
assistance please...thanks!!!!!!!

Discussion in 'Virus & Other Malware Removal' started by iSLANDgIRL117, Dec 11, 2008.

  1. iSLANDgIRL117

    iSLANDgIRL117 Thread Starter

    Having probs galore!! Have a look at the HJT log I just ran...help!!!! PLEASE!!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:16:47 AM, on 12/11/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\POL\POL.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\DOCUME~1\Natalie\LOCALS~1\Temp\IXP009.TMP\Setup_ver1.1595.0.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\ATKKBService.exe
    E:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe
    C:\WINDOWS\System32\NMSSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svcmon.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    e:\PROGRA~1\FREEDO~1\fdm.exe
    C:\Documents and Settings\Natalie\Desktop\HJT\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 64.60.153.170:80
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {A99E71FC-4039-4C22-AEA9-BB12F3EA14D9} - C:\WINDOWS\system32\yayaArqP.dll (file missing)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [POL Agent] e:\Program Files\POL\POL.exe
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Natalie\LOCALS~1\Temp\IXP009.TMP\"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Download all with Free Download Manager - file://e:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://e:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://e:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://e:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
    O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
    O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3A206D4F-5A6C-40A4-8823-E2083722CE2A}: NameServer = 24.29.103.15,24.29.103.16
    O20 - AppInit_DLLs: rrlhwm.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NetSvc - Unknown owner - C:\WINDOWS\system32\lshost.exe (file missing)
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - (no file)
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Microsoft Svc-Mon (SvcMon) - Unknown owner - C:\WINDOWS\System32\svcmon.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - E:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)
    --
    End of file - 10784 bytes
     
  2. iSLANDgIRL117

    iSLANDgIRL117 Thread Starter

    here is my scan report from Kaspersky that just completed...hope it helps...

    Thursday, December 11, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Thursday, December 11, 2008 07:37:34
    Records in database: 1451618
    Scan settings
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes
    Scan area: Critical Areas
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    C:\Documents and Settings\Natalie\Start Menu\Programs\Startup
    C:\Program Files
    C:\WINDOWS

    Scan statistics
    Files scanned: 42817
    Threat name: 4
    Infected objects: 6
    Suspicious objects: 0
    Duration of the scan: 00:55:30

    File name / Threat name / Threats count
    E:\Program Files\POL\POL.exe/E:\Program Files\POL\POL.exe - Infected: Trojan-Downloader.Win32.Zlob.abds - 1
    C:\DOCUME~1\Natalie\LOCALS~1\Temp\IXP009.TMP\Setup_ver1.1595.0.exe/C:\DOCUME~1\Natalie\LOCALS~1\Temp\IXP009.TMP\Setup_ver1.1595.0.exe - Infected: Trojan-Downloader.Win32.Zlob.wzf - 1
    SVCMON.EXE\svcmon.exe/SVCMON.EXE\svcmon.exe - Infected: not-a-virus:Server-FTP.Win32.Serv-U.4103 - 1
    C:\WINDOWS\System32\svcmon.exe//UPX/C:\WINDOWS\System32\svcmon.exe//UPX - Infected: not-a-virus:Server-FTP.Win32.Serv-U.4103 - 1
    C:\WINDOWS\system32\svcmon.exe - Infected: not-a-virus:Server-FTP.Win32.Serv-U.4103 - 1
    C:\WINDOWS\Downloaded Installations\{31F7F79D-9291-43E7-98DE-944A3EA27ECF}\Halloween Haunts.msi - Infected: not-a-virus:AdWare.Win32.MyWay.ac - 1

    The selected area was scanned.
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    First Name:
    Derek
    Download ComboFix from Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    --------------------------------------------------------------------
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results"
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again after ComboFix has finished
    --------------------------------------------------------------------
    2. Close any open browsers and any other programs you might have running
    Double click on combofix.exe & follow the prompts.
    If you are using Windows XP it might display a pop-up saying that "Recovery console is not installed, do you want to install?"
    Please select yes & let it download the files it needs to do this
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns
     
  4. iSLANDgIRL117

    iSLANDgIRL117 Thread Starter

    Derek, thanks so much for taking my case....

    as requested...

    combofix:

    ComboFix 08-12-11.03 - Natalie 2008-12-11 23:19:14.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.231 [GMT -5:00]
    Running from: c:\documents and settings\Natalie\Desktop\ComboFix\ComboFix.exe
    * Created a new restore point
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\Jeff\Application Data\YMBOLS~1
    c:\documents and settings\Jeff\Application Data\YMBOLS~1\?ymbols\
    c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\fbk.sts
    c:\program files\Common Files\{84DE3~1
    c:\program files\Common Files\fnts~1
    c:\program files\Common Files\fnts~1\FNTS~1
    c:\program files\Common Files\smbols~1
    c:\program files\INSTALL.LOG
    c:\windows\icroso~1
    c:\windows\IE4 Error Log.txt
    c:\windows\system32\MabryObj.dll
    c:\windows\system32\nthst32.dll
    c:\windows\system32ghynf.exe
    c:\windows\wiaserviv.log
    C:\xcrashdump.dat
    .
    ((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))
    .
    2008-12-10 09:18 . 2008-12-10 09:18 54,156 --ah----- c:\windows\QTFont.qfn
    2008-12-10 09:18 . 2008-12-10 09:18 1,409 --a------ c:\windows\QTFont.for
    2008-11-29 16:04 . 2008-11-29 16:04 <DIR> d-------- c:\documents and settings\Natalie\Application Data\FrostWire
    2008-11-29 16:03 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
    2008-11-29 16:02 . 2008-11-29 16:02 <DIR> d-------- c:\program files\Common Files\Java
    2008-11-29 09:05 . 2008-11-29 09:05 269,824 --a------ c:\windows\system32\wehripesi.dll
    2008-11-27 19:07 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
    2008-11-27 19:07 . 2006-09-28 16:05 2,414,360 --a------ c:\windows\system32\d3dx9_31.dll
    2008-11-22 20:28 . 2008-11-22 20:28 <DIR> d-------- c:\documents and settings\Natalie\Application Data\GlobalSCAPE
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-11 14:53 5,756 ----a-w c:\windows\system32\netmancfg.dll
    2008-11-07 20:16 3,035 ---ha-w C:\hpothb07.dat
    2008-11-07 20:16 1,845 ---ha-w c:\documents and settings\Natalie\hpothb07.dat
    2008-10-28 17:23 --------- d-----w c:\documents and settings\Natalie\Application Data\Malwarebytes
    2008-10-22 21:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2008-10-22 21:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2008-10-15 03:01 --------- d-----w c:\documents and settings\Jeff\Application Data\GlobalSCAPE
    2008-10-15 02:34 --------- d-----w c:\documents and settings\Jeff\Application Data\SmartFTP
    2007-05-21 15:08 630,784 ----a-w c:\documents and settings\Natalie\GoToAssist_chat2way__317_en.exe
    2007-02-26 13:41 15,979 ---ha-w c:\documents and settings\Jeff\hpothb07.dat
    2007-02-22 01:08 92,064 ----a-w c:\documents and settings\Jeff\mqdmmdm.sys
    2007-02-22 01:08 9,232 ----a-w c:\documents and settings\Jeff\mqdmmdfl.sys
    2007-02-22 01:08 79,328 ----a-w c:\documents and settings\Jeff\mqdmserd.sys
    2007-02-22 01:08 66,656 ----a-w c:\documents and settings\Jeff\mqdmbus.sys
    2007-02-22 01:08 6,208 ----a-w c:\documents and settings\Jeff\mqdmcmnt.sys
    2007-02-22 01:08 5,936 ----a-w c:\documents and settings\Jeff\mqdmwhnt.sys
    2007-02-22 01:08 4,048 ----a-w c:\documents and settings\Jeff\mqdmcr.sys
    2007-02-22 01:08 25,600 ----a-w c:\documents and settings\Jeff\usbsermptxp.sys
    2007-02-22 01:08 22,768 ----a-w c:\documents and settings\Jeff\usbsermpt.sys
    2006-08-02 14:36 11,749 ----a-w c:\program files\hijackthis.log
    2006-07-22 17:26 563,712 ----a-w c:\documents and settings\Natalie\gotomypc_370.exe
    2006-07-19 20:22 563,712 ----a-w c:\documents and settings\Natalie\370_gotomypc.exe
    2006-06-30 19:43 557,056 ----a-w c:\documents and settings\Natalie\chatlnk.exe
    2006-03-20 15:30 65,536 ----a-w c:\documents and settings\Jeff\hobjni.dll
    2006-03-20 15:30 49,152 ----a-w c:\documents and settings\Jeff\IDHWTSS1.dll
    2006-03-20 15:30 36,866 ----a-w c:\documents and settings\Jeff\PrtDLL.dll
    2005-02-16 16:06 218,112 ----a-w c:\program files\HijackThis.exe
    2005-10-14 02:27 422,400 --sha-r c:\windows\x2.64.exe
    2005-05-13 22:12 217,073 --sha-r c:\windows\meta4.exe
    2005-10-24 16:13 66,560 --sha-r c:\windows\MOTA113.exe
    2005-06-26 20:32 616,448 --sha-r c:\windows\system32\cygwin1.dll
    2005-06-22 03:37 45,568 --sha-r c:\windows\system32\cygz.dll
    2005-10-08 00:14 308,224 --sha-r c:\windows\system32\avisynth.dll
    2004-01-25 05:00 70,656 --sha-r c:\windows\system32\i420vfw.dll
    2004-01-25 05:00 70,656 --sha-r c:\windows\system32\yv12vfw.dll
    2005-02-28 18:16 240,128 --sha-r c:\windows\system32\x.264.exe
    2005-07-14 17:31 27,648 --sha-r c:\windows\system32\AVSredirect.dll
    2006-04-27 15:24 2,945,024 --sha-r c:\windows\system32\Smab.dll
    2008-07-08 02:11 8 --sh--r c:\windows\system32\52148B9D20.dll
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 90,112 2000-05-11 06:00:00 c:\windows\bak\UpdReg.EXE
    ----a-w 15,360 2004-08-04 08:56:48 c:\windows\system32\bak\ctfmon.exe
    ----a-w 15,360 2004-08-04 08:56:48 c:\windows\system32\ctfmon.exe
    ----a-w 185,896 2007-04-05 20:44:08 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
    ----a-w 69,632 2002-04-11 09:19:34 c:\program files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe
    ----a-w 28,672 2001-11-29 06:00:00 c:\program files\Creative\SBLive\Program\bak\ADGJDet.exe
    ----a-w 81,920 2003-09-02 16:50:20 c:\program files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe
    ----a-w 483,328 2006-01-13 01:52:32 c:\program files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe
    ----a-w 483,328 2006-01-13 01:52:32 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    ----a-w 257,088 2007-06-01 20:51:26 d:\program files\iTunes\bak\iTunesHelper.exe
    ----a-w 267,048 2008-02-19 17:10:32 d:\program files\iTunes\iTunesHelper.exe
    ----a-w 177 2008-03-02 15:27:13 e:\program files\A8GSdsApp\bak\GE.dat
    ----a-w 607 2008-02-05 04:02:12 e:\program files\A8GSdsApp\GE.dat
    ----a-w 282,624 2007-04-27 13:41:54 e:\program files\QuickTime\bak\qttask.exe
    ----a-w 385,024 2008-02-01 03:13:08 e:\program files\QuickTime\QTTask.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdReg"="c:\windows\UpdReg.EXE" [N/A]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
    "nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
    "NvMediaCenter"="NvMCTray.dll" [2006-10-22 c:\windows\system32\nvmctray.dll]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-04 c:\windows\system32\narrator.exe]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-27 323646]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=rrlhwm.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420"= i420vfw.dll
    "VIDC.I263"= i263_32.drv
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AdsGone 2003.lnk]
    backup=c:\windows\pss\AdsGone 2003.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
    backup=c:\windows\pss\Billminder.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
    backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
    backup=c:\windows\pss\Image Transfer.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
    backup=c:\windows\pss\officejet 6100.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Proventia Desktop Agent.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Proventia Desktop Agent.lnk
    backup=c:\windows\pss\Proventia Desktop Agent.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
    backup=c:\windows\pss\Quicken Startup.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^Jeff^Start Menu^Programs^Startup^AdsGone.lnk]
    backup=c:\windows\pss\AdsGone.lnkStartup
    [HKLM\~\startupfolder\C:^Documents and Settings^Jeff^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
    backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup
    [HKLM\~\startupfolder\C:^Documents and Settings^Nick^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
    backup=c:\windows\pss\PowerReg Scheduler.exeStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sscn]
    c:\program files\Common Files\?ymbols\t?skmgr.exe [?]
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A8GSdsApp]
    e:\program files\A8GSdsApp\AGSeiApp.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    --a------ 2006-01-12 20:52 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    --a------ 2004-02-04 15:29 61440 c:\program files\AIM95\aim.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    c:\program files\AIM6\aim6.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bcst]
    c:\docume~1\Jeff\APPLIC~1\YMBOLS~1\alg.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneDVDElbyDelay]
    --a------ 2002-11-02 01:33 45056 e:\program files\Elaborate Bytes\CloneDVD\ElbyCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 03:56 15360 c:\windows\system32\ctfmon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
    --a------ 2003-10-02 02:20 81920 e:\program files\D-Tools\daemon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DisplayTrayIcon]
    -ra------ 2001-10-17 08:27 147456 c:\windows\system32\TrayIcon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
    --a------ 2003-05-19 22:09 172075 e:\progra~1\INCRED~1\bin\IncMail.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-02-19 12:10 267048 d:\program files\iTunes\iTunesHelper.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
    c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
    c:\windows\kdx\KHost.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    c:\program files\MSN Messenger\msnmsgr.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    --a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2006-10-22 12:22 7700480 c:\windows\system32\nvcpl.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    --a------ 2006-10-22 12:22 86016 c:\windows\system32\nvmctray.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2007-08-06 19:05 200704 e:\program files\PowerISO\PWRISOVM.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QAGENT]
    --a------ 1999-08-10 13:51 98304 c:\program files\Intuit\QAgent\qagent.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-01-31 22:13 385024 e:\program files\QuickTime\QTTask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    --a------ 2007-08-16 08:56 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenShot2Print]
    --a------ 2007-03-30 11:33 579584 d:\program files\ScreenShot2Print\ScreenShot2Print.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SideWinderTrayV4]
    d:\progra~1\MICROS~3\GAMECO~1\common\swtrayv4.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
    c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\The Assistant]
    --a------ 2007-04-16 10:18 99840 c:\program files\a la mode\Sched\eSched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    --a------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    c:\progra~1\SYMANT~2\VPTray.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
    e:\program files\mobile PhoneTools\WatchDog.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    --a------ 2008-08-03 18:02 36352 e:\program files\Winamp\winampa.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    c:\program files\Yahoo!\Messenger\ypager.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
    --a------ 2002-10-15 18:00 1818624 c:\windows\mixer.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2006-10-22 12:22 1622016 c:\windows\system32\nwiz.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
    --a------ 2002-07-02 17:56 24576 c:\windows\system32\CTHELPER.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "BlackICE"=2 (0x2)
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "e:\\Program Files\\AIM95\\aim.exe"=
    "e:\\Program Files\\LimeWire\\LimeWire 4.0.8 Pro\\LimeWire.exe"=
    "e:\\Program Files\\BitTornado\\btdownloadgui.exe"=
    "d:\\program files\\iTunes\\iTunes.exe"=
    R0 pnpshark;pnpshark;c:\windows\system32\DRIVERS\pnpshark.sys [2003-10-02 119552]
    R0 sojubus;sojubus;c:\windows\system32\DRIVERS\sojubus.sys [2003-10-05 123520]
    R0 sojuscsi;sojuscsi;c:\windows\system32\DRIVERS\sojuscsi.sys [2003-09-28 5504]
    R0 st3shark;st3shark;c:\windows\system32\DRIVERS\st3shark.sys [2003-09-27 5504]
    R2 mrtRate;mrtRate;c:\windows\system32\drivers\mrtRate.sys [2003-02-19 34916]
    R2 MSSQL$ALAMODE;MSSQL$ALAMODE;"c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe" -sALAMODE [2005-05-04 9150464]
    R2 SvcMon;Microsoft Svc-Mon;c:\windows\System32\svcmon.exe [2003-12-11 593408]
    S0 MFX;MFX; []
    S0 XMS1563K;XMS1563K;c:\windows\system32\drivers\XMS1563K.sys [2003-03-06 20780]
    S1 ensqio;ensqio;c:\windows\system32\DRIVERS\ensqio.sys []
    S1 es137140;SB AudioPCI 64V;c:\windows\system32\DRIVERS\es137140.sys []
    S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2003-02-27 113952]
    S2 VPatch;ISS Buffer Overflow Exploit Prevention; []
    S3 Atmtaseuhiad;Atmtaseuhiad; []
    S3 MakoNT;MakoNT;c:\windows\system32\drivers\MakoNT.sys [2006-10-30 76913]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2006-10-17 35072]
    S3 pohci13F;pohci13F;\??\c:\docume~1\Jeff\LOCALS~1\Temp\pohci13F.sys []
    S3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [2006-10-30 46001]
    S3 SQLAgent$ALAMODE;SQLAgent$ALAMODE;"c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE" -i ALAMODE [2005-05-03 323584]
    S4 black;black;c:\windows\system32\drivers\BlackCat.sys [2006-10-30 234155]
    S4 BlackICE;BlackICE; []
    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder
    2004-02-05 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1075949792.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 01:46]
    2008-12-11 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2004-08-04 03:56]
    .
    - - - - ORPHANS REMOVED - - - -
    BHO-{A99E71FC-4039-4C22-AEA9-BB12F3EA14D9} - c:\windows\system32\yayaArqP.dll
    Notify-NavLogon - (no file)
    Notify-WgaLogon - (no file)

    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyServer = 64.60.153.170:80
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
    IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Download all with Free Download Manager - file://e:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://e:\program files\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://e:\program files\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://e:\program files\Free Download Manager\dllink.htm
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: {{20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} -
    LSP: c:\program files\ISS\Proventia Desktop\IBE\ICELSP_8.0.675.0.dll
    LSP: xfire_lsp_10650.dll
    TCP: {3A206D4F-5A6C-40A4-8823-E2083722CE2A} = 24.29.103.15,24.29.103.16
    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    FF - ProfilePath - c:\documents and settings\Natalie\Application Data\Mozilla\Firefox\Profiles\4frluc7b.default\
    FF - prefs.js: browser.startup.homepage - www.yahoo.com
    FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
    FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npnul32.dll
    FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin.dll
    FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin2.dll
    FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin3.dll
    FF - plugin: e:\program files\Reader\browser\nppdf32.dll
    FF - plugin: e:\program files\Reader\Browser\nppdf32.dll
    FF - plugin: e:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
    FF - plugin: e:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
    FF - plugin: e:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
    .
    **************************************************************************
    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-11 23:21:17
    Windows 5.1.2600 Service Pack 2 FAT NTAPI
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2008-12-11 23:23:52
    ComboFix-quarantined-files.txt 2008-12-12 04:23:52
    Pre-Run: 1,589,854,208 bytes free
    Post-Run: 2,187,722,752 bytes free
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    356 --- E O F --- 2008-03-30 04:17:34
     
  5. iSLANDgIRL117

    iSLANDgIRL117 Thread Starter

    HijackThis log rerun just now:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:29:17 PM, on 12/11/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\POL\POL.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\ATKKBService.exe
    E:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe
    C:\WINDOWS\System32\NMSSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svcmon.exe
    C:\WINDOWS\System32\HPZipm12.exe
    E:\Program Files\AIM95\aim.exe
    C:\DOCUME~1\Natalie\LOCALS~1\Temp\IXP009.TMP\POL.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Natalie\Desktop\HJT\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 64.60.153.170:80
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Download all with Free Download Manager - file://e:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://e:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://e:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://e:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
    O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
    O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3A206D4F-5A6C-40A4-8823-E2083722CE2A}: NameServer = 24.29.103.15,24.29.103.16
    O20 - AppInit_DLLs: rrlhwm.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NetSvc - Unknown owner - C:\WINDOWS\system32\lshost.exe (file missing)
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - (no file)
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Microsoft Svc-Mon (SvcMon) - Unknown owner - C:\WINDOWS\System32\svcmon.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - E:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)
    --
    End of file - 10494 bytes


    hope this doesn't cause too much grief....for either of us!! ;)
     
  6. iSLANDgIRL117

    iSLANDgIRL117 Thread Starter

    I'm especially puzzled by these entries:

    PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - (no file)
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Microsoft Svc-Mon (SvcMon) - Unknown owner - C:\WINDOWS\System32\svcmon.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - E:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)
     
  7. iSLANDgIRL117

    iSLANDgIRL117 Thread Starter

    FYI....while using the Firefox browser, if I attempt to connect to a .pdf web page, it locks up the entire Firefox program and I need to "End Task" and start over....I noticed a lot of entries in the HJT log having to do with Adobe...
     
  8. iSLANDgIRL117

    iSLANDgIRL117 Thread Starter

    Here is the very latest HJT log from this morning's login...no POL.EXE in the processes

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:10:35 AM, on 12/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\ATKKBService.exe
    E:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe
    C:\WINDOWS\System32\NMSSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svcmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Natalie\Desktop\HJT\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 64.60.153.170:80
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Download all with Free Download Manager - file://e:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://e:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://e:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://e:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
    O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
    O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3A206D4F-5A6C-40A4-8823-E2083722CE2A}: NameServer = 24.29.103.15,24.29.103.16
    O20 - AppInit_DLLs: rrlhwm.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NetSvc - Unknown owner - C:\WINDOWS\system32\lshost.exe (file missing)
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - (no file)
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Microsoft Svc-Mon (SvcMon) - Unknown owner - C:\WINDOWS\System32\svcmon.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - E:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)
    --
    End of file - 10378 bytes
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,547
    First Name:
    Derek
    Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File Download" pop-up comes up press SAVE, choose Desktop in the list of locations in that window and press Save).

    Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further.

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Remember to reconnect to the net and enable any disabled antivirus etc. BEFORE reconnecting.

    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

    This will create a zip file inside C:\QooBox\ named something like [38][email protected]

    At the end it will pop up an alert and open your browser and ask you to send the zip file.

    Please follow those instructions. We need to see the zip file before we can carry on with the fix.

    If there is no pop-up alert or open browser, then

    please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.
    Just press New Topic, fill in the needed details and give a link to your post here. Then press the Browse button and navigate to and select the files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select it; when all the files are listed in the window, press Send to upload the files (do not post HJT logs there, as they will not get dealt with).

    Files to submit:
    the zip file inside C:\QooBox\ created by combofix named something like [38][email protected]

    I will explain the other entries a bit later when we have cleared up everything.


    Then:

    * Run the Kaspersky Online Scanner.

    After the updates have downloaded, click on the "Scan Settings" button.
    Select "Spyware, Adware, Dialers and other potentially dangerous programs" for the scan.
    Under "Please select a target to scan", click "My Computer".
    When the scan is finished, save the results from the scan!

    Note: Kavscan is a scanner only and won't fix anything, but it will normally find the most infected files, so its report gives us a good place to work from.
     


  10. iSLANDgIRL117

    iSLANDgIRL117 Thread Starter

    Joined:
    Dec 31, 1969
    Messages:
    19
    ComboFix 08-12-11.03 - Natalie 2008-12-13 0:38:25.2 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.262 [GMT -5:00]
    Running from: c:\documents and settings\Natalie\Desktop\ComboFix\ComboFix.exe
    Command switches used :: c:\documents and settings\Natalie\Desktop\CFScript.txt
    * Created a new restore point
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\windows\system32\netmancfg.dll
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    -------\Legacy_MFX
    -------\Legacy_POHCI13F
    -------\Service_Atmtaseuhiad
    -------\Service_MFX
    -------\Service_pohci13F

    ((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
    .
    2008-12-10 09:18 . 2008-12-10 09:18 54,156 --ah----- c:\windows\QTFont.qfn
    2008-12-10 09:18 . 2008-12-10 09:18 1,409 --a------ c:\windows\QTFont.for
    2008-11-29 16:04 . 2008-11-29 16:04 <DIR> d-------- c:\documents and settings\Natalie\Application Data\FrostWire
    2008-11-29 16:03 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
    2008-11-29 16:02 . 2008-11-29 16:02 <DIR> d-------- c:\program files\Common Files\Java
    2008-11-29 09:05 . 2008-11-29 09:05 269,824 --a------ c:\windows\system32\wehripesi.dll
    2008-11-27 19:07 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
    2008-11-27 19:07 . 2006-09-28 16:05 2,414,360 --a------ c:\windows\system32\d3dx9_31.dll
    2008-11-22 20:28 . 2008-11-22 20:28 <DIR> d-------- c:\documents and settings\Natalie\Application Data\GlobalSCAPE
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-07 20:16 3,035 ---ha-w C:\hpothb07.dat
    2008-11-07 20:16 1,845 ---ha-w c:\documents and settings\Natalie\hpothb07.dat
    2008-10-28 17:23 --------- d-----w c:\documents and settings\Natalie\Application Data\Malwarebytes
    2008-10-22 21:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2008-10-22 21:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2008-10-15 03:01 --------- d-----w c:\documents and settings\Jeff\Application Data\GlobalSCAPE
    2008-10-15 02:34 --------- d-----w c:\documents and settings\Jeff\Application Data\SmartFTP
    2007-05-21 15:08 630,784 ----a-w c:\documents and settings\Natalie\GoToAssist_chat2way__317_en.exe
    2007-02-26 13:41 15,979 ---ha-w c:\documents and settings\Jeff\hpothb07.dat
    2007-02-22 01:08 92,064 ----a-w c:\documents and settings\Jeff\mqdmmdm.sys
    2007-02-22 01:08 9,232 ----a-w c:\documents and settings\Jeff\mqdmmdfl.sys
    2007-02-22 01:08 79,328 ----a-w c:\documents and settings\Jeff\mqdmserd.sys
    2007-02-22 01:08 66,656 ----a-w c:\documents and settings\Jeff\mqdmbus.sys
    2007-02-22 01:08 6,208 ----a-w c:\documents and settings\Jeff\mqdmcmnt.sys
    2007-02-22 01:08 5,936 ----a-w c:\documents and settings\Jeff\mqdmwhnt.sys
    2007-02-22 01:08 4,048 ----a-w c:\documents and settings\Jeff\mqdmcr.sys
    2007-02-22 01:08 25,600 ----a-w c:\documents and settings\Jeff\usbsermptxp.sys
    2007-02-22 01:08 22,768 ----a-w c:\documents and settings\Jeff\usbsermpt.sys
    2006-08-02 14:36 11,749 ----a-w c:\program files\hijackthis.log
    2006-07-22 17:26 563,712 ----a-w c:\documents and settings\Natalie\gotomypc_370.exe
    2006-07-19 20:22 563,712 ----a-w c:\documents and settings\Natalie\370_gotomypc.exe
    2006-06-30 19:43 557,056 ----a-w c:\documents and settings\Natalie\chatlnk.exe
    2006-03-20 15:30 65,536 ----a-w c:\documents and settings\Jeff\hobjni.dll
    2006-03-20 15:30 49,152 ----a-w c:\documents and settings\Jeff\IDHWTSS1.dll
    2006-03-20 15:30 36,866 ----a-w c:\documents and settings\Jeff\PrtDLL.dll
    2005-02-16 16:06 218,112 ----a-w c:\program files\HijackThis.exe
    2005-10-14 02:27 422,400 --sha-r c:\windows\x2.64.exe
    2005-05-13 22:12 217,073 --sha-r c:\windows\meta4.exe
    2005-10-24 16:13 66,560 --sha-r c:\windows\MOTA113.exe
    2005-06-26 20:32 616,448 --sha-r c:\windows\system32\cygwin1.dll
    2005-06-22 03:37 45,568 --sha-r c:\windows\system32\cygz.dll
    2005-10-08 00:14 308,224 --sha-r c:\windows\system32\avisynth.dll
    2004-01-25 05:00 70,656 --sha-r c:\windows\system32\i420vfw.dll
    2004-01-25 05:00 70,656 --sha-r c:\windows\system32\yv12vfw.dll
    2005-02-28 18:16 240,128 --sha-r c:\windows\system32\x.264.exe
    2005-07-14 17:31 27,648 --sha-r c:\windows\system32\AVSredirect.dll
    2006-04-27 15:24 2,945,024 --sha-r c:\windows\system32\Smab.dll
    2008-07-08 02:11 8 --sh--r c:\windows\system32\52148B9D20.dll
    .
    ((((((((((((((((((((((((((((( [email protected]_23.21.35.07 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
    + 2008-12-13 05:44:36 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_678.dat
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 90,112 2000-05-11 06:00:00 c:\windows\bak\UpdReg.EXE
    ----a-w 15,360 2004-08-04 08:56:48 c:\windows\system32\bak\ctfmon.exe
    ----a-w 15,360 2004-08-04 08:56:48 c:\windows\system32\ctfmon.exe
    ----a-w 185,896 2007-04-05 20:44:08 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
    ----a-w 69,632 2002-04-11 09:19:34 c:\program files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe
    ----a-w 28,672 2001-11-29 06:00:00 c:\program files\Creative\SBLive\Program\bak\ADGJDet.exe
    ----a-w 81,920 2003-09-02 16:50:20 c:\program files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe
    ----a-w 483,328 2006-01-13 01:52:32 c:\program files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe
    ----a-w 483,328 2006-01-13 01:52:32 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    ----a-w 257,088 2007-06-01 20:51:26 d:\program files\iTunes\bak\iTunesHelper.exe
    ----a-w 267,048 2008-02-19 17:10:32 d:\program files\iTunes\iTunesHelper.exe
    ----a-w 177 2008-03-02 15:27:13 e:\program files\A8GSdsApp\bak\GE.dat
    ----a-w 607 2008-02-05 04:02:12 e:\program files\A8GSdsApp\GE.dat
    ----a-w 282,624 2007-04-27 13:41:54 e:\program files\QuickTime\bak\qttask.exe
    ----a-w 385,024 2008-02-01 03:13:08 e:\program files\QuickTime\QTTask.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdReg"="c:\windows\UpdReg.EXE" [N/A]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
    "nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
    "NvMediaCenter"="NvMCTray.dll" [2006-10-22 c:\windows\system32\nvmctray.dll]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-04 c:\windows\system32\narrator.exe]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-27 323646]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420"= i420vfw.dll
    "VIDC.I263"= i263_32.drv
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AdsGone 2003.lnk]
    backup=c:\windows\pss\AdsGone 2003.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
    backup=c:\windows\pss\Billminder.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
    backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
    backup=c:\windows\pss\Image Transfer.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
    backup=c:\windows\pss\officejet 6100.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Proventia Desktop Agent.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Proventia Desktop Agent.lnk
    backup=c:\windows\pss\Proventia Desktop Agent.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
    backup=c:\windows\pss\Quicken Startup.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^Jeff^Start Menu^Programs^Startup^AdsGone.lnk]
    backup=c:\windows\pss\AdsGone.lnkStartup
    [HKLM\~\startupfolder\C:^Documents and Settings^Jeff^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
    backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup
    [HKLM\~\startupfolder\C:^Documents and Settings^Nick^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
    backup=c:\windows\pss\PowerReg Scheduler.exeStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A8GSdsApp]
    e:\program files\A8GSdsApp\AGSeiApp.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    --a------ 2006-01-12 20:52 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    --a------ 2004-02-04 15:29 61440 c:\program files\AIM95\aim.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    c:\program files\AIM6\aim6.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneDVDElbyDelay]
    --a------ 2002-11-02 01:33 45056 e:\program files\Elaborate Bytes\CloneDVD\ElbyCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 03:56 15360 c:\windows\system32\ctfmon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
    --a------ 2003-10-02 02:20 81920 e:\program files\D-Tools\daemon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DisplayTrayIcon]
    -ra------ 2001-10-17 08:27 147456 c:\windows\system32\TrayIcon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
    --a------ 2003-05-19 22:09 172075 e:\progra~1\INCRED~1\bin\IncMail.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-02-19 12:10 267048 d:\program files\iTunes\iTunesHelper.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
    c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
    c:\windows\kdx\KHost.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    c:\program files\MSN Messenger\msnmsgr.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    --a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2006-10-22 12:22 7700480 c:\windows\system32\nvcpl.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    --a------ 2006-10-22 12:22 86016 c:\windows\system32\nvmctray.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2007-08-06 19:05 200704 e:\program files\PowerISO\PWRISOVM.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QAGENT]
    --a------ 1999-08-10 13:51 98304 c:\program files\Intuit\QAgent\qagent.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-01-31 22:13 385024 e:\program files\QuickTime\QTTask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    --a------ 2007-08-16 08:56 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenShot2Print]
    --a------ 2007-03-30 11:33 579584 d:\program files\ScreenShot2Print\ScreenShot2Print.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SideWinderTrayV4]
    d:\progra~1\MICROS~3\GAMECO~1\common\swtrayv4.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
    c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\The Assistant]
    --a------ 2007-04-16 10:18 99840 c:\program files\a la mode\Sched\eSched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    --a------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    c:\progra~1\SYMANT~2\VPTray.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
    e:\program files\mobile PhoneTools\WatchDog.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    --a------ 2008-08-03 18:02 36352 e:\program files\Winamp\winampa.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    c:\program files\Yahoo!\Messenger\ypager.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
    --a------ 2002-10-15 18:00 1818624 c:\windows\mixer.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2006-10-22 12:22 1622016 c:\windows\system32\nwiz.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
    --a------ 2002-07-02 17:56 24576 c:\windows\system32\CTHELPER.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "BlackICE"=2 (0x2)
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "e:\\Program Files\\AIM95\\aim.exe"=
    "e:\\Program Files\\LimeWire\\LimeWire 4.0.8 Pro\\LimeWire.exe"=
    "e:\\Program Files\\BitTornado\\btdownloadgui.exe"=
    "d:\\program files\\iTunes\\iTunes.exe"=
    R0 pnpshark;pnpshark;c:\windows\system32\DRIVERS\pnpshark.sys [2003-10-02 119552]
    R0 sojubus;sojubus;c:\windows\system32\DRIVERS\sojubus.sys [2003-10-05 123520]
    R0 sojuscsi;sojuscsi;c:\windows\system32\DRIVERS\sojuscsi.sys [2003-09-28 5504]
    R0 st3shark;st3shark;c:\windows\system32\DRIVERS\st3shark.sys [2003-09-27 5504]
    R0 XMS1563K;XMS1563K;c:\windows\system32\drivers\XMS1563K.sys [2003-03-06 20780]
    R2 mrtRate;mrtRate;c:\windows\system32\drivers\mrtRate.sys [2003-02-19 34916]
    R2 MSSQL$ALAMODE;MSSQL$ALAMODE;"c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe" -sALAMODE [2005-05-04 9150464]
    R2 SvcMon;Microsoft Svc-Mon;c:\windows\System32\svcmon.exe [2003-12-11 593408]
    S1 ensqio;ensqio;c:\windows\system32\DRIVERS\ensqio.sys []
    S1 es137140;SB AudioPCI 64V;c:\windows\system32\DRIVERS\es137140.sys []
    S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2003-02-27 113952]
    S2 VPatch;ISS Buffer Overflow Exploit Prevention; []
    S3 MakoNT;MakoNT;c:\windows\system32\drivers\MakoNT.sys [2006-10-30 76913]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2006-10-17 35072]
    S3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [2006-10-30 46001]
    S3 SQLAgent$ALAMODE;SQLAgent$ALAMODE;"c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE" -i ALAMODE [2005-05-03 323584]
    S4 black;black;c:\windows\system32\drivers\BlackCat.sys [2006-10-30 234155]
    S4 BlackICE;BlackICE; []
    *Newly Created Service* - XMS1563K
    .
    Contents of the 'Scheduled Tasks' folder
    2004-02-05 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1075949792.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 01:46]
    2008-12-12 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2004-08-04 03:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyServer = 64.60.153.170:80
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
    IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Download all with Free Download Manager - file://e:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://e:\program files\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://e:\program files\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://e:\program files\Free Download Manager\dllink.htm
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: {{20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} -
    LSP: c:\program files\ISS\Proventia Desktop\IBE\ICELSP_8.0.675.0.dll
    LSP: xfire_lsp_10650.dll
    TCP: {3A206D4F-5A6C-40A4-8823-E2083722CE2A} = 24.29.103.15,24.29.103.16
    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    FF - ProfilePath - c:\documents and settings\Natalie\Application Data\Mozilla\Firefox\Profiles\4frluc7b.default\
    FF - prefs.js: browser.startup.homepage - www.yahoo.com
    FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
    FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npnul32.dll
    FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin.dll
    FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin2.dll
    FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin3.dll
    FF - plugin: e:\program files\Reader\browser\nppdf32.dll
    FF - plugin: e:\program files\Reader\Browser\nppdf32.dll
    FF - plugin: e:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
    FF - plugin: e:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
    FF - plugin: e:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
    .
    **************************************************************************
    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-13 00:54:09
    Windows 5.1.2600 Service Pack 2 FAT NTAPI
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    e:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
    c:\windows\ATKKBSERVICE.EXE
    e:\program files\AVG Anti-Spyware 7.5\guard.exe
    c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    c:\windows\SYSTEM32\NVSVC32.EXE
    c:\windows\SYSTEM32\PNKBSTRA.EXE
    c:\windows\system32\wscntfy.exe
    c:\program files\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
    c:\program files\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
    c:\windows\SYSTEM32\HPZIPM12.EXE
    .
    **************************************************************************
    .
    Completion time: 2008-12-13 0:57:42 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-12-13 05:57:40
    ComboFix2.txt 2008-12-12 04:23:56
    Pre-Run: 1,889,550,336 bytes free
    Post-Run: 1,904,754,688 bytes free
    345 --- E O F --- 2008-03-30 04:17:34
     
  11. iSLANDgIRL117

    iSLANDgIRL117 Thread Starter

    Joined:
    Dec 31, 1969
    Messages:
    19
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:02:42 AM, on 12/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\ATKKBService.exe
    E:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svcmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Natalie\Desktop\HJT\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 64.60.153.170:80
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Download all with Free Download Manager - file://e:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://e:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://e:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://e:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
    O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
    O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
    O10 - Unknown file in Winsock LSP: c:\program files\iss\proventia desktop\ibe\icelsp_8.0.675.0.dll
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3A206D4F-5A6C-40A4-8823-E2083722CE2A}: NameServer = 24.29.103.15,24.29.103.16
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NetSvc - Unknown owner - C:\WINDOWS\system32\lshost.exe (file missing)
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - (no file)
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Microsoft Svc-Mon (SvcMon) - Unknown owner - C:\WINDOWS\System32\svcmon.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - E:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)
    --
    End of file - 10313 bytes
     
  12. iSLANDgIRL117

    iSLANDgIRL117 Thread Starter

    Joined:
    Dec 31, 1969
    Messages:
    19
    This went smoothly... it submitted the .zip file for your examination.
     
  13. iSLANDgIRL117

    iSLANDgIRL117 Thread Starter

    Joined:
    Dec 31, 1969
    Messages:
    19
    Will do Kaspersky in the AM...
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,547
    First Name:
    Derek
    Next

    Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up comes up, press SAVE, choose Desktop in the list of selections in that window and press Save).

    Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further.

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]

    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Remember to reconnect to the net and to enable any disabled antivirus etc. BEFORE reconnecting.

    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

    This will create a zip file inside C:\QooBox\ named something like [38][email protected]

    At the end it will pop up an alert, open your browser and ask you to send the zip file.

    Please follow those instructions. We need to see the zip file before we can carry on with the fix.

    If there is no pop-up alert or open browser, then

    please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.
    Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than 1 file, press the More Attachments button for each extra file and browse and select as before; when all the files are listed in the window, press Send to upload the files (do not post HJT logs there as they will not get dealt with).

    Files to submit:
    the zip file inside C:\QooBox\ created by combofix named something like [38][email protected]

    Then

    Download FindAWF by Noahdfear.

    Save it to your desktop and double-click it to run it. Select option 1 (scan only) and post back the log it makes.
     

  15. iSLANDgIRL117

    iSLANDgIRL117 Thread Starter

    Joined:
    Dec 31, 1969
    Messages:
    19
    ComboFix 08-12-11.03 - Natalie 2008-12-13 17:40:15.3 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.226 [GMT -5:00]
    Running from: c:\documents and settings\Natalie\Desktop\ComboFix\ComboFix.exe
    Command switches used :: c:\documents and settings\Natalie\Desktop\CFScript.txt
    * Created a new restore point
    FILE ::
    c:\windows\System32\svcmon.exe
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\windows\system32\netmancfg.dll
    c:\windows\system32\prchelper.dll
    c:\windows\System32\svcmon.exe
    c:\windows\system32\wehripesi.dll
    e:\program files\A8GSdsApp
    e:\program files\A8GSdsApp\bak\GE.dat
    e:\program files\A8GSdsApp\BMPToJPG.dll
    e:\program files\A8GSdsApp\GE.dat
    e:\program files\A8GSdsApp\Golden Eye.lnk
    e:\program files\A8GSdsApp\Help.lnk
    e:\program files\A8GSdsApp\help\Help.chm
    e:\program files\A8GSdsApp\KBHOOK.DLL
    e:\program files\A8GSdsApp\License.txt
    e:\program files\A8GSdsApp\MSCOMCTL.OCX
    e:\program files\A8GSdsApp\OLEAUT32.DLL
    e:\program files\A8GSdsApp\PICCLP32.OCX
    e:\program files\A8GSdsApp\report\aim32.gif
    e:\program files\A8GSdsApp\report\app.gif
    e:\program files\A8GSdsApp\report\bullet.gif
    e:\program files\A8GSdsApp\report\Clipboard.gif
    e:\program files\A8GSdsApp\report\computer.gif
    e:\program files\A8GSdsApp\report\ExeFilePath.gif
    e:\program files\A8GSdsApp\report\eye3.jpg
    e:\program files\A8GSdsApp\report\FileFolder.gif
    e:\program files\A8GSdsApp\report\icq32.gif
    e:\program files\A8GSdsApp\report\ie.gif
    e:\program files\A8GSdsApp\report\keyboard.gif
    e:\program files\A8GSdsApp\report\Msm32.gif
    e:\program files\A8GSdsApp\report\rule.gif
    e:\program files\A8GSdsApp\report\rule2.gif
    e:\program files\A8GSdsApp\report\screenshot.gif
    e:\program files\A8GSdsApp\report\yahoo32.gif
    e:\program files\A8GSdsApp\TabCtl32.ocx
    e:\program files\A8GSdsApp\unins000.dat
    e:\program files\A8GSdsApp\unins000.exe
    e:\program files\A8GSdsApp\Uninstall.lnk
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    -------\Legacy_BLACKICE
    -------\Legacy_SVCMON
    -------\Service_BlackICE
    -------\Service_SvcMon

    ((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
    .
    2008-12-10 09:18 . 2008-12-10 09:18 54,156 --ah----- c:\windows\QTFont.qfn
    2008-12-10 09:18 . 2008-12-10 09:18 1,409 --a------ c:\windows\QTFont.for
    2008-11-29 16:04 . 2008-11-29 16:04 <DIR> d-------- c:\documents and settings\Natalie\Application Data\FrostWire
    2008-11-29 16:03 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
    2008-11-29 16:02 . 2008-11-29 16:02 <DIR> d-------- c:\program files\Common Files\Java
    2008-11-27 19:07 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
    2008-11-27 19:07 . 2006-09-28 16:05 2,414,360 --a------ c:\windows\system32\d3dx9_31.dll
    2008-11-22 20:28 . 2008-11-22 20:28 <DIR> d-------- c:\documents and settings\Natalie\Application Data\GlobalSCAPE
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-07 20:16 3,035 ---ha-w C:\hpothb07.dat
    2008-11-07 20:16 1,845 ---ha-w c:\documents and settings\Natalie\hpothb07.dat
    2008-10-28 17:23 --------- d-----w c:\documents and settings\Natalie\Application Data\Malwarebytes
    2008-10-22 21:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2008-10-22 21:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2008-10-15 03:01 --------- d-----w c:\documents and settings\Jeff\Application Data\GlobalSCAPE
    2008-10-15 02:34 --------- d-----w c:\documents and settings\Jeff\Application Data\SmartFTP
    2007-05-21 15:08 630,784 ----a-w c:\documents and settings\Natalie\GoToAssist_chat2way__317_en.exe
    2007-02-26 13:41 15,979 ---ha-w c:\documents and settings\Jeff\hpothb07.dat
    2007-02-22 01:08 92,064 ----a-w c:\documents and settings\Jeff\mqdmmdm.sys
    2007-02-22 01:08 9,232 ----a-w c:\documents and settings\Jeff\mqdmmdfl.sys
    2007-02-22 01:08 79,328 ----a-w c:\documents and settings\Jeff\mqdmserd.sys
    2007-02-22 01:08 66,656 ----a-w c:\documents and settings\Jeff\mqdmbus.sys
    2007-02-22 01:08 6,208 ----a-w c:\documents and settings\Jeff\mqdmcmnt.sys
    2007-02-22 01:08 5,936 ----a-w c:\documents and settings\Jeff\mqdmwhnt.sys
    2007-02-22 01:08 4,048 ----a-w c:\documents and settings\Jeff\mqdmcr.sys
    2007-02-22 01:08 25,600 ----a-w c:\documents and settings\Jeff\usbsermptxp.sys
    2007-02-22 01:08 22,768 ----a-w c:\documents and settings\Jeff\usbsermpt.sys
    2006-08-02 14:36 11,749 ----a-w c:\program files\hijackthis.log
    2006-07-22 17:26 563,712 ----a-w c:\documents and settings\Natalie\gotomypc_370.exe
    2006-07-19 20:22 563,712 ----a-w c:\documents and settings\Natalie\370_gotomypc.exe
    2006-06-30 19:43 557,056 ----a-w c:\documents and settings\Natalie\chatlnk.exe
    2006-03-20 15:30 65,536 ----a-w c:\documents and settings\Jeff\hobjni.dll
    2006-03-20 15:30 49,152 ----a-w c:\documents and settings\Jeff\IDHWTSS1.dll
    2006-03-20 15:30 36,866 ----a-w c:\documents and settings\Jeff\PrtDLL.dll
    2005-02-16 16:06 218,112 ----a-w c:\program files\HijackThis.exe
    2005-10-14 02:27 422,400 --sha-r c:\windows\x2.64.exe
    2005-05-13 22:12 217,073 --sha-r c:\windows\meta4.exe
    2005-10-24 16:13 66,560 --sha-r c:\windows\MOTA113.exe
    2005-06-26 20:32 616,448 --sha-r c:\windows\system32\cygwin1.dll
    2005-06-22 03:37 45,568 --sha-r c:\windows\system32\cygz.dll
    2005-10-08 00:14 308,224 --sha-r c:\windows\system32\avisynth.dll
    2004-01-25 05:00 70,656 --sha-r c:\windows\system32\i420vfw.dll
    2004-01-25 05:00 70,656 --sha-r c:\windows\system32\yv12vfw.dll
    2005-02-28 18:16 240,128 --sha-r c:\windows\system32\x.264.exe
    2005-07-14 17:31 27,648 --sha-r c:\windows\system32\AVSredirect.dll
    2006-04-27 15:24 2,945,024 --sha-r c:\windows\system32\Smab.dll
    2008-07-08 02:11 8 --sh--r c:\windows\system32\52148B9D20.dll
    .
    ((((((((((((((((((((((((((((( [email protected]_23.21.35.07 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
    + 2008-12-13 22:46:04 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_6a0.dat
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 90,112 2000-05-11 06:00:00 c:\windows\bak\UpdReg.EXE
    ----a-w 15,360 2004-08-04 08:56:48 c:\windows\system32\bak\ctfmon.exe
    ----a-w 15,360 2004-08-04 08:56:48 c:\windows\system32\ctfmon.exe
    ----a-w 185,896 2007-04-05 20:44:08 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
    ----a-w 69,632 2002-04-11 09:19:34 c:\program files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe
    ----a-w 28,672 2001-11-29 06:00:00 c:\program files\Creative\SBLive\Program\bak\ADGJDet.exe
    ----a-w 81,920 2003-09-02 16:50:20 c:\program files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe
    ----a-w 483,328 2006-01-13 01:52:32 c:\program files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe
    ----a-w 483,328 2006-01-13 01:52:32 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    ----a-w 257,088 2007-06-01 20:51:26 d:\program files\iTunes\bak\iTunesHelper.exe
    ----a-w 267,048 2008-02-19 17:10:32 d:\program files\iTunes\iTunesHelper.exe
    ----a-w 282,624 2007-04-27 13:41:54 e:\program files\QuickTime\bak\qttask.exe
    ----a-w 385,024 2008-02-01 03:13:08 e:\program files\QuickTime\QTTask.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdReg"="c:\windows\UpdReg.EXE" [N/A]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
    "nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
    "NvMediaCenter"="NvMCTray.dll" [2006-10-22 c:\windows\system32\nvmctray.dll]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-04 c:\windows\system32\narrator.exe]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-27 323646]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420"= i420vfw.dll
    "VIDC.I263"= i263_32.drv
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AdsGone 2003.lnk]
    backup=c:\windows\pss\AdsGone 2003.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
    backup=c:\windows\pss\Billminder.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
    backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
    backup=c:\windows\pss\Image Transfer.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
    backup=c:\windows\pss\officejet 6100.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Proventia Desktop Agent.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Proventia Desktop Agent.lnk
    backup=c:\windows\pss\Proventia Desktop Agent.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
    backup=c:\windows\pss\Quicken Startup.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^Jeff^Start Menu^Programs^Startup^AdsGone.lnk]
    backup=c:\windows\pss\AdsGone.lnkStartup
    [HKLM\~\startupfolder\C:^Documents and Settings^Jeff^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
    backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup
    [HKLM\~\startupfolder\C:^Documents and Settings^Nick^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
    backup=c:\windows\pss\PowerReg Scheduler.exeStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    --a------ 2006-01-12 20:52 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    --a------ 2004-02-04 15:29 61440 c:\program files\AIM95\aim.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    c:\program files\AIM6\aim6.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneDVDElbyDelay]
    --a------ 2002-11-02 01:33 45056 e:\program files\Elaborate Bytes\CloneDVD\ElbyCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 03:56 15360 c:\windows\system32\ctfmon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
    --a------ 2003-10-02 02:20 81920 e:\program files\D-Tools\daemon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DisplayTrayIcon]
    -ra------ 2001-10-17 08:27 147456 c:\windows\system32\TrayIcon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
    --a------ 2003-05-19 22:09 172075 e:\progra~1\INCRED~1\bin\IncMail.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-02-19 12:10 267048 d:\program files\iTunes\iTunesHelper.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
    c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
    c:\windows\kdx\KHost.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    c:\program files\MSN Messenger\msnmsgr.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    --a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2006-10-22 12:22 7700480 c:\windows\system32\nvcpl.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    --a------ 2006-10-22 12:22 86016 c:\windows\system32\nvmctray.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2007-08-06 19:05 200704 e:\program files\PowerISO\PWRISOVM.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QAGENT]
    --a------ 1999-08-10 13:51 98304 c:\program files\Intuit\QAgent\qagent.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-01-31 22:13 385024 e:\program files\QuickTime\QTTask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    --a------ 2007-08-16 08:56 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScreenShot2Print]
    --a------ 2007-03-30 11:33 579584 d:\program files\ScreenShot2Print\ScreenShot2Print.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SideWinderTrayV4]
    d:\progra~1\MICROS~3\GAMECO~1\common\swtrayv4.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
    c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\The Assistant]
    --a------ 2007-04-16 10:18 99840 c:\program files\a la mode\Sched\eSched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    --a------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    c:\progra~1\SYMANT~2\VPTray.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
    e:\program files\mobile PhoneTools\WatchDog.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    --a------ 2008-08-03 18:02 36352 e:\program files\Winamp\winampa.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    c:\program files\Yahoo!\Messenger\ypager.exe [N/A]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
    --a------ 2002-10-15 18:00 1818624 c:\windows\mixer.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2006-10-22 12:22 1622016 c:\windows\system32\nwiz.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
    --a------ 2002-07-02 17:56 24576 c:\windows\system32\CTHELPER.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "BlackICE"=2 (0x2)
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "e:\\Program Files\\AIM95\\aim.exe"=
    "e:\\Program Files\\LimeWire\\LimeWire 4.0.8 Pro\\LimeWire.exe"=
    "e:\\Program Files\\BitTornado\\btdownloadgui.exe"=
    "d:\\program files\\iTunes\\iTunes.exe"=
    R0 pnpshark;pnpshark;c:\windows\system32\DRIVERS\pnpshark.sys [2003-10-02 119552]
    R0 sojubus;sojubus;c:\windows\system32\DRIVERS\sojubus.sys [2003-10-05 123520]
    R0 sojuscsi;sojuscsi;c:\windows\system32\DRIVERS\sojuscsi.sys [2003-09-28 5504]
    R0 st3shark;st3shark;c:\windows\system32\DRIVERS\st3shark.sys [2003-09-27 5504]
    R0 XMS1563K;XMS1563K;c:\windows\system32\drivers\XMS1563K.sys [2003-03-06 20780]
    R2 mrtRate;mrtRate;c:\windows\system32\drivers\mrtRate.sys [2003-02-19 34916]
    R2 MSSQL$ALAMODE;MSSQL$ALAMODE;"c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe" -sALAMODE [2005-05-04 9150464]
    S1 ensqio;ensqio;c:\windows\system32\DRIVERS\ensqio.sys []
    S1 es137140;SB AudioPCI 64V;c:\windows\system32\DRIVERS\es137140.sys []
    S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2003-02-27 113952]
    S2 VPatch;ISS Buffer Overflow Exploit Prevention; []
    S3 MakoNT;MakoNT;c:\windows\system32\drivers\MakoNT.sys [2006-10-30 76913]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2006-10-17 35072]
    S3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [2006-10-30 46001]
    S3 SQLAgent$ALAMODE;SQLAgent$ALAMODE;"c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE" -i ALAMODE [2005-05-03 323584]
    S4 black;black;c:\windows\system32\drivers\BlackCat.sys [2006-10-30 234155]
    .
    Contents of the 'Scheduled Tasks' folder
    2004-02-05 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1075949792.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 01:46]
    2008-12-13 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2004-08-04 03:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyServer = 64.60.153.170:80
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
    IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Download all with Free Download Manager - file://e:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://e:\program files\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://e:\program files\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://e:\program files\Free Download Manager\dllink.htm
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
    IE: {{20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} -
    LSP: c:\program files\ISS\Proventia Desktop\IBE\ICELSP_8.0.675.0.dll
    LSP: xfire_lsp_10650.dll
    TCP: {3A206D4F-5A6C-40A4-8823-E2083722CE2A} = 24.29.103.15,24.29.103.16
    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    FF - ProfilePath - c:\documents and settings\Natalie\Application Data\Mozilla\Firefox\Profiles\4frluc7b.default\
    FF - prefs.js: browser.startup.homepage - www.yahoo.com
    FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
    FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npnul32.dll
    FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin.dll
    FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin2.dll
    FF - plugin: e:\program files\QuickTime\Plugins\npqtplugin3.dll
    FF - plugin: e:\program files\Reader\browser\nppdf32.dll
    FF - plugin: e:\program files\Reader\Browser\nppdf32.dll
    FF - plugin: e:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
    FF - plugin: e:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
    FF - plugin: e:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
    .
    **************************************************************************
    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-13 17:46:52
    Windows 5.1.2600 Service Pack 2 FAT NTAPI
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    e:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
    c:\windows\ATKKBSERVICE.EXE
    e:\program files\AVG Anti-Spyware 7.5\guard.exe
    c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    c:\windows\SYSTEM32\NMSSVC.EXE
    c:\windows\SYSTEM32\NVSVC32.EXE
    c:\windows\SYSTEM32\PNKBSTRA.EXE
    c:\windows\system32\wscntfy.exe
    c:\program files\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
    c:\program files\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
    c:\windows\System32\HPZipm12.exe
    .
    **************************************************************************
    .
    Completion time: 2008-12-13 17:50:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-12-13 22:50:36
    ComboFix3.txt 2008-12-12 04:23:56
    ComboFix2.txt 2008-12-13 05:57:46
    Pre-Run: 1,760,608,256 bytes free
    Post-Run: 1,821,425,664 bytes free
    375 --- E O F --- 2008-03-30 04:17:34
     
Short URL to this thread: https://techguy.org/778466
