Trojan Issues

n_ver_ending

Hi guys/girls,

I was having a Trojan problem. I got this icon made of a red circle with a white X but I could not identify it. It would not give me any information when i right clicked it. It had never been there before so i knew I had something.

I tried to do a scan with Trend Micro and Panda but Micro froze and Panda took forever.

Here is my HTJ log and my Malwarebytes log:

Logfile of HijackThis v1.99.1
Scan saved at 10:47:39 PM, on 10/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\JAM\Desktop\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: 4APPINITSOFTWARE\Microsoft\Windows,NT\CurrentVersion\WindowsAppInit_DLLs,wbsys.dll,avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)



Malwarebytes' Anti-Malware 1.29
Database version: 1276
Windows 5.1.2600 Service Pack 3

10/16/2008 10:36:45 PM
mbam-log-2008-10-16 (22-36-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 97630
Time elapsed: 54 minute(s), 9 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 22
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\actsmartapp (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xrt_Shell (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_id (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_options (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_server1 (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_reserv (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_forms (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_certs (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_options (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_ss (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pstorage (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_command (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_file (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_idproject (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pauseopt (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pausecert (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_deletecookie (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_deletesol (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_patch (Backdoor.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\vklezwxe.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\Documents and Settings\JAM\xrt_txlg.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\JAM\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogon.old (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

n_ver_ending

Also, Malwarebytes could not remove:

C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\vklezwxe.exe
C:\WINDOWS\system32\brastk.exe

Katana

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

---

---

---

Please reboot your machine before doing the following

---

---

Download and Run RSIT

• Please download Random's System Information Tool by random/random from here and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open:
  
  • log.txt will be opened maximized.
  • info.txt will be opened minimized.
• Please post the contents of both log.txt and info.txt.

n_ver_ending

Here is the log file. For some reason when I rebooted the system the Info Log would not pop up


Logfile of random's system information tool 1.04 (written by random/random)
Run by JAM at 2008-10-17 16:54:13
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 51 GB (67%) free of 76 GB
Total RAM: 1519 MB (70% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:01 PM, on 10/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Documents and Settings\JAM\Desktop\RSIT.exe
C:\Program Files\trend micro\JAM.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.sdc.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: 4APPINITSOFTWARE\Microsoft\Windows,NT\CurrentVersion\WindowsAppInit_DLLs,wbsys.dll,avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe (file missing)

--
End of file - 7156 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2005-06-13 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2005-06-13 126976]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2005-06-13 98393]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-06-13 688217]
"IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2004-08-06 385024]
"EOUApp"=C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe [2004-08-06 356352]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE [2004-08-04 44032]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-04 59392]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-09-30 1234712]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-07-09 919016]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
C:\Program Files\CCleaner\ccleaner.exe [2007-05-10 598920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=2
"gusvc"=3
"AVGEMS"=2
"Apple Mobile Device"=2

C:\Documents and Settings\JAM\Start Menu\Programs\Startup
OpenOffice.org 3.0.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="4APPINITSOFTWARE\Microsoft\Windows,NT\CurrentVersion\WindowsAppInit_DLLs,wbsys.dll,avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-06-13 344064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll [2004-08-06 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
C:\Program Files\AlienGUIse\fastload.dll [2001-12-21 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\iMesh\iMesh5\iMesh.exe"="C:\Program Files\iMesh\iMesh5\iMesh.exe:*:Disabled:iMesh 5"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Common Files\AOL\1135405169\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1135405169\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\1135405169\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1135405169\ee\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire"
"C:\Program Files\Common Files\AOL\1135747042\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1135747042\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\1135747042\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1135747042\ee\aim6.exe:*:Enabled:AIM"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe"="C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe"="C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======List of files/folders created in the last 1 months======

2008-10-17 16:43:02 ----D---- C:\rsit
2008-10-17 00:14:44 ----D---- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-10-17 00:14:09 ----A---- C:\WINDOWS\zllsputility.exe
2008-10-17 00:13:39 ----A---- C:\WINDOWS\system32\libeay32_0.9.6l.dll
2008-10-17 00:13:38 ----A---- C:\WINDOWS\system32\vsregexp.dll
2008-10-17 00:13:28 ----A---- C:\WINDOWS\system32\zlcommdb.dll
2008-10-17 00:13:28 ----A---- C:\WINDOWS\system32\zlcomm.dll
2008-10-17 00:13:22 ----A---- C:\WINDOWS\system32\vswmi.dll
2008-10-17 00:13:21 ----A---- C:\WINDOWS\system32\zpeng24.dll
2008-10-17 00:13:20 ----D---- C:\WINDOWS\system32\ZoneLabs
2008-10-17 00:13:20 ----D---- C:\Program Files\Zone Labs
2008-10-17 00:13:20 ----A---- C:\WINDOWS\system32\vsxml.dll
2008-10-17 00:13:20 ----A---- C:\WINDOWS\system32\vspubapi.dll
2008-10-17 00:13:20 ----A---- C:\WINDOWS\system32\vsmonapi.dll
2008-10-17 00:12:49 ----A---- C:\WINDOWS\system32\vsutil.dll
2008-10-17 00:12:49 ----A---- C:\WINDOWS\system32\vsinit.dll
2008-10-17 00:12:49 ----A---- C:\WINDOWS\system32\vsdata.dll
2008-10-16 23:24:29 ----D---- C:\Documents and Settings\JAM\Application Data\OpenOffice.org
2008-10-16 23:21:23 ----D---- C:\Program Files\JRE
2008-10-16 23:21:12 ----D---- C:\Program Files\OpenOffice.org 3
2008-10-16 21:49:26 ----D---- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-10-16 21:49:26 ----D---- C:\Program Files\SDHelper (Spybot - Search & Destroy)
2008-10-16 21:40:25 ----D---- C:\Documents and Settings\JAM\Application Data\Malwarebytes
2008-10-16 21:40:16 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-16 21:40:15 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-16 18:03:42 ----D---- C:\Documents and Settings\All Users\Application Data\punaxcpa
2008-10-15 20:04:11 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-15 20:04:00 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-15 20:03:51 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-15 20:03:06 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-15 20:03:02 ----A---- C:\WINDOWS\imsins.BAK
2008-10-15 20:02:54 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-10-06 17:02:04 ----D---- C:\Documents and Settings\JAM\Application Data\OpenOffice.org2
2008-10-06 16:59:02 ----D---- C:\Program Files\OpenOffice.org 2.4
2008-10-06 16:58:41 ----A---- C:\WINDOWS\system32\javaws.exe
2008-10-06 16:58:41 ----A---- C:\WINDOWS\system32\javaw.exe
2008-10-06 16:58:41 ----A---- C:\WINDOWS\system32\java.exe
2008-09-30 18:34:41 ----HD---- C:\$AVG8.VAULT$
2008-09-27 13:12:21 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-09-26 17:42:03 ----D---- C:\WINDOWS\Prefetch
2008-09-26 17:37:11 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-09-26 17:37:02 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-09-26 17:36:54 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-09-26 17:36:42 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-09-26 17:36:33 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-09-26 17:36:24 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2008-09-26 17:36:14 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-09-26 17:36:06 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-09-26 17:36:00 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-09-26 17:35:51 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-09-26 17:35:44 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-09-26 17:30:39 ----D---- C:\WINDOWS\system32\scripting
2008-09-26 17:30:38 ----D---- C:\WINDOWS\l2schemas
2008-09-26 17:30:37 ----D---- C:\WINDOWS\system32\en
2008-09-26 17:30:37 ----D---- C:\WINDOWS\system32\bits
2008-09-26 17:25:56 ----D---- C:\WINDOWS\ServicePackFiles
2008-09-26 17:17:32 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2008-09-26 17:17:29 ----D---- C:\WINDOWS\EHome
2008-09-24 22:41:47 ----N---- C:\WINDOWS\system32\wmphoto.dll
2008-09-24 22:41:46 ----N---- C:\WINDOWS\system32\wlanapi.dll
2008-09-24 22:41:45 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2008-09-24 22:41:45 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2008-09-24 22:41:41 ----N---- C:\WINDOWS\system32\tspkg.dll
2008-09-24 22:41:41 ----N---- C:\WINDOWS\system32\tsgqec.dll
2008-09-24 22:41:38 ----N---- C:\WINDOWS\system32\spupdwxp.exe
2008-09-24 22:41:38 ----A---- C:\WINDOWS\system32\spdwnwxp.exe
2008-09-24 22:41:36 ----N---- C:\WINDOWS\system32\slrundll.exe
2008-09-24 22:41:36 ----N---- C:\WINDOWS\system32\slcoinst.dll
2008-09-24 22:41:35 ----N---- C:\WINDOWS\system32\setupn.exe
2008-09-24 22:41:33 ----N---- C:\WINDOWS\system32\s3gnb.dll
2008-09-24 22:41:33 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2008-09-24 22:41:32 ----N---- C:\WINDOWS\system32\rasqec.dll
2008-09-24 22:41:31 ----N---- C:\WINDOWS\system32\qutil.dll
2008-09-24 22:41:31 ----N---- C:\WINDOWS\system32\qcliprov.dll
2008-09-24 22:41:31 ----N---- C:\WINDOWS\system32\qagentrt.dll
2008-09-24 22:41:31 ----N---- C:\WINDOWS\system32\qagent.dll
2008-09-24 22:41:30 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2008-09-24 22:41:28 ----N---- C:\WINDOWS\system32\onex.dll
2008-09-24 22:41:27 ----N---- C:\WINDOWS\system32\nv4_disp.dll
2008-09-24 22:41:24 ----N---- C:\WINDOWS\system32\napstat.exe
2008-09-24 22:41:24 ----N---- C:\WINDOWS\system32\napmontr.dll
2008-09-24 22:41:24 ----N---- C:\WINDOWS\system32\napipsec.dll
2008-09-24 22:41:23 ----N---- C:\WINDOWS\system32\mtxparhd.dll
2008-09-24 22:41:23 ----N---- C:\WINDOWS\system32\msxml6r.dll
2008-09-24 22:41:23 ----N---- C:\WINDOWS\system32\msxml6.dll
2008-09-24 22:41:21 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2008-09-24 22:41:21 ----N---- C:\WINDOWS\system32\mssha.dll
2008-09-24 22:41:15 ----N---- C:\WINDOWS\system32\mmcperf.exe
2008-09-24 22:41:15 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2008-09-24 22:41:15 ----N---- C:\WINDOWS\system32\mmcex.dll
2008-09-24 22:41:14 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-09-24 22:41:13 ----N---- C:\WINDOWS\system32\mdmxsdk.dll
2008-09-24 22:41:08 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2008-09-24 22:40:47 ----N---- C:\WINDOWS\system32\kmsvc.dll
2008-09-24 22:40:46 ----N---- C:\WINDOWS\system32\kbdpash.dll
2008-09-24 22:40:46 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2008-09-24 22:40:46 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2008-09-24 22:40:46 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2008-09-24 22:40:22 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
2008-09-24 22:40:19 ----N---- C:\WINDOWS\system32\faxpatch.exe
2008-09-24 22:40:19 ----A---- C:\WINDOWS\002821_.tmp
2008-09-24 22:40:18 ----N---- C:\WINDOWS\system32\eapsvc.dll
2008-09-24 22:40:18 ----N---- C:\WINDOWS\system32\eapqec.dll
2008-09-24 22:40:18 ----N---- C:\WINDOWS\system32\eappprxy.dll
2008-09-24 22:40:18 ----N---- C:\WINDOWS\system32\eapphost.dll
2008-09-24 22:40:18 ----N---- C:\WINDOWS\system32\eappgnui.dll
2008-09-24 22:40:18 ----N---- C:\WINDOWS\system32\eappcfg.dll
2008-09-24 22:40:18 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2008-09-24 22:40:17 ----N---- C:\WINDOWS\system32\eapolqec.dll
2008-09-24 22:40:16 ----N---- C:\WINDOWS\system32\dot3ui.dll
2008-09-24 22:40:16 ----N---- C:\WINDOWS\system32\dot3svc.dll
2008-09-24 22:40:16 ----N---- C:\WINDOWS\system32\dot3msm.dll
2008-09-24 22:40:16 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2008-09-24 22:40:16 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2008-09-24 22:40:16 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2008-09-24 22:40:16 ----N---- C:\WINDOWS\system32\dot3api.dll
2008-09-24 22:40:15 ----N---- C:\WINDOWS\system32\dimsroam.dll
2008-09-24 22:40:15 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2008-09-24 22:40:14 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2008-09-24 22:40:12 ----N---- C:\WINDOWS\system32\credssp.dll
2008-09-24 22:40:06 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2008-09-24 22:40:05 ----N---- C:\WINDOWS\system32\azroles.dll
2008-09-24 22:40:04 ----N---- C:\WINDOWS\system32\ativvaxx.dll
2008-09-24 22:40:04 ----N---- C:\WINDOWS\system32\ativtmxx.dll
2008-09-24 22:40:03 ----N---- C:\WINDOWS\system32\ati3duag.dll
2008-09-24 22:40:03 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
2008-09-24 22:40:02 ----N---- C:\WINDOWS\system32\ati2dvag.dll
2008-09-24 22:40:02 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
2008-09-24 22:40:02 ----N---- C:\WINDOWS\system32\ati2cqag.dll
2008-09-24 22:39:53 ----N---- C:\WINDOWS\system32\aaclient.dll

======List of files/folders modified in the last 1 months======

2008-10-17 16:55:01 ----D---- C:\WINDOWS\Temp
2008-10-17 16:54:24 ----D---- C:\Program Files\Trend Micro
2008-10-17 16:50:32 ----D---- C:\WINDOWS\Internet Logs
2008-10-17 16:45:17 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-17 16:39:53 ----D---- C:\Program Files\Mozilla Firefox
2008-10-17 00:22:17 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-17 00:22:11 ----D---- C:\Program Files\SpywareBlaster
2008-10-17 00:18:44 ----D---- C:\WINDOWS
2008-10-17 00:17:54 ----D---- C:\WINDOWS\system32\drivers
2008-10-17 00:14:32 ----AD---- C:\WINDOWS\system32
2008-10-17 00:14:03 ----HD---- C:\WINDOWS\inf
2008-10-17 00:13:57 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-17 00:13:20 ----RD---- C:\Program Files
2008-10-16 23:23:59 ----SHD---- C:\WINDOWS\Installer
2008-10-16 23:23:19 ----HD---- C:\Config.Msi
2008-10-16 23:23:15 ----RSD---- C:\WINDOWS\assembly
2008-10-16 23:23:08 ----D---- C:\WINDOWS\WinSxS
2008-10-16 23:21:47 ----RSD---- C:\WINDOWS\Fonts
2008-10-16 21:49:23 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-16 21:47:35 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-16 19:21:05 ----D---- C:\My Downloads
2008-10-16 18:04:35 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-16 18:03:06 ----A---- C:\WINDOWS\system32\winlogon.exe
2008-10-16 18:03:06 ----A---- C:\WINDOWS\system32\termsrv.dll
2008-10-15 20:04:09 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-15 20:03:37 ----D---- C:\Program Files\Internet Explorer
2008-10-15 20:03:20 ----D---- C:\WINDOWS\ie7updates
2008-10-15 19:59:58 ----D---- C:\WINDOWS\Debug
2008-10-07 14:19:40 ----A---- C:\WINDOWS\system32\MRT.exe
2008-10-06 18:31:56 ----D---- C:\Program Files\Microsoft Office
2008-10-06 18:31:56 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-10-06 18:31:55 ----D---- C:\WINDOWS\Media
2008-10-06 18:31:36 ----D---- C:\Program Files\Common Files
2008-10-06 18:31:20 ----A---- C:\WINDOWS\vbaddin.ini
2008-10-06 16:58:41 ----D---- C:\Program Files\Java
2008-10-03 12:41:15 ----A---- C:\WINDOWS\system32\ieframe.dll
2008-10-02 20:05:16 ----HD---- C:\Program Files\InstallShield Installation Information
2008-09-27 16:51:45 ----D---- C:\Program Files\MSN Messenger
2008-09-26 17:44:34 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-09-26 17:40:56 ----D---- C:\WINDOWS\system32\wbem
2008-09-26 17:40:56 ----D---- C:\WINDOWS\system32\Setup
2008-09-26 17:40:56 ----D---- C:\WINDOWS\AppPatch
2008-09-26 17:40:18 ----D---- C:\WINDOWS\security
2008-09-26 17:37:14 ----D---- C:\WINDOWS\system32\CatRoot
2008-09-26 17:35:53 ----D---- C:\Program Files\Messenger
2008-09-26 17:30:56 ----D---- C:\WINDOWS\network diagnostic
2008-09-26 17:30:56 ----D---- C:\WINDOWS\ime
2008-09-26 17:30:55 ----D---- C:\WINDOWS\Help
2008-09-26 17:30:40 ----D---- C:\WINDOWS\system32\en-US
2008-09-26 17:30:39 ----D---- C:\WINDOWS\system32\usmt
2008-09-26 17:30:37 ----D---- C:\WINDOWS\PeerNet
2008-09-26 17:30:37 ----D---- C:\Program Files\Movie Maker
2008-09-26 17:25:49 ----D---- C:\WINDOWS\system32\Restore
2008-09-26 17:25:49 ----D---- C:\WINDOWS\system32\npp
2008-09-26 17:25:45 ----D---- C:\WINDOWS\msagent
2008-09-26 17:25:43 ----D---- C:\WINDOWS\srchasst
2008-09-26 17:25:38 ----D---- C:\Program Files\NetMeeting
2008-09-26 17:25:36 ----D---- C:\WINDOWS\system32\Com
2008-09-26 17:25:33 ----D---- C:\Program Files\Windows Media Player
2008-09-26 17:25:28 ----D---- C:\Program Files\Windows NT
2008-09-26 17:25:28 ----D---- C:\Program Files\Outlook Express
2008-09-26 17:25:23 ----D---- C:\Program Files\Common Files\System
2008-09-26 17:24:57 ----D---- C:\WINDOWS\system32\oobe
2008-09-26 17:24:54 ----D---- C:\WINDOWS\system
2008-09-26 17:20:35 ----D---- C:\WINDOWS\system32\ReinstallBackups

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-08-31 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-08-10 26824]
R1 InCDPass;InCDPass; C:\WINDOWS\System32\DRIVERS\InCDPass.sys [2005-04-12 29056]
R1 incdrm;InCD Reader; C:\WINDOWS\system32\drivers\incdrm.sys [2005-04-12 28160]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 KLIF;KLIF; C:\WINDOWS\system32\DRIVERS\klif.sys [2007-07-19 127768]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2008-07-09 394952]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.1.0.1; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2005-09-08 17056]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2004-08-06 11354]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-06-13 752093]
R3 IWCA;Intel Wireless Connection Agent Miniport for Win XP; C:\WINDOWS\system32\DRIVERS\iwca.sys [2004-08-12 234496]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 Mtlmnt5;Mtlmnt5; C:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys [2005-06-13 226288]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2008-02-25 105088]
R3 Slntamr;SmartLink AMR_PCI Driver; C:\WINDOWS\system32\DRIVERS\slntamr.sys [2005-06-13 566256]
R3 SlWdmSup;SlWdmSup; C:\WINDOWS\system32\DRIVERS\SlWdmSup.sys [2005-06-13 15712]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-06-13 188928]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 VIAudio;Vinyl AC'97 Audio Controller (WDM); C:\WINDOWS\system32\drivers\vinyl97.sys [2005-06-13 159488]
R3 w29n51;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2004-08-07 3210496]
R4 InCDfs;InCD File System; C:\WINDOWS\system32\drivers\InCDfs.sys [2005-04-12 99456]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-07-07 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-07-07 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-07-07 21744]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 Mtlstrm;Mtlstrm; C:\WINDOWS\system32\DRIVERS\Mtlstrm.sys [2005-06-13 1299976]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 NtMtlFax;NtMtlFax; C:\WINDOWS\system32\DRIVERS\NtMtlFax.sys [2005-06-13 180368]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 SlNtHal;SlNtHal; C:\WINDOWS\system32\DRIVERS\Slnthal.sys [2005-06-13 87656]
S3 SoC PC-Camera Service;SoC PC-Camera; C:\WINDOWS\system32\DRIVERS\pfc027.sys [2004-07-28 136576]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbcm;USB Cable Modem 351000 NDIS Driver; C:\WINDOWS\system32\DRIVERS\usbcm.sys [2002-04-11 13335]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 vncdrv;vncdrv; C:\WINDOWS\system32\DRIVERS\vncdrv.sys [2002-11-20 2218]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-07 611664]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-09-06 110592]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-31 231704]
R2 EvtEng;EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2004-08-06 86016]
R2 InCDsrv;InCD Helper; C:\Program Files\Ahead\InCD\InCDsrv.exe [2005-04-12 869376]
R2 OwnershipProtocol;OwnershipProtocol; C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe [2004-08-06 98304]
R2 RegSrvc;RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2004-08-06 139264]
R2 S24EventMonitor;Spectrum24 Event Monitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2004-08-06 360521]
R2 SLService;SmartLinkService; C:\WINDOWS\system32\slserv.exe [2005-06-13 45056]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2008-07-09 75304]
S2 winvnc;VNC Server; C:\Program Files\UltraVNC\winvnc.exe -service []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-02-19 504104]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-03 136120]
S4 MSCSPTISRV;MSCSPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe []
S4 PACSPTISVR;PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe []
S4 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
S4 SPTISRV;Sony SPTI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe []

---

EOF

---

Katana

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  See HERE for help
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs.
• Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.




Logs/Information to Post in Reply
Please post the following logs/Information in your reply

• ComboFix Log
• Kaspersky Log
• How are things running now ?

n_ver_ending

Hi there Katana,
I ran both of the scans. The suspicious red circle with the with X has been gone since I ran Malwarebytes. Everything seems to be OK.
Here are the two logs. I have ran kaspersky several times and i don't get any sort of infection. I also turned off AVG and spywareblaster when i ran Combofix.

ComboFix 08-10-16.08 - JAM 2008-10-17 21:20:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.925 [GMT -5:00]
Running from: C:\Documents and Settings\JAM\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\windows

.
((((((((((((((((((((((((( Files Created from 2008-09-18 to 2008-10-18 )))))))))))))))))))))))))))))))
.

2008-10-17 16:43 . 2008-10-17 16:44 <DIR> d

---

C:\rsit
2008-10-17 00:17 . 2008-10-17 21:28 2,451,488 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-17 00:17 . 2008-10-17 21:23 33,860 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-17 00:14 . 2008-10-17 00:14 <DIR> d

---

C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-10-17 00:14 . 2008-07-09 09:05 75,248 --a

---

C:\WINDOWS\zllsputility.exe
2008-10-17 00:13 . 2008-10-17 00:13 <DIR> d

---

C:\Program Files\Zone Labs
2008-10-16 23:24 . 2008-10-16 23:24 <DIR> d

---

C:\Documents and Settings\JAM\Application Data\OpenOffice.org
2008-10-16 23:21 . 2008-10-16 23:21 <DIR> d

---

C:\Program Files\OpenOffice.org 3
2008-10-16 23:21 . 2008-10-16 23:21 <DIR> d

---

C:\Program Files\JRE
2008-10-16 21:49 . 2008-10-16 21:49 <DIR> d

---

C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-10-16 21:49 . 2008-10-16 21:49 <DIR> d

---

C:\Program Files\SDHelper (Spybot - Search & Destroy)
2008-10-16 21:40 . 2008-10-16 21:40 <DIR> d

---

C:\Program Files\Malwarebytes' Anti-Malware
2008-10-16 21:40 . 2008-10-16 21:40 <DIR> d

---

C:\Documents and Settings\JAM\Application Data\Malwarebytes
2008-10-16 21:40 . 2008-10-16 21:40 <DIR> d

---

C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-16 21:40 . 2008-10-16 20:25 38,496 --a

---

C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-16 21:40 . 2008-10-16 20:25 15,504 --a

---

C:\WINDOWS\system32\drivers\mbam.sys
2008-10-16 19:28 . 2008-06-19 17:24 28,544 --a

---

C:\WINDOWS\system32\drivers\pavboot.sys
2008-10-16 18:10 . 2008-10-16 21:15 164 --a

---

C:\Documents and Settings\JAM\xrt_log.dat
2008-10-16 18:03 . 2008-10-16 18:03 <DIR> d

---

C:\Documents and Settings\All Users\Application Data\punaxcpa
2008-10-15 20:03 . 2008-10-15 20:04 1,393 --a

---

C:\WINDOWS\imsins.BAK
2008-10-15 19:57 . 2008-09-08 05:41 333,824

---

c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 19:55 . 2008-09-15 07:12 1,846,400

---

c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 19:54 . 2008-08-14 05:11 2,189,184

---

c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 19:54 . 2008-08-14 05:09 2,145,280

---

c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 19:54 . 2008-08-14 04:33 2,066,048

---

c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 19:54 . 2008-08-14 04:33 2,023,936

---

c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-06 17:02 . 2008-10-16 23:04 <DIR> d

---

C:\Documents and Settings\JAM\Application Data\OpenOffice.org2
2008-10-06 16:59 . 2008-10-16 23:19 <DIR> d

---

C:\Program Files\OpenOffice.org 2.4
2008-10-05 16:12 . 2008-10-05 16:12 54,156 --ah

---

C:\WINDOWS\QTFont.qfn
2008-10-05 16:12 . 2008-10-05 16:12 1,409 --a

---

C:\WINDOWS\QTFont.for
2008-09-30 18:34 . 2008-10-16 20:29 <DIR> d--h

---

C:\$AVG8.VAULT$
2008-09-26 17:30 . 2008-09-26 17:30 <DIR> d

---

C:\WINDOWS\system32\scripting
2008-09-26 17:30 . 2008-09-26 17:30 <DIR> d

---

C:\WINDOWS\system32\en
2008-09-26 17:30 . 2008-09-26 17:30 <DIR> d

---

C:\WINDOWS\system32\bits
2008-09-26 17:30 . 2008-09-26 17:30 <DIR> d

---

C:\WINDOWS\l2schemas
2008-09-26 17:25 . 2008-09-26 17:31 <DIR> d

---

C:\WINDOWS\ServicePackFiles
2008-09-26 17:17 . 2008-09-26 17:17 <DIR> d

---

C:\WINDOWS\EHome
2008-09-24 22:40 . 2008-04-13 19:11 1,888,992

---

C:\WINDOWS\system32\ati3duag.dll
2008-09-24 22:39 . 2008-04-13 19:11 136,192

---

C:\WINDOWS\system32\aaclient.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-18 02:15

---

d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-17 22:02

---

d

---

w C:\Program Files\Trend Micro
2008-10-17 05:22

---

d

---

w C:\Program Files\SpywareBlaster
2008-10-17 02:49

---

d

---

w C:\Program Files\Spybot - Search & Destroy
2008-10-17 02:47

---

d

---

w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-16 23:04 45,633 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_10_16_17_56_11_small.dmp.zip
2008-10-16 23:03 507,904 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-10-16 23:03 295,424 ----a-w C:\WINDOWS\system32\termsrv.dll
2008-10-16 01:00 40,181 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_10_15_19_47_19_small.dmp.zip
2008-10-06 21:58

---

d

---

w C:\Program Files\Java
2008-10-03 01:05

---

d--h--w C:\Program Files\InstallShield Installation Information
2008-09-27 21:51

---

d

---

w C:\Program Files\MSN Messenger
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-01 04:14 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-10 20:20 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
.

---

Sigcheck

---

2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-10-16 18:03 507904 3969440ba384d35317dbbdeeaae641ce C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-13 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-13 126976]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-06-13 98393]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-13 688217]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-08-06 385024]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-08-06 356352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

C:\Documents and Settings\JAM\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-08-06 18:48 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 00:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
--a

---

2007-05-10 06:01 598920 C:\Program Files\CCleaner\ccleaner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=2 (0x2)
"gusvc"=3 (0x3)
"AVGEMS"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-31 97928]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-31 231704]
.
Contents of the 'Scheduled Tasks' folder

2008-08-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.

---

Supplementary Scan

---

.
FireFox -: Profile - C:\Documents and Settings\JAM\Application Data\Mozilla\Firefox\Profiles\68u9keg2.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.independent.co.uk
FF -: plugin - C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-17 21:25:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

---

Other Running Processes

---

.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-10-17 21:30:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-18 02:30:11
ComboFix2.txt 2006-08-13 20:53:43

Pre-Run: 53,405,040,640 bytes free
Post-Run: 53,443,805,184 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /noguiboot

208 --- E O F --- 2008-10-16 01:04:16





Friday, October 17, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, October 18, 2008 02:33:57
Records in database: 1320107


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\JAM\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics
Files scanned 40899
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 00:45:47

No malware has been detected. The scan area is clean.
The selected area was scanned.

Katana

When you run Malwarebytes, does it still find the files you said it could not delete ?

Also, Malwarebytes could not remove:

C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\vklezwxe.exe
C:\WINDOWS\system32\brastk.exe

n_ver_ending

Morning Katana, or afternoon for you,

I ran it more than once and after it said it was going to delete them on the next reboot, which i did right away, they never came back up.

Katana

Well, there is nothing obvious showing now, but there are a couple of windows files that look as if they have been patched.

If you don't mind, I will take a copy of them and get them looked at.




Upload a File
Download suspicious file packer from here

Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop

C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\termsrv.dll

Go to spykiller

Please start a new thread Titled Suspect Winlogon.exe and give the following information

• Name:-- Your name
• E-mail:-- Your E-mail (this is confidential and will not be displayed)
• Subject:-- Suspect Winlogon.exe

In the main text window please put the following info

http://icrontic.com/forum/showpost.php?p=646973&postcount=6
Patched Winlogon.exe and  [I]termsrv. dll created at the same time
[/I]requested by Katana

you may also add any comments you wish
then press attach and upload the zip/cab file that was created.

Files can be uploaded by anybody but not downloaded at all except for those users that have been given special permissions.
You DO NOT need to be a member to upload, anybody can upload the files


Please post back with the link to your Spykiller topic, and then we can see about replacing those files.

n_ver_ending

Done,
Here is the link:
http://thespykiller.co.uk/index.php/topic,7162.new.html#new

Katana

Custom CFScript

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  

  http://icrontic.com/forum/showpost.php?p=646973&postcount=6
  Comment:: Suspect Winlogon along with termsrv.dll created at the same time. -- Katana
  
  Suspect::[4]
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\termsrv.dll
  
  FCopy::
  C:\WINDOWS\ServicePackFiles\i386\winlogon.exe | C:\WINDOWS\system32\winlogon.exe
  

• Save this as CFScript.txt and place it on your desktop.
  
  
  
  
  
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  
• When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
  
• A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.
  
• Click OK and follow the instructions to submit the file.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

n_ver_ending

Here is the log report:

ComboFix 08-10-16.08 - JAM 2008-10-18 14:30:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.814 [GMT -5:00]
Running from: C:\Documents and Settings\JAM\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JAM\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.

---

FCopy

---

C:\WINDOWS\ServicePackFiles\i386\winlogon.exe --> C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((( Files Created from 2008-09-18 to 2008-10-18 )))))))))))))))))))))))))))))))
.

2008-10-17 16:43 . 2008-10-17 16:44 <DIR> d

---

C:\rsit
2008-10-17 00:17 . 2008-10-18 14:34 2,646,816 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-17 00:17 . 2008-10-18 00:54 35,204 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-17 00:14 . 2008-10-17 00:14 <DIR> d

---

C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-10-17 00:14 . 2008-07-09 09:05 75,248 --a

---

C:\WINDOWS\zllsputility.exe
2008-10-17 00:13 . 2008-10-17 00:13 <DIR> d

---

C:\Program Files\Zone Labs
2008-10-16 23:24 . 2008-10-16 23:24 <DIR> d

---

C:\Documents and Settings\JAM\Application Data\OpenOffice.org
2008-10-16 23:21 . 2008-10-16 23:21 <DIR> d

---

C:\Program Files\OpenOffice.org 3
2008-10-16 23:21 . 2008-10-16 23:21 <DIR> d

---

C:\Program Files\JRE
2008-10-16 21:49 . 2008-10-16 21:49 <DIR> d

---

C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-10-16 21:49 . 2008-10-16 21:49 <DIR> d

---

C:\Program Files\SDHelper (Spybot - Search & Destroy)
2008-10-16 21:40 . 2008-10-16 21:40 <DIR> d

---

C:\Program Files\Malwarebytes' Anti-Malware
2008-10-16 21:40 . 2008-10-16 21:40 <DIR> d

---

C:\Documents and Settings\JAM\Application Data\Malwarebytes
2008-10-16 21:40 . 2008-10-16 21:40 <DIR> d

---

C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-16 21:40 . 2008-10-16 20:25 38,496 --a

---

C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-16 21:40 . 2008-10-16 20:25 15,504 --a

---

C:\WINDOWS\system32\drivers\mbam.sys
2008-10-16 19:28 . 2008-06-19 17:24 28,544 --a

---

C:\WINDOWS\system32\drivers\pavboot.sys
2008-10-16 18:10 . 2008-10-16 21:15 164 --a

---

C:\Documents and Settings\JAM\xrt_log.dat
2008-10-16 18:03 . 2008-10-16 18:03 <DIR> d

---

C:\Documents and Settings\All Users\Application Data\punaxcpa
2008-10-15 20:03 . 2008-10-15 20:04 1,393 --a

---

C:\WINDOWS\imsins.BAK
2008-10-15 19:57 . 2008-09-08 05:41 333,824

---

c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 19:55 . 2008-09-15 07:12 1,846,400

---

c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 19:54 . 2008-08-14 05:11 2,189,184

---

c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 19:54 . 2008-08-14 05:09 2,145,280

---

c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 19:54 . 2008-08-14 04:33 2,066,048

---

c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 19:54 . 2008-08-14 04:33 2,023,936

---

c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-06 17:02 . 2008-10-16 23:04 <DIR> d

---

C:\Documents and Settings\JAM\Application Data\OpenOffice.org2
2008-10-06 16:59 . 2008-10-16 23:19 <DIR> d

---

C:\Program Files\OpenOffice.org 2.4
2008-10-05 16:12 . 2008-10-05 16:12 54,156 --ah

---

C:\WINDOWS\QTFont.qfn
2008-10-05 16:12 . 2008-10-05 16:12 1,409 --a

---

C:\WINDOWS\QTFont.for
2008-09-30 18:34 . 2008-10-16 20:29 <DIR> d--h

---

C:\$AVG8.VAULT$
2008-09-26 17:30 . 2008-09-26 17:30 <DIR> d

---

C:\WINDOWS\system32\scripting
2008-09-26 17:30 . 2008-09-26 17:30 <DIR> d

---

C:\WINDOWS\system32\en
2008-09-26 17:30 . 2008-09-26 17:30 <DIR> d

---

C:\WINDOWS\system32\bits
2008-09-26 17:30 . 2008-09-26 17:30 <DIR> d

---

C:\WINDOWS\l2schemas
2008-09-26 17:25 . 2008-09-26 17:31 <DIR> d

---

C:\WINDOWS\ServicePackFiles
2008-09-26 17:17 . 2008-09-26 17:17 <DIR> d

---

C:\WINDOWS\EHome
2008-09-24 22:40 . 2008-04-13 19:11 1,888,992

---

C:\WINDOWS\system32\ati3duag.dll
2008-09-24 22:39 . 2008-04-13 19:11 136,192

---

C:\WINDOWS\system32\aaclient.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-18 02:15

---

d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-17 22:02

---

d

---

w C:\Program Files\Trend Micro
2008-10-17 05:22

---

d

---

w C:\Program Files\SpywareBlaster
2008-10-17 02:49

---

d

---

w C:\Program Files\Spybot - Search & Destroy
2008-10-17 02:47

---

d

---

w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-16 23:04 45,633 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_10_16_17_56_11_small.dmp.zip
2008-10-16 23:03 295,424 ----a-w C:\WINDOWS\system32\termsrv.dll
2008-10-16 01:00 40,181 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_10_15_19_47_19_small.dmp.zip
2008-10-06 21:58

---

d

---

w C:\Program Files\Java
2008-10-03 01:05

---

d--h--w C:\Program Files\InstallShield Installation Information
2008-09-27 21:51

---

d

---

w C:\Program Files\MSN Messenger
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-01 04:14 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-10 20:20 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
.

((((((((((((((((((((((((((((( snapshot@2008-10-17_21.29.34.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 00:12:39 507,904 -c--a-w C:\WINDOWS\system32\dllcache\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-13 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-13 126976]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-06-13 98393]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-13 688217]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-08-06 385024]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-08-06 356352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

C:\Documents and Settings\JAM\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-08-06 18:48 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 00:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
--a

---

2007-05-10 06:01 598920 C:\Program Files\CCleaner\ccleaner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=2 (0x2)
"gusvc"=3 (0x3)
"AVGEMS"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-31 97928]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-31 231704]
.
Contents of the 'Scheduled Tasks' folder

2008-08-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-18 14:33:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-18 14:35:26
ComboFix-quarantined-files.txt 2008-10-18 19:35:21
ComboFix2.txt 2008-10-18 02:30:19
ComboFix3.txt 2006-08-13 20:53:43

Pre-Run: 53,509,836,800 bytes free
Post-Run: 53,530,062,848 bytes free

170 --- E O F --- 2008-10-16 01:04:16

Katana

Congratulations your logs look clean

Let's see if I can help you keep it that way

First lets tidy up

Please delete any .zip and .cab files that were created on your desktop

• This will clear your System Volume Information restore points and remove all the infected files that were quarantined
• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
  • 

You can also delete any logs we have produced, and empty your Recycle bin.





The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

• AntiSpyware is not the same thing as Antivirus.
  Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
  You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
  Most of the programs in this list have a free (for Home Users ) and paid versions,
  it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
• Spybot - Search & Destroy <<< A must have program
  • It includes host protection and registry protection
  • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
• MalwareBytes Anti-malware <<< A New and effective program
• a-squared Free <<< A good "realtime" or "on demand" scanner
• superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

• These programs don't detect malware, they help stop it getting on your machine in the first place.
  Each does a different job, so you can have more than one
• Winpatrol
  • An excellent startup manager and then some !!
  • Notifies you if programs are added to startup
  • Allows delayed startup
  • A must have addition
• SpywareBlaster 4.0
  • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
• SpywareGuard 2.2
  • SpywareGuard provides real-time protection against spyware.
  • Not required if you have other "realtime" antispyware or Winpatrol
• ZonedOut
  • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
• MVPS HOSTS
  • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
  • For information on how to download and install, please read this tutorial by WinHelp2002.
  • Not required if you are using other host file protections

Internet Browsers

• Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
  Using a different web browser can help stop malware getting on your machine.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
       • Change the Download signed ActiveX controls to Prompt
       • Change the Download unsigned ActiveX controls to Disable
       • Change the Initialise and script ActiveX controls not marked as safe to Disable
       • Change the Installation of desktop items to Prompt
       • Change the Launching programs and files in an IFRAME to Prompt
       • Change the Navigate sub-frames across different domains to Prompt
       • When all these settings have been made, click on the OK button.
       • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  
  If you are still using IE6 then either update, or get one of the following.
  • FireFox
    • With many addons available that make customization easy this is a very popular choice
    • NoScript and AdBlockPlus addons are essential
  • Opera
    • Another popular alternative
  • Netscape
    • Another popular alternative
    • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

• Temporary Internet Files are mainly the files that are downloaded when you open a web page.
  Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
  It is a good idea to empty the Temporary Internet Files folder on a regular basis.
  
  Tracking Cookies are files that websites use to monitor which sites you visit and how often.
  A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
  CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
  
  Both of these can be cleaned manually, but a quicker option is to use a program
• ATF Cleaner
  • Free and very simple to use
• CCleaner
  • Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

n_ver_ending

Thank you very much.

I also have another another lap top i need to get cleaned out. I will being another thread for that one though.

Thank you so much Katana

Katana

n_ver_ending wrote:

Thank you very much.

I also have another another lap top i need to get cleaned out. I will being another thread for that one though.

Thank you so much Katana

No problem, we're here to help

Just start a fresh thread, and one of us will pick it up soon

Katana

Glad we could be of assistance! This topic is now closed.

If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

If you are not the user who started this thread, you must start your own Thread instead