prudence

Unhandled exception occurred


Hi

I hope you can help me. I have Ad-aware 2008 free. Ran a full scan which had detected 180 problems, but the scan stopped at a certain point (cookies) and gave an error report stating that an unhandled exception had occurred in aawservice.exe (definition file 1035.0000). I have deleted all cookies but the problem still persists.

 

Things aren't running particularly well on the computer, with popups and new windows appearing, whereas a week ago all was well. Popup blocker is always activated, but these windows that come up are getting through.

 

I have run HijackThis and the report is below:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:57:48, on 04/11/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\CDBurnerXP\NMSAccess.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\RTHDCPL.EXE

C:\apps\ABoard\ABoard.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

C:\WINDOWS\sm56hlpr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe

C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\apps\ABoard\AOSD.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://u.tv

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://u.tv/searchbar.asp

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.usefulware.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://u.tv

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.usefulware.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by UTV

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll

O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"

O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Vade Retro Outlook Express] "C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe"

O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - S-1-5-18 Startup: Readme.lnk = C:\Program Files\ChaosPro3.2\Readme.txt (User 'SYSTEM')

O4 - .DEFAULT Startup: Readme.lnk = C:\Program Files\ChaosPro3.2\Readme.txt (User 'Default user')

O4 - Startup: Readme.lnk = C:\Program Files\ChaosPro3.2\Readme.txt

O8 - Extra context menu item: &Search - ?p=ZUfox000

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/stg_drm.ocx

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Jigsaw%20Puzzle%20Platinum/Images/armhelper.ocx

O20 - AppInit_DLLs: C:\WINDOWS\System32\iasrecst32.dll

O20 - Winlogon Notify: 4ed8d76488 - C:\WINDOWS\System32\iasrecst32.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

 

--

End of file - 12270 bytes

 

Many thanks

 

Sue


Hi Sue

Disable Spybot's TeaTimer

  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu and select Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer

 

Please visit this webpage for download links and instructions for running the ComboFix tool:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

Please ensure you read this guide carefully and install the Recovery Console first.

 

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

 

Once installed, you should see a blue screen prompt that says:

 

The Recovery Console was successfully installed.

 

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link). Remember to re-enable them afterwards.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

 

Please include the following reports for further review, and so we may continue cleansing the system:

 

C:\ComboFix.txt

New HijackThis log.

 

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


Hi Blade

 

I really appreciate your help on this. Have done as you suggest regarding Spybot. Have also run ComboFix and below is the report:

 

ComboFix 08-11-04.02 - halibut 2008-11-05 17:43:13.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1487 [GMT 0:00]

Running from: c:\downloads\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\a3kebook.ini

c:\windows\akebook.ini

c:\windows\ANS2000.INI

c:\windows\system32\_003648_.tmp.dll

c:\windows\system32\_003649_.tmp.dll

c:\windows\system32\_003650_.tmp.dll

c:\windows\system32\_003651_.tmp.dll

c:\windows\system32\_003656_.tmp.dll

c:\windows\system32\_003657_.tmp.dll

c:\windows\system32\_003658_.tmp.dll

c:\windows\system32\_003659_.tmp.dll

c:\windows\system32\_003660_.tmp.dll

c:\windows\system32\_003661_.tmp.dll

c:\windows\system32\_003662_.tmp.dll

c:\windows\system32\_003663_.tmp.dll

c:\windows\system32\_003664_.tmp.dll

c:\windows\system32\_003665_.tmp.dll

c:\windows\system32\_003667_.tmp.dll

c:\windows\system32\_003668_.tmp.dll

c:\windows\system32\_003670_.tmp.dll

c:\windows\system32\_003671_.tmp.dll

c:\windows\system32\_003672_.tmp.dll

c:\windows\system32\_003674_.tmp.dll

c:\windows\system32\_003677_.tmp.dll

c:\windows\system32\_003678_.tmp.dll

c:\windows\system32\_003680_.tmp.dll

c:\windows\system32\_003681_.tmp.dll

c:\windows\system32\_003682_.tmp.dll

c:\windows\system32\_003683_.tmp.dll

c:\windows\system32\_003684_.tmp.dll

c:\windows\system32\_003685_.tmp.dll

c:\windows\system32\_003687_.tmp.dll

c:\windows\system32\_003688_.tmp.dll

c:\windows\system32\_003689_.tmp.dll

c:\windows\system32\_003690_.tmp.dll

c:\windows\system32\_003691_.tmp.dll

c:\windows\system32\_003692_.tmp.dll

c:\windows\system32\_003693_.tmp.dll

c:\windows\system32\_003694_.tmp.dll

c:\windows\system32\_003697_.tmp.dll

c:\windows\system32\_003698_.tmp.dll

c:\windows\system32\_003699_.tmp.dll

c:\windows\system32\_003700_.tmp.dll

c:\windows\system32\_003701_.tmp.dll

c:\windows\system32\_003702_.tmp.dll

c:\windows\system32\_003703_.tmp.dll

c:\windows\system32\_003705_.tmp.dll

c:\windows\system32\_003706_.tmp.dll

c:\windows\system32\_003707_.tmp.dll

c:\windows\system32\_003708_.tmp.dll

c:\windows\system32\_003709_.tmp.dll

c:\windows\system32\_003711_.tmp.dll

c:\windows\system32\_003714_.tmp.dll

c:\windows\system32\_003715_.tmp.dll

c:\windows\system32\_003719_.tmp.dll

c:\windows\system32\_003720_.tmp.dll

c:\windows\system32\_003722_.tmp.dll

c:\windows\system32\_003725_.tmp.dll

c:\windows\system32\_003727_.tmp.dll

c:\windows\system32\_003728_.tmp.dll

c:\windows\system32\_003729_.tmp.dll

c:\windows\system32\_003730_.tmp.dll

c:\windows\system32\_003733_.tmp.dll

c:\windows\system32\_003734_.tmp.dll

c:\windows\system32\_003735_.tmp.dll

c:\windows\system32\_003736_.tmp.dll

c:\windows\system32\_003737_.tmp.dll

c:\windows\system32\_003742_.tmp.dll

c:\windows\system32\_003744_.tmp.dll

c:\windows\system32\7.tmp

c:\windows\system32\chtbrkr32.dll

c:\windows\system32\dao350.dll

 

.

((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))

.

 

2008-11-05 16:23 . 2008-11-05 17:06 <DIR> d--hs---- c:\windows\system32\GroupPolicyManifest

2008-11-05 02:28 . 2008-11-05 02:28 0 --a------ c:\windows\system32\F8A.tmp

2008-11-05 01:41 . 2008-11-05 01:41 0 --a------ c:\windows\system32\14.tmp

2008-11-05 00:10 . 2008-11-05 00:10 0 --a------ c:\windows\system32\1E3.tmp

2008-11-05 00:00 . 2008-11-05 00:00 0 --a------ c:\windows\system32\C.tmp

2008-11-04 21:29 . 2008-11-04 21:29 0 --a------ c:\windows\system32\24.tmp

2008-11-04 01:16 . 2008-11-04 01:16 0 --a------ c:\windows\system32\60.tmp

2008-11-04 00:00 . 2008-11-04 00:00 318,976 --ahs---- c:\windows\system32\54.tmp

2008-11-03 23:59 . 2008-11-03 23:59 0 --a------ c:\windows\system32\53.tmp

2008-11-03 23:00 . 2008-11-03 23:00 318,976 --ahs---- c:\windows\system32\4C.tmp

2008-11-03 22:59 . 2008-11-03 22:59 0 --a------ c:\windows\system32\4B.tmp

2008-11-03 21:59 . 2008-11-03 22:00 318,976 --ahs---- c:\windows\system32\48.tmp

2008-11-03 21:58 . 2008-11-03 21:58 0 --a------ c:\windows\system32\47.tmp

2008-11-03 18:32 . 2008-11-03 18:33 318,976 --ahs---- c:\windows\system32\34.tmp

2008-11-03 03:37 . 2008-11-03 03:37 0 --a------ c:\windows\system32\AF7.tmp

2008-11-03 03:12 . 2008-11-03 03:12 0 --a------ c:\windows\system32\42.tmp

2008-11-03 01:59 . 2008-11-05 16:40 5,576 --a------ c:\windows\GnuHashes.ini

2008-11-03 01:51 . 2008-11-03 01:51 318,976 --ahs---- c:\windows\system32\36.tmp

2008-11-03 01:51 . 2008-11-03 01:51 131,072 --a------ c:\windows\system32\iasrecst32.dll

2008-11-03 01:51 . 2008-11-05 17:06 1,185 --ahs---- c:\windows\system32\GroupPolicy000.dat

2008-11-02 11:54 . 2007-10-26 03:34 8,460,288 --a------ c:\windows\system32\dllcache\shell32.dll

2008-11-02 02:23 . 2008-11-02 02:23 <DIR> d-------- c:\program files\Trend Micro

2008-10-10 18:13 . 2008-10-10 18:13 <DIR> d-------- d:\documents and settings\halibut\Application Data\CyberLink

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-05 17:42 --------- d-----w d:\documents and settings\halibut\Application Data\Free Download Manager

2008-11-05 17:26 --------- d-----w c:\program files\Common Files\Symantec Shared

2008-11-05 08:00 --------- d-----w d:\documents and settings\spreadie\Application Data\LimeWire

2008-11-04 22:50 --------- d-----w d:\documents and settings\halibut\Application Data\uTorrent

2008-11-03 03:37 --------- d-----w d:\documents and settings\halibut\Application Data\LimeWire

2008-10-12 05:10 --------- d-----w d:\documents and settings\All Users\Application Data\Symantec

2008-10-02 12:47 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-10-02 10:47 --------- d-----w d:\documents and settings\All Users\Application Data\Absolutist

2008-09-20 23:10 --------- d-----w d:\documents and settings\halibut\Application Data\MahJong Suite

2008-09-17 15:46 --------- d-----w c:\program files\Flickr Uploadr

2008-09-14 00:07 --------- d-----w d:\documents and settings\halibut\Application Data\Flickr

2008-09-07 22:08 --------- d-----w c:\program files\DVD Shrink

2008-09-07 22:03 --------- d-----w c:\program files\XviD

2008-09-06 17:21 --------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-09-06 11:47 --------- d-----w c:\program files\Microsoft Silverlight

2008-09-05 19:07 --------- d-----w c:\program files\UP

2008-08-29 16:40 110 ----a-w d:\documents and settings\halibut\Application Data\wklnhst.dat

2008-08-08 23:57 7,680 --sha-w c:\program files\Thumbs.db

2007-11-05 16:08 73,921 ----a-w c:\program files\back.png

2007-11-05 16:08 497 ----a-w c:\program files\config.xml

2007-11-05 16:08 3,961 ----a-w c:\program files\config.png

2007-11-05 16:08 2,934 ----a-w c:\program files\close.png

2007-11-05 16:08 2,527 ----a-w c:\program files\save.png

2007-11-05 16:08 12,497 ----a-w c:\program files\index.html

2007-11-05 16:08 1,029 ----a-w c:\program files\icon.png

2007-01-19 12:20 9,829,367 ----a-w c:\program files\uesetup.exe

2006-12-19 22:28 1,913,285 ----a-w c:\program files\ehck_setup.exe

2006-10-09 03:36 2,855,080 ----a-w c:\program files\aawsepersonal.exe

2006-10-09 02:20 1,321,432 ----a-w c:\program files\noadware.exe

2005-10-05 08:23 1,800,518 ----a-w c:\program files\setup.exe

2005-10-04 13:59 420 ----a-w c:\program files\file_id.diz

1999-05-04 00:22 364 ----a-w c:\program files\HISTORY.TXT

1999-05-04 00:02 976,896 ----a-w c:\program files\NEWLINES.EXE

1999-05-03 19:07 10,669 ----a-w c:\program files\NEWLINES.HLP

1999-04-30 17:21 536 ----a-w c:\program files\SELECT.WAV

1998-10-22 00:00 1,192 ----a-w c:\program files\MOVE.WAV

1997-05-07 22:29 1,243,985 ----a-w c:\program files\FRACTINT.EXE

1997-05-06 19:37 12,692 ----a-w c:\program files\IF_ELSE.TXT

1997-05-04 15:23 7,147 ----a-w c:\program files\PHCTUTOR.FRM

1997-05-04 13:28 3,529 ----a-w c:\program files\DEMO.BAT

1997-05-04 13:27 34,865 ----a-w c:\program files\FRACTINT.FRM

1997-05-04 13:26 21,891 ----a-w c:\program files\PHCTUTOR.TXT

1997-05-03 22:43 14,601 ----a-w c:\program files\FRACTINT.CFG

1997-05-03 20:08 1,604 ----a-w c:\program files\NEW19-6.KEY

1997-05-03 19:50 26,139 ----a-w c:\program files\FRACT196.FRM

1997-05-03 18:38 16,005 ----a-w c:\program files\FRACT19.PAR

1997-05-03 18:35 18,450 ----a-w c:\program files\FRACTINT.PAR

1997-05-03 08:18 322 ----a-w c:\program files\READ.ME

1997-04-25 19:27 11,323 ----a-w c:\program files\FRACT19.BAT

1997-04-23 00:47 11,921 ----a-w c:\program files\FRACTINT.L

1997-03-30 12:58 40,576 ----a-w c:\program files\FRMTUT.ZIP

1996-08-26 12:59 1,496 ----a-w c:\program files\NEW19-4.KEY

1996-08-26 12:55 863 ----a-w c:\program files\NEW19-5.KEY

1996-08-25 14:16 2,013 ----a-w c:\program files\TRU.C

1996-08-25 14:15 3,338 ----a-w c:\program files\DEBUGFLA.DOC

1996-07-20 18:44 601 ----a-w c:\program files\DEMO.PAR

1996-04-21 23:28 1,189 ----a-w c:\program files\MUSIC.PAR

1996-04-21 22:24 4,843 ----a-w c:\program files\FRACT18.PAR

1996-04-18 22:05 537 ----a-w c:\program files\FRACTINT.DOC

1996-02-15 18:22 5,728 ----a-w c:\program files\ADD.WAV

1995-03-10 23:32 584 ----a-w c:\program files\SSCHOICE.EXE

1995-03-10 15:57 5,504 ----a-w c:\program files\PENROSE.L

1995-03-08 22:01 2,338 ----a-w c:\program files\NEW19.KEY

1995-03-08 22:01 1,865 ----a-w c:\program files\ADVANCED.KEY

1995-03-08 10:09 5,863 ----a-w c:\program files\FRACTINT.IFS

1995-02-05 15:25 1,273 ----a-w c:\program files\BASIC.KEY

1994-09-24 21:53 3,583 ----a-w c:\program files\TILING.L

1993-09-27 09:27 2,976 ----a-w c:\program files\END.WAV

1993-05-19 20:25 4,487 ----a-w c:\program files\CELLULAR.PAR

1993-05-19 18:06 539 ----a-w c:\program files\PHOENIX.PAR

1993-03-25 22:58 12,416 ----a-w c:\program files\ICONS.PAR

1993-03-22 18:53 1,672 ----a-w c:\program files\REMOVE.WAV

1993-01-20 22:47 3,328 ----a-w c:\program files\FROTH6.MAP

1993-01-20 22:47 208 ----a-w c:\program files\FROTH616.MAP

1993-01-12 19:31 14,054 ----a-w c:\program files\SIMPLGIF.EXE

1992-12-15 19:30 208 ----a-w c:\program files\FROTH316.MAP

1992-12-15 19:27 3,328 ----a-w c:\program files\FROTH3.MAP

1992-02-14 12:04 2,613 ----a-w c:\program files\LYAPUNOV.PAR

1991-10-08 16:09 3,328 ----a-w c:\program files\LYAPUNOV.MAP

1991-02-03 05:59 4,864 ----a-w c:\program files\TPLUS.DAT

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-05 7323648]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-01-05 86016]

"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-08 57344]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]

"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 188416]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-04-27 26112]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-11-14 286720]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-25 28672]

"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 90112]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2007-08-25 714608]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"Vade Retro Outlook Express"="c:\progra~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe" [2004-10-04 310272]

"Device Detector"="c:\program files\Common Files\ACD Systems\EN\DevDetect.exe" [2004-09-02 221184]

"nwiz"="nwiz.exe" [2006-01-05 c:\windows\system32\nwiz.exe]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]

"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 c:\windows\RTHDCPL.EXE]

"SMSERIAL"="sm56hlpr.exe" [2005-10-18 c:\windows\sm56hlpr.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

"msacm.mpegacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\mpegacm.acm

"VIDC.ACDV"= ACDV.dll

 

[HKLM\~\startupfolder\D:^Documents and Settings^halibut^Start Menu^Programs^Startup^ChaosPro Help.lnk]

path=d:\documents and settings\halibut\Start Menu\Programs\Startup\ChaosPro Help.lnk

backup=c:\windows\pss\ChaosPro Help.lnkStartup

 

[HKLM\~\startupfolder\D:^Documents and Settings^halibut^Start Menu^Programs^Startup^ChaosPro.lnk]

path=d:\documents and settings\halibut\Start Menu\Programs\Startup\ChaosPro.lnk

backup=c:\windows\pss\ChaosPro.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AOL 9.0\\aol.exe"=

"c:\\Program Files\\AOL 9.0\\waol.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%ProgramFiles%\\AOL 9.0\\aol.exe"=

"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=

"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=

"%windir%\\system32\\sessmgr.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)

"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)

"6346:TCP"= 6346:TCP:Gnutella

 

R2 cvintdrv;cvintdrv;c:\windows\system32\drivers\cvintdrv.sys [2004-07-26 7140]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]

R3 3xHybrid;3xHybrid service;c:\windows\system32\DRIVERS\3xHybrid.sys [2005-05-27 799744]

R3 X10Hid;X10 Hid Device;c:\windows\system32\Drivers\x10hid.sys [2005-11-28 7040]

S3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]

S3 USB28xxBGA;WinTV HVR-900;c:\windows\system32\DRIVERS\emBDA.sys [2006-06-06 281600]

S3 USB28xxOEM;WinTV OEM Filter;c:\windows\system32\DRIVERS\emOEM.sys [2006-06-01 21376]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22693ef6-a4e4-11dc-8170-00038a000015}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22693ef8-a4e4-11dc-8170-00038a000015}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{314f4780-a59d-11dc-8179-0014857c1834}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2754833-a548-11dc-8173-0014857c1834}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f79ef5fc-a278-11dc-8167-00038a000015}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f79ef5fe-a278-11dc-8167-00038a000015}]

\Shell\AutoRun\command - J:\AutoRun.exe

.

Contents of the 'Scheduled Tasks' folder

 

2008-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

 

2008-10-27 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - halibut.job

- c:\program files\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]

.

- - - - ORPHANS REMOVED - - - -

 

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

Notify-4ed8d76502 - c:\windows\System32\chtbrkr32.dll

Notify-dimsntfy - (no file)

MSConfigStartUp-Run - c:\scanner\EXE16\AM.EXE

MSConfigStartUp-Webcam Concepts - c:\program files\Webcam Concepts\webcamconcepts.exe

 

 

.

------- Supplementary Scan -------

.

FireFox -: Profile - d:\documents and settings\halibut\Application Data\Mozilla\Firefox\Profiles\euib9end.default\

FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll

FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll

FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll

FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-05 17:48:19

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

c:\program files\Common Files\Symantec Shared\SPBBC\2008-11-05-54c8.kc

 

scan completed successfully

hidden files: 1

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\CDBurnerXP\NMSAccess.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\progra~1\COMMON~1\X10\Common\X10nets.exe

c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\ehome\ehmsas.exe

c:\apps\ABOARD\AOSD.EXE

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2008-11-05 17:51:06 - machine was rebooted

ComboFix-quarantined-files.txt 2008-11-05 17:50:56

 

Pre-Run: 14,007,078,912 bytes free

Post-Run: 13,938,262,016 bytes free

 

345 --- E O F --- 2008-11-02 15:53:47

 

 

 

Many thanks

 

Sue

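For readers working through ComboFix reports like the two posted in this thread, here is an added example of an offline triage script. It is not ComboFix's code and not from any poster; it reads the plain-text sections ComboFix writes (the "Files Created" listing and the "Reg Loading Points" dump) and pulls out what a responder checks first: hidden+system files dropped into system32, groups of files sharing one size, the Windows Firewall switched off, Security Center monitoring disabled, globally open ports, and AutoRun commands recorded under mountpoints2. SAMPLE_LOG is a constructed excerpt modelled on lines from this thread's logs; the section layout and attribute-string conventions it relies on are those visible in the posted reports.

```python
"""Offline triage of a ComboFix report (added example, not ComboFix's code)."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
2008-11-05 16:23 . 2008-11-05 17:06 <DIR> d--hs---- c:\windows\system32\GroupPolicyManifest
2008-11-04 00:00 . 2008-11-04 00:00 318,976 --ahs---- c:\windows\system32\54.tmp
2008-11-03 23:00 . 2008-11-03 23:00 318,976 --ahs---- c:\windows\system32\4C.tmp
2008-11-03 01:51 . 2008-11-03 01:51 131,072 --a------ c:\windows\system32\iasrecst32.dll
2008-11-03 01:51 . 2008-11-05 17:06 1,185 --ahs---- c:\windows\system32\GroupPolicy000.dat
2008-11-02 02:23 . 2008-11-02 02:23 <DIR> d-------- c:\program files\Trend Micro
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"6346:TCP"= 6346:TCP:Gnutella
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22693ef6-a4e4-11dc-8170-00038a000015}]
\Shell\AutoRun\command - J:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f79ef5fe-a278-11dc-8167-00038a000015}]
\Shell\AutoRun\command - J:\AutoRun.exe
"""

# "created . modified size attrs path"; attrs is a 9-char flag string (d,r,a,h,s,...).
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (<DIR>|[\d,]+) (\S{9}) (.+)$"
)
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=\s*(.*)$')
AUTORUN_LINE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")


def parse_files(text):
    """Yield (size_or_None, attrs, path) for every Files Created entry."""
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            size = None if m.group(3) == "<DIR>" else int(m.group(3).replace(",", ""))
            yield size, m.group(4), m.group(5)


def parse_registry(text):
    """Yield (key, name, value); mountpoints2 AutoRun lines come back as name 'AutoRun'."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2).strip()
            continue
        m = AUTORUN_LINE.match(line)
        if m and key:
            yield key, "AutoRun", m.group(1).strip()


def triage_combofix(text):
    """Return a dict of findings a responder would want to look at first."""
    findings = {
        "hidden_system_files": [],
        "size_clusters": {},
        "firewall_disabled": False,
        "security_center_monitoring_disabled": [],
        "open_ports": [],
        "autorun_mountpoints": [],
    }
    by_size = defaultdict(list)
    for size, attrs, path in parse_files(text):
        # Both 'h' (hidden) and 's' (system) set on a brand-new file under
        # system32 is the pattern the .tmp drops in this thread show.
        if "h" in attrs and "s" in attrs and "\\windows\\system32\\" in path.lower():
            findings["hidden_system_files"].append(path)
        if size is not None:
            by_size[size].append(path)
    # Several fresh files of exactly the same size usually share one dropper.
    findings["size_clusters"] = {s: p for s, p in by_size.items() if len(p) > 1}

    for key, name, value in parse_registry(text):
        k = key.lower()
        if k.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall":
            findings["firewall_disabled"] = value.split()[0] == "0"
        elif "\\security center\\monitoring" in k and name == "DisableMonitoring":
            if int(value.split(":")[1], 16) == 1:          # dword:00000001
                findings["security_center_monitoring_disabled"].append(key.rsplit("\\", 1)[1])
        elif k.endswith("globallyopenports\\list"):
            port, proto, label = value.split(":", 2)        # "6346:TCP:Gnutella"
            findings["open_ports"].append((int(port), proto, label))
        elif "\\mountpoints2\\" in k and name == "AutoRun":
            findings["autorun_mountpoints"].append((key.rsplit("\\", 1)[1], value))
    return findings


if __name__ == "__main__":
    for name, value in triage_combofix(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Run it against a saved ComboFix.txt by reading the file into `triage_combofix`; the mountpoints2 entries tell you which removable volumes had an AutoRun command recorded, and the firewall and Security Center findings explain why the machine showed none of the usual warnings.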

Hi again,

 

 

Let's do some closer analysis before removing anything.

 

 

Show hidden files

-----------------

* Click Start.

* Open My Computer.

* Select the Tools menu and click Folder Options.

* Select the View Tab.

* Under the Hidden files and folders heading select Show hidden files and folders.

* Uncheck the Hide protected operating system files (recommended) option.

* Click Yes to confirm.

* Click OK.

 

 

Upload following files to http://www.virustotal.com and post back the results:

c:\windows\GnuHashes.ini

c:\windows\system32\iasrecst32.dll

c:\windows\system32\GroupPolicy000.dat

 

 

 

Open notepad and copy/paste the text in the quotebox below into it:

 

DirLook::
c:\windows\system32\GroupPolicyManifest

 

 

Save this as

CFScript

 

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

 

CFScriptB-4.gif

 

Referring to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log.

 

 

ComboFix should never take more than 20 minutes including the reboot if malware is detected.

If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.

If that happened we want to know, and also what process you had to end.

 

 

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

 

Double-click ATF Cleaner.exe to open it

 

Under Main choose:

Windows Temp

Current User Temp

All Users Temp

Cookies

Temporary Internet Files

Prefetch

Java Cache

*The other boxes are optional*

Then click the Empty Selected button.

 

If you use Firefox:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

 

If you use Opera:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

 

Click Exit on the Main menu to close the program.

 

 

Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.

 

 

Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.


Hi Blade

 

My computer is working much better since running Combofix. I have run those files in virustotal.com but am having trouble posting the results here. I'll try again.

 

All the best.

 

Sue


Ok, seems to be working now so here are the first lot of reports from virustotal.com:

 

This is the GnuHashes.ini report

 

Antivirus Version Last Update Result

AhnLab-V3 2008.11.5.3 2008.11.06 -

AntiVir 7.9.0.26 2008.11.06 -

Authentium 5.1.0.4 2008.11.06 -

Avast 4.8.1248.0 2008.11.05 -

AVG 8.0.0.161 2008.11.06 -

BitDefender 7.2 2008.11.06 -

CAT-QuickHeal 9.50 2008.11.04 -

ClamAV 0.94.1 2008.11.06 -

DrWeb 4.44.0.09170 2008.11.06 -

eSafe 7.0.17.0 2008.11.05 -

eTrust-Vet 31.6.6194 2008.11.06 -

Ewido 4.0 2008.11.06 -

F-Prot 4.4.4.56 2008.11.06 -

F-Secure 8.0.14332.0 2008.11.06 -

Fortinet 3.117.0.0 2008.11.05 -

GData 19 2008.11.06 -

Ikarus T3.1.1.45.0 2008.11.06 -

K7AntiVirus 7.10.517 2008.11.05 -

Kaspersky 7.0.0.125 2008.11.06 -

McAfee 5425 2008.11.05 -

Microsoft 1.4005 2008.11.06 -

NOD32 3590 2008.11.06 -

Norman 5.80.02 2008.11.06 -

Panda 9.0.0.4 2008.11.05 -

PCTools 4.4.2.0 2008.11.06 -

Prevx1 V2 2008.11.06 -

Rising 21.02.32.00 2008.11.06 -

SecureWeb-Gateway 6.7.6 2008.11.06 -

Sophos 4.35.0 2008.11.06 -

Sunbelt 3.1.1783.2 2008.11.05 -

Symantec 10 2008.11.06 -

TheHacker 6.3.1.1.141 2008.11.05 -

TrendMicro 8.700.0.1004 2008.11.06 -

VBA32 3.12.8.9 2008.11.05 -

ViRobot 2008.11.6.1455 2008.11.06 -

VirusBuster 4.5.11.0 2008.11.05 -

Additional information

File size: 5576 bytes

MD5...: 4ba99119a0f9cbb5aa42c1c339e2e2ea

SHA1..: dd11bf12fa660ab58c14970c9becd06a91f8e516

SHA256: 6d5b0bbbd4ac872116c80693e90351a23b76c3de090e0f3420877540f2d29ac6

SHA512: 4a01ec5d8f61fb04cbd13394a07328933a87e943999a24e14f47750876124618f552709bccb10db614957b7ae0af69aa625abf973ff53a68cc9dd693d5af13b8

PEiD..: -

TrID..: File type identification

Unknown!

PEInfo: -

 

This is the iasrecst32.dll report:

 

Antivirus Version Last Update Result

AhnLab-V3 2008.11.5.3 2008.11.06 Win-Trojan/Agent.131072.DJ

AntiVir 7.9.0.26 2008.11.06 TR/Spy.Gen

Authentium 5.1.0.4 2008.11.06 W32/Heuristic-KPP!Eldorado

Avast 4.8.1248.0 2008.11.05 Win32:Spyware-gen

AVG 8.0.0.161 2008.11.06 Agent.AHMM

BitDefender 7.2 2008.11.06 Trojan.Downloader.Agent.ZUQ

CAT-QuickHeal 9.50 2008.11.04 TrojanDownloader.Agent.alqz

ClamAV 0.94.1 2008.11.06 -

DrWeb 4.44.0.09170 2008.11.06 DLOADER.Trojan

eSafe 7.0.17.0 2008.11.05 Win32.Agent.alqz

eTrust-Vet 31.6.6193 2008.11.05 Win32/Vundo.BCD

Ewido 4.0 2008.11.06 -

F-Prot 4.4.4.56 2008.11.06 W32/Heuristic-KPP!Eldorado

F-Secure 8.0.14332.0 2008.11.06 Trojan-Downloader.Win32.Agent.alqz

Fortinet 3.117.0.0 2008.11.05 W32/Agent.ALQZ!tr.dldr

GData 19 2008.11.06 Trojan.Downloader.Agent.ZUQ

Ikarus T3.1.1.45.0 2008.11.06 -

K7AntiVirus 7.10.517 2008.11.05 Trojan-Downloader.Win32.Agent.alqz

Kaspersky 7.0.0.125 2008.11.06 Trojan-Downloader.Win32.Agent.alqz

McAfee 5425 2008.11.05 Generic Downloader.x

Microsoft 1.4005 2008.11.06 Trojan:Win32/Vundo.IZ

NOD32 3590 2008.11.06 a variant of Win32/Agent.OAF

Norman 5.80.02 2008.11.06 W32/Agent.JBPQ

Panda 9.0.0.4 2008.11.05 Trj/Downloader.MDW

PCTools 4.4.2.0 2008.11.06 -

Prevx1 V2 2008.11.06 Password Stealer

Rising 21.02.32.00 2008.11.06 Trojan.Win32.Undef.sni

SecureWeb-Gateway 6.7.6 2008.11.06 Trojan.Spy.Gen

Sophos 4.35.0 2008.11.06 Mal/Behav-027

Sunbelt 3.1.1783.2 2008.11.05 Trojan-Downloader.Win32.Agent.alqz

Symantec 10 2008.11.06 -

TheHacker 6.3.1.1.141 2008.11.05 -

TrendMicro 8.700.0.1004 2008.11.06 -

ViRobot 2008.11.6.1455 2008.11.06 Trojan.Win32.Downloader.131072.S

VirusBuster 4.5.11.0 2008.11.05 -

Additional information

File size: 131072 bytes

MD5...: d5cca308740743eb4a1aebe784285736

SHA1..: 3f9eab065cd0434e0222bb3d9b845c2475c5b633

SHA256: 1acaa1d7e54b08d4347346dbfe7fae7f5cf6de7c6890965dd05d89d4ad14d168

SHA512: c2e48eeab12a6a545936c4222c911dba27856f805b659d93815c46d4f0d269f442099fb906c44c487f562cb96275f38933f4b96ff1a99f046524ff88124aa3c4

PEiD..: -

TrID..: File type identification

Win32 Executable Generic (42.3%)

Win32 Dynamic Link Library (generic) (37.6%)

Generic Win/DOS Executable (9.9%)

DOS Executable Generic (9.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

PEInfo: PE Structure information

 

( base data )

entrypointaddress.: 0x10001fc1

timedatestamp.....: 0x48fe1d7b (Tue Oct 21 18:20:43 2008)

machinetype.......: 0x14c (I386)

 

( 4 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x14bd0 0x15000 6.56 3e54f0ce95a495233acd9d3fbfbc078c

.rdata 0x16000 0x62e9 0x7000 6.20 bdb010647a04bd22282bcbd9e8f19f1e

.data 0x1d000 0x1478 0x1000 1.99 f44707b9c1a51d74b13dde04705a91f2

.reloc 0x1f000 0x1a4e 0x2000 5.79 2c7d0c1f74de957dae2eca1e47481934

 

( 11 imports )

> ntdll.dll: _snprintf, _strnicmp, strlen, strstr, _stricmp, memcmp, atoi, _itoa, memcpy, _ultoa, tolower, memset, _chkstk, _allmul, _alldiv

> msvcrt.dll: strtok

> WS2_32.dll: -, -, WSAIoctl, -, WSAGetOverlappedResult, -, WSACreateEvent, -, WSAWaitForMultipleEvents, WSASend, WSASocketW, -, -, -, -, -, -, WSARecv

> WININET.dll: InternetCloseHandle, InternetOpenUrlA, InternetSetOptionA, InternetConnectA, HttpAddRequestHeadersA, HttpOpenRequestA, HttpSendRequestA, InternetOpenA, HttpQueryInfoA, InternetReadFile

> OLEAUT32.dll: -, -

> SHLWAPI.dll: PathFileExistsA

> KERNEL32.dll: EnterCriticalSection, GetVolumeInformationA, GetWindowsDirectoryA, GetFileTime, SetNamedPipeHandleState, HeapAlloc, GetSystemDirectoryA, GetVersionExA, FindClose, RemoveDirectoryA, TransactNamedPipe, HeapSetInformation, HeapCreate, FindFirstFileA, HeapDestroy, HeapFree, WaitNamedPipeA, FindNextFileA, FreeLibrary, CreateFileMappingA, OpenFileMappingA, UnmapViewOfFile, MapViewOfFile, ExitProcess, GetFileAttributesExA, SetFileAttributesA, CreateDirectoryA, TlsGetValue, TlsAlloc, CreateEventA, TlsSetValue, ProcessIdToSessionId, Process32Next, Process32First, WriteProcessMemory, VirtualAllocEx, Thread32Next, GetModuleHandleA, Thread32First, CreateToolhelp32Snapshot, InterlockedIncrement, InterlockedDecrement, GetCurrentThreadId, GetProcAddress, CloseHandle, OpenThread, GetCurrentProcessId, lstrcpyA, CreateFileA, WaitForMultipleObjects, GetFileSize, ReadFile, GetModuleFileNameA, GetModuleFileNameW, InitializeCriticalSection, ResetEvent, lstrcatA, GetLocalTime, WaitForSingleObject, OpenMutexA, InterlockedCompareExchange, CreateMutexA, lstrlenA, SetEvent, TerminateThread, OutputDebugStringA, Sleep, DuplicateHandle, GetExitCodeThread, ReleaseMutex, FlushFileBuffers, OpenEventA, SetUnhandledExceptionFilter, LeaveCriticalSection, GetCurrentThread, VirtualFree, GetFileInformationByHandle, GetLastError, SystemTimeToFileTime, lstrcmpiA, GetSystemTime, GetCurrentProcess, WriteFile, CreateThread, VirtualFreeEx, DisconnectNamedPipe, CreateNamedPipeA, ConnectNamedPipe, PeekNamedPipe, GetTempPathA, lstrcmpA, SetFilePointer, SetEndOfFile, GetTempFileNameA, DeleteCriticalSection, SetThreadContext, VirtualProtect, FlushInstructionCache, VirtualQuery, VirtualAlloc, SuspendThread, ResumeThread, GetThreadContext, SetLastError, lstrcmpW, MultiByteToWideChar, GetTickCount, DeleteFileA, CreateProcessA, GetFileAttributesA, LoadLibraryA, CreateRemoteThread, OpenProcess

> USER32.dll: SetForegroundWindow, ShowWindow, PeekMessageA, WaitForInputIdle, MsgWaitForMultipleObjects, GetSystemMetrics, wsprintfA, DispatchMessageA

> ADVAPI32.dll: ChangeServiceConfigA, RegDeleteKeyA, OpenSCManagerA, RegCreateKeyExA, CloseServiceHandle, OpenServiceA, ControlService, RegQueryValueExA, RegQueryInfoKeyA, RegEnumKeyExA, RegSetValueExA, RegCloseKey, RegOpenKeyExA

> SHELL32.dll: ShellExecuteA, SHGetFolderPathA

> ole32.dll: CoUninitialize, CoInitializeEx, CoCreateInstance

 

( 2 exports )

DllGetClassObject, EventStartup

Prevx info: http://info.prevx.com/aboutprogramtext.asp...73B6600F5466C37

 

This is the GroupPolicy000.dat report:

 

Antivirus Version Last Update Result

AhnLab-V3 2008.11.5.3 2008.11.06 -

AntiVir 7.9.0.26 2008.11.06 -

Authentium 5.1.0.4 2008.11.06 -

Avast 4.8.1248.0 2008.11.05 -

AVG 8.0.0.161 2008.11.06 -

BitDefender 7.2 2008.11.06 -

CAT-QuickHeal 9.50 2008.11.04 -

ClamAV 0.94.1 2008.11.06 -

DrWeb 4.44.0.09170 2008.11.06 -

eSafe 7.0.17.0 2008.11.05 -

eTrust-Vet 31.6.6194 2008.11.06 -

Ewido 4.0 2008.11.06 -

F-Prot 4.4.4.56 2008.11.06 -

F-Secure 8.0.14332.0 2008.11.06 -

Fortinet 3.117.0.0 2008.11.05 -

GData 19 2008.11.06 -

Ikarus T3.1.1.45.0 2008.11.06 -

K7AntiVirus 7.10.517 2008.11.05 -

Kaspersky 7.0.0.125 2008.11.06 -

McAfee 5425 2008.11.05 -

Microsoft 1.4005 2008.11.06 -

NOD32 3590 2008.11.06 -

Norman 5.80.02 2008.11.06 -

Panda 9.0.0.4 2008.11.05 -

PCTools 4.4.2.0 2008.11.06 -

Prevx1 V2 2008.11.06 -

Rising 21.02.32.00 2008.11.06 -

SecureWeb-Gateway 6.7.6 2008.11.06 -

Sophos 4.35.0 2008.11.06 -

Sunbelt 3.1.1783.2 2008.11.05 -

Symantec 10 2008.11.06 -

TheHacker 6.3.1.1.141 2008.11.05 -

TrendMicro 8.700.0.1004 2008.11.06 -

VBA32 3.12.8.9 2008.11.05 -

ViRobot 2008.11.6.1455 2008.11.06 -

VirusBuster 4.5.11.0 2008.11.05 -

Additional information

File size: 1185 bytes

MD5...: 221677eb16ba2736343264b4fa6a66a7

SHA1..: 3a427c2cc80c52f0e591ace1fc515240897ee3fe

SHA256: fb53741c0af29a236ce3b975b5fbb0b3bec75a3aaa2706cf4bcbd8bd53aff638

SHA512: 8e6c28a833a5ee7546eef13db928a0de33858fa8a9df8154280332822c34daf659720a3bcd78852946d23512a64644c09261c6b31cd4c2c034dbcd443dec3c1e

PEiD..: -

TrID..: File type identification

Unknown!

PEInfo: -

 

 

More to follow.

 

Many thanks

Sue

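The iasrecst32.dll report above is worth more than its detection count: the PEInfo import list (OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, SetThreadContext, the WININET Http* calls, ChangeServiceConfigA) says what the file can do regardless of what each vendor named it. As an added example, not VirusTotal's code and not from any poster, here is a small Python script that parses a VirusTotal plaintext report in the format pasted here, computes the detection ratio, and maps the imported Win32 APIs to capability groups. The groups and their hit thresholds are this example's own heuristic, not a vendor taxonomy; SAMPLE_REPORT is a constructed excerpt modelled on the iasrecst32.dll report.

```python
"""Offline triage of a VirusTotal plaintext report (added example)."""
import re

# Constructed excerpt modelled on the iasrecst32.dll report in this thread.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.11.5.3 2008.11.06 Win-Trojan/Agent.131072.DJ
AntiVir 7.9.0.26 2008.11.06 TR/Spy.Gen
ClamAV 0.94.1 2008.11.06 -
Kaspersky 7.0.0.125 2008.11.06 Trojan-Downloader.Win32.Agent.alqz
Microsoft 1.4005 2008.11.06 Trojan:Win32/Vundo.IZ
Prevx1 V2 2008.11.06 Password Stealer
Symantec 10 2008.11.06 -
Additional information
File size: 131072 bytes
( 5 imports )
> WS2_32.dll: -, -, WSAIoctl, WSASend, WSARecv
> WININET.dll: InternetOpenUrlA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile
> KERNEL32.dll: OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, SetThreadContext, CreateToolhelp32Snapshot, Process32Next
> ADVAPI32.dll: ChangeServiceConfigA, RegSetValueExA, OpenSCManagerA
> SHELL32.dll: ShellExecuteA
"""

# engine  version  yyyy.mm.dd  result (result may contain spaces, "-" = clean)
ENGINE_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
# "> DLL: api, api, -"  ("-" marks an import by ordinal with no name)
IMPORT_LINE = re.compile(r"^>\s*([^:]+):\s*(.*)$")

# Heuristic capability groups: (minimum distinct hits, APIs in the pattern).
# Thresholds are this example's own; they are deliberately strict for injection.
CAPABILITIES = {
    "process_injection": (4, {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}),
    "thread_hijacking": (3, {"OpenThread", "SuspendThread", "GetThreadContext", "SetThreadContext", "ResumeThread"}),
    "process_enumeration": (2, {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}),
    "http_client": (2, {"InternetOpenA", "InternetOpenUrlA", "HttpOpenRequestA", "HttpSendRequestA", "InternetReadFile"}),
    "raw_sockets": (2, {"WSASocketW", "WSASend", "WSARecv", "WSAIoctl"}),
    "service_tampering": (2, {"OpenSCManagerA", "OpenServiceA", "ChangeServiceConfigA", "ControlService"}),
    "registry_persistence": (2, {"RegCreateKeyExA", "RegSetValueExA"}),
    "launch_program": (1, {"CreateProcessA", "ShellExecuteA"}),
}


def parse_detections(text):
    """Return (detected, total, {engine: detection name}) from the engine table."""
    in_table, total, hits = False, 0, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Antivirus Version"):
            in_table = True
            continue
        if line.startswith("Additional information"):
            break
        m = ENGINE_LINE.match(line) if in_table else None
        if not m:
            continue
        total += 1
        engine, result = m.group(1), m.group(4).strip()
        if result != "-":
            hits[engine] = result
    return len(hits), total, hits


def parse_imports(text):
    """Return {dll (lower-case): [named APIs]} from the PEInfo import lines."""
    imports = {}
    for raw in text.splitlines():
        m = IMPORT_LINE.match(raw.strip())
        if not m:
            continue
        apis = [a.strip() for a in m.group(2).split(",")]
        imports[m.group(1).strip().lower()] = [a for a in apis if a and a != "-"]
    return imports


def capabilities(imports, rules=CAPABILITIES):
    """Map imported APIs to the capability groups that reach their threshold."""
    present = {api for apis in imports.values() for api in apis}
    found = {}
    for group, (min_hits, apis) in rules.items():
        matched = sorted(present & apis)
        if len(matched) >= min_hits:
            found[group] = matched
    return found


def triage(text):
    """Combine detection ratio and import-derived capabilities into one summary."""
    detected, total, names = parse_detections(text)
    return {
        "detected": detected,
        "total": total,
        "names": names,
        "capabilities": capabilities(parse_imports(text)),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"{summary['detected']}/{summary['total']} engines flagged the file")
    for group, apis in summary["capabilities"].items():
        print(f"  {group}: {', '.join(apis)}")
```

The point of the capability view is that a clean verdict from a few engines (ClamAV and Symantec here) does not outweigh a complete remote-thread injection import set plus HTTP download and service-reconfiguration calls in one 128 KB DLL dropped into system32.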

Hi Blade

 

Below is the Combofix report (after dragging CFScript into it)

 

ComboFix 08-11-04.02 - halibut 2008-11-06 14:14:57.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1454 [GMT 0:00]

Running from: c:\downloads\ComboFix.exe

Command switches used :: d:\documents and settings\halibut\My Documents\CFScript.txt

* Created a new restore point

.

 

((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))

.

 

2008-11-05 16:23 . 2008-11-05 17:06 <DIR> d--hs---- c:\windows\system32\GroupPolicyManifest

2008-11-05 02:28 . 2008-11-05 02:28 0 --a------ c:\windows\system32\F8A.tmp

2008-11-05 01:41 . 2008-11-05 01:41 0 --a------ c:\windows\system32\14.tmp

2008-11-05 00:10 . 2008-11-05 00:10 0 --a------ c:\windows\system32\1E3.tmp

2008-11-05 00:00 . 2008-11-05 00:00 0 --a------ c:\windows\system32\C.tmp

2008-11-04 21:29 . 2008-11-04 21:29 0 --a------ c:\windows\system32\24.tmp

2008-11-04 01:16 . 2008-11-04 01:16 0 --a------ c:\windows\system32\60.tmp

2008-11-04 00:00 . 2008-11-04 00:00 318,976 --ahs---- c:\windows\system32\54.tmp

2008-11-03 23:59 . 2008-11-03 23:59 0 --a------ c:\windows\system32\53.tmp

2008-11-03 23:00 . 2008-11-03 23:00 318,976 --ahs---- c:\windows\system32\4C.tmp

2008-11-03 22:59 . 2008-11-03 22:59 0 --a------ c:\windows\system32\4B.tmp

2008-11-03 21:59 . 2008-11-03 22:00 318,976 --ahs---- c:\windows\system32\48.tmp

2008-11-03 21:58 . 2008-11-03 21:58 0 --a------ c:\windows\system32\47.tmp

2008-11-03 18:32 . 2008-11-03 18:33 318,976 --ahs---- c:\windows\system32\34.tmp

2008-11-03 03:37 . 2008-11-03 03:37 0 --a------ c:\windows\system32\AF7.tmp

2008-11-03 03:12 . 2008-11-03 03:12 0 --a------ c:\windows\system32\42.tmp

2008-11-03 01:59 . 2008-11-05 16:40 5,576 --a------ c:\windows\GnuHashes.ini

2008-11-03 01:51 . 2008-11-03 01:51 318,976 --ahs---- c:\windows\system32\36.tmp

2008-11-03 01:51 . 2008-11-03 01:51 131,072 --a------ c:\windows\system32\iasrecst32.dll

2008-11-03 01:51 . 2008-11-05 17:06 1,185 --ahs---- c:\windows\system32\GroupPolicy000.dat

2008-11-02 11:54 . 2007-10-26 03:34 8,460,288 --a------ c:\windows\system32\dllcache\shell32.dll

2008-11-02 02:23 . 2008-11-02 02:23 <DIR> d-------- c:\program files\Trend Micro

2008-10-10 18:13 . 2008-10-10 18:13 <DIR> d-------- d:\documents and settings\halibut\Application Data\CyberLink

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-06 13:57 --------- d-----w d:\documents and settings\halibut\Application Data\Free Download Manager

2008-11-06 07:15 --------- d-----w d:\documents and settings\spreadie\Application Data\LimeWire

2008-11-06 00:09 --------- d-----w d:\documents and settings\halibut\Application Data\uTorrent

2008-11-05 17:26 --------- d-----w c:\program files\Common Files\Symantec Shared

2008-11-03 03:37 --------- d-----w d:\documents and settings\halibut\Application Data\LimeWire

2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll

2008-10-12 05:10 --------- d-----w d:\documents and settings\All Users\Application Data\Symantec

2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll

2008-10-02 12:47 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-10-02 10:47 --------- d-----w d:\documents and settings\All Users\Application Data\Absolutist

2008-09-20 23:10 --------- d-----w d:\documents and settings\halibut\Application Data\MahJong Suite

2008-09-17 15:46 --------- d-----w c:\program files\Flickr Uploadr

2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys

2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\dllcache\win32k.sys

2008-09-14 00:07 --------- d-----w d:\documents and settings\halibut\Application Data\Flickr

2008-09-07 22:08 --------- d-----w c:\program files\DVD Shrink

2008-09-07 22:03 --------- d-----w c:\program files\XviD

2008-09-06 17:21 --------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-09-06 11:47 --------- d-----w c:\program files\Microsoft Silverlight

2008-08-29 16:40 110 ----a-w d:\documents and settings\halibut\Application Data\wklnhst.dat

2008-08-28 10:04 333,056 ----a-w c:\windows\system32\dllcache\srv.sys

2008-08-27 08:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll

2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe

2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe

2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe

2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll

2008-08-14 09:57 2,185,984 ----a-w c:\windows\system32\dllcache\ntoskrnl.exe

2008-08-14 09:55 2,142,720 ----a-w c:\windows\system32\ntoskrnl.exe

2008-08-14 09:55 2,142,720 ----a-w c:\windows\system32\dllcache\ntkrnlmp.exe

2008-08-14 09:51 138,368 ----a-w c:\windows\system32\dllcache\afd.sys

2008-08-14 09:18 2,062,976 ----a-w c:\windows\system32\dllcache\ntkrnlpa.exe

2008-08-14 09:18 2,020,864 ----a-w c:\windows\system32\ntkrnlpa.exe

2008-08-14 09:18 2,020,864 ----a-w c:\windows\system32\dllcache\ntkrpamp.exe

2008-08-08 23:57 7,680 --sha-w c:\program files\Thumbs.db

2007-11-05 16:08 73,921 ----a-w c:\program files\back.png

2007-11-05 16:08 497 ----a-w c:\program files\config.xml

2007-11-05 16:08 3,961 ----a-w c:\program files\config.png

2007-11-05 16:08 2,934 ----a-w c:\program files\close.png

2007-11-05 16:08 2,527 ----a-w c:\program files\save.png

2007-11-05 16:08 12,497 ----a-w c:\program files\index.html

2007-11-05 16:08 1,029 ----a-w c:\program files\icon.png

2007-01-19 12:20 9,829,367 ----a-w c:\program files\uesetup.exe

2006-12-19 22:28 1,913,285 ----a-w c:\program files\ehck_setup.exe

2006-10-09 03:36 2,855,080 ----a-w c:\program files\aawsepersonal.exe

2006-10-09 02:20 1,321,432 ----a-w c:\program files\noadware.exe

2005-10-05 08:23 1,800,518 ----a-w c:\program files\setup.exe

2005-10-04 13:59 420 ----a-w c:\program files\file_id.diz

1999-05-04 00:22 364 ----a-w c:\program files\HISTORY.TXT

1999-05-04 00:02 976,896 ----a-w c:\program files\NEWLINES.EXE

1999-05-03 19:07 10,669 ----a-w c:\program files\NEWLINES.HLP

1999-04-30 17:21 536 ----a-w c:\program files\SELECT.WAV

1998-10-22 00:00 1,192 ----a-w c:\program files\MOVE.WAV

1997-05-07 22:29 1,243,985 ----a-w c:\program files\FRACTINT.EXE

1997-05-06 19:37 12,692 ----a-w c:\program files\IF_ELSE.TXT

1997-05-04 15:23 7,147 ----a-w c:\program files\PHCTUTOR.FRM

1997-05-04 13:28 3,529 ----a-w c:\program files\DEMO.BAT

1997-05-04 13:27 34,865 ----a-w c:\program files\FRACTINT.FRM

1997-05-04 13:26 21,891 ----a-w c:\program files\PHCTUTOR.TXT

1997-05-03 22:43 14,601 ----a-w c:\program files\FRACTINT.CFG

1997-05-03 20:08 1,604 ----a-w c:\program files\NEW19-6.KEY

1997-05-03 19:50 26,139 ----a-w c:\program files\FRACT196.FRM

1997-05-03 18:38 16,005 ----a-w c:\program files\FRACT19.PAR

1997-05-03 18:35 18,450 ----a-w c:\program files\FRACTINT.PAR

1997-05-03 08:18 322 ----a-w c:\program files\READ.ME

1997-04-25 19:27 11,323 ----a-w c:\program files\FRACT19.BAT

1997-04-23 00:47 11,921 ----a-w c:\program files\FRACTINT.L

1997-03-30 12:58 40,576 ----a-w c:\program files\FRMTUT.ZIP

1996-08-26 12:59 1,496 ----a-w c:\program files\NEW19-4.KEY

1996-08-26 12:55 863 ----a-w c:\program files\NEW19-5.KEY

1996-08-25 14:16 2,013 ----a-w c:\program files\TRU.C

1996-08-25 14:15 3,338 ----a-w c:\program files\DEBUGFLA.DOC

1996-07-20 18:44 601 ----a-w c:\program files\DEMO.PAR

1996-04-21 23:28 1,189 ----a-w c:\program files\MUSIC.PAR

1996-04-21 22:24 4,843 ----a-w c:\program files\FRACT18.PAR

1996-04-18 22:05 537 ----a-w c:\program files\FRACTINT.DOC

1996-02-15 18:22 5,728 ----a-w c:\program files\ADD.WAV

1995-03-10 23:32 584 ----a-w c:\program files\SSCHOICE.EXE

1995-03-10 15:57 5,504 ----a-w c:\program files\PENROSE.L

1995-03-08 22:01 2,338 ----a-w c:\program files\NEW19.KEY

1995-03-08 22:01 1,865 ----a-w c:\program files\ADVANCED.KEY

1995-03-08 10:09 5,863 ----a-w c:\program files\FRACTINT.IFS

1995-02-05 15:25 1,273 ----a-w c:\program files\BASIC.KEY

1994-09-24 21:53 3,583 ----a-w c:\program files\TILING.L

1993-09-27 09:27 2,976 ----a-w c:\program files\END.WAV

1993-05-19 20:25 4,487 ----a-w c:\program files\CELLULAR.PAR

1993-05-19 18:06 539 ----a-w c:\program files\PHOENIX.PAR

1993-03-25 22:58 12,416 ----a-w c:\program files\ICONS.PAR

1993-03-22 18:53 1,672 ----a-w c:\program files\REMOVE.WAV

1993-01-20 22:47 3,328 ----a-w c:\program files\FROTH6.MAP

1993-01-20 22:47 208 ----a-w c:\program files\FROTH616.MAP

1993-01-12 19:31 14,054 ----a-w c:\program files\SIMPLGIF.EXE

1992-12-15 19:30 208 ----a-w c:\program files\FROTH316.MAP

1992-12-15 19:27 3,328 ----a-w c:\program files\FROTH3.MAP

1992-02-14 12:04 2,613 ----a-w c:\program files\LYAPUNOV.PAR

1991-10-08 16:09 3,328 ----a-w c:\program files\LYAPUNOV.MAP

1991-02-03 05:59 4,864 ----a-w c:\program files\TPLUS.DAT

.

 

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

---- Directory of c:\windows\system32\GroupPolicyManifest ----

 

2008-11-05 08:27 77284 --a------ c:\windows\system32\GroupPolicyManifest\unpack.zip

2008-11-05 08:27 77284 --a------ c:\windows\system32\GroupPolicyManifest\serial.zip

2008-11-05 08:27 77282 --a------ c:\windows\system32\GroupPolicyManifest\setup.zip

2008-11-05 08:27 77282 --a------ c:\windows\system32\GroupPolicyManifest\patch.zip

2008-11-05 08:27 77281 --a------ c:\windows\system32\GroupPolicyManifest\nodvd.zip

2008-11-05 08:26 77292 --a------ c:\windows\system32\GroupPolicyManifest\installer.zip

2008-11-05 08:26 77284 --a------ c:\windows\system32\GroupPolicyManifest\keygen.zip

2008-11-05 08:26 77280 --a------ c:\windows\system32\GroupPolicyManifest\nocd.zip

2008-11-05 08:26 76550 --a------ c:\windows\system32\GroupPolicyManifest\free access to 150 adult sites.zip

2008-11-05 08:26 76524 --a------ c:\windows\system32\GroupPolicyManifest\free adult videos.zip

2008-11-05 08:26 76514 --a------ c:\windows\system32\GroupPolicyManifest\free porn passwords.zip

2008-11-05 08:25 77282 --a------ c:\windows\system32\GroupPolicyManifest\crack.zip

2008-11-03 21:13 6145 --a------ c:\windows\system32\GroupPolicyManifest\free porn passwords.zip.kwd

2008-11-03 21:12 6075 --a------ c:\windows\system32\GroupPolicyManifest\free access to 150 adult sites.zip.kwd

2008-11-03 21:12 5979 --a------ c:\windows\system32\GroupPolicyManifest\free adult videos.zip.kwd

2008-10-18 19:23 37 --a------ c:\windows\system32\GroupPolicyManifest\patch.zip.kwd

2008-10-18 19:21 136 --a------ c:\windows\system32\GroupPolicyManifest\nodvd.zip.kwd

2008-10-18 19:15 9 --a------ c:\windows\system32\GroupPolicyManifest\unpack.zip.kwd

2008-10-18 19:12 45 --a------ c:\windows\system32\GroupPolicyManifest\setup.zip.kwd

2008-10-18 19:11 136 --a------ c:\windows\system32\GroupPolicyManifest\nocd.zip.kwd

2008-10-18 19:11 126 --a------ c:\windows\system32\GroupPolicyManifest\serial.zip.kwd

2008-10-18 19:09 193 --a------ c:\windows\system32\GroupPolicyManifest\keygen.zip.kwd

2008-10-18 19:07 115 --a------ c:\windows\system32\GroupPolicyManifest\installer.zip.kwd

2008-10-18 19:06 180 --a------ c:\windows\system32\GroupPolicyManifest\crack.zip.kwd

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-05 7323648]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-01-05 86016]

"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-08 57344]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]

"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 188416]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-04-27 26112]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-11-14 286720]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-25 28672]

"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 90112]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2007-08-25 714608]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"Vade Retro Outlook Express"="c:\progra~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe" [2004-10-04 310272]

"Device Detector"="c:\program files\Common Files\ACD Systems\EN\DevDetect.exe" [2004-09-02 221184]

"nwiz"="nwiz.exe" [2006-01-05 c:\windows\system32\nwiz.exe]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]

"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 c:\windows\RTHDCPL.EXE]

"SMSERIAL"="sm56hlpr.exe" [2005-10-18 c:\windows\sm56hlpr.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

"msacm.mpegacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\mpegacm.acm

"VIDC.ACDV"= ACDV.dll

 

[HKLM\~\startupfolder\D:^Documents and Settings^halibut^Start Menu^Programs^Startup^ChaosPro Help.lnk]

path=d:\documents and settings\halibut\Start Menu\Programs\Startup\ChaosPro Help.lnk

backup=c:\windows\pss\ChaosPro Help.lnkStartup

 

[HKLM\~\startupfolder\D:^Documents and Settings^halibut^Start Menu^Programs^Startup^ChaosPro.lnk]

path=d:\documents and settings\halibut\Start Menu\Programs\Startup\ChaosPro.lnk

backup=c:\windows\pss\ChaosPro.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AOL 9.0\\aol.exe"=

"c:\\Program Files\\AOL 9.0\\waol.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%ProgramFiles%\\AOL 9.0\\aol.exe"=

"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=

"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=

"%windir%\\system32\\sessmgr.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)

"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)

"6346:TCP"= 6346:TCP:Gnutella

 

R2 cvintdrv;cvintdrv;c:\windows\system32\drivers\cvintdrv.sys [2004-07-26 7140]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]

R3 3xHybrid;3xHybrid service;c:\windows\system32\DRIVERS\3xHybrid.sys [2005-05-27 799744]

R3 X10Hid;X10 Hid Device;c:\windows\system32\Drivers\x10hid.sys [2005-11-28 7040]

S3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]

S3 USB28xxBGA;WinTV HVR-900;c:\windows\system32\DRIVERS\emBDA.sys [2006-06-06 281600]

S3 USB28xxOEM;WinTV OEM Filter;c:\windows\system32\DRIVERS\emOEM.sys [2006-06-01 21376]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22693ef6-a4e4-11dc-8170-00038a000015}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22693ef8-a4e4-11dc-8170-00038a000015}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{314f4780-a59d-11dc-8179-0014857c1834}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2754833-a548-11dc-8173-0014857c1834}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f79ef5fc-a278-11dc-8167-00038a000015}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f79ef5fe-a278-11dc-8167-00038a000015}]

\Shell\AutoRun\command - J:\AutoRun.exe

.

Contents of the 'Scheduled Tasks' folder

 

2008-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

 

2008-10-27 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - halibut.job

- c:\program files\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-06 14:16:26

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-11-06 14:17:27

ComboFix-quarantined-files.txt 2008-11-06 14:17:15

ComboFix2.txt 2008-11-05 17:51:08

 

Pre-Run: 14,065,639,424 bytes free

Post-Run: 14,116,274,176 bytes free

 

275 --- E O F --- 2008-11-02 15:53:47

 

 

Many thanks.

 

Sue


Hi Blade

 

Have now run the Kaspersky Online Scanner - report is below:

 

KASPERSKY ONLINE SCANNER 7 REPORT

Thursday, November 6, 2008

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Thursday, November 06, 2008 13:49:51

Records in database: 1372231

 

Scan settings

Scan using the following database extended

Scan archives yes

Scan mail databases yes

 

Scan area My Computer

C:\

D:\

E:\

F:\

G:\

H:\

I:\

J:\

 

Scan statistics

Files scanned 126601

Threat name 7

Infected objects 11

Suspicious objects 6

Duration of the scan 01:25:55

 

File name Threat name Threats count

C:\Downloads\Flower2008setup(1).exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1

 

C:\Downloads\Flower2008setup(2).exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1

 

C:\Downloads\Flower2008setup(3).exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1

 

C:\Downloads\Flower2008setup(4).exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1

 

C:\Downloads\Flower2008setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1

 

C:\Rocket\Flower\RocketSC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1

 

C:\WINDOWS\system32\iasrecst32.dll Infected: Trojan-Downloader.Win32.Agent.alqz 1

 

D:\Documents and Settings\halibut\Local Settings\Application Data\Identities\{4A77C32F-87D0-44F6-B7BC-35694028E757}\Microsoft\Outlook Express\Deleted Items.bak Infected: Trojan-Spy.HTML.Bankfraud.od 1

 

D:\Documents and Settings\halibut\Local Settings\Application Data\Identities\{4A77C32F-87D0-44F6-B7BC-35694028E757}\Microsoft\Outlook Express\Deleted Items.bak Suspicious: Trojan-Spy.HTML.Fraud.gen 2

 

D:\Documents and Settings\halibut\Local Settings\Application Data\Identities\{4A77C32F-87D0-44F6-B7BC-35694028E757}\Microsoft\Outlook Express\Deleted Items.bak Infected: Email-Worm.Win32.Zhelatin.o 1

 

D:\Documents and Settings\halibut\My Documents\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 4

 

D:\Documents and Settings\halibut\My Documents\LimeWire\Saved\bubble shooter keygen [SSG].zip Infected: Trojan-Downloader.Win32.Agent.ampx 1

 

D:\Documents and Settings\halibut\My Documents\LimeWire\Saved\Bubble.Shooter.Deluxe.v1.0.Cracked-ViRiLiTY.zip Infected: Trojan.Win32.Agent.uvi 1

 

The selected area was scanned.

 

 

NOW THE NEW HIJACK SCAN - BELOW:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:58:38, on 06/11/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\CDBurnerXP\NMSAccess.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\RTHDCPL.EXE

C:\apps\ABoard\ABoard.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\apps\ABoard\AOSD.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

C:\WINDOWS\sm56hlpr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe

C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll

O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"

O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Vade Retro Outlook Express] "C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe"

O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Readme.lnk = C:\Program Files\ChaosPro3.2\Readme.txt

O8 - Extra context menu item: &Search - ?p=ZUfox000

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/stg_drm.ocx

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Jigsaw%20Puzzle%20Platinum/Images/armhelper.ocx

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

 

--

End of file - 10605 bytes

 

 

AND FINALLY THE COMBOFIX which was done last:

 

ComboFix 08-11-04.02 - halibut 2008-11-06 17:00:53.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1345 [GMT 0:00]

Running from: c:\downloads\ComboFix.exe

.

 

((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))

.

 

2008-11-05 16:23 . 2008-11-05 17:06 <DIR> d--hs---- c:\windows\system32\GroupPolicyManifest

2008-11-05 02:28 . 2008-11-05 02:28 0 --a------ c:\windows\system32\F8A.tmp

2008-11-05 01:41 . 2008-11-05 01:41 0 --a------ c:\windows\system32\14.tmp

2008-11-05 00:10 . 2008-11-05 00:10 0 --a------ c:\windows\system32\1E3.tmp

2008-11-05 00:00 . 2008-11-05 00:00 0 --a------ c:\windows\system32\C.tmp

2008-11-04 21:29 . 2008-11-04 21:29 0 --a------ c:\windows\system32\24.tmp

2008-11-04 01:16 . 2008-11-04 01:16 0 --a------ c:\windows\system32\60.tmp

2008-11-04 00:00 . 2008-11-04 00:00 318,976 --ahs---- c:\windows\system32\54.tmp

2008-11-03 23:59 . 2008-11-03 23:59 0 --a------ c:\windows\system32\53.tmp

2008-11-03 23:00 . 2008-11-03 23:00 318,976 --ahs---- c:\windows\system32\4C.tmp

2008-11-03 22:59 . 2008-11-03 22:59 0 --a------ c:\windows\system32\4B.tmp

2008-11-03 21:59 . 2008-11-03 22:00 318,976 --ahs---- c:\windows\system32\48.tmp

2008-11-03 21:58 . 2008-11-03 21:58 0 --a------ c:\windows\system32\47.tmp

2008-11-03 18:32 . 2008-11-03 18:33 318,976 --ahs---- c:\windows\system32\34.tmp

2008-11-03 03:37 . 2008-11-03 03:37 0 --a------ c:\windows\system32\AF7.tmp

2008-11-03 03:12 . 2008-11-03 03:12 0 --a------ c:\windows\system32\42.tmp

2008-11-03 01:59 . 2008-11-05 16:40 5,576 --a------ c:\windows\GnuHashes.ini

2008-11-03 01:51 . 2008-11-03 01:51 318,976 --ahs---- c:\windows\system32\36.tmp

2008-11-03 01:51 . 2008-11-03 01:51 131,072 --a------ c:\windows\system32\iasrecst32.dll

2008-11-03 01:51 . 2008-11-05 17:06 1,185 --ahs---- c:\windows\system32\GroupPolicy000.dat

2008-11-02 11:54 . 2007-10-26 03:34 8,460,288 --a------ c:\windows\system32\dllcache\shell32.dll

2008-11-02 02:23 . 2008-11-02 02:23 <DIR> d-------- c:\program files\Trend Micro

2008-10-10 18:13 . 2008-10-10 18:13 <DIR> d-------- d:\documents and settings\halibut\Application Data\CyberLink

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-06 13:57 --------- d-----w d:\documents and settings\halibut\Application Data\Free Download Manager

2008-11-06 07:15 --------- d-----w d:\documents and settings\spreadie\Application Data\LimeWire

2008-11-06 00:09 --------- d-----w d:\documents and settings\halibut\Application Data\uTorrent

2008-11-05 17:26 --------- d-----w c:\program files\Common Files\Symantec Shared

2008-11-03 03:37 --------- d-----w d:\documents and settings\halibut\Application Data\LimeWire

2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll

2008-10-12 05:10 --------- d-----w d:\documents and settings\All Users\Application Data\Symantec

2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll

2008-10-02 12:47 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-10-02 10:47 --------- d-----w d:\documents and settings\All Users\Application Data\Absolutist

2008-09-20 23:10 --------- d-----w d:\documents and settings\halibut\Application Data\MahJong Suite

2008-09-17 15:46 --------- d-----w c:\program files\Flickr Uploadr

2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys

2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\dllcache\win32k.sys

2008-09-14 00:07 --------- d-----w d:\documents and settings\halibut\Application Data\Flickr

2008-09-07 22:08 --------- d-----w c:\program files\DVD Shrink

2008-09-07 22:03 --------- d-----w c:\program files\XviD

2008-09-06 17:21 --------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-09-06 11:47 --------- d-----w c:\program files\Microsoft Silverlight

2008-08-29 16:40 110 ----a-w d:\documents and settings\halibut\Application Data\wklnhst.dat

2008-08-28 10:04 333,056 ----a-w c:\windows\system32\dllcache\srv.sys

2008-08-27 08:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll

2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe

2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe

2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe

2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll

2008-08-14 09:57 2,185,984 ----a-w c:\windows\system32\dllcache\ntoskrnl.exe

2008-08-14 09:55 2,142,720 ----a-w c:\windows\system32\ntoskrnl.exe

2008-08-14 09:55 2,142,720 ----a-w c:\windows\system32\dllcache\ntkrnlmp.exe

2008-08-14 09:51 138,368 ----a-w c:\windows\system32\dllcache\afd.sys

2008-08-14 09:18 2,062,976 ----a-w c:\windows\system32\dllcache\ntkrnlpa.exe

2008-08-14 09:18 2,020,864 ----a-w c:\windows\system32\ntkrnlpa.exe

2008-08-14 09:18 2,020,864 ----a-w c:\windows\system32\dllcache\ntkrpamp.exe

2008-08-08 23:57 7,680 --sha-w c:\program files\Thumbs.db

2007-11-05 16:08 73,921 ----a-w c:\program files\back.png

2007-11-05 16:08 497 ----a-w c:\program files\config.xml

2007-11-05 16:08 3,961 ----a-w c:\program files\config.png

2007-11-05 16:08 2,934 ----a-w c:\program files\close.png

2007-11-05 16:08 2,527 ----a-w c:\program files\save.png

2007-11-05 16:08 12,497 ----a-w c:\program files\index.html

2007-11-05 16:08 1,029 ----a-w c:\program files\icon.png

2007-01-19 12:20 9,829,367 ----a-w c:\program files\uesetup.exe

2006-12-19 22:28 1,913,285 ----a-w c:\program files\ehck_setup.exe

2006-10-09 03:36 2,855,080 ----a-w c:\program files\aawsepersonal.exe

2006-10-09 02:20 1,321,432 ----a-w c:\program files\noadware.exe

2005-10-05 08:23 1,800,518 ----a-w c:\program files\setup.exe

2005-10-04 13:59 420 ----a-w c:\program files\file_id.diz

1999-05-04 00:22 364 ----a-w c:\program files\HISTORY.TXT

1999-05-04 00:02 976,896 ----a-w c:\program files\NEWLINES.EXE

1999-05-03 19:07 10,669 ----a-w c:\program files\NEWLINES.HLP

1999-04-30 17:21 536 ----a-w c:\program files\SELECT.WAV

1998-10-22 00:00 1,192 ----a-w c:\program files\MOVE.WAV

1997-05-07 22:29 1,243,985 ----a-w c:\program files\FRACTINT.EXE

1997-05-06 19:37 12,692 ----a-w c:\program files\IF_ELSE.TXT

1997-05-04 15:23 7,147 ----a-w c:\program files\PHCTUTOR.FRM

1997-05-04 13:28 3,529 ----a-w c:\program files\DEMO.BAT

1997-05-04 13:27 34,865 ----a-w c:\program files\FRACTINT.FRM

1997-05-04 13:26 21,891 ----a-w c:\program files\PHCTUTOR.TXT

1997-05-03 22:43 14,601 ----a-w c:\program files\FRACTINT.CFG

1997-05-03 20:08 1,604 ----a-w c:\program files\NEW19-6.KEY

1997-05-03 19:50 26,139 ----a-w c:\program files\FRACT196.FRM

1997-05-03 18:38 16,005 ----a-w c:\program files\FRACT19.PAR

1997-05-03 18:35 18,450 ----a-w c:\program files\FRACTINT.PAR

1997-05-03 08:18 322 ----a-w c:\program files\READ.ME

1997-04-25 19:27 11,323 ----a-w c:\program files\FRACT19.BAT

1997-04-23 00:47 11,921 ----a-w c:\program files\FRACTINT.L

1997-03-30 12:58 40,576 ----a-w c:\program files\FRMTUT.ZIP

1996-08-26 12:59 1,496 ----a-w c:\program files\NEW19-4.KEY

1996-08-26 12:55 863 ----a-w c:\program files\NEW19-5.KEY

1996-08-25 14:16 2,013 ----a-w c:\program files\TRU.C

1996-08-25 14:15 3,338 ----a-w c:\program files\DEBUGFLA.DOC

1996-07-20 18:44 601 ----a-w c:\program files\DEMO.PAR

1996-04-21 23:28 1,189 ----a-w c:\program files\MUSIC.PAR

1996-04-21 22:24 4,843 ----a-w c:\program files\FRACT18.PAR

1996-04-18 22:05 537 ----a-w c:\program files\FRACTINT.DOC

1996-02-15 18:22 5,728 ----a-w c:\program files\ADD.WAV

1995-03-10 23:32 584 ----a-w c:\program files\SSCHOICE.EXE

1995-03-10 15:57 5,504 ----a-w c:\program files\PENROSE.L

1995-03-08 22:01 2,338 ----a-w c:\program files\NEW19.KEY

1995-03-08 22:01 1,865 ----a-w c:\program files\ADVANCED.KEY

1995-03-08 10:09 5,863 ----a-w c:\program files\FRACTINT.IFS

1995-02-05 15:25 1,273 ----a-w c:\program files\BASIC.KEY

1994-09-24 21:53 3,583 ----a-w c:\program files\TILING.L

1993-09-27 09:27 2,976 ----a-w c:\program files\END.WAV

1993-05-19 20:25 4,487 ----a-w c:\program files\CELLULAR.PAR

1993-05-19 18:06 539 ----a-w c:\program files\PHOENIX.PAR

1993-03-25 22:58 12,416 ----a-w c:\program files\ICONS.PAR

1993-03-22 18:53 1,672 ----a-w c:\program files\REMOVE.WAV

1993-01-20 22:47 3,328 ----a-w c:\program files\FROTH6.MAP

1993-01-20 22:47 208 ----a-w c:\program files\FROTH616.MAP

1993-01-12 19:31 14,054 ----a-w c:\program files\SIMPLGIF.EXE

1992-12-15 19:30 208 ----a-w c:\program files\FROTH316.MAP

1992-12-15 19:27 3,328 ----a-w c:\program files\FROTH3.MAP

1992-02-14 12:04 2,613 ----a-w c:\program files\LYAPUNOV.PAR

1991-10-08 16:09 3,328 ----a-w c:\program files\LYAPUNOV.MAP

1991-02-03 05:59 4,864 ----a-w c:\program files\TPLUS.DAT

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-05 7323648]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-01-05 86016]

"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-08 57344]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]

"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 188416]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-04-27 26112]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-11-14 286720]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-25 28672]

"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 90112]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2007-08-25 714608]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"Vade Retro Outlook Express"="c:\progra~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe" [2004-10-04 310272]

"Device Detector"="c:\program files\Common Files\ACD Systems\EN\DevDetect.exe" [2004-09-02 221184]

"nwiz"="nwiz.exe" [2006-01-05 c:\windows\system32\nwiz.exe]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]

"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 c:\windows\RTHDCPL.EXE]

"SMSERIAL"="sm56hlpr.exe" [2005-10-18 c:\windows\sm56hlpr.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

"msacm.mpegacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\mpegacm.acm

"VIDC.ACDV"= ACDV.dll

 

[HKLM\~\startupfolder\D:^Documents and Settings^halibut^Start Menu^Programs^Startup^ChaosPro Help.lnk]

path=d:\documents and settings\halibut\Start Menu\Programs\Startup\ChaosPro Help.lnk

backup=c:\windows\pss\ChaosPro Help.lnkStartup

 

[HKLM\~\startupfolder\D:^Documents and Settings^halibut^Start Menu^Programs^Startup^ChaosPro.lnk]

path=d:\documents and settings\halibut\Start Menu\Programs\Startup\ChaosPro.lnk

backup=c:\windows\pss\ChaosPro.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AOL 9.0\\aol.exe"=

"c:\\Program Files\\AOL 9.0\\waol.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%ProgramFiles%\\AOL 9.0\\aol.exe"=

"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=

"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=

"%windir%\\system32\\sessmgr.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)

"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)

"6346:TCP"= 6346:TCP:Gnutella

 

R2 cvintdrv;cvintdrv;c:\windows\system32\drivers\cvintdrv.sys [2004-07-26 7140]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]

R3 3xHybrid;3xHybrid service;c:\windows\system32\DRIVERS\3xHybrid.sys [2005-05-27 799744]

R3 X10Hid;X10 Hid Device;c:\windows\system32\Drivers\x10hid.sys [2005-11-28 7040]

S3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]

S3 USB28xxBGA;WinTV HVR-900;c:\windows\system32\DRIVERS\emBDA.sys [2006-06-06 281600]

S3 USB28xxOEM;WinTV OEM Filter;c:\windows\system32\DRIVERS\emOEM.sys [2006-06-01 21376]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22693ef6-a4e4-11dc-8170-00038a000015}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22693ef8-a4e4-11dc-8170-00038a000015}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{314f4780-a59d-11dc-8179-0014857c1834}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2754833-a548-11dc-8173-0014857c1834}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f79ef5fc-a278-11dc-8167-00038a000015}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f79ef5fe-a278-11dc-8167-00038a000015}]

\Shell\AutoRun\command - J:\AutoRun.exe

.

Contents of the 'Scheduled Tasks' folder

 

2008-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

 

2008-10-27 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - halibut.job

- c:\program files\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]

.

.

------- Supplementary Scan -------

.

FireFox -: Profile - d:\documents and settings\halibut\Application Data\Mozilla\Firefox\Profiles\euib9end.default\

FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll

FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll

FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll

FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-06 17:02:37

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-11-06 17:03:37

ComboFix-quarantined-files.txt 2008-11-06 17:03:29

ComboFix2.txt 2008-11-06 14:17:28

ComboFix3.txt 2008-11-05 17:51:08

 

Pre-Run: 14,137,536,512 bytes free

Post-Run: 14,119,337,984 bytes free

 

258 --- E O F --- 2008-11-02 15:53:47

 

 

Many thanks.

 

Sue


Hi Sue,

 

Let's continue cleaning ;)

 

Empty the Outlook deleted items folder (through Outlook Express)

 

Start hjt, do a system scan, check:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com

 

Close browsers and fix checked. Reboot.

 

 

Open notepad and copy/paste the text in the quotebox below into it:

 

File::
c:\windows\system32\F8A.tmp
c:\windows\system32\14.tmp
c:\windows\system32\1E3.tmp
c:\windows\system32\C.tmp
c:\windows\system32\24.tmp
c:\windows\system32\60.tmp
c:\windows\system32\54.tmp
c:\windows\system32\53.tmp
c:\windows\system32\4C.tmp
c:\windows\system32\4B.tmp
c:\windows\system32\48.tmp
c:\windows\system32\47.tmp
c:\windows\system32\34.tmp
c:\windows\system32\AF7.tmp
c:\windows\system32\42.tmp
c:\windows\system32\36.tmp
c:\windows\system32\iasrecst32.dll
c:\windows\system32\GroupPolicy000.dat
D:\Documents and Settings\halibut\My Documents\LimeWire\Saved\bubble shooter keygen [SSG].zip
D:\Documents and Settings\halibut\My Documents\LimeWire\Saved\Bubble.Shooter.Deluxe.v1.0.Cracked-ViRiLiTY.zip 

Folder::
c:\windows\system32\GroupPolicyManifest

 

 

Save this as

CFScript

 

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

 

CFScriptB-4.gif

 

Referring to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log & a fresh hjt log. How's the system running?

 

 

Combofix should never take more than 20 minutes including the reboot if malware is detected.

If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened we want to know, and also what process you had to end.


Hi Blade :)

 

Done as you requested and below are the reports for Combofix and Hijack:

 

COMBOFIX REPORT

 

ComboFix 08-11-04.02 - halibut 2008-11-07 12:29:01.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1515 [GMT 0:00]

Running from: c:\downloads\ComboFix.exe

Command switches used :: d:\documents and settings\halibut\My Documents\CFScript.txt

* Created a new restore point

 

FILE ::

c:\windows\system32\14.tmp

c:\windows\system32\1E3.tmp

c:\windows\system32\24.tmp

c:\windows\system32\34.tmp

c:\windows\system32\36.tmp

c:\windows\system32\42.tmp

c:\windows\system32\47.tmp

c:\windows\system32\48.tmp

c:\windows\system32\4B.tmp

c:\windows\system32\4C.tmp

c:\windows\system32\53.tmp

c:\windows\system32\54.tmp

c:\windows\system32\60.tmp

c:\windows\system32\AF7.tmp

c:\windows\system32\C.tmp

c:\windows\system32\F8A.tmp

c:\windows\system32\GroupPolicy000.dat

c:\windows\system32\iasrecst32.dll

d:\documents and settings\halibut\My Documents\LimeWire\Saved\bubble shooter keygen [sSG].zip

d:\documents and settings\halibut\My Documents\LimeWire\Saved\Bubble.Shooter.Deluxe.v1.0.Cracked-ViRiLiTY.zip

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\14.tmp

c:\windows\system32\1E3.tmp

c:\windows\system32\24.tmp

c:\windows\system32\34.tmp

c:\windows\system32\36.tmp

c:\windows\system32\42.tmp

c:\windows\system32\47.tmp

c:\windows\system32\48.tmp

c:\windows\system32\4B.tmp

c:\windows\system32\4C.tmp

c:\windows\system32\53.tmp

c:\windows\system32\54.tmp

c:\windows\system32\60.tmp

c:\windows\system32\AF7.tmp

c:\windows\system32\C.tmp

c:\windows\system32\F8A.tmp

c:\windows\system32\GroupPolicy000.dat

c:\windows\system32\GroupPolicyManifest

c:\windows\system32\GroupPolicyManifest\crack.zip

c:\windows\system32\GroupPolicyManifest\crack.zip.kwd

c:\windows\system32\GroupPolicyManifest\free access to 150 adult sites.zip

c:\windows\system32\GroupPolicyManifest\free access to 150 adult sites.zip.kwd

c:\windows\system32\GroupPolicyManifest\free adult videos.zip

c:\windows\system32\GroupPolicyManifest\free adult videos.zip.kwd

c:\windows\system32\GroupPolicyManifest\free porn passwords.zip

c:\windows\system32\GroupPolicyManifest\free porn passwords.zip.kwd

c:\windows\system32\GroupPolicyManifest\installer.zip

c:\windows\system32\GroupPolicyManifest\installer.zip.kwd

c:\windows\system32\GroupPolicyManifest\keygen.zip

c:\windows\system32\GroupPolicyManifest\keygen.zip.kwd

c:\windows\system32\GroupPolicyManifest\nocd.zip

c:\windows\system32\GroupPolicyManifest\nocd.zip.kwd

c:\windows\system32\GroupPolicyManifest\nodvd.zip

c:\windows\system32\GroupPolicyManifest\nodvd.zip.kwd

c:\windows\system32\GroupPolicyManifest\patch.zip

c:\windows\system32\GroupPolicyManifest\patch.zip.kwd

c:\windows\system32\GroupPolicyManifest\serial.zip

c:\windows\system32\GroupPolicyManifest\serial.zip.kwd

c:\windows\system32\GroupPolicyManifest\setup.zip

c:\windows\system32\GroupPolicyManifest\setup.zip.kwd

c:\windows\system32\GroupPolicyManifest\unpack.zip

c:\windows\system32\GroupPolicyManifest\unpack.zip.kwd

c:\windows\system32\iasrecst32.dll

d:\documents and settings\halibut\My Documents\LimeWire\Saved\bubble shooter keygen [sSG].zip

d:\documents and settings\halibut\My Documents\LimeWire\Saved\Bubble.Shooter.Deluxe.v1.0.Cracked-ViRiLiTY.zip

 

.

((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))

.

 

2008-11-07 06:21 . 2008-07-18 22:07 270,880 --a------ c:\windows\system32\mucltui.dll

2008-11-07 06:21 . 2008-07-18 22:07 29,728 --a------ c:\windows\system32\mucltui.dll.mui

2008-11-03 01:59 . 2008-11-05 16:40 5,576 --a------ c:\windows\GnuHashes.ini

2008-11-02 11:54 . 2007-10-26 03:34 8,460,288 --a------ c:\windows\system32\dllcache\shell32.dll

2008-11-02 02:23 . 2008-11-02 02:23 <DIR> d-------- c:\program files\Trend Micro

2008-10-10 18:13 . 2008-10-10 18:13 <DIR> d-------- d:\documents and settings\halibut\Application Data\CyberLink

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-07 11:59 --------- d-----w c:\program files\Microsoft Silverlight

2008-11-07 08:10 --------- d-----w d:\documents and settings\spreadie\Application Data\LimeWire

2008-11-06 13:57 --------- d-----w d:\documents and settings\halibut\Application Data\Free Download Manager

2008-11-06 00:09 --------- d-----w d:\documents and settings\halibut\Application Data\uTorrent

2008-11-05 17:26 --------- d-----w c:\program files\Common Files\Symantec Shared

2008-11-03 03:37 --------- d-----w d:\documents and settings\halibut\Application Data\LimeWire

2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll

2008-10-12 05:10 --------- d-----w d:\documents and settings\All Users\Application Data\Symantec

2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll

2008-10-02 12:47 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-10-02 10:47 --------- d-----w d:\documents and settings\All Users\Application Data\Absolutist

2008-09-20 23:10 --------- d-----w d:\documents and settings\halibut\Application Data\MahJong Suite

2008-09-17 15:46 --------- d-----w c:\program files\Flickr Uploadr

2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys

2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\dllcache\win32k.sys

2008-09-14 00:07 --------- d-----w d:\documents and settings\halibut\Application Data\Flickr

2008-09-07 22:08 --------- d-----w c:\program files\DVD Shrink

2008-09-07 22:03 --------- d-----w c:\program files\XviD

2008-08-29 16:40 110 ----a-w d:\documents and settings\halibut\Application Data\wklnhst.dat

2008-08-28 10:04 333,056 ----a-w c:\windows\system32\dllcache\srv.sys

2008-08-27 08:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll

2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe

2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe

2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe

2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll

2008-08-14 09:57 2,185,984 ----a-w c:\windows\system32\dllcache\ntoskrnl.exe

2008-08-14 09:55 2,142,720 ----a-w c:\windows\system32\ntoskrnl.exe

2008-08-14 09:55 2,142,720 ----a-w c:\windows\system32\dllcache\ntkrnlmp.exe

2008-08-14 09:51 138,368 ----a-w c:\windows\system32\dllcache\afd.sys

2008-08-14 09:18 2,062,976 ----a-w c:\windows\system32\dllcache\ntkrnlpa.exe

2008-08-14 09:18 2,020,864 ----a-w c:\windows\system32\ntkrnlpa.exe

2008-08-14 09:18 2,020,864 ----a-w c:\windows\system32\dllcache\ntkrpamp.exe

2008-08-08 23:57 7,680 --sha-w c:\program files\Thumbs.db

2007-11-05 16:08 73,921 ----a-w c:\program files\back.png

2007-11-05 16:08 497 ----a-w c:\program files\config.xml

2007-11-05 16:08 3,961 ----a-w c:\program files\config.png

2007-11-05 16:08 2,934 ----a-w c:\program files\close.png

2007-11-05 16:08 2,527 ----a-w c:\program files\save.png

2007-11-05 16:08 12,497 ----a-w c:\program files\index.html

2007-11-05 16:08 1,029 ----a-w c:\program files\icon.png

2007-01-19 12:20 9,829,367 ----a-w c:\program files\uesetup.exe

2006-12-19 22:28 1,913,285 ----a-w c:\program files\ehck_setup.exe

2006-10-09 03:36 2,855,080 ----a-w c:\program files\aawsepersonal.exe

2006-10-09 02:20 1,321,432 ----a-w c:\program files\noadware.exe

2005-10-05 08:23 1,800,518 ----a-w c:\program files\setup.exe

2005-10-04 13:59 420 ----a-w c:\program files\file_id.diz

1999-05-04 00:22 364 ----a-w c:\program files\HISTORY.TXT

1999-05-04 00:02 976,896 ----a-w c:\program files\NEWLINES.EXE

1999-05-03 19:07 10,669 ----a-w c:\program files\NEWLINES.HLP

1999-04-30 17:21 536 ----a-w c:\program files\SELECT.WAV

1998-10-22 00:00 1,192 ----a-w c:\program files\MOVE.WAV

1997-05-07 22:29 1,243,985 ----a-w c:\program files\FRACTINT.EXE

1997-05-06 19:37 12,692 ----a-w c:\program files\IF_ELSE.TXT

1997-05-04 15:23 7,147 ----a-w c:\program files\PHCTUTOR.FRM

1997-05-04 13:28 3,529 ----a-w c:\program files\DEMO.BAT

1997-05-04 13:27 34,865 ----a-w c:\program files\FRACTINT.FRM

1997-05-04 13:26 21,891 ----a-w c:\program files\PHCTUTOR.TXT

1997-05-03 22:43 14,601 ----a-w c:\program files\FRACTINT.CFG

1997-05-03 20:08 1,604 ----a-w c:\program files\NEW19-6.KEY

1997-05-03 19:50 26,139 ----a-w c:\program files\FRACT196.FRM

1997-05-03 18:38 16,005 ----a-w c:\program files\FRACT19.PAR

1997-05-03 18:35 18,450 ----a-w c:\program files\FRACTINT.PAR

1997-05-03 08:18 322 ----a-w c:\program files\READ.ME

1997-04-25 19:27 11,323 ----a-w c:\program files\FRACT19.BAT

1997-04-23 00:47 11,921 ----a-w c:\program files\FRACTINT.L

1997-03-30 12:58 40,576 ----a-w c:\program files\FRMTUT.ZIP

1996-08-26 12:59 1,496 ----a-w c:\program files\NEW19-4.KEY

1996-08-26 12:55 863 ----a-w c:\program files\NEW19-5.KEY

1996-08-25 14:16 2,013 ----a-w c:\program files\TRU.C

1996-08-25 14:15 3,338 ----a-w c:\program files\DEBUGFLA.DOC

1996-07-20 18:44 601 ----a-w c:\program files\DEMO.PAR

1996-04-21 23:28 1,189 ----a-w c:\program files\MUSIC.PAR

1996-04-21 22:24 4,843 ----a-w c:\program files\FRACT18.PAR

1996-04-18 22:05 537 ----a-w c:\program files\FRACTINT.DOC

1996-02-15 18:22 5,728 ----a-w c:\program files\ADD.WAV

1995-03-10 23:32 584 ----a-w c:\program files\SSCHOICE.EXE

1995-03-10 15:57 5,504 ----a-w c:\program files\PENROSE.L

1995-03-08 22:01 2,338 ----a-w c:\program files\NEW19.KEY

1995-03-08 22:01 1,865 ----a-w c:\program files\ADVANCED.KEY

1995-03-08 10:09 5,863 ----a-w c:\program files\FRACTINT.IFS

1995-02-05 15:25 1,273 ----a-w c:\program files\BASIC.KEY

1994-09-24 21:53 3,583 ----a-w c:\program files\TILING.L

1993-09-27 09:27 2,976 ----a-w c:\program files\END.WAV

1993-05-19 20:25 4,487 ----a-w c:\program files\CELLULAR.PAR

1993-05-19 18:06 539 ----a-w c:\program files\PHOENIX.PAR

1993-03-25 22:58 12,416 ----a-w c:\program files\ICONS.PAR

1993-03-22 18:53 1,672 ----a-w c:\program files\REMOVE.WAV

1993-01-20 22:47 3,328 ----a-w c:\program files\FROTH6.MAP

1993-01-20 22:47 208 ----a-w c:\program files\FROTH616.MAP

1993-01-12 19:31 14,054 ----a-w c:\program files\SIMPLGIF.EXE

1992-12-15 19:30 208 ----a-w c:\program files\FROTH316.MAP

1992-12-15 19:27 3,328 ----a-w c:\program files\FROTH3.MAP

1992-02-14 12:04 2,613 ----a-w c:\program files\LYAPUNOV.PAR

1991-10-08 16:09 3,328 ----a-w c:\program files\LYAPUNOV.MAP

1991-02-03 05:59 4,864 ----a-w c:\program files\TPLUS.DAT

.

 

((((((((((((((((((((((((((((( [email protected]_17.50.33.50 )))))))))))))))))))))))))))))))))))))))))

.

- 2006-09-19 13:18:27 64,088 ----a-w c:\windows\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll

+ 2008-11-07 08:17:08 66,936 ----a-w c:\windows\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll

- 2006-09-19 13:18:27 223,800 ----a-w c:\windows\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL

+ 2008-11-07 08:17:03 226,656 ----a-w c:\windows\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL

+ 2003-07-14 21:43:20 87,616 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\ADDRPARS.DLL

+ 2003-07-14 21:57:34 38,968 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\AUTHZAX.DLL

+ 2003-07-14 21:53:06 94,768 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\AW.DLL

+ 2003-07-15 02:14:28 350,264 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\CDLMSO.DLL

+ 2003-07-15 02:18:12 47,160 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\DFUICOM.EXE

+ 2003-07-25 17:57:20 75,832 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\DLGSETP.DLL

+ 2003-07-14 21:56:54 14,904 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\DSITF.DLL

+ 2003-07-14 21:57:14 98,360 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\DSSM.EXE

+ 2003-07-31 14:19:52 131,648 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\ENVELOPE.DLL

+ 2003-08-13 01:34:38 10,073,144 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\EXCEL.EXE

+ 2003-07-14 21:41:44 13,368 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FINDER.EXE

+ 2003-08-03 09:56:16 1,146,184 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FM20.DLL

+ 2003-07-23 22:01:40 1,949,240 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPCUTL.DLL

+ 2003-07-14 22:36:14 186,424 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPDTC.DLL

+ 2003-07-14 21:40:12 179,768 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPERSON.DLL

+ 2003-07-14 21:40:12 165,944 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPLACE.DLL

+ 2003-07-25 18:00:16 1,157,696 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPSRVUTL.DLL

+ 2003-07-25 18:14:50 799,288 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPWEC.DLL

+ 2003-07-14 22:11:42 2,139,192 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\GRAPH.EXE

+ 2003-07-14 21:57:44 87,096 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\IEAWSDC.DLL

+ 2003-07-14 21:53:50 161,336 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\IETAG.DLL

+ 2003-07-23 21:32:32 121,400 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\IMPMAIL.DLL

+ 2003-06-18 16:31:44 758,784 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIGRAPH.DLL

+ 2003-06-18 16:31:10 252,928 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIINK.DLL

+ 2003-06-18 16:31:48 17,920 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIMON.DLL

+ 2003-06-18 16:31:48 18,944 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIPPR.DLL

+ 2003-06-18 16:31:46 35,328 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIUI.DLL

+ 2003-06-18 16:31:34 443,904 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIVWCTL.DLL

+ 2003-07-14 21:46:08 176,696 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MIMEDIR.DLL

+ 2003-07-14 21:58:04 230,968 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSCDM.DLL

+ 2002-12-17 18:08:50 359,600 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSDMENG.DLL

+ 2002-12-17 18:08:54 1,383,592 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSDMINE.DLL

+ 2003-07-14 21:51:44 87,104 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSENCODE.DLL

+ 2002-04-09 19:14:36 187,560 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSMDUN80.DLL

+ 2003-07-14 21:52:52 17,464 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSMH.DLL

+ 2003-08-07 23:23:16 12,172,336 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSO.DLL

+ 2003-07-14 21:57:16 120,888 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOAUTH.DLL

+ 2003-07-15 02:14:18 106,552 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOCF.DLL

+ 2003-07-23 21:35:26 127,032 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOCFU.DLL

+ 2003-07-14 21:52:52 27,704 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSODCW.DLL

+ 2003-07-14 21:44:06 25,144 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOEURO.DLL

+ 2003-07-14 21:52:56 55,360 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOHTMED.EXE

+ 2002-12-17 18:09:24 2,071,752 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOLAP80.DLL

+ 2003-07-11 01:15:48 1,292,872 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSONSEXT.DLL

+ 2003-07-15 02:18:52 376,888 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSORUN.DLL

+ 2003-07-14 21:52:54 28,224 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOSTYLE.DLL

+ 2003-07-14 21:52:52 35,896 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOSV.DLL

+ 2003-07-14 21:53:20 39,488 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOSVFBR.DLL

+ 2003-07-14 21:46:16 42,040 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOXEV.DLL

+ 2003-07-14 21:45:12 55,360 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOXMLED.EXE

+ 2003-07-14 21:45:12 39,488 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOXMLMF.DLL

+ 2003-06-18 16:31:24 1,033,216 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSPCORE.DLL

+ 2003-06-18 16:31:50 16,384 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSPGIMME.DLL

+ 2003-06-19 15:05:50 364,648 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSPVIEW.EXE

+ 2003-07-14 21:52:58 41,528 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSSH.DLL

+ 2003-07-14 22:02:14 627,256 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSTORDB.EXE

+ 2003-07-14 21:56:24 124,984 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSTORE.EXE

+ 2003-07-23 21:40:00 482,872 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSTORES.DLL

+ 2003-07-14 22:00:54 145,984 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSWEBCAP.DLL

+ 2003-07-14 21:57:10 56,888 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\NAME.DLL

+ 2003-07-14 21:56:52 13,888 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\NPOFFICE.DLL

+ 2006-09-19 13:18:27 223,800 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OFFICE.DLL

+ 2003-07-15 02:14:26 283,696 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OIS.EXE

+ 2003-07-15 02:14:26 828,472 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OISAPP.DLL

+ 2003-07-15 02:14:26 27,192 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OISCTRL.DLL

+ 2003-07-15 02:14:26 242,240 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OISGRAPH.DLL

+ 2003-07-14 22:05:24 1,054,264 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OMFC.DLL

+ 2003-07-14 21:41:56 24,640 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLACCT.DLL

+ 2003-07-14 21:44:34 102,968 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLCTL.DLL

+ 2003-07-07 12:36:00 2,058,343 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DAT

+ 2003-07-08 10:48:00 115,288 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DLL

+ 2003-08-09 22:06:42 7,522,360 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLLIB.DLL

+ 2003-07-14 21:44:32 88,128 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLMIME.DLL

+ 2003-07-14 21:45:18 196,152 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLOOK.EXE

+ 2003-07-14 21:43:48 139,320 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLPH.DLL

+ 2003-07-14 21:43:18 64,056 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLRPC.DLL

+ 2003-07-14 21:43:16 49,208 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLWAB.DLL

+ 2003-08-01 14:09:04 8,086,072 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OWC11.DLL

+ 2003-07-30 11:40:40 6,133,312 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\POWERPNT.EXE

+ 2003-07-15 02:18:54 430,136 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\PP4X322.DLL

+ 2003-07-15 02:18:44 93,752 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\PP7X32.DLL

+ 2003-07-31 14:21:08 1,782,840 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\PPTVIEW.EXE

+ 2003-07-14 21:42:26 37,432 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\RECALL.DLL

+ 2003-05-08 20:54:00 77,824 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\REFEDIT.DLL

+ 2003-07-14 21:57:08 40,512 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\REFIEBAR.DLL

+ 2003-07-14 21:43:30 74,288 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\RM.DLL

+ 2003-07-21 10:46:38 390,712 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\RTFHTML.DLL

+ 2003-07-14 21:44:16 66,616 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\SENDTO.DLL

+ 2003-07-14 21:57:08 58,944 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\SEQCHK10.DLL

+ 2003-07-14 21:53:14 11,848 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\SMARTTAGINSTALL.EXE

+ 2003-08-03 09:52:32 2,808,376 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\STSLIST.DLL

+ 2003-07-14 22:00:22 99,904 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\TRANSMGR.DLL

+ 2003-07-03 14:19:36 2,502,656 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\VBE6.DLL

+ 2006-09-19 13:18:27 64,088 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\VBIDEPIA.DLL

+ 2003-08-06 12:24:20 12,037,688 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\WINWORD.EXE

- 2006-09-30 16:37:08 12,288 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2008-11-07 08:18:31 12,288 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

- 2006-09-30 16:37:08 135,168 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2008-11-07 08:18:31 135,168 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2006-09-30 16:37:08 11,264 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

+ 2008-11-07 08:18:31 11,264 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2006-09-30 16:37:08 27,136 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2008-11-07 08:18:31 27,136 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2006-09-30 16:37:08 4,096 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2008-11-07 08:18:31 4,096 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2006-09-30 16:37:08 794,624 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2008-11-07 08:18:31 794,624 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2006-09-30 16:37:08 249,856 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2008-11-07 08:18:31 249,856 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2006-09-30 16:37:08 23,040 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

+ 2008-11-07 08:18:31 23,040 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2006-09-30 16:37:08 286,720 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2008-11-07 08:18:31 286,720 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2006-09-30 16:37:08 409,600 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2008-11-07 08:18:31 409,600 ----a-r c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

- 2003-08-03 09:56:16 1,146,184 ------w c:\windows\system32\FM20.DLL

+ 2007-06-06 10:53:34 1,195,888 ----a-w c:\windows\system32\FM20.DLL

- 2003-07-14 21:57:04 32,584 ----a-w c:\windows\system32\FM20ENU.DLL

+ 2007-03-22 19:17:04 35,440 ----a-w c:\windows\system32\FM20ENU.DLL

- 2008-11-02 17:03:03 356,160 ----a-w c:\windows\system32\FNTCACHE.DAT

+ 2008-11-07 11:59:52 356,160 ----a-w c:\windows\system32\FNTCACHE.DAT

- 2003-06-18 16:31:48 17,920 ----a-w c:\windows\system32\mdimon.dll

+ 2007-04-09 13:23:54 28,040 ----a-w c:\windows\system32\mdimon.dll

+ 2008-07-18 22:07:54 210,976 ----a-w c:\windows\system32\muweb.dll

- 2003-06-18 16:31:44 758,784 ----a-w c:\windows\system32\spool\drivers\w32x86\3\mdigraph.dll

+ 2007-04-09 13:24:04 758,664 ----a-w c:\windows\system32\spool\drivers\w32x86\3\mdigraph.dll

- 2003-06-18 16:31:46 35,328 ----a-w c:\windows\system32\spool\drivers\w32x86\3\mdiui.dll

+ 2007-04-09 13:23:58 46,472 ----a-w c:\windows\system32\spool\drivers\w32x86\3\mdiui.dll

- 2003-06-18 16:31:44 758,784 ----a-w c:\windows\system32\spool\drivers\w32x86\mdigraph.dll

+ 2007-04-09 13:24:04 758,664 ----a-w c:\windows\system32\spool\drivers\w32x86\mdigraph.dll

- 2003-06-18 16:31:46 35,328 ----a-w c:\windows\system32\spool\drivers\w32x86\mdiui.dll

+ 2007-04-09 13:23:58 46,472 ----a-w c:\windows\system32\spool\drivers\w32x86\mdiui.dll

- 2003-06-18 16:31:48 18,944 ----a-w c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll

+ 2007-04-09 13:23:54 28,552 ----a-w c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-05 7323648]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-01-05 86016]

"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-08 57344]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]

"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-28 188416]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-04-27 26112]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-11-14 286720]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-25 28672]

"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 90112]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2007-08-25 714608]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"Vade Retro Outlook Express"="c:\progra~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe" [2004-10-04 310272]

"Device Detector"="c:\program files\Common Files\ACD Systems\EN\DevDetect.exe" [2004-09-02 221184]

"nwiz"="nwiz.exe" [2006-01-05 c:\windows\system32\nwiz.exe]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]

"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 c:\windows\RTHDCPL.EXE]

"SMSERIAL"="sm56hlpr.exe" [2005-10-18 c:\windows\sm56hlpr.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

"msacm.mpegacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\mpegacm.acm

"VIDC.ACDV"= ACDV.dll

 

[HKLM\~\startupfolder\D:^Documents and Settings^halibut^Start Menu^Programs^Startup^ChaosPro Help.lnk]

path=d:\documents and settings\halibut\Start Menu\Programs\Startup\ChaosPro Help.lnk

backup=c:\windows\pss\ChaosPro Help.lnkStartup

 

[HKLM\~\startupfolder\D:^Documents and Settings^halibut^Start Menu^Programs^Startup^ChaosPro.lnk]

path=d:\documents and settings\halibut\Start Menu\Programs\Startup\ChaosPro.lnk

backup=c:\windows\pss\ChaosPro.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AOL 9.0\\aol.exe"=

"c:\\Program Files\\AOL 9.0\\waol.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%ProgramFiles%\\AOL 9.0\\aol.exe"=

"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=

"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=

"%windir%\\system32\\sessmgr.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)

"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)

"6346:TCP"= 6346:TCP:Gnutella

 

R2 cvintdrv;cvintdrv;c:\windows\system32\drivers\cvintdrv.sys [2004-07-26 7140]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]

R3 3xHybrid;3xHybrid service;c:\windows\system32\DRIVERS\3xHybrid.sys [2005-05-27 799744]

R3 X10Hid;X10 Hid Device;c:\windows\system32\Drivers\x10hid.sys [2005-11-28 7040]

S3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]

S3 USB28xxBGA;WinTV HVR-900;c:\windows\system32\DRIVERS\emBDA.sys [2006-06-06 281600]

S3 USB28xxOEM;WinTV OEM Filter;c:\windows\system32\DRIVERS\emOEM.sys [2006-06-01 21376]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22693ef6-a4e4-11dc-8170-00038a000015}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22693ef8-a4e4-11dc-8170-00038a000015}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{314f4780-a59d-11dc-8179-0014857c1834}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2754833-a548-11dc-8173-0014857c1834}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f79ef5fc-a278-11dc-8167-00038a000015}]

\Shell\AutoRun\command - J:\AutoRun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f79ef5fe-a278-11dc-8167-00038a000015}]

\Shell\AutoRun\command - J:\AutoRun.exe

.

Contents of the 'Scheduled Tasks' folder

 

2008-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

 

2008-10-27 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - halibut.job

- c:\program files\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-07 12:30:58

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-11-07 12:31:58

ComboFix-quarantined-files.txt 2008-11-07 12:31:50

ComboFix2.txt 2008-11-06 17:03:38

ComboFix3.txt 2008-11-06 14:17:28

ComboFix4.txt 2008-11-05 17:51:08

 

Pre-Run: 13,349,634,048 bytes free

Post-Run: 13,400,567,808 bytes free

 

444 --- E O F --- 2008-11-07 12:08:11

 

 

HIJACK REPORT

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:34:56, on 07/11/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\CDBurnerXP\NMSAccess.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\RTHDCPL.EXE

C:\apps\ABoard\ABoard.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

C:\apps\ABoard\AOSD.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

C:\WINDOWS\sm56hlpr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe

C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\imapi.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll

O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"

O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Vade Retro Outlook Express] "C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe"

O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Readme.lnk = C:\Program Files\ChaosPro3.2\Readme.txt

O8 - Extra context menu item: &Search - ?p=ZUfox000

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/stg_drm.ocx

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1225998754234

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Jigsaw%20Puzzle%20Platinum/Images/armhelper.ocx

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

 

--

End of file - 10712 bytes

 

Many thanks.

 

Sue


Looks much better :) How's the system running?


Hi Blade

 

The computer is running much better, thank you. Did you find some nasties in the previous reports? I have just run Ad-aware again and it is still throwing up a report at the cookies. Below is a part of the Ad-aware report referring to the 'unhandled exception' (aawservice.exe) -

 

Process 00000734: aawservice.exe

Current Memory usage : 161300 kb

Memory usage peak : 208292 kb

Current Paged Pool usage : 127 kb

Paged Pool usage peak : 155 kb

Current Non-Paged Pool usage : 3 kb

Non-Paged Pool usage peak : 5 kb

Current Page file usage : 190576 kb

Page file usage peak : 221936 kb

Page Faults : 254660

 

Module list

Module at 0x00400000: aawservice.exe

Module at 0x7c900000: ntdll.dll

Module at 0x7c800000: kernel32.dll

Module at 0x10000000: CEAPI.dll

Module at 0x78050000: WININET.dll

Module at 0x77c10000: msvcrt.dll

Module at 0x77f60000: SHLWAPI.dll

Module at 0x77dd0000: ADVAPI32.dll

Module at 0x77e70000: RPCRT4.dll

Module at 0x77f10000: GDI32.dll

Module at 0x7e410000: USER32.dll

Module at 0x00350000: Normaliz.dll

Module at 0x78000000: iertutil.dll

Module at 0x71ab0000: WS2_32.dll

Module at 0x71aa0000: WS2HELP.dll

Module at 0x004a0000: PKArchive85u.dll

Module at 0x7c9c0000: SHELL32.dll

Module at 0x774e0000: ole32.dll

Module at 0x77a80000: CRYPT32.dll

Module at 0x77b20000: MSASN1.dll

Module at 0x76f60000: WLDAP32.dll

Module at 0x76bf0000: PSAPI.DLL

Module at 0x77c00000: VERSION.dll

Module at 0x769c0000: USERENV.dll

Module at 0x76390000: IMM32.DLL

Module at 0x629c0000: LPK.DLL

Module at 0x74d90000: USP10.dll

Module at 0x773d0000: comctl32.dll

Module at 0x5d090000: comctl32.dll

Module at 0x0ffd0000: rsaenh.dll

 

All the best.

 

Sue


Hi again Sue,

 

 

Couldn't spot anything else there. Most cookies are quite harmless. However, if you want to get rid of most of them I recommend installing a hosts file. Instructions for that a bit later. Let's do one more scan before it :)

 

 

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file & a fresh hjt log in your next reply.


Hi Blade :angry:

 

Regarding the 'unhandled exception' - when Ad-aware gets to that point in the scan and pops up a report, the scan will not continue and freezes. I tend to use both Ad-aware and Spybot (plus Norton). Can you recommend any freeware checkers if I cannot use Ad-aware?

 

Anyway, the reports are below:

 

MALWARE REPORT

 

Malwarebytes' Anti-Malware 1.30

Database version: 1373

Windows 5.1.2600 Service Pack 2

 

07/11/2008 22:54:29

mbam-log-2008-11-07 (22-54-29).txt

 

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 196652

Time elapsed: 45 minute(s), 9 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\System Volume Information\_restore{5FED904E-6E1E-4B49-8681-D5C017BB5784}\RP542\A0204171.exe (Trojan.Multis) -> Quarantined and deleted successfully.

C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

 

HIJACK REPORT

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:56:23, on 07/11/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\CDBurnerXP\NMSAccess.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\eHome\ehSched.exe

C:\apps\ABoard\ABoard.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\apps\ABoard\AOSD.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

C:\WINDOWS\sm56hlpr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe

C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll

O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"

O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Vade Retro Outlook Express] "C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe"

O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Readme.lnk = C:\Program Files\ChaosPro3.2\Readme.txt

O8 - Extra context menu item: &Search - ?p=ZUfox000

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/stg_drm.ocx

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1225998754234

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Jigsaw%20Puzzle%20Platinum/Images/armhelper.ocx

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

 

--

End of file - 10848 bytes

 

Many thanks

 

Sue


Hi

 

Logs look ok.

 

Things that might help with the Ad-Aware issue are:

1) Defragging hard drive before running the scan

2) Reinstalling Ad-Aware

 

Can you recommend any freeware checkers if I cannot use Ad-aware?

You just installed one good antispyware scanner in the form of Malwarebytes' Anti-malware :angry:


Blade - just want to THANK YOU SO MUCH. I really appreciate the time you have taken to sort my computer. I will reinstall Ad-aware and use the new software too. :)

 

All the best.

 

Sue


You're welcome :)

 

Hopefully reinstalling corrects the issue.

 

Let's uninstall ComboFix since it won't be needed anymore:

  • Click START then RUN
  • Now type "c:\downloads\ComboFix.exe" /u in the runbox and click OK


Hi Blade

 

Have uninstalled Combofix as you suggested. Also uninstalled and then installed Ad-aware and it is now running perfectly :)

 

Just before I go, I downloaded an anti-virus software with a very similar name to Ad-aware (thinking it was Ad-aware at the time). It did a scan and apparently found trojans etc and said to open a window etc to continue. Window wouldn't open. Is this sort of thing a con, where they scare you into thinking your computer is infected and then ask for money? Just curious (I've deleted it now by the way).

 

Anyway - thank you, thank you, thank you :)

 

Sue


Glad to hear reinstalling helped :)

 

I downloaded an anti-virus software with a very similar name to Ad-aware (thinking it was Ad-aware at the time). It did a scan and apparently found trojans etc and said to open a window etc to continue. Window wouldn't open. Is this sort of thing a con, where they scare you into thinking your computer is infected and then ask for money?

Can't say for sure without knowing the name, but it might be one of those programs that promise the moon and then turn out to be rogue ones. This list contains rogue software that should be avoided. New ones and clones of old ones keep coming, so I recommend not installing software that you're not sure about.


Hi Blade

 

I hope you don't mind me asking you this, but a problem has occurred when using links. A message comes up saying the following:

 

AcroIEHelpe.dll - add-on was running when problem occurred.

 

I don't know whether it has anything to do with what we were doing recently. Any idea what is causing it? The page doesn't even try to load, just a blank screen, and it stalls. I have to click the close button twice, and then that message occurs.

 

Thank you.

 

Sue


Hi

 

Adobe Reader-related issue, I think.

 

Uninstall Adobe Reader versions and get the latest one here or get Foxit Reader here. If it still doesn't work post a fresh hjt log and exact error message.


Ok, I've checked in Control Panel/add remove and found the following:

 

Adobe flashplayer 9 active x

Adobe flash player active x

Adobe flashplayer plug in

 

In Programs on the Start menu there is Adobe Acrobat Reader 2.1, but I can't find a way to uninstall it. I'm a little confused.

 

Sue


Grrrr! - very frustrating. I installed Adobe Reader from the link and, after a good percentage of it had installed, an error message flashed up saying it was incomplete and to try again later.

 

I’ll explain the error message I am getting when trying to bring up a link:

 

A box appears and says:

 

INTERNET EXPLORER

 

Internet Explorer has encountered a problem with an add-on and needs to close

 

 

The following add-on was running when this problem occurred:

 

Add-on Name : AcroIEHelpe.dll

Company Name : (not verified) Adobe Systems Incorporated

Description: AcroIEHelpe.dll

-------------------------------------------------------------------------------------------------------

After that I have to close it, and Windows pops up an error report.

 

Anyway, below is the latest Hijack report.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 02:54:33, on 13/11/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\CDBurnerXP\NMSAccess.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

c:\windows\ehome\ehtray.exe

c:\program files\intel\intel matrix storage manager\iaanotif.exe

c:\windows\rthdcpl.exe

c:\apps\aboard\aboard.exe

c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe

C:\WINDOWS\eHome\ehmsas.exe

c:\program files\real\realplayer\realplay.exe

c:\program files\common files\microsoft shared\works shared\wkufind.exe

c:\program files\common files\ulead systems\autodetector\monitor.exe

C:\apps\ABoard\AOSD.exe

c:\program files\common files\symantec shared\ccsvchst.exe

c:\program files\java\jre1.6.0_07\bin\jusched.exe

c:\program files\common files\acd systems\en\devdetect.exe

c:\windows\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

c:\windows\system32\wuauclt.exe

C:\WINDOWS\system32\ntvdm.exe

c:\program files\trend micro\hijackthis\hijackthis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Adobe PDF Reader Link Helper - {B782EDE4-CCB3-4E3E-981F-96C68116F38C} - C:\WINDOWS\system32\AcroIEHelpe.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll

O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"

O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Device Detector] "c:\program files\common files\acd systems\en\devdetect.exe" -autorun

O4 - HKLM\..\Run: [MSConfig] c:\windows\pchealth\helpctr\binaries\msconfig.exe /auto

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: &Search - ?p=ZUfox000

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20China/Images/stg_drm.ocx

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1225998754234

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Jigsaw%20Puzzle%20Platinum/Images/armhelper.ocx

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

 

--

End of file - 9692 bytes

 

Apologies – but it’s driving me bananas.

 

Sue


Hi

 

Start hjt, do a system scan, check:

O2 - BHO: Adobe PDF Reader Link Helper - {B782EDE4-CCB3-4E3E-981F-96C68116F38C} - C:\WINDOWS\system32\AcroIEHelpe.dll

 

Delete C:\WINDOWS\system32\AcroIEHelpe.dll file.

 

Reboot and post a fresh hjt log.

 

It's recommended you change all your online passwords through some other system, since that item seems to be a password stealer.
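The advice above rests on two observations a reader can make from the log itself: the flagged BHO's file name, AcroIEHelpe.dll, is one letter short of the legitimate AcroIEHelper.dll that Acrobat 7.0 registers from its own directory, and it sits in C:\WINDOWS\system32 rather than under an Adobe program folder. The Python script below, an added example that is not code from this thread, from HijackThis or from the forum helper, automates that triage over the O2 lines quoted from the log. The allowlist of known BHO file names, the difflib similarity threshold and the system-directory rule are assumptions a defender would tune for their own environment.

```python
"""Triage the O2 (Browser Helper Object) lines of a HijackThis log.

Added example for this thread, not HijackThis code. The sample lines
below are copied from the log posted above; the allowlist, threshold
and system-directory rule are assumptions to be tuned per environment.
"""
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# O2 line shape:  O2 - BHO: <name> - {<CLSID>} - <dll path>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)\s*$"
)

# Assumption: lower-case file names of BHOs already vetted as legitimate
# on this machine. Only names that appear in the thread's log are listed.
KNOWN_BHO_FILES = {"acroiehelper.dll", "ipsbho.dll", "ssv.dll",
                   "googletoolbar1.dll", "iefdm2.dll", "asksbar.dll"}

# A third-party BHO normally lives under its product directory; one
# dropped straight into a Windows system directory deserves a look.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")

# Assumed threshold: an unknown file name this similar to an allowlisted
# one is reported as a lookalike rather than merely "unknown".
LOOKALIKE_RATIO = 0.85

# Constructed sample: O2/O3 lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {B782EDE4-CCB3-4E3E-981F-96C68116F38C} - C:\WINDOWS\system32\AcroIEHelpe.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
"""


@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)


def parse_o2_lines(log_text: str):
    """Yield (name, clsid, path) for every O2 line; other line types are skipped."""
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            yield m.group("name"), m.group("clsid"), m.group("path")


def closest_known(basename: str):
    """Return (known_name, ratio) for the allowlisted name most similar to basename."""
    best, best_ratio = None, 0.0
    for known in KNOWN_BHO_FILES:
        ratio = SequenceMatcher(None, basename, known).ratio()
        if ratio > best_ratio:
            best, best_ratio = known, ratio
    return best, best_ratio


def triage_bhos(log_text: str):
    """Return a Finding for each O2 entry whose file is not on the allowlist."""
    findings = []
    for name, _clsid, path in parse_o2_lines(log_text):
        basename = PureWindowsPath(path).name.lower()
        if basename in KNOWN_BHO_FILES:
            continue
        reasons = []
        known, ratio = closest_known(basename)
        if ratio >= LOOKALIKE_RATIO:
            reasons.append(f"file name is a lookalike of {known} (ratio {ratio:.2f})")
        else:
            reasons.append("file name not on the allowlist")
        if path.lower().startswith(SYSTEM_DIRS):
            reasons.append("third-party BHO loaded from a Windows system directory")
        findings.append(Finding(name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_bhos(SAMPLE_LOG):
        print(f"{f.name}\n  {f.path}")
        for reason in f.reasons:
            print(f"  - {reason}")
```

Run as-is, the script reports exactly one entry, the Adobe PDF Reader Link Helper in system32, with both reasons attached; every other BHO in the log matches the allowlist by exact file name. The lookalike rule is the useful part: an allowlist on its own would only say "unknown", whereas the similarity score tells the analyst which legitimate component the file is impersonating and therefore where to look for the genuine copy.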
