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 21:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 21:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 21:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-30 05:58 --------- d-----w C:\Program Files\JD Design
2008-05-30 05:46 --------- d-----w C:\Program Files\PowerStrip
2008-05-26 23:42 --------- d-----w C:\Program Files\VideoLAN
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2006-10-14 03:37 88 --sh--r C:\WINDOWS\system32\93AB10843A.sys
2006-10-14 03:39 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_ 0.45.27.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 15:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
- 2008-07-23 07:39:14 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4b8.dat
+ 2008-07-23 07:50:17 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 01:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 01:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 01:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 12:37 51048]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:56 158208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight.lnk
backup=C:\WINDOWS\pss\GetRight.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2007-07-02 03:27 219520 C:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-02-18 12:37 51048 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 15:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-02-17 00:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
-ra------ 2004-04-07 12:22 4730880 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2008-02-26 07:50 988512 C:\Program Files\Norton 360\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
--a------ 2008-05-01 17:37 726776 c:\Program Files\PowerStrip\PStrip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Red Swoosh]
--a------ 2007-02-26 18:30 62436 C:\Program Files\RSSoft\RedSwoosh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2001-07-03 09:11 57344 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-17 20:41 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
-ra--c--- 2004-01-30 08:01 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
-ra------ 2004-04-07 12:22 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aspnet_state"=3 (0x3)
"WZCSVC"=2 (0x2)
"TrkWks"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"seclogon"=2 (0x2)
"RasMan"=3 (0x3)
"ERSvc"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"LiveUpdate Notice"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"hpqwmi"=3 (0x3)
"getPlus® Helper"=3 (0x3)
"comHost"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"Netlogon"=3 (0x3)
"dmadmin"=3 (0x3)
"W32Time"=2 (0x2)
"Schedule"=2 (0x2)
"HidServ"=2 (0x2)
"CryptSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Westwood\\Dune2000\\DUNE2000.DAT"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

R2 PStrip;PSTRIP;C:\WINDOWS\system32\DRIVERS\PSTRIP.SYS [2007-07-14 18:37]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 21:08:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 10:46:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-23 10:48:42
ComboFix-quarantined-files.txt 2008-07-23 17:48:28
ComboFix2.txt 2008-07-23 07:45:53

Pre-Run: 46,002,929,664 bytes free
Post-Run: 45,977,366,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

266 --- E O F --- 2008-07-16 06:23:36

Should I delete these myself?
wejrwxvm.dll
iskvwpls.dll
afqergmf.dll
eealagyu.dll

#10 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then click OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\eealagyu.dll
C:\WINDOWS\system32\afqergmf.dll
C:\WINDOWS\system32\iskvwpls.dll
C:\WINDOWS\system32\wejrwxvm.dll
C:\WINDOWS\system32\hpovjmat.exe


3. Save the above as CFScript.txt

4. Then drag CFScript.txt onto ComboFix.exe. This will start ComboFix again.



5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

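The file list in the fix script above and the Security Center and firewall state visible in the ComboFix log in post #9 are the two things a helper reads first in a log like this. The script below is an added example, not code from this thread, from ComboFix or from Trend Micro: a small Python triage pass over pasted ComboFix text. Its first check picks out "Files Created" entries for PE files sitting directly in system32 whose base name is eight lowercase letters and whose create time equals its modify time; its second check reports registry values that turn off Security Center monitoring or the Windows Firewall, plus globally opened ports and a script host (mshta.exe) allowed through the firewall. The eight-letter heuristic, the key list and the sample text are this example's own assumptions, with the sample lines copied from the logs posted above.

```python
"""Triage pass over a pasted ComboFix log (added example, not ComboFix code).

Pass 1: flag "Files Created" entries that look like dropped payloads, i.e. a
PE file directly under system32 whose name is eight lowercase letters and
whose create time equals its modify time.  Pass 2: flag "Reg Loading Points"
values that weaken the host.  Both heuristics are assumptions of this example.
"""
import re

# Constructed sample: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
2008-07-23 01:42 . 2008-07-23 02:05 <DIR> d-------- C:\Program Files\Security Task Manager
2008-07-15 17:16 . 2008-07-15 17:16 92,160 --a------ C:\WINDOWS\system32\eealagyu.dll
2008-07-15 17:16 . 2008-07-15 17:16 78,848 --a------ C:\WINDOWS\system32\afqergmf.dll
2008-07-14 17:06 . 2008-07-14 17:06 91,136 --a------ C:\WINDOWS\system32\iskvwpls.dll
2008-07-13 21:14 . 2008-07-13 21:14 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-07-13 17:06 . 2008-07-13 17:06 91,648 --a------ C:\WINDOWS\system32\wejrwxvm.dll
2008-07-12 17:12 . 2008-07-12 17:12 109,500 --a------ C:\WINDOWS\system32\hpovjmat.exe
2008-07-12 09:35 . 1997-01-16 00:00 29,696 --a------ C:\WINDOWS\system32\VB5StKit.dll
2008-07-08 14:36 . 2006-08-16 04:58 100,352 -----c--- C:\WINDOWS\system32\dllcache\6to4svc.dll
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
"""

# ComboFix file line: "<created> . <modified> <size or <DIR>> <9 attr flags> <path>"
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(<DIR>|[\d,]+)\s+(\S{9})\s+(.+)$")
RANDOM_PE = re.compile(r"^[a-z]{8}\.(dll|exe)$")   # heuristic assumed by this example
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VAL_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')


def suspicious_files(log: str) -> list:
    """Return paths of dropped-looking PE files directly under system32."""
    hits = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, _attrs, path = m.groups()
        parent, _, name = path.rpartition("\\")
        if size == "<DIR>" or parent.lower() != r"c:\windows\system32":
            continue
        # A dropped file is written once (ctime == mtime); installers usually
        # keep the original build timestamp instead, as VB5StKit.dll shows.
        if RANDOM_PE.match(name) and created == modified:
            hits.append(path)
    return hits


def weakened_settings(log: str) -> list:
    """Return readable findings from the REGEDIT4 dump inside the log."""
    findings, key = [], ""
    for line in log.splitlines():
        km = REG_KEY_RE.match(line.strip())
        if km:
            key = km.group(1).lower()
            continue
        vm = REG_VAL_RE.match(line.strip())
        if not vm:
            continue
        name, value = vm.group(1).lower(), vm.group(2).strip().lower()
        if key.endswith("security center") and name == "antivirusdisablenotify" \
                and value == "dword:00000001":
            findings.append("Security Center AV notifications disabled")
        elif "security center\\monitoring" in key and name == "disablemonitoring" \
                and value == "dword:00000001":
            findings.append("Security Center monitoring disabled: " + key.rsplit("\\", 1)[-1])
        elif key.endswith("firewallpolicy\\standardprofile") and name == "enablefirewall" \
                and value.startswith("0"):
            findings.append("Windows Firewall disabled (standard profile)")
        elif key.endswith("authorizedapplications\\list") and name.endswith("mshta.exe"):
            findings.append("Script host mshta.exe authorized through the firewall")
        elif key.endswith("globallyopenports\\list"):
            findings.append("Globally open port " + vm.group(1) + ": " + vm.group(2).strip())
    return findings


if __name__ == "__main__":
    for p in suspicious_files(SAMPLE_LOG):
        print("FILE", p)
    for f in weakened_settings(SAMPLE_LOG):
        print("REG ", f)
```

On the sample, the file pass returns exactly the five paths kahdah put in the CFScript and nothing else (spupdsvc.inf fails the extension check, VB5StKit.dll keeps its 1997 build timestamp, 6to4svc.dll lives in dllcache). The registry findings need a human reading: Norton 360 legitimately registers with Security Center and sets DisableMonitoring for its own products, and a third-party firewall leaves EnableFirewall at 0, so those hits are expected on this machine, while the Red Swoosh ports and mshta.exe in the authorized list are worth re-checking after the cleanup. The name heuristic is supporting evidence only; the helper confirmed the files with the other tools in the thread (ListDlls, Deckard) before scripting their removal.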

#11 monkez (Topic Starter, Member, 18 posts)
ComboFix log:
ComboFix 08-07-22.4 - Ruvim 2008-07-23 22:40:37.3 - NTFSx86
Running from: C:\Documents and Settings\Ruvim\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ruvim\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\afqergmf.dll
C:\WINDOWS\system32\eealagyu.dll
C:\WINDOWS\system32\hpovjmat.exe
C:\WINDOWS\system32\iskvwpls.dll
C:\WINDOWS\system32\wejrwxvm.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\afqergmf.dll
C:\WINDOWS\system32\eealagyu.dll
C:\WINDOWS\system32\hpovjmat.exe
C:\WINDOWS\system32\iskvwpls.dll
C:\WINDOWS\system32\wejrwxvm.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.

2008-07-23 19:09 . 2008-07-23 19:31 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\LimeWire
2008-07-23 19:02 . 2008-07-23 19:02 <DIR> d-------- C:\Program Files\LimeWire
2008-07-23 19:02 . 2008-07-23 19:02 64,632 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-07-23 17:55 . 2008-07-23 17:55 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\Apple Computer
2008-07-23 11:30 . 2008-07-23 11:32 <DIR> d-------- C:\Program Files\Safari
2008-07-23 11:28 . 2008-07-23 11:28 <DIR> d-------- C:\Program Files\Bonjour
2008-07-23 11:09 . 2008-07-23 11:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-23 11:08 . 2008-07-23 11:11 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-23 11:08 . 2005-08-25 19:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-07-23 01:42 . 2008-07-23 02:05 <DIR> d-------- C:\Program Files\Security Task Manager
2008-07-23 01:42 . 2008-07-23 10:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-23 01:30 . 2008-07-23 01:31 <DIR> d-------- C:\Temp\ListDlls
2008-07-22 19:27 . 2008-07-22 19:27 <DIR> d-------- C:\Deckard
2008-07-21 23:11 . 2008-07-21 23:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-20 11:36 . 2008-07-20 11:36 <DIR> d-------- C:\Documents and Settings\Ruvim\Incomplete
2008-07-20 11:35 . 2008-07-20 11:45 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\FrostWire
2008-07-14 23:20 . 2008-07-14 23:20 <DIR> d---s---- C:\Documents and Settings\Ruvim\UserData
2008-07-14 17:03 . 2008-07-17 22:14 <DIR> d-------- C:\Program Files\Shai-Hulud 2000
2008-07-14 16:22 . 2008-07-14 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-07-14 12:35 . 2008-07-14 12:35 <DIR> d-------- C:\Documents and Settings\new\Application Data\Yahoo!
2008-07-13 21:52 . 2008-07-13 21:52 <DIR> d-------- C:\Documents and Settings\new\Application Data\Share-to-Web Upload Folder
2008-07-13 21:45 . 2008-07-14 01:10 <DIR> d-------- C:\Documents and Settings\new\Application Data\Azureus
2008-07-13 21:31 . 2008-07-13 21:31 <DIR> d-------- C:\Documents and Settings\new\Application Data\vlc
2008-07-13 21:14 . 2008-07-13 21:14 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-07-13 21:02 . 2008-07-13 21:02 <DIR> d-------- C:\Documents and Settings\new\Application Data\Symantec
2008-07-13 21:02 . 2008-07-13 21:11 <DIR> d-------- C:\Documents and Settings\new\Application Data\GetRight Pro
2008-07-13 21:00 . 2008-07-13 21:00 <DIR> d-------- C:\Documents and Settings\new
2008-07-13 16:59 . 2008-07-13 16:59 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\Yahoo!
2008-07-13 16:42 . 2008-07-13 16:42 <DIR> d-------- C:\Documents and Settings\Ruvim\dwhelper
2008-07-13 16:24 . 2008-07-13 16:24 <DIR> d-------- C:\Documents and Settings\Ruvim\WINDOWS
2008-07-13 15:18 . 2008-07-13 15:18 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\Share-to-Web Upload Folder
2008-07-13 15:07 . 2008-07-13 15:07 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\vlc
2008-07-13 01:02 . 2008-07-23 22:39 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\Azureus
2008-07-13 00:44 . 2008-07-18 17:39 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\Symantec
2008-07-13 00:44 . 2008-07-23 19:00 <DIR> d-------- C:\Documents and Settings\Ruvim\Application Data\GetRight Pro
2008-07-13 00:42 . 2008-07-23 00:37 <DIR> d-------- C:\Documents and Settings\Ruvim
2008-07-12 09:37 . 2008-07-12 09:39 <DIR> d-------- C:\Program Files\MED2k
2008-07-12 09:35 . 1997-01-16 00:00 71,680 --a------ C:\WINDOWS\ST5UNST.EXE
2008-07-12 09:35 . 1997-01-16 00:00 29,696 --a------ C:\WINDOWS\system32\VB5StKit.dll
2008-07-12 05:08 . 2008-07-12 05:08 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-07-12 05:08 . 2008-07-12 23:48 <DIR> d-------- C:\Program Files\Norton 360
2008-07-12 05:01 . 2008-07-13 00:20 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-12 05:01 . 2008-07-13 00:20 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-12 05:01 . 2008-07-13 00:20 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-12 05:01 . 2008-07-13 00:20 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-12 04:28 . 2008-07-23 11:25 <DIR> d-------- C:\Downloads
2008-07-11 17:13 . 2008-07-11 17:20 <DIR> d-------- C:\Program Files\RSSoft
2008-07-11 17:13 . 2008-07-11 17:13 <DIR> d-------- C:\Program Files\DAEMON Tools
2008-07-10 17:46 . 2008-07-13 21:47 <DIR> d-------- C:\Program Files\GetRight
2008-07-08 14:54 . 2008-07-13 01:15 <DIR> d-------- C:\Program Files\Vuze
2008-07-08 14:36 . 2006-08-16 04:58 100,352 -----c--- C:\WINDOWS\system32\dllcache\6to4svc.dll
2008-07-04 21:05 . 2008-07-04 21:06 <DIR> d-------- C:\Program Files\TibEd 2
2008-07-04 19:45 . 2008-07-04 19:45 751,096 --a------ C:\WINDOWS\system32\WIN32.TLB
2008-07-04 19:45 . 2008-07-04 19:45 645,616 --a------ C:\WINDOWS\system32\Mscomct2.ocx
2008-07-04 19:45 . 2008-07-04 19:45 414,944 --a------ C:\WINDOWS\system32\comct332.ocx
2008-07-04 19:45 . 2008-07-04 19:45 209,408 --a------ C:\WINDOWS\system32\TABCTL32.OCX
2008-07-04 19:45 . 2008-07-04 19:45 164,144 --a------ C:\WINDOWS\system32\COMCT232.OCX
2008-07-04 19:45 . 2008-07-04 19:45 82,960 --a------ C:\WINDOWS\system32\PICCLP32.OCX
2008-07-04 19:45 . 2008-07-04 19:45 39,424 --a------ C:\WINDOWS\system32\NInput.ocx
2008-07-04 19:41 . 2008-07-15 00:33 <DIR> d-------- C:\Program Files\TibEd
2008-07-04 19:28 . 2008-07-13 16:53 <DIR> d-------- C:\Westwood
2008-07-04 19:24 . 2008-07-11 16:54 <DIR> d-------- C:\Program Files\Domination
2008-07-04 18:57 . 2008-07-04 18:57 <DIR> d-------- C:\Program Files\Xicat
2008-06-27 00:37 . 2008-06-27 00:37 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-06-27 00:35 . 2008-06-27 00:35 <DIR> d-------- C:\sj668

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-24 05:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-23 17:23 --------- d-----w C:\Program Files\FrostWire
2008-07-13 07:25 --------- d-----w C:\Program Files\Symantec
2008-07-12 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-11 23:59 --------- d-----w C:\Program Files\Real
2008-06-27 07:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-27 07:37 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 21:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 21:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-13 21:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 21:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 21:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 21:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 21:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 21:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 21:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 21:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 21:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 21:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-30 05:58 --------- d-----w C:\Program Files\JD Design
2008-05-30 05:46 --------- d-----w C:\Program Files\PowerStrip
2008-05-26 23:42 --------- d-----w C:\Program Files\VideoLAN
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2006-10-14 03:37 88 --sh--r C:\WINDOWS\system32\93AB10843A.sys
2006-10-14 03:39 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_ 0.45.27.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-23 18:29:45 86,016 ----a-r C:\WINDOWS\Installer\{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}\PrntWzrdIco.exe
+ 2008-07-23 18:33:03 307,200 ----a-r C:\WINDOWS\Installer\{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868}\SafariIco.exe
+ 2000-08-31 15:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
+ 2007-07-24 22:17:08 81,920 ----a-w C:\WINDOWS\system32\dns-sd.exe
+ 2007-07-24 22:17:08 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
+ 2007-07-24 22:17:08 65,536 ----a-w C:\WINDOWS\system32\jdns_sd.dll
- 2008-07-23 07:39:14 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4b8.dat
+ 2008-07-23 07:50:17 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 01:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 01:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 01:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 12:37 51048]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:56 158208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight.lnk
backup=C:\WINDOWS\pss\GetRight.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2007-07-02 03:27 219520 C:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-02-18 12:37 51048 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 15:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-02-17 00:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
-ra------ 2004-04-07 12:22 4730880 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2008-02-26 07:50 988512 C:\Program Files\Norton 360\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
--a------ 2008-05-01 17:37 726776 c:\Program Files\PowerStrip\PStrip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Red Swoosh]
--a------ 2007-02-26 18:30 62436 C:\Program Files\RSSoft\RedSwoosh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2001-07-03 09:11 57344 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-17 20:41 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
-ra--c--- 2004-01-30 08:01 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
-ra------ 2004-04-07 12:22 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aspnet_state"=3 (0x3)
"WZCSVC"=2 (0x2)
"TrkWks"=2 (0x2)
"StarWindServiceAE"=2 (0x2)
"seclogon"=2 (0x2)
"RasMan"=3 (0x3)
"ERSvc"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"LiveUpdate Notice"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"hpqwmi"=3 (0x3)
"getPlus® Helper"=3 (0x3)
"comHost"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"Netlogon"=3 (0x3)
"dmadmin"=3 (0x3)
"W32Time"=2 (0x2)
"Schedule"=2 (0x2)
"HidServ"=2 (0x2)
"CryptSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mshta.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Westwood\\Dune2000\\DUNE2000.DAT"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Vuze\\Azureus.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

R2 PStrip;PSTRIP;C:\WINDOWS\system32\DRIVERS\PSTRIP.SYS [2007-07-14 18:37]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

*Newly Created Service* - BONJOUR_SERVICE
*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 21:08:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 22:46:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-23 22:50:04
ComboFix-quarantined-files.txt 2008-07-24 05:49:23
ComboFix2.txt 2008-07-23 17:48:43
ComboFix3.txt 2008-07-23 07:45:53

Pre-Run: 45,724,315,648 bytes free
Post-Run: 45,717,397,504 bytes free

275 --- E O F --- 2008-07-16 06:23:36


---------------------------------------------------------------
hijackthis log-----------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:09 PM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1134433558717
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ent/swflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 6044 bytes
  • 0

#12
monkez

    Member

  • Topic Starter
  • Member
  • 18 posts
ST5UNST.EXE? Might that be a virus?
  • 0

#13
monkez

    Member

  • Topic Starter
  • Member
  • 18 posts
One more question aside from the virus help: how do I get the "Security" tab on a folder's Properties to show up on Windows XP Home Edition, without going into Safe Mode?
  • 0

#14
monkez

    Member

  • Topic Starter
  • Member
  • 18 posts
I have found out that Apple's Safari internet program is not affected by the Vundo virus.
  • 0

#15
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0