
Trojan Downloaders

Discussion in 'Malware and Virus Removal Archive' started by tjames238, 2007/06/12.

Thread Status:
Not open for further replies.
  1. 2007/06/12
    tjames238

    tjames238 Inactive Thread Starter

    Joined:
    2006/06/19
    Messages:
    57
    Likes Received:
    0
    A friend of mine is having some problems with their browser homepage popping up in Chinese. I had her scan her computer using AVG and Ad-Aware SE. She came up with several Trojan Downloaders. We were able to delete some of them but not all. I also noticed a Coulomb dialer which I think I have a fix for. After deleting most of the viruses found, her homepage is still changing to the same weird page. I am getting the computer from her today and I will run HJT and post the log here tonight. I remember some of the fixes TeMerc gave me a year ago when I was working on another computer. Does anyone else have any other information on Trojan Downloaders?
     
    Last edited: 2007/06/13
  2. 2007/06/14
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to the WindowsBBS Removing Spyware & Viruses forum; sorry for the long delay in reply.

    If you have already run AdAware SE and/or Spybot Search & Destroy with updated definitions and are still having problems, next we move on to HijackThis v1.99.1. This scan will give us a 'base point' to begin an in-depth detailed analysis.

    Please download HijackThis! SetUp from here. Save the file to your desktop.

    Double-click the HijackThis! SetUp icon to begin the installation. Follow the prompts for the default install location of: 'C:\Program Files\HijackThis'. Tick the 'Create a desktop' button when the option appears. Select next, then allow HijackThis! to start.

    Then press the [Scan] button. You will notice the [Scan] button will turn into a [Save Log] button. Click the [Save Log] button and notepad will open up with the contents of the scan. Right-click in the saved log, and select 'copy'. Then proceed to your original thread, unless otherwise instructed and click the '[Reply]' button and paste the saved contents to be reviewed. Do not make any modifications to the log or perform any 'fixes' until told to do so.
     


  4. 2007/06/14
    tjames238

    tjames238 Inactive Thread Starter

    Joined:
    2006/06/19
    Messages:
    57
    Likes Received:
    0
    this is a test.
     
  5. 2007/06/14
    tjames238

    tjames238 Inactive Thread Starter

    Joined:
    2006/06/19
    Messages:
    57
    Likes Received:
    0
    I was just making sure I posted this correctly. Thanks TeMerc, I actually have downloaded HJT and I will be running that here in the next hour or so. You helped me with a similar problem last year around this time so I figured HJT was the next move. No problem on the delay. I have until Tuesday to try and get this thing working correctly. I have been trying to help others on other threads. I was on your site yesterday and you really have some good information on there. I applied for an account but it hasn't been activated yet.
     
  6. 2007/06/14
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    I approved that account about 5 minutes after it was created. Try to log in, see what happens.
     
  7. 2007/06/14
    tjames238

    tjames238 Inactive Thread Starter

    Joined:
    2006/06/19
    Messages:
    57
    Likes Received:
    0
    I did receive a response but it was in my BULK folder. Thanks!
    Here is the HJT logfile.

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 6:21:41 PM, on 6/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\6e5a1.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Napster\napster.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\suad.exe
    C:\Program Files\directx\tlleiij.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    C:\Program Files\FaxTools\ykhhljk.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis_v2.zip\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.haol23.net/?a49
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O1 - Hosts: 202.109.114.142 survey88.allyes.com
    O1 - Hosts: 202.109.114.142 adtaobao.allyes.com
    O1 - Hosts: 202.109.114.142 code.qihoo.com
    O1 - Hosts: 202.109.114.142 union.mop.com
    O1 - Hosts: 202.109.114.142 js.kkunion.com
    O1 - Hosts: 202.109.114.142 v.kkunion.com
    O1 - Hosts: 202.109.114.142 v.21cn.com
    O1 - Hosts: 202.109.114.142 iplusms.allyes.com
    O1 - Hosts: 202.109.114.142 mms.t2t2.com
    O1 - Hosts: 202.109.114.142 ivr.dobig.net
    O1 - Hosts: 202.109.114.142 www.u8u.com
    O1 - Hosts: 202.109.114.142 u.u8u.com
    O1 - Hosts: 202.109.114.142 img.zhangxiu.com
    O1 - Hosts: 202.109.114.142 tl.linktone.com
    O1 - Hosts: 202.109.114.142 channel.e78.com
    O1 - Hosts: 202.109.114.142 u.7town.com
    O1 - Hosts: 202.109.114.142 union.95ol.com.cn
    O1 - Hosts: 202.109.114.142 mms1.95ol.com.cn
    O1 - Hosts: 202.109.114.142 mfs.95ol.com.cn
    O1 - Hosts: 202.109.114.142 tl.a8.com
    O1 - Hosts: 202.109.114.142 ad01.a8.com
    O1 - Hosts: 202.109.114.142 u2.caiku.com
    O1 - Hosts: 202.109.114.142 mms.caiku.com
    O1 - Hosts: 202.109.114.142 code1.caiku.com
    O1 - Hosts: 202.109.114.142 pub.lele.com
    O1 - Hosts: 202.109.114.142 u.lele.com
    O1 - Hosts: 202.109.114.142 7town.com
    O1 - Hosts: 202.109.114.142 tvsend.7town.com
    O1 - Hosts: 202.109.114.142 ivrsend.7town.com
    O1 - Hosts: 202.109.114.142 tlt.7town.com
    O1 - Hosts: 202.109.114.142 gsend.7town.com
    O1 - Hosts: 202.109.114.142 smssend.7town.com
    O1 - Hosts: 202.109.114.142 mmssend.moyu.com
    O1 - Hosts: 202.109.114.142 91ivr.com
    O1 - Hosts: 202.109.114.142 myad.91ivr.com
    O1 - Hosts: 202.109.114.142 u.91ivr.com
    O1 - Hosts: 202.109.114.142 union.91ivr.com
    O1 - Hosts: 202.109.114.142 cm.p4p.cn.yahoo.com
    O1 - Hosts: 202.109.114.142 un.265.com
    O1 - Hosts: 202.109.114.142 union.qq.com
    O1 - Hosts: 202.109.114.142 view.aliunion.cn.yahoo.com
    O1 - Hosts: 202.109.114.142 union.narrowad.com
    O1 - Hosts: 202.109.114.142 ln.heima8.com
    O1 - Hosts: 202.109.114.142 www.fboat.cn
    O1 - Hosts: 202.109.114.142 cpro.baidu.com
    O1 - Hosts: 202.109.114.142 unstat.baidu.com
    O1 - Hosts: 202.109.114.142 y.cnxad.com
    O1 - Hosts: 202.109.114.142 www.ewowo.com
    O1 - Hosts: 202.109.114.142 template.union.163.com
    O1 - Hosts: 202.109.114.142 new.is686.com
    O1 - Hosts: 202.109.114.142 creative.unionsys.bolaa.com
    O1 - Hosts: 202.109.114.142 www.qyule.com
    O1 - Hosts: 202.109.114.142 99e.cc
    O1 - Hosts: 202.109.114.142 www.91ivr.com
    O1 - Hosts: 202.109.114.142 mg.ukaka.com
    O1 - Hosts: 202.109.114.142 kooxoo2.ad4all.net
    O1 - Hosts: 202.109.114.142 www.8fff.com
    O1 - Hosts: 202.109.114.142 union.pomoho.com
    O1 - Hosts: 202.109.114.142 202.107.233.211
    O1 - Hosts: 202.109.114.142 www.end123.com
    O1 - Hosts: 202.109.114.142 w1.7clink.com
    O1 - Hosts: 202.109.114.142 w2.7clink.com
    O1 - Hosts: 202.109.114.142 union01.com
    O1 - Hosts: 202.109.114.142 click.8le8le.com
    O1 - Hosts: 202.109.114.142 stbanner.allyes.com
    O1 - Hosts: 202.109.114.142 mms1.moyu.com
    O1 - Hosts: 202.109.114.142 u.moyu.com
    O1 - Hosts: 202.109.114.142 mmsu.moyu.com
    O1 - Hosts: 202.109.114.142 show.moyu.com
    O1 - Hosts: 202.109.114.142 ivrsend.moyu.com
    O1 - Hosts: 202.109.114.142 ivru.moyu.com
    O1 - Hosts: 202.109.114.142 ivr1.moyu.com
    O1 - Hosts: 203.191.146.205 corep.dmcast.com
    O1 - Hosts: 203.191.146.205 m081.dmcast.com
    O1 - Hosts: 203.191.146.205 dcww.dmcast.com
    O1 - Hosts: 203.191.146.205 renren.dmcast.com
    O1 - Hosts: 203.191.146.205 files.henbang.net
    O1 - Hosts: 203.191.146.205 bannerbox.cn
    O1 - Hosts: 203.191.146.205 www.bannerbox.cn
    O1 - Hosts: 203.191.146.205 action.coopen.cn
    O1 - Hosts: 203.191.146.205 u4.sky99.cn
    O1 - Hosts: 203.191.146.205 u1.sky99.cn
    O1 - Hosts: 203.191.146.205 u2.sky99.cn
    O1 - Hosts: 203.191.146.205 u3.sky99.cn
    O1 - Hosts: 203.191.146.205 sky99.cn
    O1 - Hosts: 203.191.146.205 u.sky99.cn
    O1 - Hosts: 203.191.146.205 u.ete.cn
    O1 - Hosts: 203.191.146.205 ip.alexaanywhere.com
    O1 - Hosts: 203.191.146.205 www.365tan.com
    O1 - Hosts: 203.191.146.205 www.winopen.cn
    O1 - Hosts: 203.191.146.205 www.tanip.com
    O1 - Hosts: 203.191.146.205 alexaanywhere.com
    O1 - Hosts: 203.191.146.205 jssb.alexaanywhere.com
    O1 - Hosts: 203.191.146.205 ns250.alexaanywhere.com
    O1 - Hosts: 203.191.146.205 sb.alexaanywhere.com
    O1 - Hosts: 203.191.146.205 ip.alexaanywhere.com
    O1 - Hosts: 203.191.146.205 pop.9v.cn
    O1 - Hosts: 203.191.146.205 xuni.myad.cn
    O1 - Hosts: 203.191.146.205 iebar.t2t2.com
    O1 - Hosts: 203.191.146.205 error.newcell.cn
    O1 - Hosts: 203.191.146.205 auto.search.msn.com
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: (no name) - {031882e5-f020-40a9-849c-fde8950dba61} - C:\WINDOWS\system32\ipsuid.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: ChinaBuy Class - {85FAEA13-9C62-4917-8571-B35C563A1943} - C:\WINDOWS\system32\buyunion.dll
    O2 - BHO: QQHelper Class - {BF182DBF-1283-4BD3-86EE-D3239228770C} - C:\Program Files\Internet Explorer\Connection Wizard\QQZoneHelper.dll
    O2 - BHO: ff Class - {FAAAC0F6-94BE-4466-934B-7C53666A2F41} - C:\WINDOWS\system32\b6e1.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SiSPower] "Rundll32.exe" SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [NapsterShell] "C:\Program Files\Napster\napster.exe" /systray
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [setup] "rundll32.exe" "C:\WINDOWS\pmnomk.dll ",realset
    O4 - HKLM\..\Run: [BootService] "rundll32.exe" "C:\WINDOWS\iifgdc.dll ",realset
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [sua] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\suad.exe
    O4 - HKLM\..\Run: [tlleiij] "C:\Program Files\directx\tlleiij.exe "
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
    O4 - HKLM\..\Policies\Explorer\Run: [Userinit] rundll32.exe start
    O4 - HKLM\..\Policies\Explorer\Run: [usrinit] C:\WINDOWS\system32\usrinit.exe
    O4 - HKLM\..\Policies\Explorer\Run: [WinAutoUp] C:\WINDOWS\AutoUp.exe
    O4 - HKLM\..\Policies\Explorer\Run: [adsnt] C:\WINDOWS\AdsNT.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O4 - Global Startup: ykhhlj.lnk = C:\Program Files\FaxTools\ykhhljk.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: ipsuid - ipsuid.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Security Machine Manager (BNESS) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE (file missing)
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 15607 bytes
     
  8. 2007/06/14
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Absolute mess!! :eek:

    I see bots\backdoors, I see Vundo, I see perhaps AWF.

    The bots\backdoors create a special problem:
    These kinds of backdoors can leave an open port back to 'malware headquarters' as the case may be. Meaning that some of your personal information may have been collected. I strongly urge you to contact any companies which you perform financial transactions with on this computer to alert them of the possible breach to avoid any sort of identity theft.

    While this back door should be easily cleaned, there is always a slight possibility we can miss something else. To be 100% sure the system is no longer compromised the best thing to do is to save all data which is important to you and wipe the hard drive, re-installing Windows.

    While the chance of this happening may be rather low, I want to be sure and alert you of the possibility.

    Let me know how you want to proceed and if you do:
    I see you're running the new Trend Micro HijackThis! beta version. As that application is still in beta form, we prefer to use the older version until such time as the Trend Micro one is out of beta phase testing. Please delete the Trend Micro version from your machine.

    Please download HijackThis! SetUp from here. Save the file to your desktop.

    Double-click the HijackThis! SetUp icon to begin the installation. Follow the prompts for the default install location of: 'C:\Program Files\HijackThis'. Tick the 'Create a desktop' button when the option appears. Select next, then allow HijackThis! to start.

    Then press the [Scan] button. You will notice the [Scan] button will turn into a [Save Log] button. Click the [Save Log] button and notepad will open up with the contents of the scan. Right-click in the saved log, and select 'copy'. Then proceed to your original thread, unless otherwise instructed and click the '[Reply]' button and paste the saved contents to be reviewed. Do not make any modifications to the log or perform any 'fixes' until told to do so.
     
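    The entry classes TeMerc is reacting to in that log (hosts-file redirects to a remote IP, nameless or file-missing BHOs, autoruns launched from a Temp folder or via rundll32 with a DLL outside system32, services with no publisher or a missing binary, and a hijacked start page) can be picked out mechanically. The script below is an added example for this thread, not a tool from the forum or from HijackThis; it scans HJT-style lines and returns a reason for each suspicious one. The sample lines are copied from the log posted above; the allow-list of "known default" start-page hosts is an assumption made for the example and should be adjusted to the machine's OEM defaults.

```python
import re

# Hosts-file targets that are legitimate: loopback or blackhole addresses.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Start-page hosts treated as benign OEM/vendor defaults. This allow-list is an
# assumption for the example, not something HijackThis itself knows about.
KNOWN_DEFAULT_HOSTS = {"ie.redirect.hp.com", "www.msn.com", "www.google.com"}

# Sample lines constructed from the HJT log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.haol23.net/?a49
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
O1 - Hosts: 202.109.114.142 cpro.baidu.com
O1 - Hosts: 203.191.146.205 auto.search.msn.com
O2 - BHO: (no name) - {031882e5-f020-40a9-849c-fde8950dba61} - C:\WINDOWS\system32\ipsuid.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [sua] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\suad.exe
O4 - HKLM\..\Run: [setup] "rundll32.exe" "C:\WINDOWS\pmnomk.dll ",realset
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O23 - Service: Security Machine Manager (BNESS) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE (file missing)
O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
""".strip()

_HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
_O4_RE = re.compile(r"^O4 - .*?:\s*\[[^\]]*\]\s*(.*)$")
_R_RE = re.compile(r"^R[01] - .*?,(?:Start Page|Default_Page_URL)\s*=\s*(\S+)")
_DLL_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.dll)\s*"?', re.IGNORECASE)


def _host_of(url):
    """Strip the scheme and path from a URL, leaving the lower-cased host."""
    url = re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE)
    return url.split("/", 1)[0].lower()


def check_line(line):
    """Return a reason string if the HJT line looks suspicious, else None."""
    line = line.strip()
    m = _HOSTS_RE.match(line)
    if m:  # O1: a hosts entry that is not loopback silently rewires name resolution
        ip, name = m.groups()
        return None if ip in LOOPBACK else f"hosts file sends {name} to remote IP {ip}"
    m = _R_RE.match(line)
    if m:  # R0/R1: start page hijack
        host = _host_of(m.group(1))
        return None if host in KNOWN_DEFAULT_HOSTS else f"start page points at unrecognised host {host}"
    if line.startswith(("O2 - BHO:", "O3 - Toolbar:", "O20 - Winlogon Notify:")):
        if "(no name)" in line:
            return "browser extension registered with no name"
        if "(file missing)" in line:
            return "browser extension registered but its file is missing"
        return None
    m = _O4_RE.match(line)
    if m:  # O4: autorun command line
        cmd = m.group(1)
        if "\\temp\\" in cmd.lower():
            return "autorun launches an executable from a Temp directory"
        if "rundll32" in cmd.lower():
            d = _DLL_RE.search(cmd)
            if d and "\\system32\\" not in d.group(1).lower():
                return f"rundll32 autorun loads DLL outside system32: {d.group(1).strip()}"
        return None
    if line.startswith("O23 - Service:"):
        if "(file missing)" in line:
            return "service points at a missing binary"
        if "Unknown owner" in line:
            return "service has no publisher recorded"
    return None


def triage(log_text):
    """Run check_line over every line; return a list of findings."""
    findings = []
    for line in log_text.splitlines():
        reason = check_line(line)
        if reason:
            stripped = line.strip()
            findings.append({"section": stripped.split(" ", 1)[0], "reason": reason, "line": stripped})
    return findings


def summarize(findings):
    """Count findings per HJT section code (O1, O4, ...)."""
    counts = {}
    for f in findings:
        counts[f["section"]] = counts.get(f["section"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['reason']}\n     {f['line']}")
    print(summarize(triage(SAMPLE_LOG)))
```

    Run against the full log, the O1 block alone produces over a hundred hits, all pointing at two remote addresses: that pattern (many unrelated domains resolved to the same non-loopback IP) is the strongest single signal in the log, because it survives browser reinstalls and defeats any scanner that trusts DNS. The script only ranks lines for a human to review; it does not decide what to remove.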
  9. 2007/06/14
    tjames238

    tjames238 Inactive Thread Starter

    Joined:
    2006/06/19
    Messages:
    57
    Likes Received:
    0
    Thanks for the quick response. I definitely want to proceed but I have never completely cleaned a hard drive. I also don't have a copy of Windows XP either. What should I do from here?
     
  10. 2007/06/14
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, seeing as you have no XP disc, we'll try and clean you up as good as we can.

    We'll run a bunch of tools before getting new HJT log.

    Please do as instructed below in the order presented.

    1:
    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


    2.
    Please download VundoFix.exe to your desktop.
    • Double-click *VundoFix.exe* to run it.
    • Click the *Scan for Vundo* button.
    • Once it's done scanning, click the *Remove Vundo* button.
    • You will receive a prompt asking if you want to remove the files, click *YES*
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click *OK*.
    • Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button." when
    VundoFix appears at reboot.

    3.
    Please click here select Save. Save FindAWF to your desktop.

    Double Click FindAWF.exe and let it run, it will create the file AWF.txt on your desktop when finished.

    Open AWF.txt in notepad, select Edit> Select All> Edit> Copy> and Paste the contents.

    4.
    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    5. Open HJT, click the [None of the above, just start the program] button.
    Then click the [Config] button in the lower right hand of the program.
    Then select the [Misc Tools] button.
    In the upper left hand side of the program tick the two boxes [List also minor sections (full)] button and the [List empty sections (complete)] and hit the [Generate StartupList log] button, select 'Yes' when prompted by the dialog box. The resultant scan will produce a notepad log file, please paste that log file back here for me to review.

    Be sure to use the old version of HJT please.

    Logs I'll need once you're done:
    • HJT
    • Vundo
    • AWF
    • SDFix
    • HJT Start up
    • ComboFix
     
  11. 2007/06/14
    tjames238

    tjames238 Inactive Thread Starter

    Joined:
    2006/06/19
    Messages:
    57
    Likes Received:
    0
    I just downloaded the old version of HJT that you posted. I am about to get started on your instructions.
     
  12. 2007/06/14
    tjames238

    tjames238 Inactive Thread Starter

    Joined:
    2006/06/19
    Messages:
    57
    Likes Received:
    0
    Here are the HJT and AWF logfiles.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:18:21 PM, on 6/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\6e5a1.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Napster\napster.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\directx\tlleiij.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    C:\Program Files\FaxTools\ykhhljk.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.haol23.net/?a49
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O1 - Hosts: 202.109.114.142 survey88.allyes.com
    O1 - Hosts: 202.109.114.142 adtaobao.allyes.com
    O1 - Hosts: 202.109.114.142 code.qihoo.com
    O1 - Hosts: 202.109.114.142 union.mop.com
    O1 - Hosts: 202.109.114.142 js.kkunion.com
    O1 - Hosts: 202.109.114.142 v.kkunion.com
    O1 - Hosts: 202.109.114.142 v.21cn.com
    O1 - Hosts: 202.109.114.142 iplusms.allyes.com
    O1 - Hosts: 202.109.114.142 mms.t2t2.com
    O1 - Hosts: 202.109.114.142 ivr.dobig.net
    O1 - Hosts: 202.109.114.142 www.u8u.com
    O1 - Hosts: 202.109.114.142 u.u8u.com
    O1 - Hosts: 202.109.114.142 img.zhangxiu.com
    O1 - Hosts: 202.109.114.142 tl.linktone.com
    O1 - Hosts: 202.109.114.142 channel.e78.com
    O1 - Hosts: 202.109.114.142 u.7town.com
    O1 - Hosts: 202.109.114.142 union.95ol.com.cn
    O1 - Hosts: 202.109.114.142 mms1.95ol.com.cn
    O1 - Hosts: 202.109.114.142 mfs.95ol.com.cn
    O1 - Hosts: 202.109.114.142 tl.a8.com
    O1 - Hosts: 202.109.114.142 ad01.a8.com
    O1 - Hosts: 202.109.114.142 u2.caiku.com
    O1 - Hosts: 202.109.114.142 mms.caiku.com
    O1 - Hosts: 202.109.114.142 code1.caiku.com
    O1 - Hosts: 202.109.114.142 pub.lele.com
    O1 - Hosts: 202.109.114.142 u.lele.com
    O1 - Hosts: 202.109.114.142 7town.com
    O1 - Hosts: 202.109.114.142 tvsend.7town.com
    O1 - Hosts: 202.109.114.142 ivrsend.7town.com
    O1 - Hosts: 202.109.114.142 tlt.7town.com
    O1 - Hosts: 202.109.114.142 gsend.7town.com
    O1 - Hosts: 202.109.114.142 smssend.7town.com
    O1 - Hosts: 202.109.114.142 mmssend.moyu.com
    O1 - Hosts: 202.109.114.142 91ivr.com
    O1 - Hosts: 202.109.114.142 myad.91ivr.com
    O1 - Hosts: 202.109.114.142 u.91ivr.com
    O1 - Hosts: 202.109.114.142 union.91ivr.com
    O1 - Hosts: 202.109.114.142 cm.p4p.cn.yahoo.com
    O1 - Hosts: 202.109.114.142 un.265.com
    O1 - Hosts: 202.109.114.142 union.qq.com
    O1 - Hosts: 202.109.114.142 view.aliunion.cn.yahoo.com
    O1 - Hosts: 202.109.114.142 union.narrowad.com
    O1 - Hosts: 202.109.114.142 ln.heima8.com
    O1 - Hosts: 202.109.114.142 www.fboat.cn
    O1 - Hosts: 202.109.114.142 cpro.baidu.com
    O1 - Hosts: 202.109.114.142 unstat.baidu.com
    O1 - Hosts: 202.109.114.142 y.cnxad.com
    O1 - Hosts: 202.109.114.142 www.ewowo.com
    O1 - Hosts: 202.109.114.142 template.union.163.com
    O1 - Hosts: 202.109.114.142 new.is686.com
    O1 - Hosts: 202.109.114.142 creative.unionsys.bolaa.com
    O1 - Hosts: 202.109.114.142 www.qyule.com
    O1 - Hosts: 202.109.114.142 99e.cc
    O1 - Hosts: 202.109.114.142 www.91ivr.com
    O1 - Hosts: 202.109.114.142 mg.ukaka.com
    O1 - Hosts: 202.109.114.142 kooxoo2.ad4all.net
    O1 - Hosts: 202.109.114.142 www.8fff.com
    O1 - Hosts: 202.109.114.142 union.pomoho.com
    O1 - Hosts: 202.109.114.142 202.107.233.211
    O1 - Hosts: 202.109.114.142 www.end123.com
    O1 - Hosts: 202.109.114.142 w1.7clink.com
    O1 - Hosts: 202.109.114.142 w2.7clink.com
    O1 - Hosts: 202.109.114.142 union01.com
    O1 - Hosts: 202.109.114.142 click.8le8le.com
    O1 - Hosts: 202.109.114.142 stbanner.allyes.com
    O1 - Hosts: 202.109.114.142 mms1.moyu.com
    O1 - Hosts: 202.109.114.142 u.moyu.com
    O1 - Hosts: 202.109.114.142 mmsu.moyu.com
    O1 - Hosts: 202.109.114.142 show.moyu.com
    O1 - Hosts: 202.109.114.142 ivrsend.moyu.com
    O1 - Hosts: 202.109.114.142 ivru.moyu.com
    O1 - Hosts: 202.109.114.142 ivr1.moyu.com
    O1 - Hosts: 203.191.146.205 corep.dmcast.com
    O1 - Hosts: 203.191.146.205 m081.dmcast.com
    O1 - Hosts: 203.191.146.205 dcww.dmcast.com
    O1 - Hosts: 203.191.146.205 renren.dmcast.com
    O1 - Hosts: 203.191.146.205 files.henbang.net
    O1 - Hosts: 203.191.146.205 bannerbox.cn
    O1 - Hosts: 203.191.146.205 www.bannerbox.cn
    O1 - Hosts: 203.191.146.205 action.coopen.cn
    O1 - Hosts: 203.191.146.205 u4.sky99.cn
    O1 - Hosts: 203.191.146.205 u1.sky99.cn
    O1 - Hosts: 203.191.146.205 u2.sky99.cn
    O1 - Hosts: 203.191.146.205 u3.sky99.cn
    O1 - Hosts: 203.191.146.205 sky99.cn
    O1 - Hosts: 203.191.146.205 u.sky99.cn
    O1 - Hosts: 203.191.146.205 u.ete.cn
    O1 - Hosts: 203.191.146.205 ip.alexaanywhere.com
    O1 - Hosts: 203.191.146.205 www.365tan.com
    O1 - Hosts: 203.191.146.205 www.winopen.cn
    O1 - Hosts: 203.191.146.205 www.tanip.com
    O1 - Hosts: 203.191.146.205 alexaanywhere.com
    O1 - Hosts: 203.191.146.205 jssb.alexaanywhere.com
    O1 - Hosts: 203.191.146.205 ns250.alexaanywhere.com
    O1 - Hosts: 203.191.146.205 sb.alexaanywhere.com
    O1 - Hosts: 203.191.146.205 ip.alexaanywhere.com
    O1 - Hosts: 203.191.146.205 pop.9v.cn
    O1 - Hosts: 203.191.146.205 xuni.myad.cn
    O1 - Hosts: 203.191.146.205 iebar.t2t2.com
    O1 - Hosts: 203.191.146.205 error.newcell.cn
    O1 - Hosts: 203.191.146.205 auto.search.msn.com
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: (no name) - {031882e5-f020-40a9-849c-fde8950dba61} - C:\WINDOWS\system32\ipsuid.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: ChinaBuy Class - {85FAEA13-9C62-4917-8571-B35C563A1943} - C:\WINDOWS\system32\buyunion.dll
    O2 - BHO: QQHelper Class - {BF182DBF-1283-4BD3-86EE-D3239228770C} - C:\Program Files\Internet Explorer\Connection Wizard\QQZoneHelper.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SiSPower] "Rundll32.exe" SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [NapsterShell] "C:\Program Files\Napster\napster.exe" /systray
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [tlleiij] "C:\Program Files\directx\tlleiij.exe"
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O4 - Global Startup: ykhhlj.lnk = C:\Program Files\FaxTools\ykhhljk.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: ipsuid - ipsuid.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Fax 2Client (ms_2fax) - Unknown owner - C:\WINDOWS\system32\6e5a1.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    *******************AWF Logfile***************
    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\HP\KBD\BAK

    02/11/2003 10:02 PM 61,440 KBD.EXE
    1 File(s) 61,440 bytes

    Directory of C:\PROGRA~1\ITUNES\BAK

    10/30/2006 10:36 AM 256,576 iTunesHelper.exe
    1 File(s) 256,576 bytes

    Directory of C:\PROGRA~1\NAPSTER\BAK

    06/29/2006 02:17 PM 319,488 napster.exe
    1 File(s) 319,488 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    10/25/2006 07:58 PM 282,624 qttask.exe
    1 File(s) 282,624 bytes

    Directory of C:\WINDOWS\SMINST\BAK

    04/14/2004 10:43 PM 233,472 RECGUARD.EXE
    1 File(s) 233,472 bytes

    Directory of C:\WINDOWS\SYSTEM\BAK

    05/07/1998 06:04 PM 52,736 hpsysdrv.exe
    1 File(s) 52,736 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 07:00 AM 15,360 ctfmon.exe
    08/21/2004 12:55 AM 155,648 igfxtray.exe
    09/12/2003 10:13 PM 98,304 ps2.exe
    3 File(s) 269,312 bytes

    Directory of C:\HP\DRIVERS\HPLSBW~1\BAK

    10/14/2004 11:54 PM 253,952 lsburnwatcher.exe
    1 File(s) 253,952 bytes

    Directory of C:\PROGRA~1\TRENDM~1\ANTIVI~1\BAK

    02/17/2004 05:51 PM 950,337 pccguide.exe
    02/17/2004 05:51 PM 634,949 PCClient.exe
    02/17/2004 05:50 PM 290,816 TMOAgent.exe
    3 File(s) 1,876,102 bytes

    Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

    05/02/2006 03:51 PM 3,334,144 YAHOOM~1.EXE
    1 File(s) 3,334,144 bytes

    Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

    04/13/2004 03:07 PM 69,632 issch.exe
    04/17/2004 09:41 PM 196,608 ISUSPM.exe
    2 File(s) 266,240 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    10/20/2004 09:25 AM 180,269 realsched.exe
    1 File(s) 180,269 bytes

    Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

    08/19/2003 10:01 AM 110,592 sgtray.exe
    1 File(s) 110,592 bytes

    Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

    07/26/2006 03:03 AM 49,263 jusched.exe
    1 File(s) 49,263 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
    256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
    256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    102400 Apr 8 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
    108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
    319488 Jun 29 2006 "C:\Program Files\Napster\napster.exe"
    319488 Jun 29 2006 "C:\Program Files\Napster\bak\napster.exe"
    282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
    233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
    52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    155648 Aug 21 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
    98304 Sep 12 2003 "C:\hp\drivers\keyboard\PS2.EXE"
    98304 Sep 12 2003 "C:\WINDOWS\system32\bak\ps2.exe"
    253952 Oct 14 2004 "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
    950337 Feb 17 2004 "C:\Program Files\Trend Micro\Antivirus\bak\pccguide.exe"
    634949 Feb 17 2004 "C:\Program Files\Trend Micro\Antivirus\bak\PCClient.exe"
    290816 Feb 17 2004 "C:\Program Files\Trend Micro\Antivirus\bak\TMOAgent.exe"
    3334144 May 2 2006 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
    69632 Apr 13 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
    196608 Apr 17 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
    180269 Oct 20 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
    32881 Oct 20 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
    49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe"


    end of report
     
  13. 2007/06/14
    tjames238 Inactive Thread Starter
    Here are the SDFix log and ComboFix log.
    Vundo ran and deleted but I didn't get a VundoFix.txt file. I ran it again and it didn't find anything.

    SDFix: Version 1.87

    Run by Compaq_Owner on Thu 06/14/2007 at 08:54 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\DOCUME~1\COMPAQ~1\Desktop\SDFix

    Safe Mode:
    Checking Services:


    ***********Combo Log******************
    ComboFix 07-06-13.3 - C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
    "Compaq_Owner" - 2007-06-14 21:56:05 - Service Pack 2 NTFS


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\t
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\t\a1009.dat
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\t\ad\d21dd114b\0001.exe
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\t\ad\send.lz
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\t\b1009.dat
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\t\k1009.dat
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\t\p1009.dat
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\t\r1009.dat
    C:\Program Files\deepdo
    C:\Program Files\deepdo\DeepdoBar\Favorite\favorite.ini
    C:\Program Files\deepdo\DeepdoBar\Favorite\Update.ini
    C:\Program Files\Internet Explorer\KVMonXP41.exe
    C:\Program Files\Internet Explorer\KVMonXP42.exe
    C:\Program Files\internet explorer\user32.dll
    C:\Program Files\ptjn\cgwa.dll
    C:\Program Files\ptjn\eiyc.dll
    C:\Program Files\ptjn\hlbf.dll
    C:\Program Files\ptjn\zdtx.dll
    C:\WINDOWS\7321.exe
    C:\WINDOWS\installreg.exe
    C:\WINDOWS\mydown_tmp.txt
    C:\WINDOWS\mywinsys.ini
    C:\WINDOWS\sysdn.ini
    C:\WINDOWS\system32\4b1.dll
    C:\WINDOWS\system32\advport.dll
    C:\WINDOWS\system32\b6e1.dll
    C:\WINDOWS\system32\drivers\dgyny.sys
    C:\WINDOWS\system32\drivers\iazjhv.sys
    C:\WINDOWS\system32\drivers\tugfry.sys
    C:\WINDOWS\system32\drivers\usrinit.dll
    C:\WINDOWS\system32\drivers\xtrpci.sys
    C:\WINDOWS\system32\iazjhv.dll
    C:\WINDOWS\system32\mywebhit.ini
    C:\WINDOWS\system32\mywebhit.ini.tmp
    C:\WINDOWS\system32\score.txt
    C:\WINDOWS\system32\scrsys070424.scr
    C:\WINDOWS\system32\tugfry.dll
    C:\WINDOWS\system32\usrinit.ini
    C:\WINDOWS\system32\xtrpci.dll


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_BNESS
    -------\LEGACY_DGYNY
    -------\LEGACY_IAZJHV
    -------\LEGACY_MSQMX
    -------\LEGACY_SCRIPTS
    -------\LEGACY_TUGFRY
    -------\LEGACY_XTRPCI
    -------\BNESS
    -------\dgyny
    -------\iazjhv
    -------\Scripts
    -------\tugfry
    -------\xtrpci


    ((((((((((((((((((((((((( Files Created from 2007-05-15 to 2007-06-15 )))))))))))))))))))))))))))))))


    2007-06-14 21:55 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-14 21:17 <DIR> d-------- C:\VundoFix Backups
    2007-06-14 02:16 <DIR> d-------- C:\Spyware Tools
    2007-06-14 01:27 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
    2007-06-14 01:27 <DIR> d-------- C:\Program Files\Lexmark X1100 Series
    2007-06-14 00:58 <DIR> d-------- C:\Program Files\CCleaner
    2007-06-14 00:15 <DIR> d-------- C:\Program Files\ABBYY FineReader 6.0
    2007-06-14 00:15 <DIR> d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
    2007-06-14 00:14 <DIR> d-------- C:\Program Files\FaxTools
    2007-06-14 00:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRP Software
    2007-06-13 11:35 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1.JEF\NTUSER.DAT
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\WINDOWS
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Symantec
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Sonic
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\SampleView
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Real
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Intervideo
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Apple Computer
    2007-06-13 11:26 114,688 -r------- C:\WINDOWS\system32\6e5a1.exe
    2007-06-06 13:53 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Lavasoft
    2007-06-06 13:52 <DIR> d-------- C:\Program Files\Lavasoft
    2007-06-05 23:34 43 --a------ C:\WINDOWS\hosts.dat
    2007-06-05 21:33 41,318 --a------ C:\WINDOWS\other32575625.exe
    2007-06-05 10:06 26,624 --a------ C:\WINDOWS\other2080936.exe
    2007-06-05 10:05 20,480 --a------ C:\WINDOWS\other14385623.exe
    2007-06-05 10:04 272,337 --a------ C:\WINDOWS\other22295779.exe
    2007-06-05 00:39 86,016 --a------ C:\WINDOWS\system32\buyunion.dll
    2007-06-02 17:02 26,112 --a------ C:\WINDOWS\other53484744.exe
    2007-06-02 17:02 20,480 --a------ C:\WINDOWS\other26934451.exe
    2007-06-02 17:01 272,337 --a------ C:\WINDOWS\other45660037.exe
    2007-06-02 11:02 26,112 --a------ C:\WINDOWS\other55646914.exe
    2007-06-02 11:01 272,337 --a------ C:\WINDOWS\other73229617.exe
    2007-06-02 11:01 20,480 --a------ C:\WINDOWS\other38854617.exe
    2007-05-29 22:06 162,142 --a------ C:\WINDOWS\other86213320.exe
    2007-05-29 15:27 20,480 --a------ C:\WINDOWS\other49917239.exe
    2007-05-29 15:16 272,337 --a------ C:\WINDOWS\other7168216.exe
    2007-05-28 12:22 272,337 --a------ C:\WINDOWS\other26545352.exe
    2007-05-28 12:22 20,480 --a------ C:\WINDOWS\other67205447.exe
    2007-05-28 12:12 272,337 --a------ C:\WINDOWS\other40087527.exe
    2007-05-28 12:12 20,480 --a------ C:\WINDOWS\other74169558.exe
    2007-05-28 12:12 <DIR> d-------- C:\Program Files\ptjn


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-14 06:26:18 -------- d-----w C:\Program Files\MyWebSearch
    2007-06-14 05:14:10 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-06-13 17:24:18 -------- d-----w C:\Program Files\FunWebProducts
    2007-06-10 16:46:30 -------- d-----w C:\Program Files\directx
    2007-06-06 21:01:18 -------- d-----w C:\Program Files\Freeze.com
    2007-06-06 18:52:00 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-05 21:19:05 8,704 ------w C:\WINDOWS\system32\nwizqqhx.dll
    2007-05-26 19:11:52 -------- d-----w C:\Program Files\Free Offers from Freeze.com
    2007-05-23 16:14:31 14,848 ----a-w C:\WINDOWS\system32\nwizwmsjs.dll
    2007-05-22 02:55:40 -------- d-----w C:\Program Files\Napster
    2007-05-14 03:25:43 -------- d-----w C:\Program Files\LimeWire
    2007-05-11 18:35:17 3,328 ----a-w C:\WINDOWS\MsAudio.sys
    2007-05-11 18:35:16 69,632 ----a-w C:\WINDOWS\EBSPI.dll
    2007-05-11 18:25:07 10,316 ----a-w C:\WINDOWS\jh.exe
    2007-05-11 12:25:48 8,704 ----a-w C:\WINDOWS\system32\dh2102.dll
    2007-05-11 12:14:47 8,704 ----a-w C:\WINDOWS\system32\dh2101.dll
    2007-05-11 01:06:06 8,704 ----a-w C:\WINDOWS\system32\dh2100.dll
    2007-05-08 00:41:29 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\iWin
    2007-05-08 00:37:01 -------- d-----w C:\Program Files\HP Games
    2007-04-27 18:31:33 7,680 ------w C:\WINDOWS\system32\nwizwmgjs.dll
    2007-04-25 18:00:02 13,312 ------w C:\WINDOWS\system32\nwizQQFO.dll
    2007-04-21 15:03:39 13,312 ------w C:\WINDOWS\system32\nwizwows.dll
    2007-04-18 18:47:16 8,704 ------w C:\WINDOWS\system32\nwizwlwz100.dll
    2007-04-15 06:26:23 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\HP
    2007-04-06 20:04:45 164 ----a-w C:\install.dat
    2007-03-15 17:04:26 5,658 ----a-w C:\DOCUME~1\COMPAQ~1\APPLIC~1\wklnhst.dat
    2006-04-02 01:14:52 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll [2006-04-17 19:37]
    {031882e5-f020-40a9-849c-fde8950dba61}=C:\WINDOWS\system32\ipsuid.dll []
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-01-06 12:52]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll [2006-07-26 03:17]
    {7C554162-8CB7-45A4-B8F4-8EA1C75885F9}=C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll [2005-11-30 13:17]
    {85FAEA13-9C62-4917-8571-B35C563A1943}=C:\WINDOWS\system32\buyunion.dll [2007-06-06 11:00]
    {BF182DBF-1283-4BD3-86EE-D3239228770C}=C:\Program Files\Internet Explorer\Connection Wizard\QQZoneHelper.dll [2005-05-29 10:07]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" []
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" []
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" []
    "VTTimer"="VTTimer.exe" []
    "SiSPower"="Rundll32.exe" [2004-08-04 07:00 C:\WINDOWS\system32\rundll32.exe]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 19:06 C:\WINDOWS\AGRSMMSG.exe]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 22:47 C:\WINDOWS\ALCXMNTR.EXE]
    "NapsterShell"="C:\Program Files\Napster\napster.exe" [2006-06-29 14:17]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-05 17:38]
    "tlleiij"="C:\Program Files\directx\tlleiij.exe" [2005-06-10 11:46]
    "Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 05:43]
    "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:55]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" []
    "Acme.PCHButton"="C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe" [2004-10-21 01:04]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipsuid]
    ipsuid.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
    uyos


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


    Contents of the 'Scheduled Tasks' folder
    2007-06-14 23:00:00 C:\WINDOWS\tasks\1Gh3yKYh.job
    2007-05-27 13:54:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    2007-06-14 23:00:00 C:\WINDOWS\tasks\h.job
    2007-06-14 23:00:00 C:\WINDOWS\tasks\K8NQTDXtgCeu8N4ob.job
    2007-06-14 23:00:00 C:\WINDOWS\tasks\MwqmTiWVHXBHan.job
    2007-06-14 23:00:00 C:\WINDOWS\tasks\PYca.job
    2007-06-13 21:00:00 C:\WINDOWS\tasks\wrSpySweeper_L45D879D57E484D71A474ECACCC08B700.job
    2007-06-13 21:00:00 C:\WINDOWS\tasks\wrSpySweeper_L78D979FD361544EBAB10BFA1D96C4EBA.job
    2007-06-14 23:00:00 C:\WINDOWS\tasks\zKl1Nm.job
    2007-06-14 23:00:00 C:\WINDOWS\tasks\ZVPkL7b4IVvNdigZAX.job

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-14 22:01:23
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-14 22:03:46 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-06-14 22:03

    --- E O F ---
     
  14. 2007/06/14
    tjames238 Inactive Thread Starter
    This has been put in 2 separate posts because it was so long.

    ************HJT Start up*****************
    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    No Trojan Files Found




    Removing Temp Files...

    ADS Check:

    Checking C:\WINDOWS\
    C:\WINDOWS
    No streams found.

    Checking C:\WINDOWS\system32
    C:\WINDOWS\system32
    No streams found.

    Checking C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.

    Checking C:\WINDOWS\system32\ntoskrnl.exe
    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe:*:Enabled:BackWeb for Presario"
    "C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\Program Files\\FunWebProducts\\ykhhljk.exe"="C:\\Program Files\\FunWebProducts\\ykhhljk.exe:*:Enabled:pop"
    "C:\\WINDOWS\\system32\\zflfngn.exe"="C:\\WINDOWS\\system32\\zflfngn.exe:*:Enabled:pop"
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\\Program Files\\directx\\tlleiij.exe"="C:\\Program Files\\directx\\tlleiij.exe:*:Enabled:pop"
    "C:\\Program Files\\FaxTools\\ykhhljk.exe"="C:\\Program Files\\FaxTools\\ykhhljk.exe:*:Enabled:pop"
    "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"

    Remaining Files:
    ---------------


    Listing Files with Hidden Attributes:

    C:\Program Files\Internet Explorer\use30.dll
    C:\Program Files\Internet Explorer\use31.dll
    C:\Program Files\Internet Explorer\use32.dll
    C:\Program Files\Internet Explorer\use41.dll
    C:\Program Files\Internet Explorer\use42.dll
    C:\Program Files\Internet Explorer\use43.dll
    C:\Program Files\Internet Explorer\user32.dll
    C:\Program Files\Internet Explorer\user3210.dll
    C:\Program Files\Internet Explorer\user3211.dll
    C:\Program Files\Internet Explorer\user3212.dll
    C:\Program Files\Internet Explorer\user3213.dll
    C:\Program Files\Internet Explorer\user3214.dll
    C:\Program Files\Internet Explorer\user3215.dll
    C:\Program Files\Internet Explorer\user3216.dll
    C:\Program Files\Internet Explorer\user3217.dll
    C:\Program Files\Internet Explorer\user3218.dll
    C:\Program Files\Internet Explorer\user3219.dll
    C:\Program Files\Internet Explorer\user3220.dll
    C:\Program Files\Internet Explorer\user3221.dll
    C:\Program Files\Internet Explorer\user3222.dll
    C:\Program Files\Internet Explorer\user3223.dll
    C:\Program Files\Internet Explorer\user3224.dll
    C:\Program Files\Internet Explorer\user3225.dll
    C:\Program Files\Internet Explorer\user3226.dll
    C:\Program Files\Internet Explorer\user3227.dll
    C:\Program Files\Internet Explorer\user3228.dll
    C:\Program Files\Internet Explorer\user3229.dll
    C:\Program Files\Internet Explorer\user3230.dll
    C:\Program Files\Internet Explorer\user3231.dll
    C:\Program Files\Internet Explorer\user3232.dll
    C:\Program Files\Internet Explorer\user3233.dll
    C:\Program Files\Internet Explorer\user3234.dll
    C:\Program Files\Internet Explorer\user3235.dll
    C:\Program Files\Internet Explorer\user3236.dll
    C:\Program Files\Internet Explorer\user3237.dll
    C:\Program Files\Internet Explorer\user3238.dll
    C:\Program Files\Internet Explorer\user3239.dll
    C:\Program Files\Internet Explorer\user324.dll
    C:\Program Files\Internet Explorer\user3240.dll
    C:\Program Files\Internet Explorer\user3241.dll
    C:\Program Files\Internet Explorer\user3242.dll
    C:\Program Files\Internet Explorer\user3243.dll
    C:\Program Files\Internet Explorer\user3244.dll
    C:\Program Files\Internet Explorer\user3245.dll
    C:\Program Files\Internet Explorer\user3246.dll
    C:\Program Files\Internet Explorer\user3247.dll
    C:\Program Files\Internet Explorer\user3248.dll
    C:\Program Files\Internet Explorer\user3249.dll
    C:\Program Files\Internet Explorer\user325.dll
    C:\Program Files\Internet Explorer\user3250.dll
    C:\Program Files\Internet Explorer\user3251.dll
    C:\Program Files\Internet Explorer\user3252.dll
    C:\Program Files\Internet Explorer\user3253.dll
    C:\Program Files\Internet Explorer\user3254.dll
    C:\Program Files\Internet Explorer\user3255.dll
    C:\Program Files\Internet Explorer\user3256.dll
    C:\Program Files\Internet Explorer\user3257.dll
    C:\Program Files\Internet Explorer\user3258.dll
    C:\Program Files\Internet Explorer\user3259.dll
    C:\Program Files\Internet Explorer\user326.dll
    C:\Program Files\Internet Explorer\user3260.dll
    C:\Program Files\Internet Explorer\user3261.dll
    C:\Program Files\Internet Explorer\user3262.dll
    C:\Program Files\Internet Explorer\user3263.dll
    C:\Program Files\Internet Explorer\user3264.dll
    C:\Program Files\Internet Explorer\user3265.dll
    C:\Program Files\Internet Explorer\user3266.dll
    C:\Program Files\Internet Explorer\user3267.dll
    C:\Program Files\Internet Explorer\user3268.dll
    C:\Program Files\Internet Explorer\user3269.dll
    C:\Program Files\Internet Explorer\user327.dll
    C:\Program Files\Internet Explorer\user3270.dll
    C:\Program Files\Internet Explorer\user3271.dll
    C:\Program Files\Internet Explorer\user3272.dll
    C:\Program Files\Internet Explorer\user3273.dll
    C:\Program Files\Internet Explorer\user3274.dll
    C:\Program Files\Internet Explorer\user3275.dll
    C:\Program Files\Internet Explorer\user3276.dll
    C:\Program Files\Internet Explorer\user3277.dll
    C:\Program Files\Internet Explorer\user3278.dll
    C:\Program Files\Internet Explorer\user328.dll
    C:\Program Files\Internet Explorer\user329.dll
    C:\Program Files\Internet Explorer\Connection Wizard\QQZoneHelper.dll
    C:\Program Files\Internet Explorer\KVMonXP41.exe
    C:\Program Files\Internet Explorer\KVMonXP42.exe
    C:\WINDOWS\SMINST\HPCD.sys
    C:\Documents and Settings\Compaq_Owner\Application Data\Roxio\Dragon\DiscInfoCache\LITE-ON__DVDRW_SOHW-1633S_BPSA_300_DICV018_DRGV2050102.TMP
    C:\WINDOWS\cdgfii.tmp
    C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6752e343d22c025be1f290a6267a146d\BIT7.tmp

    Listing User Accounts:

    User accounts for \\JEFFERSON-AW

    Administrator Compaq_Owner Guest
    HelpAssistant SUPPORT_388945a0 SUPPORT_fddfa904


    Finished

    StartupList report, 6/14/2007, 10:12:54 PM
    StartupList version: 1.52.2
    Started from : C:\Program Files\Hijackthis\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\6e5a1.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Napster\napster.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\directx\tlleiij.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    C:\Program Files\FaxTools\ykhhljk.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    ykhhlj.lnk = C:\Program Files\FaxTools\ykhhljk.exe

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    UpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    ISUSPM Startup = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
    ISUSScheduler = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    VTTimer = VTTimer.exe
    SiSPower = "Rundll32.exe" SiSPower.dll,ModeAgent
    AGRSMMSG = AGRSMMSG.exe
    AlcxMonitor = ALCXMNTR.EXE
    NapsterShell = "C:\Program Files\Napster\napster.exe" /systray
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe "
    AVG7_CC = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    tlleiij = "C:\Program Files\directx\tlleiij.exe "
    Lexmark X1100 Series = "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    SpySweeper = C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    Yahoo! Pager = "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    Acme.PCHButton = C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------
     
  15. 2007/06/14
    tjames238
    This is the 2nd part of the HJT start log.

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{3A202177-913D-112B-54CD-72FF5FE1CF20}] *
    StubPath = C:\WINDOWS\system32\nwizmhxy.exe

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{4b218e3e-bc98-4770-93d3-2731b9329278}] *
    StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

    [{5FF01121-F04D-30cf-64CD-74FF5FE1CF1C}] *
    StubPath = C:\WINDOWS\system32\nwizdh.exe

    [{6A202101-A04D-21cf-65CD-31FF5FE1CF20}] *
    StubPath = C:\WINDOWS\system32\mydata.exe

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{79702107-A10D-11cf-64CD-51FF5FE1CF41}] *
    StubPath = C:\WINDOWS\system32\nwizwmsjs.exe

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

    [{8b15971b-5355-4c82-8c07-7e181ea07608}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

    [{95192103-834D-71CF-64CD-51E15112AF20}] *
    StubPath = C:\WINDOWS\system32\nwizhx2.exe

    [{AA312103-F04D-11cf-64CD-11EF5011CF20}] *
    StubPath = C:\WINDOWS\system32\nwizqjsj.exe

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
    (no name) - C:\WINDOWS\system32\ipsuid.dll (file missing) - {031882e5-f020-40a9-849c-fde8950dba61}
    (no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\Yahoo!\Common\yiesrvc.dll - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
    (no name) - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    (no name) - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
    (no name) - C:\WINDOWS\system32\buyunion.dll - {85FAEA13-9C62-4917-8571-B35C563A1943}
    (no name) - C:\Program Files\Internet Explorer\Connection Wizard\QQZoneHelper.dll - {BF182DBF-1283-4BD3-86EE-D3239228770C}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    1Gh3yKYh.job
    AppleSoftwareUpdate.job
    h.job
    K8NQTDXtgCeu8N4ob.job
    MwqmTiWVHXBHan.job
    PYca.job
    wrSpySweeper_L45D879D57E484D71A474ECACCC08B700.job
    wrSpySweeper_L78D979FD361544EBAB10BFA1D96C4EBA.job
    zKl1Nm.job
    ZVPkL7b4IVvNdigZAX.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]
    CODEBASE = http://ak.exe.imgfarm.com/images/no...ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab

    [Java Plug-in 1.5.0_08]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab

    [Java Plug-in 1.5.0_08]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab

    [Java Plug-in 1.5.0_08]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS\System32\mswsock.dll
    NameSpace #2: C:\WINDOWS\System32\winrnr.dll
    NameSpace #3: C:\WINDOWS\System32\mswsock.dll
    Protocol #1: C:\WINDOWS\system32\mswsock.dll
    Protocol #2: C:\WINDOWS\system32\mswsock.dll
    Protocol #3: C:\WINDOWS\system32\mswsock.dll
    Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #6: C:\WINDOWS\system32\mswsock.dll
    Protocol #7: C:\WINDOWS\system32\mswsock.dll
    Protocol #8: C:\WINDOWS\system32\mswsock.dll
    Protocol #9: C:\WINDOWS\system32\mswsock.dll
    Protocol #10: C:\WINDOWS\system32\mswsock.dll
    Protocol #11: C:\WINDOWS\system32\mswsock.dll
    Protocol #12: C:\WINDOWS\system32\mswsock.dll
    Protocol #13: C:\WINDOWS\system32\mswsock.dll

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
    Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
    AFD: \SystemRoot\System32\drivers\afd.sys (system)
    Agere Systems Soft Modem: system32\DRIVERS\AGRSM.sys (manual start)
    Intel AGP Bus Filter: system32\DRIVERS\agp440.sys (system)
    Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
    Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
    Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
    AMD K7 Processor Driver: system32\DRIVERS\amdk7.sys (system)
    AMD Athlon64 Processor Driver: system32\DRIVERS\AmdK8.sys (system)
    Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    1394 ARP Client Protocol: system32\DRIVERS\arp1394.sys (manual start)
    ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
    RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
    AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (autostart)
    AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
    AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
    AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
    AVG7 Update Service: C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (autostart)
    AVG7 Clean Driver: \SystemRoot\System32\Drivers\avgclean.sys (system)
    AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (autostart)
    AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
    Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
    Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
    COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
    DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Disk Driver: system32\DRIVERS\disk.sys (system)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    dmio: System32\drivers\dmio.sys (disabled)
    dmload: System32\drivers\dmload.sys (disabled)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
    Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
    fasttx2k: system32\DRIVERS\fasttx2k.sys (system)
    Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Fax: %systemroot%\system32\fxssvc.exe (manual start)
    Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
    Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
    FltMgr: system32\DRIVERS\fltMgr.sys (system)
    Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
    GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
    Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    USB to IEEE-1284.4 Translation Driver HPZius12: system32\DRIVERS\HPZius12.sys (manual start)
    HTTP: System32\Drivers\HTTP.sys (manual start)
    HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
    ialm: system32\DRIVERS\ialmnt5.sys (manual start)
    CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
    IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
    IntelIde: \SystemRoot\system32\DRIVERS\intelide.sys (disabled)
    Intel Processor Driver: system32\DRIVERS\intelppm.sys (manual start)
    IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
    IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
    iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (manual start)
    IPSEC driver: system32\DRIVERS\ipsec.sys (system)
    IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
    PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
    IVI ASPI Shell: system32\drivers\iviaspi.sys (manual start)
    Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    LexBce Server: C:\WINDOWS\system32\LEXBCES.EXE (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
    Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
    Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
    WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
    Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
    Fax 2Client: C:\WINDOWS\system32\6e5a1.exe (autostart)
    Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
    Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    1394 Net Driver: system32\DRIVERS\nic1394.sys (manual start)
    Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    File Replication Service: C:\WINDOWS\system32\ntfrs.exe (autostart)
    NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
    O&O Defrag: C:\WINDOWS\system32\oodag.exe (autostart)
    Microsoft Office Diagnostics Service: "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE" (manual start)
    VIA OHCI Compliant IEEE 1394 Host Controller: system32\DRIVERS\ohci1394.sys (system)
    Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
    Parallel port driver: system32\DRIVERS\parport.sys (manual start)
    PCI Bus Driver: system32\DRIVERS\pci.sys (system)
    PCIIde: system32\DRIVERS\pciide.sys (system)
    Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
    WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
    Processor Driver: system32\DRIVERS\processr.sys (system)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    PS2: system32\DRIVERS\PS2.sys (manual start)
    QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
    Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
    PxHelp20: System32\Drivers\PxHelp20.sys (system)
    qgfaiu: system32\drivers\qgfaiu.sys (system)
    Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
    Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
    Rdbss: system32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
    Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
    Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver: system32\DRIVERS\R8139n51.SYS (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: system32\DRIVERS\secdrv.sys (manual start)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
    Serial port driver: system32\DRIVERS\serial.sys (system)
    Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SiS315: system32\DRIVERS\sisgrp.sys (manual start)
    SiS AGP Filter: system32\DRIVERS\SISAGPX.sys (system)
    SiSkp: system32\DRIVERS\srvkp.sys (system)
    SiS PCI Fast Ethernet Adapter Driver: system32\DRIVERS\sisnic.sys (manual start)
    Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
    System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Srv: system32\DRIVERS\srv.sys (manual start)
    SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
    Spy Sweeper File System Filer Driver: 0509: SYSTEM32\Drivers\SSFS0509.SYS (system)
    Spy Sweeper Hookrack MiniDriver: SYSTEM32\Drivers\SSHRMD.SYS (system)
    Spy Sweeper Interdiction Driver: SYSTEM32\Drivers\SSIDRV.SYS (system)
    Webroot Spy Sweeper Keylogger Shield Keyboard Filter: System32\Drivers\sskbfd.sys (manual start)
    Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
    Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{04643054-32BA-4D95-828F-F4AEE633949D} (manual start)
    SYMIDSCO: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20040813.178\symidsco.sys (manual start)
    Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
    Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
    Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
    Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
    Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
    Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
    Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
    Microsoft USB Standard Hub Driver: system32\DRIVERS\usbhub.sys (manual start)
    Microsoft USB Open Host Controller Miniport Driver: system32\DRIVERS\usbohci.sys (manual start)
    Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
    USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
    USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
    Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
    Windows uyos RunThem: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
    VIA AGP Filter: system32\DRIVERS\viaagp1.sys (system)
    viagfx: system32\DRIVERS\vtmini.sys (manual start)
    ViaIde: \SystemRoot\system32\DRIVERS\viaide.sys (disabled)
    Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Webroot Spy Sweeper Engine: "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
    WpdUsb: System32\Drivers\wpdusb.sys (manual start)
    Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll

    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *No values found*

    --------------------------------------------------

    End of report, 35,654 bytes
    Report generated in 0.125 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  16. 2007/06/15
    TeMerc Inactive Alumni
    It's gonna take some time to get thru these, so let's run a couple of other apps.

    Also, please look for the Vundo.txt, it ought to be on the 'C' drive.

    Then:
    1.
    Download GMER from one of the following sites listed on this Google page.
    • Right-click the Zip file to open it and select "Extract All".
    • Double-click gmer.exe to launch the program.
    • Click on the Rootkit tab and, on the right side, untick the Registry [] box, then click Scan.
    Once the scan is done, hit the [copy] button, then open Notepad and paste the results here for me to see.


    2.
    Download Deljob.exe and save it to your desktop.
    Doubleclick Deljob.exe.

    A log (logit.txt) should open afterwards. This log will be present on your desktop.
    Post the contents of the logfile in your next reply along with the GMER log, please.
     
  17. 2007/06/15
    tjames238 Inactive Thread Starter
    Here is the GMER log.
    GMER 1.0.12.12244 - http://www.gmer.net
    Rootkit scan 2007-06-15 10:30:11
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.12 ----

    SSDT 845CBA80 ZwAllocateVirtualMemory
    SSDT 845E8890 ZwCreateKey
    SSDT 845CBFA8 ZwCreateProcess
    SSDT 845CBF30 ZwCreateProcessEx
    SSDT 845CBD50 ZwCreateThread
    SSDT 845CC320 ZwDeleteKey
    SSDT 845CB020 ZwDeleteValueKey
    SSDT 845CBAF8 ZwQueueApcThread
    SSDT 845CB990 ZwReadVirtualMemory
    SSDT 845CC2A8 ZwRenameKey
    SSDT 845CBBE8 ZwSetContextThread
    SSDT 845CC230 ZwSetInformationKey
    SSDT 845CBE40 ZwSetInformationProcess
    SSDT 845CBC60 ZwSetInformationThread
    SSDT qgfaiu.sys ZwSetValueKey
    SSDT 845CBDC8 ZwSuspendProcess
    SSDT 845CBB70 ZwSuspendThread
    SSDT 845CBEB8 ZwTerminateProcess
    SSDT 845CBCD8 ZwTerminateThread
    SSDT 845CBA08 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.12 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 23E8 805010EC 2 Bytes [ A8, BF ]
    .text ntkrnlpa.exe!ZwCallbackReturn + 2400 80501104 2 Bytes [ 50, BD ]
    .text ntkrnlpa.exe!ZwCallbackReturn + 25FC 80501300 2 Bytes [ F8, BA ]
    .text ntkrnlpa.exe!ZwCallbackReturn + 2680 80501384 2 Bytes CALL CCD47044
    .text ntkrnlpa.exe!ZwCallbackReturn + 26BC 805013C0 2 Bytes [ 40, BE ]
    .text ...
    ? C:\WINDOWS\system32\DRIVERS\update.sys

    ---- User code sections - GMER 1.0.12 ----

    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[720] kernel32.dll!CreateThread + 1A 7C810849 4 Bytes [ B3, F8, C3, 83 ]
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1648] kernel32.dll!CreateThread + 1A 7C810849 1 Byte [ 0B ]
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1648] kernel32.dll!CreateThread + 1C 7C81084B 2 Bytes [ C3, 83 ]
    .text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[2728] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0002FCB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[2728] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0002FEDC C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[2728] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0002FCB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[2728] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 0002FE60 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[2728] kernel32.dll!VirtualFree 7C809B14 5 Bytes JMP 0002FEA0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

    ---- Devices - GMER 1.0.12 ----

    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 841F4A48
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 841F3A20
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE 84257500
    Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 842529E8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 8424D558
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 8423CAE8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 84238638
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 83FC50C8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 83FAE0C8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 83FF60C8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 8446E168
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 84208AF8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 84205130
    Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 842515A8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL 842368D8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B6085A] avgtdi.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 8424E420
    Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 841B7F20
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP 8411A108
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 84495AB8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 844D4F20
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 8448D188
    Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 8449C3F8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 844AF3C8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 8449EB18
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 8449F548
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 844A0398
    Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 844A0918
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 841F4A48
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 841F3A20
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE 84257500
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 842529E8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 8424D558
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 8423CAE8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 84238638
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 83FC50C8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 83FAE0C8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 83FF60C8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 8446E168
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 84208AF8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 84205130
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 842515A8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL 842368D8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B6085A] avgtdi.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 8424E420
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 841B7F20
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP 8411A108
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 84495AB8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 844D4F20
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 8448D188
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 8449C3F8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 844AF3C8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 8449EB18
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 8449F548
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 844A0398
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 844A0918
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE 841F4A48
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 841F3A20
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE 84257500
    Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 842529E8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 8424D558
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 8423CAE8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 84238638
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 83FC50C8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 83FAE0C8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 83FF60C8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 8446E168
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 84208AF8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 84205130
    Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 842515A8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL 842368D8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B6085A] avgtdi.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 8424E420
    Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 841B7F20
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP 8411A108
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 84495AB8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 844D4F20
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 8448D188
    Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 8449C3F8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 844AF3C8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 8449EB18
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 8449F548
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 844A0398
    Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 844A0918
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE 841F4A48
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 841F3A20
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE 84257500
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 842529E8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 8424D558
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 8423CAE8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 84238638
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 83FC50C8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 83FAE0C8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 83FF60C8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 8446E168
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 84208AF8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 84205130
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 842515A8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL 842368D8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B6085A] avgtdi.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 8424E420
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL 841B7F20
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP 8411A108
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 84495AB8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 844D4F20
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 8448D188
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 8449C3F8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 844AF3C8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 8449EB18
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 8449F548
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 844A0398
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 844A0918
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE 841F4A48
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 841F3A20
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE 84257500
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 842529E8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 8424D558
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 8423CAE8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 84238638
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 83FC50C8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 83FAE0C8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 83FF60C8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 8446E168
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 84208AF8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 84205130
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 842515A8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL 842368D8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B6085A] avgtdi.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 8424E420
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 841B7F20
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP 8411A108
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 84495AB8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 844D4F20
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 8448D188
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 8449C3F8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 844AF3C8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 8449EB18
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 8449F548
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 844A0398
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 844A0918

    ---- EOF - GMER 1.0.12 ----
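The "---- System ----" section of a GMER log is the part worth reading first: each SSDT line names a kernel service and either the driver that now owns it or, when GMER cannot map the hook target to a loaded module, a bare kernel address. The following is an added Python example (not part of the thread and not GMER's code) that parses that section, flags module-owned hooks against an allowlist, and diffs two scans; the allowlist containing only AVG Anti-Spyware's guard.sys is an assumption, and the embedded inputs are trimmed excerpts of the two GMER scans posted in this thread (this one, and the rescan later in the thread).

```python
"""Triage and diff of the SSDT ('---- System ----') section of GMER logs.

Added example for this thread, not GMER's own code. KNOWN_HOOKERS is an
assumption: the only driver expected to own SSDT hooks on this machine is
AVG Anti-Spyware's guard.sys, which shows up in the rescan.
"""
import re
from typing import Dict, List, Tuple

# "SSDT <owner> <Zw-function>": owner is a driver path/name when GMER could map
# the hook target to a loaded module, otherwise a bare 32-bit kernel address.
SSDT_RE = re.compile(r"^SSDT\s+(\S.*?)\s+(Zw\w+)\s*$")
ADDRESS_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
KNOWN_HOOKERS = {"guard.sys"}  # assumption, see module docstring

# Trimmed excerpts (not the full logs) of the two scans posted in this thread.
SCAN_BEFORE = r"""GMER 1.0.12.12244 - http://www.gmer.net
---- System - GMER 1.0.12 ----

SSDT 845CBA80 ZwAllocateVirtualMemory
SSDT 845E8890 ZwCreateKey
SSDT qgfaiu.sys ZwSetValueKey
SSDT 845CBEB8 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 23E8 805010EC 2 Bytes [ A8, BF ]
"""

SCAN_AFTER = r"""---- System - GMER 1.0.12 ----

SSDT 8454A698 ZwAllocateVirtualMemory
SSDT 845E8DA0 ZwCreateKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT 8454ACB0 ZwSetValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----
"""


def parse_ssdt(log: str) -> Dict[str, str]:
    """Map each hooked Zw* service to its owner, from the System section only."""
    owners: Dict[str, str] = {}
    in_system = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("---- "):  # GMER section banner
            in_system = line.startswith("---- System")
            continue
        if in_system:
            m = SSDT_RE.match(line)
            if m:
                owners[m.group(2)] = m.group(1)
    return owners


def module_name(owner: str) -> str:
    """Last path component, lower-cased, of a module-owned hook."""
    return owner.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_address(owner: str) -> bool:
    return ADDRESS_RE.match(owner) is not None


def unattributed(owners: Dict[str, str]) -> int:
    """Hooks GMER could not map to a module; they still need manual review."""
    return sum(1 for o in owners.values() if is_address(o))


def triage(owners: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(service, module, verdict) for every module-owned hook; verdict is
    'known' when the module is on the allowlist, else 'UNKNOWN'."""
    rows = []
    for service, owner in sorted(owners.items()):
        if is_address(owner):
            continue
        name = module_name(owner)
        rows.append((service, name, "known" if name in KNOWN_HOOKERS else "UNKNOWN"))
    return rows


def compare(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, list]:
    """Module-owned hooks that disappeared or appeared between two scans."""
    b = {s: module_name(o) for s, o in before.items() if not is_address(o)}
    a = {s: module_name(o) for s, o in after.items() if not is_address(o)}
    return {
        "gone": sorted((s, m) for s, m in b.items() if a.get(s) != m),
        "new": sorted((s, m) for s, m in a.items() if b.get(s) != m),
    }


if __name__ == "__main__":
    before, after = parse_ssdt(SCAN_BEFORE), parse_ssdt(SCAN_AFTER)
    for label, owners in (("before", before), ("after", after)):
        print(f"{label}: {unattributed(owners)} unattributed hook(s)")
        for service, name, verdict in triage(owners):
            print(f"  {verdict:8} {service:<24} {name}")
    print("diff:", compare(before, after))
```

Run against the two excerpts, the first scan yields one UNKNOWN module-owned hook (qgfaiu.sys on ZwSetValueKey) and the diff shows that hook gone and guard.sys hooks appearing after AVG Anti-Spyware was installed.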
     
  18. 2007/06/15
    tjames238 Inactive Thread Starter
    Here is the Deljob log. For Vundo, all I found was a VundoFix Backups folder and there are 2 bad files in there. No Vundo.txt. I can email you those two files if you like.
    --------------------------------------------------------
    No LOP jobs found
    --------------------------------------------------------
    Files remaining after cleaning

    1Gh3yKYh.job
    AppleSoftwareUpdate.job
    h.job
    K8NQTDXtgCeu8N4ob.job
    MwqmTiWVHXBHan.job
    PYca.job
    wrSpySweeper_L45D879D57E484D71A474ECACCC08B700.job
    wrSpySweeper_L78D979FD361544EBAB10BFA1D96C4EBA.job
    zKl1Nm.job
    ZVPkL7b4IVvNdigZAX.job
    --------------------------------------------------------
    App data folders

    Volume in drive C is PRESARIO
    Volume Serial Number is 0084-E38A

    Directory of C:\Documents and Settings\Compaq_Owner\Application Data

    06/14/2007 12:55 AM <DIR> .
    06/14/2007 12:55 AM <DIR> ..
    03/15/2005 08:51 PM <DIR> Adobe
    06/09/2006 05:00 PM <DIR> AdobeUM
    03/16/2005 08:53 PM <DIR> Aim
    04/08/2007 03:38 PM <DIR> APPLEC~1 Apple Computer
    06/15/2007 10:09 AM <DIR> AVG7
    01/31/2006 09:03 PM <DIR> DIGITA~1 Digital Album Organizer
    02/18/2006 01:22 PM <DIR> Google
    03/15/2005 09:08 PM <DIR> Help
    04/15/2007 01:26 AM <DIR> HP
    10/20/2004 08:13 AM <DIR> IDENTI~1 Identities
    01/31/2006 09:13 PM <DIR> INSTAL~1 InstallShield Installation Information
    09/17/2006 09:22 PM <DIR> INTERV~1 Intervideo
    05/07/2007 07:41 PM <DIR> iWin
    06/06/2007 01:53 PM <DIR> Lavasoft
    04/09/2005 03:26 PM <DIR> LEADER~1 Leadertech
    03/13/2005 12:58 PM <DIR> MACROM~1 Macromedia
    03/15/2007 12:47 PM <DIR> MICROS~1 Microsoft
    03/13/2005 09:13 PM <DIR> Motive
    03/05/2007 02:21 PM <DIR> MOVENE~1 Move Networks
    02/27/2006 10:57 AM <DIR> MSNINS~1 MSNInstaller
    03/26/2006 04:36 PM <DIR> Real
    04/21/2005 11:02 PM <DIR> Roxio
    10/21/2004 01:40 AM <DIR> SAMPLE~1 SampleView
    03/26/2006 04:36 PM <DIR> Sonic
    10/20/2004 08:39 AM <DIR> Sun
    03/26/2006 04:36 PM <DIR> Symantec
    03/13/2005 05:54 PM <DIR> Template
    03/21/2006 12:12 PM <DIR> WEATHE~1 WeatherBug
    03/13/2005 01:21 PM <DIR> Webroot
    05/05/2005 12:11 AM <DIR> Yahoo!
    0 File(s) 0 bytes
    32 Dir(s) 53,749,346,304 bytes free
    Volume in drive C is PRESARIO
    Volume Serial Number is 0084-E38A

    Directory of C:\Documents and Settings\All Users\Application Data

    06/14/2007 09:58 PM <DIR> .
    06/14/2007 09:58 PM <DIR> ..
    06/09/2006 04:59 PM <DIR> Adobe
    04/10/2006 07:48 PM <DIR> AOLDOW~1 AOL Downloads
    12/29/2006 09:12 PM <DIR> APPLEC~1 Apple Computer
    06/06/2007 10:58 AM <DIR> avg7
    06/14/2007 12:14 AM <DIR> BVRPSO~1 BVRP Software
    06/05/2007 05:38 PM <DIR> Grisoft
    03/27/2005 10:44 PM <DIR> HEWLET~1 Hewlett-Packard
    06/19/2006 01:35 PM <DIR> HP
    10/20/2004 09:31 AM <DIR> INSTAL~1 InstallShield
    10/20/2004 09:30 AM <DIR> INTERV~1 InterVideo
    10/20/2004 09:43 AM <DIR> MICROS~1 Microsoft
    03/15/2007 12:47 PM <DIR> MICROS~2 Microsoft Help
    10/21/2004 01:06 AM <DIR> Motive
    04/21/2005 10:52 PM <DIR> Napster
    05/28/2005 11:31 PM <DIR> PopCap
    10/20/2004 09:46 AM <DIR> QUICKT~1 QuickTime
    10/20/2004 08:19 AM <DIR> SBSI
    06/19/2006 01:31 PM <DIR> Sonic
    06/14/2006 10:27 PM <DIR> Symantec
    08/20/2005 11:17 PM <DIR> Trymedia
    05/13/2005 04:54 PM <DIR> VIEWPO~1 Viewpoint
    03/13/2005 04:06 PM <DIR> VISUAL~1 Visual Networks
    04/06/2007 03:06 PM <DIR> Webroot
    05/07/2007 07:40 PM <DIR> WILDTA~1 WildTangent
    05/09/2006 07:06 PM <DIR> Yahoo!
    01/05/2006 07:12 PM <DIR> YAHOO!~1 Yahoo! Companion
    0 File(s) 0 bytes
    28 Dir(s) 53,749,342,208 bytes free
    --------------------------------------------------------
     
  19. 2007/06/15
    TeMerc Inactive Alumni
    Ok, let's kill a couple of services and some files too.

    Please hit the 'Ctrl' key + 'Alt' key + 'Delete' key to bring up the Task Manager and select the 'Processes' tab. Then find, highlight and select 'End Task' on the following process(es) if present:
    C:\WINDOWS\system32\6e5a1.exe
    C:\Program Files\directx\tlleiij.exe
    C:\Program Files\FaxTools\ykhhljk.exe



    Then open GMER
    • Select the Services tab
    • Find the services called Fax 2Client & qgfaiu
    • Right-click each and select Delete
    • Close GMER and Reboot

    Once rebooted, check for the same running processes as before and kill them if they are running, then access your Add or Remove Programs Control Panel by hitting your [Start] button, select Control Panel and click on Add or Remove Programs. Then find the following programs and click the [Change|Remove] button for each, if they are listed. If they are not, continue with the instructions:
    FaxTools
    FunWebProducts
    LimeWire
    Dirextx
    Free Offers\Freeze.com\
    MyWebSearch
    ptjn
    Napster




    Then download the Killbox from here, (not the beta link) and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it
    • Select "Delete on Reboot".
    • Then select "All files".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32\6e5a1.exe
    C:\WINDOWS\hosts.dat
    C:\WINDOWS\other32575625.exe
    C:\WINDOWS\other2080936.exe
    C:\WINDOWS\other14385623.exe
    C:\WINDOWS\other22295779.exe
    C:\WINDOWS\system32\buyunion.dll
    C:\WINDOWS\other53484744.exe
    C:\WINDOWS\other26934451.exe
    C:\WINDOWS\other45660037.exe
    C:\WINDOWS\other55646914.exe
    C:\WINDOWS\other73229617.exe
    C:\WINDOWS\other38854617.exe
    C:\WINDOWS\other86213320.exe
    C:\WINDOWS\other49917239.exe
    C:\WINDOWS\other7168216.exe
    C:\WINDOWS\other26545352.exe
    C:\WINDOWS\other67205447.exe
    C:\WINDOWS\other40087527.exe
    C:\WINDOWS\other74169558.exe
    C:\WINDOWS\system32\nwizqqhx.dll
    C:\WINDOWS\system32\nwizwmsjs.dll
    C:\WINDOWS\MsAudio.sys
    C:\WINDOWS\EBSPI.dll
    C:\WINDOWS\jh.exe
    C:\WINDOWS\system32\dh2102.dll
    C:\WINDOWS\system32\dh2101.dll
    C:\WINDOWS\system32\dh2100.dll
    C:\DOCUME~1\COMPAQ~1\APPLIC~1\iWin
    C:\WINDOWS\system32\nwizwmgjs.dll
    C:\WINDOWS\system32\nwizQQFO.dll
    C:\WINDOWS\system32\nwizwows.dll
    C:\WINDOWS\system32\nwizwlwz100.dll
    C:\Program Files\Internet Explorer\KVMonXP41.exe
    C:\Program Files\Internet Explorer\KVMonXP42.exe
    C:\WINDOWS\cdgfii.tmp


    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white [Delete File] button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.

    Reboot the system. Download AVG Anti-Spyware 7.5 from HERE and save that file to your desktop.
    This is a 30-day trial of the program.
    • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
    • Once the setup is complete you will need to run ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the [Start Update] button; the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports":
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
    Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.

    Reboot into Safe Mode, this way:
    • Turn on the computer
    • Immediately begin tapping the <F8> key.
    • Use the arrow keys to highlight Safe Mode and press the <Enter> key.
    IMPORTANT: Do not open any other windows or programs while AVG is scanning, it may interfere with the scanning process.

    Launch ewido anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
    • AVG will now begin the scanning process; be patient, this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted; then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the [Save report as] button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    Close AVG and reboot your system back into Normal Mode and post the results of the AVG report scan. (Please edit out any cookie, Recycler and System Volume Information folder references.)

    Then run ComboFix first, then GMER, then HJT and post those logs along with the AVG log.
     
  20. 2007/06/16
    tjames238 Inactive Thread Starter
    Here is the GMER scan.
    GMER 1.0.12.12244 - http://www.gmer.net
    Rootkit scan 2007-06-16 11:18:39
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.12 ----

    SSDT 8454A698 ZwAllocateVirtualMemory
    SSDT 845E8DA0 ZwCreateKey
    SSDT 8454ABC0 ZwCreateProcess
    SSDT 8454AB48 ZwCreateProcessEx
    SSDT 8454A968 ZwCreateThread
    SSDT 8454AE18 ZwDeleteKey
    SSDT 8454AC38 ZwDeleteValueKey
    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
    SSDT 8454A710 ZwQueueApcThread
    SSDT 8454A5A8 ZwReadVirtualMemory
    SSDT 8454ADA0 ZwRenameKey
    SSDT 8454A800 ZwSetContextThread
    SSDT 8454AD28 ZwSetInformationKey
    SSDT 8454AA58 ZwSetInformationProcess
    SSDT 8454A878 ZwSetInformationThread
    SSDT 8454ACB0 ZwSetValueKey
    SSDT 8454A9E0 ZwSuspendProcess
    SSDT 8454A788 ZwSuspendThread
    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
    SSDT 8454A8F0 ZwTerminateThread
    SSDT 8454A620 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.12 ----

    ? C:\WINDOWS\system32\DRIVERS\update.sys
    ? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified.

    ---- User code sections - GMER 1.0.12 ----

    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[968] kernel32.dll!CreateThread + 1A 7C810849 4 Bytes [ B3, F8, C3, 83 ]
    .text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[1440] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0002FCB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[1440] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0002FEDC C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[1440] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0002FCB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[1440] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 0002FE60 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\ssu.exe[1440] kernel32.dll!VirtualFree 7C809B14 5 Bytes JMP 0002FEA0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1704] kernel32.dll!CreateThread + 1A 7C810849 1 Byte [ 0B ]
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1704] kernel32.dll!CreateThread + 1C 7C81084B 2 Bytes [ C3, 83 ]

    ---- Devices - GMER 1.0.12 ----

    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 843279F8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 84314560
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE 843F1020
    Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 842CBCA0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 842CAF08
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 84295FA8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 8433FC50
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 84335D40
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 84325208
    Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 8430AFA8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 84303880
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 842F75C0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 842F2510
    Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 842E59A0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL 842DEC50
    Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7AC085A] avgtdi.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 843350E8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 842F8D08
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP 84312360
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 84310678
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 843060C0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 8433C100
    Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 8431ADD8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 844BA5B8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 844BA6C8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 844BB398
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 844BAFA8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 844BAD58
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 843279F8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 84314560
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE 843F1020
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 842CBCA0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 842CAF08
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 84295FA8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 8433FC50
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 84335D40
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 84325208
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 8430AFA8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 84303880
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 842F75C0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 842F2510
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 842E59A0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL 842DEC50
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7AC085A] avgtdi.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 843350E8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 842F8D08
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP 84312360
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 84310678
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 843060C0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 8433C100
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 8431ADD8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 844BA5B8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 844BA6C8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 844BB398
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 844BAFA8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 844BAD58
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE 843279F8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 84314560
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE 843F1020
    Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 842CBCA0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 842CAF08
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 84295FA8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 8433FC50
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 84335D40
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 84325208
    Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 8430AFA8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 84303880
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 842F75C0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 842F2510
    Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 842E59A0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL 842DEC50
    Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7AC085A] avgtdi.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 843350E8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 842F8D08
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP 84312360
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 84310678
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 843060C0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 8433C100
    Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 8431ADD8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 844BA5B8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 844BA6C8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 844BB398
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 844BAFA8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 844BAD58
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE 843279F8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 84314560
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE 843F1020
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 842CBCA0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 842CAF08
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 84295FA8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 8433FC50
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 84335D40
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 84325208
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 8430AFA8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 84303880
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 842F75C0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 842F2510
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 842E59A0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL 842DEC50
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7AC085A] avgtdi.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 843350E8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL 842F8D08
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP 84312360
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 84310678
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 843060C0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 8433C100
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 8431ADD8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 844BA5B8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 844BA6C8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 844BB398
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 844BAFA8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 844BAD58
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE 843279F8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 84314560
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE 843F1020
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 842CBCA0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 842CAF08
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 84295FA8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 8433FC50
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 84335D40
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 84325208
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 8430AFA8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 84303880
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 842F75C0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 842F2510
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 842E59A0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL 842DEC50
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7AC085A] avgtdi.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 843350E8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 842F8D08
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP 84312360
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 84310678
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 843060C0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 8433C100
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 8431ADD8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 844BA5B8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 844BA6C8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 844BB398
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 844BAFA8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 844BAD58

    ---- EOF - GMER 1.0.12 ----
     
  21. 2007/06/16
    tjames238

    tjames238 Inactive Thread Starter

    Joined:
    2006/06/19
    Messages:
    57
    Likes Received:
    0
    Here is the ComboFix log. I ran AVG and it created no report. I hit "Apply All Actions" and it quarantined them. When I hit the report icon there was nothing there.
    ComboFix 07-06-13.3 - C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
    "Compaq_Owner" - 2007-06-16 10:49:29 - Service Pack 2 NTFS


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\4b1.dll


    ((((((((((((((((((((((((( Files Created from 2007-05-16 to 2007-06-16 )))))))))))))))))))))))))))))))


    2007-06-16 00:52 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-06-16 00:42 <DIR> d-------- C:\!KillBox
    2007-06-14 21:55 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-14 21:17 <DIR> d-------- C:\VundoFix Backups
    2007-06-14 02:16 <DIR> d-------- C:\Spyware Tools
    2007-06-14 01:27 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
    2007-06-14 01:27 <DIR> d-------- C:\Program Files\Lexmark X1100 Series
    2007-06-14 00:58 <DIR> d-------- C:\Program Files\CCleaner
    2007-06-14 00:15 <DIR> d-------- C:\Program Files\ABBYY FineReader 6.0
    2007-06-14 00:15 <DIR> d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
    2007-06-13 11:35 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1.JEF\NTUSER.DAT
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\WINDOWS
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Symantec
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Sonic
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\SampleView
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Real
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Intervideo
    2007-06-13 11:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1.JEF\APPLIC~1\Apple Computer
    2007-06-06 13:53 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Lavasoft
    2007-06-06 13:52 <DIR> d-------- C:\Program Files\Lavasoft
    2007-05-28 12:12 <DIR> d-------- C:\Program Files\ptjn


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-16 05:35:15 -------- d-----w C:\Program Files\LimeWire
    2007-06-14 06:26:18 -------- d-----w C:\Program Files\MyWebSearch
    2007-06-14 05:14:10 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-06-13 17:24:18 -------- d-----w C:\Program Files\FunWebProducts
    2007-06-10 16:46:30 -------- d-----w C:\Program Files\directx
    2007-06-06 21:01:18 -------- d-----w C:\Program Files\Freeze.com
    2007-06-06 18:52:00 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-05-26 19:11:52 -------- d-----w C:\Program Files\Free Offers from Freeze.com
    2007-05-08 00:41:29 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\iWin
    2007-05-08 00:37:01 -------- d-----w C:\Program Files\HP Games
    2007-04-06 20:04:45 164 ----a-w C:\install.dat
    2006-04-02 01:14:52 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll [2006-04-17 19:37]
    {031882e5-f020-40a9-849c-fde8950dba61}=C:\WINDOWS\system32\ipsuid.dll []
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-01-06 12:52]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll [2006-07-26 03:17]
    {7C554162-8CB7-45A4-B8F4-8EA1C75885F9}=C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll [2005-11-30 13:17]
    {85FAEA13-9C62-4917-8571-B35C563A1943}=C:\WINDOWS\system32\buyunion.dll []
    {BF182DBF-1283-4BD3-86EE-D3239228770C}=C:\Program Files\Internet Explorer\Connection Wizard\QQZoneHelper.dll [2005-05-29 10:07]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdateManager "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" []
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
    "ISUSPM Startup "= "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" []
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" []
    "VTTimer "= "VTTimer.exe" []
    "SiSPower "= "Rundll32.exe" [2004-08-04 07:00 C:\WINDOWS\system32\rundll32.exe]
    "AGRSMMSG "= "AGRSMMSG.exe" [2004-06-29 19:06 C:\WINDOWS\AGRSMMSG.exe]
    "AlcxMonitor "= "ALCXMNTR.EXE" [2004-09-07 22:47 C:\WINDOWS\ALCXMNTR.EXE]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" []
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-05 17:38]
    "tlleiij "= "C:\Program Files\directx\tlleiij.exe" [2005-06-10 11:46]
    "Lexmark X1100 Series "= "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 05:43]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
    "SpySweeper "= "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:55]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "Yahoo! Pager "= "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" []
    "Acme.PCHButton "= "C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe" [2004-10-21 01:04]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 07:29]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipsuid]
    ipsuid.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
    uyos


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


    Contents of the 'Scheduled Tasks' folder
    2007-06-16 16:00:00 C:\WINDOWS\tasks\1Gh3yKYh.job
    2007-05-27 13:54:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    2007-06-16 16:00:00 C:\WINDOWS\tasks\h.job
    2007-06-16 16:00:00 C:\WINDOWS\tasks\K8NQTDXtgCeu8N4ob.job
    2007-06-16 16:00:01 C:\WINDOWS\tasks\MwqmTiWVHXBHan.job
    2007-06-16 16:00:01 C:\WINDOWS\tasks\PYca.job
    2007-06-15 21:00:00 C:\WINDOWS\tasks\wrSpySweeper_L45D879D57E484D71A474ECACCC08B700.job
    2007-06-15 21:00:00 C:\WINDOWS\tasks\wrSpySweeper_L78D979FD361544EBAB10BFA1D96C4EBA.job
    2007-06-16 16:00:01 C:\WINDOWS\tasks\zKl1Nm.job
    2007-06-16 16:00:01 C:\WINDOWS\tasks\ZVPkL7b4IVvNdigZAX.job

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-16 11:00:15
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-16 11:01:28
    C:\ComboFix-quarantined-files.txt ... 2007-06-16 11:01
    C:\ComboFix2.txt ... 2007-06-14 22:03

    --- E O F ---
     