Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Solved: Invisible Trojan Problem and Possible Registry Problems
Junior Member with 11 posts.
 
Join Date: Apr 2008
Experience: Intermediate
23-Apr-2008, 08:30 PM #1
Solved: Invisible Trojan Problem and Possible Registry Problems
Please help!

I accidentally left my computer on over the weekend. The internet was still up. When I got home, a program called AntiSpywareMaster had installed itself. When I ran AVG, it found a few problems which cleaned with no problems, but the program kept installing itself even though I kept uninstalling it. I uninstalled AVG and installed TrendMicro. TrendMicro found TROJ_VUNDO.BMF in the following registry files: cuygnjys.dll, rqRHyww.dll, and A0008403.dll. TrendMicro could not solve the problems (no clean or quarantine) but gave me instructions on how to edit my registry through RUN:REGEDIT. I attempted to delete some CLSID files but it didn't seem to work. Now, when I restart my computer I get an error that says RUN cannot open/find C:\WINDOWS\system32\cuygnjys.dll.

Also, as I was trying to find online fixes for this problem I came upon this thread: http://forums.techguy.org/malware-re...lorer-exe.html. I had the same buffer overrun error. Whatever is on my computer is constantly trying to download something and sends pop-ups galore.

I hope you can help me! I tried to run the VundoFix.exe but it didn't find anything.

Right now I am using McAfee VirusScan Enterprise 8.5.0i Patch 5, but it couldn't find anything with the on-demand scan. The on-access scan found 3 problems but couldn't fix any of them (not yet anyway) and has blocked 11 file actions in the past hour.

I changed my security settings to prompt on all cookies and noticed these ones would come up when the pop-ups occurred: junkor.com, affiliates.digitalriver.com, and 82.98.235.210

I have attached my HijackThis Log and ComboFix Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:25 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winmine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 128.95.198.85 uwcps_rainiers.uwcps.pubserv.washington.edu
O1 - Hosts: 128.95.198.87 uwcps_libr_ps.uwcps.pubserv.washington.edu
O1 - Hosts: 128.95.198.88 uwcps-art-sci.uwcps.pubserv.washington.edu
O1 - Hosts: 128.95.198.86 uwcps-dept-ps.uwcps.pubserv.washington.edu
O1 - Hosts: 128.95.198.85 uwcps_rainiers
O1 - Hosts: 128.95.198.87 uwcps_libr_ps
O1 - Hosts: 128.95.198.88 uwcps-art-sci
O1 - Hosts: 128.95.198.86 uwcps-dept-ps
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [BM67ec1ded] Rundll32.exe "C:\WINDOWS\system32\jmgcbbhm.dll",s
O4 - HKLM\..\Run: [64df2e71] rundll32.exe "C:\WINDOWS\system32\otcjdwap.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8665 bytes



ComboFix 08-04-22.5 - AMR 2008-04-23 21:12:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.422 [GMT -7:00]
Running from: C:\Documents and Settings\AMR\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AntiSpywareMaster
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cbXopNff.dll
C:\WINDOWS\system32\jmgcbbhm.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\otcjdwap.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pawdjcto.ini
C:\WINDOWS\system32\rqRHywwx.dll
C:\WINDOWS\system32\xwwyHRqr.ini
C:\WINDOWS\system32\xwwyHRqr.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-23 21:12 . 2008-04-23 21:12 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-23 19:50 . 2008-04-23 19:46 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-23 19:46 . 2008-04-23 20:01 <DIR> d-------- C:\Documents and Settings\AMR\.housecall6.6
2008-04-23 19:38 . 2008-04-23 19:39 <DIR> d-------- C:\Program Files\Script Sentry
2008-04-23 19:22 . 2008-04-23 19:22 <DIR> d-------- C:\Program Files\PrevxCSI
2008-04-23 19:22 . 2008-04-23 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-04-23 19:22 . 2008-04-23 19:22 10,880 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-04-23 19:20 . 2008-04-23 19:20 <DIR> d-------- C:\Program Files\Cookie Jar
2008-04-23 18:55 . 2008-04-23 19:25 <DIR> d-------- C:\Program Files\SpywareGuard
2008-04-23 18:42 . 2008-04-23 18:56 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-23 18:42 . 2008-04-23 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-23 17:06 . 2008-04-23 17:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 16:51 . 2008-04-23 16:51 <DIR> d-------- C:\VundoFix Backups
2008-04-23 09:08 . 2008-04-23 09:08 <DIR> d-------- C:\WINDOWS\35C03C043F1F42C2A989A757EE691F65.TMP
2008-04-22 17:20 . 2008-04-22 17:20 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-04-22 17:20 . 2008-04-22 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-22 17:20 . 2006-12-19 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-04-22 17:20 . 2008-01-24 20:50 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-22 17:20 . 2008-01-24 20:50 72,936 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-22 17:20 . 2008-01-24 20:50 64,232 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-04-22 17:20 . 2008-01-24 20:50 52,104 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-04-22 17:20 . 2008-01-24 20:50 33,960 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-22 17:20 . 2006-12-19 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-04-22 17:19 . 2008-04-22 17:20 <DIR> d-------- C:\Program Files\McAfee
2008-04-22 17:19 . 2008-04-22 17:19 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-21 20:13 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-21 18:51 . 2008-04-23 18:53 109,795 --a------ C:\WINDOWS\BM67ec1ded.xml
2008-04-21 18:45 . 2008-04-21 19:37 <DIR> d-------- C:\WINDOWS\system32\xcsDd01
2008-04-17 22:22 . 2008-04-17 22:22 <DIR> d-------- C:\Temp\berDrv11
2008-04-17 22:22 . 2008-04-23 21:13 <DIR> d-------- C:\Temp
2008-04-17 22:22 . 2008-04-17 22:22 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-04-12 00:21 . 2008-04-12 00:21 96,577 --a------ C:\WINDOWS\hpqins16.dat
2008-04-09 21:16 . 2008-04-12 11:46 479 --a------ C:\WirelessDiagLog.csv
2008-04-09 12:33 . 2008-04-09 12:33 <DIR> d-------- C:\Program Files\Auslogics
2008-04-09 12:33 . 2008-04-09 12:33 <DIR> d-------- C:\Documents and Settings\AMR\Application Data\Auslogics
2008-04-08 12:29 . 2008-04-08 12:29 <DIR> d-------- C:\Program Files\PharosSystems
2008-04-08 12:29 . 2008-04-08 12:29 <DIR> d-------- C:\Program Files\Pharos
2008-03-31 12:40 . 2008-03-31 12:40 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-25 11:54 . 2008-03-25 11:55 <DIR> d-------- C:\Documents and Settings\AMR\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 01:13 --------- d-----w C:\Program Files\Windows Desktop Search
2008-04-22 03:13 --------- d-----w C:\Program Files\Java
2008-04-12 07:20 --------- d-----w C:\Program Files\HP
2008-04-08 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-28 21:38 21,361 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-28 21:38 21,361 ----a-w C:\WINDOWS\AegisP.sys
2008-03-22 19:30 --------- d-----w C:\Program Files\Soulseek
2008-03-17 07:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-17 02:32 --------- d-----w C:\Documents and Settings\AMR\Application Data\vlc
2008-03-17 01:53 --------- d-----w C:\Program Files\VideoLAN
2008-03-13 07:26 --------- d-----w C:\Program Files\Common Files\HP
2008-03-13 00:01 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-13 00:01 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-12 23:55 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-12 22:03 --------- d-----w C:\Program Files\Windows Defender
2008-03-12 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-03-12 01:55 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-03-12 01:50 --------- d-----w C:\Documents and Settings\AMR\Application Data\HP
2008-03-12 01:43 --------- d-----w C:\Program Files\Microsoft Works
2008-03-12 01:42 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-12 01:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-12 01:33 --------- d-----w C:\Program Files\SigmaTel
2008-03-12 01:26 --------- d-----w C:\Program Files\CONEXANT
2008-03-12 01:14 --------- d-----w C:\Program Files\BlueTooth
2008-03-12 01:08 --------- d-----w C:\Program Files\Toshiba
2008-03-12 00:56 --------- d-----w C:\Program Files\Synaptics
2008-03-12 00:21 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2008-03-12 00:21 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Intel
2008-03-12 00:21 --------- d-----w C:\Documents and Settings\AMR\Application Data\Intel
2008-03-12 00:20 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-03-12 00:20 --------- d-----w C:\Program Files\Intel
2008-03-12 00:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2008-03-12 00:14 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-12 00:14 --------- d-----w C:\Program Files\Broadcom
2008-03-11 23:33 5 ----a-w C:\WINDOWS\system32\drivers\DELL__.MRK
2008-03-11 23:33 5 ----a-w C:\WINDOWS\system32\drivers\1028_DELL__.MRK
2008-03-11 23:32 --------- d-----w C:\Program Files\Dell
2008-03-11 22:06 --------- d-----w C:\Program Files\Common Files\Java
2008-03-11 21:48 --------- d-----w C:\Program Files\RGB
2008-03-11 21:46 --------- d-----w C:\Program Files\GemMaster
2008-03-11 21:46 --------- d-----w C:\Program Files\ESPNMotion
2008-03-11 21:46 --------- d-----w C:\Program Files\EnglishOtto
2008-03-11 21:46 --------- d-----w C:\Program Files\DIGStream
2008-03-11 21:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2008-03-11 21:34 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-11 21:27 --------- d-----w C:\Program Files\Windows Plus
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 04:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 11:44 839680]
"ShowLOMControl"="1 (0x1)" []
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 15:18 995328]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 15:13 1101824]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-03-30 21:00 138008]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-03-30 21:00 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-03-30 20:59 138008]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 13:48 761947]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 11:22 405504]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2008-01-24 20:50 111952]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]
"ScriptSentry"="C:\Program Files\Script Sentry\ScriptSentry.exe" [2008-04-23 19:38 262144]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 03:18 437160]

C:\Documents and Settings\AMR\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 12:11:42 49152]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXopNff]
cbXopNff.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4940:UDP"= 4940:UDP:Windows Media Format SDK (iexplore.exe)
"4941:UDP"= 4941:UDP:Windows Media Format SDK (iexplore.exe)

R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-04-23 19:22]
R2 CSIScanner;CSIScanner;"C:\Program Files\PrevxCSI\\PrevxCSI.exe" /service []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7feb84c4-10ca-11dd-b414-001302487e2b}]
\Shell\AutoRun\command - E:\autorun.bat

.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 01:38:29 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-22 03:03:14 C:\WINDOWS\Tasks\User_Feed_Synchronization-{3CF604DE-6C80-4C11-A6C4-483334CA3502}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 21:19:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Documents and Settings\AMR\Local Settings\Application Data\Toshiba\BluetoothStack\V1.0\SDP00124.sdb 2479 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-04-23 21:21:42 - machine was rebooted [AMR]
ComboFix-quarantined-files.txt 2008-04-24 04:21:37

Pre-Run: 58,206,957,568 bytes free
Post-Run: 58,316,681,216 bytes free

244 --- E O F --- 2008-04-24 01:16:48

Last edited by eyelinerbunnie : 24-Apr-2008 12:30 AM. Reason: Add Combo Fix Log and more background information
Moderator with 53,851 posts.
 
Join Date: Apr 2002
Location: Washington State
25-Apr-2008, 02:19 PM #2
Please download Malwarebytes Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy the entire report and paste it in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
__________________
Microsoft MVP/Windows - Consumer Security


If we have helped you, please consider making a donation to TSG!
Junior Member with 11 posts.
 
Join Date: Apr 2008
Experience: Intermediate
01-May-2008, 12:48 AM #3
Sorry it has taken me so long! I suffered the loss of two very dear pets so I haven't been on my computer since. I attached the log:

Malwarebytes' Anti-Malware 1.11
Database version: 704

Scan type: Full Scan (C:\|)
Objects scanned: 60328
Time elapsed: 36 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\xcsDd01 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\jmgcbbhm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rqRHywwx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F186E588-DCB7-4DC6-9C77-27622E9EEB37}\RP2\A0000065.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F186E588-DCB7-4DC6-9C77-27622E9EEB37}\RP2\A0000072.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Malware.Trace) -> Quarantined and deleted successfully.
Moderator with 53,851 posts.
 
Join Date: Apr 2002
Location: Washington State
01-May-2008, 11:11 AM #4
Quote:
Originally Posted by eyelinerbunnie View Post
Sorry it has taken me so long! I suffered the loss of two very dear pets so I haven't been on my computer since.
Sorry to hear about that!

Open Notepad and copy and paste the text in the quote box below into it:
Quote:
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXopNff]

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
__________________
Microsoft MVP/Windows - Consumer Security


If we have helped you, please consider making a donation to TSG!
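The helpers in this thread read the HijackThis O4 entries, the ComboFix "Reg Loading Points" section and the service/mountpoints2 keys by eye. As an added example (not from the thread, and not a feature of HijackThis, ComboFix or Malwarebytes), the Python script below runs a few defender-side triage rules over constructed log lines copied in shape from the logs in post #1: rundll32 Run entries that load a DLL outside a small allow-list (the two Vundo entries, with their 8-letter random names), a Winlogon Notify handler outside a baseline list (the cbXopNff key that the CFScript in post #4 removes), a service whose ImagePath lives under TEMP (the mchInjDrv entry), and a mountpoints2 AutoRun command. The function name `triage`, the helper `_basename`, and the two allow-lists `KNOWN_RUNDLL32_TARGETS` and `KNOWN_WINLOGON_NOTIFY` are assumptions of this example; the lists are illustrative and a real baseline would be taken from a known-clean reference machine.

```python
import re

# Constructed sample: lines copied in shape from the HijackThis (O4) and
# ComboFix (Reg Loading Points, services, mountpoints2) logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [BM67ec1ded] Rundll32.exe "C:\WINDOWS\system32\jmgcbbhm.dll",s
O4 - HKLM\..\Run: [64df2e71] rundll32.exe "C:\WINDOWS\system32\otcjdwap.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXopNff]
cbXopNff.dll
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7feb84c4-10ca-11dd-b414-001302487e2b}]
\Shell\AutoRun\command - E:\autorun.bat
"""

# Assumption: illustrative allow-lists, not authoritative baselines.
# bthprops.cpl is the Bluetooth agent that rundll32 legitimately launches in this log.
KNOWN_RUNDLL32_TARGETS = {"bthprops.cpl"}
# A few Winlogon\Notify handlers that ship with Windows XP or with the Intel graphics driver.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
    "sclgntfy.dll", "igfxdev.dll", "igfxsrvc.dll",
}

O4_RE = re.compile(r'^O4 - .*?\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$', re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<target>[^",]+)', re.I)
NOTIFY_KEY_RE = re.compile(r'\\winlogon\\notify\\(?P<sub>[^\]]+)\]', re.I)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>[^"]+)"', re.I)
TEMP_PATH_RE = re.compile(r'\\temp\\|\\tmp\\|\.tmp$', re.I)
AUTORUN_RE = re.compile(r'\\Shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$', re.I)
RANDOM_NAME_RE = re.compile(r'^[a-z]{8}\.dll$', re.I)  # Vundo-style 8-letter DLL names


def _basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rstrip("\\").split("\\")[-1].lower()


def triage(lines):
    """Return (rule, indicator, note) tuples for lines that match a triage rule."""
    findings = []
    pending_notify = None  # set after a Winlogon\Notify key; ComboFix prints the DLL on the next line
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m.group("cmd"))
            if r:
                base = _basename(r.group("target").strip())
                if base not in KNOWN_RUNDLL32_TARGETS:
                    note = "Run key launches a DLL through rundll32"
                    if RANDOM_NAME_RE.match(base):
                        note += " (8-letter random-looking name, as in the Vundo entries here)"
                    findings.append(("o4-rundll32", base, note))
            continue
        n = NOTIFY_KEY_RE.search(line)
        if n:
            pending_notify = n.group("sub")
            continue
        if pending_notify is not None:
            dll = line.lower()
            if dll.endswith(".dll") and dll not in KNOWN_WINLOGON_NOTIFY:
                findings.append(("winlogon-notify", dll,
                                 "Winlogon Notify handler outside the baseline: " + pending_notify))
            pending_notify = None
            continue
        i = IMAGEPATH_RE.match(line)
        if i and TEMP_PATH_RE.search(i.group("path")):
            findings.append(("service-temp-imagepath", i.group("path"),
                             "service binary lives in a temporary directory"))
            continue
        a = AUTORUN_RE.search(line)
        if a:
            findings.append(("mountpoints2-autorun", a.group("cmd").strip(),
                             "AutoRun command registered for a drive under mountpoints2"))
    return findings


if __name__ == "__main__":
    for rule, indicator, note in triage(SAMPLE_LOG.splitlines()):
        print(f"{rule:24} {indicator:40} {note}")
```

Run the module directly to print the five findings for the sample; on a real log, feed the file's lines to `triage` instead of `SAMPLE_LOG`. The rules are deliberately narrow (a fixed allow-list and a naming pattern) so that a known-good entry such as the Bluetooth agent is not reported, which is the trade-off any such triage script makes between false positives and coverage.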
Junior Member with 11 posts.
 
Join Date: Apr 2008
Experience: Intermediate
02-May-2008, 04:07 PM #5
I have attached the combo fix log: (the HT log wouldn't fit so I put it in a different post)

ComboFix 08-04-22.5 - AMR 2008-05-02 12:56:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.475 [GMT -7:00]
Running from: C:\Documents and Settings\AMR\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\AMR\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.

2008-04-30 20:36 . 2008-04-30 20:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-30 20:36 . 2008-04-30 20:36 <DIR> d-------- C:\Documents and Settings\AMR\Application Data\Malwarebytes
2008-04-30 20:36 . 2008-04-30 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 03:03 . 2008-05-02 12:56 <DIR> d-------- C:\QUARANTINE
2008-04-23 22:38 . 2008-04-23 22:38 <DIR> d-------- C:\Documents and Settings\AMR\Application Data\Windows Desktop Search
2008-04-23 21:12 . 2008-04-23 21:12 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-23 19:50 . 2008-04-23 19:46 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-23 19:46 . 2008-04-23 20:01 <DIR> d-------- C:\Documents and Settings\AMR\.housecall6.6
2008-04-23 19:20 . 2008-04-23 19:20 <DIR> d-------- C:\Program Files\Cookie Jar
2008-04-23 18:55 . 2008-04-24 01:18 <DIR> d-------- C:\Program Files\SpywareGuard
2008-04-23 18:42 . 2008-04-30 20:14 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-23 18:42 . 2008-04-30 20:31 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-23 17:06 . 2008-04-23 17:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 16:51 . 2008-04-23 16:51 <DIR> d-------- C:\VundoFix Backups
2008-04-23 09:08 . 2008-04-23 09:08 <DIR> d-------- C:\WINDOWS\35C03C043F1F42C2A989A757EE691F65.TMP
2008-04-22 17:20 . 2008-04-22 17:20 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-04-22 17:20 . 2008-04-22 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-22 17:20 . 2006-12-19 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-04-22 17:20 . 2008-01-24 20:50 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-22 17:20 . 2008-01-24 20:50 72,936 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-22 17:20 . 2008-01-24 20:50 64,232 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-04-22 17:20 . 2008-01-24 20:50 52,104 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-04-22 17:20 . 2008-01-24 20:50 33,960 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-22 17:20 . 2006-12-19 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-04-22 17:19 . 2008-04-22 17:20 <DIR> d-------- C:\Program Files\McAfee
2008-04-22 17:19 . 2008-04-22 17:19 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-21 20:13 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-21 18:51 . 2008-04-23 18:53 109,795 --a------ C:\WINDOWS\BM67ec1ded.xml
2008-04-17 22:22 . 2008-04-17 22:22 <DIR> d-------- C:\Temp\berDrv11
2008-04-17 22:22 . 2008-04-23 21:13 <DIR> d-------- C:\Temp
2008-04-12 00:21 . 2008-04-12 00:21 96,577 --a------ C:\WINDOWS\hpqins16.dat
2008-04-09 21:16 . 2008-04-12 11:46 479 --------- C:\WirelessDiagLog.csv
2008-04-09 12:33 . 2008-04-09 12:33 <DIR> d-------- C:\Program Files\Auslogics
2008-04-09 12:33 . 2008-04-09 12:33 <DIR> d-------- C:\Documents and Settings\AMR\Application Data\Auslogics
2008-04-08 12:29 . 2008-04-08 12:29 <DIR> d-------- C:\Program Files\PharosSystems
2008-04-08 12:29 . 2008-04-08 12:29 <DIR> d-------- C:\Program Files\Pharos

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-24 05:37 --------- d-----w C:\Program Files\Windows Desktop Search
2008-04-22 03:13 --------- d-----w C:\Program Files\Java
2008-04-12 07:20 --------- d-----w C:\Program Files\HP
2008-04-08 19:29 10,752 ----a-w C:\WINDOWS\system32\PSS02105.DLL
2008-04-08 19:29 10,752 ----a-w C:\WINDOWS\system32\PSS02104.DLL
2008-04-08 19:29 10,752 ----a-w C:\WINDOWS\system32\PSS02103.DLL
2008-04-08 19:29 10,752 ----a-w C:\WINDOWS\system32\PSS02102.DLL
2008-04-08 19:29 10,752 ----a-w C:\WINDOWS\system32\PSS02101.DLL
2008-04-08 19:29 10,752 ----a-w C:\WINDOWS\system32\PSS02100.DLL
2008-04-08 19:29 10,752 ----a-w C:\WINDOWS\system32\PSS020FF.DLL
2008-04-08 19:29 10,752 ----a-w C:\WINDOWS\system32\PSS020FE.DLL
2008-04-08 19:29 10,752 ----a-w C:\WINDOWS\system32\PSS020FD.DLL
2008-04-08 19:29 10,752 ----a-w C:\WINDOWS\system32\PSS020FC.DLL
2008-04-08 19:29 10,752 ----a-w C:\WINDOWS\system32\PSS020FB.DLL
2008-04-08 19:29 10,752 ----a-w C:\WINDOWS\system32\PSS020FA.DLL
2008-03-28 21:38 376,832 ----a-w C:\WINDOWS\system32\AegisI5Installer.exe
2008-03-28 21:38 21,361 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-28 21:38 21,361 ----a-w C:\WINDOWS\AegisP.sys
2008-03-25 18:55 --------- d-----w C:\Documents and Settings\AMR\Application Data\Move Networks
2008-03-22 19:30 --------- d-----w C:\Program Files\Soulseek
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 07:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-17 02:32 --------- d-----w C:\Documents and Settings\AMR\Application Data\vlc
2008-03-17 01:53 --------- d-----w C:\Program Files\VideoLAN
2008-03-13 07:26 --------- d-----w C:\Program Files\Common Files\HP
2008-03-13 06:51 139,264 ----a-w C:\WINDOWS\system32\hpzjrd01.dll
2008-03-13 00:01 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-13 00:01 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-12 23:55 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-12 22:03 --------- d-----w C:\Program Files\Windows Defender
2008-03-12 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-03-12 01:55 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-03-12 01:50 --------- d-----w C:\Documents and Settings\AMR\Application Data\HP
2008-03-12 01:43 --------- d-----w C:\Program Files\Microsoft Works
2008-03-12 01:42 --------- d-----w C:\Program Files\Microsoft.NET
2008-03-12 01:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-12 01:33 --------- d-----w C:\Program Files\SigmaTel
2008-03-12 01:26 --------- d-----w C:\Program Files\CONEXANT
2008-03-12 01:14 --------- d-----w C:\Program Files\BlueTooth
2008-03-12 01:08 --------- d-----w C:\Program Files\Toshiba
2008-03-12 00:56 --------- d-----w C:\Program Files\Synaptics
2008-03-12 00:21 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2008-03-12 00:21 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Intel
2008-03-12 00:21 --------- d-----w C:\Documents and Settings\AMR\Application Data\Intel
2008-03-12 00:20 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-03-12 00:20 --------- d-----w C:\Program Files\Intel
2008-03-12 00:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2008-03-12 00:14 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-12 00:14 --------- d-----w C:\Program Files\Broadcom
2008-03-11 23:33 5 ----a-w C:\WINDOWS\system32\drivers\DELL__.MRK
2008-03-11 23:33 5 ----a-w C:\WINDOWS\system32\drivers\1028_DELL__.MRK
2008-03-11 23:32 --------- d-----w C:\Program Files\Dell
2008-03-11 22:06 --------- d-----w C:\Program Files\Common Files\Java
2008-03-11 21:48 --------- d-----w C:\Program Files\RGB
2008-03-11 21:46 --------- d-----w C:\Program Files\GemMaster
2008-03-11 21:46 --------- d-----w C:\Program Files\ESPNMotion
2008-03-11 21:46 --------- d-----w C:\Program Files\EnglishOtto
2008-03-11 21:46 --------- d-----w C:\Program Files\DIGStream
2008-03-11 21:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
2008-03-11 21:34 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-11 21:27 --------- d-----w C:\Program Files\Windows Plus
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-23_21.21.23.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-11 16:35:59 153,088 ----a-w C:\WINDOWS\$hf_mig$\KB920342\SP2QFE\p2p.dll
+ 2006-10-11 16:35:59 104,960 ----a-w C:\WINDOWS\$hf_mig$\KB920342\SP2QFE\p2pgasvc.dll
+ 2006-10-11 16:35:59 313,344 ----a-w C:\WINDOWS\$hf_mig$\KB920342\SP2QFE\p2pgraph.dll
+ 2006-10-11 16:35:59 115,712 ----a-w C:\WINDOWS\$hf_mig$\KB920342\SP2QFE\p2pnetsh.dll
+ 2006-10-11 16:35:59 553,984 ----a-w C:\WINDOWS\$hf_mig$\KB920342\SP2QFE\p2psvc.dll
+ 2006-10-11 16:35:59 58,880 ----a-w C:\WINDOWS\$hf_mig$\KB920342\SP2QFE\pnrpnsp.dll
+ 2006-09-26 08:51:38 212,480 ----a-w C:\WINDOWS\$hf_mig$\KB920342\SP2QFE\xpsp3res.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB920342\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB920342\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB920342\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB920342\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB920342\update\updspapi.dll
- 2008-04-24 04:18:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-02 19:49:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2005-06-28 23:43:35 19,200 ------w C:\WINDOWS\Driver Cache\i386\hidir.sys
+ 2006-01-11 00:48:53 19,200 ------w C:\WINDOWS\Driver Cache\i386\hidir.sys
- 2005-06-28 23:43:39 46,592 ------w C:\WINDOWS\Driver Cache\i386\irbus.sys
+ 2006-01-11 00:48:58 46,592 ------w C:\WINDOWS\Driver Cache\i386\irbus.sys
- 2004-08-10 11:00:00 123,904 -c--a-w C:\WINDOWS\system32\dllcache\guitrn.dll
+ 2005-04-28 19:16:29 133,120 -c--a-w C:\WINDOWS\system32\dllcache\guitrn.dll
- 2004-08-10 11:00:00 19,968 -c--a-w C:\WINDOWS\system32\dllcache\log.dll
+ 2005-04-28 19:16:29 19,968 -c--a-w C:\WINDOWS\system32\dllcache\log.dll
- 2004-08-10 11:00:00 201,216 -c--a-w C:\WINDOWS\system32\dllcache\migism.dll
+ 2005-04-28 19:16:29 274,432 -c--a-w C:\WINDOWS\system32\dllcache\migism.dll
- 2004-08-10 11:00:00 103,424 -c--a-w C:\WINDOWS\system32\dllcache\migload.exe
+ 2005-04-28 00:12:58 103,424 -c--a-w C:\WINDOWS\system32\dllcache\migload.exe
- 2004-08-10 11:00:00 240,128 -c--a-w C:\WINDOWS\system32\dllcache\migwiz.exe
+ 2005-04-28 00:12:57 245,248 -c--a-w C:\WINDOWS\system32\dllcache\migwiz.exe
- 2004-08-10 11:00:00 116,224 -c--a-w C:\WINDOWS\system32\dllcache\p2p.dll
+ 2006-10-11 16:24:45 153,088 -c--a-w C:\WINDOWS\system32\dllcache\p2p.dll
- 2004-08-10 11:00:00 86,016 -c--a-w C:\WINDOWS\system32\dllcache\p2pgasvc.dll
+ 2006-10-11 16:24:45 104,960 -c--a-w C:\WINDOWS\system32\dllcache\p2pgasvc.dll
- 2004-08-10 11:00:00 312,320 -c--a-w C:\WINDOWS\system32\dllcache\p2pgraph.dll
+ 2006-10-11 16:24:45 313,344 -c--a-w C:\WINDOWS\system32\dllcache\p2pgraph.dll
- 2004-08-10 11:00:00 88,064 -c--a-w C:\WINDOWS\system32\dllcache\p2pnetsh.dll
+ 2006-10-11 16:24:45 116,224 -c--a-w C:\WINDOWS\system32\dllcache\p2pnetsh.dll
- 2004-08-10 11:00:00 526,848 -c--a-w C:\WINDOWS\system32\dllcache\p2psvc.dll
+ 2006-10-11 16:24:45 553,984 -c--a-w C:\WINDOWS\system32\dllcache\p2psvc.dll
- 2004-08-10 11:00:00 48,640 -c--a-w C:\WINDOWS\system32\dllcache\pnrpnsp.dll
+ 2006-10-11 16:24:45 58,880 -c--a-w C:\WINDOWS\system32\dllcache\pnrpnsp.dll
- 2004-08-10 11:00:00 202,752 -c--a-w C:\WINDOWS\system32\dllcache\script.dll
+ 2005-04-28 19:16:29 215,552 -c--a-w C:\WINDOWS\system32\dllcache\script.dll
- 2004-08-10 11:00:00 168,960 -c--a-w C:\WINDOWS\system32\dllcache\sysmod.dll
+ 2005-04-28 19:16:29 193,024 -c--a-w C:\WINDOWS\system32\dllcache\sysmod.dll
- 2005-06-28 23:43:35 19,200 ------w C:\WINDOWS\system32\drivers\hidir.sys
+ 2006-01-11 00:48:53 19,200 ------w C:\WINDOWS\system32\drivers\hidir.sys
- 2005-06-28 23:43:39 46,592 ------w C:\WINDOWS\system32\drivers\irbus.sys
+ 2006-01-11 00:48:58 46,592 ------w C:\WINDOWS\system32\drivers\irbus.sys
- 2007-10-11 22:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.DLL
+ 2008-03-21 01:06:36 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2007-02-05 22:30:16 23,552 ------w C:\WINDOWS\system32\msscb.dll
+ 2007-02-05 22:29:24 51,200 ------w C:\WINDOWS\system32\msscntrs.dll
+ 2007-02-05 22:35:38 248,320 ------w C:\WINDOWS\system32\msshsq.dll
+ 2007-02-05 22:29:14 98,816 ------w C:\WINDOWS\system32\mssitlb.dll
+ 2007-02-05 22:33:54 331,776 ------w C:\WINDOWS\system32\mssph.dll
+ 2007-02-05 22:35:24 167,424 ------w C:\WINDOWS\system32\mssphtb.dll
+ 2007-02-05 22:28:56 32,256 ------w C:\WINDOWS\system32\mssprxy.dll
+ 2007-02-05 22:43:06 1,481,728 ------w C:\WINDOWS\system32\mssrch.dll
+ 2007-02-05 22:36:48 52,224 ------w C:\WINDOWS\system32\msstrc.dll
+ 2007-02-05 22:40:56 260,096 ------w C:\WINDOWS\system32\oeph.dll
+ 2007-02-05 22:24:36 11,264 ------w C:\WINDOWS\system32\oephRes.dll
- 2004-08-10 11:00:00 116,224 ----a-w C:\WINDOWS\system32\p2p.dll
+ 2006-10-11 16:24:45 153,088 ----a-w C:\WINDOWS\system32\p2p.dll
- 2004-08-10 11:00:00 86,016 ----a-w C:\WINDOWS\system32\p2pgasvc.dll
+ 2006-10-11 16:24:45 104,960 ----a-w C:\WINDOWS\system32\p2pgasvc.dll
- 2004-08-10 11:00:00 312,320 ----a-w C:\WINDOWS\system32\p2pgraph.dll
+ 2006-10-11 16:24:45 313,344 ----a-w C:\WINDOWS\system32\p2pgraph.dll
- 2004-08-10 11:00:00 88,064 ----a-w C:\WINDOWS\system32\p2pnetsh.dll
+ 2006-10-11 16:24:45 116,224 ----a-w C:\WINDOWS\system32\p2pnetsh.dll
- 2004-08-10 11:00:00 526,848 ----a-w C:\WINDOWS\system32\p2psvc.dll
+ 2006-10-11 16:24:45 553,984 ----a-w C:\WINDOWS\system32\p2psvc.dll
- 2008-04-24 01:39:22 54,010 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-02 19:53:58 61,064 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-24 01:39:22 383,822 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-02 19:53:58 404,866 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2004-08-10 11:00:00 48,640 ----a-w C:\WINDOWS\system32\pnrpnsp.dll
+ 2006-10-11 16:24:45 58,880 ----a-w C:\WINDOWS\system32\pnrpnsp.dll
+ 2007-02-05 22:32:02 65,536 ------w C:\WINDOWS\system32\propdefs.dll
+ 2007-02-05 22:28:46 733,696 ------w C:\WINDOWS\system32\propsys.dll
+ 2007-02-05 22:36:08 27,136 ------w C:\WINDOWS\system32\rtffilt.dll
+ 2007-02-05 22:31:10 76,800 ------w C:\WINDOWS\system32\searchfilterhost.exe
+ 2007-02-05 22:34:38 300,032 ------w C:\WINDOWS\system32\searchindexer.exe
+ 2007-02-05 22:32:28 182,784 ------w C:\WINDOWS\system32\searchprotocolhost.exe
- 2007-01-03 19:21:06 14,640 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-01-03 18:21:06 14,640 ------w C:\WINDOWS\system32\spmsg.dll
- 2007-01-03 19:21:06 23,856 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2007-01-03 18:21:06 23,856 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2007-02-05 22:29:12 255,488 ------w C:\WINDOWS\system32\srchadmin.dll
+ 2007-02-05 21:24:26 99,999 ------w C:\WINDOWS\system32\structuredqueryschema.bin
+ 2007-02-05 21:24:28 18,271 ------w C:\WINDOWS\system32\structuredqueryschematrivial.bin
+ 2007-02-05 22:42:10 1,504,768 ------w C:\WINDOWS\system32\tquery.dll
+ 2007-02-05 22:40:58 98,304 ------w C:\WINDOWS\system32\UncCplExt.dll
+ 2007-02-05 22:41:06 134,656 ------w C:\WINDOWS\system32\UncDMS.dll
+ 2007-02-05 22:41:04 108,544 ------w C:\WINDOWS\system32\UncNE.dll
+ 2007-02-05 22:41:14 122,368 ------w C:\WINDOWS\system32\UncPH.dll
+ 2007-02-05 22:24:38 2,048 ------w C:\WINDOWS\system32\UncRes.dll
+ 2005-04-27 23:15:36 17,920 ------w C:\WINDOWS\system32\usmt\cobramsg.dll
- 2004-08-10 11:00:00 123,904 ----a-w C:\WINDOWS\system32\usmt\guitrn.dll
+ 2005-04-28 19:16:29 133,120 ----a-w C:\WINDOWS\system32\usmt\guitrn.dll
+ 2005-04-28 19:16:29 115,200 ------w C:\WINDOWS\system32\usmt\guitrna.dll
- 2004-08-10 11:00:00 4,096 ----a-w C:\WINDOWS\system32\usmt\iconlib.dll
+ 2005-04-27 23:15:45 2,560 ----a-w C:\WINDOWS\system32\usmt\iconlib.dll
- 2004-08-10 11:00:00 19,968 ----a-w C:\WINDOWS\system32\usmt\log.dll
+ 2005-04-28 19:16:29 19,968 ----a-w C:\WINDOWS\system32\usmt\log.dll
- 2004-08-10 11:00:00 201,216 ----a-w C:\WINDOWS\system32\usmt\migism.dll
+ 2005-04-28 19:16:29 274,432 ----a-w C:\WINDOWS\system32\usmt\migism.dll
+ 2005-04-28 19:16:30 261,120 ------w C:\WINDOWS\system32\usmt\migisma.dll
- 2004-08-10 11:00:00 103,424 ----a-w C:\WINDOWS\system32\usmt\migload.exe
+ 2005-04-28 00:12:58 103,424 ----a-w C:\WINDOWS\system32\usmt\migload.exe
- 2004-08-10 11:00:00 240,128 ----a-w C:\WINDOWS\system32\usmt\migwiz.exe
+ 2005-04-28 00:12:57 245,248 ----a-w C:\WINDOWS\system32\usmt\migwiz.exe
+ 2005-04-28 00:12:57 241,152 ------w C:\WINDOWS\system32\usmt\migwiza.exe
- 2004-08-10 11:00:00 202,752 ----a-w C:\WINDOWS\system32\usmt\script.dll
+ 2005-04-28 19:16:29 215,552 ----a-w C:\WINDOWS\system32\usmt\script.dll
+ 2005-04-28 19:16:29 199,680 ------w C:\WINDOWS\system32\usmt\scripta.dll
- 2004-08-10 11:00:00 168,960 ----a-w C:\WINDOWS\system32\usmt\sysmod.dll
+ 2005-04-28 19:16:29 193,024 ----a-w C:\WINDOWS\system32\usmt\sysmod.dll
+ 2005-04-28 19:16:29 173,568 ------w C:\WINDOWS\system32\usmt\sysmoda.dll
+ 2007-02-05 22:36:06 111,104 ------w C:\WINDOWS\system32\xmlfilter.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 04:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 11:44 839680]
"ShowLOMControl"="1 (0x1)" []
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 15:18 995328]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 15:13 1101824]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-03-30 21:00 138008]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-03-30 21:00 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-03-30 20:59 138008]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 13:48 761947]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 11:22 405504]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2008-01-24 20:50 111952]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]
"ScriptSentry"="C:\Program Files\Script Sentry\ScriptSentry.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 03:18 437160]

C:\Documents and Settings\AMR\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 12:11:42 49152]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4940:UDP"= 4940:UDP:Windows Media Format SDK (iexplore.exe)
"4941:UDP"= 4941:UDP:Windows Media Format SDK (iexplore.exe)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7feb84c4-10ca-11dd-b414-001302487e2b}]
cbXopNff\Shell\AutoRun\command - E:\autorun.bat

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 19:52:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-29 23:43:04 C:\WINDOWS\Tasks\User_Feed_Synchronization-{3CF604DE-6C80-4C11-A6C4-483334CA3502}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 12:58:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
Completion time: 2008-05-02 12:59:40
ComboFix-quarantined-files.txt 2008-05-02 19:59:33
ComboFix2.txt 2008-04-24 04:21:43

Pre-Run: 57,910,398,976 bytes free
Post-Run: 57,906,298,880 bytes free

333 --- E O F --- 2008-04-30 00:00:27
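The "Files Created" section of the ComboFix log above is the part a helper reads first when deciding which leftovers to move or delete. The Python below is an added example of how to read that section mechanically; it is not ComboFix's code, not anything from this thread, and the two triage rules (a path under a temp directory, a name containing a long run of hex digits) are my own rough heuristics, not a detection standard. The sample lines are copied from the log posted above; the `Entry`, `parse_line`, `triage_reasons` and `triage` names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a handful of lines in the format of ComboFix's
# "Files Created" section, copied from the log posted in this thread.
SAMPLE_LINES = [
    r"2008-04-30 20:36 . 2008-04-30 20:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware",
    r"2008-04-23 21:12 . 2008-04-23 21:12 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG",
    r"2008-04-23 09:08 . 2008-04-23 09:08 <DIR> d-------- C:\WINDOWS\35C03C043F1F42C2A989A757EE691F65.TMP",
    r"2008-04-21 18:51 . 2008-04-23 18:53 109,795 --a------ C:\WINDOWS\BM67ec1ded.xml",
    r"2008-04-17 22:22 . 2008-04-17 22:22 <DIR> d-------- C:\Temp\berDrv11",
    r"2008-04-12 00:21 . 2008-04-12 00:21 96,577 --a------ C:\WINDOWS\hpqins16.dat",
    r"2008-04-22 17:20 . 2008-01-24 20:50 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys",
]

# One line = "<created> . <modified> <size or <DIR>> <attribute flags> <path>".
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) "
    r"(?P<attrs>[-a-z]{9}) "
    r"(?P<path>.+)$"
)

# A run of 8+ hex digits in a file name is a rough "random-looking name" signal
# (my heuristic, not something ComboFix itself reports).
HEX_RUN = re.compile(r"[0-9A-Fa-f]{8,}")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories
    attrs: str           # e.g. "d--------", "--a------", "--ah-----" (h = hidden)
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def is_hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one "Files Created" line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size_field = m.group("size")
    size = None if size_field == "<DIR>" else int(size_field.replace(",", ""))
    return Entry(m.group("created"), m.group("modified"), size,
                 m.group("attrs"), m.group("path"))


def triage_reasons(entry: Entry) -> List[str]:
    """Heuristic reasons an entry deserves a second look (my rules, not ComboFix's)."""
    reasons: List[str] = []
    # Only the parent directories count for the temp-dir rule, not the name itself.
    parent_parts = [p.lower() for p in entry.path.split("\\")[:-1]]
    if "temp" in parent_parts or "tmp" in parent_parts:
        reasons.append("lives under a temp directory")
    if HEX_RUN.search(entry.name):
        reasons.append("random-looking hex name")
    return reasons


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged path to the reasons it was flagged; unparseable lines are skipped."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage_reasons(entry)
        if reasons:
            flagged[entry.path] = reasons
    return flagged


if __name__ == "__main__":
    for path, why in triage(SAMPLE_LINES).items():
        print(f"{path}: {', '.join(why)}")
```

Run against the sample, the two rules pick out the hex-named `.TMP` directory and `BM67ec1ded.xml` in `C:\WINDOWS` and the `C:\Temp\berDrv11` folder, while leaving the Malwarebytes, HP and McAfee entries alone. The hidden-attribute flag is parsed but deliberately not used as a trigger: `ntuser.dat.LOG` is hidden and entirely normal, which is exactly why a script like this narrows the list for a human reviewer rather than deciding what gets removed.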
Junior Member with 11 posts.
Join Date: Apr 2008
Experience: Intermediate
02-May-2008, 04:08 PM #6
HT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:44 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ScriptSentry] C:\Program Files\Script Sentry\ScriptSentry.exe /check
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8933 bytes
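As an added example (not part of this thread or of HijackThis itself), a small Python parser for the O9/O23 line shape shown in the log above, with two defender-side triage flags; the sample lines are constructed after the posted log, and the "Unknown owner" entry under C:\WINDOWS\TEMP is a constructed one added only to exercise the flags.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample modelled on the O9/O23 lines in the posted log; the last
# line is a constructed entry (not from the log) that trips both triage flags.
SAMPLE_LOG = r"""
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Updater (updsvc) - Unknown owner - C:\WINDOWS\TEMP\updsvc.exe
"""

# <section> - <description> - <CLSID or publisher> - <drive-letter path>
ENTRY_RE = re.compile(r"^(O\d+) - (.+?) - (.+?) - ([A-Za-z]:\\.+)$")

@dataclass(frozen=True)
class Entry:
    section: str       # "O9" (IE extra buttons) or "O23" (NT services)
    description: str
    identity: str      # CLSID for O9 entries, publisher string for O23 entries
    path: str
    flags: tuple

def triage_flags(identity: str, path: str) -> tuple:
    """Cheap defender-side heuristics: runs from a temp folder, or has no publisher."""
    flags = []
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if any(p in ("temp", "tmp") for p in parts):
        flags.append("runs-from-temp")
    if identity == "Unknown owner":
        flags.append("no-publisher")
    return tuple(flags)

def parse_hjt(text: str) -> list:
    """Parse every O9/O23-shaped line; lines of any other shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            section, desc, ident, path = m.groups()
            entries.append(Entry(section, desc, ident, path, triage_flags(ident, path)))
    return entries

def suspicious(entries: list) -> list:
    return [e for e in entries if e.flags]
```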
cybertech
Moderator with 53,851 posts.
Join Date: Apr 2002
Location: Washington State
02-May-2008, 04:41 PM #7
Important!! Please delete your version of ComboFix. We may use ComboFix again but a bug has been found and I need you to not use that version anymore.
cybertech
Moderator with 53,851 posts.
Join Date: Apr 2002
Location: Washington State
02-May-2008, 04:45 PM #8
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINDOWS\35C03C043F1F42C2A989A757EE691F65.TMP
    C:\WINDOWS\BM67ec1ded.xml
    C:\Temp\berDrv11
    C:\WINDOWS\TEMP\mc21.tmp
  • Return to OTMoveIt2, right click in the "Paste Custom List Of Files/Patterns To Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.



Download (save and select your desktop to save it to) SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive and all other fixed drives.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
  • Click Close to exit the program.


Please perform a scan with Kaspersky Webscan Online Virus Scanner
  • Read the Requirements and Privacy statement, then select "Accept".
  • A new window will appear prompting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
  • Click "Yes" or select "Install" to download the ActiveX controls that allow ActiveScan to run.
  • When the download is complete it will say ready, click "Next".
  • Click "Scan Settings" and check the option to use the Extended Database (if available, otherwise Standard).
  • Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
  • Click "OK".
  • Under "Select a target to scan", click on "My Computer".
  • When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically or it will show 'Kaspersky Online Scanner license key was not found!'
__________________