virtumonde problem...

Unknown · January 2008

i have zonealarm... and it sees an adware virtumonde.dyx but it wont get rid of it i have hijack this and virtufix but i did virtufix already and it didnt see anything but 1 file and it rebooted my puter so i did the scan on hijack and this is what it says....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:05 AM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\Owner.OurComputer.001\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=W6409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=W6409
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DEEAD4C-F042-4DC5-AB90-69715EDF2BE9} - C:\WINDOWS\system32\vtstu.dll
O2 - BHO: (no name) - {4F31706C-9136-416A-84EE-9EEEB06849A8} - (no file)
O2 - BHO: {045b2506-ced2-dc48-dfa4-5a9f9d1c9076} - {6709c1d9-f9a5-4afd-84cd-2dec6052b540} - C:\WINDOWS\system32\jffmrwev.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {89A1E40D-0254-4F99-B9AE-B60A2D8754A9} - C:\WINDOWS\system32\jkkigdb.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvtij.dll,startup
O4 - HKLM\..\Run: [50f84840] rundll32.exe "C:\WINDOWS\system32\labuyvxv.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O20 - Winlogon Notify: crypt32set - C:\WINDOWS\Media\fuwarxyus.dll (file missing)
O20 - Winlogon Notify: jkkigdb - jkkigdb.dll (file missing)
O20 - Winlogon Notify: uvyxsezf - uvyxsezf.dll (file missing)
O20 - Winlogon Notify: winblg32 - C:\WINDOWS\SYSTEM32\winblg32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\eqefvwhm.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7254 bytes

if anyone can help plz lemmie know i know i see the
O2 - BHO: (no name) - {1DEEAD4C-F042-4DC5-AB90-69715EDF2BE9} - C:\WINDOWS\system32\vtstu.dll

and that is the file that zonealarm sees

Veka · January 2008

Hi defcon3.

I'll be handling your log to help you get cleaned up. Please give me some time to look it over.

defcon3 · January 2008

vekarppe wrote:

Hi defcon3.

I'll be handling your log to help you get cleaned up. Please give me some time to look it over.

thank you vekarppe

defcon3 · January 2008

srry i forgot to add the vundofix.exe log

VundoFix V6.5.10
Checking Java version...
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Scan started at 7:28:25 AM 1/24/2008
Listing files found while scanning....
C:\WINDOWS\system32\uvyxsezf.dll
Beginning removal...
Performing Repairs to the registry.
Done!

Veka · January 2008

Step 1:

I dont see an antivirus installed. I ask you to download and install one Anti-Virus program below (they are free)

avast! 4 Home Edition
AVG Anti-Spyware Free Edition
Avira AntiVir PersonalEdition Classic

Reboot your computer after installation.

Step 2:

Please download ComboFix from Here or Here to your Desktop.

* In the event you already have Combofix, this is a new version that I need you to download.
* It is important that it is saved directly to your desktop

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

defcon3 · January 2008

vekarppe wrote:

Step 1:

I dont see an antivirus installed.

isnt the zonealarm i have an antivirus program as well as firewall and other stuff?

defcon3 · January 2008

ok here is the combofix log

ComboFix 08-01-23.1C - Owner 2008-01-25 20:00:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.690 [GMT -6:00]
Running from: C:\Documents and Settings\Owner.OurComputer.001\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Helper
C:\Program Files\Helper\superfindout.dll
C:\Program Files\MSN Messenger\MsnMsgr .Exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\jffmrwev.dll
C:\WINDOWS\system32\labuyvxv.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mll_hp.dll
C:\WINDOWS\system32\qstwa.ini
C:\WINDOWS\system32\qstwa.ini2
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\uvyxsezf.dllbox
C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\vxvyubal.ini
D:\Autorun.inf

<pre>
C:\Program Files\MSN Messenger\MsnMsgr .Exe ---> QooBox
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe ---> QooBox
C:\WINDOWS\system32\ctfmon .exe ---> QooBox
</pre>

.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

\LEGACY_DOMAINSERVICE

\DomainService

((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.
2008-01-25 20:06 . 2008-01-25 20:06 334,848 --a

C:\WINDOWS\system32\vtstu.dll.vir
2008-01-25 20:06 . 2008-01-25 20:06 163,904 --a

C:\WINDOWS\system32\hypkawoh.dll.vir
2008-01-25 19:57 . 2000-08-31 08:00 51,200 --a

C:\WINDOWS\Nircmd.exe
2008-01-25 16:07 . 2008-01-25 16:07 5 --a

C:\WINDOWS\system32\50f85ace
2008-01-23 20:10 . 2008-01-25 18:45 1,907 --a

C:\rollback.ini
2008-01-23 12:24 . 2008-01-25 20:18 2,569,760 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-23 12:24 . 2008-01-25 20:16 35,444 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-23 12:13 . 2008-01-25 20:18 <DIR> d

C:\WINDOWS\Internet Logs
2008-01-22 19:06 . 2008-01-22 19:06 163,904 --a

C:\WINDOWS\system32\hypkawoh.dll
2008-01-22 00:24 . 2008-01-25 20:10 <DIR> d

C:\Program Files\MSN Messenger
2008-01-21 19:22 . 2008-01-21 20:05 <DIR> d

C:\Program Files\Uniblue
2008-01-21 15:34 . 2004-08-10 13:00 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-21 15:34 . 2004-08-10 13:00 15,360 --a

C:\WINDOWS\system32\ctfmon.exe
2008-01-21 14:15 . 2008-01-21 14:15 54,764 --a

C:\WINDOWS\system32\drivers\astq.tga
2008-01-21 14:15 . 2008-01-21 14:15 2 --a

C:\1358448879
2008-01-21 14:14 . 2008-01-21 14:14 23,552 --a

C:\WINDOWS\system32\winblg32.dll
2008-01-21 14:03 . 2008-01-21 20:51 <DIR> d

C:\Program Files\Common Files\Symantec Shared
2008-01-21 13:35 . 2008-01-21 13:35 716,272 --a

C:\WINDOWS\system32\drivers\sptd.sys
2008-01-20 06:01 . 2008-01-20 16:08 2,091 --a

C:\WINDOWS\system32\profile.out
2008-01-17 17:30 . 2007-09-24 23:31 69,632 --a

C:\WINDOWS\system32\javacpl.cpl
2008-01-16 00:41 . 2008-01-16 01:21 664 --a

C:\WINDOWS\system32\d3d9caps.dat
2008-01-15 19:06 . 2008-01-21 19:01 <DIR> d

C:\Program Files\iTunes
2008-01-15 19:06 . 2008-01-15 19:06 <DIR> d

C:\Program Files\iPod
2008-01-15 19:06 . 2008-01-21 18:56 54,156 --ah

C:\WINDOWS\QTFont.qfn
2008-01-15 19:06 . 2008-01-21 16:47 1,409 --a

C:\WINDOWS\QTFont.for
2008-01-15 19:05 . 2008-01-15 19:05 <DIR> d

C:\Program Files\QuickTime
2008-01-15 19:05 . 2008-01-15 19:05 <DIR> d

C:\Program Files\Apple Software Update
2008-01-15 19:05 . 2008-01-15 02:39 30,464 --a

C:\WINDOWS\system32\drivers\usbaapl.sys
2008-01-15 19:04 . 2008-01-15 19:04 <DIR> d

C:\Program Files\Common Files\Apple
2008-01-12 10:22 . 2008-01-12 10:22 <DIR> d

C:\WINDOWS\Sun
2008-01-12 10:22 . 2008-01-12 10:22 <DIR> d

C:\WINDOWS\.jagex_cache_32
2008-01-12 10:11 . 2008-01-12 10:11 <DIR> d

C:\Program Files\SecondLife
2008-01-12 09:56 . 2008-01-12 10:01 <DIR> d

C:\Program Files\Second Life
2008-01-10 16:01 . 2008-01-10 16:01 <DIR> d

C:\Program Files\DVD Flick
2008-01-10 16:01 . 2000-05-19 17:56 81,920 --a

C:\WINDOWS\system32\mbmouse.ocx
2008-01-10 16:01 . 2000-11-05 15:27 36,864 --a

C:\WINDOWS\system32\trayicon.ocx
2008-01-10 15:37 . 2008-01-20 14:23 69 --a

C:\WINDOWS\NeroDigital.ini
2008-01-10 15:33 . 2005-09-01 12:03 127,488 --a

C:\WINDOWS\system32\drivers\imagesrv.sys
2008-01-10 15:33 . 2005-09-01 12:03 5,888 --a

C:\WINDOWS\system32\drivers\imagedrv.sys
2008-01-10 15:32 . 2008-01-10 15:32 <DIR> d

C:\Program Files\Common Files\Ahead
2008-01-10 15:32 . 2004-07-26 17:16 1,568,768 --a

C:\WINDOWS\system32\ImagX7.dll
2008-01-10 15:32 . 2004-07-26 17:16 476,320 --a

C:\WINDOWS\system32\ImagXpr7.dll
2008-01-10 15:32 . 2004-07-26 17:16 471,040 --a

C:\WINDOWS\system32\ImagXRA7.dll
2008-01-10 15:32 . 2004-07-09 09:43 364,544 --a

C:\WINDOWS\system32\TwnLib4.dll
2008-01-10 15:32 . 2004-07-26 17:16 262,144 --a

C:\WINDOWS\system32\ImagXR7.dll
2008-01-10 15:32 . 2000-06-26 11:45 106,496 --a

C:\WINDOWS\system32\TwnLib20.dll
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a

C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a

C:\WINDOWS\system32\QuickTime.qts
2008-01-08 13:26 . 2007-07-30 19:19 271,224 --a

C:\WINDOWS\system32\mucltui.dll
2008-01-08 13:26 . 2007-07-30 19:19 207,736 --a

C:\WINDOWS\system32\muweb.dll
2008-01-08 13:26 . 2007-07-30 19:19 30,072 --a

C:\WINDOWS\system32\mucltui.dll.mui
2008-01-07 22:05 . 2008-01-22 00:24 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-07 21:54 . 2008-01-22 00:25 <DIR> d

C:\Program Files\Windows Live
2008-01-07 21:54 . 2008-01-07 22:05 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-07 16:12 . 2008-01-07 16:12 16 --a

C:\WINDOWS\popcinfo.dat
2008-01-05 16:23 . 2008-01-05 16:24 <DIR> d

C:\Program Files\LimeWire
2008-01-05 03:06 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-05 03:01 . 2008-01-05 03:01 <DIR> d

C:\Program Files\MSXML 4.0
2008-01-05 02:57 . 2006-10-04 08:06 1,197,294 --a--c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-01-05 02:57 . 2006-10-04 08:06 764,868 --a--c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-01-05 02:57 . 2006-10-04 08:06 217,118 --a--c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-01-05 02:56 . 2008-01-05 02:56 <DIR> d

C:\Program Files\Windows Media Connect 2
2008-01-05 02:54 . 2008-01-05 02:54 <DIR> d

C:\WINDOWS\system32\LogFiles
2008-01-05 02:54 . 2008-01-05 02:55 <DIR> d

C:\WINDOWS\system32\drivers\UMDF
2008-01-05 02:47 . 2006-08-21 03:14 128,896 --a--c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-05 02:47 . 2006-08-21 03:14 23,040 --a--c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-05 02:47 . 2006-08-21 06:21 16,896 --a--c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-05 02:39 . 2007-07-09 07:16 582,656 --a--c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-05 00:07 . 2008-01-05 00:11 <DIR> d

C:\Program Files\VLC
2008-01-04 23:47 . 2008-01-10 15:50 <DIR> d

C:\Program Files\WinAVI Video Converter
2008-01-04 23:47 . 2008-01-21 14:52 <DIR> d

C:\Program Files\uTorrent
2008-01-04 23:47 . 2008-01-10 15:33 <DIR> d

C:\Program Files\Nero
2008-01-04 23:46 . 2008-01-04 23:47 <DIR> d

C:\Linksys Wireless-G Wireless Network Monitor
2008-01-04 23:46 . 2004-12-22 02:32 369,024 -ra

C:\WINDOWS\system32\drivers\BCMWL5.SYS
2008-01-04 23:32 . 2003-10-13 15:30 94,208 --a

C:\WINDOWS\system32\GTW32N50.dll
2008-01-04 23:32 . 2003-09-25 23:28 31,930 --a

C:\WINDOWS\system32\GTNDIS3.VXD
2008-01-04 23:32 . 2003-09-25 22:15 15,872 --a

C:\WINDOWS\system32\GTNDIS5.sys
2008-01-04 23:25 . 2008-01-04 23:25 2 --a

C:\WINDOWS\msoffice.ini
2008-01-04 22:33 . 2008-01-04 22:33 8,192 --a

C:\WINDOWS\REGLOCS.OLD
2008-01-04 22:30 . 2008-01-04 22:30 <DIR> d

C:\WINDOWS\system32\Lang
2008-01-04 22:30 . 2008-01-04 22:30 940,794 --a

C:\WINDOWS\system32\LoopyMusic.wav
2008-01-04 22:30 . 2008-01-04 22:30 146,650 --a

C:\WINDOWS\system32\BuzzingBee.wav
2008-01-04 22:30 . 2008-01-04 22:30 333 --a

C:\WINDOWS\system32\$ncsp$.inf
2008-01-04 22:30 . 2008-01-04 22:30 0 --a

C:\WINDOWS\system32\GATEWA_W6409__CRD6A30000525.MRK
2008-01-04 22:28 . 2008-01-21 13:56 64,672 --a

C:\WINDOWS\system32\Status.MPF
2008-01-04 22:25 . 2006-08-14 04:34 332,928 --a--c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-01-04 22:24 . 2006-06-22 04:47 181,248 --a--c--- C:\WINDOWS\system32\dllcache\rasmans.dll
2008-01-04 22:24 . 2006-06-26 11:37 148,480 --a--c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-01-04 22:24 . 2006-05-19 06:59 111,616 --a--c--- C:\WINDOWS\system32\dllcache\dhcpcsvc.dll
2008-01-04 22:24 . 2006-05-19 06:59 94,720 --a--c--- C:\WINDOWS\system32\dllcache\iphlpapi.dll
2008-01-04 22:23 . 2008-01-04 22:23 <DIR> d

C:\Program Files\SIFXINST
2008-01-04 22:23 . 2008-01-04 22:23 <DIR> d

C:\Program Files\McAfee
2008-01-04 22:22 . 2008-01-04 22:22 <DIR> d

C:\Program Files\gtw_logo
2008-01-04 22:22 . 2006-05-24 11:28 741,376 --a

C:\WINDOWS\system32\BigFixSuppress.exe
2008-01-04 22:22 . 2006-05-24 11:28 741,376 --a

C:\WINDOWS\system32\BigFixShortcutInStartup.exe
2008-01-04 22:22 . 2003-03-25 07:00 67,072 --a

C:\WINDOWS\POWERCFG.EXE
2008-01-04 22:22 . 2004-04-22 05:48 30,056 --a

C:\WINDOWS\system32\oemlogo.bmp
2008-01-04 22:21 . 2008-01-04 22:21 <DIR> d

C:\Program Files\Microsoft Money 2006
2008-01-04 22:21 . 2008-01-04 22:21 <DIR> d

C:\Program Files\Common Files\Nullsoft
2008-01-04 22:21 . 2006-01-18 20:41 80,512 --a

C:\WINDOWS\system32\drivers\Rtnicxp.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 04:20 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2008-01-05 03:38

d

w C:\Program Files\Windows Plus
2008-01-05 03:38

d

w C:\Program Files\microsoft frontpage
2008-01-05 03:38

d

w C:\Program Files\Common Files\New Boundary
2007-11-14 22:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [ ]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [ ]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 17:34 16143872 C:\WINDOWS\RTHDCPL.exe]
"CHotkey"="zHotkey.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ]
"MSDrive"="C:\WINDOWS\system32\drvtij.dll" [ ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2008-01-04 22:19:49 2168360]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2008-01-04 22:23:44 729088]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32set]
C:\WINDOWS\Media\fuwarxyus.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkigdb]
jkkigdb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uvyxsezf]
uvyxsezf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winblg32]
winblg32.dll 2008-01-21 14:14 23552 C:\WINDOWS\system32\winblg32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
"2008-01-16 16:50:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 20:19:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.

DLLs Loaded Under Running Processes

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\winblg32.dll
.
Completion time: 2008-01-25 20:22:18 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-01-26 02:22:13
.
2008-01-09 09:04:26 --- E O F ---

and the new Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:20 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\lsass.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Owner.OurComputer.001\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvtij.dll,startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O20 - Winlogon Notify: crypt32set - C:\WINDOWS\Media\fuwarxyus.dll (file missing)
O20 - Winlogon Notify: jkkigdb - jkkigdb.dll (file missing)
O20 - Winlogon Notify: uvyxsezf - uvyxsezf.dll (file missing)
O20 - Winlogon Notify: winblg32 - C:\WINDOWS\SYSTEM32\winblg32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6249 bytes

defcon3 · January 2008

ok i downloaded the avira antivirus program and installed and rebooted the puter.... are there any free good firewalls online?

defcon3 · January 2008

also.... the avira program has the update thing on it but it wont seem to update for me... it keeps saying internet connection failed... even though i can surf the net...

also a new problem arose.... everytime i boot up the computer.... and get past the welcome screen after everything is loaded a error window pops up and says

RUNDLL

Error loading C:\Windows\System32\drvtij.dll
The specified module could not be found.

i checked the net for drvtij.dll and i cannot find any information about that dll on any website even microsoft.com

im not sure what it is or what it does....

Veka · January 2008

I prefer Sunbelt Personal Firewall or COMODO. Both are good and free!

Please do the followings...

Step 1:

Open Notepad

Click Start, then Run
Type notepad.exe in the Run Box.

Step 2:

Copy & paste the entire content of the codebox below into the Notepad window

File:: 
C:\WINDOWS\system32\vtstu.dll.vir 
C:\WINDOWS\system32\hypkawoh.dll.vir 
C:\WINDOWS\system32\50f85ace 
C:\WINDOWS\system32\drivers\astq.tga 
C:\WINDOWS\system32\hypkawoh.dll 
C:\1358448879 
C:\WINDOWS\system32\winblg32.dll 
C:\WINDOWS\system32\winblg32.dll 
 
Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32set] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkigdb] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uvyxsezf] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winblg32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSDrive"=-

Save the above as CFScript.txt to your Desktop.

Step 3:

Now drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

defcon3 · January 2008

ok i did that i made the CFScript.txt dragged it on top of combofix and this is what it came up with

327882R2FWJFW\nircmd.com is not a valid Win32 application.

then i click ok and it comes up and says

Windows cannot find 'kmd.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

then i hit ok and nothing happens

defcon3 · January 2008

here is a hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24, on 2008-01-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner.OurComputer.001\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvtij.dll,startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O20 - Winlogon Notify: crypt32set - C:\WINDOWS\Media\fuwarxyus.dll (file missing)
O20 - Winlogon Notify: jkkigdb - jkkigdb.dll (file missing)
O20 - Winlogon Notify: uvyxsezf - uvyxsezf.dll (file missing)
O20 - Winlogon Notify: winblg32 - winblg32.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
--
End of file - 7769 bytes

and the combofix wont work for me i downloaded it to the desktop and got the cfscript.txt and dragged it onto the combofix and it said that nircmd was not a valid Win 32 app.... and it couldnt find KMD.exe

defcon3 · January 2008

now i get access is denied and i cant even delete combofix from my desktop... i tried cmd.exe to delete it and it wont work either... says its in use by another app

Veka · February 2008

Hi defcon. Let's try this...

You may want to print out these instructions or save them as a text document because you'll not have internet access while in Safe Mode.

Step 1:

Please download to your Desktop

OTMoveIt2
Deckard's System Scanner

Step 2:

Reboot into Safe Mode

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Step 3:

Once in Safe Mode, please click Start > Run. Type Combofix /u and click OK.

After that, reboot back to Normal Mode.

Step 4:

Please double-click OTMoveIt2 to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\vtstu.dll.vir
C:\WINDOWS\system32\hypkawoh.dll.vir
C:\WINDOWS\system32\50f85ace
C:\WINDOWS\system32\drivers\astq.tga
C:\WINDOWS\system32\hypkawoh.dll
C:\1358448879
C:\WINDOWS\system32\winblg32.dll
C:\WINDOWS\popcinfo.dat
C:\WINDOWS\system32\winblg32.dll

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log).
Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step 5:

Next, back up the registry as we are going to modify it

Click Start > Run > and type regedit > OK
Make sure that My Computer is selected.
On the File menu, click Export.
Choose the name and location (e.g. My Documents), and save it as a registry file.

Step 6:

Please open Notepad and copy the contents of the below code box to Notepad

Windows Registry Editor Version 5.00 
 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32set] 
 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkigdb] 
 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uvyxsezf] 
 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winblg32] 
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
"MSDrive"=-

Click File > Save As

Save the file to your desktop as Fix.reg (make sure you save as type: all files)

Step 7:

Double-click Fix.reg, and answer Yes when prompted.

After all that, reboot your computer.

Step 8:

Run Deckard's System Scanner

Attention: You must be logged onto an account with administrator privileges.

Close all open applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open:
- main.txt (this will be maximized)
- extra.txt (this will be minimized)
Copy and paste the contents of main.txt and the extra.txt to your post in your reply.

Step 9:

Please post OTMoveIt2 log, contents of main.txt and extra,txt, along with a new HijackThis.

defcon3 · February 2008

okie dokie... did what u asked here are the logs

Main.txt

Deckard's System Scanner v20071014.68
Run by Owner on 2008-02-05 08:01:05
Computer is in Normal Mode.

-- System Restore

Successfully created a Deckard's System Scanner Restore Point.

-- Last 2 Restore Point(s) --
2: 2008-02-05 14:01:10 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-02-05 13:50:17 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Owner.exe)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:11 AM, on 2008-02-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Owner.OurComputer.001\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\OWNERO~1.001\Desktop\Owner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
--
End of file - 7395 bytes
-- File Associations

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
S1 astq - c:\windows\system32\drivers\astq.tga (file missing)
S3 catchme - c:\windows\temp\catchme.sys (file missing)
S3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)

-- Device Manager: Disabled

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_D6018086&REV_10\4&2A3BFE78&0&10A4
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_D6018086&REV_10\4&2A3BFE78&0&10A4
Service: RTL8023xp

-- Scheduled Tasks

2008-01-30 10:50:02 284 --a

C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-01-05 and 2008-02-05

2008-01-30 12:01:36 0 d--h

C:\WINDOWS\PIF
2008-01-26 00:13:36 0 d

C:\Documents and Settings\LocalService\Start Menu
2008-01-25 23:22:06 0 d

C:\Program Files\Spyware Doctor
2008-01-25 23:22:06 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\PC Tools
2008-01-25 23:17:44 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\PCToolsFirewallPlus
2008-01-25 22:58:26 0 d

C:\Program Files\Common Files\PC Tools
2008-01-25 22:58:25 0 d

C:\Program Files\PC Tools Firewall Plus
2008-01-25 22:57:06 0 d-a

C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-25 22:56:49 0 d

C:\Program Files\ThreatFire
2008-01-25 22:56:49 0 d

C:\Documents and Settings\All Users\Application Data\PC Tools
2008-01-25 21:21:27 0 d

C:\Program Files\Avira
2008-01-25 21:21:27 0 d

C:\Documents and Settings\All Users\Application Data\Avira
2008-01-25 20:24:11 0 d

C:\Program Files\Outerinfo
2008-01-25 20:22:33 0 d

C:\Program Files\Helper
2008-01-25 20:22:12 38912 --a

C:\WINDOWS\system32\ssqrrss.dll
2008-01-23 12:14:51 0 d

C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-23 12:14:47 4212 --ah

C:\WINDOWS\system32\zllictbl.dat
2008-01-23 12:14:40 11264 --a

C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2008-01-23 12:14:10 0 d

C:\WINDOWS\system32\ZoneLabs
2008-01-23 12:13:20 0 d

C:\WINDOWS\Internet Logs
2008-01-23 11:50:56 0 d--hs---- C:\WINDOWS\CSC
2008-01-22 00:24:28 0 d

C:\Program Files\MSN Messenger
2008-01-21 19:27:55 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\Uniblue
2008-01-21 19:22:30 0 d

C:\Program Files\Uniblue
2008-01-21 19:02:28 0 d

C:\WINDOWS\system32\appmgmt
2008-01-21 15:03:39 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\Symantec
2008-01-21 15:02:18 0 d

C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-01-21 14:46:12 0 d

C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-01-21 14:03:41 0 d

C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-21 14:03:26 0 d

C:\Program Files\Common Files\Symantec Shared
2008-01-21 13:35:38 716272 --a

C:\WINDOWS\system32\drivers\sptd.sys
2008-01-16 00:41:34 664 --a

C:\WINDOWS\system32\d3d9caps.dat
2008-01-15 19:06:56 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\Apple Computer
2008-01-15 19:06:36 0 d

C:\Program Files\iPod
2008-01-15 19:06:27 0 d

C:\Program Files\iTunes
2008-01-15 19:05:33 0 d

C:\Program Files\QuickTime
2008-01-15 19:05:31 0 d

C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-15 19:05:13 0 d

C:\Program Files\Apple Software Update
2008-01-15 19:04:39 0 d

C:\Program Files\Common Files\Apple
2008-01-15 19:04:38 0 d

C:\Documents and Settings\All Users\Application Data\Apple
2008-01-13 15:04:05 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\CyberLink
2008-01-12 10:22:58 0 d

C:\WINDOWS\.jagex_cache_32
2008-01-12 10:22:49 0 d

C:\WINDOWS\Sun
2008-01-12 10:22:49 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\Sun
2008-01-12 10:12:17 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\Mozilla
2008-01-12 10:11:55 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\SecondLife
2008-01-12 10:11:16 0 d

C:\Program Files\SecondLife
2008-01-12 09:56:28 0 d

C:\Program Files\Second Life
2008-01-10 18:37:56 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\dvdcss
2008-01-10 18:35:36 0 d

C:\Documents and Settings\All Users\Application Data\CyberLink
2008-01-10 16:05:28 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\AdobeUM
2008-01-10 16:01:45 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\DVD Flick
2008-01-10 16:01:17 0 d

C:\Program Files\DVD Flick
2008-01-10 15:32:35 364544 --a

C:\WINDOWS\system32\TwnLib4.dll <Not Verified; Pegasus Imaging Corp.; TwnLib4>
2008-01-10 15:32:35 106496 --a

C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2008-01-10 15:32:33 471040 --a

C:\WINDOWS\system32\ImagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-01-10 15:32:33 262144 --a

C:\WINDOWS\system32\ImagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-01-10 15:32:33 1568768 --a

C:\WINDOWS\system32\ImagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-01-10 15:32:31 0 d

C:\Program Files\Common Files\Ahead
2008-01-08 18:15:32 0 d

C:\Documents and Settings\Guest\Application Data\Google
2008-01-07 22:07:59 0 d

C:\Documents and Settings\Owner.OurComputer.001\Contacts
2008-01-07 22:05:44 0 d

c- C:\WINDOWS\system32\DRVSTORE
2008-01-07 21:54:40 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-07 21:54:21 0 d

C:\Program Files\Windows Live
2008-01-07 21:54:11 0 d

C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-07 16:16:26 0 d

C:\Documents and Settings\Guest\Application Data\McAfee.com Personal Firewall
2008-01-07 16:16:04 0 d

C:\Documents and Settings\Guest\WINDOWS
2008-01-07 16:16:04 0 d--h

C:\Documents and Settings\Guest\Templates
2008-01-07 16:16:04 0 dr

C:\Documents and Settings\Guest\Start Menu
2008-01-07 16:16:04 0 dr-h

C:\Documents and Settings\Guest\SendTo
2008-01-07 16:16:04 0 dr-h

C:\Documents and Settings\Guest\Recent
2008-01-07 16:16:04 0 d--h

C:\Documents and Settings\Guest\PrintHood
2008-01-07 16:16:04 1048576 --ah

C:\Documents and Settings\Guest\NTUSER.DAT
2008-01-07 16:16:04 0 d--h

C:\Documents and Settings\Guest\NetHood
2008-01-07 16:16:04 0 dr

C:\Documents and Settings\Guest\My Documents
2008-01-07 16:16:04 0 d--h

C:\Documents and Settings\Guest\Local Settings
2008-01-07 16:16:04 0 dr

C:\Documents and Settings\Guest\Favorites
2008-01-07 16:16:04 0 d

C:\Documents and Settings\Guest\Desktop
2008-01-07 16:16:04 0 d--hs---- C:\Documents and Settings\Guest\Cookies
2008-01-07 16:16:04 0 dr-h

C:\Documents and Settings\Guest\Application Data
2008-01-07 16:16:04 0 d

C:\Documents and Settings\Guest\Application Data\You've Got Pictures Screensaver
2008-01-07 16:16:04 0 d

C:\Documents and Settings\Guest\Application Data\SampleView
2008-01-07 16:16:04 0 d---s---- C:\Documents and Settings\Guest\Application Data\Microsoft
2008-01-07 16:16:04 0 d

C:\Documents and Settings\Guest\Application Data\Identities
2008-01-06 11:57:13 0 d

C:\Documents and Settings\All Users\Application Data\WinZip
2008-01-05 16:24:51 0 d

C:\Documents and Settings\Owner.OurComputer.001\LimeWire Store Purchased
2008-01-05 16:24:51 0 d

C:\Documents and Settings\Owner.OurComputer.001\LimeWire Shared
2008-01-05 16:24:51 0 d

C:\Documents and Settings\Owner.OurComputer.001\LimeWire Saved
2008-01-05 16:24:29 0 d

C:\Documents and Settings\Owner.OurComputer.001\Incomplete
2008-01-05 16:24:15 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\LimeWire
2008-01-05 16:23:54 0 d

C:\Program Files\LimeWire
2008-01-05 03:06:34 0 d

C:\WINDOWS\network diagnostic
2008-01-05 03:01:43 0 d

C:\Program Files\MSXML 4.0
2008-01-05 02:56:30 0 d

C:\Program Files\Windows Media Connect 2
2008-01-05 02:55:09 0 d

C:\95f6720d8dd27ff35de04d5892c1
2008-01-05 02:54:58 0 d

C:\WINDOWS\system32\LogFiles
2008-01-05 02:54:58 0 d

C:\WINDOWS\system32\drivers\UMDF
2008-01-05 02:54:41 0 d

C:\431b80cb0e136959e9bfea3c
2008-01-05 02:16:35 0 d

C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-01-05 02:15:51 0 d

C:\WINDOWS\system32\PreInstall
2008-01-05 02:14:18 0 d--hs---- C:\Documents and Settings\Owner.OurComputer.001\UserData
2008-01-05 01:50:38 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\Macromedia
2008-01-05 01:50:38 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\Adobe
2008-01-05 01:47:08 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\uTorrent
2008-01-05 00:11:19 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\vlc
2008-01-05 00:07:07 0 d

C:\Program Files\VLC
2008-01-05 00:06:14 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\Google

-- Find3M Report

2008-01-25 22:58:26 0 d

C:\Program Files\Common Files
2008-01-21 15:34:17 0 d

C:\Program Files\Digital Media Reader
2008-01-21 14:52:54 0 d

C:\Program Files\uTorrent
2008-01-17 17:30:03 0 d

C:\Program Files\Java
2008-01-10 15:50:08 0 d

C:\Program Files\WinAVI Video Converter
2008-01-10 15:33:47 0 d

C:\Program Files\Nero
2008-01-05 01:50:18 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\McAfee.com Personal Firewall
2008-01-04 23:42:04 0 d--h

C:\Program Files\InstallShield Installation Information
2008-01-04 23:34:53 0 d

C:\Program Files\Pure Networks
2008-01-04 23:26:11 0 d

C:\Program Files\Common Files\AOL
2008-01-04 22:49:24 0 d

C:\Program Files\Google
2008-01-04 22:29:14 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\SampleView
2008-01-04 22:27:44 0 --a

C:\REQUEST_OEMRESET_ENDUSER
2008-01-04 22:23:47 0 d

C:\Program Files\SIFXINST
2008-01-04 22:23:10 0 d

C:\Program Files\McAfee
2008-01-04 22:22:14 0 d

C:\Program Files\gtw_logo
2008-01-04 22:21:55 0 d

C:\Program Files\Realtek
2008-01-04 22:21:44 0 d

C:\Program Files\Microsoft Money 2006
2008-01-04 22:21:09 0 d

C:\Program Files\Common Files\Nullsoft
2008-01-04 22:21:09 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\You've Got Pictures Screensaver
2008-01-04 22:20:46 0 d

C:\Program Files\Common Files\Real
2008-01-04 22:20:42 0 d

C:\Program Files\Real
2008-01-04 22:20:30 0 d

C:\Program Files\Viewpoint
2008-01-04 22:19:56 335 --a

C:\WINDOWS\nsreg.dat
2008-01-04 22:19:49 0 d

C:\Program Files\BigFix
2008-01-04 22:19:36 0 d

C:\Program Files\Microsoft Works
2008-01-04 22:18:46 0 d

C:\Program Files\MSN Encarta Plus
2008-01-04 22:18:13 0 d

C:\Program Files\Microsoft Digital Image 2006
2008-01-04 22:18:06 4 --a

C:\WINDOWS\Pix11.dat
2008-01-04 22:17:33 0 d

C:\Program Files\Common Files\Adobe
2008-01-04 22:16:01 0 d

C:\Program Files\Gateway Games
2008-01-04 22:14:49 0 d

C:\Program Files\WildTangent
2008-01-04 22:13:25 0 d

C:\Program Files\Common Files\InstallShield
2008-01-04 22:12:52 0 d

C:\Program Files\Common Files\Java
2008-01-04 22:10:18 0 d

C:\Program Files\Microsoft ActiveSync
2008-01-04 22:09:52 0 d

C:\Program Files\Microsoft.NET
2008-01-04 22:09:01 0 d

C:\Program Files\CyberLink
2008-01-04 22:08:25 2 --a

C:\AUDIT_INSTALL_IN_PROGRESS
2008-01-04 22:00:22 2 -r-hs---- C:\USER
2008-01-04 21:58:38 0 d

C:\Program Files\CONEXANT
2008-01-04 21:44:38 60 --a

C:\WINDOWS\system32\SYSDRV.DAT
2008-01-04 21:43:06 0 d

C:\Program Files\Windows NT
2008-01-04 21:43:03 0 d

C:\Program Files\Movie Maker
2008-01-04 21:43:01 0 d

C:\Program Files\Messenger
2008-01-04 21:38:45 0 d

C:\Program Files\Windows Plus
2008-01-04 21:38:45 0 d

C:\Program Files\Online Services
2008-01-04 21:38:45 0 d

C:\Program Files\MSN Gaming Zone
2008-01-04 21:38:45 0 d

C:\Program Files\microsoft frontpage
2008-01-04 21:38:44 0 d

C:\Program Files\Common Files\SpeechEngines
2008-01-04 21:38:44 0 d

C:\Program Files\Common Files\ODBC
2008-01-04 21:38:44 0 d

C:\Program Files\Common Files\New Boundary
2008-01-04 21:38:44 0 d

C:\Program Files\Common Files\MSSoap
2008-01-04 21:38:38 0 d

C:\Documents and Settings\Owner.OurComputer.001\Application Data\Identities

-- Registry Dump

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" []
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" []
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 05:34 PM C:\WINDOWS\RTHDCPL.exe]
"CHotkey"="zHotkey.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" []
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-25 11:13 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" []
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2007-12-20 11:13 AM]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2007-12-31 09:16 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 02:53 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 01:00 PM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 PM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2008-01-04 10:19:49 PM]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2008-01-04 10:23:44 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

-- End of Deckard's System Scanner: finished at 2008-02-05 08:03:38

Extra.txt

Deckard's System Scanner v20071014.68
Run by Owner on 2008-02-05 08:01:05
Computer is in Normal Mode.