Thread Solved

jamjam19

Re: nasty virus

  #11
May 31st, 2008
ComboFix 08-05-29.1 - audition account 2008-05-31 20:31:27.1 - NTFSx86
Running from: C:\Documents and Settings\audition account\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2006
C:\Documents and Settings\audition account\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Pamela Rice\Application Data\macromedia\Flash Player\#SharedObjects\3HBA8PMQ\www.broadcaster.com
C:\Documents and Settings\Pamela Rice\Application Data\macromedia\Flash Player\#SharedObjects\3HBA8PMQ\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Pamela Rice\Application Data\macromedia\Flash Player\#SharedObjects\3HBA8PMQ\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Pamela Rice\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Pamela Rice\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Pamela Rice\Application Data\SpeedRunner
C:\Documents and Settings\Pamela Rice\Application Data\SpeedRunner\config.cfg
C:\Documents and Settings\Pamela Rice\Application Data\WinAntiVirus Pro 2006
C:\Documents and Settings\Pamela Rice\Application Data\WinAntiVirus Pro 2006\Logs\update.log
C:\Documents and Settings\Pamela Rice\Application Data\WinAntiVirus Pro 2006\Logs\wa6Support.log
C:\Documents and Settings\Pamela Rice\Application Data\WinAntiVirus Pro 2006\Logs\winav.log
C:\Documents and Settings\Pamela Rice\Application Data\WinAntiVirus Pro 2006\PGE.dat
C:\Documents and Settings\Pamela Rice\err.log
C:\Documents and Settings\Pamela Rice\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Pamela Rice\My Documents\SEMBLY~1
C:\Documents and Settings\Pamela Rice\My Documents\SEMBLY~1\??sembly\
C:\Documents and Settings\Pamela Rice\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Pamela Rice\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Pamela Rice\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Pamela Rice\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Pamela Rice\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Pamela Rice\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Svconr
C:\Program Files\WinBudget
C:\WA6P
C:\WINDOWS\ecurit~1
C:\WINDOWS\system32\28463
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\awtsQHxv.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\ddcCRICr.dll
C:\WINDOWS\system32\eeeOUvut.ini
C:\WINDOWS\system32\eeeOUvut.ini2
C:\WINDOWS\system32\FffLknnn.ini2
C:\WINDOWS\system32\hQWGffii.ini
C:\WINDOWS\system32\KUBJPXyb.ini2
C:\WINDOWS\system32\NTBegMoq.ini
C:\WINDOWS\system32\NTBegMoq.ini2
C:\WINDOWS\system32\ppXxyGgh.ini2
C:\WINDOWS\system32\qoMdDwVO.dll
C:\WINDOWS\system32\qoMgeBTN.dll
C:\WINDOWS\system32\rCIRCcdd.ini
C:\WINDOWS\system32\rCIRCcdd.ini2
C:\WINDOWS\system32\RuuCLkkj.ini2
C:\WINDOWS\system32\sBKRBJlm.ini
C:\WINDOWS\system32\sBKRBJlm.ini2
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\vxHQstwa.ini
C:\WINDOWS\system32\vxHQstwa.ini2
C:\WINDOWS\system32\WINCNMDB.DLL
C:\WINDOWS\tk68.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN
-------\Legacy_NWSAPAGENT
-------\Legacy_POWERMANAGER
-------\Legacy_VSPF
-------\Legacy_VSPF_HK
-------\Service_NwSapAgent
-------\Service_vspf
-------\Service_vspf_hk


((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-05-31 20:06 . 2008-05-31 20:06 324,864 --a------ C:\WINDOWS\system32\mlJBRKBs.dll
2008-05-31 13:38 . 2008-05-31 13:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-30 16:43 . 2002-07-28 07:54 126,976 --a------ C:\WINDOWS\autoras.exe
2008-05-30 16:43 . 2002-06-19 17:55 36,864 --a------ C:\WINDOWS\Uninstall.exe
2008-05-30 16:43 . 2008-05-30 16:43 56 --a------ C:\WINDOWS\autmtst.ini
2008-05-30 11:25 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-29 20:46 . 2008-05-29 20:46 4,230 --a------ C:\WINDOWS\system32\PerfStringBackup.TMP
2008-05-28 13:26 . 2008-05-28 13:26 <DIR> d-------- C:\Documents and Settings\audition account\Application Data\Webroot
2008-05-28 12:49 . 2008-05-28 12:49 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-05-28 08:17 . 2008-05-28 08:17 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-05-28 08:16 . 2007-06-21 18:43 160,056 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-05-28 08:16 . 2007-06-21 18:43 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-05-28 08:16 . 2007-06-21 18:43 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-05-28 08:16 . 2007-06-21 18:43 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2008-05-28 08:14 . 2008-05-28 08:14 <DIR> d-------- C:\Program Files\Webroot
2008-05-28 08:14 . 2008-05-28 08:14 <DIR> d-------- C:\Documents and Settings\Pamela Rice\Application Data\Webroot
2008-05-28 08:14 . 2008-05-28 08:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-05-28 08:14 . 2007-06-21 18:57 1,520,952 --a------ C:\WINDOWS\WRSetup.dll
2008-05-28 07:27 . 2008-05-28 07:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-26 20:54 . 2008-05-26 20:54 <DIR> d-------- C:\Program Files\Pivot Stickfigure Animator
2008-05-25 19:22 . 2008-05-28 03:35 344 --ahs---- C:\WINDOWS\system32\JllVDcfe.ini
2008-05-25 19:06 . 2008-05-25 19:06 27,140 --a------ C:\New Microsoft Office PowerPoint Presentation.pptx
2008-05-25 10:29 . 2008-05-29 21:15 7,945 --a------ C:\WINDOWS\system32\Config.MPF
2008-05-25 10:26 . 2006-03-03 07:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-05-25 10:11 . 2007-11-22 05:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-05-25 10:11 . 2007-11-22 05:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-05-25 10:11 . 2007-12-02 11:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-05-25 10:11 . 2007-11-22 05:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-05-25 10:11 . 2007-11-22 05:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-05-25 10:10 . 2007-07-13 05:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-05-25 10:05 . 2008-05-25 10:06 <DIR> d-------- C:\Program Files\McAfee.com
2008-05-25 10:02 . 2008-05-25 10:11 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-25 09:59 . 2008-05-25 10:28 <DIR> d-------- C:\Program Files\McAfee
2008-05-24 16:48 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-24 16:48 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-24 16:48 . 2008-05-15 22:22 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-24 16:48 . 2008-05-18 20:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-24 16:48 . 2008-05-18 20:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-24 16:48 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-24 16:48 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-24 15:23 . 2008-05-30 17:24 2,702 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-24 14:49 . 2008-05-24 14:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-24 14:22 . 2008-05-12 13:10 22,528 --a------ C:\WINDOWS\system32\drivers\antispyware.sys
2008-05-24 14:21 . 2008-05-24 14:21 <DIR> d-------- C:\Documents and Settings\audition account\Application Data\Antispyware
2008-05-24 12:53 . 2008-05-24 12:53 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-05-23 15:58 . 2008-05-23 16:17 <DIR> d-------- C:\Documents and Settings\audition account\Application Data\ErrorSmart
2008-05-21 16:25 . 2008-05-21 16:25 <DIR> d-------- C:\Documents and Settings\audition account\Application Data\HPAppData
2008-05-21 15:30 . 2008-05-21 15:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-05-21 15:29 . 2008-05-21 15:29 <DIR> d-------- C:\Documents and Settings\Pamela Rice\Application Data\HPAppData
2008-05-21 15:27 . 2008-05-21 15:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-05-21 15:26 . 2008-05-21 15:26 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-05-21 15:23 . 2008-05-21 15:36 141,260 --a------ C:\WINDOWS\hpoins14.dat
2008-05-21 15:23 . 2007-06-05 18:07 2,000 --------- C:\WINDOWS\hpomdl14.dat
2008-05-21 15:15 . 2008-05-31 21:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-21 15:15 . 2008-05-21 15:15 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-20 23:25 . 2008-05-20 23:25 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-05-20 20:37 . 2008-05-20 20:37 141,255 --------- C:\WINDOWS\hpoins14.dat.temp
2008-05-20 20:37 . 2007-06-05 18:07 2,000 --------- C:\WINDOWS\hpomdl14.dat.temp
2008-05-15 18:28 . 2008-05-18 11:21 <DIR> d-------- C:\Documents and Settings\audition account\.gimp-2.4
2008-05-15 17:43 . 2008-05-15 17:43 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-05-13 15:03 . 2008-05-15 17:04 <DIR> d-------- C:\Documents and Settings\Pamela Rice\Application Data\iolo
2008-05-13 03:16 . 2008-05-13 03:16 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-05-12 21:13 . 2008-05-12 21:13 432 --a------ C:\WINDOWS\system32\iolo.ini
2008-05-12 21:04 . 2008-05-12 21:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-05-12 20:46 . 2007-07-25 08:42 126,976 --a------ C:\WINDOWS\system32\iavlsp.dll
2008-05-12 20:34 . 2008-05-12 20:34 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-05-12 20:32 . 2008-05-15 21:02 <DIR> d-------- C:\Documents and Settings\audition account\Application Data\Uniblue
2008-05-12 20:31 . 2008-05-13 03:16 <DIR> d-------- C:\Documents and Settings\audition account\Application Data\iolo
2008-05-12 20:31 . 2008-05-15 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-05-10 11:03 . 2008-05-10 11:11 <DIR> d-------- C:\Documents and Settings\Pamela Rice\.frugoo_file_store_32
2008-05-08 20:13 . 2008-05-08 20:13 <DIR> d-------- C:\Program Files\ePSXe
2008-05-08 18:54 . 2008-05-08 18:54 <DIR> d-------- C:\Documents and Settings\audition account\Application Data\fltk.org
2008-05-02 15:53 . 2008-05-08 18:32 <DIR> d-------- C:\Program Files\ActMak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-31 18:35 --------- d-----w C:\Program Files\Blubster
2008-05-31 03:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-30 21:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-30 01:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-28 09:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-28 03:20 --------- d-----w C:\Program Files\HyCam2
2008-05-25 15:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-24 19:31 --------- d-----w C:\Program Files\StreamCast
2008-05-24 17:21 --------- d-----w C:\Documents and Settings\audition account\Application Data\LimeWire
2008-05-22 01:46 269 ----a-w C:\Program Files\Common Files\lavuq599
2008-05-21 20:30 --------- d-----w C:\Program Files\HP
2008-05-21 20:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-05-13 12:40 --------- d-----w C:\Program Files\MixMeister Express 6
2008-05-13 11:59 --------- d-----w C:\Program Files\WonderlandSecretWorldsTrial_at
2008-05-13 11:59 --------- d-----w C:\Program Files\Cheat Engine
2008-05-09 11:52 --------- d-----w C:\Program Files\Tweak-XP Pro 4
2008-05-08 23:34 --------- d-----w C:\Program Files\Microsoft Bootvis
2008-05-07 08:34 --------- d-----w C:\Documents and Settings\Pamela Rice\Application Data\HP
2008-05-01 10:36 142 ----a-w C:\Program Files\Common Files\profsyfs.html
2008-04-27 20:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Gtek
2008-04-27 20:15 --------- d-----w C:\Documents and Settings\audition account\Application Data\GTek
2008-04-19 05:31 448,384 ----a-w C:\WINDOWS\system32\drivers\EagleNt.sys
2008-04-09 22:18 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-04-07 22:15 --------- d-----w C:\Program Files\Google
2008-04-04 22:09 --------- d-----w C:\Documents and Settings\audition account\Application Data\Leadertech
2008-04-04 21:53 --------- d-----w C:\Documents and Settings\audition account\Application Data\HP
2008-03-20 01:47 718 ----a-w C:\Program Files\xFlaxPROGui$2.class
2008-03-16 22:20 52 ----a-w C:\xmp.bat
2007-06-21 18:33 378 -c--a-w C:\Documents and Settings\Pamela Rice\Application Data\internaldb1942.dat
2007-06-21 17:22 523 -c--a-w C:\Documents and Settings\Pamela Rice\Application Data\internaldb9948.dat
2007-06-21 17:22 177,152 -c--a-w C:\Documents and Settings\Pamela Rice\Application Data\internaldb4827.dat
2007-06-21 17:22 12,288 -c--a-w C:\Documents and Settings\Pamela Rice\Application Data\internaldb5436.dat
2007-06-21 17:22 0 -c--a-w C:\Documents and Settings\Pamela Rice\Application Data\internaldb4604.dat
2006-11-18 22:10 0 -c--a-w C:\Documents and Settings\Pamela Rice\Application Data\internaldb2391.dat
2006-11-16 19:40 0 -c--a-w C:\Documents and Settings\Pamela Rice\Application Data\internaldb153.dat
2006-11-13 00:55 0 -c--a-w C:\Documents and Settings\Pamela Rice\Application Data\internaldb9912.dat
2006-11-13 00:55 0 -c--a-w C:\Documents and Settings\Pamela Rice\Application Data\internaldb3902.dat
2005-12-15 08:07 1,116 -csha-w C:\WINDOWS\system32\sscms.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 63,712 2007-03-09 16:09:58 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe

----a-w 39,792 2007-10-11 00:51:56 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 39,792 2008-01-12 02:16:38 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

----a-w 5,980,160 2007-04-13 14:35:40 C:\Program Files\Blubster\bak\Blubster.exe
----a-w 5,980,160 2007-04-13 15:35:40 C:\Program Files\Blubster\Blubster.exe

-c--a-w 180,269 2006-09-03 02:54:37 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

-c--a-w 90,112 2005-05-23 14:57:42 C:\Program Files\Common Files\Ulead Systems\Autodetector\bak\monitor.exe

-c--a-w 132,496 2007-07-12 08:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe

-c--a-w 132,496 2007-09-25 05:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

-c--a-w 473,928 2005-11-15 17:12:14 C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe

-c--a-w 8,192 2006-11-07 19:41:44 C:\Program Files\Musicmatch\Musicmatch Jukebox\bak\mimboot.exe

-c--a-w 110,592 2006-11-07 19:41:44 C:\Program Files\Musicmatch\Musicmatch Jukebox\bak\mm_tray.exe

-c--a-w 282,624 2007-04-27 13:41:54 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 385,024 2008-02-01 03:13:08 C:\Program Files\QuickTime\QTTask.exe

-c--a-w 57,344 2001-07-25 19:04:00 C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE

-c--a-w 290,816 2005-04-18 20:35:10 C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\bak\LYRAHD2TrayApp.exe

-c--a-w 15,360 2004-08-04 05:56:50 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 05:56:50 C:\WINDOWS\system32\ctfmon.exe

-c--a-w 36,864 2000-05-09 15:38:48 C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0BB0AD19-01C1-4253-9EA9-20DF16CC4D44}]
C:\Program Files\Common Files\lavuq599.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E54E68A-D735-4549-A01A-90EA188BD41A}]
C:\Program Files\Online Services\cefyr821058.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6F19F93-C313-4DDF-9152-E55E6FE37310}]
C:\WINDOWS\system32\ykvjeev.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BAF86C81-F962-F5B7-1196-A18F0E557CCD}]
C:\WINDOWS\system32\oxgkd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB8E467B-42C7-49FC-9CAF-F20C5974B415}]
C:\WINDOWS\system32\jkkLCuuR.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [ ]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Antispyware"="C:\Program Files\AntiSpywareApp\Antispyware.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 03:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 22:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 12:10 267048]
"Blubster"="C:\Program Files\Blubster\Blubster.exe" [2007-04-13 10:35 5980160]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 20:34 49152]
"ErrorSmart"="C:\Program Files\ErrorSmart\ErrorSmart.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

C:\Documents and Settings\Pamela Rice\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50 113664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
"LockTaskbar"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gEWqPHYP]
gEWqPHYP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\smcss]
smcss.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"hpqddsvc"=2 (0x2)
"hpqcxs08"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"9842:TCP"= 9842:TCPisabledolidNetworkManager
"9842:UDP"= 9842:UDPisabledolidNetworkManager
"606:TCP"= 606:TCP:VoIP On-Hold Server
"84:TCP"= 84:TCP:VRS Recording System Web Control Panel
"81:TCP"= 81:TCP:Axon Web Server
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)

R0 antispyware;antispyware;C:\WINDOWS\system32\DRIVERS\antispyware.sys [2008-05-12 13:10]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-11-25 01:35]
R3 kbdcap;kbdcap;C:\WINDOWS\system32\drivers\kbdcap.sys [2007-11-24 22:03]
S3 6250spi;Elan USB Bridge Service;C:\WINDOWS\system32\Drivers\6250spi.sys [2006-09-19 16:46]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\BRGSp50.sys [2005-06-08 17:44]
S3 XDva008;XDva008;C:\WINDOWS\system32\XDva008.sys []
S3 XDva026;XDva026;C:\WINDOWS\system32\XDva026.sys []
S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2005-08-17 13:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-05-31 08:00:00 C:\WINDOWS\Tasks\Antispyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware.exe
- C:\Program Files\AntiSpywareApp
"2008-05-26 22:48:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-31 08:30:00 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
"2008-05-25 15:08:03 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-05-25 15:08:02 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 21:13:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LexBceS.exe
C:\WINDOWS\system32\Lexpps.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-31 21:39:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 02:38:47

Pre-Run: 8,974,405,632 bytes free
Post-Run: 8,885,854,208 bytes free

334 --- E O F --- 2008-05-18 10:09:55
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Blubster\Blubster.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {0BB0AD19-01C1-4253-9EA9-20DF16CC4D44} - C:\Program Files\Common Files\lavuq599.dll (file missing)
O2 - BHO: (no name) - {0E54E68A-D735-4549-A01A-90EA188BD41A} - C:\Program Files\Online Services\cefyr821058.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: TChkBHO Class - {B6F19F93-C313-4DDF-9152-E55E6FE37310} - C:\WINDOWS\system32\ykvjeev.dll (file missing)
O2 - BHO: (no name) - {BAF86C81-F962-F5B7-1196-A18F0E557CCD} - C:\WINDOWS\system32\oxgkd.dll (file missing)
O2 - BHO: (no name) - {CB8E467B-42C7-49FC-9CAF-F20C5974B415} - C:\WINDOWS\system32\jkkLCuuR.dll (file missing)
O3 - Toolbar: (no name) - {EA0D26BD-9029-431A-86E0-83152D67828A} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Antispyware] C:\Program Files\AntiSpywareApp\Antispyware.exe -boot
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Pamela Rice\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} (FlyLoader Class) - http://www.flyword.com/loaderword_win.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: gEWqPHYP - gEWqPHYP.dll (file missing)
O20 - Winlogon Notify: smcss - smcss.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 8341 bytes
crunchie (Moderator)

Re: nasty virus

  #12
Jun 1st, 2008
Please download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe

Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: press 1, then Enter, to scan for bak folders.
The scan may take a while, please be patient.

When done, a text file, the Find AWF report, is produced.
Please provide Find AWF report in your reply.
jamjam19 jamjam19 is offline Offline
Light Poster

Re: nasty virus

 
0
  #13
Jun 1st, 2008
Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sat 05/31/2008
The current time is: 23:33:28.22


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\BLUBSTER\BAK

04/13/2007 09:35 AM 5,980,160 Blubster.exe
1 File(s) 5,980,160 bytes

Directory of C:\PROGRA~1\MICROS~2\BAK

11/15/2005 12:12 PM 473,928 gcasServ.exe
1 File(s) 473,928 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

04/27/2007 08:41 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\REGSHAVE\BAK

07/25/2001 02:04 PM 57,344 REGSHAVE.EXE
1 File(s) 57,344 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 12:56 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\WINDOWS\WIRELESS\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

11/07/2006 02:41 PM 8,192 mimboot.exe
11/07/2006 02:41 PM 110,592 mm_tray.exe
2 File(s) 118,784 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/02/2006 09:54 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\ULEADS~1\AUTODE~1\BAK

05/23/2005 09:57 AM 90,112 monitor.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

07/12/2007 03:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

09/25/2007 12:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\THOMSON\LYRAJU~1\LYRAHD~1\BAK

04/18/2005 03:35 PM 290,816 LYRAHD2TrayApp.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK

03/09/2007 11:09 AM 63,712 apdproxy.exe
1 File(s) 63,712 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\2\BAK

05/09/2000 10:38 AM 36,864 printray.exe
1 File(s) 36,864 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

5980160 Apr 13 2007 "C:\Program Files\Blubster\Blubster.exe"
5980160 Apr 13 2007 "C:\Program Files\Blubster\bak\Blubster.exe"
473928 Nov 15 2005 "C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
385024 Jan 31 2008 "C:\Program Files\QuickTime\QTTask.exe"
282624 Apr 27 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
57344 Jul 25 2001 "C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
8192 Nov 7 2006 "C:\Program Files\Musicmatch\Musicmatch Jukebox\bak\mimboot.exe"
110592 Nov 7 2006 "C:\Program Files\Musicmatch\Musicmatch Jukebox\bak\mm_tray.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
180269 Sep 2 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
90112 May 23 2005 "C:\Program Files\Common Files\Ulead Systems\Autodetector\bak\monitor.exe"
144784 Feb 22 2008 "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
126976 Sep 24 2007 "C:\Program Files\Java\jdk1.6.0_03\jre\bin\jusched.exe"
139264 Feb 22 2008 "C:\Program Files\Java\jdk1.6.0_05\jre\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
144784 Feb 22 2008 "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
126976 Sep 24 2007 "C:\Program Files\Java\jdk1.6.0_03\jre\bin\jusched.exe"
139264 Feb 22 2008 "C:\Program Files\Java\jdk1.6.0_05\jre\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
290816 Apr 18 2005 "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\bak\LYRAHD2TrayApp.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
36864 May 9 2000 "C:\WINDOWS\system32\spool\drivers\w32x86\PrinTray.exe"
36864 May 9 2000 "C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe"


end of report
crunchie (Moderator)
Re: nasty virus
#14
Jun 1st, 2008
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

C:\Program Files\Blubster\bak\Blubster.exe
C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE
C:\WINDOWS\system32\bak\ctfmon.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\bak\mimboot.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\bak\mm_tray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\Common Files\Ulead Systems\Autodetector\bak\monitor.exe
C:\Program Files\Java\jdk1.6.0_03\jre\bin\jusched.exe
C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\bak\LYRAHD2TrayApp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe
Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
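The report format in post #13 and the restore decision in post #14 can be checked mechanically. As an added example that is not part of this thread or of FindAWF, the Python below parses the "Duplicate files of bak directory contents" lines, pairs each bak copy with the file of the same name in its parent folder, and reports whether the parent file matches the bak copy by size, differs from it, or is absent from the report. The sample lines are constructed from the report above; a "differs" or "missing" verdict only flags a file for review and does not by itself prove infection.

```python
import re

# Constructed sample in the shape of FindAWF's "Duplicate files of bak
# directory contents" section: <size> <Mon> <day> <year> "<path>".
SAMPLE_REPORT = r'''
5980160 Apr 13 2007 "C:\Program Files\Blubster\Blubster.exe"
5980160 Apr 13 2007 "C:\Program Files\Blubster\bak\Blubster.exe"
473928 Nov 15 2005 "C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
385024 Jan 31 2008 "C:\Program Files\QuickTime\QTTask.exe"
282624 Apr 27 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
end of report
'''

LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"$')
BAK_RE = re.compile(r'\\bak\\', re.IGNORECASE)


def parse_report(text):
    """Map each listed path (lower-cased, since Windows paths are
    case-insensitive) to (size, date, path as printed)."""
    entries = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # headers, blank lines and "end of report" do not match
            entries[m.group(3).lower()] = (int(m.group(1)), m.group(2), m.group(3))
    return entries


def classify_bak_entries(text):
    """For every file inside a bak folder, compare it with the file of the
    same name in the parent folder.  Returns {bak path: verdict} where
    verdict is 'identical' (same size), 'differs' (the file in the parent
    folder is not the bak copy, which the restore step in the thread
    replaces) or 'missing' (no copy outside bak appears in the report)."""
    entries = parse_report(text)
    verdicts = {}
    for key, (bak_size, _, bak_path) in entries.items():
        if not BAK_RE.search(key):
            continue
        # Strip the first "\bak\" component to get the parent folder's path.
        parent = entries.get(BAK_RE.sub(r'\\', key, count=1))
        if parent is None:
            verdicts[bak_path] = 'missing'
        elif parent[0] == bak_size:
            verdicts[bak_path] = 'identical'
        else:
            verdicts[bak_path] = 'differs'
    return verdicts


if __name__ == '__main__':
    for path, verdict in sorted(classify_bak_entries(SAMPLE_REPORT).items()):
        print(f'{verdict:9s} {path}')
```

Run against a full report, the "differs" and "missing" entries are the ones worth a closer look before deciding what to restore.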
jamjam19
Re: nasty virus
#15
Jun 1st, 2008
By the way, my computer is really stable and the taskbar is not blinking anymore, so after this you can put solved on it. Thanks ^_^
jamjam19
Re: nasty virus
#16
Jun 1st, 2008
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sun 06/01/2008
The current time is: 0:46:10.02


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\BLUBSTER\BAK

04/13/2007 09:35 AM 5,980,160 Blubster.exe
1 File(s) 5,980,160 bytes

Directory of C:\PROGRA~1\MICROS~2\BAK

11/15/2005 12:12 PM 473,928 gcasServ.exe
1 File(s) 473,928 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

04/27/2007 08:41 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\REGSHAVE\BAK

07/25/2001 02:04 PM 57,344 REGSHAVE.EXE
1 File(s) 57,344 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 12:56 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\WINDOWS\WIRELESS\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

11/07/2006 02:41 PM 8,192 mimboot.exe
11/07/2006 02:41 PM 110,592 mm_tray.exe
2 File(s) 118,784 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/02/2006 09:54 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\ULEADS~1\AUTODE~1\BAK

05/23/2005 09:57 AM 90,112 monitor.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

07/12/2007 03:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

09/25/2007 12:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\THOMSON\LYRAJU~1\LYRAHD~1\BAK

04/18/2005 03:35 PM 290,816 LYRAHD2TrayApp.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK

03/09/2007 11:09 AM 63,712 apdproxy.exe
1 File(s) 63,712 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\2\BAK

05/09/2000 10:38 AM 36,864 printray.exe
1 File(s) 36,864 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

5980160 Apr 13 2007 "C:\Program Files\Blubster\Blubster.exe"
5980160 Apr 13 2007 "C:\Program Files\Blubster\bak\Blubster.exe"
473928 Nov 15 2005 "C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
385024 Jan 31 2008 "C:\Program Files\QuickTime\QTTask.exe"
282624 Apr 27 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
57344 Jul 25 2001 "C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
8192 Nov 7 2006 "C:\Program Files\Musicmatch\Musicmatch Jukebox\bak\mimboot.exe"
110592 Nov 7 2006 "C:\Program Files\Musicmatch\Musicmatch Jukebox\bak\mm_tray.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
180269 Sep 2 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
90112 May 23 2005 "C:\Program Files\Common Files\Ulead Systems\Autodetector\bak\monitor.exe"
144784 Feb 22 2008 "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
126976 Sep 24 2007 "C:\Program Files\Java\jdk1.6.0_03\jre\bin\jusched.exe"
139264 Feb 22 2008 "C:\Program Files\Java\jdk1.6.0_05\jre\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
144784 Feb 22 2008 "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
126976 Sep 24 2007 "C:\Program Files\Java\jdk1.6.0_03\jre\bin\jusched.exe"
139264 Feb 22 2008 "C:\Program Files\Java\jdk1.6.0_05\jre\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
290816 Apr 18 2005 "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\bak\LYRAHD2TrayApp.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
36864 May 9 2000 "C:\WINDOWS\system32\spool\drivers\w32x86\PrinTray.exe"
36864 May 9 2000 "C:\WINDOWS\system32\spool\drivers\w32x86\2\printray.exe"
36864 May 9 2000 "C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe"


end of report
crunchie (Moderator)
Re: nasty virus
#17
Jun 1st, 2008
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\Blubster\bak
C:\Program Files\Microsoft AntiSpyware\bak
C:\Program Files\QuickTime\bak
C:\Program Files\REGSHAVE\bak
C:\WINDOWS\system32\bak
C:\Program Files\Musicmatch\Musicmatch Jukebox\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Ulead Systems\Autodetector\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\Program Files\Java\jre1.6.0_03\bin\bak
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak
C:\WINDOWS\system32\spool\drivers\w32x86\2\bak
Next, close and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
Last edited by crunchie; Jun 1st, 2008 at 3:36 am.
jamjam19
Re: nasty virus
#18
Jun 1st, 2008
Sorry, wrong log...
The good one is below this one.
Last edited by jamjam19; Jun 1st, 2008 at 5:04 am. Reason: wrong log
jamjam19
Re: nasty virus
#19
Jun 1st, 2008
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Sun 06/01/2008
The current time is: 2:53:05.41


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\WIRELESS\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
crunchie (Moderator)
Re: nasty virus
#20
Jun 1st, 2008
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones

This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

==

Reboot when done and post another hijackthis log please.

Let me know how your PC is.
Last edited by crunchie; Jun 1st, 2008 at 5:25 am.
This thread has been marked solved.
©2003 - 2009 DaniWeb® LLC