Ad-Aware SE keeps finding them too but can't delete them (even though it says it has). Have logs for both as well as combofix. I got rid of the trojan yesterday but the varmits keep appearing. Where is that critter?
I am in South Florida and probably got the darn thing on 9-23 from an install of a file I downloaded. At least all signs point to that date; that was about the time things went a bit haywire.
Spybot S&D keeps it at bay real time for now and TM PCillin is a backup along with the various other program scans and deletions I have been doing. If I let it fester, it seems to grow, darnit! I just can't seem to rid them varmits from the system.
I am running Windows XP Home on a 4-year-old AMD 64 3200+ with a Gigabyte MOB. Thanks for your help.
Ad-Aware SE Build 1.06r1
Logfile Created on:Wednesday, October 10, 2007 9:48:03 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R195 08.10.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):3 total references
WinAntiVirusPro(TAC index:10):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
10-10-2007 9:48:03 AM - Scan started. (Full System Scan)
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X
MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 1080
ThreadCreationTime : 10-10-2007 1:30:40 PM
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 1188
ThreadCreationTime : 10-10-2007 1:30:44 PM
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 1220
ThreadCreationTime : 10-10-2007 1:30:47 PM
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1268
ThreadCreationTime : 10-10-2007 1:30:47 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1280
ThreadCreationTime : 10-10-2007 1:30:47 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1480
ThreadCreationTime : 10-10-2007 1:30:48 PM
BasePriority : Normal
FileVersion : 6.14.10.4163
ProductVersion : 6.14.10.4163
ProductName : ATI External Event Utility for Windows
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2007 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE
#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1492
ThreadCreationTime : 10-10-2007 1:30:48 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1604
ThreadCreationTime : 10-10-2007 1:30:48 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1736
ThreadCreationTime : 10-10-2007 1:30:49 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:10 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1788
ThreadCreationTime : 10-10-2007 1:30:49 PM
BasePriority : Normal
FileVersion : 6.14.10.4163
ProductVersion : 6.14.10.4163
ProductName : ATI External Event Utility for Windows
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2007 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE
#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1828
ThreadCreationTime : 10-10-2007 1:30:49 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:12 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1940
ThreadCreationTime : 10-10-2007 1:30:49 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:13 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2028
ThreadCreationTime : 10-10-2007 1:30:49 PM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
#:14 [dkservice.exe]
FilePath : C:\Program Files\Diskeeper Corporation\Diskeeper\
ProcessID : 456
ThreadCreationTime : 10-10-2007 1:30:55 PM
BasePriority : Below Normal
FileVersion : 11.0.709.0
ProductVersion : 11.0.709.0
ProductName : Diskeeper (TM) Disk Defragmenter
CompanyName : Diskeeper Corporation
FileDescription : Diskeeper Service
InternalName : DkService
LegalCopyright : © 1995-2007 Diskeeper Corporation
OriginalFilename : DkService
#:15 [gearsec.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 476
ThreadCreationTime : 10-10-2007 1:30:55 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 6
ProductVersion : 1, 0, 0, 6
ProductName : gearsec
CompanyName : GEAR Software
FileDescription : gearsec
InternalName : gearsec
LegalCopyright : Copyright © 2001-2003 GEAR Software
OriginalFilename : gearsec.exe
#:16 [pcctlcom.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 500
ThreadCreationTime : 10-10-2007 1:30:55 PM
BasePriority : Normal
FileVersion : 15.30.0.1151
ProductVersion : 15.30.0
ProductName : Trend Micro Internet Security
CompanyName : Trend Micro Inc.
FileDescription : PcCtlCom Module
InternalName : PcCtlCom
LegalCopyright : Copyright (C) 1995-2006 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Incorporated.
OriginalFilename : PcCtlCom.EXE
#:17 [pcscnsrv.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 540
ThreadCreationTime : 10-10-2007 1:30:55 PM
BasePriority : Normal
FileVersion : 15.30.0.1128
ProductVersion : 15.30.0
ProductName : Trend Micro Internet Security
CompanyName : Trend Micro Inc.
FileDescription : PcScnSrv
InternalName : PcScnSrv.exe
LegalCopyright : Copyright (C) 1995-2006 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Incorporated.
OriginalFilename : PcScnSrv.exe
#:18 [hpzipm12.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 668
ThreadCreationTime : 10-10-2007 1:30:56 PM
BasePriority : Normal
FileVersion : 9, 0, 0, 0
ProductVersion : 9, 0, 0, 0
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe
#:19 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 812
ThreadCreationTime : 10-10-2007 1:30:59 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:20 [tmntsrv.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 844
ThreadCreationTime : 10-10-2007 1:30:59 PM
BasePriority : Normal
FileVersion : 15.30.0.1128
ProductVersion : 15.30.0
ProductName : Trend Micro Internet Security
CompanyName : Trend Micro Inc.
FileDescription : Tmntsrv
InternalName : Tmntsrv
LegalCopyright : Copyright (C) 1995-2006 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Incorporated.
OriginalFilename : Tmntsrv.exe
#:21 [tmpfw.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 868
ThreadCreationTime : 10-10-2007 1:30:59 PM
BasePriority : Normal
FileVersion : 3.2.0.1027
ProductVersion : 3.2.0
ProductName : Trend Micro Network Security Components 3.2
CompanyName : Trend Micro Inc.
FileDescription : TmPfw
InternalName : TmPfw
LegalCopyright : Copyright (C) 2001-2006 Trend Micro Inc. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Inc.
OriginalFilename : TmPfw.exe
#:22 [tmproxy.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 972
ThreadCreationTime : 10-10-2007 1:30:59 PM
BasePriority : Normal
FileVersion : 3.2.0.1024
ProductVersion : 3.2.0
ProductName : Trend Micro Network Security Components 3.2
CompanyName : Trend Micro Inc.
FileDescription : TmProxy.exe
InternalName : TmProxy.exe
LegalCopyright : Copyright (C) 2001-2006 Trend Micro Inc. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Inc.
OriginalFilename : TmProxy.exe
#:23 [upsd.exe]
FilePath : C:\Program Files\Belkin Bulldog Plus\
ProcessID : 1000
ThreadCreationTime : 10-10-2007 1:30:59 PM
BasePriority : Normal
FileVersion : 1.1
ProductVersion : 3.1
ProductName : UPSentry Smart 2000
CompanyName : Delta
FileDescription : upsd
InternalName : UPSentry Service
LegalCopyright : Copyright c 1999
OriginalFilename : upsd.exe
#:24 [mspmspsv.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1060
ThreadCreationTime : 10-10-2007 1:30:59 PM
BasePriority : Normal
FileVersion : 7.01.00.3055
ProductVersion : 7.01.00.3055
ProductName : Microsoft (R) DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright (C) Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE
#:25 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 3612
ThreadCreationTime : 10-10-2007 1:31:56 PM
BasePriority : Normal
FileVersion : 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)
ProductVersion : 6.00.2900.3156
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
#:26 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3728
ThreadCreationTime : 10-10-2007 1:31:58 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE
#:27 [type32.exe]
FilePath : C:\Program Files\Microsoft IntelliType Pro\
ProcessID : 3736
ThreadCreationTime : 10-10-2007 1:31:58 PM
BasePriority : Normal
#:28 [launch~1.exe]
FilePath : C:\PROGRA~1\Nokia\NOKIAP~1\
ProcessID : 3752
ThreadCreationTime : 10-10-2007 1:31:58 PM
BasePriority : Normal
#:29 [pccguide.exe]
FilePath : C:\PROGRA~1\TRENDM~1\INTERN~2\
ProcessID : 3772
ThreadCreationTime : 10-10-2007 1:31:58 PM
BasePriority : Normal
FileVersion : 15.30.0.1151
ProductVersion : 15.30.0
ProductName : Trend Micro Internet Security
CompanyName : Trend Micro Inc.
FileDescription : PCCGuide
InternalName : PCCGuide
LegalCopyright : Copyright (C) 1995-2006 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Incorporated.
OriginalFilename : PCCGuide
#:30 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.6.0_03\bin\
ProcessID : 3808
ThreadCreationTime : 10-10-2007 1:31:58 PM
BasePriority : Normal
#:31 [em_exec.exe]
FilePath : C:\Program Files\Logitech\MouseWare\system\
ProcessID : 3864
ThreadCreationTime : 10-10-2007 1:31:59 PM
BasePriority : Normal
FileVersion : 9.79.025
ProductVersion : 9.79.025
ProductName : MouseWare
CompanyName : Logitech Inc.
FileDescription : Logitech Events Handler Application
InternalName : Em_Exec
LegalCopyright : (C) 1987-2003 Logitech. All rights reserved.
LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc.
OriginalFilename : Em_Exec.exe
Comments : Created by the MouseWare team
#:32 [psfree.exe]
FilePath : C:\PROGRA~1\PANICW~1\POP-UP~2\
ProcessID : 3892
ThreadCreationTime : 10-10-2007 1:31:59 PM
BasePriority : Normal
FileVersion : 3, 1, 0, 1014
ProductVersion : 1, 0, 0, 1
ProductName : Pop-Up Stopper Free Edition
CompanyName : Panicware, Inc.
FileDescription : Pop-Up Stopper Free Edition
InternalName : Pop-Up Stopper Free Edition
LegalCopyright : Copyright (C) 2002-2005
OriginalFilename : PSFree.exe
#:33 [pcsync2.exe]
FilePath : C:\Program Files\Nokia\Nokia PC Suite 6\
ProcessID : 3952
ThreadCreationTime : 10-10-2007 1:32:00 PM
BasePriority : Normal
FileVersion : 2.00 (486)
ProductVersion : 2.00
ProductName : PC Sync
CompanyName : Time Information Services Ltd.
FileDescription : PC Sync
InternalName : PcSync2
LegalCopyright : Copyright © Time I.S. Ltd. 2002 - 2006
OriginalFilename : PcSync2.EXE
#:34 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ProcessID : 4048
ThreadCreationTime : 10-10-2007 1:32:04 PM
BasePriority : Normal
FileVersion : 8.1.0178.00
ProductVersion : 8.1.0178
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msnmsgr.exe
LegalCopyright : Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFilename : msnmsgr.exe
#:35 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 4056
ThreadCreationTime : 10-10-2007 1:32:04 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE
#:36 [teatimer.exe]
FilePath : C:\Program Files\Spybot - Search & Destroy\
ProcessID : 4068
ThreadCreationTime : 10-10-2007 1:32:06 PM
BasePriority : Idle
FileVersion : 1, 5, 0, 9
ProductVersion : 1, 5, 0, 0
ProductName : Spybot - Search & Destroy
CompanyName : Safer Networking Limited
FileDescription : System settings protector
InternalName : TeaTimer
LegalCopyright : © 2000-2007 Safer Networking Limited. Alle Rechte vorbehalten.
LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.
OriginalFilename : TeaTimer.exe
Comments : Schützt Systemeinstellungen vor ungewollten Änderungen.
#:37 [mups.exe]
FilePath : C:\Program Files\Belkin Bulldog Plus\
ProcessID : 792
ThreadCreationTime : 10-10-2007 1:32:09 PM
BasePriority : Normal
#:38 [mpapi3s.exe]
FilePath : C:\PROGRA~1\COMMON~1\Nokia\MPAPI\
ProcessID : 928
ThreadCreationTime : 10-10-2007 1:32:10 PM
BasePriority : Normal
FileVersion : 6.80.161.0
ProductVersion : 6.0
ProductName : Nokia Connectivity Library
CompanyName : Nokia Corporation
FileDescription : Mobile Phone API
InternalName : MPAPI
LegalCopyright : Copyright © 1999-2004 Nokia. All Rights Reserved
OriginalFilename : MPAPI.EXE
#:39 [snagit32.exe]
FilePath : C:\Program Files\TechSmith\SnagIt 8\
ProcessID : 164
ThreadCreationTime : 10-10-2007 1:32:12 PM
BasePriority : Normal
#:40 [memturbo.exe]
FilePath : C:\Program Files\Silicon Prairie Software\MemTurbo\
ProcessID : 224
ThreadCreationTime : 10-10-2007 1:32:12 PM
BasePriority : Normal
ProductName : MemTurbo Application
CompanyName : SharewareOnline.com, Inc.
FileDescription : MemTurbo
InternalName : MemTurbo
LegalCopyright : Copyright (C) 1998-2000
LegalTrademarks : MemTurbo, RAMScrub
OriginalFilename : MemTurbo.EXE
Comments : http://www.memturbo.com
#:41 [tschelp.exe]
FilePath : C:\Program Files\TechSmith\SnagIt 8\
ProcessID : 1684
ThreadCreationTime : 10-10-2007 1:32:14 PM
BasePriority : Normal
FileVersion : 8.2.3.14
ProductVersion : 8.2.3.14
CompanyName : TechSmith Corporation
FileDescription : TechSmith HTML Help Helper
InternalName : TechSmith HTML Help Helper
LegalCopyright : Copyright (c) 2002-2007 TechSmith Corporation. All rights reserved.
OriginalFilename : TscHelp.exe
#:42 [snagpriv.exe]
FilePath : C:\Program Files\TechSmith\SnagIt 8\
ProcessID : 1400
ThreadCreationTime : 10-10-2007 1:32:14 PM
BasePriority : Normal
FileVersion : 8.2.3.14
ProductVersion : 8.2.3.14
ProductName : SnagPriv
CompanyName : TechSmith Corporation
FileDescription : SnagIt RPC Helper
InternalName : SnagPriv
LegalCopyright : Copyright © 1996-2007 TechSmith Corp. All rights reserved.
OriginalFilename : SnagPriv.exe
Comments : 8.2.3 release
#:43 [servicelayer.exe]
FilePath : C:\Program Files\Common Files\PCSuite\Services\
ProcessID : 2652
ThreadCreationTime : 10-10-2007 1:32:26 PM
BasePriority : Normal
FileVersion : 6, 80, 56, 4
ProductVersion : 6.0
ProductName : PC Connectivity Solution
CompanyName : Nokia.
FileDescription : ServiceLayer Module
InternalName : ServiceLayer
LegalCopyright : Copyright © 2002-2006 Nokia. All Rights Reserved.
OriginalFilename : ServiceLayer.exe
#:44 [wscntfy.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1640
ThreadCreationTime : 10-10-2007 1:32:27 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Security Center Notification App
InternalName : wscntfy.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wscntfy.exe
#:45 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3212
ThreadCreationTime : 10-10-2007 1:32:28 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe
#:46 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3064
ThreadCreationTime : 10-10-2007 1:32:41 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:47 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1332
ThreadCreationTime : 10-10-2007 1:34:23 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE
#:48 [hijackthis_v2.exe]
FilePath : C:\Documents and Settings\Paul\Desktop\Utilities\
ProcessID : 1560
ThreadCreationTime : 10-10-2007 1:34:46 PM
BasePriority : Normal
FileVersion : 2.00
ProductVersion : 2.00
ProductName : HijackThis
CompanyName : Trend Micro Inc.
FileDescription : HijackThis
InternalName : HijackThis
LegalCopyright : (c) 2007 Trend Micro Inc
OriginalFilename : HijackThis.exe
#:49 [opera.exe]
FilePath : C:\Program Files\Opera75\
ProcessID : 2680
ThreadCreationTime : 10-10-2007 1:36:33 PM
BasePriority : Normal
FileVersion : 8808
ProductVersion : 9.23
ProductName : Opera Internet Browser
CompanyName : Opera Software
FileDescription : Opera Internet Browser
InternalName : Opera
LegalCopyright : Copyright © Opera Software 1995-2007
OriginalFilename : Opera.exe
#:50 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2812
ThreadCreationTime : 10-10-2007 1:47:44 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinAntiVirusPro Object Recognized!
Type : File
Data : A0000004.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{A13EE8D9-B42B-4BDE-9C01-36611043B31B}\RP1\
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
6651 entries scanned.
New critical objects:0
Objects found so far: 4
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinAntiVirusPro Object Recognized!
Type : File
Data : sporder.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileVersion : 5.00.2095.1
ProductVersion : 5.00.2095.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : WinSock2 reorder service providers
InternalName : sporder.dll
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : sporder.dll
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 5
10:16:31 AM Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:28:28.250
Objects scanned:340230
Objects identified:2
Objects ignored:0
New critical objects:2
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:04:38 AM, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Opera75\Opera.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Paul\Desktop\Utilities\HJT\HJT.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9FAC296D-F17B-48BE-9857-0701BBCE4E23} - C:\WINDOWS\system32\jkklm.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Inst ... S_live.cab
O16 - DPF: {03B39B10-9AB9-4DBB-8189-7F76E0CE5F3F} (FavImport Class) - https://favorites.live.com/cab/ImportAx ... ,0,0831,02
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/ins ... _v01_6.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8617141609
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} (MsneDiag Class) - http://entimg.msn.com/client/msnediag3503.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral ... 10,0,910,0
O17 - HKLM\System\CCS\Services\Tcpip\..\{0703F95A-7E05-4585-83F8-48511813BBD9}: NameServer = 216.89.226.2,216.89.226.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{0703F95A-7E05-4585-83F8-48511813BBD9}: NameServer = 216.89.226.2,216.89.226.3
O17 - HKLM\System\CS3\Services\Tcpip\..\{0703F95A-7E05-4585-83F8-48511813BBD9}: NameServer = 216.89.226.2,216.89.226.3
O20 - Winlogon Notify: vtuutst - C:\WINDOWS\SYSTEM32\vtuutst.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ibluomrb.exe (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
--
End of file - 10002 bytes
ComboFix 07-10-09.3 - Paul 2007-10-10 11:24:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.374 [GMT -4:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\check_LSA7.txt
C:\WINDOWS\system32\avrqjdbg.dll
C:\WINDOWS\system32\cfhnxfcb.dll
C:\WINDOWS\system32\cvfyqmxb.dll
C:\WINDOWS\system32\dbpqyddo.dll
C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\gbdjqrva.ini
C:\WINDOWS\system32\gcmgperd.dll
C:\WINDOWS\system32\jkklm.dll
C:\WINDOWS\system32\klqruoej.dll
C:\WINDOWS\system32\kuoffmjg.dll
C:\WINDOWS\system32\ljupporm.dll
C:\WINDOWS\system32\lmjuschy.dll
C:\WINDOWS\system32\lqifeemh.dll
C:\WINDOWS\system32\lqtcuynx.exe
C:\WINDOWS\system32\mabqlfbc.dll
C:\WINDOWS\system32\mlkkj.bak1
C:\WINDOWS\system32\mlkkj.bak1
C:\WINDOWS\system32\mlkkj.ini
C:\WINDOWS\system32\mlkkj.ini
C:\WINDOWS\system32\mroppujl.ini
C:\WINDOWS\system32\nnnmp.bak1
C:\WINDOWS\system32\nnnmp.bak1
C:\WINDOWS\system32\nnnmp.bak2
C:\WINDOWS\system32\nnnmp.bak2
C:\WINDOWS\system32\nnnmp.ini
C:\WINDOWS\system32\nnnmp.ini
C:\WINDOWS\system32\nnnmp.ini2
C:\WINDOWS\system32\nnnmp.ini2
C:\WINDOWS\system32\nnnmp.tmp
C:\WINDOWS\system32\nnnmp.tmp
C:\WINDOWS\system32\nqltgvlg.dll
C:\WINDOWS\system32\ouvbyddi.dll
C:\WINDOWS\system32\pdvwptab.dll
C:\WINDOWS\system32\pohechsy.dll
C:\WINDOWS\system32\ppvmvynk.dll
C:\WINDOWS\system32\rhbitdvh.dll
C:\WINDOWS\system32\sjujfjlv.dll
C:\WINDOWS\system32\vtbusixy.dll
C:\WINDOWS\system32\whixewsb.dll
C:\WINDOWS\system32\wnsapisv32.exe
C:\WINDOWS\system32\wnsapisv32.exe
C:\WINDOWS\system32\xhwlrrfy.dll
C:\WINDOWS\system32\xssnhkul.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))
.
2007-10-10 11:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-09 20:14 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-10-09 20:14 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-10-09 20:14 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-10-09 20:14 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2007-10-09 20:14 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-10-09 20:14 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2007-10-09 20:14 106,496 --------- C:\WINDOWS\system32\TwnLib20.dll
2007-10-09 20:12 2,682,880 --------- C:\WINDOWS\UNNeroVision.exe
2007-10-09 20:05 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-10-09 20:04 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-10-09 18:12 1,126,328 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-10-09 18:12 288,848 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-10-09 18:12 203,024 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-10-09 18:12 111,888 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2007-10-09 18:12 75,088 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-10-09 18:12 36,112 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-10-09 11:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Opera
2007-10-09 10:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-10-08 17:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-08 15:06 <DIR> d-------- C:\Documents and Settings\Joyce\Application Data\Share-to-Web Upload Folder
2007-10-07 16:22 717 --a------ C:\WINDOWS\EReg206.dat
2007-10-07 16:12 <DIR> d-------- C:\WINDOWS\EReg206
2007-10-06 18:30 <DIR> d-------- C:\tmp
2007-09-29 16:00 65,536 --a------ C:\WINDOWS\system32\a3d.dll
2007-09-27 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avanquest Software
2007-09-24 18:35 <DIR> d-------- C:\Program Files\Temporary
2007-09-23 19:20 33,792 --a------ C:\WINDOWS\system32\ssqnkkl.dll
2007-09-23 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-09-23 18:02 33,792 --a------ C:\WINDOWS\system32\ddcyawu.dll
2007-09-23 18:01 33,792 --a------ C:\WINDOWS\system32\vtuutst.dll
2007-09-14 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-09-13 15:28 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Printer Info Cache
2007-09-13 15:26 <DIR> d-------- C:\Program Files\Common Files\HP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-10 00:15 --------- d-----w C:\Program Files\Ahead
2007-10-10 00:04 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-09 22:12 --------- d-----w C:\Program Files\Trend Micro
2007-10-09 21:00 --------- d-----w C:\Program Files\Quicken
2007-10-09 21:00 --------- d-----w C:\Program Files\ItsDeductible2005
2007-10-09 20:58 --------- d-----w C:\Program Files\TurboTax
2007-10-09 19:58 --------- d-----w C:\Program Files\Opera75
2007-10-09 16:08 --------- d-----w C:\Program Files\Ulead Systems
2007-10-09 16:06 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-08 22:11 --------- d-----w C:\Program Files\Creative
2007-10-07 20:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-27 20:46 2,754 ----a-w C:\Documents and Settings\Paul\Application Data\SAS7_000.DAT
2007-09-26 17:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-26 17:52 --------- d-----w C:\Documents and Settings\Paul\Application Data\RipIt4Me
2007-09-26 12:40 --------- d-----w C:\Documents and Settings\Paul\Application Data\uTorrent
2007-09-25 02:22 --------- d-----w C:\Documents and Settings\Paul\Application Data\dvdcss
2007-09-25 02:12 --------- d-----w C:\Documents and Settings\Paul\Application Data\Ahead
2007-09-24 13:03 --------- d-----w C:\Program Files\Belkin Bulldog Plus
2007-09-23 22:09 --------- d-----w C:\Documents and Settings\Paul\Application Data\Nero
2007-09-14 13:48 --------- d-----w C:\Documents and Settings\Paul\Application Data\Image Zone Express
2007-09-13 19:26 --------- d-----w C:\Program Files\HP
2007-09-09 13:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-07 19:19 --------- d-----w C:\Program Files\PowerISO
2007-09-07 18:22 --------- d-----w C:\Program Files\Microsoft.NET
2007-09-07 18:22 --------- d-----w C:\Program Files\Microsoft Works
2007-09-06 21:04 --------- d-----w C:\Program Files\QuickZip4
2007-08-19 17:39 --------- d-----w C:\Documents and Settings\Paul\Application Data\Nuance
2007-08-19 17:36 --------- d-----w C:\Program Files\Common Files\Scansoft Shared
2007-08-19 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-08-19 17:35 --------- d-----w C:\Program Files\Nuance
2007-08-19 17:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nuance
2007-08-17 23:02 --------- d-----w C:\Program Files\Codemasters
2007-08-16 14:12 --------- d-----w C:\Program Files\Copy-Discovery 2000
2007-08-13 23:15 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-12 19:48 --------- d-----w C:\Program Files\Diskeeper Corporation
2007-08-12 19:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2007-08-12 19:37 --------- d-----w C:\Program Files\Hewlett-Packard
2007-08-12 19:36 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-08-11 23:48 --------- d-----w C:\Program Files\MagicDisc
2007-08-11 23:30 --------- d-----w C:\Program Files\Ricochet Lost Worlds Recharged
2007-08-11 18:40 --------- d-----w C:\Program Files\microsoft frontpage
2007-08-11 15:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-08-10 17:15 --------- d-----w C:\Program Files\MagicISO
2007-04-28 19:25 81,920 ----a-w C:\Documents and Settings\Paul\Application Data\ezpinst.exe
2007-04-28 19:25 47,360 ----a-w C:\Documents and Settings\Paul\Application Data\pcouffin.sys
2003-03-31 12:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56:46 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56:42 1,028,096 --sha-w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56:43 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56:43 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56:43 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28:05 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56:44 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56:55 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudCtrl"="AudCtrl.dll" [2002-03-21 19:53 C:\WINDOWS\system32\AudCtrl.dll]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 04:51]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-04-26 08:29]
"pccguide.exe"="C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe" [2007-01-23 02:26]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 03:56]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe" [2005-03-17 12:10]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-04-11 17:52]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
C:\Documents and Settings\Paul\Start Menu\Programs\Startup\
MemTurbo.lnk - C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe [2004-02-14 12:52:52]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56]
MUPS.lnk - C:\Program Files\Belkin Bulldog Plus\MUPS.exe [2003-12-31 19:24:27]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2007-05-01 11:11:48]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutst]
vtuutst.dll 2007-09-23 18:01 33792 C:\WINDOWS\system32\vtuutst.dll
R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys
R0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);C:\WINDOWS\system32\drivers\pe3ah4nc.sys
R0 ps6ah4nc;DiRT Synchronization Driver (ps6ah4nc);C:\WINDOWS\system32\drivers\ps6ah4nc.sys
R0 si3112r;Silicon Image SiI 3512 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys
R1 papycpu;papycpu;C:\WINDOWS\system32\drivers\papycpu.sys
R1 papycpu2;papycpu2;C:\WINDOWS\system32\DRIVERS\papycpu2.sys
R1 papyjoy;papyjoy;C:\WINDOWS\system32\DRIVERS\papyjoy.sys
R2 ETDrv;ETDrv;C:\WINDOWS\system32\drivers\ETDrv.sys
R2 tmxpflt;tmxpflt;C:\WINDOWS\system32\DRIVERS\tmxpflt.sys
R3 sbext;Sound Blaster Extigy Audio Driver;C:\WINDOWS\system32\DRIVERS\sbext.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINDOWS\system32\DRIVERS\nvtvsnd.sys
S2 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);C:\WINDOWS\system32\pr2ah4nc.exe svc
S3 ICDUSB2;Sony IC Recorder (P);C:\WINDOWS\system32\Drivers\ICDUSB2.sys
S3 MarkFun_NT;MarkFun_NT;\??\C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\markfun.w32
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s115mdfl.sys
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s115mdm.sys
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s115mgmt.sys
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s115obex.sys
S3 vidcap;vidcap;C:\WINDOWS\system32\DRIVERS\vidcap.sys
S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmHidLo;Logitech Gaming USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
"2004-11-14 02:28:01 C:\WINDOWS\Tasks\HPFRU Task #Hewlett-Packard#hp officejet 7100 series#1080782758.job"
- C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpqfrucl.exe
.
**************************************************************************
disk not found C:\
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
disk not found C:\
**************************************************************************
.
Completion time: 2007-10-10 11:35:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-10 11:34
.
--- E O F ---
Thank goodness there are some good people out there to help. Thank you very much. I will not be using any more untrusted files anytime soon. Virus scan doesn't seem to pick up on all of the critters in them.
Thank God I got the machine stable with all the help from reading other people's posts. Thanks again!!!!
Vexed in the Keys