combofix for friend

K

koolkid12349

New Member
ComboFix 08-04-26.5 - Chris Scanlon 2008-04-27 14:49:55.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.316 [GMT -4:00]
Running from: C:\Documents and Settings\Chris Scanlon\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\XP Antivirus
C:\Program Files\XP Antivirus\xpa .exe
C:\temp\tn3
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\TEMP\600.exe
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_NWSAPAGENT
-------\Service_6to4
-------\Service_NwSapAgent


((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-27 14:58 . 2008-04-27 14:58 <DIR> d-------- C:\Temp\tn3
2008-04-27 02:34 . 2008-04-27 02:41 <DIR> d-------- C:\Program Files\Acoustica Mixcraft 4
2008-04-26 23:17 . 2008-01-11 17:39 145,408 --a------ C:\WINDOWS\system32\ZuneMTPZ.dll
2008-04-26 23:17 . 2008-01-11 17:39 70,656 --a------ C:\WINDOWS\system32\ZuneIpTransport.dll
2008-04-26 23:17 . 2008-01-11 17:39 62,464 --a------ C:\WINDOWS\system32\ZuneUsbTransport.dll
2008-04-26 23:17 . 2008-01-11 17:39 35,840 --a------ C:\WINDOWS\system32\ZuneUsbCOnnection.dll
2008-04-20 19:35 . 2008-04-20 19:35 <DIR> d-------- C:\Program Files\AIM Search
2008-04-17 22:22 . 2008-04-17 22:23 <DIR> d-------- C:\Program Files\Magic Video Converter
2008-04-17 22:22 . 2003-03-19 11:03 544,768 --a------ C:\WINDOWS\system32\msvcr71d.dll
2008-04-15 20:14 . 2008-04-15 20:14 <DIR> d-------- C:\Program Files\DAP
2008-04-15 20:14 . 2008-04-15 20:14 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-04-15 20:14 . 2008-04-15 20:14 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-04-15 20:14 . 2008-04-15 20:14 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-04-14 18:50 . 2008-04-14 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SwiftKit
2008-04-14 18:38 . 2008-04-14 18:38 <DIR> d-------- C:\Program Files\Ascentive
2008-04-14 18:38 . 2008-04-14 18:38 <DIR> d-------- C:\Documents and Settings\Chris Scanlon\Application Data\InstallShield
2008-04-14 18:38 . 2007-08-10 12:56 303,104 --a------ C:\WINDOWS\system32\ciplListBar.ocx
2008-04-14 18:38 . 2008-03-12 14:13 208,896 --a------ C:\WINDOWS\system32\ConTest.dll
2008-04-14 18:38 . 2007-08-10 12:56 155,648 --a------ C:\WINDOWS\system32\ciplImageList.ocx
2008-04-02 13:58 . 2008-04-02 13:58 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-04-02 13:02 . 2008-04-13 14:22 <DIR> d-------- C:\Program Files\HyCam2
2008-04-02 01:51 . 2008-04-02 01:51 <DIR> d-------- C:\Documents and Settings\Chris Scanlon\Application Data\acccore
2008-04-02 01:47 . 2008-04-20 19:35 <DIR> d-------- C:\Program Files\AIM6
2008-04-02 01:47 . 2008-04-20 19:35 1,003 --ah----- C:\IPH.PH
2008-03-27 23:46 . 2008-03-27 23:46 <DIR> d-------- C:\Program Files\uTorrent
2008-03-27 23:46 . 2008-04-21 16:14 <DIR> d-------- C:\Documents and Settings\Chris Scanlon\Application Data\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 18:58 167,545 ----a-w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-04-27 18:44 --------- d-----w C:\Program Files\BellSouth Internet Tools
2008-04-27 17:21 --------- d-----w C:\Documents and Settings\Chris Scanlon\Application Data\teamspeak2
2008-04-27 16:31 --------- d-----w C:\Program Files\AIMTunes
2008-04-27 06:41 --------- d-----w C:\Program Files\Acoustica Shared Effects
2008-04-27 03:22 --------- d-----w C:\Documents and Settings\Chris Scanlon\Application Data\LimeWire
2008-04-27 03:18 --------- d-----w C:\Program Files\Zune
2008-04-20 23:42 --------- d-----w C:\Program Files\LimeWire
2008-04-20 19:28 --------- d-----w C:\Program Files\NCH Swift Sound
2008-04-20 19:28 --------- d-----w C:\Documents and Settings\Chris Scanlon\Application Data\NCH Swift Sound
2008-04-16 00:14 --------- d-----w C:\Program Files\Google
2008-04-14 22:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-03 06:37 7,606 ----a-w C:\Documents and Settings\Chris Scanlon\Application Data\wklnhst.dat
2008-04-02 05:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-25 19:48 --------- d-----w C:\Program Files\Java
2008-03-16 19:08 --------- d-----w C:\Documents and Settings\Chris Scanlon\Application Data\Move Networks
2008-03-10 21:39 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-03 02:17 --------- d-----w C:\Program Files\Unity
2008-03-02 19:01 --------- d-----w C:\Program Files\GoldWave
2008-03-02 18:46 --------- d-----w C:\Program Files\Acoustica Spin It Again
2008-02-29 04:29 --------- d-----w C:\Program Files\iTunes
2008-02-29 04:29 --------- d-----w C:\Program Files\iPod
2008-02-21 01:57 60,968 ----a-w C:\Documents and Settings\Lisa Scanlon\GoToAssistDownloadHelper.exe
2008-01-28 02:22 14,336 ----a-w C:\Documents and Settings\Chris Scanlon\Application Data\nuupo .exe
2008-01-27 04:09 34,816 ----a-w C:\info.exe
2008-01-20 23:48 489,984 ----a-w C:\Documents and Settings\Chris Scanlon\installer.exe
2008-01-14 23:47 10 ----a-w C:\Program Files\.autoreg
2008-01-06 08:44 19,456 ----a-w C:\Documents and Settings\Chris Scanlon\Application Data\yuj.exe
2008-01-06 08:44 19,456 ----a-w C:\Documents and Settings\Chris Scanlon\Application Data\qbdsqxfkb.exe
2008-01-06 08:44 19,456 ----a-w C:\Documents and Settings\Chris Scanlon\Application Data\hsqt.exe
2007-12-13 21:31 75,232 ----a-w C:\Documents and Settings\Chris Scanlon\Application Data\GDIPFONTCACHEV1.DAT
2007-08-06 17:12 10,385,200 ----a-w C:\Documents and Settings\Chris Scanlon\HC41Installer.exe
2007-08-06 04:32 212,849 ----a-w C:\Program Files\hijackthis.zip
2007-05-20 18:01 0 ----a-w C:\Documents and Settings\Chris Scanlon\HC4Installer.exe
2007-05-20 01:17 628 ----a-w C:\Documents and Settings\Sean Scanlon\Application Data\wklnhst.dat
2006-12-06 03:14 1,178 ----a-w C:\Documents and Settings\Lisa Scanlon\Application Data\wklnhst.dat
2006-05-07 06:05 251 -c--a-w C:\Program Files\wt3d.ini
2006-05-16 02:08 56 -csh--r C:\WINDOWS\system32\DA7BA0A167.sys
2006-05-16 02:08 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
Code: 
<pre>
----a-w            14,336 2008-01-28 02:22:34  C:\Documents and Settings\Chris Scanlon\Application Data\nuupo .exe
----a-w         6,382,974 2008-01-13 06:38:07  C:\Documents and Settings\Chris Scanlon\Shared\MPEG AVI to DVD VCD SVCD Converter Pro Full Version Cucusoft\Cucusoft Apple TV Video Converter .exe
----a-w            50,528 2008-01-16 22:37:30  C:\Program Files\AOL 9.1\AOL .EXE
----a-w            24,592 2008-01-17 22:37:06  C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager .exe
----a-w            24,592 2008-01-26 01:26:00  C:\Program Files\BellSouth Internet Tools\blsloader .exe
----a-w            41,824 2008-01-17 02:51:35  C:\Program Files\Common Files\AOL\1149387323\ee\AOLSoftware .exe
----a-w            71,216 2008-01-17 22:37:09  C:\Program Files\Common Files\AOL\ACS\AOLDial .exe
----a-w            24,592 2008-01-16 01:31:37  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w            36,040 2008-01-17 02:49:58  C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
----a-w            24,592 2008-01-17 02:49:30  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            24,592 2008-01-16 01:31:30  C:\Program Files\Creative\VoiceCenter\AndreaVC .exe
----a-w           460,784 2008-01-26 02:34:41  C:\Program Files\DellSupport\DSAgnt .exe
----a-w            61,440 2008-01-19 01:48:15  C:\Program Files\Dot1XCfg\Dot1XCfg .exe
----a-w           171,448 2008-01-16 01:32:21  C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
----a-w            24,592 2008-01-17 02:49:25  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w            24,592 2008-01-16 01:31:30  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w           176,128 2008-01-19 01:48:10  C:\Program Files\Internet Explorer\5384 .EXE
----a-w           267,048 2008-02-01 01:10:55  C:\Program Files\iTunes\iTunesHelper .exe
----a-w           132,496 2008-01-18 19:17:00  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w            24,592 2008-01-14 23:37:47  C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
----a-w            24,592 2008-01-17 22:37:06  C:\Program Files\Logitech\Video\LogiTray .exe
----a-w           196,608 2008-01-30 03:30:53  C:\Program Files\Logitech\Video\ManifestEngine .exe
----a-w         1,694,208 2008-01-30 03:30:46  C:\Program Files\Messenger\msmsgs .exe
----a-w            24,592 2008-01-17 02:49:23  C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot .exe
----a-w            24,592 2008-01-17 02:49:32  C:\Program Files\NCH Swift Sound\RecordPad\recordpad .exe
----a-w           385,024 2008-02-01 01:10:55  C:\Program Files\QuickTime\qttask    .exe
----a-w         1,318,912 2008-01-14 23:37:52  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w            24,592 2008-01-17 02:49:23  C:\Program Files\Support.com\BellSouth\hcenter .exe
----a-w           166,304 2008-01-21 18:26:22  C:\Program Files\Zune\ZuneLauncher .exe
----a-w            24,592 2008-01-16 01:31:24  C:\WINDOWS\ehome\ehtray .exe
----a-w           839,685 2008-01-17 22:37:23  C:\WINDOWS\Fonts\svchost .exe
----a-w            24,592 2008-01-16 01:31:27  C:\WINDOWS\system32\hkcmd .exe
----a-w            50,688 2008-02-03 23:10:06  C:\WINDOWS\system32\ieupdates .exe
----a-w            24,592 2008-01-16 01:31:26  C:\WINDOWS\system32\igfxpers .exe
----a-w            24,592 2008-01-16 01:31:24  C:\WINDOWS\system32\igfxtray .exe
----a-w            24,592 2008-01-17 02:49:22  C:\WINDOWS\system32\LVCOMSX .EXE
----a-w         1,478,612 2008-01-17 22:37:21  C:\WINDOWS\system32\updater\explorer .exe
</pre>


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 1,896,448 2006-01-10 21:56:58 C:\Program Files\BellSouth\Alert Manager\bak\BellSouthAlertManager.exe

----a-w 86,016 2006-03-27 22:55:43 C:\Program Files\BellSouth Internet Tools\bak\blsloader.exe

----a-w 50,736 2006-09-26 00:52:48 C:\Program Files\Common Files\AOL\1149387323\ee\bak\AOLSoftware.exe

----a-r 71,216 2006-10-23 12:50:37 C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe

----a-w 81,920 2005-06-10 16:44:02 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 180,269 2006-08-06 06:07:05 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 1,159,168 2005-02-23 17:08:50 C:\Program Files\Creative\VoiceCenter\bak\AndreaVC.exe

----a-w 49,152 2004-09-13 20:49:00 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 221,184 2003-09-04 02:12:44 C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe

----a-w 132,496 2007-07-12 08:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
----a-w 24,592 2007-09-26 20:46:04 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

----a-w 67,128 2007-02-27 05:26:37 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe

----a-w 458,752 2005-06-08 19:24:32 C:\Program Files\Logitech\Video\bak\ISStart.exe

----a-w 217,088 2005-06-08 19:14:44 C:\Program Files\Logitech\Video\bak\LogiTray.exe

----a-w 8,192 2005-10-06 14:34:18 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe

----a-w 512,004 2007-09-10 02:13:03 C:\Program Files\NCH Swift Sound\RecordPad\bak\recordpad.exe

----a-w 98,304 2005-11-19 02:05:36 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 385,024 2008-02-01 04:13:08 C:\Program Files\QuickTime\QTTask.exe

----a-w 1,318,912 2007-06-21 18:06:28 C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe
----a-w 1,318,912 2007-06-21 19:06:28 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

----a-w 1,277,952 2005-08-31 19:14:52 C:\Program Files\Support.com\BellSouth\bak\hcenter.exe

----a-w 376,832 2007-09-11 09:31:36 C:\QooBox\Quarantine\C\Program Files\ISM\bak\ISMModule4.exe.vir
----a-w 24,592 2007-09-26 20:46:04 C:\QooBox\Quarantine\C\Program Files\ISM\ISMModule4.exe.vir

----a-w 189,009 2008-01-05 03:22:28 C:\QooBox\Quarantine\C\Program Files\ISM\bak\synupd.exe.vir

----a-w 200,763 2007-12-29 23:25:27 C:\QooBox\Quarantine\C\Program Files\ISM2\bak\cringupd.exe.vir

----a-w 335,872 2007-09-21 16:18:02 C:\QooBox\Quarantine\C\Program Files\ISM2\bak\ISMPack5.exe.vir
----a-w 24,592 2007-09-26 20:46:04 C:\QooBox\Quarantine\C\Program Files\ISM2\ISMPack5.exe.vir

----a-w 64,512 2005-08-05 19:56:34 C:\WINDOWS\ehome\bak\ehtray.exe

----a-w 77,824 2005-04-05 12:19:18 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 114,688 2005-04-05 12:23:14 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 94,208 2005-04-05 12:22:32 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 221,184 2005-07-19 21:32:18 C:\WINDOWS\system32\bak\LVCOMSX.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22}]
2008-03-25 16:49 111968 --a------ C:\Program Files\AIM Search\AOLSearch.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C835EC2A-1D13-43A9-4CAB-69D5BC5B0D5A}]
C:\Program Files\MSN\quzajeciv396.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [ ]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [ ]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"Cxnqs"="C:\Documents and Settings\Chris Scanlon\Application Data\M?crosoft.NET\d?xplore.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 15:06 1318912]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]
"QdrModule9"="C:\Program Files\QdrModule\QdrModule9.exe" [ ]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]
"Router"="C:\Program Files\Router\Router.exe" [ ]
"Uaol"="C:\PROGRA~1\RACLE~1\explorer.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 16:21 50528]
"Performance Center"="C:\Program Files\Ascentive\Performance Center\ApcMain.exe" [2008-03-13 17:35 3239936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"A8AAAAB2ACAEB2B7B"="9092929A94969A9.exe" [2007-12-14 08:40 120832 C:\WINDOWS\system32\9092929A94969A9.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2008-01-11 17:54 166304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 2008-02-20 21:57 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lisa Scanlon^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Lisa Scanlon\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8fPfHq5]
C:\WINDOWS\ogrycvw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A8AAAAB2ACAEB2B7B]
--a------ 2007-12-14 08:40 120832 C:\WINDOWS\system32\9092929A94969A9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BellSouthAlertManager.exe]
C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\blspcloader]
C:\Program Files\BellSouth Internet Tools\blsloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleUpdate]
C:\Program Files\Internet Explorer\5384.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1149387323\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\pmnno.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
C:\Program Files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordPadRun]
C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\BellSouth\hcenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Updater]
C:\WINDOWS\system32\updater\explorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-01-11 17:54 166304 c:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Gh'þ9Óœû3rÅWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Gh'þ9Óœû3rÅWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Gh'þ9Óœû3rÅWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Gh'þ9Óœû3rÅWC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\ogrycvw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\ogrycvw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\ogrycvw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

R1 beepp;beepp;C:\WINDOWS\system32\drivers\beepp.sys [2008-01-11 16:42]
R2 CKVC;Security Service;C:\WINDOWS\system32\svcd\svchost.exe [2008-01-27 00:09]
R2 hdfile;hdfile;C:\WINDOWS\system32\hdfile.sys [2008-01-23 22:04]
R2 hdport;hdport;C:\WINDOWS\system32\hdport.sys [2008-01-23 22:04]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R2 znntzs;znntzs;C:\WINDOWS\system32\svchost.exe [2004-08-10 07:00]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 17:39]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2008-01-11 17:54]
S3 DISK_DRIVE32;DISK_DRIVE32;C:\DOCUME~1\CHRISS~1\LOCALS~1\Temp\Rar$EX00.532\U1CE\UCE\disk_1024.sys []
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-01-11 17:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
qzbjwn REG_MULTI_SZ qzbjwn
znntzs REG_MULTI_SZ znntzs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 21:29:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 14:58:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\CHRISS~1\LOCALS~1\Temp\qtplugin.log 4158 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> c:\windows\system32\znntzs.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1149387323\ee\AOLDesktop.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-04-27 15:08:49 - machine was rebooted [Chris Scanlon]
ComboFix-quarantined-files.txt 2008-04-27 19:08:19
ComboFix2.txt 2008-02-03 23:52:22
ComboFix3.txt 2008-02-03 23:37:56

Pre-Run: 31,229,177,856 bytes free
Post-Run: 33,682,194,432 bytes free

375 --- E O F --- 2008-04-12 17:06:11
 
hjt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:46 PM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\9092929A94969A9.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AOL\1149387323\ee\AOLDesktop.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: {1A03F196-9617-4CA0-842B-A83CEECB022B} - - (no file)
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
R3 - URLSearchHook: (no name) - _{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: 0 - {C835EC2A-1D13-43A9-4CAB-69D5BC5B0D5A} - C:\Program Files\MSN\quzajeciv396.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [A8AAAAB2ACAEB2B7B] 9092929A94969A9.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Cxnqs] "C:\Documents and Settings\Chris Scanlon\Application Data\M?crosoft.NET\d?xplore.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [QdrModule9] "C:\Program Files\QdrModule\QdrModule9.exe"
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [Uaol] "C:\PROGRA~1\RACLE~1\explorer.exe" -vt ndrv
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\ApcMain.exe -m
O4 - Startup: AOL Desktop.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZZ
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.ciscering.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Security Service (CKVC) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9333 bytes
 
This system is very badly infected.

Your log reveals a backdoor trojan. These can severely compromise personal information which could lead to identity theft.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC may already be compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If this were my PC, I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

If you wish to proceed with the disinfection, I strongly suggest you install the Recovery Console, as removing malware from a system this badly infected may have unforeseen consequences. Please see the guide at http://www.bleepingcomputer.com/tutorials/tutorial117.html for detailed instructions.

Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix

You may wish to print out these instructions or copy them to a notepad document since you will be unable to access the Internet while in Safe Mode to read from this site.

Please then reboot your computer in Safe Mode (tap F8 just before Windows starts to load and select Safe Mode from the list).
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Paste the contents of the Report.txt back on the forum in your next reply



  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: 
    File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\Documents and Settings\Chris Scanlon\Application Data\nuupo .exe
C:\info.exe
C:\Documents and Settings\Chris Scanlon\installer.exe
C:\Documents and Settings\Chris Scanlon\Application Data\yuj.exe
C:\Documents and Settings\Chris Scanlon\Application Data\qbdsqxfkb.exe
C:\Documents and Settings\Chris Scanlon\Application Data\hsqt.exe
C:\Program Files\wt3d.ini
C:\Program Files\Internet Explorer\5384 .EXE
C:\WINDOWS\system32\ieupdates .exe
C:\WINDOWS\system32\9092929A94969A9.exe
C:\WINDOWS\system32\drivers\beepp.sys
c:\windows\system32\znntzs.dll
C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager .exe
C:\Program Files\BellSouth Internet Tools\blsloader .exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Creative\VoiceCenter\AndreaVC .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
C:\Program Files\Logitech\Video\LogiTray .exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot .exe
C:\Program Files\NCH Swift Sound\RecordPad\recordpad .exe
C:\Program Files\Support.com\BellSouth\hcenter .exe
C:\WINDOWS\ehome\ehtray .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\LVCOMSX .EXE
C:\WINDOWS\system32\hdfile.sys
C:\WINDOWS\system32\hdport.sys

Folder::
C:\Temp\tn3
C:\WINDOWS\Fonts
C:\WINDOWS\system32\updater
C:\Program Files\QuickTime\bak
C:\Program Files\SUPERAntiSpyware\bak
C:\Program Files\QdrModule
C:\Program Files\Dot1XCfg
C:\Program Files\Router

RenV::
C:\Documents and Settings\Chris Scanlon\Shared\MPEG AVI to DVD VCD SVCD Converter Pro Full Version Cucusoft\Cucusoft Apple TV Video Converter .exe
C:\Program Files\AOL 9.1\AOL .EXE
C:\Program Files\Common Files\AOL\1149387323\ee\AOLSoftware .exe
C:\Program Files\Common Files\AOL\ACS\AOLDial .exe
C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
C:\Program Files\DellSupport\DSAgnt .exe
C:\Program Files\Dot1XCfg\Dot1XCfg .exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Logitech\Video\ManifestEngine .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\QuickTime\qttask    .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Zune\ZuneLauncher .exe

AWF::
C:\Program Files\BellSouth\Alert Manager\bak\BellSouthAlertManager.exe
C:\Program Files\BellSouth Internet Tools\bak\blsloader.exe
C:\Program Files\Common Files\AOL\1149387323\ee\bak\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe
C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\Creative\VoiceCenter\bak\AndreaVC.exe
C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe
C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\Video\bak\ISStart.exe
C:\Program Files\Logitech\Video\bak\LogiTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe
C:\Program Files\NCH Swift Sound\RecordPad\bak\recordpad.exe
C:\Program Files\Support.com\BellSouth\bak\hcenter.exe
C:\WINDOWS\ehome\bak\ehtray.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\igfxpers.exe
C:\WINDOWS\system32\bak\igfxtray.exe
C:\WINDOWS\system32\bak\LVCOMSX.EXE

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C835EC2A-1D13-43A9-4CAB-69D5BC5B0D5A}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cxnqs"=-
"QdrModule9"=-
"Dot1XCfg"=-
"Router"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"A8AAAAB2ACAEB2B7B"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8fPfHq5]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A8AAAAB2ACAEB2B7B]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleUpdate]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Gh'þ9Óœû3rÅWC:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Gh'þ9Óœû3rÅWC:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Gh'þ9Óœû3rÅWC:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Gh'þ9Óœû3rÅWC:\Program Files\ISTsvc\istsvc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
qzbjwn=-
znntzs=-

Driver::
beepp
CKVC
hdfile
hdport
znntzs
DISK_DRIVE32
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.


    CFScript.gif



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.

Please post
  • The SDFix log
  • The ComboFix log
  • A new HijackThis log
 
Last edited:
Rebooting

Service hdport - Deleted

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\hdport.sys - Deleted



Folder C:\Program Files\Dot1XCfg - Removed
Folder C:\Temp\tn3 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 22:21:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\Documents and Settings\Chris Scanlon\Local Settings\Temp\qtplugin.log 4158 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 24 Nov 2005 56 A.SHR --- "C:\i386\DA7BA0A167.sys"
Thu 24 Nov 2005 2,516 A.SH. --- "C:\i386\KGyGaAvL.sys"
Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Wed 18 Apr 2007 46,640 A..H. --- "C:\Program Files\AOL 9.0\AOLphx.exe"
Wed 18 Apr 2007 54,832 A..H. --- "C:\Program Files\AOL 9.0\AOLphxex.exe"
Wed 18 Apr 2007 33,328 A..H. --- "C:\Program Files\AOL 9.0\rbm.exe"
Sat 27 Oct 2007 46,432 A..H. --- "C:\Program Files\AOL 9.1\AOLphx.exe"
Sat 27 Oct 2007 54,624 A..H. --- "C:\Program Files\AOL 9.1\AOLphxex.exe"
Sat 27 Oct 2007 33,120 A..H. --- "C:\Program Files\AOL 9.1\rbm.exe"
Mon 15 May 2006 56 ..SHR --- "C:\WINDOWS\system32\DA7BA0A167.sys"
Mon 15 May 2006 3,350 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 30 Nov 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 16 Sep 2004 1,949,696 ...HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\LAUNCHER.EXE"
Thu 16 Sep 2004 53,760 ...HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\MNYINSTA.DLL"
Thu 16 Sep 2004 94,208 ...HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\RMVSUITE.EXE"
Thu 16 Sep 2004 35,328 ...HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\SETUPLNG.DLL"
Thu 16 Sep 2004 20,480 ...HR --- "C:\Program Files\Microsoft Works Suite 2005\Setup\UNREGWTR.EXE"
Mon 29 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 16 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\003bb8bbe9f41a593f54050bf67fed75\BIT3AF.tmp"
Wed 16 Jan 2008 13,133,840 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1ed1b59d1a09d907b309130a93a4867a\BIT399.tmp"
Wed 16 Jan 2008 10,089,488 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5b34e1df94075cd8ea6839a668366d9e\BIT3AA.tmp"
Sun 3 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\927c988306a93278708f61afaae477cc\BITB.tmp
 
ComboFix 08-05-01.3 - 2008-05-06 22:46:58.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.588 [GMT -4:00]
Running from: C:\Documents and Settings\Chris Scanlon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chris Scanlon\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Chris Scanlon\Application Data\hsqt.exe
C:\Documents and Settings\Chris Scanlon\Application Data\nuupo .exe
C:\Documents and Settings\Chris Scanlon\Application Data\qbdsqxfkb.exe
C:\Documents and Settings\Chris Scanlon\Application Data\yuj.exe
C:\Documents and Settings\Chris Scanlon\installer.exe
C:\info.exe
C:\Program Files\BellSouth Internet Tools\blsloader .exe
C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager .exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Creative\VoiceCenter\AndreaVC .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
C:\Program Files\Internet Explorer\5384 .EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
C:\Program Files\Logitech\Video\LogiTray .exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot .exe
C:\Program Files\NCH Swift Sound\RecordPad\recordpad .exe
C:\Program Files\Support.com\BellSouth\hcenter .exe
C:\Program Files\wt3d.ini
C:\WINDOWS\ehome\ehtray .exe
C:\WINDOWS\system32\9092929A94969A9.exe
C:\WINDOWS\system32\drivers\beepp.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\hdfile.sys
C:\WINDOWS\system32\hdport.sys
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\ieupdates .exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\LVCOMSX .EXE
c:\windows\system32\znntzs.dll
C:\WINDOWS\Fonts :#:
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Chris Scanlon\Application Data\hsqt.exe
C:\Documents and Settings\Chris Scanlon\Application Data\nuupo .exe
C:\Documents and Settings\Chris Scanlon\Application Data\qbdsqxfkb.exe
C:\Documents and Settings\Chris Scanlon\Application Data\yuj.exe
C:\Documents and Settings\Chris Scanlon\installer.exe
C:\info.exe
C:\Program Files\BellSouth Internet Tools\blsloader .exe
C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager .exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Creative\VoiceCenter\AndreaVC .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
C:\Program Files\Internet Explorer\5384 .EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
C:\Program Files\Logitech\Video\LogiTray .exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot .exe
C:\Program Files\NCH Swift Sound\RecordPad\recordpad .exe
C:\Program Files\QuickTime\bak
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\SUPERAntiSpyware\bak
C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe
C:\Program Files\Support.com\BellSouth\hcenter .exe
C:\Program Files\wt3d.ini
C:\Program Files\XP Antivirus
C:\Program Files\XP Antivirus\xpa .exe
C:\WINDOWS\ehome\ehtray .exe
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\9092929A94969A9.exe
C:\WINDOWS\system32\drivers\beepp.sys
C:\WINDOWS\system32\drivers\core.cache(10).dsk
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache(5).dsk
C:\WINDOWS\system32\drivers\core.cache(6).dsk
C:\WINDOWS\system32\drivers\core.cache(7).dsk
C:\WINDOWS\system32\drivers\core.cache(8).dsk
C:\WINDOWS\system32\drivers\core.cache(9).dsk
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\hdfile.sys
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\ieupdates .exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\LVCOMSX .EXE
C:\WINDOWS\system32\updater
C:\WINDOWS\system32\updater\explorer .exe
c:\windows\system32\znntzs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_BEEPP
-------\Legacy_CKVC
-------\Legacy_DISK_DRIVE32
-------\Legacy_HDFILE
-------\Legacy_HDPORT
-------\Legacy_NWSAPAGENT
-------\Legacy_ZNNTZS
-------\Service_6to4
-------\Service_beepp
-------\Service_CKVC
-------\Service_DISK_DRIVE32
-------\Service_hdfile
-------\Service_NwSapAgent
-------\Service_znntzs


((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-05-06 22:43 . 2008-05-06 22:44 6,010 --a------ C:\Documents and Settings\Chris Scanlon\CFScript.txt
2008-05-06 22:11 . 2008-05-06 22:12 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-06 22:01 . 2008-05-06 22:28 <DIR> d-------- C:\SDFix
2008-04-29 21:14 . 2008-04-29 21:14 <DIR> d-------- C:\Program Files\Canon
2008-04-29 21:14 . 2008-04-29 21:14 <DIR> d-------- C:\5e1a9adccaf11c7134470508668e0e
2008-04-29 19:10 . 2008-04-29 21:14 <DIR> d-------- C:\RECYCLER(2)
2008-04-27 02:34 . 2008-04-29 21:14 <DIR> d-------- C:\Program Files\Acoustica Mixcraft 4
2008-04-26 23:17 . 2007-11-15 22:51 155,552 --a------ C:\WINDOWS\system32\ZuneMTPZ.dll
2008-04-26 23:17 . 2007-11-15 22:51 80,288 --a------ C:\WINDOWS\system32\ZuneIpTransport.dll
2008-04-26 23:17 . 2007-11-15 22:51 72,608 --a------ C:\WINDOWS\system32\ZuneUsbTransport.dll
2008-04-26 23:17 . 2007-11-15 22:51 45,472 --a------ C:\WINDOWS\system32\ZuneUsbConnection.dll
2008-04-20 19:35 . 2008-04-20 19:35 <DIR> d-------- C:\Program Files\AIM Search
2008-04-17 22:22 . 2008-04-17 22:23 <DIR> d-------- C:\Program Files\Magic Video Converter
2008-04-17 22:22 . 2003-03-19 11:03 544,768 --a------ C:\WINDOWS\system32\msvcr71d.dll
2008-04-15 20:14 . 2008-04-15 20:14 <DIR> d-------- C:\Program Files\DAP
2008-04-15 20:14 . 2008-04-15 20:14 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-04-15 20:14 . 2008-04-15 20:14 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-04-15 20:14 . 2008-04-15 20:14 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-04-14 18:50 . 2008-04-14 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SwiftKit
2008-04-14 18:38 . 2008-04-14 18:38 <DIR> d-------- C:\Program Files\Ascentive
2008-04-14 18:38 . 2008-04-14 18:38 <DIR> d-------- C:\Documents and Settings\Chris Scanlon\Application Data\InstallShield
2008-04-14 18:38 . 2007-08-10 12:56 303,104 --a------ C:\WINDOWS\system32\ciplListBar.ocx
2008-04-14 18:38 . 2008-03-12 14:13 208,896 --a------ C:\WINDOWS\system32\ConTest.dll
2008-04-14 18:38 . 2007-08-10 12:56 155,648 --a------ C:\WINDOWS\system32\ciplImageList.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 02:50 --------- d-----w C:\Program Files\BellSouth Internet Tools
2008-05-07 02:47 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-07 02:47 --------- d-----w C:\Program Files\QuickTime
2008-05-07 02:46 --------- d-----w C:\Program Files\Zune
2008-05-07 02:46 --------- d-----w C:\Program Files\iTunes
2008-05-07 02:46 --------- d-----w C:\Program Files\DellSupport
2008-05-07 02:46 --------- d-----w C:\Program Files\AOL 9.1
2008-05-07 02:31 --------- d-----w C:\Program Files\AIMTunes
2008-05-06 19:28 --------- d-----w C:\Documents and Settings\Chris Scanlon\Application Data\LimeWire
2008-05-04 16:13 --------- d-----w C:\Documents and Settings\Chris Scanlon\Application Data\teamspeak2
2008-04-30 01:14 --------- d-----w C:\Program Files\Acoustica Shared Effects
2008-04-30 00:56 --------- d-----w C:\Program Files\Common Files\Logitech
2008-04-21 20:14 --------- d-----w C:\Documents and Settings\Chris Scanlon\Application Data\uTorrent
2008-04-20 23:42 --------- d-----w C:\Program Files\LimeWire
2008-04-20 23:35 --------- d-----w C:\Program Files\AIM6
2008-04-20 19:28 --------- d-----w C:\Program Files\NCH Swift Sound
2008-04-20 19:28 --------- d-----w C:\Documents and Settings\Chris Scanlon\Application Data\NCH Swift Sound
2008-04-16 00:14 --------- d-----w C:\Program Files\Google
2008-04-14 22:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 18:22 --------- d-----w C:\Program Files\HyCam2
2008-04-03 06:37 7,606 ----a-w C:\Documents and Settings\Chris Scanlon\Application Data\wklnhst.dat
2008-04-02 17:58 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-04-02 05:51 --------- d-----w C:\Documents and Settings\Chris Scanlon\Application Data\acccore
2008-04-02 05:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-28 03:46 --------- d-----w C:\Program Files\uTorrent
2008-03-25 19:48 --------- d-----w C:\Program Files\Java
2008-03-16 19:08 --------- d-----w C:\Documents and Settings\Chris Scanlon\Application Data\Move Networks
2008-02-21 01:57 60,968 ----a-w C:\Documents and Settings\Lisa Scanlon\GoToAssistDownloadHelper.exe
2008-01-14 23:47 10 ----a-w C:\Program Files\.autoreg
2007-12-13 21:31 75,232 ----a-w C:\Documents and Settings\Chris Scanlon\Application Data\GDIPFONTCACHEV1.DAT
2007-08-06 17:12 10,385,200 ----a-w C:\Documents and Settings\Chris Scanlon\HC41Installer.exe
2007-08-06 04:32 212,849 ----a-w C:\Program Files\hijackthis.zip
2007-05-20 18:01 0 ----a-w C:\Documents and Settings\Chris Scanlon\HC4Installer.exe
2007-05-20 01:17 628 ----a-w C:\Documents and Settings\Sean Scanlon\Application Data\wklnhst.dat
2006-12-06 03:14 1,178 ----a-w C:\Documents and Settings\Lisa Scanlon\Application Data\wklnhst.dat
2006-05-16 02:08 56 -csh--r C:\WINDOWS\system32\DA7BA0A167.sys
2006-05-16 02:08 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
Code: 
<pre>
----a-w           839,685 2008-01-17 22:37:23  C:\WINDOWS\Fonts\svchost .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22}]
2008-03-25 16:49 111968 --a------ C:\Program Files\AIM Search\AOLSearch.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [ ]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-27 01:26 67128]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-14 19:37 1318912]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-15 21:32 171448]
"Uaol"="C:\PROGRA~1\RACLE~1\explorer.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 21:10 385024]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 16:21 50528]
"Performance Center"="C:\Program Files\Ascentive\Performance Center\ApcMain.exe" [2008-03-13 17:35 3239936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"A8AAAAB2ACAEB2B7B"="9092929A94969A9.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 21:10 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-31 21:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 2008-02-20 21:57 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lisa Scanlon^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Lisa Scanlon\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2006-10-23 08:50 71216 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BellSouthAlertManager.exe]
--a------ 2006-01-10 17:56 1896448 C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\blspcloader]
--a------ 2006-03-27 18:55 86016 C:\Program Files\BellSouth Internet Tools\blsloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2008-01-25 22:34 460784 C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 15:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 20:52 50736 C:\Program Files\Common Files\AOL\1149387323\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-04-05 08:19 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 16:49 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-04-05 08:22 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 22:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 12:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-31 21:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2007-02-27 01:26 67128 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2008-01-29 23:30 196608 C:\Program Files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-06-08 15:24 458752 C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-06-08 15:14 217088 C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2005-07-19 17:32 221184 C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-01-29 23:30 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2005-04-05 08:23 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 21:10 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordPadRun]
--a------ 2007-09-09 22:13 512004 C:\Program Files\NCH Swift Sound\RecordPad\recordpad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-01-18 15:17 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-15 21:32 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2005-08-31 15:14 1277952 C:\Program Files\Support.com\BellSouth\hcenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-08-06 02:07 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Updater]
C:\WINDOWS\system32\updater\explorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
--a------ 2005-02-23 13:08 1159168 C:\Program Files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-01-21 14:26 166304 c:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Gh'þ9Óœû3rÅWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Gh'þ9Óœû3rÅWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Gh'þ9Óœû3rÅWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Gh'þ9Óœû3rÅWC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\ogrycvw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á²# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\ogrycvw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# Lh'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\ogrycvw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 22:38]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 22:51]
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 22:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
qzbjwn REG_MULTI_SZ qzbjwn
znntzs REG_MULTI_SZ znntzs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 21:29:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 22:51:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1149387323\ee\AOLDesktop.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-05-06 23:00:43 - machine was rebooted [Chris Scanlon]
ComboFix-quarantined-files.txt 2008-05-07 03:00:30
ComboFix2.txt 2008-04-27 19:08:50
ComboFix3.txt 2008-02-03 23:52:22
ComboFix4.txt 2008-02-03 23:37:56

Pre-Run: 33,079,074,816 bytes free
Post-Run: 33,102,811,136 bytes free

365 --- E O F --- 2008-04-12 17:06:11
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:21 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Ascentive\Performance Center\ApcMain.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\1149387323\ee\AOLDesktop.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\AOL\1149387323\ee\aolsoftware.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: {1A03F196-9617-4CA0-842B-A83CEECB022B} - - (no file)
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
R3 - URLSearchHook: (no name) - _{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [A8AAAAB2ACAEB2B7B] 9092929A94969A9.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uaol] "C:\PROGRA~1\RACLE~1\explorer.exe" -vt ndrv
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\ApcMain.exe -m
O4 - Startup: AOL Desktop.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZZ
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9052 bytes
 
Great, that's gotten rid of most of the infections, but still more work to do.

Your logfile shows signs of Viewpoint Manager.
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything bad. It is known to be intrusive, but there is some possibility that it is now being used by those companies to give them info about your habits. It is not considered spyware since this is not clear, but I would not tolerate it on my machine if I didn't install it.

I suggest you remove it. To do so, click on Start -> Control Panel -> Add or Remove Programs. Click on Viewpoint Manager and click Remove.

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entries:

  • [*]R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    [*]R3 - URLSearchHook: {1A03F196-9617-4CA0-842B-A83CEECB022B} - - (no file)
    [*]R3 - URLSearchHook: (no name) - _{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    [*]O4 - HKLM\..\Run: [A8AAAAB2ACAEB2B7B] 9092929A94969A9.exe
    [*]O4 - HKCU\..\Run: [Uaol] "C:\PROGRA~1\RACLE~1\explorer.exe" -vt ndrv
    [*]O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    [*]O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZZ
    [*]O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab

If you chose to remove Viewpoint Manager, also check the following entry:
  • O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Please close all open windows except for HijackThis and choose Fix checked



  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: 
    File::
C:\WINDOWS\Fonts\svchost .exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"qzbjwn"=-
"znntzs"=-
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.


    CFScript.gif



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.

How is the system running now?
 
You must log in or register to reply here.
Back
Top