Help with Bad spyware/virus


#1
john21 (Member, 27 posts)
I have no idea what has infected my computer, but here is the HJT log... thanks so much.

Logfile of HijackThis v1.99.1
Scan saved at 4:57:34 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\MySpace\IM\MySpaceIM .exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\MySpace\IM\MySpaceIM .exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\John Owen Burt Cole\Desktop\hjt\Killer.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3EF38527-F346-4E64-AC51-4BC6736B1380} - C:\WINDOWS\system32\gebcd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\yayxvuu.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1172367011\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12....es/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147916494296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: yayxvuu - C:\WINDOWS\SYSTEM32\yayxvuu.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - Unknown owner - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe" /service /P ddoctorv2 (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
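The HJT log above lists several autostart programs twice, once under the real name and once with a space before the extension (`jusched.exe` and `jusched .exe`, `ctfmon.exe` and `ctfmon .exe`), and two BHOs registered with "(no name)", one of which (`yayxvuu.dll`) is also hooked as a Winlogon Notify handler. The script below is an added triage example written for this thread, not code from HijackThis, ComboFix or RenV; it parses a HijackThis log and flags exactly those patterns, and its sample input is constructed from lines of the log above.

```python
"""Triage of a HijackThis log for the patterns visible in the log above.

Added example for this thread, not code from HijackThis, ComboFix or RenV.
It flags:
  * running-process or autostart paths whose file name has a space before
    the extension ("jusched .exe" beside the real "jusched.exe"), i.e. the
    lookalike copies that a RenV-style rename pass targets;
  * O2 BHO entries registered as "(no name)", and any such DLL that also
    appears as an O20 Winlogon Notify handler.
Heuristics only: a hit is a lead for a human to confirm, not a verdict.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List

# A Windows path ending in a PE-style extension. The lazy [^"\n]*? lets the
# match run across the stray space in names like "qttask .exe".
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys|ocx)\b', re.IGNORECASE)
# Whitespace immediately before the final extension of a file name.
SPACE_BEFORE_EXT_RE = re.compile(r"\s+\.[A-Za-z0-9]+$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "lookalike", "noname_bho" or "bho_and_winlogon"
    path: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def extract_path(line: str):
    """Return the first file path in an HJT log line, or None."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    by_key = defaultdict(set)   # file name with whitespace removed -> full paths seen
    noname_bho = set()          # lower-cased DLL names of "(no name)" BHOs
    winlogon = set()            # lower-cased DLL names of O20 handlers

    for raw in log_text.splitlines():
        line = raw.strip()
        path = extract_path(line)
        if path is None:
            continue
        name = basename(path)
        by_key[re.sub(r"\s+", "", name).lower()].add(path)
        if line.startswith("O2 - BHO: (no name)"):
            noname_bho.add(name.lower())
            findings.append(Finding("noname_bho", path, "BHO registered without a display name"))
        elif line.startswith("O20 - Winlogon Notify:"):
            winlogon.add(name.lower())

    # Lookalikes: report each spaced name and, when one was seen, the
    # legitimate twin it is named after (same name once whitespace is removed).
    for paths in by_key.values():
        for p in sorted(paths):
            if not SPACE_BEFORE_EXT_RE.search(basename(p)):
                continue
            twins = sorted({basename(q) for q in paths
                            if q != p and not SPACE_BEFORE_EXT_RE.search(basename(q))})
            detail = ("mimics " + ", ".join(twins) if twins
                      else "space before extension, no legitimate twin seen")
            findings.append(Finding("lookalike", p, detail))

    # A DLL that is both an unnamed BHO and a Winlogon Notify handler loads
    # into the browser and into winlogon; worth calling out on its own.
    for dll in sorted(noname_bho & winlogon):
        findings.append(Finding("bho_and_winlogon", dll,
                                "same DLL is a (no name) BHO and a Winlogon Notify handler"))
    return findings


# Constructed sample: lines excerpted from the HJT log above, plus a clean
# Synaptics entry, so the script runs offline.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3EF38527-F346-4E64-AC51-4BC6736B1380} - C:\WINDOWS\system32\gebcd.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\yayxvuu.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: yayxvuu - C:\WINDOWS\SYSTEM32\yayxvuu.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:17} {f.path}  ({f.detail})")
```

Run it against a full saved HJT log by passing the file's text to `triage()`; the `O2`/`O20` checks rely on the line prefixes HijackThis writes, so keep the log unedited.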


#2
loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi john

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3
john21 (Topic Starter, Member, 27 posts)
Hey, thanks... here is the ComboFix log:

ComboFix 07-12-31.4 - John Owen Burt Cole 2008-01-01 18:48:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.522 [GMT -6:00]
Running from: C:\Documents and Settings\John Owen Burt Cole\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Common Files\AOL\1172367011\ee\AOLSoftware.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\QdrDrive
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\racle~1
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\wininstall.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\icroso~1
C:\WINDOWS\mrofinu11.exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\dcbeg.ini2
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\gebcd.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\wapiisv.exe
C:\WINDOWS\system32\yayxvuu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FAD


((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.

2008-01-01 18:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 08:03 . 2007-12-31 08:03 339,456 --a------ C:\WINDOWS\system32\RCX27.tmp
2007-12-30 22:13 . 2007-12-30 22:13 339,456 --a------ C:\WINDOWS\system32\RCX26.tmp
2007-12-30 20:45 . 2007-12-30 20:45 339,456 --a------ C:\WINDOWS\system32\RCX32.tmp
2007-12-30 20:45 . 2008-01-01 16:18 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-30 10:21 . 2007-12-31 08:03 380,416 --a------ C:\WINDOWS\mrofinu11.exe.tmp
2007-12-26 15:08 . 2007-07-27 02:26 37,768 -ra------ C:\WINDOWS\system32\drivers\OLD75.tmp
2007-12-26 15:08 . 2004-08-03 23:08 31,744 --a------ C:\WINDOWS\system32\drivers\wceusbsh.sys
2007-12-26 15:08 . 2004-08-03 23:08 31,744 --a------ C:\WINDOWS\system32\dllcache\wceusbsh.sys
2007-12-25 14:46 . 2007-12-25 14:46 <DIR> d-------- C:\Program Files\Mio Technology
2007-12-08 00:01 . 2007-12-08 00:01 <DIR> d-------- C:\Documents and Settings\John Owen Burt Cole\Application Data\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 00:54 --------- d-----w C:\Program Files\QuickTime
2008-01-01 22:32 --------- d-----w C:\Documents and Settings\John Owen Burt Cole\Application Data\Uniblue
2007-12-25 20:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-22 04:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix
2007-11-22 04:24 --------- d-----w C:\Program Files\Citrix
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2006-12-03 20:19 32 --sha-w C:\WINDOWS\{27B5C850-CFF6-4327-B68A-8F925CA07658}.dat
2006-12-03 20:19 32 --sha-w C:\WINDOWS\{35FEEC08-73DE-4B6C-87F6-E363EDFEC8C4}.dat
2006-12-03 20:17 32 --sha-w C:\WINDOWS\{792CFBA0-75FE-4FDF-BDFD-1A13A6037CB6}.dat
2006-12-03 20:17 32 --sha-w C:\WINDOWS\{C593CAEB-7B9C-4C82-A645-B2CCA1CFE9D8}.dat
2006-12-03 20:18 32 --sha-w C:\WINDOWS\{DDF563CD-F211-4581-B16F-31E6850D78B3}.dat
2006-12-03 20:17 32 --sha-w C:\WINDOWS\{FB4339DA-CE65-493E-84F0-66CCF38D6554}.dat
2006-12-03 20:17 32 --sha-w C:\WINDOWS\system32\{3591CAC5-348F-4081-8647-6B2EBBF6538A}.dat
2006-12-03 20:18 32 --sha-w C:\WINDOWS\system32\{7983C860-51C5-4EEF-8EFC-F56973DA7C6C}.dat
2006-12-03 20:17 32 --sha-w C:\WINDOWS\system32\{7AE8CBED-3AA7-4822-9637-4A8D502C3773}.dat
2006-12-03 20:19 32 --sha-w C:\WINDOWS\system32\{9D81D1EC-1B4E-4B22-BBCA-547602DEDD34}.dat
2006-12-03 20:17 32 --sha-w C:\WINDOWS\system32\{DA704889-9611-42AE-B515-51589386B510}.dat
2006-12-03 20:19 32 --sha-w C:\WINDOWS\system32\{EAFE50D0-88D3-4FE9-BA54-85DA69580724}.dat
.
----a-w		   198,184 2008-01-01 22:18:03  C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd .exe
----a-w			50,736 2008-01-01 22:17:57  C:\Program Files\Common Files\AOL\1172367011\ee\AOLSoftware .exe
----a-w			81,920 2008-01-01 22:17:56  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w		   180,269 2008-01-01 22:18:03  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   132,496 2008-01-01 22:17:48  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		 8,720,384 2008-01-01 22:18:34  C:\Program Files\MySpace\IM\MySpaceIM .exe
----a-w		   761,947 2008-01-01 22:17:51  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w			15,360 2008-01-01 22:18:08  C:\WINDOWS\system32\ctfmon .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [ ]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"ProxyWay"="C:\Program Files\ProxyWay\proxyway.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"HostManager"="C:\Program Files\Common Files\AOL\1172367011\ee\AOLSoftware.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=C:\WINDOWS\pss\Dell Network Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 06:50 71216 -ra------ C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 05:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2005-05-31 04:33 122941 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 16:19 53248 --------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FireExplore Update]
FireExplore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2002-08-14 15:21 94208 --a------ C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1172367011\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-09-08 19:20 8192 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-11 04:19 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"gusvc"=3 (0x3)

R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2002-08-14 15:11]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2002-08-14 06:03]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 22:26:38 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-01-01 22:26:36 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-01 18:59:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-01 19:01:53 - machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-02 01:01:50
.
2007-12-22 06:53:30 --- E O F ---

#4
loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi john

Download RenV.exe to your desktop.
http://download.blee...s/Beta/RenV.exe

Double click RenV.exe to run it.

A text file will open with some info; just close it. Next, referring to the picture below, drag and drop that new text file onto RenV.exe.

Posted Image


Please rescan with ComboFix and post the log.

Thanks

#5
john21 (Topic Starter, Member, 27 posts)
Thanks, here is the new ComboFix log:

ComboFix 07-12-31.4 - John Owen Burt Cole 2008-01-01 19:32:17.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.664 [GMT -6:00]
Running from: C:\Documents and Settings\John Owen Burt Cole\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.

2008-01-01 18:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 08:03 . 2007-12-31 08:03 339,456 --a------ C:\WINDOWS\system32\RCX27.tmp
2007-12-30 22:13 . 2007-12-30 22:13 339,456 --a------ C:\WINDOWS\system32\RCX26.tmp
2007-12-30 20:45 . 2007-12-30 20:45 339,456 --a------ C:\WINDOWS\system32\RCX32.tmp
2007-12-30 10:21 . 2007-12-31 08:03 380,416 --a------ C:\WINDOWS\mrofinu11.exe.tmp
2007-12-26 15:08 . 2007-07-27 02:26 37,768 -ra------ C:\WINDOWS\system32\drivers\OLD75.tmp
2007-12-26 15:08 . 2004-08-03 23:08 31,744 --a------ C:\WINDOWS\system32\drivers\wceusbsh.sys
2007-12-26 15:08 . 2004-08-03 23:08 31,744 --a------ C:\WINDOWS\system32\dllcache\wceusbsh.sys
2007-12-25 14:46 . 2007-12-25 14:46 <DIR> d-------- C:\Program Files\Mio Technology
2007-12-08 00:01 . 2007-12-08 00:01 <DIR> d-------- C:\Documents and Settings\John Owen Burt Cole\Application Data\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 00:54 --------- d-----w C:\Program Files\QuickTime
2008-01-01 22:32 --------- d-----w C:\Documents and Settings\John Owen Burt Cole\Application Data\Uniblue
2008-01-01 22:18 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-01 22:18 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-25 20:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-22 04:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix
2007-11-22 04:24 --------- d-----w C:\Program Files\Citrix
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 22:06 7,518 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-10-30 09:55 3,065,856 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-11 05:57 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-10-11 05:57 666,112 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 05:57 617,984 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 05:57 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 05:57 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 05:57 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 05:57 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 05:57 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-11 05:57 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-10-11 05:57 251,904 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-10-11 05:57 205,824 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 05:57 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 05:57 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 05:57 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 05:57 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 05:57 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 05:57 1,024,000 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 10:48 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2006-12-03 20:19 32 --sha-w C:\WINDOWS\{27B5C850-CFF6-4327-B68A-8F925CA07658}.dat
2006-12-03 20:19 32 --sha-w C:\WINDOWS\{35FEEC08-73DE-4B6C-87F6-E363EDFEC8C4}.dat
2006-12-03 20:17 32 --sha-w C:\WINDOWS\{792CFBA0-75FE-4FDF-BDFD-1A13A6037CB6}.dat
2006-12-03 20:17 32 --sha-w C:\WINDOWS\{C593CAEB-7B9C-4C82-A645-B2CCA1CFE9D8}.dat
2006-12-03 20:18 32 --sha-w C:\WINDOWS\{DDF563CD-F211-4581-B16F-31E6850D78B3}.dat
2006-12-03 20:17 32 --sha-w C:\WINDOWS\{FB4339DA-CE65-493E-84F0-66CCF38D6554}.dat
2006-12-03 20:17 32 --sha-w C:\WINDOWS\system32\{3591CAC5-348F-4081-8647-6B2EBBF6538A}.dat
2006-12-03 20:18 32 --sha-w C:\WINDOWS\system32\{7983C860-51C5-4EEF-8EFC-F56973DA7C6C}.dat
2006-12-03 20:17 32 --sha-w C:\WINDOWS\system32\{7AE8CBED-3AA7-4822-9637-4A8D502C3773}.dat
2006-12-03 20:19 32 --sha-w C:\WINDOWS\system32\{9D81D1EC-1B4E-4B22-BBCA-547602DEDD34}.dat
2006-12-03 20:17 32 --sha-w C:\WINDOWS\system32\{DA704889-9611-42AE-B515-51589386B510}.dat
2006-12-03 20:19 32 --sha-w C:\WINDOWS\system32\{EAFE50D0-88D3-4FE9-BA54-85DA69580724}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-01 16:18 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [ ]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"ProxyWay"="C:\Program Files\ProxyWay\proxyway.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"HostManager"="C:\Program Files\Common Files\AOL\1172367011\ee\AOLSoftware.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=C:\WINDOWS\pss\Dell Network Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 06:50 71216 -ra------ C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-01-01 16:18 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2005-05-31 04:33 122941 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 16:19 53248 --------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FireExplore Update]
FireExplore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2002-08-14 15:21 94208 --a------ C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1172367011\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-09-08 19:20 8192 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-11 04:19 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"gusvc"=3 (0x3)

R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2002-08-14 15:11]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2002-08-14 06:03]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 22:26:38 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-01-01 22:26:36 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-01 19:33:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-01 19:33:49
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-02 01:33:33
C:\qoobox\ComboFix2.txt 2008-01-02 01:29:59
C:\qoobox\ComboFix3.txt 2008-01-02 01:01:54
.
2007-12-22 06:53:30 --- E O F ---
  • 0

#6
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi John, I have to leave for a bit but this is going very well

Can you do the following for me?

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    • C:\WINDOWS\system32\RCX27.tmp
  • Click on the submit button
  • Please post the results in your next reply.

Please scan this one to C:\WINDOWS\mrofinu11.exe.tmp

Thanks
  • 0

#7
john21

john21

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Service load: 0% 100%

File: RCX27.tmp
Status: INFECTED/MALWARE
MD5: 6c83827aa93dd740b4d9fda366d51a43
Packers detected: -
Bit9 reports: File not found



Scan taken on 02 Jan 2008 02:04:53 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Dropper.Agent.GIT
BitDefender Found Trojan.Dropper.Vundo.D
ClamAV Found Trojan.Dropper-3531
CPsecure Found Troj.Dropper.W32.Agent.dgo
Dr.Web Found Trojan.MulDrop.10006
F-Prot Antivirus Found W32/Virtumonde.OQ
F-Secure Anti-Virus Found Trojan-Dropper.Win32.Agent.dgo
Fortinet Found nothing
Ikarus Found Trojan-Dropper.Win32.Agent.dgo
Kaspersky Anti-Virus Found Trojan-Dropper.Win32.Agent.dgo
NOD32 Found Win32/TrojanDropper.Agent.DGO
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found W32/VirtInf-B
VirusBuster Found Win32.Trats.Gen
VBA32 Found Trojan-Dropper.Win32.Agent.dgo
  • 0
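Multi-engine results like the Jotti output above are easier to triage when the pasted text is turned into a detection count and a tally of the family names the vendors agree on. The following is an added example, not something from the thread or from Jotti; the sample result is copied in the shape of the post above, the MD5 format check and the three-engine threshold for calling a file malicious are my own assumptions, and the family keyword list is a hand-picked set covering the names seen in this post.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Jotti result pasted in the thread.
JOTTI_RESULT = """\
File: RCX27.tmp
Status: INFECTED/MALWARE
MD5: 6c83827aa93dd740b4d9fda366d51a43
Packers detected: -
Bit9 reports: File not found

Scan taken on 02 Jan 2008 02:04:53 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Dropper.Agent.GIT
BitDefender Found Trojan.Dropper.Vundo.D
ClamAV Found Trojan.Dropper-3531
CPsecure Found Troj.Dropper.W32.Agent.dgo
Dr.Web Found Trojan.MulDrop.10006
F-Prot Antivirus Found W32/Virtumonde.OQ
F-Secure Anti-Virus Found Trojan-Dropper.Win32.Agent.dgo
Fortinet Found nothing
Ikarus Found Trojan-Dropper.Win32.Agent.dgo
Kaspersky Anti-Virus Found Trojan-Dropper.Win32.Agent.dgo
NOD32 Found Win32/TrojanDropper.Agent.DGO
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found W32/VirtInf-B
VirusBuster Found Win32.Trats.Gen
VBA32 Found Trojan-Dropper.Win32.Agent.dgo
"""

# Assumed keyword list: substrings of vendor names that point at the same
# family; extend it for other samples.
FAMILY_KEYWORDS = ("vundo", "virtumonde", "virtinf", "dropper", "muldrop", "trats")

# Assumed threshold: fewer than three engines agreeing is treated as inconclusive.
MIN_ENGINES = 3


def parse_jotti(text):
    """Split a pasted Jotti result into a header dict and {engine: verdict or None}."""
    header, verdicts = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " Found " in line:
            # Engine names may contain spaces, so split on the literal " Found ".
            engine, verdict = line.split(" Found ", 1)
            verdict = verdict.strip()
            verdicts[engine] = None if verdict.lower() == "nothing" else verdict
        elif ":" in line and not line.startswith("Scan taken"):
            key, value = line.split(":", 1)
            header[key.strip()] = value.strip()
    return header, verdicts


def summarize(text):
    """Return detection count, ratio and family tally for a Jotti result."""
    header, verdicts = parse_jotti(text)
    md5 = header.get("MD5", "")
    if not re.fullmatch(r"[0-9a-fA-F]{32}", md5):
        raise ValueError("MD5 line missing or malformed: %r" % md5)
    hits = {engine: v for engine, v in verdicts.items() if v}
    families = Counter()
    for verdict in hits.values():
        for keyword in FAMILY_KEYWORDS:
            if keyword in verdict.lower():
                families[keyword] += 1
    return {
        "md5": md5.lower(),
        "engines": len(verdicts),
        "detections": len(hits),
        "ratio": len(hits) / len(verdicts) if verdicts else 0.0,
        "families": families,
        "verdict": "malicious" if len(hits) >= MIN_ENGINES else "inconclusive",
    }


if __name__ == "__main__":
    summary = summarize(JOTTI_RESULT)
    print("%(detections)d of %(engines)d engines flagged %(md5)s: %(verdict)s" % summary)
    for family, count in summary["families"].most_common():
        print("  %-12s %d" % (family, count))
```

For this sample 13 of 21 engines flag the file, and the family tally shows nine of them calling it a dropper, which is the consensus a responder would record alongside the hash before deciding what to remove.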

#8
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi again. Almost there.

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\RCX27.tmp
    C:\WINDOWS\system32\RCX26.tmp
    C:\WINDOWS\system32\RCX32.tmp
    C:\WINDOWS\mrofinu11.exe.tmp


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


Click "Exit" to close OTMoveIt.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

  • 0

#9
john21

john21

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
OTMoveIt log:

File/Folder C:\WINDOWS\system32\RCX27.tmp not found.
File/Folder C:\WINDOWS\system32\RCX26.tmp not found.
File/Folder C:\WINDOWS\system32\RCX32.tmp not found.
File/Folder C:\WINDOWS\mrofinu11.exe.tmp not found.

Created on 01/02/2008 18:08:58

Panda Scan log:


Incident Status Location

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\John Owen Burt Cole\Application Data\Sun\Java\Deployment\cache\6.0\18\2eeb2852-589e02ae[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\John Owen Burt Cole\Application Data\Sun\Java\Deployment\cache\6.0\18\2eeb2852-589e02ae[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\John Owen Burt Cole\Application Data\Sun\Java\Deployment\cache\6.0\18\2eeb2852-589e02ae[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\John Owen Burt Cole\Application Data\Sun\Java\Deployment\cache\6.0\18\2eeb2852-589e02ae[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\John Owen Burt Cole\Application Data\Sun\Java\Deployment\cache\6.0\35\663965a3-57ab9075[Matrix.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\John Owen Burt Cole\Application Data\Sun\Java\Deployment\cache\6.0\35\663965a3-57ab9075[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\John Owen Burt Cole\Application Data\Sun\Java\Deployment\cache\6.0\35\663965a3-57ab9075[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\John Owen Burt Cole\Application Data\Sun\Java\Deployment\cache\6.0\35\663965a3-57ab9075[Parser.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\John Owen Burt Cole\Application Data\Sun\Java\Deployment\cache\6.0\54\5b3b23b6-763d8056[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\John Owen Burt Cole\Application Data\Sun\Java\Deployment\cache\6.0\54\5b3b23b6-763d8056[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\John Owen Burt Cole\Application Data\Sun\Java\Deployment\cache\6.0\54\5b3b23b6-763d8056[NewSecurityClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\John Owen Burt Cole\Application Data\Sun\Java\Deployment\cache\6.0\54\5b3b23b6-763d8056[NewURLClassLoader.class]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\John Owen Burt Cole\Cookies\john owen burt [email protected][1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\John Owen Burt Cole\Cookies\john owen burt cole@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\John Owen Burt Cole\Cookies\john owen burt cole@atdmt[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\John Owen Burt Cole\Cookies\john owen burt cole@casalemedia[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\John Owen Burt Cole\Cookies\john owen burt cole@doubleclick[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\John Owen Burt Cole\Cookies\john owen burt cole@realmedia[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\John Owen Burt Cole\Cookies\john owen burt cole@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\John Owen Burt Cole\Cookies\john owen burt cole@tribalfusion[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\John Owen Burt Cole\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\John Owen Burt Cole\Desktop\ComboFix.exe[nircmd.cfexe]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\John Owen Burt Cole\Desktop\hjt\backups\backup-20071231-082633-321.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\John Owen Burt Cole\Desktop\hjt\backups\backup-20071231-082645-102.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\America Online 9.0\download\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Program Files\America Online 9.0\download\SmitfraudFix\restart.exe
Virus:Trj/Downloader.RNO Disinfected C:\QooBox\Quarantine\C\WINDOWS\mrofinu11.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\catchme2008-01-01_185915.48.zip[yayxvuu.dll]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\NPROTECT\00179258.CFE
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\NPROTECT\00179259.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\NPROTECT\00179363.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\NPROTECT\00179394.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\NPROTECT\00179413.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\NPROTECT\00179729.CFE
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\NPROTECT\00179730.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\NPROTECT\00180099.CFE
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\NPROTECT\00180100.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
  • 0

#10
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Great, all very minor


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OTMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

Updating Java and Clearing Cache
  • Go to Start > Control Panel, then double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

Clearing cookies and temporary internet files IE7
  • Click on Tools
  • Click on "internet options"
  • Under "Browsing history" Click "Delete"
  • Click the "Delete all" button
*note* This will delete your saved passwords if you have Internet Explorer save them. It's never a good idea to do this because malware can easily read from this and send the data off.


Let me know how it goes and how the computer is running

Thanks
  • 0

#11
john21

john21

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hey, can we start this over? Something else has happened and popups come from everywhere. I am doing this in safe mode. My task manager won't even work; I get a message that says the administrator has disabled the task manager. Thank you so much. Here is the hjt log:
  • 0

#12
john21

john21

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Sorry here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 7:54:42 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\John Owen Burt Cole\Desktop\hjt\Killer.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BDEX System - {93289CD1-5615-4994-9FD4-FD11A9F6A66D} - C:\WINDOWS\dxpvqlmnsr.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: The ensfolr - {96AB91E2-7D18-4BF5-9930-2C213B9658A4} - C:\WINDOWS\ensfolr.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1172367011\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12....es/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147916494296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: ampkfst - {CB5EA755-2B34-4A5D-B0A6-8EE8B984A121} - C:\WINDOWS\ampkfst.dll
O21 - SSODL: bklgvsf - {EC7D5612-41FB-42CB-94CF-7EA64DD60BE5} - C:\WINDOWS\bklgvsf.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - Unknown owner - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe" /service /P ddoctorv2 (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
  • 0
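A responder reading a HijackThis log like the one above usually works through it line by line; a small parser makes the load points (O2 BHOs, O3 toolbars, O20 Winlogon Notify, O21 SSODL) easy to review as records and lets a couple of defensive heuristics run over them. This is an added example, not HijackThis's own code nor anything posted in the thread. The sample log is a constructed excerpt copied from the entries above, and the two heuristics are my own: a DLL loaded straight from the Windows directory root rather than from system32 or Program Files, and an executable name with a space before its extension, which the running-processes lists in this thread show side by side with the identically named legitimate binaries. Flagged entries are candidates to check against the file on disk, not verdicts; the ComboFix log posted later in the thread lists the same four DLLs under Other Deletions.

```python
import re

# Constructed excerpt in the shape of the HijackThis log posted above.
HJT_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BDEX System - {93289CD1-5615-4994-9FD4-FD11A9F6A66D} - C:\WINDOWS\dxpvqlmnsr.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: The ensfolr - {96AB91E2-7D18-4BF5-9930-2C213B9658A4} - C:\WINDOWS\ensfolr.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: ampkfst - {CB5EA755-2B34-4A5D-B0A6-8EE8B984A121} - C:\WINDOWS\ampkfst.dll
O21 - SSODL: bklgvsf - {EC7D5612-41FB-42CB-94CF-7EA64DD60BE5} - C:\WINDOWS\bklgvsf.dll
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Lazy match so a quoted path with spaces still stops at the first extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:dll|exe|sys))', re.IGNORECASE)
# A DLL directly under the Windows directory, not in a subfolder.
WINDIR_ROOT_DLL = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)
# Assumed heuristic: a space before the extension looks like a look-alike name.
SPACED_EXT = re.compile(r"\s\.(?:exe|dll)$", re.IGNORECASE)
# Sections that load code into Explorer, IE or the logon process.
LOADER_SECTIONS = {"O2", "O3", "O20", "O21"}


def parse_hjt(text):
    """Turn HijackThis lines into records with section, CLSID and file path."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue
        section, body = match.groups()
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append({
            "section": section,
            "body": body,
            "clsid": clsid.group(0) if clsid else None,
            "path": path.group(1) if path else None,
        })
    return entries


def suspicious_entries(entries):
    """Return (section, path, reasons) for entries matching either heuristic."""
    flagged = []
    for entry in entries:
        path = entry["path"]
        if not path:
            continue
        reasons = []
        if entry["section"] in LOADER_SECTIONS and WINDIR_ROOT_DLL.match(path):
            reasons.append("DLL loaded from the Windows directory root")
        if SPACED_EXT.search(path):
            reasons.append("space before the file extension")
        if reasons:
            flagged.append((entry["section"], path, reasons))
    return flagged


def windows_root_dlls(entries):
    """Sorted file names of load-point DLLs sitting in the Windows root."""
    return sorted(
        path.rsplit("\\", 1)[-1]
        for section, path, reasons in suspicious_entries(entries)
        if "DLL loaded from the Windows directory root" in reasons
    )


if __name__ == "__main__":
    records = parse_hjt(HJT_LOG)
    for section, path, reasons in suspicious_entries(records):
        print("%-4s %-60s %s" % (section, path, "; ".join(reasons)))
```

On this excerpt the parser yields ten records and flags five: the four Windows-root DLLs (ampkfst, bklgvsf, dxpvqlmnsr, ensfolr) and the QuickTime entry whose file name carries a space before ".exe". The O20 line has no file extension and is skipped, and the Program Files entries pass both checks.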

#13
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Ack, something new entirely

Let's start with ComboFix:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#14
john21

john21

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Thank you so much. Here is the ComboFix log along with the hjt log afterwards.

ComboFix 08-01-04.1 - John Owen Burt Cole 2008-01-04 10:18:14.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.671 [GMT -6:00]
Running from: C:\Documents and Settings\John Owen Burt Cole\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ampkfst.dll
C:\WINDOWS\bklgvsf.dll
C:\WINDOWS\dat.txt
C:\WINDOWS\dxpvqlmnsr.dll
C:\WINDOWS\ensfolr.dll
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt

.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-04 10:17 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 08:47 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-04 08:47 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-04 08:47 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-04 08:47 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-04 01:53 . 2007-07-03 20:07 <DIR> d-------- C:\Documents and Settings\Administrator.D5XQ7R91\Application Data\Gtek
2008-01-04 01:53 . 2006-04-01 13:07 <DIR> d-------- C:\Documents and Settings\Administrator.D5XQ7R91\Application Data\Corel
2008-01-03 18:38 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\yctjfupdqejg.sys
2008-01-03 18:34 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys
2007-12-26 15:08 . 2007-07-27 02:26 37,768 -ra------ C:\WINDOWS\system32\drivers\OLD75.tmp
2007-12-26 15:08 . 2004-08-03 23:08 31,744 --a------ C:\WINDOWS\system32\drivers\wceusbsh.sys
2007-12-26 15:08 . 2004-08-03 23:08 31,744 --a------ C:\WINDOWS\system32\dllcache\wceusbsh.sys
2007-12-25 14:46 . 2007-12-25 14:46 <DIR> d-------- C:\Program Files\Mio Technology
2007-12-08 00:01 . 2007-12-08 00:01 <DIR> d-------- C:\Documents and Settings\John Owen Burt Cole\Application Data\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 00:37 --------- d-----w C:\Program Files\Dell Network Assistant
2008-01-02 00:54 --------- d-----w C:\Program Files\QuickTime
2008-01-01 22:32 --------- d-----w C:\Documents and Settings\John Owen Burt Cole\Application Data\Uniblue
2008-01-01 22:18 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-01 22:18 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-25 20:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-22 04:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix
2007-11-22 04:24 --------- d-----w C:\Program Files\Citrix
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 22:06 7,518 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-10-30 09:55 3,065,856 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-11 05:57 96,256 ----a-w C:\WINDOWS\system32\dllcache\inseng.dll
2007-10-11 05:57 666,112 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 05:57 617,984 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 05:57 55,808 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 05:57 532,480 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 05:57 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 05:57 449,024 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 05:57 39,424 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-10-11 05:57 357,888 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-10-11 05:57 251,904 ----a-w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-10-11 05:57 205,824 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 05:57 16,384 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 05:57 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 05:57 146,432 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 05:57 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 05:57 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 05:57 1,024,000 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 10:48 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe
2006-12-03 20:19 32 --sha-w C:\WINDOWS\{27B5C850-CFF6-4327-B68A-8F925CA07658}.dat
2006-12-03 20:19 32 --sha-w C:\WINDOWS\{35FEEC08-73DE-4B6C-87F6-E363EDFEC8C4}.dat
2006-12-03 20:17 32 --sha-w C:\WINDOWS\{792CFBA0-75FE-4FDF-BDFD-1A13A6037CB6}.dat
2006-12-03 20:17 32 --sha-w C:\WINDOWS\{C593CAEB-7B9C-4C82-A645-B2CCA1CFE9D8}.dat
2006-12-03 20:18 32 --sha-w C:\WINDOWS\{DDF563CD-F211-4581-B16F-31E6850D78B3}.dat
2006-12-03 20:17 32 --sha-w C:\WINDOWS\{FB4339DA-CE65-493E-84F0-66CCF38D6554}.dat
2006-12-03 20:17 32 --sha-w C:\WINDOWS\system32\{3591CAC5-348F-4081-8647-6B2EBBF6538A}.dat
2006-12-03 20:18 32 --sha-w C:\WINDOWS\system32\{7983C860-51C5-4EEF-8EFC-F56973DA7C6C}.dat
2006-12-03 20:17 32 --sha-w C:\WINDOWS\system32\{7AE8CBED-3AA7-4822-9637-4A8D502C3773}.dat
2006-12-03 20:19 32 --sha-w C:\WINDOWS\system32\{9D81D1EC-1B4E-4B22-BBCA-547602DEDD34}.dat
2006-12-03 20:17 32 --sha-w C:\WINDOWS\system32\{DA704889-9611-42AE-B515-51589386B510}.dat
2006-12-03 20:19 32 --sha-w C:\WINDOWS\system32\{EAFE50D0-88D3-4FE9-BA54-85DA69580724}.dat
.

((((((((((((((((((((((((((((( snapshot@2008-01-01_19.01.34.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-04-11 22:10:10 135,168 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
+ 2006-08-24 14:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
- 2006-04-05 17:39:08 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2007-03-29 15:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
- 2006-04-05 17:39:16 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2006-10-05 22:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
- 2005-06-03 19:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2005-06-03 20:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
- 2003-08-01 16:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2003-08-01 17:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
- 2005-05-20 18:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2005-05-20 19:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2007-11-12 15:46:18 26,112 ----a-w C:\WINDOWS\system32\ActiveScan\JID.dll
- 2006-02-16 23:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2006-02-17 00:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
- 2005-10-25 23:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2005-10-26 00:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2007-11-26 17:10:36 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\NanoWrapper.dll
- 2004-05-04 20:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2004-05-04 21:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
- 2006-03-31 15:09:48 202,752 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-07-14 19:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
- 2005-04-16 21:27:48 172,139 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-04-10 16:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
- 2006-02-14 18:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-14 19:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
- 2005-06-07 21:39:14 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-02-17 00:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
- 2006-04-05 17:39:44 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2006-10-05 22:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2007-06-04 17:31:52 57,344 ----a-w C:\WINDOWS\system32\ActiveScan\pavsddl.dll
- 2005-11-04 20:39:28 6,144 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2006-06-30 20:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
- 2004-02-04 19:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2004-02-04 20:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2007-10-30 16:04:14 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\Prescan.dll
+ 2006-08-01 19:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
- 2006-03-31 18:11:02 1,605,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2007-11-21 16:00:06 376,832 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2007-10-31 19:05:06 32,768 ----a-w C:\WINDOWS\system32\ActiveScan\PSKAHKPRESCAN.dll
- 2006-04-03 23:43:04 10,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-08-17 17:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
- 2006-03-28 23:31:58 48,128 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-09-04 17:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
- 2006-04-12 18:46:14 2,357,760 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2006-08-18 14:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
- 2006-03-31 15:01:08 405,504 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2007-03-26 20:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
- 2006-04-12 17:46:14 81,920 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-08-09 16:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
- 2006-04-06 18:13:10 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-07-19 16:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
- 2006-01-20 21:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-01-20 22:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
- 2006-04-04 18:31:52 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-05-17 15:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
- 2006-01-20 21:49:00 33,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-08-16 16:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
- 2006-04-12 23:18:20 258,048 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-06-30 20:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
- 2006-03-28 18:21:44 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-17 20:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
- 2006-04-05 14:41:12 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-08 19:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
- 2006-04-12 17:59:40 64,000 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 14:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
- 2006-04-03 21:48:20 126,464 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2006-08-18 14:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-10-18 15:30:16 105,472 ----a-w C:\WINDOWS\system32\ActiveScan\psnahk.dll
+ 2007-11-23 20:29:08 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\psndsk.dll
+ 2007-10-18 15:30:38 42,496 ----a-w C:\WINDOWS\system32\ActiveScan\psnflg.dll
+ 2007-10-30 17:19:22 98,304 ----a-w C:\WINDOWS\system32\ActiveScan\psnglknt.dll
+ 2007-08-22 14:52:00 20,272 ----a-w C:\WINDOWS\system32\ActiveScan\psnhsh.dll
+ 2007-11-12 21:49:34 11,776 ----a-w C:\WINDOWS\system32\ActiveScan\psnjidsign.dll
+ 2007-08-22 14:52:04 76,080 ----a-w C:\WINDOWS\system32\ActiveScan\psnkrnl.dll
+ 2007-08-22 14:52:06 21,296 ----a-w C:\WINDOWS\system32\ActiveScan\psnmem.dll
+ 2007-10-04 21:26:28 28,672 ----a-w C:\WINDOWS\system32\ActiveScan\PsnPen.dll
+ 2007-10-23 17:40:10 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\psntuc.dll
+ 2007-05-24 17:27:36 27,136 ----a-w C:\WINDOWS\system32\ActiveScan\PSNXprs.dll
- 2006-04-10 15:20:48 339,968 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-04-18 23:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 20:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 2007-06-08 15:44:36 8,576 ----a-w C:\WINDOWS\system32\ActiveScan\RKPavProc.sys
+ 2007-06-05 16:56:40 44,928 ----a-w C:\WINDOWS\system32\ActiveScan\sdthook.sys
- 1997-09-18 11:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 1997-09-18 12:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
- 2005-04-19 16:19:00 53,248 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2006-02-28 23:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2007-09-17 15:14:08 126,976 ----a-w C:\WINDOWS\system32\ActiveScan\Tucan.dll
- 2006-04-06 15:54:38 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
+ 2006-08-02 18:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
- 2000-08-31 14:00:00 136,704 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2006-01-09 15:36:06 40,960 ----a-w C:\WINDOWS\system32\swsc.exe
- 2000-08-31 14:00:00 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2006-12-01 11:20:32 79,360 ----a-w C:\WINDOWS\system32\swxcacls.exe
- 2006-11-27 07:34:46 49,152 ----a-w C:\WINDOWS\system32\vfind.exe
+ 2000-08-31 14:00:00 49,152 ----a-w C:\WINDOWS\system32\VFind.exe
- 2003-03-25 23:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
+ 2003-03-26 00:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-01 16:18 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [ ]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"ProxyWay"="C:\Program Files\ProxyWay\proxyway.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"HostManager"="C:\Program Files\Common Files\AOL\1172367011\ee\AOLSoftware.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ampkfst"= {CB5EA755-2B34-4A5D-B0A6-8EE8B984A121} - C:\WINDOWS\ampkfst.dll [ ]
"bklgvsf"= {EC7D5612-41FB-42CB-94CF-7EA64DD60BE5} - C:\WINDOWS\bklgvsf.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=C:\WINDOWS\pss\Dell Network Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 06:50 71216 -ra------ C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-01-01 16:18 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2005-05-31 04:33 122941 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 16:19 53248 --------- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FireExplore Update]
FireExplore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2002-08-14 15:21 94208 --a------ C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1172367011\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-09-08 19:20 8192 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-11 04:19 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"gusvc"=3 (0x3)

R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2002-08-14 15:11]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2002-08-14 06:03]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 22:26:38 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-01-01 22:26:36 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 10:19:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 10:20:19
ComboFix-quarantined-files.txt 2008-01-04 16:20:04
ComboFix2.txt 2008-01-02 01:33:49
ComboFix3.txt 2008-01-02 01:29:59
ComboFix4.txt 2008-01-02 01:01:54
.
2007-12-22 06:53:30 --- E O F ---


hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 10:22:39 AM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\John Owen Burt Cole\Desktop\hjt\Killer.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1172367011\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12....es/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147916494296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: ampkfst - {CB5EA755-2B34-4A5D-B0A6-8EE8B984A121} - C:\WINDOWS\ampkfst.dll (file missing)
O21 - SSODL: bklgvsf - {EC7D5612-41FB-42CB-94CF-7EA64DD60BE5} - C:\WINDOWS\bklgvsf.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - Unknown owner - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe" /service /P ddoctorv2 (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
  • 0

#15
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi John

Please rescan with Hijackthis and place a check next to the following entries:

O21 - SSODL: ampkfst - {CB5EA755-2B34-4A5D-B0A6-8EE8B984A121} - C:\WINDOWS\ampkfst.dll (file missing)
O21 - SSODL: bklgvsf - {EC7D5612-41FB-42CB-94CF-7EA64DD60BE5} - C:\WINDOWS\bklgvsf.dll (file missing)

Now click "Fix Checked" and close HijackThis.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt. Please post the log with a new HijackThis log.

  • 0
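The two O21 entries loophole asks to fix above live in the ShellServiceObjectDelayLoad (SSODL) key, a load point Explorer walks at every logon: each value holds a CLSID, and the DLL that actually gets loaded is the InprocServer32 default value registered for that CLSID. The script below is an added example for auditing that key on a Windows machine; it is not part of this thread, not HijackThis or Dr.Web code, and it assumes Windows PowerShell 2.0 or later run from an elevated prompt (the function name Get-SsodlEntry is my own). It reports, for every SSODL value, the resolved DLL path, whether the file exists, and whether it carries a valid Authenticode signature, so an entry whose DLL is missing (as with ampkfst.dll and bklgvsf.dll in the log) or unsigned stands out before anything is removed.

```powershell
# Added example, not part of the thread: audit the ShellServiceObjectDelayLoad
# (SSODL) load point that HijackThis lists as O21. Explorer loads every CLSID
# named here at logon, so a value pointing at a DLL that is missing, unsigned,
# or sitting directly in C:\WINDOWS is worth examining before deciding to remove it.
# Assumes Windows PowerShell 2.0 or later, run from an elevated prompt.

$SsodlKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'

function Get-SsodlEntry {
    $key = Get-Item -Path $SsodlKey -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $clsid  = [string]$key.GetValue($name)
        # The CLSID's InprocServer32 default value is the DLL Explorer will load.
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -Path $server) {
            $raw = (Get-ItemProperty -Path $server).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
        }
        $exists = ($dll -ne $null) -and (Test-Path -LiteralPath $dll)
        $signed = $false
        if ($exists) {
            $signed = (Get-AuthenticodeSignature -FilePath $dll).Status -eq 'Valid'
        }
        # Flag what an analyst looks at first: a CLSID with no registration,
        # a DLL that no longer exists, or a DLL without a valid signature.
        $note = 'ok'
        if ($dll -eq $null)   { $note = 'CLSID has no InprocServer32 (orphaned)' }
        elseif (-not $exists) { $note = 'file missing' }
        elseif (-not $signed) { $note = 'unsigned' }
        New-Object -TypeName PSObject -Property @{
            Name   = $name
            Clsid  = $clsid
            Dll    = $dll
            Exists = $exists
            Signed = $signed
            Note   = $note
        }
    }
}

Get-SsodlEntry | Select-Object Name, Clsid, Dll, Exists, Signed, Note | Format-Table -AutoSize
```

On a stock Windows XP install the expected SSODL values are PostBootReminder, CDBurn, WebCheck and SysTray, which is why ComboFix's "legit default entries are not shown" note hides them; anything else, and especially a randomly named value whose DLL is missing or sits in C:\WINDOWS rather than system32, matches the pattern in this log. Treat the Signed column as a prompt to look rather than a verdict: on older hosts, catalog-signed OS components can report NotSigned. The script only reads; removing an entry is still done the way the thread describes, with HijackThis "Fix Checked", after the DLL itself has been accounted for.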