#1
04-23-2008
fortinfam
Bronze Member
Join Date: Apr 2008
Posts: 5
PC Experience: Some Experience
Help with hijack this logfile

First time user.....Windows XP, very slow, continuously finding virus/malware/spyware threats using various detections....

Internet Explorer "redirects" or "jumps" with every link.

Would not mind wiping hard drive and re-installing XP at this point.

Here is my Hijack This Logfile....Please Help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:52:46 AM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\WINDOWS\System32\aniServ.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Belkin\Belkin Wireless Utility\wcu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5F254614-1D8D-6D07-3F3A-032439EB6EC7} - C:\WINDOWS\system32\uqhtcqmj.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {A8EEB996-62AA-4E48-995D-EADDCAC47476} - (no file)
O2 - BHO: (no name) - {BBA89283-84B3-4B17-90FE-089A2D49581E} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: ['Ashampoo AntiSpyWare 2 Guard'] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AirgoACU] C:\Program Files\Belkin\Belkin Wireless Utility\wcu.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1207590642703
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://206.168.252.204/activex/AxisCamControl.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: geBsrSJc - geBsrSJc.dll (file missing)
O21 - SSODL: DrvVolume - {f5fb2320-c6db-4bc2-b060-c69ae7aff98c} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0310671208939251) (0310671208939251mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\031067~1.EXE
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Airgo Networks NIC Service (ANISERVICE) - Airgo Networks, Inc. - C:\WINDOWS\System32\aniServ.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
--
End of file - 10135 bytes
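
Reading a HijackThis log by eye comes down to scanning for a few recurring red flags: entries whose target file no longer exists ("(no file)" / "(file missing)"), unnamed BHOs loading random-named DLLs from system32, Winlogon Notify hooks with no backing file, and services started from a TEMP folder. The script below is an added example written for this page, not code from the thread or from Trend Micro's HijackThis. It parses the O2/O4/O20/O21/O23 line formats shown in the log above and applies those heuristics to a constructed sample made up of lines copied from that log. The vowel-ratio threshold and the review labels are assumptions made for this example, not HijackThis rules; a hit means "look closer", not "malicious" (the McAfee installer-cleanup service it flags is a legitimate vendor component that merely happens to run from TEMP).

```python
"""Triage helper for HijackThis v2 log entries.

Added example for this thread (not part of the original post and not code from
Trend Micro's HijackThis). It parses the O2/O4/O20/O21/O23 entry formats and
applies a few heuristics an analyst applies by eye. Every heuristic here is an
assumption made for this example: a hit means "look closer", not "malicious".
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = """\
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\\PROGRA~1\\mcafee\\msk\\mcapbho.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\\Program Files\\SiteAdvisor\\6253\\SiteAdv.dll
O2 - BHO: (no name) - {5F254614-1D8D-6D07-3F3A-032439EB6EC7} - C:\\WINDOWS\\system32\\uqhtcqmj.dll
O2 - BHO: (no name) - {A8EEB996-62AA-4E48-995D-EADDCAC47476} - (no file)
O4 - HKLM\\..\\Run: [AtiPTA] atiptaxx.exe
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: geBsrSJc - geBsrSJc.dll (file missing)
O21 - SSODL: DrvVolume - {f5fb2320-c6db-4bc2-b060-c69ae7aff98c} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0310671208939251) (0310671208939251mcinstcleanup) - McAfee, Inc. - C:\\WINDOWS\\TEMP\\031067~1.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\aawservice.exe
"""

# "Onn - body" prefix shared by every HijackThis entry line.
LINE_RE = re.compile(r"^(?P<type>[OR]\d+) - (?P<body>.*)$")

# Body layout per entry type; each yields at least a name and a path.
PATTERNS = {
    "O2": re.compile(r"BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"),
    "O4": re.compile(r"(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O20": re.compile(r"Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$"),
    "O21": re.compile(r"SSODL: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"),
    "O23": re.compile(r"Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$"),
}

# HijackThis appends these when the referenced file does not exist on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Parse recognised entry lines into dicts; all other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        head = LINE_RE.match(line)
        if not head:
            continue
        pattern = PATTERNS.get(head.group("type"))
        fields = pattern.match(head.group("body")) if pattern else None
        if not fields:
            continue
        entry = {"type": head.group("type"), "raw": line}
        entry.update(fields.groupdict())
        entries.append(entry)
    return entries


def file_stem(path: str) -> str:
    """Basename without extension, e.g. uqhtcqmj for the system32 DLL above."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0]


def vowel_ratio(stem: str) -> float:
    """Share of vowels among the letters of a name; random strings score low."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if not letters:
        return 1.0
    return sum(c in "aeiouy" for c in letters) / len(letters)


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (entry type, reason, path) for entries that deserve a closer look."""
    findings = []
    for e in parse_entries(text):
        path = e["path"]
        low = path.lower()
        if any(marker in low for marker in ORPHAN_MARKERS):
            findings.append((e["type"], "orphaned entry (target file missing)", path))
            continue
        # Threshold 0.2 is an assumption for this example, not a HijackThis rule.
        if (e["type"] == "O2" and e["name"] == "(no name)"
                and "\\system32\\" in low and vowel_ratio(file_stem(path)) < 0.2):
            findings.append((e["type"], "unnamed BHO, random-looking DLL in system32", path))
        if e["type"] == "O23" and "\\temp\\" in low:
            findings.append((e["type"], "service launched from a TEMP directory", path))
    return findings


if __name__ == "__main__":
    for entry_type, reason, path in triage(SAMPLE_LOG):
        print(f"{entry_type:<4} {reason}: {path}")
```

Run against the sample, the script reports the unnamed system32 BHO, the three orphaned O2/O20/O21 entries and the service under C:\WINDOWS\TEMP, and stays silent on the named vendor BHOs and services; the orphaned entries are the ones a helper typically asks the poster to fix in HijackThis, while the others are checked against the actual file before any action.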


#2
04-24-2008
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,856
PC Experience: Elite PC Guru
Re: Help with hijack this logfile

Please download SDFix from here and save it to your desktop
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Please copy and paste that log in your next reply.
=================================

Ok. We need to download ComboFix.exe. This will give a better view of the files running and also hidden on your computer.
Please visit this webpage for download links, and instructions for running ComboFix

When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new 'HijackThis' log so that we can continue to do any further cleaning that your system may require.
Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.


__________________
My real name is Eddy
#3
04-24-2008
fortinfam
Bronze Member
Join Date: Apr 2008
Posts: 5
PC Experience: Some Experience
Re: Help with hijack this logfile

Pancake, I first off must thank you for your quick reply!!! I have followed the instructions you posted and have listed the results below.

SDFix: Version 1.174
Run by Iceman on Thu 04/24/2008 at 12:33 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting

Checking Files :
Trojan Files Found:
C:\WINDOWS\SYSTEM32\MSVCTVRL.DLL - Deleted
C:\WINDOWS\SYSTEM32\VBSUCT32.DLL - Deleted


Removing Temp Files
ADS Check :


Final Check :
catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 00:46:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:000014a1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A36B2D59-D7D6-4E96-91EE-F570E5618023}]
"DhcpRetryStatus"=dword:00000000
scanning hidden registry entries ...
scanning hidden files ...
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\sp2gdr
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\sp2gdr\cdosys.dll 2067968 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\sp2qfe
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\sp2qfe\cdosys.dll 2068480 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\spmsg.dll 14048 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\spuninst.exe 209632 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\susdl.rq0 271 bytes
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\update
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\update\arpidfix.exe 30720 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\update\branches.inf 705 bytes
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\update\eula.txt 455 bytes
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\update\KB901017.cat 11084 bytes
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\update\spcustom.dll 22240 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\update\update.exe 718048 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\update\update.url 5324 bytes
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\update\update.ver 297 bytes
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\update\updatebr.inf 613 bytes
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\update\update_SP1QFE.inf 8191 bytes
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\update\update_SP2GDR.inf 16216 bytes
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\update\update_SP2QFE.inf 16926 bytes
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\update\updspapi.dll 371936 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\WindowsXP-KB901017-x86-ENU.psm 1089 bytes
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\_downloadprogress_.state 4 bytes
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\_file_to_execute_.txt 17 bytes
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\_unpacked_.state 34 bytes
C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\_usedelta_.state 34 bytes
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\sp1qfe
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\sp1qfe\esent.dll 991232 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\sp2gdr
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\sp2gdr\esent.dll 1082368 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\sp2qfe
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\sp2qfe\esent.dll 1082368 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\spmsg.dll 14048 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\spuninst.exe 213216 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\update
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\update\branches.inf 705 bytes
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\update\eula.txt 455 bytes
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\update\KB910437.CAT 10925 bytes
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\update\spcustom.dll 22752 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\update\update.exe 716000 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\update\update.ver 287 bytes
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\update\updatebr.inf 592 bytes
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\update\update_SP1QFE.inf 8350 bytes
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\update\update_SP2GDR.inf 16007 bytes
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\update\update_SP2QFE.inf 16717 bytes
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\update\updspapi.dll 371424 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\_downloadprogress_.state 4 bytes
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\_file_to_execute_.txt 17 bytes
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\_unpacked_.state 34 bytes
C:\WINDOWS\SoftwareDistribution\Download\f934b30a3337b488590ef3c1f3bbfd68\_useselfcontained_.state 50 bytes
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\empty.cat 5149 bytes
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\npdsplay.dll 364544 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\spmsg.dll 13536 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\spuninst.exe 213216 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\spupdsvc.exe 22752 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\update
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\update\eula.txt 4092 bytes
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\update\kb911564.cat 8792 bytes
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\update\update.exe 716000 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\update\update.ver 99 bytes
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\update\updatebr.inf 312 bytes
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\update\update_win2003.inf 10199 bytes
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\update\update_win2k.inf 10203 bytes
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\update\update_winxp.inf 10201 bytes
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\update\updspapi.dll 371424 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\_downloadprogress_.state 4 bytes
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\_file_to_execute_.txt 17 bytes
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\_unpacked_.state 34 bytes
C:\WINDOWS\SoftwareDistribution\Download\fa53e640686f7f15b5ee3f532304b804\_useselfcontained_.state 50 bytes
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\sp2gdr
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\sp2gdr\kmixer.sys 172416 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\sp2gdr\splitter.sys 6400 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\sp2gdr\wdmaud.sys 82944 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\sp2qfe
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\sp2qfe\kmixer.sys 172416 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\sp2qfe\splitter.sys 6272 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\sp2qfe\wdmaud.sys 82944 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\spmsg.dll 14048 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\spuninst.exe 213216 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\susdl.rq0 633 bytes
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\update
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\update\branches.inf 705 bytes
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\update\eula.txt 804 bytes
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\update\KB920872.cat 11857 bytes
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\update\spcustom.dll 22752 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\update\update.exe 716000 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\update\update.url 5324 bytes
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\update\update.ver 568 bytes
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\update\updatebr.inf 496 bytes
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\update\update_SP2GDR.inf 17309 bytes
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\update\update_SP2QFE.inf 18019 bytes
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\update\updspapi.dll 371424 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\WindowsXP-KB920872-x86-ENU.psm 447 bytes
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\_downloadprogress_.state 4 bytes
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\_unpacked_.state 34 bytes
C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\_usedelta_.state 34 bytes
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\sp2gdr
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\sp2gdr\hh.exe 10752 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\sp2gdr\hhctrl.ocx 546304 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\sp2gdr\hhsetup.dll 41472 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\sp2gdr\itircl.dll 155136 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\sp2gdr\itss.dll 137216 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\sp2qfe
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\sp2qfe\hh.exe 10752 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\sp2qfe\hhctrl.ocx 546304 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\sp2qfe\hhsetup.dll 41472 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\sp2qfe\itircl.dll 155136 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\sp2qfe\itss.dll 137216 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\spmsg.dll 14048 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\spuninst.exe 209632 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\susdl.rq0 981 bytes
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\update
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\update\branches.inf 705 bytes
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\update\eula.txt 4092 bytes
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\update\KB896358.cat 15022 bytes
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\update\spcustom.dll 22240 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\update\update.exe 718048 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\update\update.url 5324 bytes
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\update\update.ver 1377 bytes
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\update\updatebr.inf 592 bytes
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\update\update_SP1QFE.inf 11237 bytes
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\update\update_SP2GDR.inf 19073 bytes
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\update\update_SP2QFE.inf 19724 bytes
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\update\updspapi.dll 371936 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\WindowsXP-KB896358-x86-ENU.psm 10649 bytes
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\_downloadprogress_.state 4 bytes
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\_file_to_execute_.txt 17 bytes
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\_unpacked_.state 34 bytes
C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\_usedelta_.state 34 bytes
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\sp2gdr
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\sp2gdr\shell32.dll 8453632 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\sp2gdr\shsvcs.dll 134656 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\sp2qfe
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\sp2qfe\shell32.dll 8458752 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\sp2qfe\shsvcs.dll 135168 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\sp2qfe\xpsp3res.dll 248320 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\spmsg.dll 14048 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\spuninst.exe 213216 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\susdl.rq0 527 bytes
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\update
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\update\branches.inf 705 bytes
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\update\eula.txt 804 bytes
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\update\KB928255.cat 9906 bytes
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\update\spcustom.dll 22752 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\update\update.exe 716000 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\update\update.url 5324 bytes
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\update\update.ver 484 bytes
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\update\updatebr.inf 496 bytes
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\update\update_SP2GDR.inf 21951 bytes
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\update\update_SP2QFE.inf 23124 bytes
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\update\updspapi.dll 371424 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\WindowsXP-KB928255-x86-ENU.psm 1004 bytes
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\_downloadprogress_.state 4 bytes
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\_unpacked_.state 34 bytes
C:\WINDOWS\SoftwareDistribution\Download\d8816d09f86abbe0c321ddc90d5c0948\_usedelta_.state 34 bytes
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem15.CAT 24290 bytes
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 162

Remaining Services :


Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Iceman\\Application Data\\printer.exe"="C:\\Documents and Settings\\Iceman\\Application Data\\printer.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Documents and Settings\\Iceman\\Application Data\\printer.exe"="C:\\Documents and Settings\\Iceman\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Fri 23 Apr 1999 93,890 ..SH. --- "C:\COMMAND.COM"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 27 May 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 15 Apr 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Tue 15 Apr 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Fri 12 Nov 2004 37,376 A..H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Tue 15 Apr 2008 54,807,786 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ff1abc45bb4b51f55d5dd49be852a17a\BIT1.tmp"
Finished!


ComboFix 08-04-22.5 - Iceman 2008-04-24 1:28:05.1 - NTFSx86
Running from: C:\Documents and Settings\Iceman\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Common Files\stem32~1
C:\Program Files\stem32~1
C:\Program Files\stem32~1\??stem32\
C:\WINDOWS\BM1f3ab735.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\lqvhfjur.ini
C:\WINDOWS\system32\UtCdcccf.ini
C:\WINDOWS\system32\UtCdcccf.ini2
.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.
2008-04-24 00:28 . 2008-04-24 00:28 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-24 00:19 . 2008-04-24 01:04 <DIR> d-------- C:\SDFix
2008-04-23 01:23 . 2008-04-23 01:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-20 03:15 . 2008-04-20 03:15 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-20 03:15 . 2008-04-20 03:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-20 03:12 . 2008-04-20 03:12 <DIR> d-------- C:\Documents and Settings\Iceman\Application Data\Grisoft
2008-04-20 03:12 . 2008-04-20 03:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-20 03:12 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-20 03:11 . 2008-04-21 00:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-20 03:11 . 2008-04-20 03:11 <DIR> d-------- C:\Documents and Settings\Iceman\Application Data\SUPERAntiSpyware.com
2008-04-20 03:11 . 2008-04-20 03:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-20 03:10 . 2008-04-20 03:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 00:41 . 2008-04-20 02:51 <DIR> d-------- C:\Documents and Settings\Iceman\.housecall6.6
2008-04-19 16:27 . 2004-08-04 05:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-04-19 16:25 . 2004-08-04 05:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-04-19 16:24 . 2004-08-04 05:00 1,158,818 --a--c--- C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-04-19 16:23 . 2004-08-04 05:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-04-19 16:22 . 2004-08-04 05:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-04-19 16:21 . 2004-05-13 01:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-04-19 16:17 . 2008-04-19 16:17 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-04-19 16:17 . 2008-04-19 16:17 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-04-19 16:17 . 2008-04-19 16:17 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-04-19 16:17 . 2008-04-19 16:17 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-04-19 16:17 . 2008-04-19 16:17 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-04-19 16:17 . 2008-04-19 16:17 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-19 16:16 . 2004-08-04 05:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-04-19 16:00 . 2004-08-04 05:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-04-19 16:00 . 2004-08-04 05:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-04-19 16:00 . 2004-08-04 05:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-04-19 16:00 . 2004-08-04 05:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-04-19 15:58 . 2004-08-04 05:00 1,086,058 -ra------ C:\WINDOWS\SET99.tmp
2008-04-19 15:58 . 2004-08-04 05:00 1,042,903 -ra------ C:\WINDOWS\SET96.tmp
2008-04-15 03:33 . 2008-04-15 03:33 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-15 03:32 . 2008-04-24 01:36 9,241 --a------ C:\WINDOWS\system32\Config.MPF
2008-04-15 03:29 . 2008-04-15 03:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-04-15 03:28 . 2008-04-21 00:21 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-04-15 03:28 . 2008-04-23 01:21 <DIR> d-------- C:\Documents and Settings\Iceman\Application Data\SiteAdvisor
2008-04-15 03:28 . 2008-04-21 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-15 03:24 . 2006-03-03 09:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-04-15 03:16 . 2007-11-22 07:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-04-15 03:15 . 2007-11-22 07:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-15 03:15 . 2007-07-13 07:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-04-15 03:15 . 2007-11-22 07:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-15 03:15 . 2007-12-02 13:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-04-15 03:15 . 2007-11-22 07:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-15 03:11 . 2008-04-15 03:12 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-15 03:09 . 2008-04-15 03:15 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-15 03:07 . 2008-04-23 23:45 <DIR> d-------- C:\Program Files\McAfee
2008-04-15 02:24 . 2008-04-15 02:24 3,269 --a------ C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
2008-04-13 10:08 . 2008-04-13 10:08 <DIR> d-------- C:\WINDOWS\system32\drivers\bak34.tmp
2008-04-13 10:08 . 2008-04-13 10:08 <DIR> d-------- C:\WINDOWS\system32\drivers\bak30.tmp
2008-04-13 00:55 . 2008-04-17 00:51 <DIR> d-------- C:\fixwareout
2008-04-13 00:38 . 2008-04-23 01:18 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-13 00:20 . 2008-04-13 00:20 <DIR> d-------- C:\18f45c334e1629f61b
2008-04-11 23:55 . 2007-07-30 20:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-11 23:55 . 2007-07-30 20:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-11 04:16 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-11 04:11 . 2008-04-11 04:11 <DIR> d-------- C:\WINDOWS\provisioning
2008-04-11 04:11 . 2008-04-19 07:54 <DIR> d-------- C:\WINDOWS\peernet
2008-04-11 04:04 . 2008-04-11 04:04 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-11 03:53 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-11 03:48 . 2008-04-19 07:54 <DIR> d-------- C:\WINDOWS\EHome
2008-04-11 02:45 . 2008-04-11 02:45 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-09 03:17 . 2008-04-15 02:24 <DIR> d-------- C:\Program Files\Norton 360
2008-04-05 03:03 . 2008-04-05 03:03 114,688 --a------ C:\Documents and Settings\All Users\Application Data\ytktwlwp.dll
2008-04-05 03:02 . 2008-04-05 03:02 114,688 --a------ C:\WINDOWS\system32\uqhtcqmj.dll
2008-04-05 00:47 . 2008-04-05 00:47 <DIR> d-------- C:\Documents and Settings\Iceman\Application Data\InstallShield
2008-04-04 04:05 . 2008-04-04 04:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-04 03:46 . 2008-04-04 03:46 <DIR> d-------- C:\Documents and Settings\Iceman\Application Data\Malwarebytes
2008-04-04 03:46 . 2008-04-04 03:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-04 03:45 . 2008-04-04 03:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-04 03:45 . 2008-04-04 03:45 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-03-28 00:59 . 2008-03-28 00:59 <DIR> d-------- C:\Program Files\Ashampoo
2008-03-28 00:42 . 2008-04-07 00:54 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-27 11:37 . 2008-03-12 15:13 208,896 --a------ C:\WINDOWS\system32\ConTest.dll
2008-03-27 11:37 . 2007-10-17 11:19 20,480 --a------ C:\WINDOWS\system32\SysRestore.dll
2008-03-27 11:31 . 2008-04-08 11:39 3,020 --a------ C:\WINDOWS\WinInit.Ini
2008-03-27 10:41 . 2008-03-27 10:41 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-03-27 10:39 . 2008-04-15 03:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 22:11 --------- d-----w C:\Documents and Settings\Iceman\Application Data\U3
2008-04-16 10:56 --------- d-----w C:\Program Files\RcvSystem
2008-04-15 09:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-15 09:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-15 09:24 --------- d-----w C:\Program Files\Symantec
2008-04-12 15:24 --------- d-----w C:\Program Files\QuickTime
2008-04-09 10:07 --------- d-----w C:\Program Files\Norton AntiVirus
2008-04-08 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-08 03:28 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-05 08:13 --------- d-----w C:\Program Files\LimeWire
2008-04-05 07:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-05 07:40 --------- d-----w C:\Documents and Settings\Bozo\Application Data\Lavasoft
2008-03-28 09:56 --------- d-----w C:\Program Files\Common Files\kumf
2008-03-28 07:00 --------- d-----w C:\Program Files\Infogrames Interactive
2008-03-28 07:00 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-03-14 01:00 65,536 ----a-w C:\WINDOWS\DUMPbec8.tmp
2008-03-13 23:05 65,536 ----a-w C:\WINDOWS\DUMPd5d2.tmp
2008-03-13 01:15 65,536 ----a-w C:\WINDOWS\DUMPba66.tmp
2008-03-13 01:10 65,536 ----a-w C:\WINDOWS\DUMPc06c.tmp
2008-03-12 20:19 65,536 ----a-w C:\WINDOWS\DUMPb8c2.tmp
2008-03-12 19:55 65,536 ----a-w C:\WINDOWS\DUMPc58c.tmp
2008-03-12 03:07 65,536 ----a-w C:\WINDOWS\DUMPc5f0.tmp
2008-03-12 03:05 65,536 ----a-w C:\WINDOWS\DUMPb7db.tmp
2008-03-12 02:04 65,536 ----a-w C:\WINDOWS\DUMPb532.tmp
2008-03-12 01:40 65,536 ----a-w C:\WINDOWS\DUMPbdcd.tmp
2008-03-11 01:01 65,536 ----a-w C:\WINDOWS\DUMPe148.tmp
2008-03-10 20:52 65,536 ----a-w C:\WINDOWS\DUMPb637.tmp
2008-03-10 01:36 65,536 ----a-w C:\WINDOWS\DUMPdd41.tmp
2008-03-10 01:35 65,536 ----a-w C:\WINDOWS\DUMPc0c6.tmp
2008-03-09 04:46 65,536 ----a-w C:\WINDOWS\DUMPc275.tmp
2008-03-07 21:41 65,536 ----a-w C:\WINDOWS\DUMPb6cd.tmp
2008-03-06 21:12 65,536 ----a-w C:\WINDOWS\DUMPb745.tmp
2008-03-06 20:54 65,536 ----a-w C:\WINDOWS\DUMPdcb5.tmp
2008-03-06 02:02 65,536 ----a-w C:\WINDOWS\DUMPc243.tmp
2008-03-06 02:01 65,536 ----a-w C:\WINDOWS\DUMPb78b.tmp
2008-03-06 01:55 65,536 ----a-w C:\WINDOWS\DUMPe01c.tmp
2008-03-06 01:53 65,536 ----a-w C:\WINDOWS\DUMPd6a5.tmp
2008-03-06 00:46 65,536 ----a-w C:\WINDOWS\DUMPdb74.tmp
2008-03-03 23:11 --------- d-----w C:\Documents and Settings\Iceman\Application Data\Walgreens
2008-02-28 23:04 --------- d-----w C:\Documents and Settings\deven is the man\Application Data\Yahoo!
2008-02-28 00:06 635 ----a-w C:\kui3ow.exe
2008-02-27 21:38 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-04-13 21:33 20,192 ----a-w C:\Documents and Settings\Iceman\Application Data\GDIPFONTCACHEV1.DAT
2005-07-24 10:47 184,808 -c--a-w C:\Documents and Settings\Bozo\Application Data\shb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F254614-1D8D-6D07-3F3A-032439EB6EC7}]
2008-04-05 03:02 114688 --a------ C:\WINDOWS\system32\uqhtcqmj.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8EEB996-62AA-4E48-995D-EADDCAC47476}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBA89283-84B3-4B17-90FE-089A2D49581E}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2008-04-12 08:07 315392 C:\WINDOWS\system32\atiptaxx.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-12 08:07 180269]
"'Ashampoo AntiSpyWare 2 Guard'"="C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe" [2008-03-13 15:36 2316632]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 20:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 14:57 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 06:42 1164576]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]
"AirgoACU"="C:\Program Files\Belkin\Belkin Wireless Utility\wcu.exe" [2004-08-11 12:20 1036288]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" [ ]
C:\Documents and Settings\Bozo\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 14:32:57 147456]
C:\Documents and Settings\Iceman\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-10-07 17:54:43 225280]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBsrSJc]
geBsrSJc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\system32\\sessmgr.exe"=
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 18:09]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 18:09]
R2 portD;ABS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys [2003-03-19 10:28]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\ialaunch.exe id= ver=1.0.0.0
.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 10:13:20 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-15 10:13:17 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
************************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 01:41:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6172\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\WINDOWS\system32\aniServ.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
************************************************************************************
.
Completion time: 2008-04-24 2:05:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 09:04:17
Pre-Run: 5,325,186,048 bytes free
Post-Run: 5,274,413,056 bytes free
250 --- E O F --- 2008-04-23 20:35:04


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:26 AM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\WINDOWS\System32\aniServ.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Belkin\Belkin Wireless Utility\wcu.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5F254614-1D8D-6D07-3F3A-032439EB6EC7} - C:\WINDOWS\system32\uqhtcqmj.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {BBA89283-84B3-4B17-90FE-089A2D49581E} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: ['Ashampoo AntiSpyWare 2 Guard'] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWare2Guard.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AirgoACU] C:\Program Files\Belkin\Belkin Wireless Utility\wcu.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1207590642703
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://206.168.252.204/activex/AxisCamControl.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: geBsrSJc - geBsrSJc.dll (file missing)
O21 - SSODL: DrvVolume - {f5fb2320-c6db-4bc2-b060-c69ae7aff98c} - (no file)
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Airgo Networks NIC Service (ANISERVICE) - Airgo Networks, Inc. - C:\WINDOWS\System32\aniServ.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
--
End of file - 10339 bytes
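An added triage example, not part of this thread and not code from HijackThis, ComboFix or SDFix: a small Python script that reads pasted log fragments in the three shapes shown above (the SDFix firewall AuthorizedApplications export, ComboFix's registry dump lines, and HijackThis "O" lines) and lists the entries an analyst would look at first. The sample input is constructed from lines visible in the log. The severity labels and the heuristics it applies (a firewall exception for an executable inside a user profile, one resource-string display name such as @xpsp2res.dll,-22019 reused by several different executables, a BHO with no name, Security Center monitoring or the firewall switched off, entries whose file is missing) are the example's own choices, not rules any of those tools define.

```python
"""Triage pasted HijackThis / ComboFix / SDFix log fragments.

Added example; the heuristics below are assumptions for illustration.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, reason, offending line)

# Constructed sample input, copied from entries visible in the log above.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Iceman\\Application Data\\printer.exe"="C:\\Documents and Settings\\Iceman\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5F254614-1D8D-6D07-3F3A-032439EB6EC7} - C:\WINDOWS\system32\uqhtcqmj.dll
O2 - BHO: (no name) - {BBA89283-84B3-4B17-90FE-089A2D49581E} - (no file)
O20 - Winlogon Notify: geBsrSJc - geBsrSJc.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
'''

FW_LINE = re.compile(r'^"(?P<key>[^"]*)"="(?P<value>[^"]*)"$')
REG_KEY = re.compile(r'^\[(?P<key>[^\]]+)\]$')
HJT_LINE = re.compile(r'^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<body>.*)$')
USER_PROFILE = re.compile(r'^(?:[a-z]:\\documents and settings\\|%userprofile%|%appdata%)', re.I)
MISSING = ('(no file)', '(file missing)')


def parse_firewall_entry(line: str):
    """Split an authorizedapplications\\list value into (path, scope, state, name)."""
    m = FW_LINE.match(line.strip())
    if not m or ':' not in m.group('value'):
        return None
    value = m.group('value').replace('\\\\', '\\')  # the export doubles backslashes
    parts = value.rsplit(':', 3)                    # path may itself contain "C:"
    return tuple(parts) if len(parts) == 4 else None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    current_key = ''
    by_name: Dict[str, set] = {}  # resource-string display name -> executables using it
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = REG_KEY.match(line)
        if km:
            current_key = km.group('key').lower()
            continue
        fw = parse_firewall_entry(line)
        if fw and 'authorizedapplications' in current_key:
            path, _scope, state, name = fw
            base = path.rsplit('\\', 1)[-1].lower()
            if state.lower() == 'enabled' and USER_PROFILE.match(path):
                findings.append(('high', 'firewall exception for executable in a user profile: ' + path, line))
            if name.startswith('@'):
                by_name.setdefault(name, set()).add(base)
            continue
        if line.startswith('"DisableMonitoring"=dword:00000001'):
            findings.append(('medium', 'Security Center monitoring disabled under ' + current_key, line))
            continue
        if line.startswith('"EnableFirewall"='):
            val = line.split('=', 1)[1].strip()
            if re.match(r'(?:dword:)?0+(?:\s|\(|$)', val):
                findings.append(('high', 'Windows Firewall disabled for profile ' + current_key, line))
            continue
        hm = HJT_LINE.match(line)
        if hm:
            section, kind, body = hm.group('section'), hm.group('kind'), hm.group('body')
            if any(tag in body for tag in MISSING):
                findings.append(('low', f'{section} entry points at a missing file ({kind})', line))
            elif section == 'O2' and body.startswith('(no name)'):
                findings.append(('high', 'unnamed BHO loading ' + body.rsplit(' - ', 1)[-1], line))
    for name, bases in by_name.items():
        if len(bases) > 1:  # one display name borrowed by several executables
            findings.append(('medium', f'firewall display name {name} reused by {", ".join(sorted(bases))}', ''))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == '__main__':
    for sev, reason, _ in triage(SAMPLE_LOG):
        print(f'[{sev:6}] {reason}')
```

Run it against a whole pasted log rather than the sample and the "reused display name" finding is the one worth reading first: the legitimate sessmgr.exe entry and the two unknown executables share the same @xpsp2res.dll,-22019 label, which is what makes them blend into the exception list when it is viewed in the firewall UI.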


  #4  
Old 04-24-2008
Pancake's Avatar
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,856
PC Experience: Elite PC Guru
Pancake - See this Members User comments on their Profile page
Default Re: Help with hijack this logfile

Before we can carry on we need to install your Recovery Console.
Go to Microsoft's website => How to obtain Windows XP Setup boot disks
Select the download that's appropriate for your Operating System


Download the file & save it as it's originally named, next to ComboFix.exe.



Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFi