
computer reboots or freezes at login (win xp)

Discussion in 'Malware and Virus Removal Archive' started by mva5493, 2007/07/29.

  1. 2007/07/30
    noahdfear

    Awww, there's nothing to be afraid of :D
     
  2. 2007/07/31
    mva5493 (Thread Starter)
    I am thinking there is something to be afraid of... and I think I am throwing in the towel for tonight... I can't get it to cooperate long enough to get a few log files. Lots of freezing... it is still loading Windows, but almost immediately it repeatedly hits me with the "Windows has recovered from a serious error" message, then back to the virtual memory errors. ComboFix didn't complete; the memory error came up and then ComboFix terminated. Will try again with fresh eyes and less frustration.
     


  4. 2007/07/31
    mva5493 (Thread Starter)
    Okay, I am determined that this thing is not gonna beat me :D. I have gotten ComboFix to run completely and am posting the log from that, as well as HJT logs from before and after ComboFix. ComboFix running properly has fixed my safe-mode login problem (for now anyway; hopefully it won't come back).

    Here is the first HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 22:12, on 2000-12-31
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\U3VzYW4\command.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\lxamsp32.exe
    c:\program files\internet explorer\iexplore.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=pdf
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: (no name) - {34ef652a-f955-4e9a-84d9-5b4d27400418} - C:\WINDOWS\system32\dinGR1.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {8A06A1A7-9E64-4359-8556-B6EA03D69814} - C:\WINDOWS\system32\dinGR1.dll
    O2 - BHO: (no name) - {B9697716-61E6-4FBC-89FD-EAC504D9EFE3} - C:\WINDOWS\system32\hggdabb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe "
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Microsoft Visual Enhance V2.1] C:\WINDOWS\iuntfs32.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm231YYUS
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drhpmit.dll
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll
    O20 - Winlogon Notify: dinGR1 - C:\WINDOWS\SYSTEM32\dinGR1.dll
    O20 - Winlogon Notify: hggdabb - C:\WINDOWS\SYSTEM32\hggdabb.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3VzYW4\command.exe
    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



    Here is the ComboFix log:
    ComboFix 07-07-30.2 - "Brent" 2001-01-01 0:34:03.1 [GMT -5:00] - NTFS
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.True
    * Created a new restore point


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\iifcyyv.dll
    C:\WINDOWS\awttuu.dll
    C:\WINDOWS\uuttwa.ini
    C:\WINDOWS\system32\dinGR1.dll
    C:\WINDOWS\system32\hggdabb.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    Infected copy of C:\WINDOWS\system32\drivers\ndis.sys was found & disinfected
    C:\1.exe
    C:\cp1041.nls
    C:\DOCUME~1\Brent\APPLIC~1.\asks~1
    C:\DOCUME~1\Brent\APPLIC~1.\crosof~1.net
    C:\DOCUME~1\Brent\APPLIC~1.\mantec~1
    C:\DOCUME~1\Brent\APPLIC~1.\racle~1
    C:\DOCUME~1\Brent\APPLIC~1.\racle~2
    C:\DOCUME~1\Brent\APPLIC~1.\ssembl~1
    C:\DOCUME~1\Brent\APPLIC~1.\ymante~1
    C:\DOCUME~1\Brent\MYDOCU~1.\appatc~1
    C:\DOCUME~1\Brent\MYDOCU~1.\asks~1
    C:\DOCUME~1\Brent\MYDOCU~1.\crosof~1
    C:\DOCUME~1\Brent\MYDOCU~1.\dobe~1
    C:\DOCUME~1\Brent\MYDOCU~1.\mcroso~1
    C:\DOCUME~1\Brent\MYDOCU~1.\mcroso~1.net
    C:\DOCUME~1\Brent\MYDOCU~1.\ppatch~1
    C:\DOCUME~1\Brent\MYDOCU~1.\sks~1
    C:\DOCUME~1\Brent\MYDOCU~1.\ystem3~1
    C:\DOCUME~1\Brent\MYDOCU~1.\ystem3~1\??plorer.exe
    C:\Documents and Settings\All Users.\documents\settings
    C:\Documents and Settings\All Users.\documents\settings\desktop.ini
    C:\Program Files\asks~1
    C:\Program Files\Common Files\{304E6~1
    C:\Program Files\Common Files\{304E6~1\UnInstall.exe
    C:\Program Files\Common Files\{B04E6~1
    C:\Program Files\Common Files\{B04E6~1\bak\Update.exe
    C:\Program Files\Common Files\{B04E6~1\system.dll
    C:\Program Files\Common Files\{B04E6~1\Update.exe
    C:\Program Files\Common Files\{B04E6~2
    C:\Program Files\Common Files\{B04E6~2\system.dll
    C:\Program Files\Common Files\{B04E6~2\Update.exe
    C:\Program Files\Common Files\asembl~1
    C:\Program Files\Common Files\asks~1
    C:\Program Files\Common Files\stem32~1
    C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
    C:\Program Files\Common Files\ymbols~1
    C:\Program Files\cowabanga
    C:\Program Files\cowabanga\License.txt
    C:\Program Files\cowabanga\uninstaller.exe
    C:\Program Files\crosof~1
    C:\Program Files\deluxecommunications
    C:\Program Files\deluxecommunications\Dxc.exe
    C:\Program Files\deluxecommunications\DxcBho.dll
    C:\Program Files\deluxecommunications\DxcCore.dll
    C:\Program Files\FunWebProducts
    C:\Program Files\FunWebProducts\Shared\0EF14CCB.dat
    C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
    C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
    C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
    C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
    C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
    C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
    C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
    C:\Program Files\inetget2
    C:\Program Files\ipwindows
    C:\Program Files\MyWebSearch
    C:\Program Files\MyWebSearch\bar\1.bin\bak\mwsoemon.exe
    C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
    C:\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
    C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
    C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
    C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
    C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
    C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
    C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
    C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
    C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
    C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
    C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
    C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
    C:\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe
    C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
    C:\Program Files\MyWebSearch\bar\Cache\0006A76E.bin
    C:\Program Files\MyWebSearch\bar\Cache\0006B103.bin
    C:\Program Files\MyWebSearch\bar\Cache\0006B355.bin
    C:\Program Files\MyWebSearch\bar\Cache\0006B671.bin
    C:\Program Files\MyWebSearch\bar\Cache\0006BF7A.bin
    C:\Program Files\MyWebSearch\bar\Cache\0006C229
    C:\Program Files\MyWebSearch\bar\Cache\016144C4.bin
    C:\Program Files\MyWebSearch\bar\Cache\01614AFE.bin
    C:\Program Files\MyWebSearch\bar\Cache\01614C94.bin
    C:\Program Files\MyWebSearch\bar\Cache\01615908.bin
    C:\Program Files\MyWebSearch\bar\Cache\01615A40.bin
    C:\Program Files\MyWebSearch\bar\Cache\0EF00595
    C:\Program Files\MyWebSearch\bar\Cache\0EF01DD0.bin
    C:\Program Files\MyWebSearch\bar\Cache\0EF02041.bin
    C:\Program Files\MyWebSearch\bar\Cache\0EF022B2.bin
    C:\Program Files\MyWebSearch\bar\Cache\0EF0240A.bin
    C:\Program Files\MyWebSearch\bar\Cache\files.ini
    C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
    C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
    C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
    C:\Program Files\MyWebSearch\bar\History\search2
    C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
    C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
    C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
    C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
    C:\Program Files\MyWebSearch\bar\Settings\settings.dat
    C:\Program Files\network monitor
    C:\Program Files\network monitor\netmon.exe
    C:\Program Files\newdotnet
    C:\Program Files\newdotnet\newdotnet6_38(2).dll
    C:\Program Files\newdotnet\readme.html
    C:\Program Files\oin search
    C:\Program Files\oin search\OINSearch.dll
    C:\Program Files\oin search\Uninstall.exe
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\outerinfo.ico
    C:\Program Files\outerinfo\Terms.rtf
    C:\Program Files\scurit~1
    C:\Program Files\smbols~1
    C:\Program Files\webhancer
    C:\Program Files\webhancer\Programs\bak\whagent.exe
    C:\WINDOWS\crosof~1
    C:\WINDOWS\ecurit~1
    C:\WINDOWS\scurit~1
    C:\WINDOWS\smbols~1
    C:\WINDOWS\sstem~1
    C:\WINDOWS\stem~1
    C:\WINDOWS\system32\a3dxq.dll
    C:\WINDOWS\system32\asks~1
    C:\WINDOWS\system32\atmtd.dll
    C:\WINDOWS\system32\atmtd.dll._
    C:\WINDOWS\system32\dobe~1
    C:\WINDOWS\system32\drhpmit.dll
    C:\WINDOWS\system32\driverc.exe
    C:\WINDOWS\system32\driverd.exe
    C:\WINDOWS\system32\drivers\fad.sys
    C:\WINDOWS\system32\drivers\ip6fw.sys
    C:\WINDOWS\system32\dxclib~1.dll
    C:\WINDOWS\system32\f3PSSavr.scr
    C:\WINDOWS\system32\mantec~1
    C:\WINDOWS\system32\mantec~1\bak\msiexec.exe
    C:\WINDOWS\system32\mantec~1\msiexec.exe
    C:\WINDOWS\system32\mantec~1\msiexec.exe1176139249
    C:\WINDOWS\system32\monterreyc_redux.exe
    C:\WINDOWS\system32\monterreyd_a4m.exe
    C:\WINDOWS\system32\monterreyd_olive.exe
    C:\WINDOWS\system32\sdetvtv.dll
    C:\WINDOWS\system32\stem~1
    C:\WINDOWS\system32\tsuninst.exe
    C:\WINDOWS\system32\winhealer.dll
    C:\WINDOWS\system32\wnstsicomsv.exe
    C:\WINDOWS\system32\wnstssv.exe
    C:\WINDOWS\U3VzYW4\asappsrv.dll
    C:\WINDOWS\U3VzYW4\command.exe
    C:\WINDOWS\uninstall_nmon.vbs
    C:\WINDOWS\wnsxs~1
    Restored copy from - c:\I386\NDIS.SYS



    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CMDSERVICE
    -------\LEGACY_COM+_MESSAGES
    -------\LEGACY_LDRSVC
    -------\LEGACY_NETWORK_MONITOR
    -------\LEGACY_NTLDR.SYS
    -------\LEGACY_RUNTIME
    -------\cmdService
    -------\COM+ Messages
    -------\ldrsvc
    -------\Network Monitor
    -------\ntldr.sys
    -------\Runtime


    ((((((((((((((((((((((((( Files Created from 2000-12-01 to 2001-01-01 )))))))))))))))))))))))))))))))


    2001-01-19 10:50 40,960 --a------ C:\WINDOWS\SYSTEM32\INSTMON.EXE
    2000-12-31 23:13 <DIR> d-------- C:\DOCUME~1\Brent\SmitfraudFix


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-29 12:42 5558 --a------ C:\WINDOWS\system32\tmp.reg
    2007-07-27 12:27 --------- d-------- C:\DOCUME~1\Brent\APPLIC~1\Webroot
    2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
    2007-04-19 15:46 91958 --a------ C:\WINDOWS\system32\cent.exe
    2007-04-18 17:23 9526 --a------ C:\xx1232255.exe
    2007-04-18 00:29 0 --a------ C:\WINDOWS\bstdin.bin
    2007-04-15 14:08 --------- d-------- C:\Program Files\Common Files\imqu
    2007-04-10 13:23 45056 --a------ C:\command.exe
    2007-04-09 12:20 --------- d-------- C:\Program Files\QuickTime
    2007-04-09 12:20 --------- d-------- C:\Program Files\Messenger
    2007-04-09 12:20 --------- d-------- C:\Program Files\Lexmark X1100 Series
    2007-04-09 12:20 --------- d-------- C:\Program Files\Dell Support
    2007-04-09 12:19 37697 --a------ C:\WINDOWS\system32\igfxtray.exe
    2007-04-09 12:19 37697 --a------ C:\WINDOWS\system32\hphmon05.exe
    2007-04-09 12:19 37697 --a------ C:\WINDOWS\system32\hkcmd.exe
    2007-04-09 12:19 37697 --a------ C:\WINDOWS\system32\DSentry.exe
    2007-04-09 12:19 37697 --a------ C:\WINDOWS\iuntfs32.exe
    2007-03-28 19:05 26112 --a------ C:\WINDOWS\ntmsapi32.dll
    2007-03-28 11:10 8704 --a------ C:\WINDOWS\cmfbr43.dll
    2007-03-18 19:57 --------- d-------- C:\DOCUME~1\Brent\APPLIC~1\MSN6
    2007-03-11 20:11 --------- dr-h----- C:\DOCUME~1\Brent\APPLIC~1\yahoo!
    2007-02-17 17:59 --------- d-------- C:\Program Files\GameHouse
    2007-02-15 22:52 --------- d-------- C:\Program Files\TryMedia
    2007-02-13 20:57 --------- d-------- C:\Program Files\Yahoo!
    2007-02-06 19:15 --------- d-------- C:\DOCUME~1\Brent\APPLIC~1\Corel
    2007-02-05 17:34 --------- d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
    2007-01-26 23:48 146 --ah----- C:\Program Files\hpothb07.dat
    2006-09-06 19:27 31248 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
    2006-09-06 19:27 197648 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
    2006-09-06 19:09 1051456 --a------ C:\WINDOWS\system32\drivers\VsapiNT.sys
    2006-04-27 16:49 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2006-04-19 15:43 14848 --a------ C:\WINDOWS\system32\ksxc.dll
    2006-03-05 22:44 --------- d-------- C:\Program Files\ItsDeductible2005
    2006-03-05 20:19 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-03-05 20:19 --------- d-------- C:\Program Files\Common Files\AnswerWorks 4.0
    2006-03-05 20:17 --------- d-------- C:\Program Files\Common Files\Intuit
    2006-03-05 20:16 --------- d-------- C:\Program Files\TurboTax
    2006-03-05 20:15 --------- d-------- C:\Program Files\Common Files\InstallShield
    2005-10-31 10:56 700416 --a------ C:\StubInstaller.exe
    2005-10-03 18:53 38784 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
    2005-09-07 17:27 1716297 --a------ C:\WINDOWS\system32\InetClnt.dll
    2005-08-14 17:35 --------- d-------- C:\Program Files\Dell
    2005-08-14 17:32 --------- d-------- C:\Program Files\Common Files\Symantec Shared
    2005-08-11 20:56 --------- d-------- C:\Program Files\Trend Micro
    2005-08-03 22:05 --------- d--h----- C:\DOCUME~1\Brent\APPLIC~1\GTek
    2005-08-03 19:55 --------- d-------- C:\Program Files\Support.com
    2005-05-18 11:21 529 --ah----- C:\hpothb07.dat
    2005-05-18 11:20 255 --ah----- C:\Program Files\hpothb07.tif
    2005-04-28 18:21 --------- d-------- C:\DOCUME~1\Brent\APPLIC~1\Symantec
    2005-01-18 20:03 838870 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
    2004-09-19 22:34 --------- d-------- C:\Program Files\SymNetDrv
    2004-07-31 17:50 51200 --a------ C:\WINDOWS\system32\dumphive.exe
    2004-06-20 20:56 --------- d-------- C:\Program Files\Hewlett-Packard
    2004-06-17 11:56 7626 --a------ C:\WINDOWS\system32\GPCIEnu.sys
    2004-06-09 14:31 6144 --a------ C:\WINDOWS\system32\DLPT.sys
    2004-06-09 08:29 6977 --a------ C:\WINDOWS\system32\DDMI2.sys
    2004-04-18 20:22 --------- d-------- C:\DOCUME~1\Brent\APPLIC~1\Hewlett-Packard
    2004-03-23 20:17 --------- d-------- C:\DOCUME~1\Brent\APPLIC~1\Share-to-Web Upload Folder
    2004-03-15 21:40 82380 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
    2004-03-01 21:42 18283 --a------ C:\WINDOWS\HPHins01.dat
    2004-03-01 21:39 --------- d-------- C:\Program Files\HP
    2004-02-18 20:38 --------- d-------- C:\Program Files\ABBYY FineReader 6.0
    2004-01-05 19:58 --------- d-------- C:\Program Files\Common Files\Nullsoft
    2003-09-12 09:30 4284 --------- C:\WINDOWS\hphmdl01.dat
    2003-09-03 20:28 --------- d-------- C:\Program Files\QUICKENW
    2003-08-20 21:24 61440 --a------ C:\WINDOWS\system32\HPHap05.exe
    2003-08-20 15:59 6371 -ra------ C:\WINDOWS\system32\hphmon05.dat
    2003-08-19 05:51 69632 --a------ C:\WINDOWS\system32\LXBKCU.DLL
    2003-08-19 05:43 90112 --a------ C:\WINDOWS\system32\LXBKCUR.DLL
    2003-08-19 05:41 454656 --a------ C:\WINDOWS\system32\LXBKJSWR.DLL
    2003-08-19 05:29 352256 --a------ C:\WINDOWS\system32\LXBKUTIL.DLL
    2003-08-19 05:25 73728 --a------ C:\WINDOWS\system32\lxbkpwr.dll
    2003-08-18 10:43 82432 -ra------ C:\WINDOWS\system32\MSXML4r.dll
    2003-08-18 10:43 626960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
    2003-08-18 10:43 487424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
    2003-08-18 10:43 44544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
    2003-08-18 10:43 344064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
    2003-08-18 10:43 1230336 -ra------ C:\WINDOWS\system32\MSXML4.dll
    2003-08-18 06:56 69632 --a------ C:\WINDOWS\system32\lxbkscin.dll
    2003-08-18 06:56 57344 --a------ C:\WINDOWS\system32\lxbkcinf.dll
    2003-08-18 06:56 49152 --a------ C:\WINDOWS\system32\lxbkcoin.dll
    2003-08-18 06:03 544768 --a------ C:\WINDOWS\system32\LXBKLSNT.EXE
    2003-08-18 05:58 217088 --a------ C:\WINDOWS\system32\LXBKLCNT.DLL
    2003-08-18 05:57 286720 --a------ C:\WINDOWS\system32\LXBKPMNT.DLL
    2003-08-18 05:55 86016 --a------ C:\WINDOWS\system32\LXBKIH.EXE
    2003-08-18 05:55 155648 --a------ C:\WINDOWS\system32\LEXPING.EXE
    2003-08-18 05:53 126976 --a------ C:\WINDOWS\system32\LXBKCFG.EXE
    2003-08-18 05:52 286720 --a------ C:\WINDOWS\system32\lxbkcomm.dll
    2003-08-18 05:46 77824 --a------ C:\WINDOWS\system32\LXBKLCNP.DLL
    2003-07-25 08:57 147512 --a------ C:\WINDOWS\system32\hpzlnt09.dll
    2003-07-25 08:53 270336 --a------ C:\WINDOWS\system32\hpzcon09.dll
    2003-07-25 08:52 208896 --a------ C:\WINDOWS\system32\hpzcoi09.dll
    2003-06-23 02:44 1415680 --a------ C:\WINDOWS\system32\wmv9vcm.dll
    2003-06-05 20:13 53248 --a------ C:\WINDOWS\system32\Process.exe
    2003-05-14 07:45 65795 -ra------ C:\WINDOWS\system32\HPZipm12.exe
    2003-05-14 07:45 61699 -ra------ C:\WINDOWS\system32\HPZinw12.exe
    2003-05-14 07:24 262144 -ra------ C:\WINDOWS\system32\HPZc3212.dll
    2003-05-14 07:23 196608 -ra------ C:\WINDOWS\system32\HPZipr12.dll
    2003-05-14 07:21 266296 -ra------ C:\WINDOWS\system32\HPZidr12.dll
    2003-05-14 07:19 51056 -ra------ C:\WINDOWS\system32\drivers\hpzid412.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RealTray "= "C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-04-09 12:19]
    "MMTray "= "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2007-04-09 12:19]
    "AdaptecDirectCD "= "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2007-04-09 12:19]
    "lxamsp32.exe "= "lxamsp32.exe" [2001-10-21 18:12 C:\WINDOWS\SYSTEM32\LXAMSP32.EXE]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2007-04-09 12:19]
    "Lexmark X1100 Series "= "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2007-04-09 12:19]
    "HPHUPD05 "= "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2007-04-09 12:19]
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2007-04-09 12:19]
    "HP Software Update "= "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2007-04-09 12:19]
    "Share-to-Web Namespace Daemon "= "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2007-04-09 12:19]
    "CamMonitor "= "C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2007-04-09 12:19]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2007-04-09 12:19]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport "= "C:\Program Files\Dell Support\DSAgnt.exe" [2007-04-09 12:19]
    "Yahoo! Pager "= "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 14:22]
    "Microsoft Visual Enhance V2.1 "= "C:\WINDOWS\iuntfs32.exe" [2007-04-09 12:19]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Symantec Network Driver Update Warning "=C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
    "ALUAlert "=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    "Symantec NetDriver Warning "=C:\PROGRA~1\SYMNET~1\SNDWarn.exe
    "Yahoo! Pager "= "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    C:\Documents and Settings\Brent\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 14:36:04]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 14:36:04]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2002-12-29 11:53:59]

    R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\System32\drivers\Cdr4_xp.sys
    R1 Cdralw2k;Cdralw2k;C:\WINDOWS\System32\drivers\Cdralw2k.sys
    R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
    R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
    R1 tmtdi;Trend Micro TDI Driver;C:\WINDOWS\System32\Drivers\tmtdi.sys
    R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
    R2 ASCTRM;ASCTRM;C:\WINDOWS\System32\drivers\ASCTRM.sys
    R2 tm_cfw;Common Firewall Driver;C:\WINDOWS\System32\Drivers\tm_cfw.sys
    R2 Tmfilter;Tmfilter;C:\WINDOWS\System32\drivers\TmXPFlt.sys
    R2 Tmpreflt;Tmpreflt;C:\WINDOWS\System32\drivers\Tmpreflt.sys
    R2 Vsapint;Vsapint;C:\WINDOWS\System32\drivers\Vsapint.sys
    R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys
    R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
    R3 MxlW2k;MxlW2k;C:\WINDOWS\System32\drivers\MxlW2k.sys
    S2 windev-4134-6407;windev-4134-6407;\??\C:\WINDOWS\system32\windev-4134-6407.sys
    S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
    S3 i81x;i81x;C:\WINDOWS\System32\DRIVERS\i81xnt5.sys
    S3 iAimFP0;iAimFP0;C:\WINDOWS\System32\DRIVERS\wADV01nt.sys
    S3 iAimFP1;iAimFP1;C:\WINDOWS\System32\DRIVERS\wADV02NT.sys
    S3 iAimFP2;iAimFP2;C:\WINDOWS\System32\DRIVERS\wADV05NT.sys
    S3 iAimFP3;iAimFP3;C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys
    S3 iAimFP4;iAimFP4;C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys
    S3 iAimTV0;iAimTV0;C:\WINDOWS\System32\DRIVERS\wATV01nt.sys
    S3 iAimTV1;iAimTV1;C:\WINDOWS\System32\DRIVERS\wATV02NT.sys
    S3 iAimTV2;iAimTV2;C:\WINDOWS\System32\DRIVERS\wATV03nt.sys
    S3 iAimTV3;iAimTV3;C:\WINDOWS\System32\DRIVERS\wATV04nt.sys
    S3 iAimTV4;iAimTV4;C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys
    S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\System32\DRIVERS\wanatw4.sys
    S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\System32\DRIVERS\agpCPQ.sys

    *Newly Created Service* - ALG
    *Newly Created Service* - IPNAT

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Microsoft Visual Enhance V2.1]
    C:\WINDOWS\iuntfs32.exe

    Contents of the 'Scheduled Tasks' folder
    2007-04-02 01:40:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#140#CN3CN340S2J3.job - C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
    2007-04-18 21:39:00 C:\WINDOWS\Tasks\HP Usg Daily.job - C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
    2003-01-03 23:39:07 C:\WINDOWS\Tasks\ISP signup reminder 1.job - C:\WINDOWS\System32\OOBE\OOBEBALN.EXE

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2001-01-01 00:44:28
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2001-01-01 0:45:44 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2001-01-01 00:45

    --- E O F ---


    hjt after combofix:
    Logfile of HijackThis v1.99.1
    Scan saved at 12:49:33 AM, on 1/1/2001
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=pdf
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe "
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Microsoft Visual Enhance V2.1] C:\WINDOWS\iuntfs32.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm231YYUS
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    I am standing at the top of the staircase with the infected computer, you tell me should I drop it or is it salvageable?????:)
     
  5. 2007/07/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Wow! ComboFix did an awesome job. And so are you!! :)

    I'm currently on lunch, so I don't have the time to post much right now.

    Try to run SDFix again now and post its log.

    Run LSPFix again.

    I would also like for you to do a disk check. Open a command prompt and type chkdsk /r then hit enter. You should get a message that the volume is in use and would you like to schedule a disk check ....... answer yes and reboot. Disk Check should run upon startup.

    I'll be back this evening. :cool:

    BTW, don't toss it over the stairs just yet ..... it looks like we're well on our way to a successful cleanup.
     
  6. 2007/07/31
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    okay..will do.. I was hoping it was improved over last night. I just got a reprieve from the old heave ho, lol.
     
  7. 2007/07/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Got a couple of other things to do ..... more logs :rolleyes:

    Please download FindAWF.exe

    Save the file to the Desktop
    Double-click the FindAWF icon.

    As instructed, press any key to continue.
    Use the following option: Press 1 then Enter to scan for bak folders
    The scan may take a while, please be patient.

    When done, a text file, Find AWF report (awf.txt) will open.
    Please post the contents of awf.txt.

    I would also like to see another fresh HijackThis log.
     
  8. 2007/07/31
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    fresh log files.
    here is the sdfix
    SDFix: Version 1.94

    Run by Brent on Mon 01/01/2001 at 06:01 AM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\DOCUME~1\Brent\LOCALS~1\Temp\abc123.pid - Deleted



    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP621\A0036130.exe
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP637\A0214301.sys
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP637\A0218473.sys
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP638\A0220683.sys
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP638\A0220866.sys
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP638\A0220955.sys
    C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
    C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp
    C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp
    C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.tmp.LOG
    C:\WINDOWS\SYSTEM32\CONFIG\SAM.tmp.LOG
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.tmp.LOG
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.tmp.LOG
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.tmp.LOG
    C:\WINDOWS\U3VzYW4\oapWsqb.vbs

    Finished


    hjt at chkdsk
    Logfile of HijackThis v1.99.1
    Scan saved at 12:49:33 AM, on 1/1/2001
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=pdf
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe "
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Microsoft Visual Enhance V2.1] C:\WINDOWS\iuntfs32.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm231YYUS
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
     
  9. 2007/07/31
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    I don't know what's going on now, but I can't download from this site... it says you have chosen to save file, but Save File is gray and I can't click on it; the only option is to cancel... this happened earlier when I tried to download SDFix and ComboFix. I had to go to yet another computer to download... for some reason Firefox doesn't want to download, but I got it with IE.
     
    Last edited: 2007/07/31
  10. 2007/07/31
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    here is the text file from awf:

    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\WINDOWS\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\DELLSU~1\BAK

    07/19/2004 08:51 AM 306,688 DSAgnt.exe
    1 File(s) 306,688 bytes

    Directory of C:\PROGRA~1\LEXMAR~1\BAK

    08/19/2003 06:43 AM 57,344 lxbkbmgr.exe
    1 File(s) 57,344 bytes

    Directory of C:\PROGRA~1\MESSEN~1\BAK

    08/20/2002 05:08 PM 1,511,453 msmsgs.exe
    1 File(s) 1,511,453 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    01/12/2004 10:37 AM 77,824 qttask.exe
    1 File(s) 77,824 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/14/2002 08:22 PM 28,672 DSentry.exe
    06/20/2002 04:05 AM 114,688 hkcmd.exe
    08/20/2003 05:15 PM 483,328 hphmon05.exe
    06/20/2002 04:14 AM 155,648 igfxtray.exe
    03/29/2007 11:10 AM 37,382 lsasss.exe
    5 File(s) 819,718 bytes

    Directory of C:\PROGRA~1\COMMON~1\IMQU\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

    04/17/2002 11:42 AM 69,632 hpgs2wnd.exe
    1 File(s) 69,632 bytes

    Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

    06/25/2003 12:24 PM 49,152 HPWuSchd.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\HEWLET~1\{45B61~1\BAK

    08/20/2003 05:23 PM 49,152 hphupd05.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

    08/20/2003 03:57 PM 221,184 hpcmpmgr.exe
    1 File(s) 221,184 bytes

    Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

    08/14/2002 07:29 PM 90,112 mm_tray.exe
    1 File(s) 90,112 bytes

    Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

    12/29/2002 12:57 PM 26,112 RealPlay.exe
    1 File(s) 26,112 bytes

    Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

    01/19/2007 01:49 PM 4,670,968 YAHOOM~1.EXE
    03/27/2007 04:22 PM 4,670,968 YahooMessenger.exe
    2 File(s) 9,341,936 bytes

    Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\UNLOAD\BAK

    10/07/2002 01:23 AM 90,112 hpqcmon.exe
    1 File(s) 90,112 bytes

    Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

    04/13/2005 04:48 AM 36,975 jusched.exe
    1 File(s) 36,975 bytes


    04/10/2002 06:44 PM 679,936 DirectCD.exe
    1 File(s) 679,936 bytes

    Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\COMMON~1\{B04E6~1\BAK

    02/18/2007 12:29 AM 14,336 Update.exe.vir
    1 File(s) 14,336 bytes

    Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\WEBHAN~1\PROGRAMS\BAK

    02/21/2007 04:18 PM 565,248 whagent.exe.vir
    1 File(s) 565,248 bytes

    Directory of C:\QOOBOX\QUARAN~1\C\WINDOWS\SYSTEM32\MANTEC~1\BAK

    02/18/2007 12:30 AM 70,144 msiexec.exe.vir
    1 File(s) 70,144 bytes

    Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

    07/25/2003 10:14 AM 188,416 hpztsb09.exe
    10/21/2001 04:54 PM 36,864 printray.exe
    2 File(s) 225,280 bytes

    Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\MYWEBS~1\BAR\1.BIN\BAK

    02/26/2007 10:27 PM 28,672 mwsoemon.exe.vir
    1 File(s) 28,672 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    37697 Apr 9 2007 "C:\Program Files\Dell Support\DSAgnt.exe "
    306688 Jul 19 2004 "C:\Program Files\Dell Support\bak\DSAgnt.exe "
    37697 Apr 9 2007 "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    57344 Aug 19 2003 "C:\Program Files\Lexmark X1100 Series\bak\lxbkbmgr.exe "
    37697 Apr 9 2007 "C:\Program Files\Messenger\msmsgs.exe "
    1511453 Aug 20 2002 "C:\Program Files\Messenger\bak\msmsgs.exe "
    37697 Apr 9 2007 "C:\Program Files\QuickTime\qttask.exe "
    77824 Jan 12 2004 "C:\Program Files\QuickTime\bak\qttask.exe "
    37697 Apr 9 2007 "C:\WINDOWS\SYSTEM32\DSentry.exe "
    28672 Aug 14 2002 "C:\WINDOWS\SYSTEM32\bak\DSentry.exe "
    114688 Jun 20 2002 "C:\DRIVERS\VIDEO\HKCMD.EXE "
    37697 Apr 9 2007 "C:\WINDOWS\SYSTEM32\hkcmd.exe "
    114688 Jun 20 2002 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe "
    114688 Jun 20 2002 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\hkcmd.exe "
    37697 Apr 9 2007 "C:\WINDOWS\SYSTEM32\hphmon05.exe "
    483328 Aug 20 2003 "C:\WINDOWS\SYSTEM32\bak\hphmon05.exe "
    155648 Jun 20 2002 "C:\DRIVERS\VIDEO\IGFXTRAY.EXE "
    37697 Apr 9 2007 "C:\WINDOWS\SYSTEM32\igfxtray.exe "
    155648 Jun 20 2002 "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe "
    155648 Jun 20 2002 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\igfxtray.exe "
    37382 Mar 29 2007 "C:\WINDOWS\SYSTEM32\bak\lsasss.exe "
    37697 Apr 9 2007 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe "
    69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe "
    37697 Apr 9 2007 "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe "
    49152 Jun 25 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd.exe "
    37697 Apr 9 2007 "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe "
    49152 Aug 20 2003 "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe "
    37697 Apr 9 2007 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    221184 Aug 20 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe "
    37697 Apr 9 2007 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe "
    90112 Aug 14 2002 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe "
    135168 Feb 20 2007 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\ChanDir\MMJB\mm_tray.exe "
    37697 Apr 9 2007 "C:\Program Files\Real\RealPlayer\RealPlay.exe "
    26112 Dec 29 2002 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe "
    4670968 Mar 27 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe "
    4670968 Jan 19 2007 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE "
    4670968 Mar 27 2007 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe "
    37697 Apr 9 2007 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe "
    90112 Oct 7 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe "
    37697 Apr 9 2007 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe "
    36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe "
    37697 Apr 9 2007 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    679936 Apr 10 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe "
    37697 Apr 9 2007 "C:\QooBox\Quarantine\C\Program Files\Common Files\{B04E6~1\Update.exe.vir "
    14336 Jul 26 2007 "C:\QooBox\Quarantine\C\Program Files\Common Files\{B04E6~2\Update.exe.vir "
    14336 Feb 18 2007 "C:\QooBox\Quarantine\C\Program Files\Common Files\{B04E6~1\bak\Update.exe.vir "
    565248 Feb 21 2007 "C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\bak\whagent.exe.vir "
    71680 Apr 9 2007 "C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\MANTEC~1\msiexec.exe.vir "
    70144 Feb 18 2007 "C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\MANTEC~1\bak\msiexec.exe.vir "
    37697 Apr 9 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb09.exe "
    188416 Jul 25 2003 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\bak\hpztsb09.exe "
    37697 Apr 9 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\printray.exe "
    36864 Oct 21 2001 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\lexmarklexmark_x63b8e1\printray.exe "
    36864 Oct 21 2001 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\bak\printray.exe "
    37697 Apr 9 2007 "C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe.vir "
    28672 Feb 26 2007 "C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\bak\mwsoemon.exe.vir "


    end of report

    looks like I still have a bit of work to do...
     
  11. 2007/07/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yes, there's still a bit to do. Hang in there, you're doing great!

    First, double click on the clock in the taskbar, then set the correct time and date. Apply and OK out.

    Scan again with HijackThis, place a check next to the following entries, then click Fix Checked.

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/0...ir.asp?Ext=pdf
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
    O4 - HKCU\..\Run: [Microsoft Visual Enhance V2.1] C:\WINDOWS\iuntfs32.exe

    Close HijackThis.

    Copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    
    C:\WINDOWS\system32\cent.exe
    C:\xx1232255.exe
    C:\WINDOWS\bstdin.bin
    C:\command.exe
    C:\WINDOWS\iuntfs32.exe
    C:\WINDOWS\cmfbr43.dll
    C:\WINDOWS\system32\ksxc.dll
    C:\StubInstaller.exe
    C:\WINDOWS\system32\windev-4134-6407.sys
    
    Folder::
    
    C:\Program Files\Common Files\imqu
    C:\WINDOWS\U3VzYW4
    
    Registry::
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft Visual Enhance V2.1]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    There is an infection present that has replaced legitimate files with a rogue and placed the original in a folder named bak. We are going to use FindAWF to delete those rogues and put the originals back where they belong.

    Run FindAWF again, this time selecting Option 2. A text file will open called: files.txt
    Click below the line and paste the following list of files to be restored. Make sure quotes are included.

    "C:\Program Files\Dell Support\bak\DSAgnt.exe "
    "C:\Program Files\Lexmark X1100 Series\bak\lxbkbmgr.exe "
    "C:\Program Files\Messenger\bak\msmsgs.exe "
    "C:\Program Files\QuickTime\bak\qttask.exe "
    "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe "
    "C:\WINDOWS\SYSTEM32\bak\hphmon05.exe "
    "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe "
    "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe "
    "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd.exe "
    "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe "
    "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe "
    "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe "
    "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe "
    "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe "
    "C:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe "
    "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe "
    "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\bak\hpztsb09.exe "
    "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\bak\printray.exe "


    Close the text file and click Yes to save the changes.
    Once files.txt is saved, FindAWF does the following:
    -It attempts to terminate the process represented by each filename on the list, if running
    -Deletes the rogue file(s) from the parent folder(s), if present
    -Copies the original file to the parent folder

    When done with the above, it automatically runs a new scan and opens a new log.
    Please post the contents of the new awf.txt log, as well as a new HijackThis log.
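    The pattern noahdfear describes above (a rogue file sitting where the legitimate executable used to be, the original moved into a bak folder) is visible in the "Duplicate files of bak directory contents" section of the awf.txt report: every rogue in this thread has the same size and date, while its bak copy keeps the original's. The script below is an added example, not FindAWF's own code; it parses that section of the report, decides for each bak copy whether the file at the parent location still differs (rogue present), already matches (restored), or is missing (orphan), and prints the quoted bak paths in the form the files.txt list expects. The SAMPLE text is a constructed excerpt in the report's format, and the function and variable names are mine.

```python
import re
from collections import Counter

# One line of the "Duplicate files of bak directory contents" section:
#   <size> <Mon D YYYY> "<path>"
# The forum paste leaves a trailing space inside the quotes, so the regex
# strips it instead of treating it as part of the path.
_LINE_RE = re.compile(
    r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.*?)\s*"\s*$'
)

# Constructed excerpt in the awf.txt format (sizes/dates mirror the thread:
# the rogue is always 37697 bytes dated Apr 9 2007).
SAMPLE = r"""
37697 Apr 9 2007 "C:\Program Files\Dell Support\DSAgnt.exe "
306688 Jul 19 2004 "C:\Program Files\Dell Support\bak\DSAgnt.exe "
37697 Apr 9 2007 "C:\WINDOWS\SYSTEM32\hkcmd.exe "
114688 Jun 20 2002 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe "
114688 Jun 20 2002 "C:\DRIVERS\VIDEO\HKCMD.EXE "
37382 Mar 29 2007 "C:\WINDOWS\SYSTEM32\bak\lsasss.exe "
4670968 Mar 27 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe "
4670968 Mar 27 2007 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe "
"""


def parse_duplicates(text):
    """Return a list of (size, date, path) tuples for every report line that parses."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def _parent_location(path):
    """For <dir>\\bak\\<name> return <dir>\\<name>; return None if not inside a bak folder."""
    parts = path.split("\\")
    if len(parts) >= 3 and parts[-2].lower() == "bak":
        return "\\".join(parts[:-2] + [parts[-1]])
    return None


def triage(text):
    """Classify each bak copy against the file currently at its parent location.

    restore   - parent file differs in size or date, i.e. the rogue is still there
    restored  - parent file already matches the bak original (nothing to do)
    orphaned  - no file at the parent location (e.g. lsasss.exe in the thread)
    signature - most common (size, date) among the rogue files found
    """
    entries = parse_duplicates(text)
    by_path = {p.lower(): (s, d) for s, d, p in entries}
    result = {"restore": [], "restored": [], "orphaned": [], "signature": None}
    rogues = []
    for size, date, path in entries:
        parent_path = _parent_location(path)
        if parent_path is None:
            continue  # not a bak copy; it is the parent side of some pair
        parent = by_path.get(parent_path.lower())
        if parent is None:
            result["orphaned"].append(path)
        elif parent != (size, date):
            result["restore"].append(path)
            rogues.append(parent)
        else:
            result["restored"].append(path)
    if rogues:
        result["signature"] = Counter(rogues).most_common(1)[0][0]
    return result


def restore_list(text):
    """Quoted bak paths, one per line, in the form FindAWF's files.txt expects."""
    return ['"%s"' % p for p in triage(text)["restore"]]


if __name__ == "__main__":
    summary = triage(SAMPLE)
    print("rogue signature (size, date):", summary["signature"])
    print("orphaned bak copies:", summary["orphaned"])
    print("already restored:", summary["restored"])
    print("paste into files.txt:")
    for line in restore_list(SAMPLE):
        print(line)
```

Run against the thread's first awf.txt the output reproduces noahdfear's restore list (minus entries he deliberately left out, such as the quarantined .vir copies); run against the second report, everything lands in "restored".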
     
  12. 2007/07/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please also post the contents of the combofix_quarantined_files.txt
     
  13. 2007/07/31
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    can you tell based on the logs or what is going on exactly what the infection is? Just curious what we are dealing with here. will try to follow along once again. Combofix quarantined list now or after this next set of instructions?
     
  14. 2007/07/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Either is fine. As far as what we're dealing with ....... yes, I can tell. Basically, that machine has a host of different infections. Backdoors, rootkits, trojans, bots, adware, malware and several other viruses. The bulk of it has been removed already, but there will be several more tasks to complete before it's clean and protected.
     
  15. 2007/08/01
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    I didn't think we were done, it's just good to know what you are dealing with..so to be better prepared the next time I come in contact with these things.. I don't want to see it on my personal machine, but maybe if it comes up again, I can catch it before it gets this far out of control (or better yet, before it gets on the machine period!)

    here are the requested logs:

    awf

    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\WINDOWS\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\DELLSU~1\BAK

    07/19/2004 08:51 AM 306,688 DSAgnt.exe
    1 File(s) 306,688 bytes

    Directory of C:\PROGRA~1\LEXMAR~1\BAK

    08/19/2003 06:43 AM 57,344 lxbkbmgr.exe
    1 File(s) 57,344 bytes

    Directory of C:\PROGRA~1\MESSEN~1\BAK

    08/20/2002 05:08 PM 1,511,453 msmsgs.exe
    1 File(s) 1,511,453 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    01/12/2004 10:37 AM 77,824 qttask.exe
    1 File(s) 77,824 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/14/2002 08:22 PM 28,672 DSentry.exe
    06/20/2002 04:05 AM 114,688 hkcmd.exe
    08/20/2003 05:15 PM 483,328 hphmon05.exe
    06/20/2002 04:14 AM 155,648 igfxtray.exe
    03/29/2007 11:10 AM 37,382 lsasss.exe
    5 File(s) 819,718 bytes

    Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

    04/17/2002 11:42 AM 69,632 hpgs2wnd.exe
    1 File(s) 69,632 bytes

    Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

    06/25/2003 12:24 PM 49,152 HPWuSchd.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\HEWLET~1\{45B61~1\BAK

    08/20/2003 05:23 PM 49,152 hphupd05.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

    08/20/2003 03:57 PM 221,184 hpcmpmgr.exe
    1 File(s) 221,184 bytes

    Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

    08/14/2002 07:29 PM 90,112 mm_tray.exe
    1 File(s) 90,112 bytes

    Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

    12/29/2002 12:57 PM 26,112 RealPlay.exe
    1 File(s) 26,112 bytes

    Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

    01/19/2007 01:49 PM 4,670,968 YAHOOM~1.EXE
    03/27/2007 04:22 PM 4,670,968 YahooMessenger.exe
    2 File(s) 9,341,936 bytes

    Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\UNLOAD\BAK

    10/07/2002 01:23 AM 90,112 hpqcmon.exe
    1 File(s) 90,112 bytes

    Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

    04/13/2005 04:48 AM 36,975 jusched.exe
    1 File(s) 36,975 bytes


    04/10/2002 06:44 PM 679,936 DirectCD.exe
    1 File(s) 679,936 bytes

    Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\COMMON~1\{B04E6~1\BAK

    02/18/2007 12:29 AM 14,336 Update.exe.vir
    1 File(s) 14,336 bytes

    Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\WEBHAN~1\PROGRAMS\BAK

    02/21/2007 04:18 PM 565,248 whagent.exe.vir
    1 File(s) 565,248 bytes

    Directory of C:\QOOBOX\QUARAN~1\C\WINDOWS\SYSTEM32\MANTEC~1\BAK

    02/18/2007 12:30 AM 70,144 msiexec.exe.vir
    1 File(s) 70,144 bytes

    Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

    07/25/2003 10:14 AM 188,416 hpztsb09.exe
    10/21/2001 04:54 PM 36,864 printray.exe
    2 File(s) 225,280 bytes

    Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\MYWEBS~1\BAR\1.BIN\BAK

    02/26/2007 10:27 PM 28,672 mwsoemon.exe.vir
    1 File(s) 28,672 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    306688 Jul 19 2004 "C:\Program Files\Dell Support\DSAgnt.exe "
    306688 Jul 19 2004 "C:\Program Files\Dell Support\bak\DSAgnt.exe "
    57344 Aug 19 2003 "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    57344 Aug 19 2003 "C:\Program Files\Lexmark X1100 Series\bak\lxbkbmgr.exe "
    1511453 Aug 20 2002 "C:\Program Files\Messenger\msmsgs.exe "
    1511453 Aug 20 2002 "C:\Program Files\Messenger\bak\msmsgs.exe "
    77824 Jan 12 2004 "C:\Program Files\QuickTime\qttask.exe "
    77824 Jan 12 2004 "C:\Program Files\QuickTime\bak\qttask.exe "
    37697 Apr 9 2007 "C:\WINDOWS\SYSTEM32\DSentry.exe "
    28672 Aug 14 2002 "C:\WINDOWS\SYSTEM32\bak\DSentry.exe "
    114688 Jun 20 2002 "C:\DRIVERS\VIDEO\HKCMD.EXE "
    114688 Jun 20 2002 "C:\WINDOWS\SYSTEM32\hkcmd.exe "
    114688 Jun 20 2002 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe "
    114688 Jun 20 2002 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\hkcmd.exe "
    483328 Aug 20 2003 "C:\WINDOWS\SYSTEM32\hphmon05.exe "
    483328 Aug 20 2003 "C:\WINDOWS\SYSTEM32\bak\hphmon05.exe "
    155648 Jun 20 2002 "C:\DRIVERS\VIDEO\IGFXTRAY.EXE "
    155648 Jun 20 2002 "C:\WINDOWS\SYSTEM32\igfxtray.exe "
    155648 Jun 20 2002 "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe "
    155648 Jun 20 2002 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\igfxtray.exe "
    37382 Mar 29 2007 "C:\WINDOWS\SYSTEM32\bak\lsasss.exe "
    69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe "
    69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe "
    49152 Jun 25 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe "
    49152 Jun 25 2003 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd.exe "
    49152 Aug 20 2003 "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe "
    49152 Aug 20 2003 "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe "
    221184 Aug 20 2003 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    221184 Aug 20 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe "
    90112 Aug 14 2002 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe "
    90112 Aug 14 2002 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe "
    135168 Feb 20 2007 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\ChanDir\MMJB\mm_tray.exe "
    26112 Dec 29 2002 "C:\Program Files\Real\RealPlayer\RealPlay.exe "
    26112 Dec 29 2002 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe "
    4670968 Mar 27 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe "
    4670968 Jan 19 2007 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE "
    4670968 Mar 27 2007 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe "
    90112 Oct 7 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe "
    90112 Oct 7 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe "
    36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe "
    36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe "
    679936 Apr 10 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    679936 Apr 10 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe "
    37697 Apr 9 2007 "C:\QooBox\Quarantine\C\Program Files\Common Files\{B04E6~1\Update.exe.vir "
    14336 Jul 26 2007 "C:\QooBox\Quarantine\C\Program Files\Common Files\{B04E6~2\Update.exe.vir "
    14336 Feb 18 2007 "C:\QooBox\Quarantine\C\Program Files\Common Files\{B04E6~1\bak\Update.exe.vir "
    565248 Feb 21 2007 "C:\QooBox\Quarantine\C\Program Files\webHancer\Programs\bak\whagent.exe.vir "
    71680 Apr 9 2007 "C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\MANTEC~1\msiexec.exe.vir "
    70144 Feb 18 2007 "C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\MANTEC~1\bak\msiexec.exe.vir "
    37697 Apr 9 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb09.exe "
    188416 Jul 25 2003 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\bak\hpztsb09.exe "
    37697 Apr 9 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\printray.exe "
    36864 Oct 21 2001 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\lexmarklexmark_x63b8e1\printray.exe "
    36864 Oct 21 2001 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\bak\printray.exe "
    37697 Apr 9 2007 "C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe.vir "
    28672 Feb 26 2007 "C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\bak\mwsoemon.exe.vir "


    end of report
     
  16. 2007/08/01
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    here is the hjt log:
    Logfile of HijackThis v1.99.1
    Scan saved at 12:58:18 AM, on 8/1/2001
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe "
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm231YYUS
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    and last combofix qt list:
    Code:
    2001-01-01 01:39      1014    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_LDRSVC.reg.cf
    2001-01-01 01:39      1072    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_CMDSERVICE.reg.cf
    2001-01-01 01:39      1122    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETWORK_MONITOR.reg.cf
    2001-01-01 01:39      1122    --a------    C:\Qoobox\Quarantine\Registry_backups\services_ntldr.reg.cf
    2001-01-01 01:39      1148    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_RUNTIME.reg.cf
    2001-01-01 01:39      1168    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NTLDR.SYS.reg.cf
    2001-01-01 01:39      2510    --a------    C:\Qoobox\Quarantine\Registry_backups\services_cmdService.reg.cf
    2001-01-01 01:39      2822    --a------    C:\Qoobox\Quarantine\Registry_backups\services_Network Monitor.reg.cf
    2001-01-01 01:39      2850    --a------    C:\Qoobox\Quarantine\Registry_backups\services_COM+ Messages.reg.cf
    2001-01-01 01:39      3400    --a------    C:\Qoobox\Quarantine\Registry_backups\services_ldrsvc.reg.cf
    2001-01-01 01:39      750    --a------    C:\Qoobox\Quarantine\Registry_backups\services_Runtime.reg.cf
    2001-01-01 01:39      846    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_COM+_MESSAGES.reg.cf
    2001-01-01 01:40      256    --a------    C:\Qoobox\Quarantine\catchme.log
    2001-01-01 01:40      8886    --a------    C:\Qoobox\Quarantine\catchme2001-01-01_ 04427.01.zip
    2002-02-19 00:22      12008    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\fad.sys.vir
    2004-02-18 07:26      46080    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\imqu\imqud\imquc.dll.vir
    2004-04-19 22:26      4933375    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\imqu\imqud\class-barrel.vir
    2005-07-29 17:24      472    --a------    C:\Qoobox\Quarantine\C\WINDOWS\U3VzYW4\oapWsqb.vbs.vir
    2005-08-02 17:46      187904    --a------    C:\Qoobox\Quarantine\C\WINDOWS\U3VzYW4\asappsrv.dll.vir
    2005-08-02 17:58      293888    --a------    C:\Qoobox\Quarantine\C\WINDOWS\U3VzYW4\command.exe.vir
    2005-10-31 11:56      700416    --a------    C:\Qoobox\Quarantine\C\StubInstaller.exe.vir
    2006-01-03 18:45      1989    --a------    C:\Qoobox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir
    2006-01-04 19:09      94208    --a------    C:\Qoobox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir
    2006-04-19 16:43      14848    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ksxc.dll.vir
    2006-05-02 11:56      16929    --a------    C:\Qoobox\Quarantine\C\Program Files\Cowabanga\License.txt.vir
    2006-07-21 19:55      127578    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tsuninst.exe.vir
    2006-10-11 10:15      352256    --a------    C:\Qoobox\Quarantine\C\Program Files\OIN Search\OINSearch.dll.vir
    2007-01-03 17:19      171008    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\Yazzle1122OinAdmin.exe.vir
    2007-01-12 16:00      1150    --a------    C:\Qoobox\Quarantine\C\Program Files\Outerinfo\outerinfo.ico.vir
    2007-01-12 16:00      18031    --a------    C:\Qoobox\Quarantine\C\Program Files\Outerinfo\Terms.rtf.vir
    2007-02-18 00:29      12800    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\{304E6~1\UnInstall.exe.vir
    2007-02-18 00:29      14336    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\{B04E6~1\bak\Update.exe.vir
    2007-02-18 00:29      6656    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\{B04E6~1\system.dll.vir
    2007-02-18 00:30      70144    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\MANTEC~1\bak\msiexec.exe.vir
    2007-02-18 00:31      95863    --a------    C:\Qoobox\Quarantine\C\Program Files\Cowabanga\uninstaller.exe.vir
    2007-02-18 11:46      687592    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\atmtd.dll._.vir
    2007-02-18 11:46      687592    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\atmtd.dll.vir
    2007-02-18 12:18      0    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\imqu\imqua.lck.vir
    2007-02-18 12:18      0    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\imqu\imqum.lck.vir
    2007-02-18 12:19      0    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\imqu\imqul.lck.vir
    2007-02-18 12:48      32177    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\Yazzle1122OinUninstaller.exe.vir
    2007-02-20 12:51      0    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\imqu\imqup.lck.vir
    2007-02-21 16:18      565248    --a------    C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\bak\whagent.exe.vir
    2007-02-26 22:27      118784    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir
    2007-02-26 22:27      118784    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir
    2007-02-26 22:27      139264    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL.vir
    2007-02-26 22:27      140    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST.vir
    2007-02-26 22:27      140    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST.vir
    2007-02-26 22:27      143360    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL.vir
    2007-02-26 22:27      143421    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL.vir
    2007-02-26 22:27      147456    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL.vir
    2007-02-26 22:27      16384    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE.vir
    2007-02-26 22:27      20164    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG.vir
    2007-02-26 22:27      20480    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir
    2007-02-26 22:27      24576    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL.vir
    2007-02-26 22:27      24576    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir
    2007-02-26 22:27      24576    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE.vir
    2007-02-26 22:27      24658    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir
    2007-02-26 22:27      24660    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir
    2007-02-26 22:27      24662    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE.vir
    2007-02-26 22:27      249856    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir
    2007-02-26 22:27      28672    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\bak\mwsoemon.exe.vir
    2007-02-26 22:27      28672    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir
    2007-02-26 22:27      28672    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir
    2007-02-26 22:27      28672    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\f3PSSavr.scr.vir
    2007-02-26 22:27      290816    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir
    2007-02-26 22:27      305    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT.vir
    2007-02-26 22:27      319560    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir
    2007-02-26 22:27      40960    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir
    2007-02-26 22:27      4814    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR.vir
    2007-02-26 22:27      49230    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir
    2007-02-26 22:27      5446    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV.vir
    2007-02-26 22:27      57344    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir
    2007-02-26 22:27      6462    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR.vir
    2007-02-26 22:27      65536    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL.vir
    2007-02-26 22:27      65536    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE.vir
    2007-02-26 22:27      73728    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL.vir
    2007-02-26 22:27      81920    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir
    2007-02-26 22:27      86085    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir
    2007-02-26 22:27      94208    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir
    2007-02-26 22:28      1024    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\History\search2.vir
    2007-02-26 22:28      106998    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\FISH.F3S.vir
    2007-02-26 22:28      113081    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S.vir
    2007-02-26 22:28      122747    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\MAID.F3S.vir
    2007-02-26 22:28      1284    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0EF01DD0.bin.vir
    2007-02-26 22:28      129559    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S.vir
    2007-02-26 22:28      149817    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S.vir
    2007-02-26 22:28      155471    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S.vir
    2007-02-26 22:28      1668    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0EF022B2.bin.vir
    2007-02-26 22:28      1724    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0EF02041.bin.vir
    2007-02-26 22:28      1940    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0EF0240A.bin.vir
    2007-02-26 22:28      24    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Settings\s_pid.dat.vir
    2007-02-26 22:28      243509    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S.vir
    2007-02-26 22:28      24871    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Message\COMMON.F3S.vir
    2007-02-26 22:28      272367    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S.vir
    2007-02-26 22:28      301118    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S.vir
    2007-02-26 22:28      43287    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S.vir
    2007-02-26 22:28      509    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Settings\setting2.htm.vir
    2007-02-26 22:28      56438    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S.vir
    2007-02-26 22:28      56688    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Game\REVERSI.F3S.vir
    2007-02-26 22:28      58    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Settings\settings.dat.vir
    2007-02-26 22:28      66726    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Game\CHESS.F3S.vir
    2007-02-26 22:28      71675    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Notifier\DOG.F3S.vir
    2007-02-26 22:28      76013    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S.vir
    2007-02-26 22:28      78829    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm.vir
    2007-02-27 18:41      1000    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\01614AFE.bin.vir
    2007-02-27 18:41      1928    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\016144C4.bin.vir
    2007-02-27 18:42      116    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0EF00595.vir
    2007-02-27 18:42      244    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\01615A40.bin.vir
    2007-02-27 18:42      944    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\01614C94.bin.vir
    2007-02-27 18:42      976    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\01615908.bin.vir
    2007-03-06 06:00      56222    --a------    C:\Qoobox\Quarantine\C\Program Files\OIN Search\Uninstall.exe.vir
    2007-03-13 09:43      2    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wnstssv.exe.vir
    2007-03-18 20:57      1140    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0006A76E.bin.vir
    2007-03-18 20:57      116    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0006C229.vir
    2007-03-18 20:57      47487    --a------    C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html.vir
    2007-03-18 20:57      56777    --a------    C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html.vir
    2007-03-18 20:57      608    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0006B671.bin.vir
    2007-03-18 20:57      688    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0006B103.bin.vir
    2007-03-18 20:57      856    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0006B355.bin.vir
    2007-03-18 20:57      952    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\0006BF7A.bin.vir
    2007-03-19 14:31      228864    --a------    C:\Qoobox\Quarantine\C\Documents and Settings\Brent\MYDOCU~1\YSTEM3~1\??plorer.exe.vir
    2007-03-19 21:24      13650    --a------    C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Shared\0EF14CCB.dat.vir
    2007-03-28 12:10      8704    --a------    C:\Qoobox\Quarantine\C\WINDOWS\cmfbr43.dll.vir
    2007-03-28 14:23      24026    --a------    C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html.vir
    2007-03-28 14:23      31236    --a------    C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html.vir
    2007-03-28 14:23      65035    --a------    C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html.vir
    2007-03-29 09:02      1536    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\imqu\imquh.vir
    2007-03-29 09:17      96256    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\driverc.exe.vir
    2007-03-29 09:17      96256    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\monterreyc_redux.exe.vir
    2007-03-29 11:31      71680    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\MANTEC~1\msiexec.exe1176139249.vir
    2007-04-09 13:19      37697    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\{B04E6~1\Update.exe.vir
    2007-04-09 13:19      37697    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\imqu\imqum.exe.vir
    2007-04-09 13:19      37697    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe.vir
    2007-04-09 13:19      37697    --a------    C:\Qoobox\Quarantine\C\WINDOWS\iuntfs32.exe.vir
    2007-04-09 18:57      123325    --a------    C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html.vir
    2007-04-09 18:57      423517    --a------    C:\Qoobox\Quarantine\C\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html.vir
    2007-04-09 20:38      71680    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\MANTEC~1\msiexec.exe.vir
    2007-04-10 14:23      45056    --a------    C:\Qoobox\Quarantine\C\command.exe.vir
    2007-04-11 05:23      96256    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\driverd.exe.vir
    2007-04-11 05:23      96256    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\monterreyd_a4m.exe.vir
    2007-04-11 05:23      96256    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\monterreyd_olive.exe.vir
    2007-04-14 12:15      19625    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dinGR1.dll.vir
    2007-04-17 12:30      26694    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\iifcyyv.dll.vir
    2007-04-17 12:33      229376    --a------    C:\Qoobox\Quarantine\C\Program Files\NewDotNet\newdotnet6_38(2).dll.vir
    2007-04-17 12:33      6273    --a------    C:\Qoobox\Quarantine\C\Program Files\NewDotNet\readme.html.vir
    2007-04-17 12:34      134656    --a------    C:\Qoobox\Quarantine\C\Program Files\DeluxeCommunications\Dxc.exe.vir
    2007-04-17 12:34      294912    --a------    C:\Qoobox\Quarantine\C\Program Files\DeluxeCommunications\DxcCore.dll.vir
    2007-04-17 12:34      96768    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DXCLIB~1.DLL.vir
    2007-04-17 12:34      98816    --a------    C:\Qoobox\Quarantine\C\Program Files\DeluxeCommunications\DxcBho.dll.vir
    2007-04-18 01:29      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\bstdin.bin.vir
    2007-04-18 18:04      106767    --a------    C:\Qoobox\Quarantine\C\WINDOWS\awttuu.dll.vir
    2007-04-18 18:23      4669    --a------    C:\Qoobox\Quarantine\C\1.exe.vir
    2007-04-18 18:23      9526    --a------    C:\Qoobox\Quarantine\C\xx1232255.exe.vir
    2007-04-18 18:24      10045    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\a3dxq.dll.vir
    2007-04-18 18:24      26694    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hggdabb.dll.vir
    2007-04-19 16:43      169472    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\sdetvtv.dll.vir
    2007-04-19 16:43      21504    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\drhpmit.dll.vir
    2007-04-19 16:43      265988    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\NDIS.SYS.vir
    2007-04-19 16:44      7296    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\ip6fw.sys.vir
    2007-04-19 16:46      2    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wnstsicomsv.exe.vir
    2007-04-19 16:46      91958    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cent.exe.vir
    2007-04-19 17:13      119    --a------    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Documents\Settings\desktop.ini.vir
    2007-07-26 19:43      14336    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\{B04E6~2\Update.exe.vir
    2007-07-26 19:43      6656    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\{B04E6~2\system.dll.vir
    2007-07-26 23:45      81920    --a------    C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\WinHealer.dll.vir
    2007-07-28 13:35      1096165    --a------    C:\Qoobox\Quarantine\C\WINDOWS\uuttwa.ini.vir
    2007-07-30 23:25      1521    --a------    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\Cache\files.ini.vir
    
    
    Folder PATH listing
    Volume serial number is 71FAE346 B04E:6D12
    C:\QOOBOX
    \---Quarantine
        |   catchme.log
        |   catchme2001-01-01_ 04427.01.zip
        |   
        +---C
        |   |   1.exe.vir
        |   |   command.exe.vir
        |   |   StubInstaller.exe.vir
        |   |   xx1232255.exe.vir
        |   |   
        |   +---Documents and Settings
        |   |   +---All Users
        |   |   |   \---Documents
        |   |   |       \---Settings
        |   |   |               desktop.ini.vir
        |   |   |               
        |   |   \---Brent
        |   |       \---MYDOCU~1
        |   |           \---YSTEM3~1
        |   |                   ??plorer.exe.vir
        |   |                   
        |   +---Program Files
        |   |   +---Common Files
        |   |   |   |   Yazzle1122OinAdmin.exe.vir
        |   |   |   |   Yazzle1122OinUninstaller.exe.vir
        |   |   |   |   
        |   |   |   +---imqu
        |   |   |   |   |   imqua.lck.vir
        |   |   |   |   |   imquh.vir
        |   |   |   |   |   imqul.lck.vir
        |   |   |   |   |   imqum.exe.vir
        |   |   |   |   |   imqum.lck.vir
        |   |   |   |   |   imqup.lck.vir
        |   |   |   |   |   
        |   |   |   |   \---imqud
        |   |   |   |           class-barrel.vir
        |   |   |   |           imquc.dll.vir
        |   |   |   |           
        |   |   |   +---{304E6~1
        |   |   |   |       UnInstall.exe.vir
        |   |   |   |       
        |   |   |   +---{B04E6~1
        |   |   |   |   |   system.dll.vir
        |   |   |   |   |   Update.exe.vir
        |   |   |   |   |   
        |   |   |   |   \---bak
        |   |   |   |           Update.exe.vir
        |   |   |   |           
        |   |   |   \---{B04E6~2
        |   |   |           system.dll.vir
        |   |   |           Update.exe.vir
        |   |   |           
        |   |   +---Cowabanga
        |   |   |       License.txt.vir
        |   |   |       uninstaller.exe.vir
        |   |   |       
        |   |   +---DeluxeCommunications
        |   |   |       Dxc.exe.vir
        |   |   |       DxcBho.dll.vir
        |   |   |       DxcCore.dll.vir
        |   |   |       
        |   |   +---FunWebProducts
        |   |   |   \---Shared
        |   |   |       |   0EF14CCB.dat.vir
        |   |   |       |   
        |   |   |       \---Cache
        |   |   |               AvatarSmallBtn.html.vir
        |   |   |               CursorManiaBtn.html.vir
        |   |   |               FunBuddyIconBtn.html.vir
        |   |   |               MailStampBtn.html.vir
        |   |   |               MyFunCardsIMBtn.html.vir
        |   |   |               MyStationeryBtn.html.vir
        |   |   |               SmileyCentralBtn.html.vir
        |   |   |               
        |   |   +---MyWebSearch
        |   |   |   \---bar
        |   |   |       +---1.bin
        |   |   |       |   |   F3BKGERR.JPG.vir
        |   |   |       |   |   F3BROVLY.DLL.vir
        |   |   |       |   |   F3CJPEG.DLL.vir
        |   |   |       |   |   F3DTACTL.DLL.vir
        |   |   |       |   |   F3HISTSW.DLL.vir
        |   |   |       |   |   F3HTMLMU.DLL.vir
        |   |   |       |   |   F3HTTPCT.DLL.vir
        |   |   |       |   |   F3IMSTUB.DLL.vir
        |   |   |       |   |   F3POPSWT.DLL.vir
        |   |   |       |   |   F3PSSAVR.SCR.vir
        |   |   |       |   |   F3REPROX.DLL.vir
        |   |   |       |   |   F3RESTUB.DLL.vir
        |   |   |       |   |   F3SCHMON.EXE.vir
        |   |   |       |   |   F3SCRCTR.DLL.vir
        |   |   |       |   |   F3SHLLVW.DLL.vir
        |   |   |       |   |   F3SPACER.WMV.vir
        |   |   |       |   |   F3WALLPP.DAT.vir
        |   |   |       |   |   F3WPHOOK.DLL.vir
        |   |   |       |   |   M3FFXTBR.JAR.vir
        |   |   |       |   |   M3FFXTBR.MANIFEST.vir
        |   |   |       |   |   M3HTML.DLL.vir
        |   |   |       |   |   M3IDLE.DLL.vir
        |   |   |       |   |   M3IMPIPE.EXE.vir
        |   |   |       |   |   M3MSG.DLL.vir
        |   |   |       |   |   M3NTSTBR.JAR.vir
        |   |   |       |   |   M3NTSTBR.MANIFEST.vir
        |   |   |       |   |   M3OUTLCN.DLL.vir
        |   |   |       |   |   M3PLUGIN.DLL.vir
        |   |   |       |   |   M3SKIN.DLL.vir
        |   |   |       |   |   M3SKPLAY.EXE.vir
        |   |   |       |   |   M3SLSRCH.EXE.vir
        |   |   |       |   |   M3SRCHMN.EXE.vir
        |   |   |       |   |   mwsoemon.exe.vir
        |   |   |       |   |   MWSOEPLG.DLL.vir
        |   |   |       |   |   MWSOESTB.DLL.vir
        |   |   |       |   |   NPMYWEBS.DLL.vir
        |   |   |       |   |   
        |   |   |       |   \---bak
        |   |   |       |           mwsoemon.exe.vir
        |   |   |       |           
        |   |   |       +---Avatar
        |   |   |       |       COMMON.F3S.vir
        |   |   |       |       
        |   |   |       +---Cache
        |   |   |       |       0006A76E.bin.vir
        |   |   |       |       0006B103.bin.vir
        |   |   |       |       0006B355.bin.vir
        |   |   |       |       0006B671.bin.vir
        |   |   |       |       0006BF7A.bin.vir
        |   |   |       |       0006C229.vir
        |   |   |       |       016144C4.bin.vir
        |   |   |       |       01614AFE.bin.vir
        |   |   |       |       01614C94.bin.vir
        |   |   |       |       01615908.bin.vir
        |   |   |       |       01615A40.bin.vir
        |   |   |       |       0EF00595.vir
        |   |   |       |       0EF01DD0.bin.vir
        |   |   |       |       0EF02041.bin.vir
        |   |   |       |       0EF022B2.bin.vir
        |   |   |       |       0EF0240A.bin.vir
        |   |   |       |       files.ini.vir
        |   |   |       |       
        |   |   |       +---Game
        |   |   |       |       CHECKERS.F3S.vir
        |   |   |       |       CHESS.F3S.vir
        |   |   |       |       REVERSI.F3S.vir
        |   |   |       |       
        |   |   |       +---History
        |   |   |       |       search2.vir
        |   |   |       |       
        |   |   |       +---Message
        |   |   |       |       COMMON.F3S.vir
        |   |   |       |       
        |   |   |       +---Notifier
        |   |   |       |       COMMON.F3S.vir
        |   |   |       |       DOG.F3S.vir
        |   |   |       |       FISH.F3S.vir
        |   |   |       |       KUNGFU.F3S.vir
        |   |   |       |       LIFEGARD.F3S.vir
        |   |   |       |       MAID.F3S.vir
        |   |   |       |       MAILBOX.F3S.vir
        |   |   |       |       OPERA.F3S.vir
        |   |   |       |       ROBOT.F3S.vir
        |   |   |       |       SEDUCT.F3S.vir
        |   |   |       |       SURFER.F3S.vir
        |   |   |       |       
        |   |   |       \---Settings
        |   |   |               prevcfg2.htm.vir
        |   |   |               setting2.htm.vir
        |   |   |               settings.dat.vir
        |   |   |               s_pid.dat.vir
        |   |   |               
        |   |   +---Network Monitor
        |   |   |       netmon.exe.vir
        |   |   |       
        |   |   +---NewDotNet
        |   |   |       newdotnet6_38(2).dll.vir
        |   |   |       readme.html.vir
        |   |   |       
        |   |   +---OIN Search
        |   |   |       OINSearch.dll.vir
        |   |   |       Uninstall.exe.vir
        |   |   |       
        |   |   +---Outerinfo
        |   |   |       outerinfo.ico.vir
        |   |   |       Terms.rtf.vir
        |   |   |       
        |   |   \---webHancer
        |   |       \---Programs
        |   |           \---bak
        |   |                   whagent.exe.vir
        |   |                   
        |   \---WINDOWS
        |       |   awttuu.dll.vir
        |       |   bstdin.bin.vir
        |       |   cmfbr43.dll.vir
        |       |   iuntfs32.exe.vir
        |       |   uninstall_nmon.vbs.vir
        |       |   uuttwa.ini.vir
        |       |   
        |       +---SYSTEM32
        |       |   |   a3dxq.dll.vir
        |       |   |   atmtd.dll.vir
        |       |   |   atmtd.dll._.vir
        |       |   |   cent.exe.vir
        |       |   |   dinGR1.dll.vir
        |       |   |   drhpmit.dll.vir
        |       |   |   driverc.exe.vir
        |       |   |   driverd.exe.vir
        |       |   |   DXCLIB~1.DLL.vir
        |       |   |   f3PSSavr.scr.vir
        |       |   |   hggdabb.dll.vir
        |       |   |   iifcyyv.dll.vir
        |       |   |   ksxc.dll.vir
        |       |   |   monterreyc_redux.exe.vir
        |       |   |   monterreyd_a4m.exe.vir
        |       |   |   monterreyd_olive.exe.vir
        |       |   |   sdetvtv.dll.vir
        |       |   |   tsuninst.exe.vir
        |       |   |   WinHealer.dll.vir
        |       |   |   wnstsicomsv.exe.vir
        |       |   |   wnstssv.exe.vir
        |       |   |   
        |       |   +---DRIVERS
        |       |   |       fad.sys.vir
        |       |   |       ip6fw.sys.vir
        |       |   |       NDIS.SYS.vir
        |       |   |       
        |       |   \---MANTEC~1
        |       |       |   msiexec.exe.vir
        |       |       |   msiexec.exe1176139249.vir
        |       |       |   
        |       |       \---bak
        |       |               msiexec.exe.vir
        |       |               
        |       \---U3VzYW4
        |               asappsrv.dll.vir
        |               command.exe.vir
        |               oapWsqb.vbs.vir
        |               
        \---Registry_backups
                LEGACY_CMDSERVICE.reg.cf
                LEGACY_COM+_MESSAGES.reg.cf
                LEGACY_LDRSVC.reg.cf
                LEGACY_NETWORK_MONITOR.reg.cf
                LEGACY_NTLDR.SYS.reg.cf
                LEGACY_RUNTIME.reg.cf
                services_cmdService.reg.cf
                services_COM+ Messages.reg.cf
                services_ldrsvc.reg.cf
                services_Network Monitor.reg.cf
                services_ntldr.reg.cf
                services_Runtime.reg.cf
                
    
     
  17. 2007/08/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Great! Looking good!!

    The system time is still not correct, shown in the HijackThis log. Maybe you created the log before changing the time?

    I missed one ....... Run option 2 in FindAWF again and enter the following into files.txt, then save. Post the new awf.txt

    "C:\WINDOWS\SYSTEM32\bak\DSentry.exe"

    Open Add/Remove programs and uninstall all versions of Java (JRE) listed, then delete the Java folder in C:\Program Files

    Don't forget to run the CFScript operation and post the new ComboFix log ;)


    When done with all of that, reboot and do another HijackThis scan, then post the log.

    I'll look through the quarantine log tomorrow to make sure of what all was removed (or not removed).

    BTW, have the virtual memory errors ceased?
     
  18. 2007/08/01
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    I just did that; I ran hjt about 5 minutes before posting the log so it was current. I haven't gotten any virtual memory errors since this morning, after combofix finally ran completely through. We'll keep editing until it's all fixed.... the only error I am getting now is when windows loads, the tm proxy module experienced a critical error please reinstall (but I see that has nothing to do with windows, don't know what's going on with trend micro yet, will deal with that after fixing these other problems.) I did change the time, but couldn't remember where combofix stored the qrt. file so I ran it again, and it changed the time.. I will reset it again.. combofix keeps saying that it will fix it when it finishes but it hasn't yet.
     
  19. 2007/08/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I guess I failed to mention setting the correct date :p Would you set that please?

    Good to hear the errors have stopped.

    We're getting very close to putting this machine online and downloading some antispyware apps, doing online virus scans, and dumping trend to install something a bit less of a system hog, do updates, etc.

    You've done a fantastic job! :)

    I'm going to get some sleep now. We can continue tomorrow evening, once you've posted the rest of the logs.
     
  20. 2007/08/01
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    here is the latest hjt log...going to bed will pick this up again tomorrow...

    Logfile of HijackThis v1.99.1
    Scan saved at 2:20:14 AM, on 8/1/2001
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm231YYUS
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
     
  21. 2007/08/01
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    I guess I was really tired last night, I missed a couple of instructions.. sorry...
    here is the combofix log. I changed the date again; combofix keeps changing it, but at least it fixed the time...


    combofix log:
    ComboFix 07-07-30.2 - "Brent" 2001-08-01 21:09:46.5 [GMT -4:00] - NTFS
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.True


    ((((((((((((((((((((((((( Files Created from 2001-07-02 to 2001-08-02 )))))))))))))))))))))))))))))))


    2001-08-18 00:36 8,192 --a------ C:\WINDOWS\SYSTEM32\STREAMCI.DLL
    2001-08-18 00:36 67,072 --a------ C:\WINDOWS\SYSTEM32\USBUI.DLL
    2001-08-18 00:36 585,344 --a------ C:\WINDOWS\SYSTEM32\I81XDNT5.DLL
    2001-08-17 16:07 56,960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AIC78XX.SYS
    2001-08-17 16:07 55,168 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AIC78U2.SYS
    2001-08-17 16:07 5,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\PERC2HIB.SYS
    2001-08-17 16:07 32,640 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMC8XX.SYS
    2001-08-17 16:07 30,688 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYM_U3.SYS
    2001-08-17 16:07 28,384 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYM_HI.SYS
    2001-08-17 16:07 27,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\PERC2.SYS
    2001-08-17 16:07 25,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\HPN.SYS
    2001-08-17 16:07 20,192 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\DPTI2O.SYS
    2001-08-17 16:07 19,072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SPARROW.SYS
    2001-08-17 16:07 16,256 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMC810.SYS
    2001-08-17 16:07 101,888 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ADPU160M.SYS
    2001-08-17 15:59 3,072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AUDSTUB.SYS
    2001-08-17 15:58 35,840 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ISAPNP.SYS
    2001-08-17 15:58 29,056 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AGPCPQ.SYS
    2001-08-17 15:58 27,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AMDAGP.SYS
    2001-08-17 15:58 27,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ALIM1541.SYS
    2001-08-17 15:58 27,392 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\VIAAGP.SYS
    2001-08-17 15:58 26,112 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SISAGP.SYS
    2001-08-17 15:58 25,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AGP440.SYS
    2001-08-17 15:56 7,680 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\I2OMGMT.SYS
    2001-08-17 15:56 17,536 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\I2OMP.SYS
    2001-08-17 15:52 7,680 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CD20XRNT.SYS
    2001-08-17 15:52 49,024 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\QL1280.SYS
    2001-08-17 15:52 45,312 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\QL12160.SYS
    2001-08-17 15:52 40,448 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\QL1240.SYS
    2001-08-17 15:52 40,320 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\QL1080.SYS
    2001-08-17 15:52 36,736 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ULTRA.SYS
    2001-08-17 15:52 33,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\QL10WNT.SYS
    2001-08-17 15:52 26,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ASC.SYS
    2001-08-17 15:52 23,552 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ABP480N5.SYS
    2001-08-17 15:52 22,400 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ASC3350P.SYS
    2001-08-17 15:52 179,584 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\DAC2W2K.SYS
    2001-08-17 15:52 17,280 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MRAID35X.SYS
    2001-08-17 15:52 16,000 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\INI910U.SYS
    2001-08-17 15:52 14,976 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CPQARRAY.SYS
    2001-08-17 15:52 14,720 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\DAC960NT.SYS
    2001-08-17 15:52 13,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CBIDF2K.SYS
    2001-08-17 15:52 125,056 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\FTDISK.SYS
    2001-08-17 15:52 12,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AHA154X.SYS
    2001-08-17 15:52 12,032 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AMSINT.SYS
    2001-08-17 15:51 6,656 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CMDIDE.SYS
    2001-08-17 15:51 5,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ALIIDE.SYS
    2001-08-17 15:51 4,992 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TOSIDE.SYS
    2001-08-17 15:51 3,328 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\PCIIDE.SYS
    2001-08-17 15:51 14,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ASC3550.SYS
    2001-08-17 15:48 3,840 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SWENUM.SYS
    2001-08-17 14:49 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wATV03nt.sys
    2001-08-17 14:49 31,104 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wATV04nt.sys
    2001-08-17 14:49 29,440 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wATV01nt.sys
    2001-08-17 14:49 23,680 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wCh7xxNT.sys
    2001-08-17 14:49 19,456 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wATV02NT.sys
    2001-08-17 14:49 18,688 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wVchNTxx.sys
    2001-08-17 14:49 138,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\I81XNT5.SYS
    2001-08-17 14:49 12,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wADV01nt.sys
    2001-08-17 14:49 12,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wADV02NT.sys
    2001-08-17 14:49 12,160 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wSiINTxx.sys
    2001-08-17 14:49 12,032 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wADV05NT.sys
    2001-08-17 14:11 66,591 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS
    2001-08-15 18:31 57,344 --a------ C:\WINDOWS\SYSTEM32\LTWEB12n.dll
    2001-08-13 11:03 99,840 --a------ C:\WINDOWS\SYSTEM32\LTCON12n.dll
    2001-08-13 11:03 844,288 --a------ C:\WINDOWS\SYSTEM32\Ltwvc12n.dll
    2001-08-13 11:03 83,456 --a------ C:\WINDOWS\SYSTEM32\lfdwg12N.dll
    2001-08-13 11:03 824,832 --a------ C:\WINDOWS\SYSTEM32\LTDic12n.dll
    2001-08-13 11:03 79,360 --a------ C:\WINDOWS\SYSTEM32\Lfplt12n.dll
    2001-08-13 11:03 78,336 --a------ C:\WINDOWS\SYSTEM32\lffax12n.dll
    2001-08-13 11:03 761,856 --a------ C:\WINDOWS\SYSTEM32\ltwen12n.dll
    2001-08-13 11:03 76,800 --a------ C:\WINDOWS\SYSTEM32\LTTLB12n.dll
    2001-08-13 11:03 752,640 --a------ C:\WINDOWS\SYSTEM32\ltann12n.dll
    2001-08-13 11:03 73,728 --a------ C:\WINDOWS\SYSTEM32\ltlst12n.dll
    2001-08-13 11:03 72,704 --a------ C:\WINDOWS\SYSTEM32\ltcap12n.dll
    2001-08-13 11:03 71,680 --a------ C:\WINDOWS\SYSTEM32\Lfpct12n.dll
    2001-08-13 11:03 69,120 --a------ C:\WINDOWS\SYSTEM32\lfXpm12n.dll
    2001-08-13 11:03 66,048 --a------ C:\WINDOWS\SYSTEM32\Lfdgn12n.dll
    2001-08-13 11:03 64,512 --a------ C:\WINDOWS\SYSTEM32\ltbar12n.dll
    2001-08-13 11:03 64,000 --a------ C:\WINDOWS\SYSTEM32\Lfdrw12n.dll
    2001-08-13 11:03 60,928 --a------ C:\WINDOWS\SYSTEM32\Lfcgm12n.dll
    2001-08-13 11:03 60,416 --a------ C:\WINDOWS\SYSTEM32\Lvdx12n.dll
    2001-08-13 11:03 59,904 --a------ C:\WINDOWS\SYSTEM32\Lvgl12n.dll
    2001-08-13 11:03 59,392 --a------ C:\WINDOWS\SYSTEM32\Lfwmf12n.dll
    2001-08-13 11:03 57,344 --a------ C:\WINDOWS\SYSTEM32\lfeps12n.dll
    2001-08-13 11:03 56,320 --a------ C:\WINDOWS\SYSTEM32\lfpsd12n.dll
    2001-08-13 11:03 51,712 --a------ C:\WINDOWS\SYSTEM32\lttmb12n.dll
    2001-08-13 11:03 51,712 --a------ C:\WINDOWS\SYSTEM32\ltnet12n.dll
    2001-08-13 11:03 497,664 --a------ C:\WINDOWS\SYSTEM32\lfdwf12n.dll
    2001-08-13 11:03 48,640 --a------ C:\WINDOWS\SYSTEM32\LFPNM12n.dll
    2001-08-13 11:03 48,640 --a------ C:\WINDOWS\SYSTEM32\lfica12n.dll
    2001-08-13 11:03 46,080 --a------ C:\WINDOWS\SYSTEM32\lfflc12n.dll
    2001-08-13 11:03 45,568 --a------ C:\WINDOWS\SYSTEM32\lfXbm12n.dll
    2001-08-13 11:03 43,008 --a------ C:\WINDOWS\SYSTEM32\lfgif12n.dll
    2001-08-13 11:03 41,472 --a------ C:\WINDOWS\SYSTEM32\lttwn12n.dll
    2001-08-13 11:03 406,016 --a------ C:\WINDOWS\SYSTEM32\ltkrn12n.dll
    2001-08-13 11:03 40,448 --a------ C:\WINDOWS\SYSTEM32\ltisi12n.dll
    2001-08-13 11:03 36,864 --a------ C:\WINDOWS\SYSTEM32\LTWND12n.DLL
    2001-08-13 11:03 36,864 --a------ C:\WINDOWS\SYSTEM32\lfbmp12n.dll
    2001-08-13 11:03 35,840 --a------ C:\WINDOWS\SYSTEM32\lflma12n.dll
    2001-08-13 11:03 35,840 --a------ C:\WINDOWS\SYSTEM32\lfcal12n.dll


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-29 13:42 5558 --a------ C:\WINDOWS\system32\tmp.reg
    2007-07-27 13:27 --------- d-------- C:\DOCUME~1\Brent\APPLIC~1\Webroot
    2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
    2007-03-28 20:05 26112 --a------ C:\WINDOWS\ntmsapi32.dll
    2007-03-18 20:57 --------- d-------- C:\DOCUME~1\Brent\APPLIC~1\MSN6
    2007-03-11 21:11 --------- dr-h----- C:\DOCUME~1\Brent\APPLIC~1\yahoo!
    2007-02-17 18:59 --------- d-------- C:\Program Files\GameHouse
    2007-02-15 23:52 --------- d-------- C:\Program Files\TryMedia
    2007-02-13 21:57 --------- d-------- C:\Program Files\Yahoo!
    2007-02-06 20:15 --------- d-------- C:\DOCUME~1\Brent\APPLIC~1\Corel
    2007-02-05 18:34 --------- d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
    2007-01-27 00:48 146 --ah----- C:\Program Files\hpothb07.dat
    2006-09-06 20:27 31248 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
    2006-09-06 20:27 197648 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
    2006-09-06 20:09 1051456 --a------ C:\WINDOWS\system32\drivers\VsapiNT.sys
    2006-04-27 17:49 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2006-03-05 23:44 --------- d-------- C:\Program Files\ItsDeductible2005
    2006-03-05 21:19 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-03-05 21:19 --------- d-------- C:\Program Files\Common Files\AnswerWorks 4.0
    2006-03-05 21:17 --------- d-------- C:\Program Files\Common Files\Intuit
    2006-03-05 21:16 --------- d-------- C:\Program Files\TurboTax
    2006-03-05 21:15 --------- d-------- C:\Program Files\Common Files\InstallShield
    2005-10-03 19:53 38784 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
    2005-09-07 18:27 1716297 --a------ C:\WINDOWS\system32\InetClnt.dll
    2005-08-14 18:35 --------- d-------- C:\Program Files\Dell
    2005-08-14 18:32 --------- d-------- C:\Program Files\Common Files\Symantec Shared
    2005-08-11 21:56 --------- d-------- C:\Program Files\Trend Micro
    2005-08-03 23:05 --------- d--h----- C:\DOCUME~1\Brent\APPLIC~1\GTek
    2005-08-03 20:55 --------- d-------- C:\Program Files\Support.com
    2005-05-18 12:21 529 --ah----- C:\hpothb07.dat
    2005-05-18 12:20 255 --ah----- C:\Program Files\hpothb07.tif
    2005-04-28 19:21 --------- d-------- C:\DOCUME~1\Brent\APPLIC~1\Symantec
    2005-01-18 21:03 838870 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
    2004-09-19 23:34 --------- d-------- C:\Program Files\SymNetDrv
    2004-07-31 18:50 51200 --a------ C:\WINDOWS\system32\dumphive.exe
    2004-06-20 21:56 --------- d-------- C:\Program Files\Hewlett-Packard
    2004-06-17 12:56 7626 --a------ C:\WINDOWS\system32\GPCIEnu.sys
    2004-06-09 15:31 6144 --a------ C:\WINDOWS\system32\DLPT.sys
    2004-06-09 09:29 6977 --a------ C:\WINDOWS\system32\DDMI2.sys
    2004-04-18 21:22 --------- d-------- C:\DOCUME~1\Brent\APPLIC~1\Hewlett-Packard
    2004-03-23 21:17 --------- d-------- C:\DOCUME~1\Brent\APPLIC~1\Share-to-Web Upload Folder
    2004-03-15 22:40 82380 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
    2004-03-01 22:42 18283 --a------ C:\WINDOWS\HPHins01.dat
    2004-03-01 22:39 --------- d-------- C:\Program Files\HP
    2004-02-18 21:38 --------- d-------- C:\Program Files\ABBYY FineReader 6.0
    2004-01-05 20:58 --------- d-------- C:\Program Files\Common Files\Nullsoft
    2003-09-12 10:30 4284 --------- C:\WINDOWS\hphmdl01.dat
    2003-09-03 21:28 --------- d-------- C:\Program Files\QUICKENW
    2003-08-20 22:24 61440 --a------ C:\WINDOWS\system32\HPHap05.exe
    2003-08-20 17:15 483328 --a------ C:\WINDOWS\system32\hphmon05.exe
    2003-08-20 16:59 6371 -ra------ C:\WINDOWS\system32\hphmon05.dat
    2003-08-19 06:51 69632 --a------ C:\WINDOWS\system32\LXBKCU.DLL
    2003-08-19 06:43 90112 --a------ C:\WINDOWS\system32\LXBKCUR.DLL
    2003-08-19 06:41 454656 --a------ C:\WINDOWS\system32\LXBKJSWR.DLL
    2003-08-19 06:29 352256 --a------ C:\WINDOWS\system32\LXBKUTIL.DLL
    2003-08-19 06:25 73728 --a------ C:\WINDOWS\system32\lxbkpwr.dll
    2003-08-18 11:43 82432 -ra------ C:\WINDOWS\system32\MSXML4r.dll
    2003-08-18 11:43 626960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
    2003-08-18 11:43 487424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
    2003-08-18 11:43 44544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
    2003-08-18 11:43 344064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
    2003-08-18 11:43 1230336 -ra------ C:\WINDOWS\system32\MSXML4.dll
    2003-08-18 07:56 69632 --a------ C:\WINDOWS\system32\lxbkscin.dll
    2003-08-18 07:56 57344 --a------ C:\WINDOWS\system32\lxbkcinf.dll
    2003-08-18 07:56 49152 --a------ C:\WINDOWS\system32\lxbkcoin.dll
    2003-08-18 07:03 544768 --a------ C:\WINDOWS\system32\LXBKLSNT.EXE
    2003-08-18 06:58 217088 --a------ C:\WINDOWS\system32\LXBKLCNT.DLL
    2003-08-18 06:57 286720 --a------ C:\WINDOWS\system32\LXBKPMNT.DLL
    2003-08-18 06:55 86016 --a------ C:\WINDOWS\system32\LXBKIH.EXE
    2003-08-18 06:55 155648 --a------ C:\WINDOWS\system32\LEXPING.EXE
    2003-08-18 06:53 126976 --a------ C:\WINDOWS\system32\LXBKCFG.EXE
    2003-08-18 06:52 286720 --a------ C:\WINDOWS\system32\lxbkcomm.dll
    2003-08-18 06:46 77824 --a------ C:\WINDOWS\system32\LXBKLCNP.DLL
    2003-07-25 09:57 147512 --a------ C:\WINDOWS\system32\hpzlnt09.dll
    2003-07-25 09:53 270336 --a------ C:\WINDOWS\system32\hpzcon09.dll
    2003-07-25 09:52 208896 --a------ C:\WINDOWS\system32\hpzcoi09.dll
    2003-06-23 03:44 1415680 --a------ C:\WINDOWS\system32\wmv9vcm.dll
    2003-06-05 21:13 53248 --a------ C:\WINDOWS\system32\Process.exe
    2003-05-14 08:45 65795 -ra------ C:\WINDOWS\system32\HPZipm12.exe
    2003-05-14 08:45 61699 -ra------ C:\WINDOWS\system32\HPZinw12.exe
    2003-05-14 08:24 262144 -ra------ C:\WINDOWS\system32\HPZc3212.dll
    2003-05-14 08:23 196608 -ra------ C:\WINDOWS\system32\HPZipr12.dll
    2003-05-14 08:21 266296 -ra------ C:\WINDOWS\system32\HPZidr12.dll
    2003-05-14 08:19 51056 -ra------ C:\WINDOWS\system32\drivers\hpzid412.sys
    2003-05-14 08:19 16496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
    2003-05-14 08:17 21488 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
    2003-05-14 08:14 94208 -ra------ C:\WINDOWS\system32\HPZipt12.dll
    2003-05-14 08:14 57344 -ra------ C:\WINDOWS\system32\HPZisn12.dll
    2003-02-26 19:27 --------- d-------- C:\DOCUME~1\Brent\APPLIC~1\Help
    2003-01-09 19:39 --------- d-------- C:\Program Files\Headgames
    2003-01-09 19:27 45056 --a------ C:\WINDOWS\NCUNINST.EXE
    2003-01-07 22:08 --------- d-------- C:\Program Files\Common Files\SWF Studio
    2002-12-29 13:04 59440 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2002-12-29 13:04 53248 --a------ C:\WINDOWS\uneng.exe
    2002-12-29 13:04 45056 --a------ C:\WINDOWS\system32\cdrtc.dll
    2002-12-29 13:04 45056 --a------ C:\WINDOWS\system32\cdral.dll
    2002-12-29 13:04 23724 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
    2002-12-29 13:04 --------- d-------- C:\Program Files\Roxio
    2002-12-29 13:04 --------- d-------- C:\Program Files\McAfee.com
    2002-12-29 13:04 --------- d-------- C:\Program Files\Common Files\Adaptec Shared


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2002-12-29 12:57]
    "MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 19:29]
    "AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 18:44]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-01-12 10:37]
    "Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 06:43]
    "HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 17:23]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-08-20 15:57]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 12:24]
    "Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42]
    "CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 01:23]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 08:51]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Symantec Network Driver Update Warning"=C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
    "ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    "Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    C:\Documents and Settings\Brent\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 15:36:04]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 15:36:04]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2002-12-29 12:53:59]

    R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\System32\drivers\Cdr4_xp.sys
    R1 Cdralw2k;Cdralw2k;C:\WINDOWS\System32\drivers\Cdralw2k.sys
    R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
    R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
    R1 tmtdi;Trend Micro TDI Driver;C:\WINDOWS\System32\Drivers\tmtdi.sys
    R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
    R2 ASCTRM;ASCTRM;C:\WINDOWS\System32\drivers\ASCTRM.sys
    R2 tm_cfw;Common Firewall Driver;C:\WINDOWS\System32\Drivers\tm_cfw.sys
    R2 Tmfilter;Tmfilter;C:\WINDOWS\System32\drivers\TmXPFlt.sys
    R2 Tmpreflt;Tmpreflt;C:\WINDOWS\System32\drivers\Tmpreflt.sys
    R2 Vsapint;Vsapint;C:\WINDOWS\System32\drivers\Vsapint.sys
    R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys
    R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
    R3 MxlW2k;MxlW2k;C:\WINDOWS\System32\drivers\MxlW2k.sys
    S2 windev-4134-6407;windev-4134-6407;\??\C:\WINDOWS\system32\windev-4134-6407.sys
    S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
    S3 i81x;i81x;C:\WINDOWS\System32\DRIVERS\i81xnt5.sys
    S3 iAimFP0;iAimFP0;C:\WINDOWS\System32\DRIVERS\wADV01nt.sys
    S3 iAimFP1;iAimFP1;C:\WINDOWS\System32\DRIVERS\wADV02NT.sys
    S3 iAimFP2;iAimFP2;C:\WINDOWS\System32\DRIVERS\wADV05NT.sys
    S3 iAimFP3;iAimFP3;C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys
    S3 iAimFP4;iAimFP4;C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys
    S3 iAimTV0;iAimTV0;C:\WINDOWS\System32\DRIVERS\wATV01nt.sys
    S3 iAimTV1;iAimTV1;C:\WINDOWS\System32\DRIVERS\wATV02NT.sys
    S3 iAimTV2;iAimTV2;C:\WINDOWS\System32\DRIVERS\wATV03nt.sys
    S3 iAimTV3;iAimTV3;C:\WINDOWS\System32\DRIVERS\wATV04nt.sys
    S3 iAimTV4;iAimTV4;C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys
    S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\System32\DRIVERS\wanatw4.sys
    S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\System32\DRIVERS\agpCPQ.sys


    Contents of the 'Scheduled Tasks' folder
    2007-04-02 01:40:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#140#CN3CN340S2J3.job - C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
    2007-04-18 21:39:00 C:\WINDOWS\Tasks\HP Usg Daily.job - C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
    2003-01-03 23:39:07 C:\WINDOWS\Tasks\ISP signup reminder 1.job - C:\WINDOWS\System32\OOBE\OOBEBALN.EXE

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2001-08-01 21:11:45
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2001-08-01 21:12:43
    C:\ComboFix-quarantined-files.txt ... 2001-08-01 21:12
    C:\ComboFix2.txt ... 2001-08-01 02:09
    C:\ComboFix3.txt ... 2001-08-01 00:55

    --- E O F ---
     
