safenavweb - Infected with Spyware - use recommended software to get rid of it


RKMole

Thread Starter
Hello - for the last day or two I have been getting messages like the one above. The virus/spyware (?) opens IE to: http://www.safenavweb.com/index.php?sid=502&pn=5&aid=921&said=0&pid=0

Trend Micro PC-cillin has alerted me that it has removed a Trojan and I need to restart to clean my memory. I've done that several times, and although some things are better (like I got my desktop back - it had changed it to a warning telling me to click to go to a website to get it removed), Trend says that http://www.safenavweb.com/ is Dangerous, Category Adware/Joke Program, and suggests I close the browser and not reopen this web site. Of course, that's one of the problems - it keeps opening it itself, over and over.

I'd appreciate help with this annoyance. Thank you.
Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:05:28 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Documents and Settings\All Users\Application Data\sderaxob\uvedivet.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\AOL\1161261455\ee\AOLSoftware.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\QuickTime\QTTask.exe
F:\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\WINDOWS\system32\ujsbwtmh.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCMAIN.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccHCMS.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weightwatchers.com/commu...d_no=&daterange=2days&viewchange=OPENDATEDESC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {54BF6438-02AB-42AD-BC1D-31950D852B81} - (no file)
O2 - BHO: (no name) - {75D62690-EBF8-4DBE-A03B-7463E643F4F2} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - (no file)
O2 - BHO: (no name) - {A3045125-B6D2-4033-93B4-9FAA4E5F1781} - (no file)
O2 - BHO: DVA Storm - {C796500F-4B97-4F2B-B886-11FA6B72F13F} - C:\WINDOWS\nslbvxpgrno.dll
O2 - BHO: (no name) - {E0F0D14C-DA73-4D24-AE67-6F51C7287EF9} - C:\WINDOWS\system32\urqQiIcA.dll (file missing)
O2 - BHO: (no name) - {EEC73EA5-1367-49D1-93F4-CA1D8C22E9F9} - C:\WINDOWS\system32\xxyxULDv.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: sgoblxtm - {54CF4CA2-C46C-4B5C-8DC5-0C0D42ECD69E} - C:\WINDOWS\sgoblxtm.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus C42 Series on B1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P34 "Auto EPSON Stylus C42 Series on B1" /O13 "\\B1\Basement" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\B1\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P35 "\\B1\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R300 Series (Copy 1) on B1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P50 "Auto EPSON Stylus Photo R300 Series (Copy 1) on B1" /O20 "\\B1\EpsonStylusR300" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\LAPTOP\EPSON] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P14 "\\LAPTOP\EPSON" /O14 "\\LAPTOP\EPSON" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office Mouse\moffice.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161261455\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [brvnzizj] C:\WINDOWS\system32\ujsbwtmh.exe
O4 - Startup: Epson printer Registration.lnk = E:\E_reg\EPSONREG.EXE
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136900030812
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O20 - AppInit_DLLs: 34.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xxyxULDv - C:\WINDOWS\SYSTEM32\xxyxULDv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: dsktbwfe - {7B37F747-6B51-4CC6-88D1-B12BDB46DC5B} - C:\WINDOWS\dsktbwfe.dll
O21 - SSODL: ogxtsepr - {9DAF8F2A-EB78-40FC-A85F-DBA0F6AB869C} - C:\WINDOWS\ogxtsepr.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PKSDGSY - Unknown owner - C:\DOCUME~1\Mom\LOCALS~1\Temp\PKSDGSY.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Please visit Combofix Guide & Instructions for instructions on downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

Combofix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean-up process is finished, as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
 

RKMole

Thread Starter
Hi - Thank you for your help. I am sending the ComboFix log in this post and the HJT log in the next post. Please advise.

ComboFix 08-04-13.3 - Mom 2008-04-14 21:14:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.78 [GMT -4:00]
Running from: C:\Documents and Settings\Mom\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mom\Application Data\macromedia\Flash Player\#SharedObjects\JM6RPSL4\www.broadcaster.com
C:\Documents and Settings\Mom\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Mom\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Mom\Desktop\blackbird.jpg
C:\Documents and Settings\Mom\Desktop\EditorFKWP1.5.exe
C:\Documents and Settings\Mom\Desktop\EditorFKWP2.0.exe
C:\Documents and Settings\Mom\Desktop\filemanagerclient.exe
C:\Documents and Settings\Mom\Desktop\fkwp1.5.exe
C:\Documents and Settings\Mom\Desktop\fkwp2.0.exe
C:\Documents and Settings\Mom\Desktop\fwebd.exe
C:\Documents and Settings\Mom\Desktop\FWebdEditor.exe
C:\Documents and Settings\Mom\Desktop\Trojan.Win32.BlackBird.exe
C:\Documents and Settings\Mom\Desktop\virii
C:\Documents and Settings\Mom\Favorites\Error Cleaner.url
C:\Documents and Settings\Mom\Favorites\Privacy Protector.url
C:\Documents and Settings\Mom\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Roger\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Roger\Start Menu\Programs\Uninstall.lnk
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\Program Files\Inet Delivery
C:\Program Files\Inet Delivery\inetdl.exe
C:\Program Files\Inet Delivery\intdel.exe
C:\Program Files\PC-Cleaner
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\system32\AcIiQqru.ini
C:\WINDOWS\system32\AcIiQqru.ini2
C:\WINDOWS\system32\CeLTCJlm.ini
C:\WINDOWS\system32\CeLTCJlm.ini2
C:\WINDOWS\system32\HgggNqss.ini
C:\WINDOWS\system32\HgggNqss.ini2
C:\WINDOWS\system32\nfrjoapa.ini
C:\WINDOWS\system32\PsYxayxx.ini
C:\WINDOWS\system32\PsYxayxx.ini2
C:\WINDOWS\system32\xogkojod.ini
C:\WINDOWS\system32\xxyxULDv.dll
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\[email protected]@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NWSAPAGENT
-------\Service_NwSapAgent


((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-14 22:04 . 2008-04-14 22:04 90,112 --a------ C:\WINDOWS\system32\irmdqviv.exe
2008-04-14 14:57 . 2008-04-14 15:32 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2008-04-14 14:46 . 2008-04-14 14:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-14 11:14 . 2008-04-14 11:14 3,648 --a------ C:\WINDOWS\system32\nbvlypsc.dll
2008-04-14 11:14 . 2008-04-14 11:15 294 --ahs---- C:\WINDOWS\system32\bbeayjjd.ini
2008-04-13 23:31 . 2008-04-13 23:31 3,648 --a------ C:\WINDOWS\system32\chvlwjht.dll
2008-04-13 18:08 . 2008-04-13 18:08 3,648 --a------ C:\WINDOWS\system32\kqklpole.dll
2008-04-13 16:34 . 2008-04-13 16:34 3,648 --a------ C:\WINDOWS\system32\swdhlrka.dll
2008-04-13 16:29 . 2008-04-13 17:49 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\HouseCall 6.6
2008-04-13 16:26 . 2008-04-14 11:25 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-04-13 16:00 . 2008-04-14 19:06 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\TmpRecentIcons
2008-04-13 14:24 . 2008-04-13 09:08 258,048 --a------ C:\WINDOWS\nslbvxpgrno.dll
2008-04-13 14:24 . 2008-04-13 09:08 217,088 --a------ C:\WINDOWS\dsktbwfe.dll
2008-04-13 14:24 . 2008-04-13 09:08 204,800 --a------ C:\WINDOWS\sgoblxtm.dll
2008-04-13 14:24 . 2008-04-13 09:08 200,704 --a------ C:\WINDOWS\ogxtsepr.dll
2008-04-13 14:24 . 2008-04-13 09:08 98,304 --a------ C:\WINDOWS\spnkfwad.exe
2008-04-13 14:23 . 2008-04-13 14:23 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\sderaxob
2008-04-13 14:22 . 2008-04-13 14:22 102,400 --a------ C:\WINDOWS\system32\ujsbwtmh.exe
2008-04-10 20:19 . 2008-04-10 20:19 <DIR> d-------- C:\Program Files\iPod
2008-04-10 17:54 . 2008-02-18 11:16 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-04-06 14:22 . 2008-04-06 14:22 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TomTom
2008-04-06 14:19 . 2008-04-06 14:19 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\TomTom
2008-04-06 14:16 . 2008-04-06 14:16 <DIR> d-------- C:\Program Files\TomTom HOME 2
2008-03-29 22:27 . 2008-03-29 22:27 <DIR> d----c--- C:\DVDVideoSoft
2008-03-29 21:48 . 2008-03-29 21:48 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-03-29 21:47 . 2008-03-29 21:47 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 00:40 --------- dc--a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-04-14 19:19 --------- d-----w C:\Program Files\Lavasoft
2008-04-14 18:07 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-13 17:05 --------- d-----w C:\Documents and Settings\Mom\Application Data\tunebite
2008-04-11 00:12 --------- d-----w C:\Program Files\iTunes
2008-04-10 23:28 --------- d-----w C:\Program Files\QuickTime
2008-04-01 14:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-01 14:09 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2008-04-01 14:08 --------- d-----w C:\Program Files\Ultra Video To Flash Converter
2008-04-01 09:21 --------- d-----w C:\Documents and Settings\Mom\Application Data\AOL Communicator
2008-03-29 01:29 --------- d-----w C:\Documents and Settings\Mom\Application Data\Apple Computer
2008-03-11 23:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-11 22:26 12,160 ----a-w C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-11 21:11 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-03-11 21:09 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-03-08 02:47 --------- d-----w C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-03-07 21:47 --------- d-----w C:\Program Files\Xvid
2008-03-06 14:30 --------- d-----w C:\Program Files\Java
2008-03-04 20:09 --------- d-----w C:\Documents and Settings\Mom\Application Data\acccore
2008-03-04 20:02 --------- dc----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2008-03-04 19:32 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-04 18:59 --------- dc----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2008-02-28 03:18 --------- d-----w C:\Program Files\AviSynth 2.5
2008-02-28 03:17 --------- d-----w C:\Program Files\Red Kawa
2008-02-18 05:22 --------- d-----w C:\Program Files\Paint.NET
2008-02-16 16:34 --------- d-----w C:\Program Files\OverDrive Media Console
2008-02-13 01:27 54,400 -c--a-w C:\Documents and Settings\Mom\Application Data\GDIPFONTCACHEV1.DAT
2007-10-26 17:19 2,950 -c--a-w C:\Program Files\rapget.ini
2007-10-26 16:48 17 -c--a-w C:\Program Files\links.dat
2007-10-07 23:51 171,008 -c--a-w C:\Program Files\rapget.exe
2007-03-15 13:38 8,823,064 -c--a-w C:\Program Files\Photoshop_albumSE_en_us_320.exe
2006-08-25 23:05 59,310,760 -c--a-w C:\Program Files\iPodSetup.exe
2006-07-25 22:31 3,486,568 -c--a-w C:\Program Files\PaintDotNet_2_64.exe
2006-07-25 20:22 23,510,720 -c--a-w C:\Program Files\dotnetfx.exe
2006-06-16 19:12 3,756,032 -c--a-w C:\Program Files\PD955P.exe
2006-06-15 23:35 360,448 -c--a-w C:\Program Files\mouse32a.exe
2006-06-11 01:20 64,576 -c--a-w C:\Documents and Settings\Roger\Application Data\GDIPFONTCACHEV1.DAT
2006-05-30 01:54 2,428,967 -c--a-w C:\Program Files\BitTorrentAbsoluteDownloader.exe
2006-03-20 23:24 395,708 ----a-w C:\Program Files\Patience50.zip
2006-03-03 15:12 454,656 -c--a-w C:\Program Files\ie-spyad.exe
2006-02-25 04:52 282,601 -c--a-w C:\Program Files\hijackthis_sfx.exe
2006-02-25 02:50 212,849 ----a-w C:\Program Files\hijackthis.zip
2006-02-24 03:10 7,737,688 -c--a-w C:\Program Files\ewido-setup.exe
2006-02-21 22:56 523,976 -c--a-w C:\Program Files\PopUpStopperFree.exe
2006-02-21 17:51 83,220 -c--a-w C:\Program Files\IS4AOL2.exe
2005-12-05 22:18 243,512 -c--a-w C:\Program Files\jre-1_5_0_06-windows-i586-p-iftw-1.exe
2005-10-11 14:20 6,635,997 ----a-w C:\Program Files\photoshop_album_SE_3_0_ue.zip
2005-10-07 12:38 254 ----a-w C:\Program Files\Play video.url
2005-10-07 12:22 107,496 -c--a-w C:\Program Files\SH3.EXE
2005-06-20 12:05 20,798,256 -c--a-w C:\Program Files\AdbeRdr70_enu_full.exe
2005-06-06 19:30 6,180,438 -c--a-w C:\Program Files\win2k_xp1410.exe
2005-02-18 13:23 226,544 -c--a-w C:\Program Files\jre-1_5_0_01-windows-i586-p-iftw.exe
2005-01-10 16:04 5,334 -c--a-w C:\Program Files\README.txt
2005-01-10 16:04 16,322 -c--a-w C:\Program Files\Patience.html
2005-01-10 15:46 5,774 -c--a-w C:\Program Files\LICENSE.txt
2005-01-10 01:31 134,975 -c--a-w C:\Program Files\patience.prc
2005-01-10 01:23 1,710 -c--a-w C:\Program Files\Patience Revisited High Res.html
2004-12-25 15:37 1,536 -c--a-w C:\Program Files\Patience Revisited HandEra.html
2004-10-11 12:11 302 -c--a-w C:\Program Files\users.dat
2004-09-17 16:01 37,542 -c-ha-w C:\Program Files\palm.GID
2004-09-17 15:52 23,148 -c-ha-w C:\Program Files\sgcalendar.GID
2004-09-16 12:00 24,180 -c-ha-w C:\Program Files\HOTSYNC.GID
2004-09-15 12:36 136 -c--a-w C:\Program Files\SerialSync.txt
2003-09-20 01:18 32,374 -c--a-w C:\Program Files\removeme.exe
2003-03-27 14:40 1,540,293 -c--a-w C:\Program Files\aaw6.exe
2003-01-25 19:18 1,212,113 -c--a-w C:\Program Files\kali172e.exe
2003-01-25 17:45 892,753 -c--a-w C:\Program Files\aaw.exe
1999-09-21 18:07 1,552,384 -c--a-w C:\Program Files\Upgrade_Utility.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C796500F-4B97-4F2B-B886-11FA6B72F13F}]
2008-04-13 09:08 258048 --a------ C:\WINDOWS\nslbvxpgrno.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0F0D14C-DA73-4D24-AE67-6F51C7287EF9}]
C:\WINDOWS\system32\urqQiIcA.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{54CF4CA2-C46C-4B5C-8DC5-0C0D42ECD69E}"= "C:\WINDOWS\sgoblxtm.dll" [2008-04-13 09:08 204800]

[HKEY_CLASSES_ROOT\clsid\{54cf4ca2-c46c-4b5c-8dc5-0c0d42ecd69e}]
[HKEY_CLASSES_ROOT\sgoblxtm.1]
[HKEY_CLASSES_ROOT\TypeLib\{6D2ABF11-1C46-482A-9B98-1E7C6F823EA8}]
[HKEY_CLASSES_ROOT\sgoblxtm]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acme.PCHButton"="C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe" [2002-07-24 20:37 155907]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-02-18 06:58 206184]
"brvnzizj"="C:\WINDOWS\system32\ujsbwtmh.exe" [2008-04-13 14:22 102400]
"wtbhkruu"="C:\WINDOWS\system32\irmdqviv.exe" [2008-04-14 22:04 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 11:01 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-07-16 11:03 106549]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-19 02:39 212992]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-05-15 06:29 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 06:20 114688]
"Auto EPSON Stylus C42 Series on B1"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 03:00 99840]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 03:00 99840]
"\\B1\EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 03:00 99840]
"Auto EPSON Stylus Photo R300 Series (Copy 1) on B1"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 03:00 99840]
"\\LAPTOP\EPSON"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 03:00 99840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"FLMOFFICE4DMOUSE"="C:\Program Files\Office Mouse\moffice.exe" [2006-06-16 15:12 806912]
"HostManager"="C:\Program Files\Common Files\AOL\1161261455\ee\AOLSoftware.exe" [2007-10-08 17:50 41824]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 17:44 61440]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 02:26 3429904]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 21:08 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 19:52 849280]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="F:\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2006-02-19 23:04:45 28672]
HotSync Manager.lnk - C:\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-02-18 18:52:00 81920]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"bS9rlFXo1J"= C:\Documents and Settings\All Users\Application Data\sderaxob\uvedivet.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=34.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1161261455\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1161261455\\ee\\aim6.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\AOL 9.0a\\waol.exe"=
"C:\\WINDOWS\\system32\\msiexec.exe"=
"C:\\Program Files\\Office Mouse\\moffice.exe"=
"C:\\Palm\\HOTSYNC.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\AOL\\1161261455\\ee\\AOLDesktop.exe"=
"F:\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
"8924:TCP"= 8924:TCP:BitComet 8924 TCP
"8924:UDP"= 8924:UDP:BitComet 8924 UDP
"3689:TCP"= 3689:TCP:Itunes

R3 rtl8180;Belkin 11Mbps Wireless Desktop Network Card Driver;C:\WINDOWS\system32\DRIVERS\Bel6001.sys [2003-07-09 23:06]
S2 OpenCASE Media Agent;OpenCASE Media Agent;"C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe" [2007-12-06 19:33]
S3 idrmkl;idrmkl;C:\DOCUME~1\Roger\LOCALS~1\Temp\idrmkl.sys []
S3 LTower;LEGO USB Tower Driver;C:\WINDOWS\system32\Drivers\LTower.sys []
S3 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\moufiltr.sys [2006-06-16 15:12]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\system32\drivers\PCDRDRV.sys []
S3 PKSDGSY;PKSDGSY;C:\DOCUME~1\Mom\LOCALS~1\Temp\PKSDGSY.exe []
S3 Rapter2USBConexant;Raptor 1.3 CMOS DSC;C:\WINDOWS\system32\DRIVERS\Rapvid.sys []
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 23:41]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2004-12-18 20:32]
S3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys [2007-05-15 15:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 22:08:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"\\\\B1\\EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2F1.EXE /P35 \"\\\\B1\\EPSON Stylus Photo R300 Series\" /O6 \"USB001\" /M \"Stylus Photo R300\""
"\\\\LAPTOP\\EPSON"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2F1.EXE /P14 \"\\\\LAPTOP\\EPSON\" /O14 \"\\\\LAPTOP\\EPSON\" /M \"Stylus Photo R300\""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-14 22:32:14 - machine was rebooted [Mom]
ComboFix-quarantined-files.txt 2008-04-15 02:32:00

Pre-Run: 4,080,238,592 bytes free
Post-Run: 4,065,787,904 bytes free
.
2008-04-11 08:14:40 --- E O F ---
 

RKMole

Thread Starter
Joined
Nov 28, 2001
Messages
283
See previous post for Combofix log. Thanks. Please advise.

Logfile of HijackThis v1.99.1
Scan saved at 10:38:41 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\CF12922.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Documents and Settings\All Users\Application Data\sderaxob\uvedivet.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\AOL\1161261455\ee\AOLSoftware.exe
C:\WINDOWS\system32\irmdqviv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\QuickTime\QTTask.exe
F:\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weightwatchers.com/commu...d_no=&daterange=2days&viewchange=OPENDATEDESC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: DVA Storm - {C796500F-4B97-4F2B-B886-11FA6B72F13F} - C:\WINDOWS\nslbvxpgrno.dll
O2 - BHO: (no name) - {E0F0D14C-DA73-4D24-AE67-6F51C7287EF9} - C:\WINDOWS\system32\urqQiIcA.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: sgoblxtm - {54CF4CA2-C46C-4B5C-8DC5-0C0D42ECD69E} - C:\WINDOWS\sgoblxtm.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus C42 Series on B1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P34 "Auto EPSON Stylus C42 Series on B1" /O13 "\\B1\Basement" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\B1\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P35 "\\B1\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R300 Series (Copy 1) on B1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P50 "Auto EPSON Stylus Photo R300 Series (Copy 1) on B1" /O20 "\\B1\EpsonStylusR300" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\LAPTOP\EPSON] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P14 "\\LAPTOP\EPSON" /O14 "\\LAPTOP\EPSON" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office Mouse\moffice.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161261455\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [brvnzizj] C:\WINDOWS\system32\ujsbwtmh.exe
O4 - HKCU\..\Run: [wtbhkruu] C:\WINDOWS\system32\irmdqviv.exe
O4 - Startup: Epson printer Registration.lnk = E:\E_reg\EPSONREG.EXE
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136900030812
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PKSDGSY - Unknown owner - C:\DOCUME~1\Mom\LOCALS~1\Temp\PKSDGSY.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,192
Go to start - Control Panel - Display Properties - Desktop - Customize Desktop and click on the Web tab.

Select everything listed there (except for "My current home page") and click on Delete.

Click OK and on the next screen click Apply.



Please go to the following link and upload the following file(s) for analysis and let me know what the results are please:

http://virusscan.jotti.org/

C:\Program Files\removeme.exe


Also, do you recognize this?

C:\Program Files\Play video.url



Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\irmdqviv.exe
C:\WINDOWS\system32\nbvlypsc.dll
C:\WINDOWS\system32\bbeayjjd.ini
C:\WINDOWS\system32\chvlwjht.dll
C:\WINDOWS\system32\kqklpole.dll
C:\WINDOWS\system32\swdhlrka.dll
C:\WINDOWS\nslbvxpgrno.dll
C:\WINDOWS\dsktbwfe.dll
C:\WINDOWS\sgoblxtm.dll
C:\WINDOWS\ogxtsepr.dll
C:\WINDOWS\spnkfwad.exe
C:\WINDOWS\system32\ujsbwtmh.exe
C:\Program Files\BitTorrentAbsoluteDownloader.exe
C:\WINDOWS\nslbvxpgrno.dll
C:\WINDOWS\sgoblxtm.dll
C:\WINDOWS\system32\ujsbwtmh.exe
C:\WINDOWS\privacy_danger\index.htm

DirLook::
C:\Documents and Settings\Mom\Application Data\TmpRecentIcons
C:\Documents and Settings\All Users\Application Data\sderaxob

Driver::
idrmkl

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C796500F-4B97-4F2B-B886-11FA6B72F13F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0F0D14C-DA73-4D24-AE67-6F51C7287EF9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{54CF4CA2-C46C-4B5C-8DC5-0C0D42ECD69E}"=-
[-HKEY_CLASSES_ROOT\clsid\{54cf4ca2-c46c-4b5c-8dc5-0c0d42ecd69e}]
[-HKEY_CLASSES_ROOT\sgoblxtm.1]
[-HKEY_CLASSES_ROOT\TypeLib\{6D2ABF11-1C46-482A-9B98-1E7C6F823EA8}]
[-HKEY_CLASSES_ROOT\sgoblxtm]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"brvnzizj"=-
"wtbhkruu"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"bS9rlFXo1J"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=-
"C:\\WINDOWS\\system32\\rundll32.exe"=-
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
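The reasoning behind the CFScript above can be made explicit. The following is an added example, not code from HijackThis, ComboFix or this thread: a small Python triage script that reads a constructed sample of the log lines quoted in the posts above (HijackThis O2/O3/O4/O23 entries and ComboFix REGEDIT4-style loading-point values) and reports the indicators a malware-removal helper looks for. The line formats it parses are assumed from the logs as posted; the `looks_random` name heuristic is the author's own and is scored for review only.

```python
"""Triage of HijackThis / ComboFix log lines: an added example for this thread,
not part of either tool or of the advice above. It spells out the checks behind
the CFScript: orphaned or unnamed autostarts, programs run from Temp, Security
Center and firewall switched off, AppInit_DLLs, system binaries on the firewall
exception list, and gibberish names."""
import re
from dataclasses import dataclass

# Constructed sample: clean and suspicious lines taken from the logs posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {E0F0D14C-DA73-4D24-AE67-6F51C7287EF9} - C:\WINDOWS\system32\urqQiIcA.dll (file missing)
O3 - Toolbar: sgoblxtm - {54CF4CA2-C46C-4B5C-8DC5-0C0D42ECD69E} - C:\WINDOWS\sgoblxtm.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wtbhkruu] C:\WINDOWS\system32\irmdqviv.exe
O23 - Service: PKSDGSY - Unknown owner - C:\DOCUME~1\Mom\LOCALS~1\Temp\PKSDGSY.exe (file missing)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=34.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"""

# Hosts that run whatever they are handed: a firewall exemption for them covers any code they load.
SYSTEM_BINARIES = {"rundll32.exe", "iexplore.exe", "svchost.exe", "explorer.exe"}
HJT_ENTRY = re.compile(r"^(?:O2|O3|O23) - \w+: (.+?) - .+? - (.+)$")
HJT_RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[([^\]]+)\] (.+)$")
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"(.+?)"\s*=\s*(.*)$')

@dataclass
class Finding:
    level: str    # "high": act on it; "review": heuristic, confirm first (e.g. upload the file for a scan)
    subject: str  # file or value name the finding is about
    reason: str

def looks_random(name: str) -> bool:
    """Gibberish heuristic (author's own): 6-12 letters in one case with a run of 5+ consonants.
    Catches irmdqviv/sgoblxtm but also OEM names like hpsysdrv, so it only ever yields 'review'."""
    stem = name.rsplit(".", 1)[0]
    if not (6 <= len(stem) <= 12 and stem.isalpha() and (stem.islower() or stem.isupper())):
        return False
    return re.search(r"[^aeiou]{5,}", stem.lower()) is not None

def _basename(path: str) -> str:
    return path.replace("\\\\", "\\").rsplit("\\", 1)[-1]

def _exe_path(command: str) -> str:  # strip quotes and trailing arguments from an O4 command line
    command = command.strip()
    return command[1:command.find('"', 1)] if command.startswith('"') else re.split(r" [-/]", command)[0]

def _nonzero(value: str) -> bool:  # True for dword:00000001 or "1 (0x1)", False for "0 (0x0)"
    return re.search(r"[1-9a-f]", value.lower().replace("dword:", "")) is not None

def assess_autostart(name: str, path: str) -> list:
    reasons = []
    if path.endswith("(file missing)"):
        reasons.append("autostart points at a file that no longer exists")
        path = path[: -len("(file missing)")].strip()
    if name == "(no name)":
        reasons.append("browser helper object registered without a name")
    if re.search(r"\\(temp|locals~1)\\", path, re.I):
        reasons.append("runs from a Temp directory")
    odd = [n for n in (name, _basename(path)) if looks_random(n)]
    if odd:
        reasons.append("review: machine-generated-looking name: " + ", ".join(odd))
    return reasons

def assess_registry(key: str, name: str, value: str) -> list:
    k = key.lower()
    if name == "AppInit_DLLs" and value.strip():
        return [f"AppInit_DLLs injects {value.strip()} into every process that loads user32.dll"]
    if "security center" in k and name in ("FirewallOverride", "DisableMonitoring") and _nonzero(value):
        return ["Security Center alerting switched off"]
    if "firewallpolicy" in k and name == "EnableFirewall" and not _nonzero(value):
        return ["Windows Firewall disabled for this profile"]
    if "authorizedapplications" in k and _basename(name).lower() in SYSTEM_BINARIES:
        return ["system binary placed on the firewall exception list"]
    return []

def triage(log_text: str) -> list:
    findings, key = [], ""
    for line in filter(None, (l.strip() for l in log_text.splitlines())):
        if m := REG_KEY.match(line):
            key = m.group(1)
        elif m := REG_VALUE.match(line):
            findings += [Finding("high", _basename(m.group(1)), r)
                         for r in assess_registry(key, m.group(1), m.group(2))]
        elif (m := HJT_RUN.match(line)) or (m := HJT_ENTRY.match(line)):
            name = m.group(1)
            path = _exe_path(m.group(2)) if m.re is HJT_RUN else m.group(2)
            subject = _basename(path.replace("(file missing)", "").strip())
            findings += [Finding("review" if r.startswith("review:") else "high", subject, r)
                         for r in assess_autostart(name, path)]
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.level}] {f.subject}: {f.reason}")
```

Run against the sample, the deterministic checks (missing file, unnamed BHO, Temp path, AppInit_DLLs, DisableMonitoring, EnableFirewall=0, rundll32.exe on the exception list) come back as high, while the name heuristic flags sgoblxtm.dll, irmdqviv.exe and PKSDGSY.exe but also the legitimate HP utility hpsysdrv.exe, which is why such items are marked for review and confirmed by an online scan rather than deleted outright.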
 

RKMole

Thread Starter
Joined
Nov 28, 2001
Messages
283
Hi Cookiegal-
The scan said no problem with those 2 files. No, I don't recognize the name of the 2nd one. Here's the Combofix log and I'll do another post for the HJT, thanks. The one pop-up warning still shows up. Thanks for your help, I appreciate it.

ComboFix 08-04-13.3 - Mom 2008-04-15 22:51:02.2 - NTFSx86
Running from: C:\Documents and Settings\Mom\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mom\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\BitTorrentAbsoluteDownloader.exe
C:\WINDOWS\dsktbwfe.dll
C:\WINDOWS\nslbvxpgrno.dll
C:\WINDOWS\ogxtsepr.dll
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\sgoblxtm.dll
C:\WINDOWS\spnkfwad.exe
C:\WINDOWS\system32\bbeayjjd.ini
C:\WINDOWS\system32\chvlwjht.dll
C:\WINDOWS\system32\irmdqviv.exe
C:\WINDOWS\system32\kqklpole.dll
C:\WINDOWS\system32\nbvlypsc.dll
C:\WINDOWS\system32\swdhlrka.dll
C:\WINDOWS\system32\ujsbwtmh.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\BitTorrentAbsoluteDownloader.exe
C:\WINDOWS\dsktbwfe.dll
C:\WINDOWS\nslbvxpgrno.dll
C:\WINDOWS\ogxtsepr.dll
C:\WINDOWS\sgoblxtm.dll
C:\WINDOWS\spnkfwad.exe
C:\WINDOWS\system32\bbeayjjd.ini
C:\WINDOWS\system32\chvlwjht.dll
C:\WINDOWS\system32\irmdqviv.exe
C:\WINDOWS\system32\kqklpole.dll
C:\WINDOWS\system32\nbvlypsc.dll
C:\WINDOWS\system32\swdhlrka.dll
C:\WINDOWS\system32\ujsbwtmh.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IDRMKL
-------\Service_idrmkl


((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-16 07:34 . 2008-04-16 07:34 102,400 --a------ C:\WINDOWS\system32\mpypcxav.exe
2008-04-15 21:57 . 2008-04-16 07:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-15 21:57 . 2008-04-15 21:57 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-14 23:24 . 2008-04-14 23:24 90,112 --a------ C:\WINDOWS\system32\ydabuvcb.exe
2008-04-14 14:57 . 2008-04-14 15:32 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2008-04-14 14:46 . 2008-04-14 14:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 16:29 . 2008-04-13 17:49 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\HouseCall 6.6
2008-04-13 16:26 . 2008-04-14 11:25 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-04-13 16:00 . 2008-04-14 19:06 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\TmpRecentIcons
2008-04-13 14:23 . 2008-04-13 14:23 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\sderaxob
2008-04-10 20:19 . 2008-04-10 20:19 <DIR> d-------- C:\Program Files\iPod
2008-04-10 17:54 . 2008-02-18 11:16 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-04-06 14:22 . 2008-04-06 14:22 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TomTom
2008-04-06 14:19 . 2008-04-06 14:19 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\TomTom
2008-04-06 14:16 . 2008-04-06 14:16 <DIR> d-------- C:\Program Files\TomTom HOME 2
2008-03-29 22:27 . 2008-03-29 22:27 <DIR> d----c--- C:\DVDVideoSoft
2008-03-29 21:48 . 2008-03-29 21:48 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-03-29 21:47 . 2008-03-29 21:47 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 17:12 --------- d-----w C:\Program Files\AIM95
2008-04-15 16:48 --------- d-----w C:\Documents and Settings\Mom\Application Data\AOL Communicator
2008-04-15 00:40 --------- dc--a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-04-14 19:19 --------- d-----w C:\Program Files\Lavasoft
2008-04-14 18:07 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-13 17:05 --------- d-----w C:\Documents and Settings\Mom\Application Data\tunebite
2008-04-11 00:12 --------- d-----w C:\Program Files\iTunes
2008-04-10 23:28 --------- d-----w C:\Program Files\QuickTime
2008-04-01 14:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-01 14:09 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2008-04-01 14:08 --------- d-----w C:\Program Files\Ultra Video To Flash Converter
2008-03-29 01:29 --------- d-----w C:\Documents and Settings\Mom\Application Data\Apple Computer
2008-03-11 23:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-11 22:26 12,160 ----a-w C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-11 21:11 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-03-11 21:09 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-03-08 02:47 --------- d-----w C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-03-07 21:47 --------- d-----w C:\Program Files\Xvid
2008-03-06 14:30 --------- d-----w C:\Program Files\Java
2008-03-04 20:09 --------- d-----w C:\Documents and Settings\Mom\Application Data\acccore
2008-03-04 20:02 --------- dc----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2008-03-04 19:32 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-04 18:59 --------- dc----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2008-02-28 03:18 --------- d-----w C:\Program Files\AviSynth 2.5
2008-02-28 03:17 --------- d-----w C:\Program Files\Red Kawa
2008-02-18 05:22 --------- d-----w C:\Program Files\Paint.NET
2008-02-16 16:34 --------- d-----w C:\Program Files\OverDrive Media Console
2008-02-13 01:27 54,400 -c--a-w C:\Documents and Settings\Mom\Application Data\GDIPFONTCACHEV1.DAT
2007-10-26 17:19 2,950 -c--a-w C:\Program Files\rapget.ini
2007-10-26 16:48 17 -c--a-w C:\Program Files\links.dat
2007-10-07 23:51 171,008 -c--a-w C:\Program Files\rapget.exe
2007-03-15 13:38 8,823,064 -c--a-w C:\Program Files\Photoshop_albumSE_en_us_320.exe
2006-08-25 23:05 59,310,760 -c--a-w C:\Program Files\iPodSetup.exe
2006-07-25 22:31 3,486,568 -c--a-w C:\Program Files\PaintDotNet_2_64.exe
2006-07-25 20:22 23,510,720 -c--a-w C:\Program Files\dotnetfx.exe
2006-06-16 19:12 3,756,032 -c--a-w C:\Program Files\PD955P.exe
2006-06-15 23:35 360,448 -c--a-w C:\Program Files\mouse32a.exe
2006-06-11 01:20 64,576 -c--a-w C:\Documents and Settings\Roger\Application Data\GDIPFONTCACHEV1.DAT
2006-03-20 23:24 395,708 ----a-w C:\Program Files\Patience50.zip
2006-03-03 15:12 454,656 -c--a-w C:\Program Files\ie-spyad.exe
2006-02-25 04:52 282,601 -c--a-w C:\Program Files\hijackthis_sfx.exe
2006-02-25 02:50 212,849 ----a-w C:\Program Files\hijackthis.zip
2006-02-24 03:10 7,737,688 -c--a-w C:\Program Files\ewido-setup.exe
2006-02-21 22:56 523,976 -c--a-w C:\Program Files\PopUpStopperFree.exe
2006-02-21 17:51 83,220 -c--a-w C:\Program Files\IS4AOL2.exe
2005-12-05 22:18 243,512 -c--a-w C:\Program Files\jre-1_5_0_06-windows-i586-p-iftw-1.exe
2005-10-11 14:20 6,635,997 ----a-w C:\Program Files\photoshop_album_SE_3_0_ue.zip
2005-10-07 12:38 254 ----a-w C:\Program Files\Play video.url
2005-10-07 12:22 107,496 -c--a-w C:\Program Files\SH3.EXE
2005-06-20 12:05 20,798,256 -c--a-w C:\Program Files\AdbeRdr70_enu_full.exe
2005-06-06 19:30 6,180,438 -c--a-w C:\Program Files\win2k_xp1410.exe
2005-02-18 13:23 226,544 -c--a-w C:\Program Files\jre-1_5_0_01-windows-i586-p-iftw.exe
2005-01-10 16:04 5,334 -c--a-w C:\Program Files\README.txt
2005-01-10 16:04 16,322 -c--a-w C:\Program Files\Patience.html
2005-01-10 15:46 5,774 -c--a-w C:\Program Files\LICENSE.txt
2005-01-10 01:31 134,975 -c--a-w C:\Program Files\patience.prc
2005-01-10 01:23 1,710 -c--a-w C:\Program Files\Patience Revisited High Res.html
2004-12-25 15:37 1,536 -c--a-w C:\Program Files\Patience Revisited HandEra.html
2004-10-11 12:11 302 -c--a-w C:\Program Files\users.dat
2004-09-17 16:01 37,542 -c-ha-w C:\Program Files\palm.GID
2004-09-17 15:52 23,148 -c-ha-w C:\Program Files\sgcalendar.GID
2004-09-16 12:00 24,180 -c-ha-w C:\Program Files\HOTSYNC.GID
2004-09-15 12:36 136 -c--a-w C:\Program Files\SerialSync.txt
2003-09-20 01:18 32,374 -c--a-w C:\Program Files\removeme.exe
2003-03-27 14:40 1,540,293 -c--a-w C:\Program Files\aaw6.exe
2003-01-25 19:18 1,212,113 -c--a-w C:\Program Files\kali172e.exe
2003-01-25 17:45 892,753 -c--a-w C:\Program Files\aaw.exe
1999-09-21 18:07 1,552,384 -c--a-w C:\Program Files\Upgrade_Utility.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\All Users\Application Data\sderaxob ----

2008-04-13 14:23 38912 --a--c--- C:\Documents and Settings\All Users\Application Data\sderaxob\uvedivet.exe

---- Directory of C:\Documents and Settings\Mom\Application Data\TmpRecentIcons ----

2008-04-14 14:07 701 --a------ C:\Documents and Settings\Mom\Application Data\TmpRecentIcons\SpywareBlaster.lnk
2007-12-29 15:35 1631 --a------ C:\Documents and Settings\Mom\Application Data\TmpRecentIcons\Mozilla Firefox.lnk
2007-12-17 21:11 705 --a------ C:\Documents and Settings\Mom\Application Data\TmpRecentIcons\Tunebite (2).lnk
2007-12-17 17:13 1318 --a------ C:\Documents and Settings\Mom\Application Data\TmpRecentIcons\HotSync Manager (2).lnk
2007-11-29 09:42 104 --a------ C:\Documents and Settings\Mom\Application Data\TmpRecentIcons\Shortcut to My Computer.lnk
2007-01-29 08:26 814 --a------ C:\Documents and Settings\Mom\Application Data\TmpRecentIcons\Internet Explorer.lnk


((((((((((((((((((((((((((((( [email protected]_22.30.27.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-15 01:56:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-16 03:07:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-01-24 21:45:46 102,800 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
+ 2007-12-24 21:37:00 138,384 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acme.PCHButton"="C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe" [2002-07-24 20:37 155907]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-02-18 06:58 206184]
"oatoxykh"="C:\WINDOWS\system32\ydabuvcb.exe" [2008-04-14 23:24 90112]
"sthhxkxe"="C:\WINDOWS\system32\mpypcxav.exe" [2008-04-16 07:34 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 11:01 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-07-16 11:03 106549]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-19 02:39 212992]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-05-15 06:29 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 06:20 114688]
"Auto EPSON Stylus C42 Series on B1"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 03:00 99840]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 03:00 99840]
"\\B1\EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 03:00 99840]
"Auto EPSON Stylus Photo R300 Series (Copy 1) on B1"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 03:00 99840]
"\\LAPTOP\EPSON"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 03:00 99840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"FLMOFFICE4DMOUSE"="C:\Program Files\Office Mouse\moffice.exe" [2006-06-16 15:12 806912]
"HostManager"="C:\Program Files\Common Files\AOL\1161261455\ee\AOLSoftware.exe" [2007-10-08 17:50 41824]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 17:44 61440]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 02:26 3429904]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 21:08 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 19:52 849280]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="F:\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2006-02-19 23:04:45 28672]
HotSync Manager.lnk - C:\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-02-18 18:52:00 81920]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"bS9rlFXo1J"= C:\Documents and Settings\All Users\Application Data\sderaxob\uvedivet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=34.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1161261455\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1161261455\\ee\\aim6.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\AOL 9.0a\\waol.exe"=
"C:\\WINDOWS\\system32\\msiexec.exe"=
"C:\\Program Files\\Office Mouse\\moffice.exe"=
"C:\\Palm\\HOTSYNC.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\AOL\\1161261455\\ee\\AOLDesktop.exe"=
"F:\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
"8924:TCP"= 8924:TCP:BitComet 8924 TCP
"8924:UDP"= 8924:UDP:BitComet 8924 UDP
"3689:TCP"= 3689:TCP:Itunes

R3 rtl8180;Belkin 11Mbps Wireless Desktop Network Card Driver;C:\WINDOWS\system32\DRIVERS\Bel6001.sys [2003-07-09 23:06]
S3 LTower;LEGO USB Tower Driver;C:\WINDOWS\system32\Drivers\LTower.sys []
S3 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\moufiltr.sys [2006-06-16 15:12]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\system32\drivers\PCDRDRV.sys []
S3 Rapter2USBConexant;Raptor 1.3 CMOS DSC;C:\WINDOWS\system32\DRIVERS\Rapvid.sys []
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 23:41]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2004-12-18 20:32]
S3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys [2007-05-15 15:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 07:35:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"\\\\B1\\EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2F1.EXE /P35 \"\\\\B1\\EPSON Stylus Photo R300 Series\" /O6 \"USB001\" /M \"Stylus Photo R300\""
"\\\\LAPTOP\\EPSON"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2F1.EXE /P14 \"\\\\LAPTOP\\EPSON\" /O14 \"\\\\LAPTOP\\EPSON\" /M \"Stylus Photo R300\""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Office Mouse\mouse32a.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccUpdUI.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\pcclient.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Temp\aubin\patch.exe
.
**************************************************************************
.
Completion time: 2008-04-16 7:57:42 - machine was rebooted [Mom]
ComboFix-quarantined-files.txt 2008-04-16 11:56:22
ComboFix2.txt 2008-04-15 02:32:26

Pre-Run: 9,343,021,056 bytes free
Post-Run: 9,246,855,168 bytes free
.
2008-04-11 08:14:40 --- E O F ---
 

RKMole (Thread Starter)
Logfile of HijackThis v1.99.1
Scan saved at 8:30:20 AM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\sderaxob\uvedivet.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\AOL\1161261455\ee\AOLSoftware.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\xsjavwtg.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\QuickTime\QTTask.exe
F:\iTunes\iTunesHelper.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weightwatchers.com/commu...d_no=&daterange=2days&viewchange=OPENDATEDESC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus C42 Series on B1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P34 "Auto EPSON Stylus C42 Series on B1" /O13 "\\B1\Basement" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\B1\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P35 "\\B1\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R300 Series (Copy 1) on B1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P50 "Auto EPSON Stylus Photo R300 Series (Copy 1) on B1" /O20 "\\B1\EpsonStylusR300" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\LAPTOP\EPSON] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P14 "\\LAPTOP\EPSON" /O14 "\\LAPTOP\EPSON" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office Mouse\moffice.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161261455\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [oatoxykh] C:\WINDOWS\system32\ydabuvcb.exe
O4 - HKCU\..\Run: [sthhxkxe] C:\WINDOWS\system32\mpypcxav.exe
O4 - HKCU\..\Run: [btxmanlv] C:\WINDOWS\system32\xsjavwtg.exe
O4 - Startup: Epson printer Registration.lnk = E:\E_reg\EPSONREG.EXE
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136900030812
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O20 - AppInit_DLLs: 34.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PKSDGSY - Unknown owner - C:\DOCUME~1\Mom\LOCALS~1\Temp\PKSDGSY.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

Cookiegal (Karen, Administrator, Malware Specialist Coordinator)
Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\mpypcxav.exe
C:\WINDOWS\system32\ydabuvcb.exe
C:\Program Files\removeme.exe

Folder::
C:\Documents and Settings\All Users\Application Data\sderaxob

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"oatoxykh"=-
"sthhxkxe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"bS9rlFXo1J"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
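The CFScript above was written by hand from the entries in the ComboFix log: the two random-named executables under the HKCU Run key, the entry under policies\explorer\run, the dropper folder under Application Data, and the populated AppInit_DLLs value. As an added example (not code from this thread or from the ComboFix project), the Python script below parses a constructed excerpt of the "Reg Loading Points" section in the REGEDIT4 layout ComboFix prints, flags the same kinds of entries using assumed heuristics (eight random lowercase letters as both value name and executable name under a Run key; anything under policies\explorer\run; a non-empty AppInit_DLLs; firewall or Security Center monitoring switched off), and drafts the File::, Folder:: and Registry:: sections for a human to check before anything is run. The function names, the heuristics and the sample log are my assumptions, not ComboFix's rule set.

```python
"""Triage a ComboFix "Reg Loading Points" excerpt and draft a CFScript for review.
Added example for this thread, not ComboFix's own code; the heuristics, names
and the sample log below are assumptions modelled on the entries removed above."""
import re
from dataclasses import dataclass

# Constructed excerpt in the REGEDIT4-style layout ComboFix prints.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"oatoxykh"="C:\WINDOWS\system32\ydabuvcb.exe" [2008-04-14 23:24 90112]
"sthhxkxe"="C:\WINDOWS\system32\mpypcxav.exe" [2008-04-16 07:34 102400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"bS9rlFXo1J"= C:\Documents and Settings\All Users\Application Data\sderaxob\uvedivet.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=34.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "name"=<optionally quoted data> [optional timestamp/size block]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"?(?P<value>[^"\[]*?)"?\s*(?:\[[^\]]*\])?\s*$')
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")  # assumed dropper naming pattern


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reason: str
    action: str  # "delete" (file + value), "clear" (blank the value) or "review"


def parse_loading_points(text):
    """Yield (registry key, value name, data) triples from the log excerpt."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("value").strip()


def exe_path(data):
    """Return the image path from Run-style data, dropping quotes and switches."""
    m = re.match(r"^(.*?\.exe)\b", data.strip().strip('"'), re.IGNORECASE)
    return m.group(1) if m else data.strip()


def triage(text):
    """Apply the assumed heuristics and return the findings in log order."""
    findings = []
    for key, name, data in parse_loading_points(text):
        k = key.lower()
        stem = exe_path(data).rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if k.endswith(r"policies\explorer\run"):
            findings.append(Finding(key, name, data, "autorun under policies\\explorer\\run, rarely used legitimately", "delete"))
        elif name.lower() == "appinit_dlls" and data:
            findings.append(Finding(key, name, data, "AppInit_DLLs set: loaded into every process that loads user32.dll", "clear"))
        elif k.endswith(r"currentversion\run") and RANDOM_NAME_RE.match(name) and RANDOM_NAME_RE.match(stem):
            findings.append(Finding(key, name, data, "random eight-letter value name and executable name", "delete"))
        elif name.lower() == "enablefirewall" and data.startswith("0"):
            findings.append(Finding(key, name, data, "Windows Firewall disabled", "review"))
        elif name.lower() == "disablemonitoring" and data.endswith("1"):
            findings.append(Finding(key, name, data, "Security Center monitoring disabled", "review"))
    return findings


def draft_cfscript(findings):
    """Render File::/Folder::/Registry:: sections as text; nothing is executed here."""
    files, folders, registry = [], [], {}
    for f in findings:
        if f.action == "delete":
            path = exe_path(f.value)
            files.append(path)
            parent = path.rsplit("\\", 1)[0]
            if RANDOM_NAME_RE.match(parent.rsplit("\\", 1)[-1]):  # random-named dropper folder
                folders.append(parent)
            registry.setdefault(f.key, []).append(f'"{f.name}"=-')
        elif f.action == "clear":
            registry.setdefault(f.key, []).append(f'"{f.name}"=""')
    out = []
    if files:
        out += ["File::", *files, ""]
    if folders:
        out += ["Folder::", *folders, ""]
    if registry:
        out.append("Registry::")
        for key, lines in registry.items():
            out += [f"[{key}]", *lines]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.action:6} {f.name:14} {f.reason}")
    print(draft_cfscript(triage(SAMPLE_LOG)))
```

Entries marked "review" (firewall and Security Center monitoring off) are reported but deliberately left out of the drafted script, matching the post above, which restored those settings separately rather than through CFScript; the draft is a starting point for a reviewer, never something to run unread.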
 

RKMole (Thread Starter)
ComboFix 08-04-13.3 - Mom 2008-04-16 12:23:47.3 - NTFSx86
Running from: C:\Documents and Settings\Mom\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mom\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\removeme.exe
C:\WINDOWS\system32\mpypcxav.exe
C:\WINDOWS\system32\ydabuvcb.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\sderaxob
C:\Documents and Settings\All Users\Application Data\sderaxob\uvedivet.exe
C:\Program Files\removeme.exe
C:\WINDOWS\system32\mpypcxav.exe
C:\WINDOWS\system32\ydabuvcb.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-16 08:14 . 2008-04-16 08:14 102,400 --a------ C:\WINDOWS\system32\xsjavwtg.exe
2008-04-15 21:57 . 2008-04-16 08:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-15 21:57 . 2008-04-15 21:57 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-14 14:57 . 2008-04-14 15:32 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2008-04-14 14:46 . 2008-04-14 14:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 16:29 . 2008-04-13 17:49 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\HouseCall 6.6
2008-04-13 16:26 . 2008-04-14 11:25 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-04-13 16:00 . 2008-04-14 19:06 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\TmpRecentIcons
2008-04-10 20:19 . 2008-04-10 20:19 <DIR> d-------- C:\Program Files\iPod
2008-04-10 17:54 . 2008-02-18 11:16 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-04-06 14:22 . 2008-04-06 14:22 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TomTom
2008-04-06 14:19 . 2008-04-06 14:19 <DIR> d-------- C:\Documents and Settings\Mom\Application Data\TomTom
2008-04-06 14:16 . 2008-04-06 14:16 <DIR> d-------- C:\Program Files\TomTom HOME 2
2008-03-29 22:27 . 2008-03-29 22:27 <DIR> d----c--- C:\DVDVideoSoft
2008-03-29 21:48 . 2008-03-29 21:48 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-03-29 21:47 . 2008-03-29 21:47 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 17:12 --------- d-----w C:\Program Files\AIM95
2008-04-15 16:48 --------- d-----w C:\Documents and Settings\Mom\Application Data\AOL Communicator
2008-04-15 00:40 --------- dc--a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-04-14 19:19 --------- d-----w C:\Program Files\Lavasoft
2008-04-14 18:07 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-13 17:05 --------- d-----w C:\Documents and Settings\Mom\Application Data\tunebite
2008-04-11 00:12 --------- d-----w C:\Program Files\iTunes
2008-04-10 23:28 --------- d-----w C:\Program Files\QuickTime
2008-04-01 14:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-01 14:09 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2008-04-01 14:08 --------- d-----w C:\Program Files\Ultra Video To Flash Converter
2008-03-29 01:29 --------- d-----w C:\Documents and Settings\Mom\Application Data\Apple Computer
2008-03-11 23:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-11 22:26 12,160 ----a-w C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-11 21:11 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-03-11 21:09 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-03-08 02:47 --------- d-----w C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-03-07 21:47 --------- d-----w C:\Program Files\Xvid
2008-03-06 14:30 --------- d-----w C:\Program Files\Java
2008-03-04 20:09 --------- d-----w C:\Documents and Settings\Mom\Application Data\acccore
2008-03-04 20:02 --------- dc----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2008-03-04 19:32 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-04 18:59 --------- dc----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2008-02-28 03:18 --------- d-----w C:\Program Files\AviSynth 2.5
2008-02-28 03:17 --------- d-----w C:\Program Files\Red Kawa
2008-02-18 05:22 --------- d-----w C:\Program Files\Paint.NET
2008-02-16 16:34 --------- d-----w C:\Program Files\OverDrive Media Console
2008-02-13 01:27 54,400 -c--a-w C:\Documents and Settings\Mom\Application Data\GDIPFONTCACHEV1.DAT
2007-10-26 17:19 2,950 -c--a-w C:\Program Files\rapget.ini
2007-10-26 16:48 17 -c--a-w C:\Program Files\links.dat
2007-10-07 23:51 171,008 -c--a-w C:\Program Files\rapget.exe
2007-03-15 13:38 8,823,064 -c--a-w C:\Program Files\Photoshop_albumSE_en_us_320.exe
2006-08-25 23:05 59,310,760 -c--a-w C:\Program Files\iPodSetup.exe
2006-07-25 22:31 3,486,568 -c--a-w C:\Program Files\PaintDotNet_2_64.exe
2006-07-25 20:22 23,510,720 -c--a-w C:\Program Files\dotnetfx.exe
2006-06-16 19:12 3,756,032 -c--a-w C:\Program Files\PD955P.exe
2006-06-15 23:35 360,448 -c--a-w C:\Program Files\mouse32a.exe
2006-06-11 01:20 64,576 -c--a-w C:\Documents and Settings\Roger\Application Data\GDIPFONTCACHEV1.DAT
2006-03-20 23:24 395,708 ----a-w C:\Program Files\Patience50.zip
2006-03-03 15:12 454,656 -c--a-w C:\Program Files\ie-spyad.exe
2006-02-25 04:52 282,601 -c--a-w C:\Program Files\hijackthis_sfx.exe
2006-02-25 02:50 212,849 ----a-w C:\Program Files\hijackthis.zip
2006-02-24 03:10 7,737,688 -c--a-w C:\Program Files\ewido-setup.exe
2006-02-21 22:56 523,976 -c--a-w C:\Program Files\PopUpStopperFree.exe
2006-02-21 17:51 83,220 -c--a-w C:\Program Files\IS4AOL2.exe
2005-12-05 22:18 243,512 -c--a-w C:\Program Files\jre-1_5_0_06-windows-i586-p-iftw-1.exe
2005-10-11 14:20 6,635,997 ----a-w C:\Program Files\photoshop_album_SE_3_0_ue.zip
2005-10-07 12:38 254 ----a-w C:\Program Files\Play video.url
2005-10-07 12:22 107,496 -c--a-w C:\Program Files\SH3.EXE
2005-06-20 12:05 20,798,256 -c--a-w C:\Program Files\AdbeRdr70_enu_full.exe
2005-06-06 19:30 6,180,438 -c--a-w C:\Program Files\win2k_xp1410.exe
2005-02-18 13:23 226,544 -c--a-w C:\Program Files\jre-1_5_0_01-windows-i586-p-iftw.exe
2005-01-10 16:04 5,334 -c--a-w C:\Program Files\README.txt
2005-01-10 16:04 16,322 -c--a-w C:\Program Files\Patience.html
2005-01-10 15:46 5,774 -c--a-w C:\Program Files\LICENSE.txt
2005-01-10 01:31 134,975 -c--a-w C:\Program Files\patience.prc
2005-01-10 01:23 1,710 -c--a-w C:\Program Files\Patience Revisited High Res.html
2004-12-25 15:37 1,536 -c--a-w C:\Program Files\Patience Revisited HandEra.html
2004-10-11 12:11 302 -c--a-w C:\Program Files\users.dat
2004-09-17 16:01 37,542 -c-ha-w C:\Program Files\palm.GID
2004-09-17 15:52 23,148 -c-ha-w C:\Program Files\sgcalendar.GID
2004-09-16 12:00 24,180 -c-ha-w C:\Program Files\HOTSYNC.GID
2004-09-15 12:36 136 -c--a-w C:\Program Files\SerialSync.txt
2003-03-27 14:40 1,540,293 -c--a-w C:\Program Files\aaw6.exe
2003-01-25 19:18 1,212,113 -c--a-w C:\Program Files\kali172e.exe
2003-01-25 17:45 892,753 -c--a-w C:\Program Files\aaw.exe
1999-09-21 18:07 1,552,384 -c--a-w C:\Program Files\Upgrade_Utility.exe
.

((((((((((((((((((((((((((((( [email protected]_22.30.27.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-15 01:56:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-16 12:11:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-01-24 21:45:46 102,800 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
+ 2007-12-24 21:37:00 138,384 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acme.PCHButton"="C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe" [2002-07-24 20:37 155907]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-02-18 06:58 206184]
"btxmanlv"="C:\WINDOWS\system32\xsjavwtg.exe" [2008-04-16 08:14 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 11:01 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-07-16 11:03 106549]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-19 02:39 212992]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-05-15 06:29 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 06:20 114688]
"Auto EPSON Stylus C42 Series on B1"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 03:00 99840]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 03:00 99840]
"\\B1\EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 03:00 99840]
"Auto EPSON Stylus Photo R300 Series (Copy 1) on B1"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 03:00 99840]
"\\LAPTOP\EPSON"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 03:00 99840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"FLMOFFICE4DMOUSE"="C:\Program Files\Office Mouse\moffice.exe" [2006-06-16 15:12 806912]
"HostManager"="C:\Program Files\Common Files\AOL\1161261455\ee\AOLSoftware.exe" [2007-10-08 17:50 41824]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 17:44 61440]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 02:26 3429904]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 21:08 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 19:52 849280]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="F:\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2006-02-19 23:04:45 28672]
HotSync Manager.lnk - C:\Palm\Hotsync.exe [2004-06-09 14:27:34 471040]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-02-18 18:52:00 81920]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1161261455\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1161261455\\ee\\aim6.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\AOL 9.0a\\waol.exe"=
"C:\\WINDOWS\\system32\\msiexec.exe"=
"C:\\Program Files\\Office Mouse\\moffice.exe"=
"C:\\Palm\\HOTSYNC.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\AOL\\1161261455\\ee\\AOLDesktop.exe"=
"F:\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"8924:TCP"= 8924:TCP:BitComet 8924 TCP
"8924:UDP"= 8924:UDP:BitComet 8924 UDP
"3689:TCP"= 3689:TCP:Itunes

R3 rtl8180;Belkin 11Mbps Wireless Desktop Network Card Driver;C:\WINDOWS\system32\DRIVERS\Bel6001.sys [2003-07-09 23:06]
S2 OpenCASE Media Agent;OpenCASE Media Agent;"C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe" [2007-12-06 19:33]
S3 LTower;LEGO USB Tower Driver;C:\WINDOWS\system32\Drivers\LTower.sys []
S3 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\moufiltr.sys [2006-06-16 15:12]
S3 PCDRDRV;Pcdr CPU Helper Driver;C:\WINDOWS\system32\drivers\PCDRDRV.sys []
S3 PKSDGSY;PKSDGSY;C:\DOCUME~1\Mom\LOCALS~1\Temp\PKSDGSY.exe []
S3 Rapter2USBConexant;Raptor 1.3 CMOS DSC;C:\WINDOWS\system32\DRIVERS\Rapvid.sys []
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 23:41]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2004-12-18 20:32]
S3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys [2007-05-15 15:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 12:33:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"\\\\B1\\EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2F1.EXE /P35 \"\\\\B1\\EPSON Stylus Photo R300 Series\" /O6 \"USB001\" /M \"Stylus Photo R300\""
"\\\\LAPTOP\\EPSON"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2F1.EXE /P14 \"\\\\LAPTOP\\EPSON\" /O14 \"\\\\LAPTOP\\EPSON\" /M \"Stylus Photo R300\""
.
Completion time: 2008-04-16 12:44:30
ComboFix-quarantined-files.txt 2008-04-16 16:43:32
ComboFix2.txt 2008-04-16 11:57:49
ComboFix3.txt 2008-04-15 02:32:26

Pre-Run: 9,216,454,656 bytes free
Post-Run: 9,206,099,968 bytes free
.
2008-04-11 08:14:40 --- E O F ---
 

RKMole (Thread Starter):
Logfile of HijackThis v1.99.1
Scan saved at 6:24:50 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Office Mouse\moffice.exe
C:\Program Files\Common Files\AOL\1161261455\ee\AOLSoftware.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\QuickTime\QTTask.exe
F:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\xsjavwtg.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Office Mouse\MOUSE32A.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weightwatchers.com/commu...d_no=&daterange=2days&viewchange=OPENDATEDESC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus C42 Series on B1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P34 "Auto EPSON Stylus C42 Series on B1" /O13 "\\B1\Basement" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\B1\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P35 "\\B1\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R300 Series (Copy 1) on B1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P50 "Auto EPSON Stylus Photo R300 Series (Copy 1) on B1" /O20 "\\B1\EpsonStylusR300" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\LAPTOP\EPSON] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P14 "\\LAPTOP\EPSON" /O14 "\\LAPTOP\EPSON" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office Mouse\moffice.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161261455\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [btxmanlv] C:\WINDOWS\system32\xsjavwtg.exe
O4 - Startup: Epson printer Registration.lnk = E:\E_reg\EPSONREG.EXE
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136900030812
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PKSDGSY - Unknown owner - C:\DOCUME~1\Mom\LOCALS~1\Temp\PKSDGSY.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
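
Editor's added example, not part of this thread and not HijackThis code: a Python script that applies to HJT lines the kind of reading a malware-removal helper does by eye. It flags a Run entry whose executable sits directly in system32 under an unrecognised, random-looking name (the btxmanlv / xsjavwtg.exe pair in the log above), an O23 service with no publisher whose binary lived in a Temp folder and is now reported missing (PKSDGSY), and a Start Page pointing at a non-Microsoft host, while leaving ctfmon.exe, the Trend Micro autostart and the Bonjour LSP alone. Note that HJT's "Unknown file" / "Unknown owner" wording only means the item is not in its own database. The sample lines are copied from the log above; the allow-lists, the vowel-ratio heuristic and the high/review labels are the editor's assumptions, and a "high" hit is a prompt to pull the file for scanning, not a verdict.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread; it is not part of the original posts and not
HijackThis code.  The allow-lists and heuristics below are the editor's
assumptions, so treat a 'high' finding as a prompt to inspect the file, not
as a verdict.
"""
import re
from urllib.parse import urlparse

# Sample input: lines copied from the HJT log posted above (trimmed to a handful).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [btxmanlv] C:\WINDOWS\system32\xsjavwtg.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: PKSDGSY - Unknown owner - C:\DOCUME~1\Mom\LOCALS~1\Temp\PKSDGSY.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Assumption: the only autostart that normally runs straight out of system32 on this box.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe"}
# Assumption: hosts behind Internet Explorer's stock start and search pages.
DEFAULT_IE_HOSTS = {"go.microsoft.com", "www.microsoft.com"}

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
PAGE_RE = re.compile(r"^R[01] - (?P<where>.+?),(?P<setting>[^=]*?(?:Page|URL)) = (?P<url>\S+)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")


def looks_random(name):
    """True for long, all-letter, nearly vowel-free names such as 'xsjavwtg'."""
    stem = name.lower().rsplit(".", 1)[0]
    if len(stem) < 7 or not stem.isalpha():
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.25


def exe_from_command(cmd):
    """Extract the executable from a Run value, tolerating quotes, spaces and arguments."""
    m = re.match(r'^"?(?P<exe>.+?\.exe)', cmd.strip(), re.IGNORECASE)
    return m["exe"] if m else cmd.strip()


def triage_line(line):
    """Return (severity, reason) for one HJT line, or None when nothing stands out."""
    m = RUN_RE.match(line)
    if m:
        exe = exe_from_command(m["cmd"])
        folder, _, fname = exe.lower().rpartition("\\")
        if folder.endswith("\\system32") and fname not in KNOWN_SYSTEM32_AUTOSTARTS:
            why = "unrecognised autostart directly under system32"
            if looks_random(fname) or looks_random(m["key"]):
                why += "; random-looking name"
            return ("high", f"{m['key']} -> {exe}: {why}")
        return None
    m = SERVICE_RE.match(line)
    if m:
        path = m["path"].lower()
        reasons = []
        if m["owner"].lower() == "unknown owner":
            reasons.append("no publisher")
        if "\\temp\\" in path:
            reasons.append("runs from a Temp directory")
        if "(file missing)" in path:
            reasons.append("binary gone but service entry remains")
        if reasons:
            return ("high", f"service {m['name']}: " + ", ".join(reasons))
        return None
    m = PAGE_RE.match(line)
    if m:
        host = urlparse(m["url"]).hostname or ""
        if host not in DEFAULT_IE_HOSTS:
            return ("review", f"{m['setting'].strip()} points at {host}")
        return None
    m = LSP_RE.match(line)
    if m:
        # 'Unknown' is HJT saying the DLL is not in its list, not that it is malicious.
        return ("review", f"Winsock LSP not in HJT database: {m['path']}")
    return None


def triage(log_text):
    """Run triage_line over a whole log; returns [(severity, reason, original line)]."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line))
    return findings


if __name__ == "__main__":
    for sev, why, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {why}\n         {line}")
```

Run as-is it prints four findings for the sample; paste a full log into SAMPLE_LOG to triage a real one. Bonjour's mdnsnsp.dll comes out as "review" rather than clean on purpose: an LSP sits in every socket call, so it is worth a glance even when it belongs to a known product.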
 

Cookiegal (Karen, Administrator, Malware Specialist Coordinator):
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Please run the Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from the SuperAntiSpyware and Kaspersky scans.
 

RKMole (Thread Starter):
Hi Cookiegal: I did the 3 things you told me to. The Kaspersky scan took over 6 hours, and when I went to save the scan log it froze, so I lost it all. I'll do it over and try to save it differently next time. But here are the HJT and SUPERAntiSpyware logs. I don't know if you can use them without the Kaspersky scan, but I wanted to update you.
Unfortunately, I also still have the pop-up virus on my taskbar.


Logfile of HijackThis v1.99.1
Scan saved at 8:28:46 PM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\xsjavwtg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weightwatchers.com/commu...d_no=&daterange=2days&viewchange=OPENDATEDESC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus C42 Series on B1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P34 "Auto EPSON Stylus C42 Series on B1" /O13 "\\B1\Basement" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O5 "LPT1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\B1\EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P35 "\\B1\EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R300 Series (Copy 1) on B1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P50 "Auto EPSON Stylus Photo R300 Series (Copy 1) on B1" /O20 "\\B1\EpsonStylusR300" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [\\LAPTOP\EPSON] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P14 "\\LAPTOP\EPSON" /O14 "\\LAPTOP\EPSON" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office Mouse\moffice.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161261455\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [btxmanlv] C:\WINDOWS\system32\xsjavwtg.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Epson printer Registration.lnk = E:\E_reg\EPSONREG.EXE
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136900030812
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PKSDGSY - Unknown owner - C:\DOCUME~1\Mom\LOCALS~1\Temp\PKSDGSY.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

RKMole (Thread Starter):
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/16/2008 at 10:44 PM

Application Version : 4.0.1154

Core Rules Database Version : 3440
Trace Rules Database Version: 1432

Scan type : Complete Scan
Total Scan Time : 02:09:40

Memory items scanned : 509
Memory threats detected : 0
Registry items scanned : 6813
Registry threats detected : 4
File items scanned : 123048
File threats detected : 144

Adware.Tracking Cookie

Browser Hijacker.Internet Explorer Settings Hijack
HKU\S-1-5-21-4097411637-2911765694-2800509490-1010\Software\Microsoft\Internet Explorer\Main#Start Page [ http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2 ]

Adware.ClickSpring/Yazzle
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/YazzleActiveX.ocx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/YazzleActiveX.ocx#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/YazzleActiveX.ocx#{74CD40EA-EF77-4BAD-808A-B5982DA73F20}
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,192
It would be good if you could get the Kaspersky scan results.

Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\xsjavwtg.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"btxmanlv"=-
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.
This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
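A small reader for the CFScript format used in the instructions above, as an added example that is not ComboFix's or the thread's own code: it lists the changes a script asks ComboFix to make, so they can be reviewed before the file is dragged onto ComboFix.exe. The `File::` section is treated as a list of files to delete and `Registry::` lines as .reg syntax, where `"name"=-` removes a value; the `[-KEY]` delete-key and `"name"=data` set-value forms are assumed from .reg syntax and are not shown on the page.

```python
from dataclasses import dataclass
import re

# Constructed sample: the exact script posted in the thread.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\system32\xsjavwtg.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"btxmanlv"=-
"""

@dataclass(frozen=True)
class Action:
    kind: str       # delete_file | delete_key | delete_value | set_value
    target: str     # file path, or registry key path
    name: str = ""  # registry value name (value actions only)
    data: str = ""  # new data (set_value only)

def parse_cfscript(text: str) -> list[Action]:
    """Turn a CFScript into the list of changes it asks ComboFix to make."""
    actions: list[Action] = []
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                     # section header, e.g. File::
            section, key = line[:-2].lower(), None
        elif section == "file":
            actions.append(Action("delete_file", line))
        elif section == "registry":
            # [KEY] opens a key; [-KEY] deletes it (assumed .reg syntax)
            if (m := re.fullmatch(r"\[(-?)(.+)\]", line)):
                if m.group(1):
                    actions.append(Action("delete_key", m.group(2)))
                key = None if m.group(1) else m.group(2)
            elif key and (m := re.fullmatch(r'"([^"]+)"=(.*)', line)):
                kind = "delete_value" if m.group(2) == "-" else "set_value"
                actions.append(Action(kind, key, m.group(1), m.group(2)))
            else:
                raise ValueError(f"unrecognised Registry:: line: {line}")
        else:
            raise ValueError(f"line before any section header: {line}")
    return actions

def touches_autostart(actions: list[Action]) -> bool:
    """True if the script edits a ...\CurrentVersion\Run key, i.e. a persistence entry."""
    return any(a.kind.endswith("_value") and a.target.lower().endswith(r"\currentversion\run")
               for a in actions)
```

Running `parse_cfscript(SAMPLE_CFSCRIPT)` yields one file deletion and one Run-key value removal, which is exactly the persistence clean-up the instructions describe.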
 

RKMole

Thread Starter
Joined
Nov 28, 2001
Messages
283
Cookiegal- I'm having the same trouble saving CFScript.txt as I did when I tried to save the Kaspersky scan. When I click save, the hourglass shows up and never goes away. If I click again, it says "Notepad not responding".
 